Sockstress Test

Background

Sockstress is an old attack, from 2008, that completes TCP handshakes and then lowers the TCP window size to zero. This ties up connections at layer 4, somewhat like the SlowLoris attack does at layer 7.
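A defender-side check for the pattern described above, added here as an example (it is not part of the original post or of the sockstress code): it walks captured TCP headers and reports clients that hold several handshaked connections while advertising a zero receive window. The function names, the threshold of 3, and the sample capture with its documentation-range addresses are all assumptions constructed for illustration.

```python
import struct
from collections import defaultdict

SYN, RST, ACK = 0x02, 0x04, 0x10

def tcp_fields(hdr):
    """Return (src_port, dst_port, flags, window) from a raw TCP header."""
    sport, dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", hdr[:16])
    return sport, dport, off_flags & 0x3F, window

def zero_window_clients(packets, threshold=3):
    """packets: (src_ip, dst_ip, tcp_header) tuples in capture order.
    Returns {client_ip: count} for clients with at least `threshold` flows
    that completed the handshake and currently advertise a zero window."""
    state = {}                   # (client, cport, server, sport) -> stage
    stalled = defaultdict(set)   # client_ip -> flows stuck at window 0
    for src, dst, hdr in packets:
        sport, dport, flags, window = tcp_fields(hdr)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & RST:                      # a reset ends the flow either way
            for key in (fwd, rev):
                state.pop(key, None)
                stalled[key[0]].discard(key)
        elif flags & SYN and not flags & ACK:
            state[fwd] = "syn"
        elif flags & SYN:                    # SYN-ACK from the server
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif flags & ACK and fwd in state and state[fwd] != "syn":
            state[fwd] = "established"       # client ACK completes the handshake
            if window == 0:
                stalled[src].add(fwd)
            else:
                stalled[src].discard(fwd)    # window reopened: normal flow control
    return {ip: len(f) for ip, f in stalled.items() if len(f) >= threshold}

def make_hdr(sport, dport, flags, window):
    """Build a 20-byte TCP header (constructed sample data, zero seq/checksum)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, window, 0, 0)

def sample_capture():
    """Constructed capture: one client stalls 4 flows, another behaves normally."""
    server, pkts = "192.0.2.10", []
    for client, ports, win in (("203.0.113.5", range(40000, 40004), 0),
                               ("198.51.100.7", [51000], 29200)):
        for p in ports:
            pkts += [(client, server, make_hdr(p, 80, SYN, 1024)),
                     (server, client, make_hdr(80, p, SYN | ACK, 14480)),
                     (client, server, make_hdr(p, 80, ACK, win))]
    return pkts
```

A single zero-window advertisement is ordinary TCP flow control, which is why the check counts concurrent stalled flows per client instead of flagging individual packets.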

I searched for working code to test it a few years ago, but couldn't find any, and I thought it had been patched.

Then, a week or two ago, @seeveeare contacted me on Twitter and said it was really powerful and I should check it out.

At first it seemed weak to me, because a cursory reading of the Wikipedia page made me expect it to kill the target OS completely. But then I read it more carefully and realized that when attacking from a single IP address, and for only a brief time, I should only expect to render a single service unavailable, not kill the whole OS.

Attacking Apache with Sockstress

So I tested it using the same setup as SlowLoris: Target is on the left, a BackTrack 5 R3 virtual machine running Apache. Attacker is on the right, running sockstress.

As you can see below, it exhausts all available requests after just a few seconds.

So it's worth checking out, especially since variants of the attack are supposed to kill the target OS entirely, even to the point of making it unbootable.

References

http://en.wikipedia.org/wiki/Sockstress

Get sockstress source code here: https://defuse.ca/sockstress.htm

Credit

Thanks to @seeveeare and rcv for informing me about this.


Posted 3:52 PM 1-1-13 by Sam Bowne
Credits added 6:05 pm 1-1-13