Computer Hacks and tricks: Sockstress

Wednesday, December 18, 2013


Sockstress is a user-land TCP socket stress framework that can complete arbitrary numbers of open sockets without incurring the typical overhead of tracking state. Once the socket is established, it is capable of sending TCP attacks that target specific types of kernel and system resources such as counters, timers, and memory pools. Obviously, some of the attacks described here are considered "well known". However, the full effects of these attacks are less known. Further, there are more attacks yet to be discovered/documented. As researchers document ways of depleting specific resources, attack modules could be added into the sockstress framework.
The sockstress attack tool consists of two main parts:
1) Phantom IP (fantaip) is a program that answers ARP for IP addresses. To use fantaip, type 'fantaip -i interface CIDR', Ex., 'fantaip -i eth0'. This ARP/Layer 2 function could optionally be provided by other means depending on the requirements of the local network topology. Since sockstress completes TCP sockets in user-land, it is not advisable to use sockstress with an IP address configured for use by the kernel, as the kernel would then RST the sockets. This is not strictly required, as a firewall rule that drops incoming packets with the RST flag can be used to achieve the same goal and prevent the kernel from interfering with the attack vector.
2) Sockstress: In its most basic use, sockstress simply opens TCP sockets and sends a specified TCP stress test. It can optionally send an application-specific TCP payload (e.g. a 'GET / HTTP/1.0' request). By default, after the attack it ignores subsequent communications on the established socket. It can optionally ACK probes for active sockets. The attacks take advantage of the exposed resources the target makes available after the handshake.
The client-side cookies, heavily discussed in blogs, news and discussion lists, are an implementation detail of sockstress and are not strictly necessary for carrying out these attacks.

Connection flood stress

Sockstress does not have a special attack module for performing a simple connection flood attack, but any of the attack modules can be used as such if the -c-1 (max connections unlimited) and -m-1 (max SYN unlimited) options are used. This would approximate the naptha attack by performing a connection flood, exhausting all available TCBs as described in the CPNI document in section 3.1.1.
Example commands:
  1. fantaip -i eth0 -vvv
  2. sockstress -A -c-1 -d -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv

Zero window connection stress

Create a connection to a listening socket and, upon completion of the 3-way handshake (inside the last ACK), advertise a 0 window.
       syn -> (4k window)
               <- syn+ack (32k window)
       ack -> (0 window)
Now the server will have to "probe" the client until the zero window opens up. This is the simplest of the attack types to understand. The result is similar to a connection flood, except that the sockets remain open potentially indefinitely (when -A/ACK is enabled). This is described in the CPNI document in section 2.2. A variation here would be to PSH a client payload (e.g. 'GET / HTTP/1.0') prior to setting the window to 0. This variation would be similar to what is described in the CPNI document section 5.1.1. A further variation would be to occasionally advertise a TCP window larger than 0, then go back to a 0 window.
Good against:
services that have long timeouts
Example commands:
  1. fantaip -i eth0 -vvv
  2. sockstress -A -c-1 -d -m-1 -Mz -p22,80 -r300 -s192.168.1.128/25 -vv
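The two stress types above leave a recognisable footprint on the server side: a client whose handshake-closing ACK (or first ACK after a PSH payload) advertises a zero window, followed by repeated 1-byte window probes from the server, and many completed handshakes arriving from one small source range (the examples use 192.168.1.128/25). The following detector, an added example that is not part of the sockstress tool or of the original post, runs both checks over a constructed list of TCP segment summaries. The `Segment` record, the `SAMPLE` traffic, the addresses and the rule that a 1-byte pure ACK from the server while the client window is 0 counts as a window probe are all assumptions made for illustration.

```python
"""Detect zero-window connection stress and connection floods from TCP segment
summaries. Added example; not part of sockstress or the original post."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Segment(NamedTuple):
    src: str      # "ip:port" of sender (assumed summary format)
    dst: str      # "ip:port" of receiver
    flags: str    # TCP flags, e.g. "S", "SA", "A", "PA"
    window: int   # advertised receive window in bytes
    payload: int  # payload length in bytes


# Constructed sample traffic (not a real capture). Flow 1 advertises a zero
# window in the third handshake segment; flow 2 pushes a payload first and then
# drops to a zero window; flow 3 is a benign client. Addresses are placeholders.
SAMPLE: List[Segment] = [
    Segment("192.168.1.130:40001", "10.0.0.5:80", "S", 4096, 0),
    Segment("10.0.0.5:80", "192.168.1.130:40001", "SA", 32768, 0),
    Segment("192.168.1.130:40001", "10.0.0.5:80", "A", 0, 0),      # zero window
    Segment("10.0.0.5:80", "192.168.1.130:40001", "A", 32768, 1),  # window probe
    Segment("192.168.1.130:40001", "10.0.0.5:80", "A", 0, 0),      # still zero
    Segment("10.0.0.5:80", "192.168.1.130:40001", "A", 32768, 1),  # window probe
    Segment("192.168.1.130:40001", "10.0.0.5:80", "A", 0, 0),
    Segment("192.168.1.131:40002", "10.0.0.5:80", "S", 4096, 0),
    Segment("10.0.0.5:80", "192.168.1.131:40002", "SA", 32768, 0),
    Segment("192.168.1.131:40002", "10.0.0.5:80", "PA", 4096, 15),  # 'GET / HTTP/1.0'
    Segment("192.168.1.131:40002", "10.0.0.5:80", "A", 0, 0),       # zero window
    Segment("10.0.0.5:80", "192.168.1.131:40002", "A", 32768, 1),   # window probe
    Segment("192.168.1.131:40002", "10.0.0.5:80", "A", 0, 0),
    Segment("10.0.0.5:80", "192.168.1.131:40002", "A", 32768, 1),   # window probe
    Segment("192.168.1.131:40002", "10.0.0.5:80", "A", 0, 0),
    Segment("203.0.113.7:51000", "10.0.0.5:80", "S", 65535, 0),
    Segment("10.0.0.5:80", "203.0.113.7:51000", "SA", 32768, 0),
    Segment("203.0.113.7:51000", "10.0.0.5:80", "A", 65535, 0),
    Segment("203.0.113.7:51000", "10.0.0.5:80", "PA", 65535, 15),
    Segment("10.0.0.5:80", "203.0.113.7:51000", "PA", 32768, 512),
]


def group_flows(segments: List[Segment]) -> Dict[Tuple[str, str], List[Segment]]:
    """Group segments by the unordered socket pair, preserving arrival order."""
    flows: Dict[Tuple[str, str], List[Segment]] = defaultdict(list)
    for seg in segments:
        key = tuple(sorted((seg.src, seg.dst)))  # type: ignore[assignment]
        flows[key].append(seg)  # type: ignore[index]
    return flows


def zero_window_flows(segments: List[Segment], min_probes: int = 2) -> List[Tuple[str, str]]:
    """Return (client, server) pairs where the client (the SYN sender) advertised
    a zero window in an ACK after the handshake and the server then sent at
    least `min_probes` 1-byte window probes (assumed probe heuristic)."""
    hits = []
    for segs in group_flows(segments).values():
        syn = next((s for s in segs if s.flags == "S"), None)
        if syn is None:
            continue  # no handshake seen; nothing to judge
        client, server = syn.src, syn.dst
        client_zero, probes = False, 0
        for s in segs:
            if s.src == client and "A" in s.flags and s.window == 0:
                client_zero = True
            elif s.src == server and client_zero and s.flags == "A" and s.payload == 1:
                probes += 1
        if client_zero and probes >= min_probes:
            hits.append((client, server))
    return hits


def connections_per_prefix(segments: List[Segment], prefixlen: int = 25) -> Dict[str, int]:
    """Count completed handshakes per client source prefix. A large count from
    one small prefix approximates the connection-flood pattern described above."""
    counts: Dict[str, int] = defaultdict(int)
    for segs in group_flows(segments).values():
        syn = next((s for s in segs if s.flags == "S"), None)
        if syn is None:
            continue
        # Handshake completed once the SYN sender has sent any ACK segment.
        if not any(s.src == syn.src and "A" in s.flags for s in segs):
            continue
        ip = syn.src.rsplit(":", 1)[0]
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("zero-window flows:", zero_window_flows(SAMPLE))
    print("connections per /25:", connections_per_prefix(SAMPLE))
```

On the constructed sample the first function flags both hostile flows and ignores the benign one; the second reports two completed connections from 192.168.1.128/25 and one from 203.0.113.0/25. Against real traffic the probe heuristic should be tuned to what the local stack actually emits, and the prefix counter is only meaningful when compared with a baseline for the same service.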

So basically, sockstress is a tool that redirects the attacker's data and sends it back at them. This can be dangerous in some cases, because if you are looking at a large attack with a large amount of data, you would double the amount of traffic on the World Wide Web, and if there was a large enough attack it could have the possibility of completely overflowing the data limit on the World Wide Web, which is extremely unlikely because you would need millions and millions of attackers.
Here is the source code:


I take no responsibility for anything you do with this, nor do I encourage the use of this in malicious ways.
