REALIZATION OF A TCP SYN FLOOD ATTACK USING KALI LINUX

Vojnotehnički glasnik / Military Technical Courier, 2018, Vol. 66, Issue 3

Dejan V. Vuletić (a), Nemanja D. Nojković (b)

(a) University of Defence in Belgrade, Strategic Research Institute, Belgrade, Republic of Serbia, e-mail: dejan.vuletic@mod.gov.rs, ORCID iD: http://orcid.org/0000-0001-9496-2259
(b) Serbian Armed Forces, General Staff, Department for Telecommunication and Informatics (Ј-6), Command Information Systems and IT Support Centre, Belgrade, Republic of Serbia, e-mail: nemanjanojko@gmail.com, ORCID iD: https://orcid.org/0000-0002-3216-1891


Introduction
The Transmission Control Protocol (TCP), unlike the User Datagram Protocol (UDP), is connection-oriented, which means that the sender must establish a complete connection with the intended recipient before sending any data. This protocol relies on a three-way handshake mechanism (SYN, SYN-ACK, ACK) in which each connection request opens a half-open connection (SYN), which is answered by a response (SYN-ACK) and completed by a confirmation of that response (ACK). An attack attempting to abuse the TCP/IP protocol would usually do so by sending TCP packets in the wrong order, causing the target server to run out of resources. One example of this type of attack is the TCP SYN Flood (Lawrence, 2012).
In the TCP handshake mechanism, both sides must complete the exchange in order for the connection to be established. If the TCP client does not exist, or is a client with a fake IP address, this exchange is not possible. In a TCP SYN flood (SYN flood) attack, attackers make the server believe that they are requesting legitimate connections by sending a number of TCP connection requests from fake IP addresses. When the client's IP address is fake or the client is unable to respond, the acknowledgement (ACK packet) is never sent back to the server. The server is forced to keep an open connection and a buffer for each original connection request, attempting to resend the SYN-ACK packet until the request expires. Given that server resources are limited and a SYN flood usually involves a huge number of connection requests, the server is unable to process the existing requests before new ones arrive, and this results in service termination. Figure 1 shows the TCP SYN Flood attack pattern with the corresponding messages exchanged between the server and a legitimate user, and between the server and an attacker. As can be seen in the Figure, the connection confirmation never reaches the attacker, unlike in the case of the legitimate user (Radware, 2013).

Figure 1 - TCP SYN Flood (Radware, 2013)

Practical realization of TCP SYN Flood attacks

To show the effects of TCP SYN Flood attacks, we will use two computers connected to the same network. Kali Linux was installed on the attacking computer as a virtual machine on Windows 10 using VMware Workstation 12 Player. The Windows 10 operating system is installed on the computer that will be attacked (Allen et al, 2014).
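As an added illustration that is not part of the paper, the following Python model of a server's half-open backlog reproduces the resource exhaustion described in the Introduction: spoofed SYNs are never acknowledged and occupy a backlog entry until the SYN-ACK retransmissions time out, so once the backlog is full every legitimate SYN is dropped. The backlog size, timeout and packet rates are constructed numbers, and processing flood packets before legitimate ones within a tick is an assumption of the model.

```python
"""Added model (not the paper's code) of the half-open backlog a server keeps
during the three-way handshake. Each SYN occupies one entry until the peer's
ACK arrives or the SYN-ACK retransmissions time out. Real clients ACK at once,
so their entry is freed on the next tick; spoofed SYNs (random source IP, so
nobody answers) hold their entry for the whole timeout. A full backlog means
every new SYN, legitimate or not, is dropped."""


class Backlog:
    def __init__(self, size, timeout):
        self.size = size        # half-open entries the server can hold
        self.timeout = timeout  # ticks before a never-ACKed entry is discarded
        self.entries = []       # expiry tick of every occupied entry
        self.accepted = 0       # legitimate handshakes that completed
        self.dropped = 0        # legitimate SYNs refused (backlog full)

    def _admit(self, expiry):
        if len(self.entries) >= self.size:
            return False
        self.entries.append(expiry)
        return True

    def tick(self, now, spoofed, legit):
        # Discard entries whose retransmission period has ended.
        self.entries = [t for t in self.entries if t > now]
        # Flood packets arrive far faster than real clients, so within a tick
        # they are processed first (constructed ordering assumption).
        for _ in range(spoofed):
            self._admit(now + self.timeout)  # never ACKed: held until timeout
        for _ in range(legit):
            if self._admit(now + 1):         # ACKed at once: freed next tick
                self.accepted += 1
            else:
                self.dropped += 1


def simulate(size, timeout, ticks, spoof_rate, legit_rate):
    """Return (accepted, dropped) legitimate connections after `ticks` ticks."""
    b = Backlog(size, timeout)
    for now in range(ticks):
        b.tick(now, spoof_rate, legit_rate)
    return b.accepted, b.dropped


if __name__ == "__main__":
    # Constructed numbers: 128-entry backlog, SYN-ACK retried for 60 ticks,
    # 10 spoofed and 2 legitimate SYNs per tick, 200 ticks.
    print("no flood:     ", simulate(128, 60, 200, 0, 2))   # (400, 0)
    print("flood:        ", simulate(128, 60, 200, 10, 2))  # (24, 376)
    print("short timeout:", simulate(128, 5, 200, 10, 2))   # (400, 0)
```

The third run shows why server-side mitigations act on exactly these two parameters: a shorter SYN-ACK retransmission period (or a larger backlog) lets entries expire faster than the same flood rate can refill them.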
A computer that launches the attacks (the attacking computer). Kali Linux, based on the Debian distribution, is installed on this computer (Hertzog et al, 2017). It contains the hping3 tool, a free packet generator and analyzer for the TCP/IP protocol. Hping3 was written by Salvatore Sanfilippo. A newer version of hping3 is a scriptable version which uses the Tcl language (a simple language for writing programs) (Beggs, 2014), (Ansari, 2015). Figure 2 shows the basic network data of the virtual machine obtained by typing the ifconfig command in the Kali Linux terminal: the IP address, the subnet mask and other network card information. The attack is launched from the terminal by typing the hping3 command with the following parameters (Figure 3):

- The name of the tool used (hping3)
- Number of packets to send (-c 1000)
- Size of each packet to be sent (-d 128)
- Type of packets to be sent (-S sets the SYN flag)
- TCP window size (-w 64)
- The attacked port (-p 8000)
- Type of attack (--flood): flood mode, sending packets as fast as possible
- Use random source IP addresses (--rand-source)
- Address of the attacked computer (destination IP address)

Before the attack begins, we check the availability of the computer we are planning to attack from the Command Prompt on Windows 10, using the ping command. Figure 4 shows that there is no problem with the connection and that the ping of the targeted computer succeeded. To increase the intensity of the attack, the command can be started from multiple terminals, as shown in Figure 5. After executing the command (carrying out the attack) we again use the ping command to check the availability of the attacked computer. Figure 6 shows that the computer only partially responds to this command (it is not always available).

A computer that will be attacked. We observe the events on this computer before and after the attack against it.
Figure 7 shows the basic information about this computer obtained with the ipconfig command in Windows PowerShell. In the Figure, we can see the IP address, the subnet mask and other properties of the network card. After executing the command on Kali Linux, the performance of the attacked computer changed, as shown in Figure 8. By comparing the figures, it can be noted that processor utilization has increased. In addition to the performance change, the attack made the computer unable to respond to connection requests, as shown by the ping command output Request timed out. Because of the attack, the computer could not connect to and communicate with another computer on the network.
The attack is interrupted in the terminals by pressing Ctrl+C. After the attack is stopped, the performance of the computer returns to normal and the ping command begins to work normally again (showing that the computer is available). This is shown in Figure 9.

Figure 9 - Appearance of the screen when the attack is completed and the ping command is given
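The paper observes the attacked host only through ping and processor load. As an added example that is not part of the paper, the following Python script summarises `netstat -an` output from the attacked computer, where the flood shows up directly as a pile of half-open (SYN_RECEIVED) connections on the attacked port; because hping3 was run with random source addresses, nearly every entry has a different remote address, which tells the defender that blocking individual sources will not help. The sample netstat lines, the alert threshold of 50 and the 0.9 distinct-source ratio are constructed assumptions.

```python
"""Added example, not from the paper: summarise half-open TCP connections
from `netstat -an` output on the attacked host. Windows reports them as
SYN_RECEIVED, Linux as SYN_RECV; both spellings are handled. The sample data
below is constructed with documentation-range (RFC 5737) addresses."""
import re
from collections import Counter, defaultdict

# proto, local endpoint, remote endpoint, state (one netstat -an TCP line)
_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s*$")
_HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}

def half_open_summary(lines, threshold=50):
    """Per local port: half-open count, distinct remote hosts, alert flags."""
    counts = Counter()
    remotes = defaultdict(set)
    for line in lines:
        m = _LINE.match(line)
        if not m or m.group(3) not in _HALF_OPEN:
            continue
        local, remote = m.group(1), m.group(2)
        port = int(local.rsplit(":", 1)[1])   # works for 1.2.3.4:80 and [::]:80
        counts[port] += 1
        remotes[port].add(remote.rsplit(":", 1)[0])
    summary = {}
    for port, n in counts.items():
        distinct = len(remotes[port])
        summary[port] = {
            "half_open": n,
            "distinct_sources": distinct,
            "alert": n >= threshold,
            # almost one source per entry => spoofed/random source addresses
            "spoofed_likely": n >= threshold and distinct >= 0.9 * n,
        }
    return summary

def sample_netstat():
    """Constructed netstat output: a flood on port 8000 plus normal traffic."""
    lines = ["  TCP    192.168.1.10:8000      0.0.0.0:0              LISTENING"]
    for i in range(60):  # 60 half-open entries, each from a different address
        lines.append(f"  TCP    192.168.1.10:8000      203.0.113.{i + 1}:{40000 + i}    SYN_RECEIVED")
    lines.append("  TCP    192.168.1.10:8000      192.168.1.20:51000     ESTABLISHED")
    for i in range(3):   # a few half-open entries from one slow client on 443
        lines.append(f"  TCP    192.168.1.10:443       198.51.100.7:{50000 + i}     SYN_RECEIVED")
    return lines

if __name__ == "__main__":
    for port, info in sorted(half_open_summary(sample_netstat()).items()):
        print(port, info)
```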

Conclusion
Every system that is connected to the Internet and offers TCP-based network services is a potential victim of an attack. The earliest form of DoS attack was the SYN flood, which originated in 1996 and exploits weaknesses in TCP. Other attacks exploit weaknesses in operating systems and applications, leading to the inaccessibility of network services or even the cessation of server operation.
Classic DoS attacks are one-on-one attacks in which a powerful host generates traffic that "overwhelms" the target host's connection, which prevents authorized clients from accessing network services. Distributed Denial of Service (DDoS) is a type of DoS attack launched by multiple participants. DDoS attacks go a step further by multiplying the attack traffic, so that servers or parts of the network can become totally unusable for clients.
There are several ways to execute DoS attacks, such as the TCP SYN Flood attack, which can be carried out with different tools, such as hping3 on Kali Linux.