
Thread: dos attack/syn flood question


  1. #1
    wbeston, Just burned his ISO (joined May 2009, 3 posts)

    dos attack/syn flood question

    This is going to sound really nubbish, but this is the newbie forum...

    If one scans a host (say with nmap) and there are no results, i.e. no ports open at all (it's a router), does that mean a DoS attack or SYN flood cannot be launched against that router/host?

    thanks !

  2. #2
    Good friend of the forums (joined Feb 2009, 356 posts)

    If there is a firewall, you could overload the firewall that tries to return your packets. Nothing more.

  3. #3
    lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    SYN floods need to have a listening TCP port on the target, or a firewall that is keeping track of TCP connections, so that they can fill the state table.

    There are other DOS types however.

    Saturating a host's link with traffic will work regardless of whether the host itself has any listening ports or not. If the host is routing traffic or performing some other sort of processing of the traffic (e.g. it's performing some filtering) then you can overwhelm its available resources by sending it more traffic than it can process.

    Also keep in mind that nmap scan results are not always 100% reliable (it doesn't scan all TCP ports by default, replies could be lost or filtered etc.), so an nmap scan stating that no ports are open does not mean that no ports are listening.
    Capitalisation is important. It's the difference between "Helping your brother Jack off a horse" and "Helping your brother jack off a horse".

    The Forum Rules, Forum FAQ and the BackTrack Wiki... learn them, love them, live them.
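As an added illustration of the two conditions lupin separates above (this is not code from the thread), here is how a defender could tell them apart from a one-second capture window: a count of handshakes that got a SYN but never the client's ACK, which only exhausts something if a port or a stateful firewall is tracking them, versus the raw offered load, which hurts whatever ports are open. The record layout, the 10 Mbit/s link, the sample windows and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed one-second capture windows (not from the thread); each record is
# (src_ip, dst_port, flags, bytes). Flags: "S" client SYN, "A" client handshake
# ACK, "D" data segment. Server-side packets are omitted; only client packets matter.
LEGIT = [p for i in range(5)
         for p in ((f"10.1.1.{i}", 443, "S", 60), (f"10.1.1.{i}", 443, "A", 52))]
# 150 SYNs from 150 distinct sources that never complete: this is what fills a state table
SYN_FLOOD_WINDOW = LEGIT + [(f"10.0.{i // 256}.{i % 256}", 80, "S", 40) for i in range(150)]
# 1000 full-size data packets from one source: this fills the link and needs no open port
SATURATION_WINDOW = LEGIT + [("10.2.2.2", 80, "D", 1500)] * 1000


def half_open_counts(records):
    """Per destination port, count (src, port) handshakes that saw a SYN but never the client ACK."""
    state = {}
    for src, dport, flags, _ in records:
        key = (src, dport)
        if flags == "S":
            state[key] = "half_open"
        elif flags == "A" and state.get(key) == "half_open":
            state[key] = "established"
    counts = defaultdict(int)
    for (_, dport), st in state.items():
        if st == "half_open":
            counts[dport] += 1
    return dict(counts)


def bits_per_second(records, window_s):
    """Offered load in bit/s over the window, regardless of port or flags."""
    return sum(r[3] for r in records) * 8 / window_s


def assess(records, window_s, link_bps, syn_threshold=100, link_fraction=0.9):
    """Name the DoS condition(s) a window shows: state exhaustion, link saturation, or both."""
    findings = []
    for dport, n in sorted(half_open_counts(records).items()):
        if n >= syn_threshold:
            findings.append(f"syn_flood:port{dport}:{n}")
    bps = bits_per_second(records, window_s)
    if bps >= link_fraction * link_bps:  # assumed: 90% of the link counts as saturated
        findings.append(f"link_saturation:{bps / 1e6:.1f}Mbps")
    return findings


if __name__ == "__main__":
    for name, win in (("syn flood", SYN_FLOOD_WINDOW), ("saturation", SATURATION_WINDOW)):
        print(name, assess(win, window_s=1.0, link_bps=10e6))
```

Note that the saturation window triggers nothing in the half-open count at all, which is the point of the thread: a host with no listening ports still shows up in the bit rate.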

  4. #4
    Member (joined Jan 2010, 159 posts)

    Quote Originally Posted by lupin:
    Saturating a host's link with traffic will work regardless of whether the host itself has any listening ports or not. If the host is routing traffic or performing some other sort of processing of the traffic (e.g. it's performing some filtering) then you can overwhelm its available resources by sending it more traffic than it can process.

    Lupin hit the nail on the head here.

    Some time ago the datacenter that I worked at was the victim of a massive SYN flood. The firewalls could stop that without a problem. However, the sheer volume of traffic saturated our OC3 line and the upstream Cisco routers from our bandwidth provider began to collapse.

    It was not the type of packet that was the problem, but the volume.

    (After that happened my employer took my advice and decided to stop hosting IRC servers at our datacenter).

  5. #5
    wbeston, Just burned his ISO (joined May 2009, 3 posts)

    Would something like this work, provided many windows were opened, and the source connection is better than the destination?

    @echo off

    set ip=0.0.0.0
    set size=65500
    set timeout=1

    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    +more

  6. #6
    lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Quote Originally Posted by wbeston:
    Would something like this work, provided many windows were opened, and the source connection is better than the destination?

    @echo off

    set ip=0.0.0.0
    set size=65500
    set timeout=1

    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    start ping %ip% -l %size% -t
    +more
    I don't know that pings to 0.0.0.0 will work very well. They don't leave the network card on the Vista box I'm writing this from. The majority of routers wouldn't forward packets addressed to 0.0.0.0 either.

    When you say "Would something like this work" do you mean would this cause a DOS attack on a system?

  7. #7
    MaXe Legend, Member (joined Dec 2007, location @InterN0T, 315 posts)

    Smurf Attacks or DNS Amplification Attacks. Go look them up.

    The above is just a PoD (Ping of Death), which most systems aren't vulnerable to now.
    If it should be and it's a pain, just disable ICMP Echo on the target machine.

    But as said above, SYN floods no. There's many ways to DoS but I'm not gonna spoonfeed about this topic..

    "I realized that I had fallen down from the top of the mountain into a deep, terrifying and dark hole, just to find out that another mountain in front of me, much greater than the previous, was the next step in life. I began to wander uphill on the next mountain of life while I knew it would be much harder than the previous mountain." - MaXe

  8. #8
    lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Quote Originally Posted by MaXe Legend:
    The above is just a PoD (Ping of Death), which most systems aren't vulnerable to now.

    A ping of death needs to exceed the maximum length of an IP packet (65,535 bytes) and it needs to reach the target system to work (so no sending to 0.0.0.0). That command isn't a ping of death, it's really closer to a ping flood, although again, sending to 0.0.0.0 will be a problem.

    http://en.wikipedia.org/wiki/Ping_of_death
    http://insecure.org/sploits/ping-o-death.html

  9. #9
    wbeston, Just burned his ISO (joined May 2009, 3 posts)

    Well, I meant 0.0.0.0 to signify the target IP :P

    Yeah, what I'm asking is: would something like this be able to affect a router? (Not some big server in a datacenter, but an ISP client.)

    thanks for clearing these things up for me guy, it was very helpful

  10. #10
    lupin, Super Moderator (joined Jan 2010, 2,943 posts)

    Quote Originally Posted by wbeston:
    Yeah, what I'm asking is: would something like this be able to affect a router? (Not some big server in a datacenter, but an ISP client.)

    So basically you want advice on how to DOS a home Internet user?
