# Simulate SYN flood attack



## kamelia (Jun 29, 2019)

Hi,
I have userland software with the FreeBSD TCP/IP stack.
I want to simulate a SYN flooding attack on it.
I am using the hping and tcpdump tools, but it seems like it doesn't work and it drops none of the packets!
I have no idea what is wrong. Is there something I missed?

Thanks in advance!


----------



## rootbert (Jun 30, 2019)

How about more details? FreeBSD version, firewall ruleset, hping program arguments, network config, source of the userland software ...


----------



## tommiie (Jul 1, 2019)

If you are sending a bunch of SYN packets using whatever tool, you're not _simulating_ a SYN-flood attack but you're actually doing a SYN-flood attack.


----------



## kamelia (Jul 1, 2019)

rootbert said:


> How about more details? FreeBSD version, firewall ruleset, hping program arguments, network config, source of the userland software ...


FreeBSD 11
There is no ruleset in iptables.
I am using: `hping3 -c 10000 -S -p 80 --flood --rand-source 192.168.1.10`
I define variables in the tcp_syncache.c file for counting received and dropped packets, but when I'm doing the attack, these counters sometimes jump back without any errors. For example, if now cache_count=1000, then the next packet is equal to 700!
I can't understand what's going on!


----------



## SirDice (Jul 2, 2019)

kamelia said:


> there is no ruleset in iptables


IPTables is a Linux firewall, FreeBSD doesn't have it.

Your "flood" is likely not big enough to make an impact.


----------



## kamelia (Jul 2, 2019)

SirDice said:


> IPTables is a Linux firewall, FreeBSD doesn't have it.
> 
> Your "flood" is likely not big enough to make an impact.


Then what's happening here?
"I define variables in tcp_syncache.c file for counting receive and drop packets but when I'm doing attack, these counters sometimes jump back without any errors. for example, if now cache_count=1000 then next packet is equal to 700!"
Would you please help me?


----------



## SirDice (Jul 2, 2019)

Is there anything listening on port 80? If there's nothing accepting the SYN then it would simply respond with a RST and be done. The whole idea behind a SYN flood is to send a lot of SYN requests, to which the 'victim' responds with a SYN/ACK, and never finish the three-way handshake (SYN; SYN/ACK; ACK), thereby leaving a bunch of connections in a so-called "half-open" state, which uses up resources.


----------



## kamelia (Jul 2, 2019)

SirDice said:


> Is there anything listening on port 80? If there's nothing accepting the SYN then it would simply respond with a RST and be done. The whole idea behind a SYN flood is to send a lot of SYN requests, to which the 'victim' responds with a SYN/ACK, and never finish the three-way handshake (SYN; SYN/ACK; ACK), thereby leaving a bunch of connections in a so-called "half-open" state, which uses up resources.


Yes, I run nginx and it listens on port 80.
I use tcpdump and I see SYN and SYN/ACK packets and there is no RST packet.
My problem is the syncache algorithm in FreeBSD. How does it work?


----------



## SirDice (Jul 2, 2019)

Maybe read the manual page; syncache(4)?


----------
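The half-open state SirDice describes, and the SYN, SYN/ACK and RST packets discussed around the tcpdump output, can be told apart from a capture on the server side. The following is an added example, not part of any post in this thread: it classifies each handshake in tcpdump's default text output and counts half-open ones per listener. The sample lines are constructed (only 192.168.1.10 and port 80 come from the thread), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed tcpdump-style lines, not captured traffic. Client addresses and
# the closed port 8080 are made up for illustration.
SAMPLE = """\
12:00:00.000001 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [S], seq 100, win 512, length 0
12:00:00.000090 IP 192.168.1.10.80 > 10.0.0.5.40001: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:00.000300 IP 10.0.0.5.40001 > 192.168.1.10.80: Flags [.], ack 901, win 512, length 0
12:00:00.001000 IP 203.0.113.7.1234 > 192.168.1.10.80: Flags [S], seq 200, win 512, length 0
12:00:00.001080 IP 192.168.1.10.80 > 203.0.113.7.1234: Flags [S.], seq 950, ack 201, win 65535, length 0
12:00:00.002000 IP 198.51.100.9.5555 > 192.168.1.10.80: Flags [S], seq 300, win 512, length 0
12:00:00.002070 IP 192.168.1.10.80 > 198.51.100.9.5555: Flags [S.], seq 990, ack 301, win 65535, length 0
12:00:00.003000 IP 10.0.0.6.40002 > 192.168.1.10.8080: Flags [S], seq 400, win 512, length 0
12:00:00.003050 IP 192.168.1.10.8080 > 10.0.0.6.40002: Flags [R.], seq 0, ack 401, win 0, length 0
12:00:01.002070 IP 192.168.1.10.80 > 198.51.100.9.5555: Flags [S.], seq 990, ack 301, win 65535, length 0
"""

LINE = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]+)\]")

def handshake_states(text):
    """Map (client, server) -> 'syn', 'half-open', 'established' or 'refused'."""
    state = {}
    for m in map(LINE.search, text.splitlines()):
        if not m:
            continue
        src, dst, flags = m.groups()
        if flags == "S":                                    # client SYN
            state[(src, dst)] = "syn"
        elif flags == "S." and state.get((dst, src)) == "syn":
            state[(dst, src)] = "half-open"                 # server answered SYN/ACK
        elif "R" in flags and state.get((dst, src)) == "syn":
            state[(dst, src)] = "refused"                   # RST: nothing listening
        elif flags == "." and state.get((src, dst)) == "half-open":
            state[(src, dst)] = "established"               # final ACK arrived
        # A retransmitted SYN/ACK leaves an entry in 'half-open'.
    return state

def half_open_by_server(text):
    """Count handshakes stuck after SYN/ACK, grouped by listening address.port."""
    states = handshake_states(text)
    return Counter(srv for (_, srv), s in states.items() if s == "half-open")

if __name__ == "__main__":
    for server, n in half_open_by_server(SAMPLE).items():
        print(f"{server}: {n} half-open handshake(s)")
```
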

