Lab04 Instruction


Lab No. 4
Analyzing DoS Attack Techniques

1. Overview
1.1. Purpose
A DoS (Denial of Service) attack is a type of cyber attack in which a malicious actor
aims to render a service unavailable to its intended users. These attacks can be performed on
every layer of a communication system and most of them are very easy to execute. DoS attacks
typically exploit security vulnerabilities present in network protocols or software design.
This lab is designed to let students experience some common DoS attack techniques.
After completing this lab, students should have gained knowledge and skills related to
this type of attack.
1.2. Lab environment
- OS: Linux Ubuntu
- Tools: Wireshark, Python, hping3, Saddam, iftop, top
1.3. Preparation
- Review lecture on Denial-of-Service attack.
- Read lab handouts.
- Correctly answer more than 50% of the multiple-choice preparation questions.
- Be familiar with the aforementioned tools:
• hping3: https://techradix.in/hping-3-tutorials/
• Saddam: https://github.com/S4kur4/Saddam-new
• top: https://www.howtogeek.com/668986/how-to-use-the-linux-top-command-and-understand-its-output/
• iftop: https://linoxide.com/monitoring-2/iftop-network-traffic/
2. Instructions
- Students complete the lab with the assigned group members.
- Each group runs the attack scenarios described below.
- Each group writes a report on the results of the attack scenarios, based on the provided
template.
On every computer in the practice room, students are provided with an Ubuntu 20.04 VM
running in VirtualBox. The lab will be completed with these VMs.

3. Attack scenarios
3.1. Attack scenario 1 (3 points)
Network diagram:
- Step 1: [Victim] Open Terminal window no.1 and execute the command below. Wait about
30 seconds for the figures to stabilize. Capture the screen and put it in the report.
sudo top
- Step 2: [Victim] Open Terminal window no.2 and execute the command below. Capture
the screen and put it in the report.
sudo iftop -i Name_of_victim_interface
- Step 3: [Victim] Launch Wireshark and capture packets on the relevant network interface.
- Step 4: [Attack] Open Terminal window and execute the command below to attack victim’s
device.
sudo hping3 --icmp Victim_IP -d 65000 --flood --rand-source
- Step 5: [User] Open Terminal window and try to communicate with the victim’s device
using the Telnet service. The response time may be longer than usual.
telnet Victim_IP
- Step 6: [Victim] Open Terminal window in step 1 (top command) and wait about 30
seconds for the figures to stabilize. Capture the screen and put it in the report.
- Step 7: [Attack] Stop hping3 tool.
- Step 8: [Victim] Open Terminal window in step 2 (iftop command) and stop executing
iftop. Capture the screen and put it in the report.
- Step 9: [Victim] Stop capturing packets in Wireshark and analyze network traffic.
Question 1.
- Analyze the result of executing top and indicate the victim's CPU and RAM usage
before and during the attack.
- Analyze the result of executing iftop and indicate the traffic the victim received
before and during the attack.
- Analyze the network traffic in Wireshark and identify the attack technique used against
the victim. What is the result of this attack on the victim’s device?

3.2. Attack scenario 2 (3 points)


Network diagram:

- Step 1: [Victim] Open Terminal window no.1 and execute the command below. Wait about
30 seconds for the figures to stabilize. Capture the screen and put it in the report.
sudo top
- Step 2: [Victim] Open Terminal window no.2 and execute the command below. Capture
the screen and put it in the report.
sudo iftop -i Name_of_victim_interface
- Step 3: [Victim] Launch Wireshark and capture packets on the relevant network interface.
- Step 4: [Attack] Open Terminal window and execute the command below to attack victim’s
device.
sudo hping3 -S -p 23 Victim_IP --flood --rand-source
- Step 5: [User] Open Terminal window and try to communicate with the victim’s device
using the Telnet service. The response time may be longer than usual.
telnet Victim_IP
- Step 6: [Victim] Open Terminal window in step 1 (top command) and wait about 30
seconds for the figures to stabilize. Capture the screen and put it in the report.
- Step 7: [Attack] Stop hping3 tool.
- Step 8: [Victim] Open Terminal window in step 2 (iftop command) and stop executing
iftop. Capture the screen and put it in the report.
- Step 9: [Victim] Stop capturing packets in Wireshark and analyze network traffic.
Question 2.
- Analyze the result of executing top and indicate the victim's CPU and RAM usage
before and during the attack.
- Analyze the result of executing iftop and indicate the traffic the victim received
before and during the attack.
- Analyze the network traffic in Wireshark and identify the attack technique used against
the victim. What is the result of this attack on the victim’s device?
- Briefly describe how to defend against this attack technique.
3.3. Attack scenario 3 (4 points)
Network diagram:

- Step 1: [Victim] Open Terminal window no.1 and execute the command below. Wait about
30 seconds for the figures to stabilize. Capture the screen and put it in the report.
sudo top
- Step 2: [Victim] Open Terminal window no.2 and execute the command below. Capture
the screen and put it in the report.
sudo iftop -i Name_of_victim_interface
- Step 3: [Victim] Launch Wireshark and capture packets on the relevant network interface.
- Step 4: [Attack] Open Terminal window. Open the dns.txt file and write the IP address of
the DNS server in it.
cd ~
sudo gedit dns.txt
Save the content of the dns.txt file.
- Step 5: [Attack] Open Terminal window and execute the command below to attack victim’s
device.
sudo python saddam.py Victim_IP -d dns.txt:www.test.com
- Step 6: [User] Open Terminal window and try to communicate with the victim’s device
using the Telnet service. The response time may be longer than usual.
telnet Victim_IP
- Step 7: [Victim] Open Terminal window in step 1 (top command) and wait about 30
seconds for the figures to stabilize. Capture the screen and put it in the report.
- Step 8: [Attack] Stop the saddam.py tool.
- Step 9: [Victim] Open Terminal window in step 2 (iftop command) and stop executing
iftop. Capture the screen and put it in the report.
- Step 10: [Victim] Stop capturing packets in Wireshark and analyze network traffic.
Question 3.
- Analyze the result of executing top and indicate the victim's CPU and RAM usage
before and during the attack.
- Analyze the result of executing iftop and indicate the traffic the victim received
before and during the attack.
- Analyze the network traffic in Wireshark and identify the attack technique used against
the victim. What is the result of this attack on the victim’s device?
- Briefly describe how to defend against this attack technique.
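
The traffic analysis asked for in Questions 1 to 3 can also be done programmatically. The block below is an added example, not part of the original lab handout: it classifies victim-side packet records by the pattern each scenario leaves in a capture. The record fields, the addresses, the threshold `min_pkts` and the helper names `pkt`, `classify` and `sample` are assumptions made for this illustration, and the records are constructed rather than taken from a real capture.

```python
VICTIM = "192.0.2.10"  # constructed address from the documentation range

def pkt(src, dst, proto, sport=0, dport=0, flags=""):
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, flags=flags)

def classify(packets, victim=VICTIM, min_pkts=100):
    """Name the flood patterns present in traffic towards `victim`."""
    inbound = [p for p in packets if p["dst"] == victim]
    found = set()
    # Scenario 1 pattern: a burst of echo requests from mostly unique sources.
    echo = [p for p in inbound if p["proto"] == "icmp" and p["flags"] == "echo-request"]
    if len(echo) >= min_pkts and len({p["src"] for p in echo}) > len(echo) / 2:
        found.add("icmp-flood")
    # Scenario 2 pattern: SYNs whose (source, port) never sends the final ACK.
    tcp = [p for p in inbound if p["proto"] == "tcp"]
    syn = {(p["src"], p["sport"]) for p in tcp if p["flags"] == "S"}
    ack = {(p["src"], p["sport"]) for p in tcp if p["flags"] == "A"}
    if len(syn - ack) >= min_pkts:
        found.add("syn-flood")
    # Scenario 3 pattern: DNS answers the victim never asked for.
    asked = {(p["dst"], p["sport"]) for p in packets
             if p["src"] == victim and p["proto"] == "udp" and p["dport"] == 53}
    stray = [p for p in inbound if p["proto"] == "udp" and p["sport"] == 53
             and (p["src"], p["dport"]) not in asked]
    if len(stray) >= min_pkts:
        found.add("dns-reflection")
    return found

def sample(kind, n=200):
    """Constructed records standing in for a Wireshark export."""
    srcs = [f"203.0.113.{i % 250 + 1}" for i in range(n)]
    if kind == "icmp":
        return [pkt(s, VICTIM, "icmp", flags="echo-request") for s in srcs]
    if kind == "syn":
        return [pkt(s, VICTIM, "tcp", 1024 + i, 23, "S") for i, s in enumerate(srcs)]
    if kind == "dns":
        return [pkt("198.51.100.53", VICTIM, "udp", 53, 40000 + i) for i in range(n)]
    # "normal": completed handshakes plus DNS answers to the victim's own queries
    out = []
    for i, s in enumerate(srcs):
        out += [pkt(s, VICTIM, "tcp", 1024 + i, 23, "S"),
                pkt(s, VICTIM, "tcp", 1024 + i, 23, "A"),
                pkt(VICTIM, "198.51.100.53", "udp", 40000 + i, 53),
                pkt("198.51.100.53", VICTIM, "udp", 53, 40000 + i)]
    return out

if __name__ == "__main__":
    for kind in ("normal", "icmp", "syn", "dns"):
        print(kind, sorted(classify(sample(kind))))
```

The "normal" sample carries the same number of SYNs and DNS answers as the flood samples, so it shows that volume alone is not the signal: what separates the cases is the missing final ACK and the missing outbound query.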
