Network Security Testing | 47




This is not to say that you need to always specify all of the fields. You can specify what you want, and hping3 will fill the rest of the fields in the IP and transport headers as normal. hping3 is capable of flooding by not bothering to wait for any responses or even bothering to use any waiting periods. The tool will send out as much traffic as it can, as fast as it can. You can see the output from the tool in Example 2-5.

Example 2-5. Using hping3 for flooding
root@rosebud:~# hping3 --flood -S -p 80 192.168.86.1
HPING 192.168.86.1 (eth0 192.168.86.1): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown
^C
--- 192.168.86.1 hping statistic ---
75425 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

When I ran this, I was connected to my Kali system remotely. As soon as I started it up, I tried to kill it because I had the output I was looking for. However, the system was cramming packets down the wire (and getting responses) as fast as it could. This made it hard to get the Ctrl-C I was trying to send to my Kali system, meaning hping3 wasn’t dying—it was just merrily sending a lot of packets out into the network (fortunately, I used my local network to test on, rather than trying to test someone else’s system). The operating system and network were otherwise engaged, so there was no response for a long period of time. In Example 2-5, I am using hping3 to send SYN messages to port 80. This is a SYN flood. In this example, I’m not only testing the ability of the system to handle the flood at the network stack (operating system) with just the capability of the hardware and operating system to respond to the traffic, but also testing the transport layer.

The operating system has to set aside a small chunk of memory for Transmission Control Protocol (TCP) connections. Years ago, the number of slots available for these initial messages, called half-open connections, wasn’t very large. The expectation was that the connecting system was well-behaved and would complete the connection, at which point it was up to the application to manage it. Once the number of slots available to take half-open connections is exhausted, no new connections, including connections from legitimate clients, will be accepted. These days, most systems are far more capable of handling SYN floods. The operating system will just handle these inbound, half-open connections and dispose of them using a variety of techniques, including reducing the timeout period during which the connection is allowed to be half-open.

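On the receiving side, the half-open connections described above show up as sockets in the SYN_RECV state, so a defender can watch the queue by counting them per listening port. The following is an added example, not code from the book: it parses text in the Linux /proc/net/tcp layout, and the sample rows, function names and threshold are constructed for illustration (little-endian address encoding is assumed).

```python
# Added example: count half-open (SYN_RECV) TCP sockets per local endpoint.
import socket
import struct
from collections import Counter

SYN_RECV = 0x03  # kernel state code for a half-open connection

# Constructed sample in /proc/net/tcp layout: one listener on port 80,
# three half-open connections to it, one established SSH session.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20001
   1: 0156A8C0:0050 0A56A8C0:C350 03 00000000:00000000 01:00000064 00000001     0        0 0
   2: 0156A8C0:0050 0B56A8C0:C351 03 00000000:00000000 01:00000064 00000001     0        0 0
   3: 0156A8C0:0050 0C56A8C0:C352 03 00000000:00000000 01:00000064 00000002     0        0 0
   4: 0156A8C0:0016 1456A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 20002
"""

def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into ('a.b.c.d', port)."""
    ip_hex, port_hex = field.split(":")
    # The address is a host-order 32-bit value; little-endian is assumed here.
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def half_open_by_endpoint(proc_text):
    """Return a Counter of SYN_RECV sockets keyed by (local_ip, local_port)."""
    counts = Counter()
    for line in proc_text.splitlines()[1:]:  # skip the column header
        cols = line.split()
        if len(cols) < 4:
            continue
        if int(cols[3], 16) == SYN_RECV:
            counts[decode_endpoint(cols[1])] += 1
    return counts

def endpoints_over_threshold(proc_text, threshold):
    """List local endpoints whose half-open count reaches the threshold."""
    counts = half_open_by_endpoint(proc_text)
    return sorted(ep for ep, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for (ip, port), n in half_open_by_endpoint(SAMPLE).items():
        print(f"{ip}:{port} half-open={n}")
```

On a live Linux host the same functions can be fed the contents of /proc/net/tcp instead of the sample string.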
This test uses SYN messages (-S) to port 80 (-p 80). The idea is that we should get a SYN/ACK message back as the second stage of the three-way handshake. I don’t have to specify a protocol because that’s accomplished by just saying that I want to send a SYN message. TCP is the only protocol that has the SYN message. Finally, I tell
