Network Security Test Methodology Part 4: TCP SYN DDoS attacks

David Avery
December 6, 2012

Each week, Ixia Connect introduces Security Thursday…a blog post on issues related to network security. The kickoff article focused on network security basics, detailing network risks, types of attacks, and the need for security. If you want to skip ahead and grab the entire series at the same time, download the full Network Security Black Book.

This week’s article deals with mitigating the effects of TCP SYN DDoS attacks. There are many more details in the full network security test methodology.

Network-based DDoS attacks is one of the oldest methods of attacks, yet is still very effective and easy to implement. Preventing vulnerabilities to DDoS attacks requires a specific test methodology that gauges a network or device performance during such an attack.

The following test methodology walks you through a configuration that uses a TCP SYN Flooding attack to measure the mitigation capabilities of the intermediate firewalls. The example covered in this test case is performed using attacks injected at line rate on 1GE, 10GE, or 40GE interfaces. It requires a pair of test ports.

The goal of this test is to measure DUT’s capabilities to detect and mitigate the TCP SYN Flooding attack. You can also add the application traffic in addition to the DDoS traffic to assess the impact in quality of experience of the users using web, voice or video services.


The current setup consists of two ports connected directly to the tested device/system under test.

In this test topology, you should emulate:

  • a BOTNET consisting of 100 DDoS Clients on port1
  • a target network by placing a DDoS Server component on port2

This topology can be used to test intermediate devices such as firewalls and unified thread management systems. The DDoS Server activity is optional, and it can be replaced with an external target such as an Apache Web Server.

Including the DDoS Server has the following advantages:

  • It discards all DDoS traffic at FPGA level avoiding any impact on the CPU used by the target port where application servers may be emulated.
  • It provides measurements such as successful attack frames, successful attack rate and attack throughput for analysis.

Step-by-Step Instructions

First you must create and configure the BOTNET (DDoS Clients) network and TARGET (DDoS Server) network (called BOTNET and TARGET below).

Configure DDoSv2 Client activity to the BOTNET network, and DDoSv2 Server activity to the TARGET network.

Add a TCP SYN Flood Attack to a client on BOTNET. The attack should use spoofed IP addresses and come over ports 20000 to 30000. On the TARGET side, receive the attack on port 80.

This configuration generates TCP SYN packets using all IP addresses added at the network level that are mapped to the BOTNET client activity. The destination IP range is set to the range of IPs defined under TARGET network that are mapped to TARGET server activity.

Configure the IP parameters of the BotNet network and Target network. Select the BOTNET network, then configure its IP with the following:

  • Network Name: BOTNET (WAN)
  • IP Type: IPv4
  • Address:
  • Mask: 16
  • Count: 100
  • Gateway:

Select the TARGET network, then configure its IP with the following:

  • Network Name: TARGET
  • IP Type: IPv4
  • Address:
  • Mask: 16
  • Count: 1
  • Gateway:

Run the test for at least 5 minutes, with a polling interval of at least 2 seconds (or less).

Results analysis

During the test, collect various statistics to suit your test requirements. Select the following key statistics to analyze the results for this test.

  • Network Statistics:
    • BOTNET: L2-3 throughput, frames sent rate, frames sent, link speed, bytes sent, and bits sent rate
    • TARGET: frames received rate, frames received, link speed, bytes received, bits received rate
  • DDoS Attack Statistics
    • attempted, successful, and blocked attacks

Test Variables

Run the test several times, varying test variables such as the number of botnets, source ports, destination ports, and DDoS pattern.


This test case demonstrates how to configure the IxLoad application to determine the maximum attack rate and attack throughput that a DDoS mitigation system such as a firewall or an UTM can mitigate, while the system under test is being flooded with TCP SYN Flooding.

Next week we will continue the Ixia Connect Security Series by looking at IPsec and Data Forwarding Performance.

Additional Resources:

Ixia’s Security Black Book

Network Security Test Methodology Part 1: Getting Back To Basics

Network Security Test Methodology Part 2: Checking Your IPS for Vulnerabilities

Network Security Test Methodology Part 3: Application Forwarding Performance Under DoS Attacks

blog comments powered by Disqus