Tags: simulation, ddos, ns-3

What is the best way to simulate a DDoS TCP SYN flooding attack?


I want to simulate a network that is under a DDoS TCP SYN flooding attack, evaluate the performance of a new solution and compare it with other solutions. I was planning to do it using NS3, but I read somewhere on the internet that I can't do it well using a discrete event network simulator (NS3 is a discrete event network simulator). I want to know why, and what is the best alternative?


Solution

  • Unfortunately, DoS attacks cannot be simulated in ns-3. By extension, DDoS attacks cannot be simulated either.

    How does a DoS attack work?

    To understand why ns-3 can't simulate a DoS attack, we need to first understand how a DoS attack works. As you mention, TCP SYN flooding is one way of simulating a DoS attack. Why does this work? Well, any computer has a finite number of resources, for example, memory and disk space. When a computer receives a SYN, it creates a socket to facilitate communication. Given that there is a finite number of resources, only a finite number of sockets can be created. So, a DoS attack works by overwhelming a computer on the network with SYNs, thereby forcing the computer to allocate many sockets that won't be used. At some point, the computer must simply refuse any connection, even legitimate connections. This is when a DoS attack has succeeded.

    Why can't ns-3 simulate it?

    In ns-3, there is no concept of a Node having finite resources, per se. Queues within Nodes can have finite size, but there is no way to limit the number of active connections on a Node. Ergo, there is no way to simulate a DoS attack.

    A (Potential) Solution

    Contribute to ns-3! Visit the gitlab repo, and try to add the functionality you desire.


    Response to Comment(s)

    TCP in ns-3

    I was using "number of active connections" as equivalent to "number of sockets". These terms are not entirely equivalent, but for the purpose of this answer, it's okay.

    In a SYN flood, the number of packets being received is not the concern. Rather, the problem is that each SYN received spawns a half-open socket, and only a finite number of sockets can exist on the computer.

    You are suggesting saturating the Queue that receives packets. You could send a bunch of packets to saturate this Queue, and that will disrupt the Node to some extent, but this will not simulate a SYN flood. A SYN flood works because too many half-open sockets are spawned, not because a packet queue is full.

    Again, a SYN flood works because a real computer can only have a finite number of sockets. In ns-3, there is no limit to the number of sockets on a Node.

    The ns-3 model

    It seems that you may not be familiar with ns-3's model. I don't blame you; there is a steep learning curve. In ns-3, a Node is the equivalent of a computer/server/router on the network. Attached to Nodes are Applications. In turn, Applications create Sockets to facilitate communication over a network.

    Let's now look at TcpSocket, a subclass of Socket. TcpSocket maintains its state with the help of TcpTxBuffer, TcpRxBuffer, and other class variables. The Buffers are the classic buffers used by TCP to ensure reliable, ordered, and error-checked delivery/reception of data. The size of these Buffers is limited; however, there is no limit to the number of TcpSockets attached to an Application, nor is there a limit to the number of Applications attached to a Node. If such a limit existed, that would aid in simulating memory usage, but no such model exists in ns-3.

    This post on the ns-3 Google Groups also describes why you can't simulate SYN floods without changing the source code. Search that Google Group for more posts about DoS attacks. The linked post describes how you may be able to simulate other types of DoS attacks, but SYN floods are not explicitly supported.
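The finite resource the answer keeps returning to is a bounded table of half-open (SYN-RECEIVED) connections, each of which the server holds for some timeout waiting for the final ACK. The following is an added example, not code from the original post or from ns-3: a small discrete-event model of such a listener, run once with a bounded table and once with no bound at all (the situation the answer describes for ns-3 Nodes). Spoofed SYNs that never complete the handshake fill the bounded table, and legitimate handshakes start being refused; with no bound, the same flood refuses nothing. The backlog size, timeout, rates and addresses are made-up illustration values, and times are kept in integer milliseconds so the event ordering is exact.

```python
"""Toy discrete-event model of a TCP listener's half-open (SYN-RECEIVED) table.

Added example; not code from the original post or from ns-3. A bounded table of
half-open connections, each reaped after a SYN-RECEIVED timeout, is the finite
resource a SYN flood exhausts. backlog=None mimics a node with no limit on the
number of sockets, in which case the flood cannot refuse anyone.
All parameters below are made-up illustration values.
"""
import heapq
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Listener:
    backlog: Optional[int]        # None: unlimited half-open entries (no finite resource)
    syn_timeout_ms: int           # how long a SYN-RECEIVED entry waits for the final ACK
    half_open: dict = field(default_factory=dict)   # (src, sport) -> expiry time (ms)
    peak_half_open: int = 0

    def reap(self, now):
        """Drop SYN-RECEIVED entries whose timer has run out (server gives up on them)."""
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, now, key):
        """Return True if a half-open entry was allocated, False if the SYN was refused."""
        self.reap(now)
        if self.backlog is not None and len(self.half_open) >= self.backlog:
            return False                          # table full: SYN dropped, no SYN-ACK
        self.half_open[key] = now + self.syn_timeout_ms
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return True

    def on_ack(self, now, key):
        """Third handshake step: the entry leaves the half-open table, connection established."""
        return self.half_open.pop(key, None) is not None


def simulate(backlog, syn_timeout_ms=3000, duration_ms=10_000,
             legit_interval_ms=100, legit_rtt_ms=50,
             attack_start_ms=2000, attack_interval_ms=5):
    """Legitimate clients finish the handshake one RTT after their SYN; from
    attack_start_ms the attacker sends a SYN from a fresh spoofed source every
    attack_interval_ms and never answers the SYN-ACK. Returns counters."""
    lis = Listener(backlog, syn_timeout_ms)
    events, seq = [], 0          # heap of (time, seq, kind, key); seq keeps same-time order stable

    def push(t, kind, key):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, key))
        seq += 1

    n_legit = duration_ms // legit_interval_ms
    for i in range(n_legit):                      # constructed legitimate clients
        push(i * legit_interval_ms, "legit_syn", ("10.0.0.1", 40000 + i))
    n_attack = (duration_ms - attack_start_ms) // attack_interval_ms
    for j in range(n_attack):                     # constructed spoofed flood, one SYN per source
        push(attack_start_ms + j * attack_interval_ms, "attack_syn", (f"spoofed-{j}", 1024))

    stats = {"legit_attempted": n_legit, "legit_completed": 0, "legit_refused": 0,
             "attack_syns": n_attack, "attack_refused": 0, "first_legit_refusal_ms": None}
    while events:
        now, _, kind, key = heapq.heappop(events)
        if kind == "legit_syn":
            if lis.on_syn(now, key):
                push(now + legit_rtt_ms, "legit_ack", key)
            else:
                stats["legit_refused"] += 1
                if stats["first_legit_refusal_ms"] is None:
                    stats["first_legit_refusal_ms"] = now
        elif kind == "legit_ack":
            if lis.on_ack(now, key):
                stats["legit_completed"] += 1
        else:                                     # attack_syn: entry is never completed
            if not lis.on_syn(now, key):
                stats["attack_refused"] += 1
    stats["peak_half_open"] = lis.peak_half_open
    return stats


if __name__ == "__main__":
    print("finite backlog of 128:", simulate(backlog=128))
    print("no socket limit (as on an ns-3 Node):", simulate(backlog=None))
```

With the bounded listener the table reaches its limit within a few hundred milliseconds of the flood starting, and legitimate SYNs are refused until enough half-open entries time out; only a fraction of the legitimate handshakes complete. With backlog=None the table simply grows to roughly timeout divided by inter-SYN interval entries and every legitimate handshake still completes, which is the behaviour the answer attributes to ns-3's unlimited sockets. Saturating a packet queue is a different failure mode: it would drop attack and legitimate SYNs alike regardless of how many handshakes are half-open.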