TCP-SYN Flood Config file


Burak Özalp

Nov 27, 2015, 3:47:54 AM
to netsn...@googlegroups.com
Hi everyone;

First of all, you've done a great job with netsniff-ng! Congratulations!
I want to use trafgen to simulate a syn_flood attack. In --help, I saw
that

" trafgen --dev eth0 --conf tcp_syn.cfg -u `id -u bob` -g `id -g bob`"

command. Could you please share tcp_syn.cfg file?

Best Regards
Burak Ozalp

Daniel Borkmann

Nov 27, 2015, 4:13:55 AM
to burak...@labrisnetworks.com, netsn...@googlegroups.com
Did you try:

trafgen -e > tcp_syn.cfg

It has a built-in example for getting started. You can test it with:

trafgen -e | trafgen -i - -o eth0 --cpp -n 1

If you want to analyse the packet on TX (a la wireshark), you need to:

trafgen -e | trafgen -i - -o eth0 --qdisc-path --cpp -n 1

Cheers,
Daniel

Daniel Borkmann

Nov 27, 2015, 5:10:12 AM
to Burak Özalp, netsn...@googlegroups.com
On 11/27/2015 11:01 AM, Burak Özalp wrote:
> Thank you! I edited the data part and at most I could send 1.800.000 packets per second. Is it possible to increase the pps? I think that netsniff-ng is a good alternative to netmap, especially about tcp_syn flood attacks.

Hmm, likely depends on your network tuning and hardware, people have
reported to get ~6Mpps on TCP SYNs:

https://www.mail-archive.com/net...@vger.kernel.org/msg87192.html

What kernel/settings do you have for fine-tuning?

Burak Özalp

Nov 27, 2015, 5:10:33 AM
to Daniel Borkmann, netsn...@googlegroups.com
Thank you! I edited the data part and at most I could send 1.800.000
packets per second. Is it possible to increase the pps? I think that
netsniff-ng is a good alternative to netmap, especially about tcp_syn
flood attacks.

Best Regards
Burak Ozalp




Mike Redan

Nov 27, 2015, 7:03:24 AM
to netsn...@googlegroups.com, Burak Özalp
Jesper from Red Hat has some good examples of using trafgen to send high pps rates:

It also helps to just throw more CPUs at it with '-P 4' on your command line


Burak Özalp

Nov 28, 2015, 9:32:50 AM
to Mike Redan, netsn...@googlegroups.com
Hello again,

First, thank you for your support. I did these configurations.
 ----  Threw more CPU with --cpu 24
 ----  Applied basic tuning for network overload testing (Mr. Jesper) (including upgrading kernel to 3.15)
 ----  Test with optimized syn_flood.cfg (https://github.com/netoptimizer/network-testing/blob/master/trafgen/syn_attack01.trafgen) with adjusted settings

With these options current pps is 2.5 Million.

I attached sysctl.out and config file of kernel.

Why couldn't I manage to see 12Mpps as Jesper?

Best Regards
Burak Özalp
config-3.15.9-5.lbr.x86_64
sysctl.txt

Eric Dumazet

Nov 28, 2015, 5:14:30 PM
to netsn...@googlegroups.com, Mike Redan
On Sat, 2015-11-28 at 13:56 +0200, Burak Özalp wrote:
> Hello again,
>
> First, thank you for your support. I did these configurations.
> ---- Threw more CPU with --cpu 24
> ---- Applied basic tuning for network overload testing (Mr. Jesper)
> (including upgrading kernel to 3.15)
> ---- Test with optimized syn_flood.cfg
> (https://github.com/netoptimizer/network-testing/blob/master/trafgen/syn_attack01.trafgen) with adjusted settings
>
> With these options current pps is 2.5 Million.
>
> I attached sysctl.out and config file of kernel.
>
> Why couldn't I manage to see 12Mpps as Jesper?
>
> Best Regards
> Burak Özalp
>

Proper multiqueue settings, like IRQ properly set up?

Using 4 cpus 'only' I get at least 4 Mpps.


Burak Özalp

Nov 30, 2015, 4:23:45 AM
to netsn...@googlegroups.com
Hi everyone,

I realized that the --qdisc-path option is not available on version 0.5.8-6,
which is the latest RPM on CentOS 7.

Could you please upload the latest RPM (v0.6.0) for CentOS 7?

Best Regards
Burak Özalp

Daniel Borkmann

Nov 30, 2015, 4:47:47 AM
to burak...@labrisnetworks.com, netsn...@googlegroups.com
On 11/30/2015 10:21 AM, Burak Özalp wrote:
> Hi everyone,
>
> I realized that the --qdisc-path option is not available on version 0.5.8-6, which is the latest RPM on CentOS 7.
>
> Could you please upload the latest RPM (v0.6.0) for CentOS 7?

I think you need to open a bug against RHEL7 (there should be a netsniff-ng
component to file a bug against) at: https://bugzilla.redhat.com/

This would also allow RH folks to check whether RHEL7 kernel still needs
backporting of the direct xmit mode patches.

Note: In case you only want --qdisc-path, then trafgen versions that don't
have this option will use it by default. Since more recent trafgen versions
use direct xmit mode by default, --qdisc-path was an option to fall back to
the previous behavior.

But would be good in any case, if the RHEL7 package gets an update anyway.

Thanks,
Daniel

Burak Özalp

Nov 30, 2015, 7:04:14 AM
to Mike Redan, netsn...@googlegroups.com
Hi,

I realized that I use v0.5.8 in CentOS 7. I tested with v0.6.0 with 12 cores and finally I can manage to send 6 Mpps without any flags (with Jesper's adjusted syn_attack config file)!

Thank you for your support.

Best Regards
Burak Ozalp

Daniel Borkmann

Nov 30, 2015, 7:08:03 AM
to burak...@labrisnetworks.com, netsn...@googlegroups.com, Mike Redan
On 11/30/2015 01:02 PM, Burak Özalp wrote:
...
> I realized that I use v0.5.8 in CentOS 7. I tested with v0.6.0 with 12 cores and finally I can manage to send 6 Mpps without any flags (with Jesper's adjusted syn_attack config file)!

Nice to hear! Thanks!