Clara Montón Pellejero TASK 1 In order to do this task, first I checked that the connection with the server is 128, this is why the attacker needs a number much higher than this one. The person who receives this has 128 open connections. 11/02/21]seed@VM :~ $ sudo sysctl -q net.ipv4.tcp_max_syn_backlog let.ipv4.tcp max syn backlog = 128 As I just care about the tsp data, I used the command netstat -ant to get the tsp. So this are the different ports that are listening, and as the photo shows there are no active connections at the moment, the port is open but there is nothing connected to it. 11/09/21]seed@VM :~ $ netstat -ant Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address cp 0 cp 0 0 127.0.1.1:53 0.0.0.0 :* LISTEN :cp 0 0 127.0.0.1:53 0.0.0.0 :* LISTEN cp cp 0 0 0.0.0.0:23 0.0.0.0 :* LISTEN tcp 0 0 127.0.0.1:953 0.0.0.0 :* LISTEN :cp 0 127.0.0.1:3306 0.0.0.0 :* LISTEN :??? 0 0 ::: 80 LISTEN :??? 0 0 ::: 53 LISTEN :??? 0 0 ::: 21 LISTEN :??? 0 0 ::: 22 LISTEN :cp6 0 0 : : : 3128 LISTEN tcp6 6 0 :: 1:953 0 10.0.2.15:53 0.0.0.0 :* 0 0.0.0.0:22 0.0.0.0 :* LISTEN Foreign Address State LISTEN LISTEN (The port is 80) we can see that it is received a lot of syn packages. tcp6 0 127.0.0.1:80 tcp6 0 127.0.0.1:88 tcp6 0 0 127.0.0.1:80 tcp6 tcp6 tcp6 0 127.0.0.1:80 tcp6 0 127.0.0.1:80 0 127.0.0.1:80 0 127.0.0.1:80 231.79.68.5:53775 SYN RECV 238.175.191.19:55770 SYN RECV 229.124.220.73:56123 SYN RECV 233.100.215.68:43216 SYN RECV 235.246.128.122:13846 SYN RECV 232.83.173.73:38695 SYN RECV 227.26.214.59:4653 SYN RECV In order to start the attack and know if it success I wrote the command: curl -s -v http://127.0.0.1:80/> /dev/null With this I check the HTTP requests(plaintext that anyone can read them and corrected by using TLS encryption). Here we can see that the attack was not successfully done as it is connected. |11/09/21|seed@VM :~ $ curl -s -v http://127.0.0.1:80/ > /dev/null Trying 127.0.0.1 ... Connected to 127.0.0.1 (127.0.0.1) port 80 (#0) I will analyze above the meaning of the command: V: which means verboseso, so the curl gives raw connection. S: which means silent, so the curl does not give unnecessary data.
http://127.0.0.1:80/: refering to the local machine, port 80. Now in order to make the attack successful, and know if the cookies are connected I used this command: sudo sysctl net.ipv4.tcp_syncookies As it appears 1 as an output, they are on, so the protection needs to be shut down. [11/09/21]seed@VM :~ $ sudo sysctl net. ipv4. tcp_syncookies het. ipv4. tcp_syncookies = 1 In order to put them off I used the command sudo sysctl -w net.ipv4.tcp_syncookies=0 [11/09/21]seed@VM :~ $ sudo sysctl -w net. ipv4. tcp_syncookies=0 net.ipv4.tcp_syncookies = 0 [11/09/21]seed@VM :~ $ sudo sysctl net.ipv4.tcp_syncookies net.ipv4. tcp_syncookies = 0 Here we can observe how the protection is shut down Now I did the attack again by using more than 128 and observe how it takes longer: 11/09/21]seed@VM :-