Module: Denial of Service (DoS)
In computing, a denial of service attack is an attempt to make a machine or network resource unavailable to its intended users, such as to temporarily or indefinitely interrupt or suspend service of a host connected to the internet.
What are the signs of a potential DoS attack? Here are a few that may indicate a DoS attack is in effect:
■ Unavailability of a resource
■ Loss of access to a website
■ Slow performance
■ Increase in spam emails
DoS attacks result in a multitude of consequences. Let’s look at some common examples of what is seen in the real world and what you’ll most likely see on the exam:
Web Server Compromise: A successful DoS attack and subsequent compromise of a web server constitutes the widest public exposure against a specific target. What you see most often is a loss of uptime for a company web page or web resource.
Back-End Resources: Back-end resources include infrastructure items that support a public-facing resource such as a web application. DoS attacks that take down a back-end resource such as a customer database or server farm essentially render all front-end
Network or Computer Specific: DoS attacks are also launched from within a local area network, with intent to compromise the network itself or to compromise a specific node such as a server or client system.
Types of Attacks
DoS attacks come in many flavors, each of which is critical to your understanding of the nature of the DoS attack class.
SYN Flood Attack
This type of attack exploits the three-way handshake with the intention of tying up a system. For this attack to occur, the attacker forges SYN packets with a bogus source address. When the victim system responds with a SYN-ACK, the reply goes to this bogus address, and since the address doesn’t exist, the victim system is left waiting for a response that will never come. This waiting period ties up a connection on the system because the system will not receive an ACK.
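The mechanism just described is easiest to see from the server's side: every SYN reserves a half-open entry, and an entry opened by a forged source is only ever freed by a timeout. The following monitor, added here as an example and not code from the course text, replays a constructed packet trace and reports when the half-open backlog crosses a threshold; the trace, the timeout and the threshold are assumed values chosen to keep the demonstration small.

```python
"""Half-open connection monitor: the buildup a SYN flood causes, replayed
over constructed packet records.

Added example (not code from the course text). It models what a server's
TCP stack experiences: each SYN reserves a half-open entry until the
client's ACK arrives, and a SYN from a forged source is never followed by
an ACK, so the entry waits until it times out. Records, timeout and
threshold below are constructed/assumed values, not measurements.
"""
from collections import namedtuple
from typing import Dict, List, Tuple

# Inbound packet as seen at the server: time, client address, server address, TCP flags
Packet = namedtuple("Packet", "ts src dst flags")

HALF_OPEN_TIMEOUT = 30.0  # seconds a SYN may wait for its ACK before expiring (assumed)
ALERT_THRESHOLD = 5       # half-open entries at which to alert (assumed; tiny for the demo)


def track_half_open(packets: List[Packet], server: str):
    """Replay packets in time order.

    Returns (peak, alerts, expired):
      peak    - largest number of simultaneous half-open entries
      alerts  - (timestamp, count) each time the backlog crosses the threshold
      expired - client addresses whose SYN was never acknowledged
    """
    pending: Dict[str, float] = {}      # client -> time its SYN arrived
    expired: List[str] = []
    alerts: List[Tuple[float, int]] = []
    peak = 0
    above = False
    for p in sorted(packets, key=lambda x: x.ts):
        # Age out entries that have waited longer than the timeout: with a
        # forged source this is the only way an entry ever leaves the table.
        for client, opened in list(pending.items()):
            if p.ts - opened > HALF_OPEN_TIMEOUT:
                expired.append(client)
                del pending[client]
        if p.dst != server:
            continue
        if p.flags == "S":
            pending.setdefault(p.src, p.ts)          # new half-open entry
        elif p.flags in ("A", "R") and p.src in pending:
            del pending[p.src]                       # handshake completed or aborted
        peak = max(peak, len(pending))
        crossed = len(pending) >= ALERT_THRESHOLD
        if crossed and not above:
            alerts.append((p.ts, len(pending)))
        above = crossed
    return peak, alerts, expired


def sample_packets() -> List[Packet]:
    """Constructed trace: one legitimate client completes its handshake, then
    eight SYNs arrive from forged sources that never answer the SYN-ACK."""
    server = "192.168.0.10"
    trace = [Packet(0.0, "10.0.0.5", server, "S"),
             Packet(0.5, "10.0.0.5", server, "A")]
    for i in range(8):
        trace.append(Packet(1.0 + i, f"203.0.113.{i + 1}", server, "S"))
    # a much later legitimate SYN lets the replay age out the stale entries
    trace.append(Packet(60.0, "10.0.0.6", server, "S"))
    return trace


if __name__ == "__main__":
    peak, alerts, expired = track_half_open(sample_packets(), "192.168.0.10")
    print(f"peak half-open: {peak}, alerts: {alerts}, unanswered SYNs: {len(expired)}")
```

The two signals a defender reads from this are the backlog crossing a threshold and the share of entries that expire unanswered; the legitimate client never appears in the expired list because its ACK arrived.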
ICMP Flood Attack
An ICMP request requires the server to process the request and respond, thus consuming
CPU resources. Attacks on the ICMP include smurf attacks, ICMP floods, and ping floods,
all of which take advantage of this situation by flooding the server with ICMP requests
without waiting for the response.
Ping of Death
A true classic indeed, originating in the mid- to late-1990s, the ping of death was a ping
packet that was larger than the allowable 64 K. Although not much of a significant threat
today due to ping blocking, OS patching, and general awareness, back in its heyday the
ping of death was a formidable and extremely easy-to-use DoS exploit. Exercise 11.2
demonstrates how to perform a ping of death in Windows.
Teardrop Attack
A teardrop attack occurs when an attacker sends custom-crafted fragmented packets with offset values that overlap during the attempted rebuild. This causes the target machine to become unstable when attempting to rebuild the fragmented packets.
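Both the ping of death and the teardrop attack are failures of the same code path, IP fragment reassembly: one produces a reassembled datagram larger than the 16-bit total-length field can describe, the other produces fragments whose byte ranges overlap. The checker below is an added example (not code from the course text) that lays constructed fragment records out the way a reassembly path would and reports either condition; the fragment records and the 20-byte minimal header are assumptions for the demonstration.

```python
"""IP fragment sanity checks of the kind a reassembly path needs against
ping of death (reassembled size over the IPv4 limit) and teardrop
(fragments whose offsets overlap).

Added example, not code from the course text. The fragments are
constructed records, not parsed packets: `offset` is in 8-byte units as in
the IPv4 header, `length` is the fragment's payload size in bytes, and the
20-byte header is an assumed minimal IPv4 header.
"""
from dataclasses import dataclass
from typing import Dict, List

IPV4_MAX_DATAGRAM = 65535   # limit of the 16-bit total-length field
IPV4_HEADER_LEN = 20        # minimal header, assumed for the reassembled size


@dataclass
class Fragment:
    ident: int     # IP identification field shared by all pieces of a datagram
    offset: int    # fragment offset in 8-byte units
    more: bool     # MF flag: more fragments follow
    length: int    # payload bytes carried by this fragment


def check_datagram(frags: List[Fragment]) -> List[str]:
    """Return the problems found while laying the fragments out in order."""
    problems: List[str] = []
    covered_end = 0                     # first byte past the fragments placed so far
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + f.length
        if start < covered_end:
            # teardrop: this piece starts inside a piece already placed
            problems.append(f"overlap at byte {start} (previous fragment ends at {covered_end})")
        if IPV4_HEADER_LEN + end > IPV4_MAX_DATAGRAM:
            # ping of death: the reassembled buffer would exceed what the
            # total-length field can describe
            problems.append(f"oversize: reassembled datagram would be {IPV4_HEADER_LEN + end} bytes")
        covered_end = max(covered_end, end)
    return problems


def classify(fragments: List[Fragment]) -> Dict[int, str]:
    """Group fragments by identification and give each datagram a verdict."""
    by_id: Dict[int, List[Fragment]] = {}
    for f in fragments:
        by_id.setdefault(f.ident, []).append(f)
    verdicts: Dict[int, str] = {}
    for ident, frags in by_id.items():
        problems = check_datagram(frags)
        verdicts[ident] = "ok" if not problems else "; ".join(problems)
    return verdicts


def sample_fragments() -> List[Fragment]:
    """Constructed fragment records for three datagrams."""
    return [
        # id 1: ordinary fragmented datagram, 1580 payload bytes in two pieces
        Fragment(1, 0, True, 1480), Fragment(1, 185, False, 100),
        # id 2: ping of death, the last fragment pushes the total past 65535
        Fragment(2, 0, True, 1480), Fragment(2, 8190, False, 24),
        # id 3: teardrop, the second fragment's offset lands inside the first
        Fragment(3, 0, True, 36), Fragment(3, 3, False, 16),
    ]


if __name__ == "__main__":
    for ident, verdict in classify(sample_fragments()).items():
        print(f"datagram {ident}: {verdict}")
```

A reassembly implementation that performs these two checks before allocating or copying is the reason neither attack affects a patched operating system today; the checker rejects the datagram instead of building it.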
Smurf Attack
A smurf attack spoofs the IP address of the target machine and sends numerous ICMP echo request packets to the broadcast addresses of intermediary sites. The intermediary sites amplify the ICMP traffic back to the source IP, thereby saturating the network segment of the target machines.
Fraggle Attack
A fraggle attack is a variation of a smurf attack that uses UDP echo requests instead of ICMP. It still uses an intermediary for amplification. Commonly a fraggle attack targets the UDP echo requests to the chargen (character generator) port of the intermediary systems via a broadcast request. Just as in a smurf attack, the attacker spoofs the victim’s IP address as the source. Each client that receives the echo to the chargen port will in turn generate a character to be sent to the victim. Once it’s received, the victim machine will echo back to the intermediary’s chargen port, thus restarting the cycle.
Land Attack
A land attack sends traffic to the target machine with the source spoofed as the target machine itself. The victim attempts to acknowledge the request repeatedly with no end.
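The smurf, fraggle and land attacks above each leave a distinctive trace in flow records: a request aimed at a broadcast address from outside the segment (the intermediary being recruited), a burst of echo or chargen answers arriving at one host that never asked for them (the victim), and a packet whose source equals its destination. The classifier below is an added example (not code from the course text) that applies those three checks to constructed flow records; the protected network, the reflector ports and the reflector threshold are assumptions.

```python
"""Reflection and spoofing checks over constructed flow records: smurf and
fraggle ingress (requests aimed at a broadcast address from outside), the
amplified replies they produce toward a victim, and land (source equals
destination).

Added example, not code from the course text. The records, the protected
network and the thresholds are constructed/assumed; a real deployment would
read them from flow export or packet capture.
"""
import ipaddress
from collections import defaultdict, namedtuple
from typing import List, Set, Tuple

# One observed packet or flow: kind is "echo-request"/"echo-reply" for ICMP, "" otherwise
Record = namedtuple("Record", "src dst proto sport dport kind")

LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")   # protected segment (assumed)
REFLECTOR_PORTS = {7: "echo", 19: "chargen"}          # UDP services a fraggle attack reflects off
MIN_REFLECTORS = 3                                     # distinct hosts answering one victim (assumed)


def classify_records(records: List[Record]) -> List[str]:
    findings: List[str] = []
    requested: Set[Tuple[str, str]] = set()            # (requester, responder) pairs actually asked for
    unsolicited = defaultdict(set)                     # victim -> reflectors answering it unasked
    for r in records:
        src, dst = ipaddress.ip_address(r.src), ipaddress.ip_address(r.dst)
        if src == dst:
            findings.append(f"land: {r.src} -> {r.dst} (source equals destination)")
            continue
        if dst == LOCAL_NET.broadcast_address and src not in LOCAL_NET:
            # a directed broadcast from outside is how smurf/fraggle recruit this segment as amplifier
            if r.proto == "icmp" and r.kind == "echo-request":
                findings.append(f"smurf ingress: echo-request to broadcast from outside source {r.src}")
            elif r.proto == "udp" and r.dport in REFLECTOR_PORTS:
                findings.append(f"fraggle ingress: UDP to broadcast {REFLECTOR_PORTS[r.dport]} port from outside source {r.src}")
            continue
        # remember legitimate requests so their answers are not counted as reflection
        if (r.proto == "icmp" and r.kind == "echo-request") or \
           (r.proto == "udp" and r.dport in REFLECTOR_PORTS):
            requested.add((r.src, r.dst))
            continue
        is_answer = (r.proto == "icmp" and r.kind == "echo-reply") or \
                    (r.proto == "udp" and r.sport in REFLECTOR_PORTS)
        if is_answer and (r.dst, r.src) not in requested:
            unsolicited[r.dst].add(r.src)
    for victim, reflectors in unsolicited.items():
        if len(reflectors) >= MIN_REFLECTORS:
            findings.append(f"amplified reflection: {len(reflectors)} hosts answering {victim} unasked")
    return findings


def sample_records() -> List[Record]:
    """Constructed flow records covering one benign exchange and each attack pattern."""
    return [
        Record("192.168.0.10", "8.8.8.8", "icmp", 0, 0, "echo-request"),
        Record("8.8.8.8", "192.168.0.10", "icmp", 0, 0, "echo-reply"),         # solicited, ignored
        Record("203.0.113.7", "192.168.0.255", "icmp", 0, 0, "echo-request"),  # smurf ingress
        Record("203.0.113.7", "192.168.0.255", "udp", 40000, 19, ""),          # fraggle ingress
        Record("192.168.0.30", "192.168.0.30", "tcp", 139, 139, ""),           # land
        Record("198.51.100.1", "192.168.0.20", "icmp", 0, 0, "echo-reply"),    # unasked answers
        Record("198.51.100.2", "192.168.0.20", "icmp", 0, 0, "echo-reply"),
        Record("198.51.100.3", "192.168.0.20", "udp", 19, 40001, ""),          # chargen answer
    ]


if __name__ == "__main__":
    for finding in classify_records(sample_records()):
        print(finding)
```

Each finding maps onto a standard control: the ingress findings are what dropping directed broadcasts at the border (and having hosts ignore broadcast echo requests and disable echo/chargen) prevents, the reflection finding is what the victim's upstream rate limiting has to absorb, and the land finding is what a simple source-equals-destination filter removes.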
ICMP Flood with hping3
In this exercise you will use hping3 to perform a smurf attack.
At the Linux command prompt type:
hping3 -1 --flood -a 192.168.0.10
hping3 -c 10000 -d 128 -S -w 64 -p 8080 --flood --rand-source <Target IP>
In this command hping3 spoofs broadcast packets to the target, which in this case is
Performing a Ping of Death
Perform a ping of death attack.
To perform a ping of death in Windows use the following command:
ping -l 65540 <hostname or IP>
ping <IP address> -l 65500 -w 1 -n 1
-w sets the timeout in milliseconds to wait for each reply
-n sets the number of echo requests to send to the target
What is a DDoS Attack?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like a traffic jam clogging up the highway, preventing regular traffic from arriving at its desired destination.
A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are used for specific functions, so the malicious operations stay hidden to the user. Botnets are commonly used to send email spam, engage in click fraud campaigns and generate malicious traffic for distributed denial-of-service attacks.
Tools for Performing DoS and DDoS Attacks
GoldenEye: a Kali Linux tool available on GitHub.
Download link: https://github.com/jseidl/GoldenEye
To run goldeneye.py, first download it from GitHub and copy it to the directory where you want to save it.
Open a terminal and run: # ./goldeneye.py <URL of the target> -w 10 -s 500 -m random
For a DDoS attack the main task is to take down the target server using botnets; for creating virtual "slaves" we use UFONet from GitHub.
Download link: https://github.com/epsylon/ufonet
LOIC: LOIC performs a DoS attack (or, when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host.