Skip to content

Demonstrates a synflood DDOS attack with raw sockets (for Ubuntu and Debian-like distros)


Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



52 Commits

Repository files navigation

gosynflood - Repeatedly Send Crafted TCP SYN Packets with Raw Sockets

intended for Ubuntu and other Debian distributions
# Clone project:
git clone

# Build and run:
cd <project root>
go build -o bin/gosynflood

# raw sockets require root privileges when executing:
sudo ./bin/gosynflood  -t <target IPV4 address> -p <port number> -i <network interface>

# Example:
sudo ./bin/gosynflood  -t -p 80 -i wlp3s0
-t private or public IP address of target webserver
-p target webserver's port number (defaults to port 80 if not provided)
-i your network interface (running without -i will fail,
     but it will suggest all found interfaces, ie: lo, wlpxxx, eth0 etc.)

Enter control-c to stop the flood attack.

Each packet's IP address is spoofed. MAC addresses are not spoofed. It is up to you to spoof your MAC Address beforehand if desired.

This attack may only work on web servers susceptible to numerous half-open connections (SYN_RECV).

To demonstrate this, a small Ubuntu Mate running Apache2 will act as the target. It's a physical machine on a private network.

1. The tcp_syncookies flag was set to 0 (to make the target vulnerable for demonstration purposes) and the webserver was started on the target:

  1. The attacker machine (a separate physical machine also running Ubuntu) executes the gosynflood exe with root privileges:

  1. The initial SYNs are visible in Wireshark on the target, purposefully never completing the thee 3-way handshake:

  1. During the attack the webserver should be unreachable at it's URL if it is susceptible. The half-open connections are visible via the command netstat -na --tcp

This was developed on Ubuntu 18.04 LTS.

Author: rootVIII 2020