Sockstress is an attack tool that exploits vulnerabilities in the TCP stack allowing an attacker to create a denial-of-service condition for a target server. In the normal TCP three-way handshake, a client sends a SYN packet to the server, the server responds with a SYN-ACK packet, and the client responds to the SYN-ACK with an ACK, establishing a connection. Attackers using Sockstress establish a normal TCP connection with the target server but they send a “window size 0” packet to the server inside the last ACK, instructing it to set the size of the TCP window to 0 bytes.

The TCP Window is a buffer that stores the received data before it uploads it up to the application layer. The Widow Size field indicates how much more room is in the buffer in each point of time. Window size set to zero means that there is no more space whatsoever and that the other side should stop sending more data until further notice. In this case the server will send window size probe packets to the client continually to see when it can accept new information, but because the attacker does not change the window size, the connection is kept open indefinitely.

By opening many connections of this nature to a server, the attacker consumes all of the space in the server’s TCP connection table (as well as other tables), preventing legitimate users from establishing a connection. Alternately, the attacker can open many connections with a very small (around 4-byte) window size, forcing the server to break up information into a massive number of tiny 4-byte chunks. Many connections of this type will consume a server’s available memory, also causing a denial-of-service.

DDoSPedia Index