Skip to main content

tcp flood

Summary

TCP flood DoS attacks

What it does

A DoS tool for exhausting the number of TCP connections. This tool allows testers to check the robustness of TCP servers, allowing for a large number of open TCP connections which are kept open by sending data periodically. It works asynchronously and at packet level, thus allowing for larger numbers of open connections than those normally allowed by the operating system. By making use of the built-in rate limiter, testers are able to bypass network security protection while still exhausting basic resources such as the socket connection count.

Tool functionality

The TCP flood tool tries to open and maintain a large number of connections with the target server, sending a valid payload to do so. This is a denial-of-service tool and is very effective for TCP servers that keep connections open for a long time. Vulnerable target servers often run out of file descriptor resources.

Command format

sipvicious tcp flood <target1 [target2 [target3 ...]]> [flags]

Flags

      --payload-file string   Set a file containing the data to send over each open TCP connection
      --rate string           Specify how many packets to send for each period of time; format: packets/duration; e.g. 100/30ms
      --sockets int           Specify the maximum number of sockets to take up on the target server (default 9999999)
      --srchwstr string       Set the source MAC address; useful for attack nodes with multiple interfaces
      --srcipstr string       Set the source IP address; useful for attack nodes with multiple interfaces

Flags inherited from parent commands

  -C, --config string       configuration file to use (may be JSON, TOML or YAML)
      --debug               set log level to debug
  -T, --duration duration   Stop the tool after a certain amount of time; e.g. 30s
      --logfile string      specify a log filename
      --results string      specify the filename for the result output, defaults to standard output. See documentation for information on file extension meanings

Examples

sipvicious tcp flood tcp://target:5060
sipvicious tcp flood tcp://target:5060 --payload sip-message.txt
sipvicious tcp flood tcp://target:5060 --rate 10/1ms

Advanced examples

sipvicious tcp flood tcp://target:5060

Exit codes

CodeDescription
40A security issue is raised when the prober detects SIP-level or network-level errors
30A network connectivity issue is raised when the connection fails before the attack is started

Full flag documentation

Flag: -C, --config

Specify a configuration file which may be a JSON, TOML and YAML config format. To get the default settings and figure out which settings are available, one may run the sipvicious utils dump config command. This is typically used to create a template configuration that can then be edited as need be.

These settings may be overwritten when the corresponding flag is explicitly set, if one is present.

Flag: --debug

Tells the logger to print out debug messages.

Flag: -T, --duration

Specify the maximum duration of the attack so that it stops after a certain time. Examples include:

  • 30s
  • 10m
  • 24h

Flag: --logfile

When the logfile flag is specified, a log file is created in the location specified and logs are generated in this file instead of being sent to standard output. If the filename ends with a .json file extension, then the output format is in JSON, otherwise it defaults to text format.

Flag: --payload-file

Specify a file containing the payload to send to keep the connection open. By default, we send an HTTP Request.

Flag: --rate

Rate allows one to limit the attack below a certain rate. If the value is 100/30ms, that means that 100 packets should be spread out evenly across 30 milliseconds across all the connections per target.

Flag: --results

When the results flag is specified, upon completing the test, it outputs the results to the specified filename. The format for this output file is text unless the filename ends with a .json file extension. In that case, the result output is that of JSON.

The schema for the JSON output for this submodule can be found here.

Flag: --sockets

Set the maximum number of sockets to try to take up on the target server.

Flag: --srchwstr

Specify the source MAC address using this flag. This is useful when the attacker machine has more than one interface.

Flag: --srcipstr

Specify the source IP address using this flag. This is useful when the attacker machine has more than one interface.

JSON schema

The following is the JSON schema for the JSON output of this tool:

{
  "type": "object",
  "properties": {
    "status": {
      "type": "object",
      "properties": {
        "returncode": { "type": "integer" },
        "description": { "type": "string" }
      }
    },
    "targets": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "target": { "type": "string" },
          "status": {
            "type": "object",
            "properties": {
              "returncode": { "type": "integer" },
              "description": { "type": "string" }
            }
          },
          "results": {
            "type": "object",
            "properties": {
            }
          },
          "issues": {
            "type": "object",
            "properties": {
            }
          }
        }
      }
    }
  }
}