the-binary - Commands 10/11 - Initiate TCP SYN Flood
Purpose:
This command causes the agent to initiate a TCP SYN flood.
Format:
A handler sends the following commands to initiate a TCP SYN Flood
(xxx = don't care):
Format for command 10:

  2 | xxx | xxx | 10 | dest ip | destPortHi | destPortLo | srcFlag |
  source ip | source ip | nameFlag | name... |
  padding for a minimum packet size of 201 bytes including the IP header |

Format for command 11:

  2 | xxx | xxx | 11 | dest ip | destPortHi | destPortLo | srcFlag |
  src ip | source ip | count | nameFlag | name... |
  padding for a minimum packet size of 201 bytes including the IP header |
NOTE: the shaded bytes must be encoded prior to transmission to the agent.
Commands 10 and 11 differ only in the inclusion of a 'count' parameter
in command 11. This parameter is described below.
Parameters:

dest IP:
  The ip of the host to be targeted by the SYN flood. This is in network
  byte order and is ignored if nameFlag is non-zero. See the description
  of nameFlag/name below.

destPortHi/destPortLo:
  The destination port to which the SYN packet will be sent.

srcFlag: boolean
  Flag to indicate usage of the source ip field. If this flag is zero, the
  supplied source IP will be ignored, and random source IPs will instead be
  used for each SYN packet sent.

source ip:
  The IP to be used (spoofed) as the source of each SYN packet. Used
  only if srcFlag is non-zero.

count: int range 0-255
  For command 10 this value is set to zero. The user sets this parameter
  for command 11 attacks. This parameter sets the time between calls
  to gethostbyname when a host is being targeted by name rather than IP:
  a lookup is performed following every 40000 * count packets. A count
  of zero is equivalent to a count of 1.

nameFlag: boolean
  If non-zero, ignore the destination IP and instead do a gethostbyname lookup
  on the hostname specified in the name parameter. If a name lookup
  fails, the flood process will sleep for 10 minutes before attempting another
  lookup. The flood process will loop indefinitely until a successful
  lookup occurs, at which point the process will commence flooding the named
  host. At some multiple of 40000 packets (controlled by the count
  parameter), the process will perform a new lookup on the host to re-validate
  its ip address. This appears to be an attempt to work around the
  fixed IP problem that was used to neutralize the Code Red DoS of whitehouse.gov.

name: char*
  Useful only if nameFlag is non-zero. This parameter contains the
  null-terminated host name of the host to be targeted by this SYN flood.
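As an added illustration (not code from the original analysis or from the-binary itself), the following Python decoder parses the body of a command 10/11 message once the handler's encoding has been removed, so that captured handler-to-agent traffic can be tagged and triaged. The byte widths are assumptions read off the table above rather than stated in the report: one byte each for the leading 2, the command number, destPortHi/destPortLo, srcFlag, count and nameFlag; four bytes for each IPv4 address; name is NUL-terminated and trailing padding is ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example: decoder for the-binary's command 10/11 body (after the
# handler's encoding has been removed). Field widths are assumptions from the
# table: one byte each for the constant 2, command, destPortHi/Lo, srcFlag,
# count and nameFlag; four bytes for each IPv4 address; name is NUL-terminated.
SYN_FLOOD_COMMANDS = (10, 11)
LOOKUP_PACKET_BASE = 40000


@dataclass
class SynFloodCommand:
    command: int
    dest_ip: str
    dest_port: int
    src_flag: int
    source_ip: str
    count: int       # always 0 for command 10
    name_flag: int
    name: str        # empty unless name_flag is non-zero


def lookup_interval_packets(count: int) -> int:
    """Packets sent between gethostbyname calls; a count of 0 behaves as 1."""
    return LOOKUP_PACKET_BASE * (count or 1)


def parse_syn_flood_command(body: bytes) -> Optional[SynFloodCommand]:
    """Return the decoded command, or None if body is not a well-formed 10/11."""
    if len(body) < 16 or body[0] != 2 or body[3] not in SYN_FLOOD_COMMANDS:
        return None
    command = body[3]
    dest_ip = str(ipaddress.IPv4Address(body[4:8]))      # network byte order
    dest_port = (body[8] << 8) | body[9]                  # destPortHi, destPortLo
    src_flag, source_ip = body[10], str(ipaddress.IPv4Address(body[11:15]))
    pos, count = 15, 0
    if command == 11:                                     # count only in cmd 11
        count, pos = body[15], 16
    if pos >= len(body):
        return None                                       # truncated message
    name_flag, pos = body[pos], pos + 1
    name = ""
    if name_flag:                                         # name overrides dest ip
        end = body.find(b"\x00", pos)
        if end < 0:
            return None                                   # unterminated name
        name = body[pos:end].decode("ascii", errors="replace")
    return SynFloodCommand(command, dest_ip, dest_port, src_flag,
                           source_ip, count, name_flag, name)
```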
Action:

The agent sends no response to this message. It simply initiates
a SYN flooding service against dest IP/name as specified by the nameFlag
parameter. Generated SYN packets display the following attributes:

- randomized spoofed IP if srcFlag is zero, or specific spoofed IP if srcFlag
  is one.
- randomized ip ttl in the range 128 - 240
- randomized ip id in the range 2 - 3090
- randomized tcp window in the range 200 - 1600
- randomized tcp source port in the range 1 - 40000
- randomized tcp sequence number in the range 1 - 40000000