https://github.com/waived/stress-testing-scripts

Small compilation of Denial-of-Service scripts that act effectively against Routers and other IoT devices
https://github.com/waived/stress-testing-scripts

cloudflare-bypass denial-of-service denial-of-service-attack firewall-bypass iphm layer3 layer4 layer4-ddos layer4bypass spoofed-packets

Last synced: 8 months ago
JSON representation

Small compilation of Denial-of-Service scripts that act effectively against Routers and other IoT devices

• Host: GitHub
• URL: https://github.com/waived/stress-testing-scripts
• Owner: waived
• Created: 2024-05-12T22:57:14.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2025-01-22T18:38:41.000Z (about 1 year ago)
• Last Synced: 2025-01-22T19:38:37.717Z (about 1 year ago)
• Topics: cloudflare-bypass, denial-of-service, denial-of-service-attack, firewall-bypass, iphm, layer3, layer4, layer4-ddos, layer4bypass, spoofed-packets
• Language: Python
• Homepage:
• Size: 38.1 KB
• Stars: 0
• Watchers: 1
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.txt

Awesome Lists containing this project

README

          
This repository contains a small collection of transport layer Denial-of-Service scripts

that act effectively against Routers, Firewalls, Servers, and various IoT devices.

The descriptions are as follows...

ACK:

  The TCP-ACK (Acknowledge) flood is most effective against firewalls and servers, whereas

  routers and load balancers are often not susceptible to this attack. By taking advantage

  of vulnerabilities in the TCP three-way handshake, spoofed ACK packets are sent to the

  endpoint. The device will then attempt to make sense of these packets, trying to link them

  with a session that does not exist. In addition to causing general network congestion, 

  resource exhaustion is the true end goal of this attack. 

  This attack may be used in place of a standard SYN flood, as certain systems may make use

  of SYN-cookies, which thwart such an attack. Since ACK floods are not hindered by the SYN-

  cookie feature, they pass to the endpoint without being rejected.

ACK-FRAG:

  A Fragmented Acknowledge flood as a modified version of the standard TCP-ACK flood. In

  this specific example, the attack will generate a spoofed source address when sending the

  ACK packets. The attack will generate anywhere between 50 to 150 of these fragmented packets.

  The acknowledgement number of these ACK packets will stay the same, however the randomly

  generated initial sequence number will increase by one per each packet. Finally, a complete

  ACK packet will be sent to the endpoint. The endpoint device will then struggle to piece

  together the ACK fragments, causing again, not only general network congestion, but

  resource exhaustion as well.

BOGUS:

  A bogus flood is an attack that sends packets to an endpoint with randomly chosen and enabled

  packet flags which act redundantly with each other. FIN-RST, SYN-FIN, URG-PSH-ECE, etc. The

  flags are randomly chosen per packet, also containing a spoofed source address. The goal is to

  completely overwhelm the endpoint with as much incoherent requests as possible and bog the

  network down.

DOMINATE:

  This attack method is a variation of the well known SYN flood. Via a weakness in the TCP-

  3-way handshake, Dominate will initiate as many concurrent connections to the endpoint as

  possible. With the SYN flag set, Dominate also enables the ECE (Explicit Congestion Notification 

  Echo) and CWR (Content Window Reduced) flag as well.

  During a conversation between a client and a server, the client may send one or more requests.

  The server obviously serves the requests. However, when the server is under a heavy load

  (non-malicious network congestion) the server may choose to send response/s with the ECE

  flag enabled. This tells the client that the server network is experiencing congestion

  and that in order to maintain the integrity of the data transveral, the client should

  reduce their content window size. If the client is ECN compliant, the client will have

  both the ECE and CWR flags enabled when sending any more requests. This also lets the server

  know that the requests have been downsized.

  In a dominate attack, these flags are already pre-set, letting the endpoint believe that

  the requests are being downsized for accomidate their network. Variations of Dominate also

  contain junk data buffers.This type of attack can work effectively against some known load

  balancers and specifically has been known to take down prominent OVH services.

L4:

  Short for 'Layer-4' flood, or sometimes known as a 'COMBO flood,' this attack is

  a combination of both UDP and TCP floods. Here a dynamic data buffer is generated

  where the attacker specifies the range of bytes to generate per request, and the

  attacker spams the endpoint with these UDP/TCP packets containing an gibberish data

  buffer. This attack is not spoofed and the attacker's true source address is exposed.

