TCP-AMP-PSHACK stress test

Drives a TCP reflection flood that turns third-party hosts into PSH-ACK echo sources, validating that your edge filters reflected TCP rather than just UDP.

Run TCP-AMP-PSHACK test → All methods

600k pps

trigger rate

How it works

This method crafts TCP segments with a spoofed source set to your test target and sends them to a pool of reflector hosts. Those hosts answer toward the target, and because mid-stream PSH-ACK segments often trigger repeated retransmissions, each reflector returns more data than was sent, amplifying the load on your infrastructure. It tests whether your scrubbing tier recognizes and drops reflected TCP traffic, which many UDP-focused filters overlook.

Parameters

rate600k ppsOutbound trigger rate toward reflectors

reflectors1k-100k hostsSize of the responder pool feeding the target

portany open TCP portDestination port on the test target

duration10-600 sLength of the reflection run

Run it from the CLI

retro-cli

$ retro run tcp-amp-pshack --target 203.0.113.45 --duration 120

TCP-AMP-PSHACK FAQ

How is this different from a normal PSH-ACK flood?+

A direct PSH-ACK flood comes straight from the test source. This reflection variant bounces traffic off third-party hosts so the segments arrive from many unrelated addresses, which validates a different layer of your filtering.

What makes it amplifying?+

PSH-ACK segments sent into a half-open or unexpected state often provoke repeated retransmissions, so each reflector returns more toward the target than the single packet that triggered it.