Wednesday, May 27, 2009

Episode #41: DoS or No DoS, That Is the Question

Ed muses:

I was talking with a sysadmin buddy a couple of months ago, who told me he thought his system was under a SYN flood Denial of Service attack, but he wasn't sure. I asked, "Why aren't you sure?" He told me that he couldn't get ahold of his network guys to look at the router and IDS. I said, "You don't need them... just measure it on your end system." "How?" he asked. "Count the number of half-open connections... Oh, and you should count the number of full-open connections too, in case you have a connection flood," I answered. "How?" he repeated.

I told him to use our good friend, netstat. Half-open TCP connections are generated by a SYN flood when an attacker uses a spoofed source address that never sends RESETs to tear down half-open connections. Netstat shows such items in its output as "SYN_RECEIVED". We can count the number of half-open connections using:
C:\> netstat -na | find /c "SYN_RECEIVED"
I'm simply using the /c option of the find command to look for connections in that state. Note that find is case sensitive, so I put in all caps for SYN_RECEIVED. The find command with /i is case insensitive.

Please note that the number of normal half-open connections for most systems is relatively small, typically under a hundred. If you see several hundred, you may have a SYN flood.

Another possibility involves the attacker launching a connection flood, not just a SYN flood. Here, the bad guy won't spoof anything, but will actually complete the three-way handshake with your system again and again. Some bot-net attacks do this by sending HTTP requests to a flood target because it blends in with normal web surfing. We can count those with netstat too, using:
C:\> netstat -na | find /c "ESTABLISHED"
Now, the number of established connections is heavily dependent on the nature and use of your given machine. A busy mail server or web server may have several hundred, or it might not. It all depends. What we need to look for here is a deviation from normal behavior for the system, with a lot more connections that we normall expect.

But, the beauty here is that we are using built-in tools to determine whether we've got a SYN or connection flood, without having to bother the network or IDS guys.

Hal comments:

This is, of course, a lot easier in the Unix shell than in Windows. In fact, I can actually give you counts for all current socket states with a single command line:

$ netstat -an | awk '/^tcp/ {print $6}' | sort | uniq -c     
13 ESTABLISHED
29 LISTEN

Thanks for giving me an easy one, Ed. Maybe I'll do the same for you sometime. Maybe.