hping3 – SYN Flooding, ICMP Flooding & Land Attacks

What is a Denial of Service Attack?

A denial of service attack is an attack set out to bring down a network infrastructure, or rather, the vital devices on a network. Its main objective is to bring down a whole network or its vital devices or infrastructure.

What is hping3?

Hping3 is a TCP/IP packet generator and analyzer. It is commonly used for generating packets. Because of its inherent functionality, many attackers utilize hping3 for denial of service attacks or for flooding.

Hping3 is available on most penetration testing distributions and can easily be downloaded from: http://www.hping.org/hping3.html

What is SYN flooding?

SYN flooding is the process of sending half-open connections without completing the TCP handshake. These attacks are used to target individual access points, and most commonly firewalls. Firewalls do not treat these as actual connections because they are half-open connections; as a result, many half-open connections overwhelm the firewalls.

POC

A simple DoS attack can be performed by using the following command:

hping3 -V -c 1000 -d 100 -S -p 21 --flood [IP ADDRESS]

What happens is essentially a denial of service attack. The router will go down completely until you restart it! It’s been tried and tested many times, and it works. It’s scary stuff! Don’t worry though, guys! I’ll show you how to mitigate this at the end!

  • The -V is for verbose output.
  • The -c option is the number of packets you want to send to the particular target; in this case, 1000 packets.
  • The -d option allows you to choose the size of a packet; for example, 100.
  • To specify the type of packet, we need to add -S, which sends SYN packets.
  • After this, the -p option specifies the port: port 21 in this case, the FTP port.
  • IP Address – Specify the IP address of the target.

Land attacks

LAND stands for Local Area Network Denial Attack. It is essentially a denial of service attack where you send packets with the same source and destination IP to the same IP address. This is commonly referred to as IP spoofing.

POC

If my computer has an IP address of 192.168.1.110, I would essentially send packets with the source and destination IP of 192.168.1.110 to my IP address.

hping3 -V -c 1000 -d 100 -S -p 21 -s 80 -k -a 192.168.1.110 192.168.1.110

  • -V Is verbose output.
  • -c Is to specify the number of packets.
  • -d Is the size of the packets.
  • -S Sends SYN packets.
  • -p Is the destination port.
  • -s Is the source port. This only matters if you are doing it in an incognito mode. Set this to whatever you want.
  • -k Preserves the source port.
  • -a Spoofs the source address.
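
A defender-side check for the two patterns described in the SYN flooding and LAND sections, as an added example that is not from the original post: it parses raw IPv4/TCP headers and flags packets whose source IP equals their destination IP, plus targets that receive many SYNs with no ACK. The function names, the 100-SYN threshold and the sample capture are assumptions made for illustration; the batch passed in stands for one capture window.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10  # TCP flag bits

def build_packet(src, dst, dport, flags):
    """Constructed sample data: minimal IPv4 + TCP headers, checksums left at 0."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)
    return ip + tcp

def parse(raw):
    """Return (src, dst, dport, flags) for an IPv4/TCP packet, else None."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4  # IP header length in bytes
    if raw[9] != socket.IPPROTO_TCP or ihl < 20 or len(raw) < ihl + 14:
        return None
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    dport = struct.unpack("!H", raw[ihl + 2:ihl + 4])[0]
    return src, dst, dport, raw[ihl + 13]

def detect(packets, syn_threshold=100):
    """Flag LAND packets (src IP == dst IP) and targets with too many bare SYNs."""
    alerts, bare_syns = [], Counter()
    for raw in packets:
        hdr = parse(raw)
        if hdr is None:
            continue  # not IPv4/TCP or truncated
        src, dst, dport, flags = hdr
        if src == dst:
            alerts.append(("LAND", dst, dport))
        elif flags & SYN and not flags & ACK:
            bare_syns[(dst, dport)] += 1
    alerts += [("SYN_FLOOD", d, p) for (d, p), n in bare_syns.items() if n >= syn_threshold]
    return alerts

def sample_capture():
    """Constructed capture: one normal SYN, 150 bare SYNs to port 21, one LAND packet."""
    pkts = [build_packet("192.168.1.50", "192.168.1.1", 80, SYN)]
    pkts += [build_packet("198.51.100.%d" % (i + 1), "192.168.1.1", 21, SYN) for i in range(150)]
    pkts.append(build_packet("192.168.1.110", "192.168.1.110", 21, SYN))
    return pkts

if __name__ == "__main__":
    print(detect(sample_capture()))
```

A LAND packet is never legitimate traffic, so that rule can alert on a single packet, while the SYN threshold has to be tuned to the normal connection rate of the monitored service.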

ICMP Flooding

In ICMP flooding, a spoofed source address is used to send many ICMP packets to the entire network range or to a specific network range; as a result, the devices in that range respond to these ICMP packets. The sheer number of requests will cause a denial of service.

hping3 -1 --flood -a [IP OF TARGET] [NETWORK RANGE]

  • The reason -1 is used is that we want to get away from UDP/TCP and go to ICMP. If you type hping3 in a terminal, press Enter and scroll up a bit, you can see that -1 corresponds to ICMP.
  • We then add --flood.
  • We want to spoof the source address, which is done using -a.
  • You then add the IP address of the target (in my case, 192.168.1.103).
  • You then add the network range (in my case 192.186.1.1/24, a medium-sized network).
