Denial of Service Attack

December 7, 2016 by Kondah Hamza

In this post, we examine the DoS (Denial of Service) attack: how it works, what the impact of such an attack is, and some tools used to perform this kind of attack over different vectors.

The DoS attack is one of the most destructive attacks on the web. It attempts to exhaust the resources of the victim and take down the victim's server(s). But first, what is a DoS attack?


A DoS (Denial of Service) attack, commonly presented as a stress test, consists of flooding a target with a large quantity of requests, which slows the traffic or prevents the victim from responding to legitimate requests.

You can visualize the daily DDoS attacks worldwide in real time to see the severity of this kind of attack on http://www.digitalattackmap.com/

Figure 1 Digital Map of DDos Attacks

It is important to understand the difference between DoS and DDoS. A single attacker performs the DoS. Here's an example of a simple DoS Attack:

Figure 2 Simple DoS Attack

The DDoS attack, for Distributed Denial of Service, is a DoS attack performed by a group of machines controlled by the hacker. The hacker's machine is called the master computer, the controlled machines are called zombies, and the group of them is a botnet.

Here's an example of a simple DDoS Attack:

Figure 3 DDoS Attack

The DoS attack can be performed over different vectors (this list is not exhaustive):

  • Application Layer Attack: These attacks target layer 7 (the application layer), and they can be carried out as either DoS or DDoS.

The concept behind the attack is to send a high number of requests so that the flood of traffic exhausts the service. There are multiple examples of this kind of DoS: HTTP flooding and DNSQF (DNS Query Flood).

Figure 4 Example of HTTP Flooding attack
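An HTTP flood is visible in the web server's own access log as an abnormal request rate from one client. The following detector, added here as an illustration and not taken from the article or from any tool it lists, parses Common Log Format lines and counts requests per client IP inside a sliding time window; the log lines are constructed, and the window length and threshold are assumptions chosen for the demo.

```python
"""Sliding-window request-rate detection for HTTP flood traffic.

Added illustration for this article, not code from the article or from any
tool it lists. The access log lines are constructed (Common Log Format) and
the window/threshold values are assumptions chosen for the demo.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: client - - [timestamp] "request line" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return a dict for a well-formed access log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


class FloodDetector:
    """Counts requests per client IP inside a sliding time window."""

    def __init__(self, window_seconds=10, max_requests=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_requests = max_requests
        self.recent = defaultdict(deque)   # ip -> timestamps still inside the window
        self.flagged = {}                  # ip -> time the threshold was first exceeded

    def observe(self, entry):
        """Record one request; return the client's request count within the window."""
        q = self.recent[entry["ip"]]
        q.append(entry["ts"])
        while q and entry["ts"] - q[0] > self.window:   # evict timestamps that left the window
            q.popleft()
        if len(q) > self.max_requests and entry["ip"] not in self.flagged:
            self.flagged[entry["ip"]] = entry["ts"]
        return len(q)


def analyse(lines, window_seconds=10, max_requests=20):
    """Run the detector over log lines (in time order per client) and return flagged IPs."""
    det = FloodDetector(window_seconds, max_requests)
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            det.observe(entry)
    return det.flagged


# --- constructed sample log: one flooding client and one ordinary client ---
BASE = datetime(2016, 12, 7, 10, 0, 0, tzinfo=timezone.utc)


def _stamp(ts):
    return ts.strftime("%d/%b/%Y:%H:%M:%S +0000")


def build_sample_log():
    lines = []
    for i in range(30):   # 203.0.113.7 sends 30 requests in 3 seconds
        lines.append(f'203.0.113.7 - - [{_stamp(BASE + timedelta(milliseconds=100 * i))}] "GET / HTTP/1.1" 200 512')
    for i in range(5):    # 198.51.100.2 sends 5 requests, 3 seconds apart
        lines.append(f'198.51.100.2 - - [{_stamp(BASE + timedelta(seconds=3 * i))}] "GET /index.html HTTP/1.1" 200 1024')
    lines.append("not a log line")   # malformed input is skipped, not fatal
    return lines


if __name__ == "__main__":
    for ip, when in analyse(build_sample_log()).items():
        print(f"possible HTTP flood from {ip}, threshold exceeded at {when.isoformat()}")
```

With the sample log, the flooding client is flagged on its 21st request (the third second of the burst) while the ordinary client never is. A per-IP rate is only a first signal: a distributed flood spreads the same volume over many addresses, so in practice the same window logic is also applied to the total request rate per URL or per virtual host.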

  • Network Layer Attack: These attacks operate at layers 3 and 4 (network and transport). The common case is a DDoS using techniques such as SYN flood or DNS amplification, among others, which can cause several kinds of damage.

Figure 5 Network Layer Attack
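A SYN flood leaves a characteristic trace at layer 4: many client SYNs to one server socket that are never followed by the client's ACK, so the handshake stays half-open. The following tracker, added here as an illustration and not taken from the article or from any tool it lists, parses tcpdump-style one-line packet summaries (a constructed capture) and alerts when the number of half-open attempts against a server socket exceeds a limit that is an assumption for the demo.

```python
"""Half-open connection tracking to spot a TCP SYN flood in packet captures.

Added illustration for this article, not code from the article or from any
tool it lists. The packet summaries below are constructed in a tcpdump-like
one-line format, and the half-open limit is an assumption for the demo.
"""
import re

# e.g. "0.550 IP 203.0.113.51.40050 > 198.51.100.10.80: Flags [S]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[A-Z.]*)\]"
)


def parse_packet(line):
    """Parse one summary line; tcpdump prints the ACK flag as '.', normalised here to 'A'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": float(m.group("ts")),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "flags": set(m.group("flags").replace(".", "A")),
    }


class SynFloodDetector:
    """Keeps, per server socket, the client SYNs not yet followed by the client's ACK."""

    def __init__(self, max_half_open=50, stale_seconds=30.0):
        self.max_half_open = max_half_open
        self.stale = stale_seconds
        self.pending = {}   # (server_ip, port) -> {(client_ip, port): syn_time}
        self.alerts = {}    # (server_ip, port) -> (time, half_open_count) at first alert

    def observe(self, pkt):
        server = (pkt["dst"], pkt["dport"])
        client = (pkt["src"], pkt["sport"])
        flags = pkt["flags"]
        if flags == {"S"}:
            # Client SYN: a new half-open attempt, keyed under the server socket.
            self.pending.setdefault(server, {})[client] = pkt["ts"]
        elif "S" not in flags and server in self.pending:
            # Any later client segment (ACK completing the handshake, RST or FIN
            # abandoning it) closes the half-open entry. Server-to-client packets
            # never match here because their destination is not a tracked server.
            self.pending[server].pop(client, None)
        # SYN-ACKs from the server change nothing: the attempt stays pending
        # until the client's ACK arrives, which a spoofed source never sends.
        return self._audit(pkt["ts"])

    def _audit(self, now):
        """Expire stale attempts, then alert once per server socket over the limit."""
        worst = 0
        for server, table in self.pending.items():
            for client, t in list(table.items()):
                if now - t > self.stale:
                    del table[client]
            if len(table) > self.max_half_open and server not in self.alerts:
                self.alerts[server] = (now, len(table))
            worst = max(worst, len(table))
        return worst


def run(lines, **limits):
    """Feed summary lines in capture order to a detector and return it."""
    det = SynFloodDetector(**limits)
    for line in lines:
        pkt = parse_packet(line)
        if pkt is not None:
            det.observe(pkt)
    return det


def build_sample_capture():
    """Constructed traffic: 3 completed handshakes, then 80 SYNs that never complete."""
    lines, t = [], 0.0
    for i in range(3):
        sport = 50000 + i
        lines.append(f"{t:.3f} IP 192.0.2.5.{sport} > 198.51.100.10.80: Flags [S]")
        lines.append(f"{t + 0.01:.3f} IP 198.51.100.10.80 > 192.0.2.5.{sport}: Flags [S.]")
        lines.append(f"{t + 0.02:.3f} IP 192.0.2.5.{sport} > 198.51.100.10.80: Flags [.]")
        t += 0.1
    for i in range(80):
        src, sport = f"203.0.113.{i % 250 + 1}", 40000 + i
        lines.append(f"{t:.3f} IP {src}.{sport} > 198.51.100.10.80: Flags [S]")
        lines.append(f"{t + 0.001:.3f} IP 198.51.100.10.80 > {src}.{sport}: Flags [S.]")
        t += 0.005
    return lines


if __name__ == "__main__":
    det = run(build_sample_capture())
    for server, (when, count) in det.alerts.items():
        print(f"possible SYN flood against {server[0]}:{server[1]}: {count} half-open at t={when:.3f}s")
```

The three legitimate handshakes leave nothing pending, while the 51st unanswered SYN trips the alert. The half-open count is the same quantity a host exposes in its own TCP statistics (connections in SYN_RECV), which is why SYN cookies, which stop allocating state for half-open attempts, are the usual mitigation on the server side.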

The question now is which tools can be used to perform this kind of attack.

If you want to check whether a website is down, you can use the following website: http://www.upordown.org/home/

Figure 6 Up or Down Website Portal

Scapy

Scapy is a powerful packet manipulation tool for networks, written in Python. It can forge, decode, send and capture packets, and it can also be used for scanning, tracerouting and attacking networks.

It's one of the most popular and powerful DoS tools.

You can also check this article about Scapy present on InfoSec Institute: /search/?s=scapy

Download Scapy: https://github.com/secdev/scapy

Figure 7 Scapy


Low Orbit Ion Cannon

Low Orbit Ion Cannon (LOIC) is an open source network stress testing and denial-of-service attack application. LOIC performs a DoS attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server.

You can also check this article present on InfoSec Institute for more information about this awesome tool: /loic-dos-attacking-tool/

Download LOIC: https://sourceforge.net/projects/loic/

Figure 8 Low Orbit Ion Cannon

Hping3

Hping3 is a free packet generator and analyzer for the TCP/IP protocol suite. It is useful to security experts and can perform multiple tasks such as idle scans, testing firewall rules, testing IDSes and also DoS attacks.

Figure 9 Hping3

DDOSIM

DDOSIM is a popular DoS attack tool. As the name suggests, it is used to perform DDoS attacks by simulating several zombie hosts. All zombie hosts create full TCP connections to the target server.

These are the main features of DDOSIM:

  • Simulates several zombies in attack
  • Random IP addresses
  • TCP-connection-based attacks
  • Application-layer DDOS attacks
  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • SMTP DDoS

Download DDOSIM: http://sourceforge.net/projects/ddosim/

Slowloris

Slowloris is a low-bandwidth HTTP DoS tool. It holds connections open by sending partial HTTP requests and tries to keep the sockets from closing for as long as possible.

Figure 10 Slowloris

Download Slowloris: https://github.com/llaera/slowloris.pl
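Because Slowloris keeps each socket alive by sending another partial header just before the server's idle timeout expires, an idle timeout alone does not stop it. The two controls that do are a deadline for completing the request headers, measured from the moment the connection was opened, and a cap on simultaneous connections per client (Apache's mod_reqtimeout implements the first). The following model, added here as an illustration and not taken from the article or from the Slowloris script it links, applies both rules to a constructed event stream; the deadline and cap values are assumptions chosen for the demo.

```python
"""Server-side controls against slow partial-header requests of the Slowloris kind:
a deadline for completing the request headers (measured from connection open,
not from the last byte received) and a per-client cap on simultaneous connections.

Added illustration for this article, not code from the article or from the
Slowloris script it links. The event stream is constructed, and the limits are
assumptions chosen for the demo.
"""
from collections import defaultdict


class SlowHeaderGuard:
    """Tracks connections that have not yet delivered a complete header block."""

    def __init__(self, header_deadline=10.0, max_conns_per_client=5):
        self.header_deadline = header_deadline
        self.max_conns = max_conns_per_client
        self.conns = {}                      # conn_id -> state of an accepted connection
        self.per_client = defaultdict(int)   # client address -> open connection count
        self.dropped = {}                    # conn_id -> reason it was refused or closed

    def on_open(self, conn_id, client, now):
        """Accept a new connection unless the client already holds too many."""
        if self.per_client[client] >= self.max_conns:
            self.dropped[conn_id] = "per-client connection limit"
            return False
        self.per_client[client] += 1
        self.conns[conn_id] = {"client": client, "opened": now, "buf": b"", "complete": False}
        return True

    def on_data(self, conn_id, data):
        """Append received bytes; the header block is complete at the first blank line."""
        state = self.conns.get(conn_id)
        if state is None:
            return False   # data for a refused or already-closed connection
        state["buf"] += data
        if b"\r\n\r\n" in state["buf"]:
            state["complete"] = True   # hand off to the application from here
        return True

    def tick(self, now):
        """Close every connection still without complete headers past the deadline.

        Because the clock starts at open, a client that trickles one header line
        just inside every idle timeout still gets cut off. Returns the ids closed."""
        closed = []
        for conn_id, state in list(self.conns.items()):
            if not state["complete"] and now - state["opened"] > self.header_deadline:
                self._close(conn_id, "header deadline exceeded")
                closed.append(conn_id)
        return closed

    def _close(self, conn_id, reason):
        state = self.conns.pop(conn_id)
        self.per_client[state["client"]] -= 1
        self.dropped[conn_id] = reason


def replay(events, **limits):
    """Feed time-ordered (time, kind, conn_id, client, payload) events to a guard."""
    guard = SlowHeaderGuard(**limits)
    for t, kind, conn_id, client, payload in events:
        guard.tick(t)   # the periodic sweep a server would run on a timer
        if kind == "open":
            guard.on_open(conn_id, client, t)
        elif kind == "data":
            guard.on_data(conn_id, payload)
    return guard


def build_sample_events():
    """Constructed traffic: one normal request, then a client that opens eight
    connections and sends a single header line every nine seconds on each."""
    ev = [
        (0.0, "open", "c-good", "192.0.2.5", None),
        (0.1, "data", "c-good", "192.0.2.5", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ]
    for i in range(8):
        ev.append((1.0 + 0.01 * i, "open", f"c-slow-{i}", "203.0.113.7", None))
    for i in range(8):
        ev.append((1.5, "data", f"c-slow-{i}", "203.0.113.7", b"GET / HTTP/1.1\r\n"))
    for rnd in range(3):
        for i in range(8):
            ev.append((10.0 + 9.0 * rnd, "data", f"c-slow-{i}", "203.0.113.7", f"X-a: {rnd}\r\n".encode()))
    return ev


if __name__ == "__main__":
    g = replay(build_sample_events())
    for conn_id, reason in g.dropped.items():
        print(f"{conn_id}: {reason}")
    print("still open:", sorted(g.conns))
```

In the replay, the slow client's sixth, seventh and eighth connections are refused outright by the per-client cap, and the five it was allowed are closed at the first sweep after the ten-second header deadline even though each of them received new bytes only nine seconds earlier. Raising the deadline to 100 seconds leaves all five open, which is exactly the state an unprotected server sits in while its worker pool is exhausted.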

Conclusion

There are many cases that prove how powerful DDoS attacks are:

  • Attack against NASDAQ

A DDoS attack caused the shutdown of the NASDAQ trading market for more than four hours, which resulted in a $9 million fine for NASDAQ.

  • Attack against Turkey

Turkey was the victim of a large DDoS attack by Anonymous targeting more than 400 000 websites across all sectors, especially banks and public institutions, which caused millions of dollars in losses.

  • Russia VS Estonia

Estonia is the most connected country in the world, and it was hit by a massive DDoS attack that paralyzed the country for two days. No service was accessible. The attack was conducted from Russia, and it is a strong demonstration of the power of this kind of attack.

The DoS attack is one of the most destructive attacks on the net, and it is very difficult to detect. In the next articles, we will examine how to prevent it.

Kondah Hamza

Kondah Hamza is an expert in IT security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them strengthen their security. Today, he offers his services mainly as a Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.