the-binary - Commands 10/11 - Initiate TCP SYN Flood

Purpose:

This command causes the agent to initiate a TCP SYN flood.

Format:

A handler sends the following commands to initiate a TCP SYN flood (xxx = don't care):

Format for command 10 (fields in transmission order):
2 xxx xxx 10
dest ip
destPortHi
destPortLo
srcFlag
source ip
nameFlag
name...
padding for a minimum packet size of 201 bytes including the IP header

Format for command 11 (fields in transmission order):
2 xxx xxx 11
dest ip
destPortHi
destPortLo
srcFlag
source ip
count
nameFlag
name...
padding for a minimum packet size of 201 bytes including the IP header

NOTE: the shaded bytes (in the original diagram) must be encoded prior to transmission to the agent.

Commands 10 and 11 differ only in the inclusion of a 'count' parameter in command 11. This parameter is described below.

Parameters:

dest IP:
The IP address of the host to be targeted by the SYN flood. It is in network byte order and is ignored if nameFlag is non-zero. See the description of nameFlag/name below.
 
destPortHi/destPortLo:
The destination port to which each SYN packet will be sent (high and low byte).

srcFlag: boolean
Flag indicating whether the source IP field is used. If this flag is zero, the supplied source IP is ignored and a random source IP is used for each SYN packet sent.
 
source ip:
The IP address to be used (spoofed) as the source of each SYN packet. Used only if srcFlag is non-zero.

count: int range 0-255
For command 10 this value is set to zero. The user sets this parameter for command 11 attacks. It sets the interval between calls to gethostbyname when a host is targeted by name rather than by IP: a lookup is performed after every 40000 * count packets. A count of zero is equivalent to a count of 1.
 
nameFlag: boolean
If non-zero, ignore the destination IP and instead perform a gethostbyname lookup on the hostname given in the name parameter. If the lookup fails, the flood process sleeps for 10 minutes before attempting another lookup, and it loops indefinitely until a lookup succeeds, at which point it commences flooding the named host. After some multiple of 40000 packets (controlled by the count parameter), the process performs a new lookup on the host to re-validate its IP address. This appears to be an attempt to work around the fixed-IP problem that was used to neutralize the Code Red DoS of whitehouse.gov.
 
name: char*
Used only if nameFlag is non-zero. This parameter contains the null-terminated hostname of the host to be targeted by this SYN flood.
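For an analyst reading a captured handler-to-agent message, the format and parameter descriptions above translate directly into a decoder. The following is an added example, not code from the original analysis or from the-binary itself. It assumes a byte layout the page only implies: fields packed one after another in the listed order, the two IP addresses as 4 raw bytes each, single-byte port halves and flags, and the name null-terminated. It also assumes the handler's encoding of the shaded bytes has already been undone, since that encoding is not described on this page; the sample messages below are constructed, not captured traffic, and use documentation address ranges.

```python
"""Decoder for the-binary's SYN-flood commands 10 and 11 as described on this page.

Assumptions made for this example (not stated on the page):
  * fields are packed back to back in the listed order, IPs as 4 raw bytes
    (network byte order), ports and flags as single bytes, name null-terminated;
  * the input is the already-decoded command (the shaded-byte encoding is out
    of scope here).
"""
import socket
from dataclasses import dataclass
from typing import Optional

IP_HEADER_LEN = 20                                  # page: "201 bytes including the IP header"
MIN_PACKET_LEN = 201
MIN_PAYLOAD_LEN = MIN_PACKET_LEN - IP_HEADER_LEN    # 181 bytes of command payload
LOOKUP_INTERVAL_UNIT = 40000                        # page: lookup every 40000 * count packets


@dataclass
class SynFloodCommand:
    command: int            # 10 or 11
    dest_ip: str
    dest_port: int
    src_flag: int
    source_ip: str
    count: int              # page: zero for command 10
    name_flag: int
    name: Optional[str]

    @property
    def effective_target(self) -> str:
        # page: a non-zero nameFlag means dest IP is ignored in favour of the name
        return f"name:{self.name}" if self.name_flag else f"ip:{self.dest_ip}"

    @property
    def spoofed_source(self) -> str:
        # page: srcFlag zero means a random source address per SYN packet
        return self.source_ip if self.src_flag else "random per packet"

    @property
    def lookup_interval_packets(self) -> int:
        # page: count of zero behaves like a count of 1
        return LOOKUP_INTERVAL_UNIT * max(self.count, 1)


def parse_syn_flood_command(payload: bytes) -> SynFloodCommand:
    """Decode a (plaintext) command 10 or 11 message; raise ValueError on anything else."""
    if len(payload) < MIN_PAYLOAD_LEN:
        raise ValueError(f"payload is {len(payload)} bytes; page requires >= {MIN_PAYLOAD_LEN}")
    msg_type, cmd = payload[0], payload[3]          # bytes 1 and 2 are "don't care"
    if msg_type != 2 or cmd not in (10, 11):
        raise ValueError(f"not a SYN-flood command (type={msg_type}, cmd={cmd})")
    dest_ip = socket.inet_ntoa(payload[4:8])
    port_hi, port_lo, src_flag = payload[8], payload[9], payload[10]
    source_ip = socket.inet_ntoa(payload[11:15])
    pos = 15
    count = 0
    if cmd == 11:                                   # only command 11 carries count
        count = payload[pos]
        pos += 1
    name_flag = payload[pos]
    pos += 1
    name = None
    if name_flag:
        end = payload.find(b"\x00", pos)
        if end == -1:
            raise ValueError("nameFlag set but name is not null-terminated")
        name = payload[pos:end].decode("ascii", errors="replace")
    return SynFloodCommand(cmd, dest_ip, (port_hi << 8) | port_lo, src_flag,
                           source_ip, count, name_flag, name)


# Constructed sample: command 11 targeting a hostname with random sources.
SAMPLE_CMD_11 = (
    bytes([2, 0, 0, 11])            # type 2, two don't-care bytes, command 11
    + bytes([192, 0, 2, 10])        # dest ip 192.0.2.10 (ignored: nameFlag set)
    + bytes([0x00, 0x50])           # destPortHi/destPortLo -> port 80
    + bytes([0])                    # srcFlag 0 -> random source per packet
    + bytes([0, 0, 0, 0])           # source ip (ignored because srcFlag is 0)
    + bytes([3])                    # count 3 -> lookup every 120000 packets
    + bytes([1])                    # nameFlag 1
    + b"target.example\x00"         # name, null-terminated
).ljust(MIN_PAYLOAD_LEN, b"\x00")   # padding to the 181-byte minimum payload

# Constructed sample: command 10 targeting an IP with a fixed spoofed source.
SAMPLE_CMD_10 = (
    bytes([2, 0, 0, 10])
    + bytes([192, 0, 2, 20])        # dest ip 192.0.2.20
    + bytes([0x01, 0xBB])           # port 443
    + bytes([1])                    # srcFlag 1 -> use source ip
    + bytes([198, 51, 100, 7])      # source ip 198.51.100.7
    + bytes([0])                    # nameFlag 0 (no count byte in command 10)
).ljust(MIN_PAYLOAD_LEN, b"\x00")


if __name__ == "__main__":
    for sample in (SAMPLE_CMD_11, SAMPLE_CMD_10):
        c = parse_syn_flood_command(sample)
        print(f"cmd {c.command}: target={c.effective_target} port={c.dest_port} "
              f"source={c.spoofed_source} lookup_every={c.lookup_interval_packets} packets")
```

The decoder refuses payloads shorter than the 181-byte minimum and a name without its terminator, which are the two checks an analyst wants before trusting the decoded fields; the interpretation helpers on the dataclass encode the page's rules for which field wins (name over IP, random over supplied source).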

Action:

The agent sends no response to this message. It simply initiates a SYN flooding service against the dest IP or name, as selected by the nameFlag parameter. Generated SYN packets display the following attributes: