This script is designed to monitor network traffic for potential SYN Flood attacks and block malicious IPs by inspecting incoming SYN packets. SYN Flood attacks are a form of Denial of Service (DoS) attack where attackers send a large number of SYN packets to overwhelm a system’s resources.
The 3-Way Handshake is the process that establishes a TCP connection between a client and server:
- SYN: The client sends a SYN packet to initiate the connection.
- SYN-ACK: The server responds with a SYN-ACK to acknowledge the request.
- ACK: The client sends an ACK to complete the handshake, establishing the connection.
Hackers can manipulate SYN packets to launch a SYN Flood attack:
-
SYN Flood: The attacker sends numerous SYN packets, often with spoofed source IPs. The target server responds with SYN-ACK but never receives the final ACK, leaving connections half-open and consuming system resources. This can crash the server or cause it to become unresponsive.
-
SYN attacks also reveal open ports on your server. When an attacker sends SYN packets to your IP address and receives a SYN-ACK response, they can infer that a port is open and reachable. Once they know which ports are exposed, these can be targeted for further attacks, such as buffer overflow or Brute Force attempts.
By detecting and blocking suspicious IPs based on excessive SYN packets, this firewall not only prevents system resource exhaustion but also limits the exposure of open ports that could later be exploited.
This Python script uses Scapy and iptables to monitor TCP connections and block IP addresses exhibiting malicious behavior (e.g., multiple port access within a short time). It checks for SYN packets and blocks IPs that exceed a threshold of port attempts.
- Monitor network traffic for incoming SYN packets concurrently.
- Block IP addresses that access multiple ports within a short time.
- Unblock IP addresses after a certain timeout.
- Utilizes iptables to manage firewall rules and block/unblock IPs.
- Customizable timeout and port threshold settings.
- Uses multithreading to avoid bottlenecks
- Python 3.x
- Scapy: Used for sniffing network packets.
- iptables: Used to block/unblock IPs by adding/removing rules.
- sudo privileges: Required for modifying
iptablesrules. - requests: For HTTP requests.
-
Clone the repo:
git clone https://github.com/Danish811/PortShield.git
-
Install necessary Python packages:
pip install scapy requests
-
Ensure
iptablesis installed (most Linux distros come with it by default):sudo apt install iptables
- RENEW_TIME: 600 seconds (10 minutes). The timeout after which blocked IPs can be unblocked.
- MAX_ATTEMPTS: 10 attempts, after which the IP is blocked.
You can modify these variables to customize the script’s behavior.
-
Packet sniffing: The script listens for incoming SYN packets on all TCP connections.
-
Blocking IP: If an IP makes attempts to access more than 10 ports within
RENEW_TIME, that IP is blocked usingiptables. The outgoing traffic to/from that IP will be dropped. -
Unblocking IP: If the IP's activity falls below the threshold (i.e., after
RENEW_TIME), it will be unblocked and allowed to send traffic again. -
Verifying if an IP is blocked: The script can check if an IP is currently blocked by querying
iptables.
Run the script using Python:
python3 main.pyThe script will start monitoring TCP SYN packets and automatically block IPs that violate the port attempt rule.
Since iptables requires root privileges to modify the firewall, ensure you have the necessary permissions.
- Use
sudoto run the script as root:sudo python3 main.py
Run the script using Python:
python3 attack.pynmap $TARGET_IP- RENEW_TIME: The time in seconds before the ports list is reset. Change it to adjust the unblocking interval.
- MAX_ATTEMPTS: The number of unique ports an IP can try to connect to before being blocked. You can modify this to your desired threshold.
- block_ip(src_ip): Blocks the IP address by adding a rule to
iptables. - unblock_ip(src_ip): Unblocks the IP address by removing the blocking rule from
iptables. - verify_block(src_ip): Checks if the IP address is currently blocked.
-
Permission issues: If you encounter
sudo: iptables: command not found, make sureiptablesis installed on your system.Install it via:
sudo apt install iptables
-
iptables errors: If
iptablesreports errors likeNo such file or directory, ensure thatiptablesis properly installed and configured for your system. You might need to switch toiptables-legacyif you're using a distribution that defaults tonftables.