hping3 – SYN Flooding, ICMP Flooding & Land Attacks
What is a Denial of Service Attack?
A denial of service attack is an attack set out to bring down a network infrastructure or, rather, the vital devices on a network. You are either trying to bring down a whole network or trying to bring down vital devices.
What is hping3?
Hping3 is basically a TCP/IP packet generator and analyzer! It is commonly used for generating packets! I don’t like saying this, but it’s mostly used for denial of service attacks or for flooding.
How to get it?
Well, Hping3 comes on ALL penetration testing distributions.
To see how to download Kali Linux, just watch my video.
What is Syn flooding?
Syn flooding is essentially sending half-open connections. You send the initial Syn packets, but you do not complete the handshake. These attacks are used to target individual access points, and most popularly to attack firewalls. Firewalls don’t treat these as actual connections, as you are sending one Syn after another, and this overwhelms the device/access point or firewall!
How do I do it?
Just type into the terminal:
hping3 -V -c 1000 -d 100 -S -p 21 --flood [IP ADDRESS]
What happens, is essentially a denial of service attack. The router will go down completely until you restart it! It’s been tried and tested many times, and it works. It’s scary stuff! Don’t worry though guys! I’ll show you how to mitigate this at the end!
- The -V is for a verbose output
- The -c option is essentially the number of packets you want to send to the particular target. In this case, 1000 packets
- The -d option allows you to choose the size of a packet. For this example, 100
- To specify the type of packet, we need to add -S which is a syn packet
- After this, the -p option specifies the port, so port 21 in this case, the FTP port.
- You then type in the option --flood
- After this, you have to type in the IP address that you want to take down.
- You can cancel the attack by pressing CTRL + C
Targeting individual computers won’t really work, as establishing a half-open connection won’t create many issues. This is usually more for access points (APs) or firewalls. You can test this on your network. If it does cause a denial of service, just restart your router and you are all good to go!
This is how you perform a simple Syn flood attack!
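Seen from the device being flooded, the half-open connections described above show up as handshakes that received a SYN but never the final ACK. The following is an added example, not part of the original article: it counts such entries per target over constructed event records, and the event layout, function names and sample addresses are assumptions.

```python
# Event layout (assumed): (time_s, src_ip, src_port, dst_ip, dst_port, tcp_flags)

def sample_events():
    """Constructed traffic: one completed handshake plus 50 SYNs never ACKed."""
    server = "198.51.100.1"
    events = [
        (0.00, "192.0.2.10", 40000, server, 21, "S"),    # client SYN
        (0.01, server, 21, "192.0.2.10", 40000, "SA"),   # server SYN-ACK
        (0.02, "192.0.2.10", 40000, server, 21, "A"),    # client ACK: handshake done
    ]
    for i in range(50):                                   # SYNs with no follow-up
        events.append((0.10 + i * 0.001, "203.0.113.7", 1024 + i, server, 21, "S"))
    return events


def half_open_by_target(events, timeout_s=30.0):
    """Count handshakes per (dst_ip, dst_port) that saw a SYN but no final ACK."""
    pending = {}          # (client_ip, client_port, server_ip, server_port) -> SYN time
    now = 0.0
    for t, src, sport, dst, dport, flags in events:
        now = max(now, t)
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t              # new half-open entry
        elif flags in ("A", "R"):
            pending.pop(key, None)        # completed or reset by the client
    counts = {}
    for (_src, _sport, dst, dport), t in pending.items():
        if now - t <= timeout_s:          # entries older than the timeout have expired
            counts[(dst, dport)] = counts.get((dst, dport), 0) + 1
    return counts


def flooded_targets(events, threshold):
    """Targets whose half-open count exceeds the alert threshold."""
    return sorted(tgt for tgt, n in half_open_by_target(events).items() if n > threshold)


if __name__ == "__main__":
    ev = sample_events()
    print(half_open_by_target(ev))
    print(flooded_targets(ev, threshold=20))
```
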
You may be wondering, what the hell is this?!
Don’t worry, that’s why I’m here.
LAND stands for Local Area Network Denial attack! Essentially a denial of service attack! What you do is send packets whose source and destination IP are the same, to that same IP. In other words, this relies on what is commonly referred to as IP spoofing. What is happening is:
If my computer has an IP address of 192.168.1.110, I would essentially send packets with the source and destination IP of 192.168.1.110 to my IP address. This will cause a LOT of issues. This usually causes a lot of issues for smaller organisations/schools/universities/companies that do not have appropriate security features.
The command, for this, is:
hping3 -V -c 1000 -d 100 -S -p 21 -s 80 -k -a 192.168.1.110 192.168.1.110
- -V is for verbose output
- -c is to specify the number of packets
- -d is the size of the packets
- -S is the syn packets
- -p is the destination port
- -s is the source port. This only matters if you are doing it on an incognito mode. Set this to whatever you want
- -k preserves the source port
- -a spoofs the source address
- Then add the IP which you need to spoof
- You then add the address which you need to send it to.
What happens here is that you spoof a source address and use it to send many ICMP packets (ICMP echo requests). You send these packets, with the spoofed source IP, to the entire network range or to a specific network range. The devices on that network range respond to these ICMP packets, and the result of all these responses, given the number of requests, is a denial of service attack. This works on computers or individual devices on a network.
The command for this, is:
hping3 -1 --flood -a [IP OF TARGET] [NETWORK RANGE]
- -1 is used because we want to get away from UDP/TCP and go to ICMP. If you type hping3 into the terminal, press enter and scroll up a bit, you can see that -1 corresponds to ICMP. This is the one we want to use, as it moves us into ICMP mode
- We then add --flood
- We want to spoof the source address, which is done using -a
- You then add the IP address of the target (In my case, 192.168.1.103)
- You then add the network range (In my case 220.127.116.11, a medium sized network)
This is how you execute a simple ICMP flood attack!
Now the interesting part for the people requesting….
Simple: if you type your default gateway/router IP into the URL bar and go into Security > Advanced Security, you will see an option to disable and enable DoS protection. This is in my case. You can also input thresholds of packets etc. I would recommend keeping it at 1000.
This is a simple way to mitigate against DoS attacks and more router manufacturers are pushing towards adding this feature in, if it’s not there already.
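To show the kind of check such DoS protection performs for the LAND and ICMP cases above, here is an added example (not from the original article or any router vendor). It runs over constructed packet records as logged on the receiving host; the record layout, the function names and reading the 1000 threshold as packets per second are assumptions.

```python
import ipaddress
from collections import Counter

ICMP_LIMIT = 1000  # threshold value from the article; "per second" is an assumption


def sample_packets():
    """Constructed log as seen on host 192.168.1.103."""
    pkts = [
        # Same source and destination address: the LAND pattern
        {"ts": 1.0, "src": "192.168.1.110", "dst": "192.168.1.110", "proto": "tcp"},
        # A ping the host really sent, and its reply (solicited)
        {"ts": 2.0, "src": "192.168.1.103", "dst": "192.168.1.1", "proto": "icmp", "icmp_type": 8},
        {"ts": 2.1, "src": "192.168.1.1", "dst": "192.168.1.103", "proto": "icmp", "icmp_type": 0},
    ]
    for i in range(1500):  # echo replies nobody asked for, all within second 5
        pkts.append({"ts": 5.0 + i / 2000, "src": f"10.0.{i // 250}.{1 + i % 250}",
                     "dst": "192.168.1.103", "proto": "icmp", "icmp_type": 0})
    return pkts


def is_land(pkt):
    """A packet claiming to come from the address it is sent to is never legitimate."""
    return ipaddress.ip_address(pkt["src"]) == ipaddress.ip_address(pkt["dst"])


def reply_floods(packets, limit=ICMP_LIMIT):
    """Return {(second, dst): count} of unsolicited echo replies above the limit."""
    requested = set()        # (requester, responder) pairs with an echo request on record
    unsolicited = Counter()
    for p in sorted(packets, key=lambda p: p["ts"]):
        if p["proto"] != "icmp":
            continue
        if p["icmp_type"] == 8:                       # echo request
            requested.add((p["src"], p["dst"]))
        elif p["icmp_type"] == 0 and (p["dst"], p["src"]) not in requested:
            unsolicited[(int(p["ts"]), p["dst"])] += 1  # echo reply without a request
    return {k: n for k, n in unsolicited.items() if n > limit}


if __name__ == "__main__":
    log = sample_packets()
    print([p for p in log if is_land(p)])
    print(reply_floods(log))
```
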
I hope you enjoyed reading this article.