Security DevCenter
oreilly.comSafari Books Online.Conferences.


Network Tool Development with hping3
Pages: 1, 2, 3

Have you ever thought that hping3 could become an easier, alternative way to build low-level tools that today are written with C and libpcap, libnet, or libdnet?

This is the main goal of hping3 itself. Developers and security researchers are wasting a lot of time with low-level tools; they will go faster using advanced tools with a higher level of abstraction. If security researchers have better tools, they will be able to do more interesting research. Often programmers and researchers come up with a new idea, but if the efforts needed just to test whether the idea works in practice are too big, there is a good chance that the idea will remain untested for a long time.

In 1998 you posted on Bugtraq a short explanation of a new type of network scan called idle scan. It's amazing that it still works. Today we have networks and hosts that use multiple technologies to protect themselves, and then old and vulnerable hosts that permit spoofed scans. How can we make the Internet a better place if the gap among hosts' security keeps increasing? Trusting nothing? Paranoia by default?

In the case of the "idle scan," the problem is in the TCP/IP protocol: fortunately there is a fix you can apply in software (that is, unguessable IP IDs). Still, correct implementations of TCP/IP have this bug. So my guess is that Internet security should be more a collective and technological goal, rather than something focused on a few hosts on the Internet.

Part of the "secure host" idea is related to business, in my opinion. If you want to sell a security product, you have to create the (wrong) impression that your security fully depends on the amount of money you invest in security products. Unfortunately, the real world works in a different way--to be secure you need secure code for your applications, but these applications are in most cases developed by others, and code security in turn depends on software culture, libraries, programming languages, and other things related to the "community." Second, you need good and secure networking protocols, again something about the Internet community that you can't buy for yourself.

Last year nmap included the support for idle scan. What do you think about its implementation?

That's very good and smart, as nmap itself generally is. idle scan is simple to describe, but very hard to implement in a real-world program; it's not by accident that nmap is the first usable implementation of idle scan. I'm very happy that Fyodor [the author of nmap] did this great work, and I think he reached one of his goals: to make idle scan available enough to the masses in order to force TCP/IP implementations to fix this problem.

Have you ever noted that some of the most known open source networking tools (ettercap, ntop, hping, WinDump, and WinPcap) are developed by Italians? Why do you think we are so interested in networking and security?

It's hard to tell. I guess that in part it's because security is a stimulating thing. It's possible that another reason is that research is not well funded in Italy, yet there is still a lot of desire to do something new and innovative--and one of the rare fields where you can do a lot of interesting new things with little money is computer security.

I live in Italy like you, and I know that in our country it's nearly impossible to find any economic support for this type of project. How could the community help you? Are you looking for Internet services, hardware, or maybe a job?

I agree that in Italy it's very hard to get economic support :) But I think I found a way in order to have economic support (very minimal, but still enough to do a bit less work as a freelancer and invest more time in free software): advertising. I think that banners may provide enough economic support for many little projects, at least. hping gets quite a lot of unique visitors every day, so the best way to help hping is to put links to the hping web site where appropriate, if you own a web site.

Users will get software for free from your pages; I think that a little banner is acceptable. On the other hand, if open source software is funded by a company, it's possible the developer will not be free to implement what he likes, but what the company wants. Advertising doesn't have this problem; you get the money and can use the saved time to implement the features you want.

I also applied the advertising strategy to Visitors, a GPL weblog analyzer you can find at, and it is working pretty well even for this less known software.

Federico Biancuzzi is a freelance interviewer. His interviews appeared on publications such as,,,,,,, the Polish print magazine BSD Magazine, and the Italian print magazine Linux&C.

Return to the Security DevCenter

Sponsored by: