
I have this kind of topology: attacker <-> router <-> victim, where attacker and victim are both StandardHost and router is Router (both from inet.node.inet). I know that a SYN flood attack might be tricky to define, but I'm looking for a way to simulate this kind of attack.

Attack definition:

  1. Attacker sends a SYN packet (with a spoofed IP), victim replies with a SYN+ACK and the last ACK must "get lost", leaving the victim connection half-open. If the source IP is spoofed, the ACK gets naturally lost in the internet.

  2. Victim uses TcpSinkApp

  3. Attacker uses a modified version of TcpSessionApp that just sends a TCP handshake every n seconds.

  4. Router is just a router

These are my attempts:

  1. I've looked for a way to drop packets from client to server based on the TCP header flags. Basically, if the final ACK gets lost on its way to the server, the handshake never happens. I tried to use the inet.queueing.filter.ContentBasedFilter, but I don't know where to place it properly and how to define the expression to drop the packet based on the header flags. I've also tried another way to do it (like extending the Router and the routing cc class) but don't know where to look.

  2. I've also tried to follow the "spoof the attacker IP" solution, but again I don't know at which level to inspect the IP header and replace the source IP. I've tried to replace the Tcp class of TcpSessionApp with TcpSpoof but it didn't seem to work.

  3. I've tried to define a maximum amount of possible threads/items of socketMap, to simulate the maximum amount of half-opened connections that the server can handle, but of course a thread is spawned and the socket added to the map after the handshake has already happened.

  4. I've tried to create an application for the attacker that just sends out a SYN packet to the victim, without success.

Could anyone help me figure out which approach (or any new approach) is more feasible and why? I'd say that possibly a mix of spoofing the attacker source IP and setting a max amount of half-open connections on the victim's side would be great, but I need some guidance.

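An added illustration, not INET/OMNeT++ code and not part of the original post: a small Python model of the exchange the question describes, so the three ideas in it (a spoofed source whose SYN+ACK is never answered, a router-side filter that drops the final ACK, and a cap on the victim's half-open table) can be compared before building them in the simulator. The names (`Listener`, `handshake`, `syn_flood`, `ack_only`), the addresses and the backlog size are constructed for the example and map to nothing in the INET API; the point is what the simulated victim has to do, not how to wire it into a StandardHost.

```python
"""Toy model of a SYN flood against a TCP listener with a bounded half-open
(SYN_RECV) table. Illustration only; none of this is INET code."""
from dataclasses import dataclass, field
import random

SYN = 0x02
ACK = 0x10
MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0


@dataclass
class Listener:
    """Victim TCP stack: one listening port, at most `backlog` half-open entries
    (the cap the question wants to impose on the victim's side)."""
    addr: str
    port: int
    backlog: int
    rng: random.Random
    half_open: dict = field(default_factory=dict)   # (src, sport) -> our ISN
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def receive(self, seg):
        """Process one inbound segment; return the reply segment or None."""
        if seg.dst != self.addr or seg.dport != self.port:
            return None
        key = (seg.src, seg.sport)
        if seg.flags == SYN:
            if key in self.half_open or key in self.established:
                return None                          # retransmitted SYN, ignore
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1               # table exhausted: SYN dropped
                return None
            isn = self.rng.getrandbits(32)
            self.half_open[key] = isn                # entry created before the 3rd ACK
            return Segment(self.addr, seg.src, self.port, seg.sport,
                           SYN | ACK, seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == ACK and key in self.half_open:
            if seg.ack == (self.half_open[key] + 1) & MASK32:
                del self.half_open[key]              # third ACK completes the handshake
                self.established.add(key)
        return None


def ack_only(seg):
    """Filter predicate for attempt 1: true for a pure ACK (ACK set, SYN clear)."""
    return bool(seg.flags & ACK) and not (seg.flags & SYN)


def handshake(client_addr, sport, victim, rng, drop=lambda seg: False, reachable=True):
    """Client side of the handshake. `reachable=False` models a spoofed source:
    the SYN+ACK has nowhere to go, so no final ACK is ever sent. `drop` is a
    router-side filter applied to client->victim segments. Returns True if the
    connection reached ESTABLISHED on the victim."""
    syn = Segment(client_addr, victim.addr, sport, victim.port, SYN,
                  seq=rng.getrandbits(32))
    if drop(syn):
        return False
    synack = victim.receive(syn)
    if synack is None or not reachable:
        return False
    final_ack = Segment(client_addr, victim.addr, sport, victim.port, ACK,
                        seq=synack.ack, ack=(synack.seq + 1) & MASK32)
    if drop(final_ack):
        return False
    victim.receive(final_ack)
    return (client_addr, sport) in victim.established


def syn_flood(n_syns, backlog, spoofed=True, filter_acks=False, seed=1):
    """Attacker sends n_syns SYNs, then a legitimate client (10.0.0.1) tries to
    connect. Returns (half-open entries, dropped SYNs, legitimate client connected).
    Addresses are constructed: 198.51.100.0/24 plays the unrouted spoofed range."""
    rng = random.Random(seed)
    victim = Listener("10.0.0.2", 80, backlog, rng)
    attacker = "10.0.0.3"
    # Filter scoped to the attacker's real source so the legitimate client is unaffected.
    drop = (lambda seg: seg.src == attacker and ack_only(seg)) if filter_acks else (lambda seg: False)
    for i in range(n_syns):
        src = f"198.51.100.{i % 254 + 1}" if spoofed else attacker
        handshake(src, 1024 + i, victim, rng, drop=drop, reachable=not spoofed)
    ok = handshake("10.0.0.1", 40000, victim, rng, drop=drop)
    return len(victim.half_open), victim.dropped_syns, ok


if __name__ == "__main__":
    print("spoofed source, backlog 128:", syn_flood(300, 128))
    print("real source, no filter:    ", syn_flood(300, 128, spoofed=False))
    print("real source, ACK filter:   ", syn_flood(300, 128, spoofed=False, filter_acks=True))
```

Running it shows why attempt 3 on its own cannot work and why attempts 1 and 2 are interchangeable for the victim: with a real, unfiltered attacker address every handshake completes and the half-open table stays empty, so a cap on it never triggers; with either a spoofed source or a filter that eats the attacker's pure ACKs, the table fills to the cap, every further SYN (including the legitimate client's) is dropped, and the counter of dropped SYNs is the measurable effect of the attack. The half-open entry has to be created on SYN, not after the handshake, which is the detail attempt 3 ran into with socketMap.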