⚠️Module 10: Denial-of-Service

Overview of Denial of Service

A DoS attack is a type of security breach that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Further, failure to protect against such attacks might mean the loss of a service such as email. In a worst-case scenario, a DoS attack can mean the accidental destruction of the files and programs of millions of people who happen to be surfing the Web at the time of the attack.

Some examples of types of DoS attacks:

  • Flooding the victim’s system with more traffic than it can handle

  • Flooding a service (such as Internet Relay Chat (IRC)) with more events than it can handle

  • Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by sending corrupt packets

  • Crashing a service by interacting with it in an unexpected way

  • Hanging a system by causing it to go into an infinite loop

Lab 1: Perform DoS and DDoS Attacks using Various Techniques

Overview of DoS and DDoS Attacks

DDoS attacks mainly aim at the network bandwidth; they exhaust network, application, or service resources, and thereby restrict legitimate users from accessing their system or network resources.

In general, the following are categories of DoS/DDoS attack vectors:

  • Volumetric Attacks: Consume the bandwidth of the target network or service

    Attack techniques:

    • UDP flood attack

    • ICMP flood attack

    • Ping of Death and smurf attack

    • Pulse wave and zero-day attack

  • Protocol Attacks: Consume resources like connection state tables present in the network infrastructure components such as load-balancers, firewalls, and application servers

    Attack techniques:

    • SYN flood attack

    • Fragmentation attack

    • Spoofed session flood attack

    • ACK flood attack

  • Application Layer Attacks: Consume application resources or services, thereby making them unavailable to other legitimate users

    Attack techniques:

    • HTTP GET/POST attack

    • Slowloris attack

    • UDP application layer flood attack

    • DDoS extortion attack

Task 1: Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit

SYN flooding takes advantage of a flaw in how most hosts implement the TCP three-way handshake. The attack occurs when the intruder sends a continuous stream of SYN packets (connection requests) to the host system, faster than the system can process them. Normally, a connection is established with the TCP three-way handshake, and the host keeps track of each partially open connection in a listening queue while waiting for the client's ACK packet. Once that queue is full of half-open connections, new legitimate connection requests are dropped.
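The half-open queue described above is also what a defender watches. The following is an added example (written for this page, not part of the lab material or of Metasploit): it follows each TCP handshake in a constructed packet trace and reports listening sockets whose count of connections stuck in SYN_RECV exceeds an assumed backlog size. The addresses, ports, the 128-entry backlog and the trace itself are constructed values.

```python
"""Half-open (SYN_RECV) connection tracking over a constructed packet trace."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "R"


# Constructed trace: one completed handshake from a legitimate client, then
# 200 SYNs from spoofed sources that get a SYN-ACK and never answer it.
LEGIT_TRACE = [
    Packet("10.0.0.5", 40001, "10.0.0.10", 22, "S"),
    Packet("10.0.0.10", 22, "10.0.0.5", 40001, "SA"),
    Packet("10.0.0.5", 40001, "10.0.0.10", 22, "A"),
]
FLOOD_TRACE = []
for i in range(1, 201):
    FLOOD_TRACE.append(Packet(f"198.51.100.{i}", 1000 + i, "10.0.0.10", 22, "S"))
    FLOOD_TRACE.append(Packet("10.0.0.10", 22, f"198.51.100.{i}", 1000 + i, "SA"))
TRACE = LEGIT_TRACE + FLOOD_TRACE


def track_half_open(packets):
    """Follow each handshake; return {(server, port): number of half-open entries}."""
    # key: (client, cport, server, sport) -> "SYN_RECV" | "ESTABLISHED"
    state = {}
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)  # client -> server orientation
        rev = (p.dst, p.dport, p.src, p.sport)  # server -> client orientation
        if "R" in p.flags:
            # a reset from either side tears the entry down
            state.pop(fwd, None)
            state.pop(rev, None)
        elif p.flags == "S":
            state[fwd] = "SYN_RECV"
        elif p.flags == "SA":
            continue  # server reply; entry stays SYN_RECV until the client ACKs
        elif "A" in p.flags and state.get(fwd) == "SYN_RECV":
            state[fwd] = "ESTABLISHED"
    half_open = defaultdict(int)
    for (_, _, server, sport), st in state.items():
        if st == "SYN_RECV":
            half_open[(server, sport)] += 1
    return dict(half_open)


def syn_flood_alerts(packets, backlog=128):
    """Listening sockets whose half-open count exceeds an assumed backlog size."""
    return sorted(k for k, n in track_half_open(packets).items() if n > backlog)


def handshake_completion_ratio(packets):
    """Share of SYNs that did not remain half-open: near 1.0 normally, near 0 under a flood."""
    syns = sum(1 for p in packets if p.flags == "S")
    half = sum(track_half_open(packets).values())
    return 0.0 if syns == 0 else (syns - half) / syns


if __name__ == "__main__":
    print(track_half_open(TRACE))
    print(syn_flood_alerts(TRACE))
    print(round(handshake_completion_ratio(TRACE), 4))
```

On a real host the same numbers come from the kernel's socket table (for example the count of SYN_RECV sockets per listening port) rather than from a captured trace, and a low completion ratio combined with many distinct source addresses is the usual signature of a spoofed SYN flood.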

Metasploit is a penetration testing platform that allows a user to find, exploit, and validate vulnerabilities. Also, it provides the infrastructure, content, and tools to conduct penetration tests and comprehensive security auditing. The Metasploit framework has numerous auxiliary module scripts that can be used to perform DoS attacks.

You can use the auxiliary/dos/tcp/synflood module to perform a DoS/DDoS attack on the target machine using the SSH services running on the victim machine. Set up all the required options in the module and run the attack.

Task 2: Perform a DoS Attack on a Target Host using hping3

hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol suite that sends ICMP echo requests and supports the TCP, UDP, ICMP, and raw-IP protocols.

It performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.

hping3 -S (Target IP Address) -a (Spoofable IP Address) -p 22 --flood

This command initiates the SYN flooding attack on the target machine. After a few seconds, press Ctrl+C to stop the SYN flooding of the target machine. If you send the SYN packets for a long period, then the target system may crash.

hping3 -d 65538 -S -p 21 --flood (Target IP Address)

-d: specifies data size;

-S: sets the SYN flag;

-p: specifies the destination port;

--flood: sends a huge number of packets.

Task 3: Perform a DoS Attack using Raven-storm

Raven-Storm is a DDoS tool for penetration testing that features Layer 3, Layer 4, and Layer 7 attacks. It is written in Python 3 and is effective and powerful in shutting down hosts and servers. It can be used to perform strong attacks and can be optimized for non-typical targets.

Task 4: Perform a DDoS Attack using HOIC

HOIC (High Orbit Ion Cannon) is a network stress and DoS/DDoS attack application. This tool is written in the BASIC language. It is designed to attack up to 256 target URLs simultaneously. It sends HTTP POST and GET requests to the target and is operated through a "lulz"-inspired GUI. It offers a high-speed multi-threaded HTTP flood; a built-in scripting system allows the deployment of "boosters," which are scripts designed to thwart DDoS countermeasures and increase DoS output.

Task 5: Perform a DDoS Attack using LOIC

LOIC (Low Orbit Ion Cannon) is a network stress testing and DoS attack application. We can also call it an application-based DoS attack tool, as it mostly targets web applications. We can use LOIC on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.

Lab 2: Detect and Protect Against DoS and DDoS Attacks

Overview of DoS and DDoS Attack Detection

Detection techniques are based on identifying an illegitimate traffic increase and discriminating it from legitimate packet traffic, including flash events (sudden surges of genuine users).

The following are the three types of detection techniques:

  • Activity Profiling: Profiles based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information

  • Sequential Change-point Detection: Filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate over time

  • Wavelet-based Signal Analysis: Analyzes network traffic in terms of spectral components
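The first two techniques in the list above can be shown concretely. The following added example (written for this page, not drawn from the lab's tools) builds an activity profile (average packets per second per flow over a baseline window, where a flow is identified by source, destination, port and protocol) and then applies sequential change-point detection, here a one-sided CUSUM on the aggregate packet rate, to a constructed 60-second traffic series in which a flood starts at second 45. The flow records, the 45-second baseline, the factor and minimum-rate thresholds and the CUSUM parameters are all constructed assumptions; the wavelet-based technique is not covered here.

```python
"""Activity profiling and CUSUM change-point detection over constructed flow counts."""
from collections import defaultdict
import statistics

# Constructed per-second flow counts: (second, src, dst, dport, proto, packets).
# Two steady legitimate flows for 60 s, plus a flood from a new source from second 45.
FLOW_RECORDS = []
for t in range(60):
    FLOW_RECORDS.append((t, "10.0.0.5", "10.0.0.10", 443, "tcp", 40 + (t % 5)))
    FLOW_RECORDS.append((t, "10.0.0.7", "10.0.0.10", 53, "udp", 10 + (t % 3)))
    if t >= 45:
        FLOW_RECORDS.append((t, "203.0.113.9", "10.0.0.10", 80, "tcp", 2000))


def flow_key(rec):
    """A flow is identified by source, destination, destination port and protocol."""
    _, src, dst, dport, proto, _ = rec
    return (src, dst, dport, proto)


def activity_profile(records, baseline_seconds):
    """Activity profiling: average packets/second per flow over the baseline window."""
    totals = defaultdict(int)
    for rec in records:
        if rec[0] < baseline_seconds:
            totals[flow_key(rec)] += rec[5]
    return {k: v / baseline_seconds for k, v in totals.items()}


def profile_anomalies(records, baseline_seconds, factor=3.0, min_rate=50.0):
    """Flows whose rate after the baseline exceeds factor x their profiled rate.

    Flows unseen during the baseline have a profile of 0, so any such flow
    above min_rate packets/second is reported.
    """
    profile = activity_profile(records, baseline_seconds)
    totals, seconds = defaultdict(int), defaultdict(set)
    for rec in records:
        if rec[0] >= baseline_seconds:
            totals[flow_key(rec)] += rec[5]
            seconds[flow_key(rec)].add(rec[0])
    anomalies = []
    for k, total in totals.items():
        rate = total / len(seconds[k])
        if rate > max(factor * profile.get(k, 0.0), min_rate):
            anomalies.append(k)
    return sorted(anomalies)


def aggregate_rate(records):
    """Total packets per second as a list indexed by second."""
    per_sec = defaultdict(int)
    for rec in records:
        per_sec[rec[0]] += rec[5]
    return [per_sec[t] for t in range(max(per_sec) + 1)]


def cusum_change_point(series, baseline_seconds, k_sigma=0.5, h_sigma=5.0):
    """Sequential change-point detection (one-sided CUSUM) on the aggregate rate.

    mu and sigma are learned from the baseline window; the slack k and the
    decision threshold h are expressed in units of sigma. Returns the first
    second at which the statistic crosses h, or None if it never does.
    """
    base = series[:baseline_seconds]
    mu = statistics.mean(base)
    sigma = statistics.pstdev(base) or 1.0  # guard against a perfectly flat baseline
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for t, x in enumerate(series):
        s = max(0.0, s + (x - mu) - k)  # accumulate only upward deviations
        if s > h:
            return t
    return None


if __name__ == "__main__":
    print(activity_profile(FLOW_RECORDS, 45))
    print(profile_anomalies(FLOW_RECORDS, 45))
    print(cusum_change_point(aggregate_rate(FLOW_RECORDS), 45))
```

The two methods are complementary: the profile names which flow misbehaves, while CUSUM answers when the aggregate rate departed from its baseline, and the slack term k keeps the periodic jitter of the legitimate flows from ever reaching the threshold.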

Task 1: Detect and Protect Against DDoS Attacks using Anti DDoS Guardian

Anti DDoS Guardian is a DDoS attack protection tool. It protects IIS servers, Apache servers, game servers, Camfrog servers, mail servers, FTP servers, VoIP PBX and SIP servers, and other systems. Anti DDoS Guardian monitors each incoming and outgoing packet in real time. It displays the local address, remote address, and other information for each network flow. Anti DDoS Guardian limits the number of network flows, per-client bandwidth, the number of concurrent TCP connections per client, and the TCP connection rate. It also limits UDP bandwidth, the UDP connection rate, and the UDP packet rate.
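The limits listed above (total flows, concurrent TCP connections per client, and connection rate per client) amount to an admission-control decision taken for each new connection. The following added example is a minimal version of that logic written for this page; it is not Anti DDoS Guardian's code, and the limit values, client addresses and event sequence are constructed assumptions.

```python
"""Per-client connection admission control: concurrency, rate and global flow limits."""
from collections import defaultdict, deque


class ConnectionLimiter:
    def __init__(self, max_concurrent=3, max_per_window=5, window_seconds=1.0,
                 max_total_flows=1000):
        self.max_concurrent = max_concurrent    # open TCP connections per client
        self.max_per_window = max_per_window    # accepted connects per client per window
        self.window = window_seconds
        self.max_total_flows = max_total_flows  # open connections across all clients
        self.open = defaultdict(int)            # client -> currently open connections
        self.recent = defaultdict(deque)        # client -> timestamps of recent accepts
        self.total_open = 0

    def admit(self, client, now):
        """Return (accepted, reason) for a new connection attempt at time `now`."""
        q = self.recent[client]
        while q and now - q[0] >= self.window:  # slide the rate window forward
            q.popleft()
        if self.total_open >= self.max_total_flows:
            return False, "global flow limit"
        if self.open[client] >= self.max_concurrent:
            return False, "concurrent limit"
        if len(q) >= self.max_per_window:
            return False, "rate limit"
        q.append(now)
        self.open[client] += 1
        self.total_open += 1
        return True, "ok"

    def release(self, client):
        """Record that one of the client's accepted connections closed."""
        if self.open[client] > 0:
            self.open[client] -= 1
            self.total_open -= 1


def replay(events, limiter=None):
    """Feed (time, client, 'connect'|'close') events; return one decision per connect."""
    limiter = limiter or ConnectionLimiter()
    decisions = []
    for t, client, kind in events:
        if kind == "connect":
            accepted, reason = limiter.admit(client, t)
            decisions.append((t, client, accepted, reason))
        else:
            limiter.release(client)
    return decisions


# Constructed event log: a well-behaved client, then a client that first holds
# too many connections open and then reconnects too fast after closing them.
EVENTS = [
    (0.00, "10.0.0.5", "connect"), (0.10, "10.0.0.5", "close"),
    (0.20, "10.0.0.5", "connect"), (0.30, "10.0.0.5", "close"),
    (0.50, "198.51.100.7", "connect"), (0.51, "198.51.100.7", "connect"),
    (0.52, "198.51.100.7", "connect"), (0.53, "198.51.100.7", "connect"),
    (0.54, "198.51.100.7", "close"), (0.55, "198.51.100.7", "close"),
    (0.56, "198.51.100.7", "close"),
    (0.57, "198.51.100.7", "connect"), (0.58, "198.51.100.7", "connect"),
    (0.59, "198.51.100.7", "connect"),
    (1.60, "198.51.100.7", "connect"),  # window has passed; admitted again
]


if __name__ == "__main__":
    for decision in replay(EVENTS):
        print(decision)
```

The two per-client checks catch different behaviours: the concurrency limit stops a client from holding the server's connection table hostage, while the sliding-window rate limit stops a client that opens and closes connections quickly enough to stay under the concurrency limit. Bandwidth and UDP packet-rate limits follow the same shape with byte or packet counts in place of connection counts.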

Hacker's Mantra: As a young boy, I was taught in high school that hacking was cool. - Kevin Mitnick