Denial of Service
Scenario
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have
become a major threat to computer networks. These attacks attempt to make a
machine or network resource unavailable to its authorized users. Usually, DoS and
DDoS attacks exploit vulnerabilities in the implementation of the TCP/IP protocols
or bugs in a specific OS.
In a DoS attack, attackers flood a victim’s system with nonlegitimate service requests
or traffic to overload its resources, bringing the system down and leading to the
unavailability of the victim’s website—or at least significantly slowing the victim’s
system or network performance. The goal of a DoS attack is not to gain unauthorized
access to a system or corrupt data, but to keep legitimate users from using the system.
As an expert ethical hacker or penetration tester (hereafter, pen tester), you must
possess sound knowledge of DoS and DDoS attacks to detect and neutralize attack
handlers, and mitigate such attacks.
The labs in this module give hands-on experience in auditing a network against DoS
and DDoS attacks.
Objectives
The objective of this lab is to perform DoS attacks and other tasks that include, but
are not limited to:
● Perform a DoS attack by continuously sending a large number of SYN packets
● Perform a DoS attack (SYN Flooding, Ping of Death (PoD), and UDP
application layer flood) on a target host
● Perform a DDoS attack
● Detect and analyze DoS attack traffic
● Detect and protect against a DDoS attack
● Flooding the victim’s system with more traffic than it can handle
● Flooding a service (such as an internet relay chat (IRC)) with more events than
it can handle
● Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by
sending corrupt packets
● Crashing a service by interacting with it in an unexpected way
● Hanging a system by causing it to go into an infinite loop
Lab Tasks
Ethical hackers or pen testers use numerous tools and techniques to perform DoS and
DDoS attacks on the target network. Recommended labs that will assist you in
learning various DoS attack techniques include:
Note: Your screens might differ from that of the screenshots due to the updates in the
Operating Systems, tools and other online services demonstrated in the lab tasks.
DoS and DDoS attacks have become popular because of the easy accessibility of
exploit plans and the negligible amount of brainwork required to execute them.
These attacks can be very dangerous, because they can quickly overwhelm the largest
hosts on the Internet, rendering them useless. The impact of these attacks includes loss
of goodwill, disabled networks, financial loss, and disabled organizations.
In a DDoS attack, many attacking systems pound the target browser or network with fake
external requests that make the system, network, browser, or site slow, useless, and
disabled or unavailable.
The attacker initiates the DDoS attack by sending a command to the zombie agents.
These zombie agents send a connection request to a large number of reflector systems
with the spoofed IP address of the victim. The reflector systems see these requests as
coming from the victim’s machine instead of as zombie agents, because of the
spoofing of the source IP address. Hence, they send the requested information
(response to connection request) to the victim. The victim’s machine is flooded with
unsolicited responses from several reflector computers at once. This may reduce
performance or may even cause the victim’s machine to shut down completely.
As an expert ethical hacker or pen tester, you must have the required knowledge to
perform DoS and DDoS attacks to be able to test systems in the target network.
In this lab, you will gain hands-on experience in auditing network resources against
DoS and DDoS attacks.
Lab Objectives
DDoS attacks mainly aim at the network bandwidth; they exhaust network,
application, or service resources, and thereby restrict legitimate users from accessing
their system or network resources.
Attack techniques:
Metasploit is a penetration testing platform that allows a user to find, exploit, and
validate vulnerabilities. Also, it provides the infrastructure, content, and tools to
conduct penetration tests and comprehensive security auditing. The Metasploit
framework has numerous auxiliary module scripts that can be used to perform DoS
attacks.
Here, we will use the Metasploit tool to perform a DoS attack (SYN flooding) on a
target host.
Note: In this task, we will use the Parrot Security (10.10.1.13) machine to perform
SYN flooding on the Windows 10 (10.10.1.10) machine through port 21.
9. The result appears, displaying the port status as open, as shown in the
screenshot.
Note: If the port in your lab environment turns out to be closed, look for
an open port using Nmap.
10. Now, we will perform SYN flooding on the target machine (Windows 10)
using port 21.
11. In this task, we will use an auxiliary module of Metasploit called synflood to
perform a DoS attack on the target machine.
12. Type msfconsole from a command-line terminal and press Enter to launch
msfconsole.
13. In the msf command line, type use auxiliary/dos/tcp/synflood and
press Enter to launch a SYN flood module.
14. Now, determine which module options need to be configured to begin the DoS
attack.
15. Type show options and press Enter. This displays all the options associated
with the auxiliary module.
16. Here, we will perform SYN flooding on port 21 of the Windows 10 machine
by spoofing the IP address of the Parrot Security machine with that of
the Windows Server 2019 (10.10.1.19) machine.
17. Issue the following commands:
● set RHOST (Target IP Address) (here, 10.10.1.10)
● set RPORT 21
● set SHOST (Spoofable IP Address) (here, 10.10.1.19)
23. Wireshark displays the traffic coming from the machine. Here, you can
observe that the Source IP address is that of the Windows Server
2019 (10.10.1.19) machine. This implies that the IP address of the Parrot
Security machine has been spoofed.
24. Observe that the target machine (Windows 10) has drastically slowed,
implying that the DoS attack is in progress on the machine. If the attack is
continued for some time, the machine’s resources will eventually be completely
exhausted, causing it to stop responding.
25. Once the performance analysis of the machine is complete, click on CEHv11
Parrot Security to switch to the Parrot Security machine and press Ctrl+C to
terminate the attack.
26. This concludes the demonstration of how to perform SYN flooding on a target
host using Metasploit.
27. Close all open windows and document all the acquired information.
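What the defender sees in the capture above is the half-open pattern: a burst of SYNs toward one listener, and a source that never completes a handshake because the spoofed address never receives the SYN-ACK. The following detector is an added example (not the lab's own material and not Metasploit code) that turns those two observations into checks over a list of constructed packet records. The record layout, the 10.0.0.x addresses, and the thresholds are assumptions chosen for illustration.

```python
"""SYN-flood (half-open connection) detector over packet records.

Added example; the record layout, addresses and thresholds are
assumptions, not values from the lab. Each record is
(timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags), where
tcp_flags is "S" (SYN), "SA" (SYN-ACK) or "A" (ACK).
"""
from collections import defaultdict

# Illustrative thresholds (assumed; tune to the network being monitored).
WINDOW_SECONDS = 1.0               # sliding window for the SYN-rate check
SYN_THRESHOLD = 50                 # SYNs per window, or per source, worth a look
HANDSHAKE_RATIO_THRESHOLD = 0.1    # ACKs / SYNs below this marks a source suspect


def peak_rate(times, window):
    """Largest number of events falling inside any interval of length `window`."""
    times = sorted(times)
    peak, lo = 0, 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > window:
            lo += 1
        peak = max(peak, hi - lo + 1)
    return peak


def analyze(records, window=WINDOW_SECONDS, syn_threshold=SYN_THRESHOLD,
            ratio_threshold=HANDSHAKE_RATIO_THRESHOLD):
    """Return {'flooded_services': {(dst, port): peak_syns},
               'suspect_sources': {src: {'syns': n, 'acks': m}}}."""
    syn_times = defaultdict(list)   # (dst_ip, dst_port) -> SYN timestamps
    syns_by_src = defaultdict(int)  # SYNs sent by each source
    acks_by_src = defaultdict(int)  # pure ACKs sent by each source (a completed
                                    # handshake produces at least one)
    for t, src, dst, dport, flags in records:
        if flags == "S":
            syn_times[(dst, dport)].append(t)
            syns_by_src[src] += 1
        elif flags == "A":
            acks_by_src[src] += 1

    # Service-side view: a burst of SYNs toward one listener.
    flooded = {}
    for service, times in syn_times.items():
        peak = peak_rate(times, window)
        if peak >= syn_threshold:
            flooded[service] = peak

    # Source-side view: many SYNs, almost no completed handshakes. A spoofed
    # source never sees the SYN-ACK, so it never answers with the final ACK.
    suspects = {}
    for src, n_syn in syns_by_src.items():
        if n_syn >= syn_threshold and acks_by_src[src] / n_syn < ratio_threshold:
            suspects[src] = {"syns": n_syn, "acks": acks_by_src[src]}
    return {"flooded_services": flooded, "suspect_sources": suspects}


def sample_records():
    """Constructed capture: one client completing a handshake to 10.0.0.10:21,
    then 200 SYNs in half a second from a source that never completes one."""
    recs = [(0.00, "10.0.0.5", "10.0.0.10", 21, "S"),
            (0.01, "10.0.0.10", "10.0.0.5", 40001, "SA"),
            (0.02, "10.0.0.5", "10.0.0.10", 21, "A")]
    for i in range(200):
        t = 0.1 + i * 0.0025
        recs.append((t, "10.0.0.19", "10.0.0.10", 21, "S"))
        recs.append((t + 0.001, "10.0.0.10", "10.0.0.19", 50000 + i, "SA"))
    return recs


if __name__ == "__main__":
    print(analyze(sample_records()))
```

Both views matter: the service-side count tells you which listener is under pressure, while the source-side ratio is what separates a busy legitimate client from a flood, since a real client that sends fifty SYNs also sends fifty ACKs.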
Task 2: Perform a DoS Attack on a Target Host using hping3
hping3 is a command-line-oriented network scanning and packet crafting tool for the
TCP/IP protocol suite that sends ICMP echo requests and supports TCP, UDP, ICMP, and
raw-IP protocols.
It performs network security auditing, firewall testing, manual path MTU discovery,
advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP
stacks auditing, and other functions.
Here, we will use the hping3 tool to perform DoS attacks such as SYN flooding, Ping
of Death (PoD) attacks, and UDP application layer flood attacks on a target host.
Note: -S: sets the SYN flag; -a: spoofs the IP address; -p: specifies the
destination port; and --flood: sends a huge number of packets.
10. This command initiates the SYN flooding attack on the Windows 10 machine.
After a few seconds, press Ctrl+C to stop the SYN flooding of the target
machine.
Note: If you send the SYN packets for a long period, the target
system may crash.
11. Observe how, in very little time, a huge number of packets is sent to the
target machine.
12. hping3 floods the victim machine by sending bulk SYN
packets and overloading the victim’s resources.
13. Click CEHv11 Windows 10 to switch to the Windows 10 machine and click
the Info column header to sort the packets. You can observe the TCP-
SYN packets captured by Wireshark, as shown in the screenshot.
Note: -d: specifies data size; -S: sets the SYN flag; -p: specifies the
destination port; and --flood: sends a huge number of packets.
22. This command initiates the PoD attack on the Windows 10 machine.
Note: In a PoD attack, the attacker tries to crash, freeze, or destabilize
the targeted system or service by sending malformed or oversized
packets using a simple ping command.
Note: For example, the attacker sends a packet that has a size of 65,538
bytes to the target web server. This packet size exceeds the limit
prescribed by RFC 791 (IP), which is 65,535 bytes. The receiving
system’s reassembly process might cause the system to crash.
23. hping3 floods the victim machine by sending bulk packets, thereby
overloading the victim’s resources.
24. Click CEHv11 Windows 10 to switch to the Windows 10 machine.
25. Observe the Processes tab in the Task Manager window.
26. Click the Performance tab to view the performance of various system
components (CPU, Memory, Disk, Ethernet).
27. Wait for 5 minutes; under the Performance tab, the CPU performance is
displayed in the right-hand pane. You can observe that the CPU utilization has
increased enormously, indicating a DoS attack on the system.
28. Observe the degradation in the performance of the system, which might result
in the system crashing.
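The RFC 791 limit quoted in the PoD note above is exactly what a fragment reassembly routine has to enforce before it buffers anything: the crash happens when a stack computes where a fragment would land only after copying it. The following added example (not the lab's code and not any real IP stack) models that check over constructed fragment records, using the 65,538-byte case from the note as the oversized input. The dictionary layout and the 20-byte header length (no IP options) are assumptions.

```python
"""Oversized-datagram (Ping of Death) guard for IPv4 fragment reassembly.

Added example, not the lab's code or any real IP stack. A fragment is a
dict with 'id' (identification field), 'offset' (fragment offset field,
in 8-byte units), 'mf' (More Fragments flag) and 'len' (payload bytes).
The 20-byte header length is an assumption (no IP options).
"""
MAX_IP_DATAGRAM = 65535   # maximum IPv4 total length, RFC 791
IP_HEADER_LEN = 20        # assumed minimal header


class OversizedDatagram(ValueError):
    """Raised when a fragment would push the datagram past the RFC 791 limit."""


def fragment_end(frag):
    """Byte offset one past this fragment's last payload byte."""
    return frag["offset"] * 8 + frag["len"]


def check_fragment(frag, header_len=IP_HEADER_LEN):
    """Validate a single fragment before it is buffered; return its end offset."""
    end = fragment_end(frag)
    if header_len + end > MAX_IP_DATAGRAM:
        raise OversizedDatagram(
            f"datagram {frag['id']} would reassemble to {header_len + end} bytes")
    return end


def reassemble(fragments):
    """Track the reassembled payload length per datagram id.

    Returns (lengths, dropped): lengths maps id -> payload bytes for datagrams
    whose fragments all passed the check; dropped is the set of ids rejected,
    with any fragments already buffered for them discarded."""
    lengths, dropped = {}, set()
    for frag in fragments:
        did = frag["id"]
        if did in dropped:
            continue            # remainder of a rejected datagram: ignore it
        try:
            end = check_fragment(frag)
        except OversizedDatagram:
            dropped.add(did)
            lengths.pop(did, None)
            continue
        lengths[did] = max(lengths.get(did, 0), end)
    return lengths, dropped


def sample_fragments():
    """Constructed input: a normal 1500-byte payload (id 1) split in two, and
    an oversized ping (id 2) whose 45 fragments would total 65,538 bytes
    including the header, matching the example in the note."""
    frags = [{"id": 1, "offset": 0, "mf": 1, "len": 1480},
             {"id": 1, "offset": 185, "mf": 0, "len": 20}]
    for i in range(44):
        frags.append({"id": 2, "offset": i * 185, "mf": 1, "len": 1480})
    frags.append({"id": 2, "offset": 44 * 185, "mf": 0, "len": 398})
    return frags


if __name__ == "__main__":
    print(reassemble(sample_fragments()))
```

The point of checking on arrival rather than at completion is that the oversized fragment is the last one to arrive in the normal case, but the check is still correct if it arrives first: the datagram id is marked dropped and every later fragment for it is ignored without being stored.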
Note: Some of the UDP-based application layer protocols that attackers
can employ to flood target networks include:
Here, we will use the HOIC tool to perform a DDoS attack on the target machine.
Note: In this task, we will use the Windows 10, Windows Server
2019 and Windows Server 2016 machines to launch a DDoS attack on the Parrot
Security machine.
Note: To perform the DDoS attack, run this tool from several machines
at once. If you run the tool directly from the shared drive on the machines
one at a time, errors might occur. To avoid errors, copy the High
Orbit Ion Cannon (HOIC) folder individually to each machine’s Desktop,
and then run the tool.
6. Similarly, follow the previous step (Step # 5) on the Windows Server
2019 (click CEHv11 Windows Server 2019 to switch to the Windows Server
2019) and Windows Server 2016 (click CEHv11 Windows Server 2016 to
switch to the Windows Server 2016) machines.
18. On completion of the task, click FIRE TEH LAZER! again, and then close the
HOIC window on all the attacker machines. Also, close
the Wireshark window on the Parrot Security machine.
Here, we will use the LOIC tool to perform a DDoS attack on the target system.
Note: In this task, we will use the Windows 10, Windows Server 2019,
and Windows Server 2016 machines to launch a DDoS attack on the Parrot
Security machine.
As a professional ethical hacker or pen tester, you must use various DoS and DDoS
attack detection techniques to prevent the systems in the network from being
damaged.
This lab provides hands-on experience in detecting DoS and DDoS attacks using
various detection techniques.
Lab Objectives
● Detect and protect against DDoS attacks using Anti DDoS Guardian
● Activity Profiling: Profiles based on the average packet rate for a network
flow, which consists of consecutive packets with similar packet header
information
● Sequential Change-point Detection: Filters network traffic by IP addresses,
targeted port numbers, and communication protocols used, and stores the traffic
flow data in a graph that shows the traffic flow rate over time
● Wavelet-based Signal Analysis: Analyzes network traffic in terms of spectral
components
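Two of the detection techniques listed above, activity profiling and sequential change-point detection, carried out over constructed one-second flow records, as an added example that is neither the lab's own material nor Anti DDoS Guardian's logic. The profiler computes each flow's average packet rate and flags flows far above the median, which is the same kind of per-remote-address volume judgement the Block IP step later in this lab asks you to make by eye; the CUSUM test watches the total rate and reports the second at which it shifts upward. The record layout, the 10.0.0.x addresses, and the thresholds are assumptions.

```python
"""Activity profiling and sequential change-point (CUSUM) detection.

Added example, not the lab's material or Anti DDoS Guardian's logic.
A flow record is (second, src, dst, proto, dport, packets): `packets`
packets of that flow were observed during the one-second bucket `second`.
Addresses, rates and thresholds are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def profile_flows(records, factor=10.0):
    """Average packets/second for each flow; flag flows above factor * median."""
    pkts = defaultdict(int)
    active = defaultdict(set)   # seconds in which the flow was seen
    for sec, src, dst, proto, dport, n in records:
        key = (src, dst, proto, dport)
        pkts[key] += n
        active[key].add(sec)
    rates = {k: pkts[k] / len(active[k]) for k in pkts}
    baseline = median(rates.values())
    flagged = {k: r for k, r in rates.items() if r > factor * baseline}
    return rates, flagged


def rate_series(records):
    """Total packets per second as a list indexed by second (gaps are 0)."""
    per_sec = defaultdict(int)
    for sec, *_flow, n in records:
        per_sec[sec] += n
    return [per_sec.get(s, 0) for s in range(max(per_sec) + 1)]


def cusum_change_point(series, train=10, k_sigma=0.5, h_sigma=5.0):
    """One-sided CUSUM for an upward shift in rate.

    Mean and standard deviation come from the first `train` samples; the
    statistic S_t = max(0, S_{t-1} + x_t - mu - k) is compared with the
    threshold h. Returns the first index where S_t exceeds h, else None."""
    mu = mean(series[:train])
    sigma = pstdev(series[:train]) or 1.0   # avoid zero slack on flat data
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu - k))
        if s > h:
            return i
    return None


def sample_records():
    """Constructed 60 s of traffic: three clients at about 20 packets/s each to
    10.0.0.10:80, plus one source sending 900 packets/s to port 21 from second 30."""
    recs = []
    for sec in range(60):
        for client in ("10.0.0.5", "10.0.0.6", "10.0.0.7"):
            recs.append((sec, client, "10.0.0.10", "tcp", 80, 20 + sec % 3))
        if sec >= 30:
            recs.append((sec, "10.0.0.19", "10.0.0.10", "tcp", 21, 900))
    return recs


if __name__ == "__main__":
    rates, flagged = profile_flows(sample_records())
    print("flagged flows:", flagged)
    print("change point at second:",
          cusum_change_point(rate_series(sample_records())))
```

The slack term k keeps ordinary jitter (the 60/63/66 wobble in the constructed baseline) from accumulating into an alarm, while the threshold h sets how large a sustained shift must be before the detector fires; on the sample data the statistic stays near zero for thirty seconds and then crosses h on the very first flooded second.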
Here, we will detect and protect against a DDoS attack using Anti DDoS Guardian.
Note: In this task, we will use the Windows Server 2019 and Windows Server
2016 machines to perform a DDoS attack on the target system, Windows 10.
6. The Completing the Anti DDoS Guardian Setup Wizard window appears;
uncheck the Launch Mini IP Blocker option and click Finish.
7. The Anti-DDoS Wizard window appears; click Continue in all the wizard
steps, leaving all the default settings. In the last window, click Finish.
8. Click Show hidden icons from the bottom-right corner of Desktop and click
the Anti DDoS Guardian icon.
9. The Anti DDoS Guardian window appears, displaying information about
incoming and outgoing traffic, as shown in the screenshot.
10. Now, click CEHv11 Windows Server 2019 to switch to the Windows Server
2019 machine and press Ctrl+Alt+Del to activate the machine. By
default, the Administrator profile is selected; type Pa$$w0rd as the
password and press Enter to log in.
11. Navigate to Desktop, open the High Orbit Ion Cannon (HOIC) folder, and
double-click hoic2.1.exe.
Note: If an Open File - Security Warning pop-up appears, click Run.
12. The HOIC GUI main window appears. Click the “+” button below
the TARGETS section.
13. The HOIC - [Target] pop-up appears. Type the target URL such
as http://[Target IP Address] (here, the target IP address is 10.10.1.10
[Windows 10]) in the URL field. Slide the Power bar to High. Under
the Booster section, select GenericBoost.hoic from the drop-down list and
click Add.
14. Set the THREADS value to 20 by clicking the > button until the value is
reached.
15. Now, click CEHv11 Windows Server 2016 to switch to Windows Server
2016 and press Ctrl+Alt+Del to activate the machine. By default, the CEH\
Administrator profile is selected; type Pa$$w0rd as the password and
press Enter to log in. Follow Steps 12 - 15 to launch and configure HOIC.
16. Once HOIC is configured on both machines, switch to each machine
(Windows Server 2019 and Windows Server 2016) and click the FIRE TEH
LAZER! button to initiate the DDoS attack on the target Windows
10 machine.
Note: Here, we have selected 10.10.1.19. You can select either of them.
21. The Anti DDoS Guardian Traffic Detail Viewer window appears, displaying
the content of the selected session in the form of raw data. You can observe the
high number of incoming bytes from Remote IP address 10.10.1.19, as shown
in the screenshot.
22. You can use various options from the left-hand pane such as Clear, Stop
Listing, Block IP, and Allow IP. The Block IP option blocks the IP
address that is sending the huge number of packets.
23. In the Traffic Detail Viewer window, click the Block IP option in the left pane.
24. Observe that the blocked IP session turns red in the Action Taken column.
25. Similarly, you can use Block IP on the 10.10.1.16 session.
26. On completion of the task, click FIRE TEH LAZER! again, and then close the
HOIC window on all attacker machines (Windows Server 2019 and Windows
Server 2016).
27. This concludes the demonstration of how to detect and protect against a DDoS
attack using Anti DDoS Guardian.
28. Close all open windows and document all the acquired information.
29. You can also use other DoS and DDoS protection tools such as Imperva
Incapsula DDoS Protection (https://www.incapsula.com), DOSarrest’s
DDoS protection service (https://www.dosarrest.com), DDoS-GUARD
(https://ddos-guard.net), and Cloudflare (https://www.cloudflare.com) to
protect an organization’s systems and networks from DoS and DDoS attacks.
30. Navigate to Control Panel | Programs | Programs and Features and
uninstall Anti DDoS Guardian.