Dos Attack method (HPING3)

Source: Internet
Author: User

This article is my previous in and company colleagues testing company firewall products, the relevant test summary, first excerpt as follows:

1. DOS with Random source IP

1 [email protected]:~# hping3-c 10000-d 120-s-W 64-p +--flood--rand-source

Parameter meaning::
Hping3 = App name.
-C 100000 = number of packets sent.
-d = size of packet.
-s = send only SYN packets.
-W = size of TCP window.
-P = Destination port (being FTP port). You can use any port.
--flood = Sending packets as fast as possible, no response is displayed. Flood mode.
--rand-source = uses a random source IP Addresses. or use-A or spoof to hide hostnames. = Destination IP address or target machines IP address. Or use a URL in my case resolves to (as entered in/etc/hosts file)

2. ICMP Flood
The flooding attack for ICMP is to send the maximum ICMP data to the target machine within the minimum time, for example, by using a ping command. In the "old" era it was possible to destroy the machine by using a huge ping (ping of Death), hoping that these times had passed, but it was still possible to attack any machine's bandwidth and processing time if it received this ICMP packet.
ICMP Flood using hping 3:
Hping3-q-n-a 0--icmp-d--flood
-Q indicates quiet,-n means no name resolving, and ID 0 indicates ICMP echo request (ping)
-D I indicates the size of the package (the is, the normal size for a ping).
Some system configurations automatically discard this malformed ICMP packet generated by hping (for example, it is not possible to set an ID with an order). In this case, you can use Wireshark to sniff a normal ICMP echo request message, save it as a binary file, and replay it using HPING3.
Hping3-q-N--rawip-a 1--file "./icmp_echo_request.bin"-D---flood

3. UDP Flood
This is the same concept of ICMP flooding unless you send a large amount of UDP data. UDP flooding is very dangerous for network bandwidth.
Generating UDP Flood:
Hping3-q-n-a (--keep-p)--flood
For UDP, you have to know exactly where the source and destination ports are, and here I have chosen the DNS and BOOTPC (dhclient) ports. The BOOTPC (68) port is often open on the PC because most people use DHCP to connect themselves to the network.
Ame blacklist_180--set-m Comment--comment "blacklist source IP"-j DROP

4. SYN Flood
Syn flooding is the most commonly used scanning technique, and the reason for doing so is because it is the most dangerous. A SYN flood consists of sending a large number of TCP packets only to the SYN flag. Because the SYN message is used to open a TCP connection, the victim's host will attempt to open the connection. These connections, which are stored in the connection table, will continue to open for a certain amount of time, while attackers are constantly flooding with SYN packets. Once the victim's connection table is filled, it will not accept any new connections, so if it is a server it means that it is no longer accessible to anyone.
Example of a SYN flood attack:

5, other TCP flood attacks
There are many possibilities for using TCP flooding. Just set the various TCP flags as you wish. Some TCP flooding techniques include the development of a number of unusual sign disturbances. For example with SARFU scan
Example with the SARFU scan:

6. Land attack
Land attack principle is: with a specially crafted SYN packet, its original address and destination address are set to a certain server address. This will cause the receiving server to send an syn-ack message to its own address, which then sends back an ACK message and creates an empty connection. Each such connection will be retained by the attacked server until it expires and the response to the land attack is different, many UNIX implementations will crash and NT becomes extremely slow (about 5 minutes)

7, Nmap Scan to determine the open port

Network Mapper, a web-based scanning software under Linux, is used to scan Internet-connected computers for open Network connections. Determine which services are running on which connections and infer which operating system the computer is running

8. ARP Attack/ARP spoofing
Tool: Ettercap

Dos Attack method (HPING3)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.