Skip to content
/ stress-testing-scripts Public

Small compilation of Denial-of-Service scripts that act effectively against Routers and other IoT devices

0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

waived/stress-testing-scripts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
scripts
scripts
 
 
LEGAL.txt
LEGAL.txt
 
 
README.txt
README.txt
 
 

Repository files navigation

This repository contains a small collection of transport layer Denial-of-Service scripts
that act effectively against Routers, Firewalls, Servers, and various IoT devices.

The descriptions are as follows...

ACK:
  The TCP-ACK (Acknowledge) flood is most effective against firewalls and servers, whereas
  routers and load balancers are often not susceptible to this attack. By taking advantage
  of vulnerabilities in the TCP three-way handshake, spoofed ACK packets are sent to the
  endpoint. The device will then attempt to make sense of these packets, trying to link them
  with a session that does not exist. In addition to causing general network congestion, 
  resource exhaustion is the true end goal of this attack. 

  This attack may be used in place of a standard SYN flood, as certain systems may make use
  of SYN-cookies, which thwart such an attack. Since ACK floods are not hindered by the SYN-
  cookie feature, they pass to the endpoint without being rejected.

ACK-FRAG:
  A Fragmented Acknowledge flood as a modified version of the standard TCP-ACK flood. In
  this specific example, the attack will generate a spoofed source address when sending the
  ACK packets. The attack will generate anywhere between 50 to 150 of these fragmented packets.
  The acknowledgement number of these ACK packets will stay the same, however the randomly
  generated initial sequence number will increase by one per each packet. Finally, a complete
  ACK packet will be sent to the endpoint. The endpoint device will then struggle to piece
  together the ACK fragments, causing again, not only general network congestion, but
  resource exhaustion as well.

BOGUS:
  A bogus flood is an attack that sends packets to an endpoint with randomly chosen and enabled
  packet flags which act redundantly with each other. FIN-RST, SYN-FIN, URG-PSH-ECE, etc. The
  flags are randomly chosen per packet, also containing a spoofed source address. The goal is to
  completely overwhelm the endpoint with as much incoherent requests as possible and bog the
  network down.

DOMINATE:
  This attack method is a variation of the well known SYN flood. Via a weakness in the TCP-
  3-way handshake, Dominate will initiate as many concurrent connections to the endpoint as
  possible. With the SYN flag set, Dominate also enables the ECE (Explicit Congestion Notification 
  Echo) and CWR (Content Window Reduced) flag as well.

  During a conversation between a client and a server, the client may send one or more requests.
  The server obviously serves the requests. However, when the server is under a heavy load
  (non-malicious network congestion) the server may choose to send response/s with the ECE
  flag enabled. This tells the client that the server network is experiencing congestion
  and that in order to maintain the integrity of the data transveral, the client should
  reduce their content window size. If the client is ECN compliant, the client will have
  both the ECE and CWR flags enabled when sending any more requests. This also lets the server
  know that the requests have been downsized.

  In a dominate attack, these flags are already pre-set, letting the endpoint believe that
  the requests are being downsized for accomidate their network. Variations of Dominate also
  contain junk data buffers.This type of attack can work effectively against some known load
  balancers and specifically has been known to take down prominent OVH services.

L4:
  Short for 'Layer-4' flood, or sometimes known as a 'COMBO flood,' this attack is
  a combination of both UDP and TCP floods. Here a dynamic data buffer is generated
  where the attacker specifies the range of bytes to generate per request, and the
  attacker spams the endpoint with these UDP/TCP packets containing an gibberish data
  buffer. This attack is not spoofed and the attacker's true source address is exposed.

MIXAMP:
  This specific method is sometimes known as a 'UDP-MIX' or 'UDP AMP' flood. Its a reflective/
  amplified, Distributed Denial-of-Service attack. The attacker loads into the script a
  list of reflectors (servers who are running a UDP service vulnerable to packet reflection
  attacks). The format for the list is <ip>:<port> and this method supports various
  services including but not limited to: DNS, NTP, CharGen, WS-Discovery, DVR IP Cameras,
  SSDP, SSMP, Microsoft SQL database, MemCache, etc.

