Introduction to SYN Flood Attacker V1.0 For Linux

Source: Internet
Author: User

A TCP/IP SYN flooding attack exploits a weakness in the TCP three-way handshake by maliciously sending a large number of packets that contain only the SYN step of the handshake. The attacked computer holds each potential connection open for a certain period, which ties up a large amount of system resources that cannot be released and may cause the computer to refuse service or even crash.

Introduction:
SYN Flood Attacker V1.0 is a denial-of-service testing tool based on the TCP/IP SYN flood attack. The test target can be any TCP/IP-based system, including but not limited to Unix, Linux, Windows and Mac OS.
However, this software is only known to run in a RedHat Linux 7.x environment (it may run in other Linux environments, but this has not been tested), because it was compiled on RedHat Linux 7.x. It requires root permission to run.
Upload the software to any path on the Linux system and set its permissions with chmod 500 syn.
If that path is included in $PATH, you can enter syn directly at the # prompt. Otherwise, cd into the upload path and run ./syn.
The syntax is as follows:
Usage: syn SpoofSourceIP AttackIP AttackPort [Packages] [Loops] [Sleep second]
Where:
syn is the program name. Running it with no parameters or with missing parameters displays the syntax above.
SpoofSourceIP is the spoofed (forged) source IP address.
AttackIP is the IP address or www domain name of the attack test target.
AttackPort is the target port for the attack test.
Packages is an optional parameter giving the number of concurrent SYN packets. The default is 1 packet.
Loops is an optional parameter giving the number of cycles. The default is 1.
Sleep second is an optional parameter giving the number of seconds to sleep after each SYN attack. The default is 1 second. A value of 0 means continuous sending without sleeping.

Usage example:
A typical attack test looks like this:
syn 1.1.1.1 <target address> <destination port> 99999 9999 0
The preceding command sends 99999 SYN flood attack packets at a time to the specified port of the target address, repeats this 9999 times in a loop, and transmits continuously without sleeping.
If the attack test is effective, the target system will deny service, and the target system's network segment and gateway server will also be affected by the proliferation of bogus response packets.

Technical analysis:
Why do we need to forge the source IP address?
Spoofing the source IP address can prevent tracing. However, when a packet passes through a gateway, the source IP address is replaced with the gateway's actual IP address, so your gateway server will be exposed. Therefore, use caution when sending attack test packets from a local LAN.
On the other hand, only a forged source IP address produces the greatest test effect. If your own IP address is used, all the responses will be sent back to your system by the TCP three-way handshake. In addition, a forged source IP address affects both the target system and the real owner of the forged IP address.
However, we strongly recommend using a forged source IP address that is not reachable. Any reachable IP address will immediately answer with an RST after receiving the target's response, and the target will then release the connection. If an IP address that is unreachable, or that cannot be reached within a short period, is used, the target will remain in the SYN_RECV waiting state. If the attack packets are large enough in number, dense enough, and properly used, the target system will not be spared.
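The SYN_RECV build-up described above is what a defender can watch for on the target host. The following is an added example, not part of the original article or of the tool: it parses text in the Linux /proc/net/tcp layout and counts half-open entries per local port and per source. The sample table is constructed, the function names and threshold are illustrative, and address decoding assumes a little-endian host.

```python
import socket
import struct
from collections import Counter

TCP_SYN_RECV = 0x03  # state code for SYN_RECV in the "st" column of /proc/net/tcp

# Constructed sample: a listener on 10.0.0.10:80, five half-open entries from
# the article's example source 1.1.1.1, and one established SSH session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A00000A:0050 01010101:9C40 03 00000000:00000000 01:00000064 00000000     0        0 0
   2: 0A00000A:0050 01010101:9C41 03 00000000:00000000 01:00000064 00000000     0        0 0
   3: 0A00000A:0050 01010101:9C42 03 00000000:00000000 01:00000064 00000000     0        0 0
   4: 0A00000A:0050 01010101:9C43 03 00000000:00000000 01:00000064 00000000     0        0 0
   5: 0A00000A:0050 01010101:9C44 03 00000000:00000000 01:00000064 00000000     0        0 0
   6: 0A00000A:0016 0501A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1002
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted IP, port); assumes little-endian host."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(proc_net_tcp_text):
    """Count SYN_RECV entries per local port and per remote IP."""
    ports, sources = Counter(), Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or int(cols[3], 16) != TCP_SYN_RECV:
            continue
        _, local_port = decode_addr(cols[1])
        remote_ip, _ = decode_addr(cols[2])
        ports[local_port] += 1
        sources[remote_ip] += 1
    return ports, sources

def flooded_ports(proc_net_tcp_text, threshold):
    """Local ports whose half-open count reaches the (illustrative) threshold."""
    ports, _ = half_open_by_port(proc_net_tcp_text)
    return sorted(p for p, n in ports.items() if n >= threshold)

if __name__ == "__main__":
    ports, sources = half_open_by_port(SAMPLE)
    print("half-open per port:", dict(ports))
    print("half-open per source:", dict(sources))
    print("ports over threshold 5:", flooded_ports(SAMPLE, 5))
```

On a live host, pass the contents of /proc/net/tcp instead of SAMPLE. A sustained high count on one port is the cue to confirm that net.ipv4.tcp_syncookies is enabled.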

How to select the target port?
You can test any port that the firewall does not block or that it allows traffic to pass through. A scanner can be used to determine which ports the firewall blocks. If the firewall passes traffic to a port selectively, the port can be tested by forging a legitimate IP address.
Generally, HTTP port 80 is always usable.
Ports 135/137/138/445 on Windows systems can also be included in the scope of key tests and evaluations.
In addition, SMTP/POP3, MySQL database port 3306, and other system ports that release connections slowly or that are explicitly described in security bulletins can also be tested according to the specific situation.
Based on experience, for Windows systems, if the target system does not have an appropriate firewall, port 445 will be fatal. For MySQL port 3306 and other database connection ports, the number of transient concurrent connections they can withstand is limited, so a high-density attack will be very effective. Because some database application systems call the database through localhost or 127.0.0.1, it may be interesting to set the source IP address to 127.0.0.1.
By the way, more than 65535 concurrent attack packets will cause the port numbers on the attacking system to wrap around. In practical use, this wrap-around may cause frequent faults in the gateway firewalls along the path from the inside through to the target system, which will be overwhelmed.

Should I sleep temporarily after each attack test?
In general, continuous attack without sleep is better, but in some special cases and some special port applications, sleep for a certain period of time may be more effective.
