Skip to main content
johnathan
Staff
johnathan
Staff
January 5, 2026

Technical Tip: How to test and verify if the DoS policy is working using 'hping3' from Linux and Powershell from Windows

  • January 5, 2026
  • 0 replies
  • 601 views
Description This article describes how to test if the DoS policy is working by using 'hping3' on Linux and PowerShell on Windows.
Scope FortiOS, DoS Policies.
Solution

The easiest way to test if a DoS policy is successfully blocking traffic is by using a utility to generate traffic that meets the conditions of the DoS policy. 

Be very careful when doing tests like this. Plan for this testing in a maintenance period, as it is possible that the firewall can get overloaded if the tests are done incorrectly or the DoS policy is misconfigured.

It is not recommended to do these tests over the internet. The local ISP may block the connection, as this is technically a simulated DoS attack. The recommendation would be to clone the DoS policy on the Internet interface and change it to an unused port. Plug a PC into that unused port and do the testing that way. This is the lowest impact way to test this feature.
The conditions to trigger the policy will be the same on either interface, so this is a valid test.

In this example, port 9 is being used. A PC is plugged directly into the firewall on this port:

 

dos_test.PNG

 

In the Linux example below, the 'udp_flood' sensor will be tested:

 

udp_flooooood.PNG

 

This can be done on Linux by using a utility called 'hping3'. This is built into some Linux distros; if not already installed, it is possible to grab it by using the distro's package manager. The command would be as follows:

sudo hping3 --udp -p 3000 x.x.x.x --flood -c 3000

'--udp' specifies UDP as the type, '-p' specifies the port, 'x.x.x.x' is the destination IP (this should be the firewall's IP), '--flood' is the speed at which packets are sent, and '-c' is how many packets are sent (might be ignored with --flood).
The full list of flags for this tool can be seen here: https://www.kali.org/tools/hping3/.

 

hping3.PNG


Use 'CTRL+C' to stop. It is not needed to run for very long with '--flood' enabled. This was run for only 1 or 2 seconds, and 365277 packets were sent.

Under Log & Report -> Security Events -> Anomaly, it is possible to see that the traffic is blocked:

 

blocked.PNG

 

On Windows, there is no binary of 'hping3' available. Other TCP or UDP ping utilities (like PsPing) do not generate enough traffic to be picked up by the DoS policy, so a PowerShell script can be used instead. For this example, the 'tcp_syn_flood' sensor will be tested.

 

tcp_syn_flood.PNG

 

The PowerShell script used to generate this traffic is as follows:

 

1..5000 | ForEach-Object {
     (New-Object System.Net.Sockets.TcpClient).ConnectAsync("x.x.x.x", yyy).Wait(0.1)
}

 

Replace 'x.x.x.x' with the firewall IP, and 'yyy' with the port that should be tested. It does not matter what port is used in this context. Simply copy and paste the commands into PowerShell and run them.

There will be the following output in PowerShell when the script is working correctly:

 

powahshell.PNG

 

Here is the traffic getting blocked in the firewall:


blocked windows.PNG
    Terms & ConditionsAccessibility statement