  Here the source address of each packet is spoofed to be the victim's address. The 
  attacker spends specifically crafted packets to the IP:PORT found in the reflector
  list. These requests are then responded to and sent back to the victim's endpoint, as
  the services believe the victim was the one who made the request. Because these mixed
  service types are 'amplified' (where they send more data to the victim than what was
  requested) the attack has a larger data overhead and puts more or a strain on the 
  victim's network than what could have naturally be generated by the attacker.

RST: 
  Sometimes known as a 'TCP-Reset' flood, this attack sends RST packets to the
  endpoint. An RST packet essentially asks the endpoint to re-initiate the
  connection and start over. Here the connection will hang and eat up server-
  side resources. Eventually, the endpoint will being to drop legitimate connections
  and become inaccessible to legitimate users. Each packet contains a spoofed
  source address.

SSYN:
  Spoofed SYN (Synchronize) flood, or sometimes known as a 'half-open' attack. This attack relies on
  socket state-exhaustion to cripple the victim. The attack will generate a barrage of SYN packets, each
  with its own spoofed source address. The endpoint thinks that these source addresses are attemping to
  establish a TCP connection. The endpoint will send out SYN-ACK (Synchronize-Acknowledge) packets to the
  source addresses and await the final ACK packet to signal the completion of the handshake. With every SYN
  packet, the endpoint will reserve a TCP socket, and open said socket once the handshake is completed.
  However, this attack does not fully complete the handshake, and therefore the system expends all of its
  available sockets (each system varies in how many sockets it can spawn at once). After it runs out, all
  legitimate traffic will not be able to establish a connection.

  After a while, the reserved sockets will be thrown out, and reused to serve other legitmate users.
  The rate in which the attack will push out SYN packets will be way quicker than the turnover time for
  each reserved connection. Ultimately, the endpoint will crawl to a halt.

  Note: this attack will be rendered useless if the endpoint has SYN-cookies enabled. To bypass
  this security measure, use other attacks instead, such as ACK, ACKFRAG, RST, etc. 

SYNACK:
  This attack leverages the TCP 3-way handshake vulnerability by starting off the conversation in the
  middle. Instead of sending a SYN packet to initiate a TCP connection, it sends a SYN+ACK packet to
  the endpoint. The endpoint then assumes a handshake was already made, originating from the device or
  network and attempt to send a final ACK packet unfruitfully to spoofed source address. The end goal
  is to consume all server-side resources.

TSUNAMI:
  This attack is also known as a PSH+ACK (Push Acknowledge) flood. The PSH flag instructs the endpoint
  to process the data immediately, raising its priority level, and the ACK flag denotes the end of the
  TCP 3-way handshake. However, in this attack the PSH+ACK packet also contains a junk data buffer. This
  buffer is dynamic in size and content, specified by the attacker, and makes a hybrid DoS attack out of
  both volumetric and protocol abuse methods. It also manages to bypass SYN-cookies entirely. It puts
  load on the endpoint network and additionally creates server-side confusion.

SUDP:
  Spoofed UDP (datagram flood) takes advantage of weaknesses in the UDP protocol. Since this is a connectionless
  protocol, the source address can easily be spoofed. This attack incorperates a dynamic data buffer in both
  size and content, specified by the user. Its volumetric capabilities overwhelm the endpoint network and leave
  server-side resources exhausted.

XMAS:
  This is known as a Christmas flood, since all the packet flags are 'lit up' like a Christmas tree. Each
  packet, which contains a spoofed source address, sends all of the packet flags at once: SYN, ACK, URG, PSH,
  FIN, ECE, CWR, and RST. This attack overwhelms the target system, consuming its resources and causing it to
  become unresponsive to legitimate traffic. This attack is also known as a 'TCP All-flag' attack.

*** NOTE ***
  Python is 10 to 100 times faster when compiled. When a script is not compiled, it needs to be interpreted
  and its performance is slowed down. Compiling into a .pyc or even .elf/.exe format will increase performance.

About

Small compilation of Denial-of-Service scripts that act effectively against Routers and other IoT devices

Topics

denial-of-service spoofed-packets layer3 firewall-bypass layer4 cloudflare-bypass layer4bypass denial-of-service-attack iphm layer4-ddos

Resources

Readme
Activity

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages