Sockstress


Sockstress is an attack tool that exploits vulnerabilities in the TCP stack allowing an attacker to create a denial-of-service condition for a target server. In the normal TCP three-way handshake, a client sends a SYN packet to the server, the server responds with a SYN-ACK packet, and the client responds to the SYN-ACK with an ACK, establishing a connection. Attackers using Sockstress establish a normal TCP connection with the target server but they send a “window size 0” packet to the server inside the last ACK, instructing it to set the size of the TCP window to 0 bytes.

The TCP Window is a buffer that stores the received data before it uploads it up to the application layer. The Window Size field indicates how much more room is in the buffer in each point of time. Window size set to zero means that there is no more space whatsoever and that the other side should stop sending more data until further notice. In this case the server will send window size probe packets to the client continually to see when it can accept new information, but because the attacker does not change the window size, the connection is kept open indefinitely.

By opening many connections of this nature to a server, the attacker consumes all of the space in the server’s TCP connection table (as well as other tables), preventing legitimate users from establishing a connection. Alternately, the attacker can open many connections with a very small (around 4-byte) window size, forcing the server to break up information into a massive number of tiny 4-byte chunks. Many connections of this type will consume a server’s available memory, also causing a denial-of-service.

Research
Quarterly DDoS And Application Attack Report: Q3, 2021

Quarterly DDoS And Application Attack Report: Q3, 2021

Radware’s Quarterly DDoS and Application Attack Report provides an overview of attack activity witnessed during the third quarter of the 2021 calendar year.

Read more

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support

Get Social

Connect with experts and join the conversation about Radware technologies.

Radware Blog
Security Research Center