MIXAMP:

  This specific method is sometimes known as a 'UDP-MIX' or 'UDP AMP' flood. Its a reflective/

  amplified, Distributed Denial-of-Service attack. The attacker loads into the script a

  list of reflectors (servers who are running a UDP service vulnerable to packet reflection

  attacks). The format for the list is : and this method supports various

  services including but not limited to: DNS, NTP, CharGen, WS-Discovery, DVR IP Cameras,

  SSDP, SSMP, Microsoft SQL database, MemCache, etc.

  Here the source address of each packet is spoofed to be the victim's address. The 

  attacker spends specifically crafted packets to the IP:PORT found in the reflector

  list. These requests are then responded to and sent back to the victim's endpoint, as

  the services believe the victim was the one who made the request. Because these mixed

  service types are 'amplified' (where they send more data to the victim than what was

  requested) the attack has a larger data overhead and puts more or a strain on the 

  victim's network than what could have naturally be generated by the attacker.

RST: 

  Sometimes known as a 'TCP-Reset' flood, this attack sends RST packets to the

  endpoint. An RST packet essentially asks the endpoint to re-initiate the

  connection and start over. Here the connection will hang and eat up server-

  side resources. Eventually, the endpoint will being to drop legitimate connections

  and become inaccessible to legitimate users. Each packet contains a spoofed

  source address.

SSYN:

  Spoofed SYN (Synchronize) flood, or sometimes known as a 'half-open' attack. This attack relies on

  socket state-exhaustion to cripple the victim. The attack will generate a barrage of SYN packets, each

  with its own spoofed source address. The endpoint thinks that these source addresses are attemping to

  establish a TCP connection. The endpoint will send out SYN-ACK (Synchronize-Acknowledge) packets to the

  source addresses and await the final ACK packet to signal the completion of the handshake. With every SYN

  packet, the endpoint will reserve a TCP socket, and open said socket once the handshake is completed.

  However, this attack does not fully complete the handshake, and therefore the system expends all of its

  available sockets (each system varies in how many sockets it can spawn at once). After it runs out, all

  legitimate traffic will not be able to establish a connection.

  After a while, the reserved sockets will be thrown out, and reused to serve other legitmate users.

  The rate in which the attack will push out SYN packets will be way quicker than the turnover time for

  each reserved connection. Ultimately, the endpoint will crawl to a halt.

  Note: this attack will be rendered useless if the endpoint has SYN-cookies enabled. To bypass

  this security measure, use other attacks instead, such as ACK, ACKFRAG, RST, etc. 

SYNACK:

  This attack leverages the TCP 3-way handshake vulnerability by starting off the conversation in the

  middle. Instead of sending a SYN packet to initiate a TCP connection, it sends a SYN+ACK packet to

  the endpoint. The endpoint then assumes a handshake was already made, originating from the device or

  network and attempt to send a final ACK packet unfruitfully to spoofed source address. The end goal

  is to consume all server-side resources.

TSUNAMI:

  This attack is also known as a PSH+ACK (Push Acknowledge) flood. The PSH flag instructs the endpoint

  to process the data immediately, raising its priority level, and the ACK flag denotes the end of the

  TCP 3-way handshake. However, in this attack the PSH+ACK packet also contains a junk data buffer. This

  buffer is dynamic in size and content, specified by the attacker, and makes a hybrid DoS attack out of

  both volumetric and protocol abuse methods. It also manages to bypass SYN-cookies entirely. It puts

  load on the endpoint network and additionally creates server-side confusion.

SUDP:

  Spoofed UDP (datagram flood) takes advantage of weaknesses in the UDP protocol. Since this is a connectionless

  protocol, the source address can easily be spoofed. This attack incorperates a dynamic data buffer in both

  size and content, specified by the user. Its volumetric capabilities overwhelm the endpoint network and leave

  server-side resources exhausted.

XMAS:

  This is known as a Christmas flood, since all the packet flags are 'lit up' like a Christmas tree. Each

  packet, which contains a spoofed source address, sends all of the packet flags at once: SYN, ACK, URG, PSH,

  FIN, ECE, CWR, and RST. This attack overwhelms the target system, consuming its resources and causing it to

  become unresponsive to legitimate traffic. This attack is also known as a 'TCP All-flag' attack.

*** NOTE ***

  Python is 10 to 100 times faster when compiled. When a script is not compiled, it needs to be interpreted

  and its performance is slowed down. Compiling into a .pyc or even .elf/.exe format will increase performance.