Web Hosting Talk

A lethal Denial of service attack.


node9
06-05-2001, 07:06 PM
I have a question. What can I do about a SYN flood to my server?

I know exactly what it is, how it was done, what was used, but I need help on preventing it.

What is being used is called juno-z.101f.c. It runs on *nix based os's.

Juno-z.101f.c is an improved rewrite of juno.c which is faster and better, employing state of the art tcp technologies.

Here is what is written in the beginning of the c source code.
* this is a rewrite of the juno.c syn flooder, some notable improvements:
- faster packet creation (about 4x faster), although the kernel does most
of the work, so don't expect 4x as much output. The speed is partially
due to a new checksum technique that I've created, that is, to use a
16-bit sum counter, and use add-with-carry ops on it, instead of using
a 32-bit counter, then a double-fold at the end. The routine also adds
in fields of the tcp header and pseudo header as it sets up the packet.
This is an improvement over the standard method which is to prep the
packet and then sum it in a completely separate series of operations.
- "sane" source ips, they only come from legitimate class A's, they never
come from the same class as the target, and they never end in 0 or 255
- some packet forgery problems fixed, they should look very much like
an ms-windows system created them now, thus preventing tcp-sanity filters
- now multithreaded, uses up to 16 threads for max output on SMP systems
- better delay processing, no longer limited to 1/100th of a second,
now does up to 1/1000000000th of a second
- now uses direct system calls, thus saving the time to bounce through
library routines. This also eliminates the need for using .h files,
should now compile and run on fbsd with linux portability in the kernel
- performance lists (on program exit) fixed, juno.c and old juno-z.c files
used 1 second timing, this version uses 1/1000000th of a second */
--------------------------------------------------------
I tested this DoS attack on myself, I put up iplog on my server, I selected port 80 as the destination port, and this is what I received on iplog.

Jun 5 06:55:10 TCP: www connection attempt from 216.75.156.248:1138
Jun 5 06:55:10 TCP: www connection attempt from 211.61.23.237:1044
Jun 5 06:55:10 TCP: www connection attempt from 24.75.157.249:1048
Jun 5 06:55:38 TCP: www connection attempt from 199.54.138.68:1229
Jun 5 06:55:39 TCP: www connection attempt from 128.245.250.105:1050
Jun 5 06:55:39 TCP: www connection attempt from 202.249.67.39:1053
Jun 5 06:55:39 TCP: www connection attempt from 193.234.177.1:1092
Jun 5 06:55:39 TCP: www connection attempt from soulside.com.criticalpath.net (209.228.156.220):1101
Jun 5 06:55:45 TCP: www connection attempt from 198.78.238.214:1076
Jun 5 06:55:45 TCP: www connection attempt from 194.202.16.63:1053

While this was going on, I could not connect to any websites on my machine that were bound on port 80. (Most are)

Even after I stopped, I still couldn't. Also, I ran this attack for a max 10 seconds. There has to be some sort of prevention. In the previous version of juno, the way it attacked you was random IPs, with the same source port: 1024 and 3072. It was easy to block that, just block all incoming connections with the src port 1024 and 3072. But this one is different, it's an improved version.

If anyone has any idea what I can do to have this stopped, or a comment, please post a reply.

thanks

node9
06-05-2001, 07:15 PM
also, another thing.

That was just a SMALL piece of the log, if you wanted the entire log, it'd be pages long.

something I just thought of was.. you couldn't take down yahoo.com, because they have powerful bandwidth, on top of that, they have a DNS pool for their webserver, they have like 4-5 machines mirroring the webpage, so it'd be pretty difficult.

That vs. one ip, one machine.

But not everybody has the resources, money, or power to get that much bandwidth, or that many machines
;/

cperciva
06-05-2001, 08:37 PM
I've looked at the source code and there's not much you can do. Some possible solutions include:

1. Filter based on source IP (and destination, of course). This is easy to do -- there are 16 /8 networks to filter out -- and will completely block the attack with trivial effort. Unfortunately this will block off most of the internet. (But not all; most of the early recipients of Class B networks will be unaffected).

2. Filter based on source port. The spoofed SYN packets have uniformly distributed source ports, while most operating systems assign dynamic ports by starting low and counting upwards; if you blocked source ports above 10,000 you would filter 85% of the attack while only blocking a small fraction of the legitimate traffic.

3. Try to attack the random number generator. The random number generator used is very weak, and it is quite possible that careful inspection of incoming packets could reveal the random number seeds of the attacking threads, at which point you could predict easily at any time what the source address and port would be for the next packet.

4. Try to survive the attack. This would require a good operating system with large buffers, but it is quite possible to design a stateful firewall which intercepts SYN packets and holds them until it verifies their authenticity.

5. As is always the case for DoS attacks, if you can get help from your ISP you might be able to trace the packets back to their source(s), but that isn't really a practical solution for companies smaller than Yahoo/Amazon/Ebay/etc.
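As an added example (not from the thread, from iplog, or from any of the posters), the following Python script parses iplog lines of the form node9 quoted and applies the defender-side observations from the post above: during the flood, practically every attempt comes from a different source address and /8, and the source ports are either spread uniformly across the 16-bit range (what is described for juno-z) or pinned to one or two values (what node9 described for the old juno). The log lines, the port threshold of 10,000 and the rate threshold are constructed for the example; the names parse_line and analyse are the example's own.

```python
import re
from collections import Counter, defaultdict

# Matches iplog "connection attempt" lines as quoted in the thread, including
# the resolved-hostname form "from host.example (1.2.3.4):1101".
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+TCP:\s+"
    r"(?P<service>\S+)\s+connection attempt from\s+"
    r"(?:\S+\s+\((?P<ip_paren>\d+\.\d+\.\d+\.\d+)\)|(?P<ip>\d+\.\d+\.\d+\.\d+))"
    r":(?P<port>\d+)\s*$"
)

# Constructed sample log (not the poster's log): one quiet second, then one
# second showing the pattern described in the post (every attempt from a
# different /8, source ports spread over the whole 16-bit range).
SAMPLE_LOG = """\
Jun 5 06:55:10 TCP: www connection attempt from 10.1.2.3:1030
Jun 5 06:55:10 TCP: www connection attempt from 10.1.2.3:1031
Jun 5 06:55:10 TCP: www connection attempt from host.example.net (10.9.8.7):1100
Jun 5 06:55:39 TCP: www connection attempt from 216.75.156.248:41138
Jun 5 06:55:39 TCP: www connection attempt from 211.61.23.237:2044
Jun 5 06:55:39 TCP: www connection attempt from 24.75.157.249:58048
Jun 5 06:55:39 TCP: www connection attempt from 199.54.138.68:31229
Jun 5 06:55:39 TCP: www connection attempt from 128.245.250.105:9050
Jun 5 06:55:39 TCP: www connection attempt from 202.249.67.39:64053
Jun 5 06:55:39 TCP: www connection attempt from 193.234.177.1:17092
Jun 5 06:55:39 TCP: www connection attempt from 198.78.238.214:50176
this line is not an iplog record and is skipped
"""


def parse_line(line):
    """Return (timestamp, service, src_ip, src_port) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip = m.group("ip") or m.group("ip_paren")
    ts = f"{m.group('mon')} {m.group('day')} {m.group('time')}"
    return ts, m.group("service"), ip, int(m.group("port"))


def analyse(lines, high_port=10000, rate_threshold=5):
    """Per-second summary of connection attempts with a SYN-flood heuristic.

    A second is flagged when the attempt rate is at or above rate_threshold,
    nearly every attempt comes from a different source address, and the
    source ports are either spread uniformly (large share above high_port)
    or pinned to one value. The thresholds are assumptions for the example.
    """
    per_second = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_second[rec[0]].append(rec)

    report = {}
    for ts, recs in per_second.items():
        ports = [r[3] for r in recs]
        ips = [r[2] for r in recs]
        n = len(recs)
        high_share = sum(1 for p in ports if p > high_port) / n
        dominant_port_share = Counter(ports).most_common(1)[0][1] / n
        ip_spread = len(set(ips)) / n
        report[ts] = {
            "attempts": n,
            "distinct_src_ips": len(set(ips)),
            "distinct_src_slash8": len({ip.split(".")[0] for ip in ips}),
            "high_port_share": high_share,
            "dominant_port_share": dominant_port_share,
            "suspicious": (
                n >= rate_threshold
                and ip_spread >= 0.8
                and (high_share >= 0.5 or dominant_port_share >= 0.8)
            ),
        }
    return report


if __name__ == "__main__":
    for ts, stats in analyse(SAMPLE_LOG.splitlines()).items():
        print(ts, "FLOOD?" if stats["suspicious"] else "ok", stats)
```

The high_port_share figure is the same quantity behind the source-port filtering idea in point 2: on a flood second it approaches the fraction of the port range above the cut-off, while on a normal second from client stacks that allocate ports upward from 1024 it stays near zero. The script only reports; it does not install any filter.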

kunal
06-05-2001, 10:37 PM
where can i find this wonderful juno-z.101f.c file? :)

kryps
06-06-2001, 10:59 AM
Enable syn cookies in the kernel of your machine (I assume that it is a Linux box).

For more information look at http://cr.yp.to/syncookies.html


-- kryps

node9
06-06-2001, 05:35 PM
yes
i have done that
that doesn't do much, actually barely anything.

it hammers too hard man, you'd have to actually have your box, or server, get hit hard with juno.c, then you'll see what i mean.

cperciva
06-06-2001, 05:46 PM
Your problem is simply that the packets take too long to process; they aren't consuming any resources apart from CPU time and network bandwidth, but enough packets will completely fill your network and effectively disable the server regardless of how fast you drop them.

Ironically you might actually see an improvement by disabling SYN cookies, since they consume more cpu time than other methods of ISN generation.

iVersit
06-07-2001, 10:48 AM
why would anyone want to write such terrible software?
I always wondered how much further along we would all be if everyone used brains like those for better purposes.

node9
06-07-2001, 04:49 PM
true
According to the author, it is meant for "educational purposes" only

It's just loopholes, to get around illegal stuff.

They make the stuff, distribute it, and other people use it for bad purposes
pisses me off that they even create it

kunal
06-08-2001, 02:51 AM
hmmm.... can anyone of you email it to me? i just wanna study the source..

kunal
06-08-2001, 02:53 AM
nevermind.. i found it...

bombino
06-27-2001, 01:29 AM
In my opinion, the whole idea behind UNIX raw sockets (low-level packet control enabling spoofed packets) is stupid. There is no real legitimate use for it.

But the worst part of the matter is MICROSOFT IS GOING TO PUT THIS FUNCTIONALITY INTO XP! This means every packet kiddie with WinXP and a cable modem is going to be spoofing packets all over the place.

Another example of the usual gang of idiots up there at Microsoft.

XTStrike
06-27-2001, 05:24 AM
quote:
-----
Another example of the usual gang of idiots up there at Microsoft
-----

and i presume bombino, during your focussed attack on Microsoft's new operating system you COMPLETELY failed to notice that *nix already has this functionality.

hey, what STUPID IDIOTS all those people that designed *nix operating systems are, they're hopeless losers, why did they put in such a pointless feature.

do you see my point? i don't support Microsoft or *nix all the way, they both have their downfalls, don't slate one without slating the other !! :D

Annette
06-27-2001, 10:21 AM
The Register had a very nice rebuttal to Steve Gibson's ranting FUD on the entire XP socket issue. If I can dig up the link, I'll post it. I'm not the hugest Microsoft fan, but this whole thing has spun entirely out of control - especially when the flames are fanned by diehard anti-Microsoft people.

huck
06-27-2001, 10:43 AM
node9
I am not sure what your options are. If they are spoofing the IP information and randomly changing ports, you are in a tough position. There is no easy way to allow a server on the internet and stop syn attacks.

The best you can do is whittle down the attack by using a variety of techniques, e.g. syn cookies, RSS response, longer queues w/ shorter time outs. Syn cookies can work but you need a lot of RAM and processor speed.

What is your bandwidth? I am surprised if you are on T1 or faster that a single syn flood would kill the network unless your machine is overloaded. What is the machine load during the attacks? What is the memory usage. If the TCP/IP syn queue is filling up, your memory usage will also increase.

Packet filtering is probably your only option. Unfortunately, many mail servers are configured to use identd and send syn requests.

We were attacked about a month ago, but fortunately, it was from a Windows box with a limited IP range. IP filtering worked.

Can't wait until XP arrives.....then all of the zombied DDoS machines will be even harder to trace.


Here are some resources......

You may want to take a look at this article:
http://www.networkcomputing.com/unixworld/security/004/004.txt.html

And the CERT on this issue:
http://www.cert.org/advisories/CA-1996-21.html

Here is a freeware firewall application ( i don't think it has been updated since last year)
http://www.bronzesoft.org/projects/scfw/
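Both kryps's suggestion (enable SYN cookies in the kernel) and huck's list above (SYN cookies, longer queues with shorter timeouts) come down to a few Linux sysctl settings. As an added example, not from the thread or from any project it mentions, here is a small Python audit that parses sysctl.conf-style text and reports which of those settings are missing or weak. The two configuration fragments are constructed; the real keys are net.ipv4.tcp_syncookies, net.ipv4.tcp_max_syn_backlog and net.ipv4.tcp_synack_retries, while the "hardened" thresholds (backlog of at least 1024, at most 3 SYN-ACK retries) and the function names parse_sysctl and audit are the example's own assumptions.

```python
# Constructed sysctl.conf fragments (not taken from any real host).
WEAK_CONF = """\
# SYN cookies off, small half-open queue, default retransmission count
net.ipv4.tcp_syncookies = 0
net.ipv4.tcp_max_syn_backlog = 128
net.ipv4.tcp_synack_retries = 5
"""

HARDENED_CONF = """\
; cookies on, longer half-open queue, SYN-ACK retries cut so entries expire sooner
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_synack_retries = 2
"""


def parse_sysctl(text):
    """Parse 'key = value' lines; '#' and ';' start comments, as in sysctl.conf."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def _int_at_least(minimum):
    return lambda v: v is not None and v.isdigit() and int(v) >= minimum


def _int_at_most(maximum):
    return lambda v: v is not None and v.isdigit() and int(v) <= maximum


# (key, predicate on the value string or None when unset, advice).
# Thresholds are the example's assumptions, not kernel defaults.
CHECKS = [
    ("net.ipv4.tcp_syncookies", lambda v: v == "1",
     "set to 1 so the kernel answers with SYN cookies when the half-open queue overflows"),
    ("net.ipv4.tcp_max_syn_backlog", _int_at_least(1024),
     "raise the half-open (SYN_RECV) queue length (the thread's 'longer queues')"),
    ("net.ipv4.tcp_synack_retries", _int_at_most(3),
     "lower the SYN-ACK retransmission count so half-open entries expire sooner (the thread's 'shorter time outs')"),
]


def audit(text):
    """Return one finding string per check that the configuration fails."""
    settings = parse_sysctl(text)
    findings = []
    for key, ok, advice in CHECKS:
        value = settings.get(key)
        if not ok(value):
            shown = value if value is not None else "<unset>"
            findings.append(f"{key}={shown}: {advice}")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

The thread's own caveats still apply to whatever this audit reports: cperciva points out that SYN cookies cost more CPU than other ISN generation methods, and huck that they need RAM and processor speed, so on a host whose link is already saturated by the flood none of these settings will restore service by themselves.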

xor
07-07-2001, 10:46 PM
Can't wait until XP arrives.....then all of the zombied DDoS machines will be even harder to trace.

Exactly!

I don't think it's a case of Microsoft-bashing, I think raw sockets are just a bad idea.

Most home users are running Windows, they don't have firewalls, they will upgrade or buy new computers with WindowsXP installed and the zombie-masters will have a field day.

UNIX was developed as very expensive proprietary software that ran on very expensive hardware. It was managed by presumably trusted system admins who could monitor the system and prevent users from abusing the power of raw sockets. It doesn't mean the designers of UNIX were stupid (maybe short-sighted), they were developing for completely different conditions than Microsoft is developing WindowsXP for.

How many clueless home-users do you know with xDSL and cable connections running UNIX? This time next year how many clueless home users with xDSL and cable connections are going to be running WindowsXP? I don't see any advantage to having raw sockets in WindowsXP. I think it could very well create a real nightmare situation. If I were a naive home user with a zombie on my machine, I would want some clued up sysadmin who had just been attacked by my 'unwelcome guest' to be able to track me down and tell me so I could get rid of the thing, especially if my connection plan included data transfer charges.

Donna
http://donnamiller.net

Annette
07-08-2001, 12:09 AM
It's amazing to see people jumping on this bandwagon. Since machines can already be taken over remotely via trojans (and can even have packet spoofing done if the user runs something that installs a stack or two), it takes a fantastical leap of logic to suddenly decide that just because XP is implementing full functionality that the number of clueless people who get their machines trojaned will suddenly mushroom into the end of the world as we know it. The ratios will remain the same: there will always be people who open and run attachments blindly, without thinking. The people that do it now will be the people that do it no matter what OS is installed on their systems. This whole thing has already been hashed over in various newsgroups and Gibson has posted another rant on his site, which has also been pointed out as more FUD than reality. Gibson's ok on some things, but he gets some things really wrong. I won't even start to discuss his Shields UP "security scanner"...

http://www.theregister.co.uk/content/55/20160.html
http://groups.google.com/groups?hl=en&safe=off&th=677b6ae2e2a3cbb,56&ic=1

Skeptical
07-08-2001, 11:36 PM
It's true that the percentage of clueless morons will remain the same, but the NUMBER of cracked systems able to spoof using raw sockets will skyrocket.

95+% of people are running Windows, and a vast number of them are inexperienced users who just know enough to go online and surf around. You can call them stupid, ignorant, or whatever. But the fact remains that the MAJORITY of clueless folks (by percentage and by numbers) are of the Windows camp. I'd say the majority of the people who are running *nix are more experienced than most people who simply run Windows. That's just fact. I mean, who'd start off with Linux as their first os to play with? Windows makes things easy and simple. Linux gives you more freedom and control, but it sure isn't friendly to newbies.

Now, there is a rainbow at the end of this tunnel though... If XP does lead to substantially more stealth/spoof attacks, it might cause enough outrage by the people to actually force ISPs to finally act (which they should already be doing, but aren't because they have no financial incentives/consequences yet) and filter all OUTGOING packets to ensure non-bogus headers (or at least where a packet can't claim to be from another network altogether). This would finally lead us to a more stable internet, one in which DOS attacks might finally be contained once and for all.

cperciva
07-08-2001, 11:44 PM
Originally posted by Skeptical
It's true that the percentage of clueless morons will remain the same, but the NUMBER of cracked systems able to spoof using raw sockets will skyrocket.

I'm not convinced. While I'll agree that the average windows-using luser is more clueless than the average linux-using luser, there are other factors to consider. It takes a certain amount of cluelessness to run executable programs which get emailed to you by random people; it takes far less cluelessness to not apply security patches.

Right "out of the box" Red Hat systems have proven themselves far more insecure than windows systems; certainly based on the network probes I've seen there appear to be far more systems inhabited by linux worms than by windows trojans. We are fortunate that so far Ramen etc. haven't contained zombie payloads, but when they do I think insecure linux systems are going to be a far greater threat than XP systems (especially since XP is now going to have some sort of firewall installed by default).

I agree that source address filtering is the most important step which should be taken -- preferably followed by adding IP options to "trace back" packet floods -- but one should not exaggerate the increased danger caused by Windows XP.

DHWWnet
07-09-2001, 12:04 AM
Originally posted by Skeptical
..I mean, who'd start off with Linux as their first os to play with? ...

I think the good folks in China, Russia, Romania, etc... are using Linux or any other Un*x variants as their first O.S.

Annette
07-09-2001, 12:28 AM
Originally posted by Skeptical
It's true that the percentage of clueless morons will remain the same, but the NUMBER of cracked systems able to spoof using raw sockets will skyrocket.

Sorry, I don't buy it. The number may increase (not enough to be called a skyrocketing number, though), but it will be the same people that run executables right now - it's not the end of the Internet as we know it, because spoofing can already be done, on any Windows-based machine (since we're focusing on those at the moment), by any script kiddie who wants to send out an attachment with zombie code and a short stack to someone who will be dumb enough to run it.

If a straight DOS attack is bad enough to overrun filtering attempts (as it did in Gibson's case), the difference between flood attacks and flood attacks using spoofed packets is about the difference between being in the boiler room and being in an inside cabin when the Titanic went down. What's the difference between horrible and more horrible? Certainly not anything close to the hysteria that Gibson is trying to create.