DDoS and DoS Attacks and Tools - Part 2
In this we will go through the rest of the DoS attack types from the previous blog post. In the latter part we will get to know few infamous DoS attack tools. Please note that how you use these is at you own risk and make sure you always adhere to laws from your governing body.
Attacks Targeting Server Resources
In this type attacks the attacker will try to use as mush as server resources so that the server can't handle legitimate requests any more. This type of attacks will target servers memory, buffers and other resources. Attacker will exploit a weakness in communication protocol. There are attacks in this category which can result server to crash or otherwise require a manual reboot to come alive again. Server can be normal server or a state-full device like firewall or intrusion-detection system.
This is a connection-oriented protocol. One of main consents behind this protocol is that the three way handshake. which uses flag bits in following order to establish a connection SYN, SYN-ACK, ACK. An attacker can misuse all six flag bits (SYN,ACK,RST,PSH,FIN,URG) in order to cause damage. As we understood before by misusing this flag bits and mixing up the order of the handshake attacker will be able create abnormal traffic. The server will be overwhelmed understanding this abnormal traffic which will lead to a DoS situation.
TCP SYN Attack
This is fairly simple attack. If you understand how the TCP handshake works this is pretty straight forward. In three way handshake we(client) send SYN to server with our IP. Then server respond back with SYN-ACK which acknowledge the connection request. After that to establish connection the final step is we(client) send ACK back to server. This is the legitimate connection establishment procedure. But in TCP SYN attack instead using a legitimate IP attacker will use a spoofed IP address. Then When server respond to that spoofed IP with SYN-ACk which will fail and ACK will not sent to the server ever. The server will try several times sending SYN-ACK to spoofed IP address. While this time server will maintain its open threads and buffers for that connection. What will happen if an attacker is able create thousands of such uncompleted connections with in short period of time, of course Danial of Service will occur.
TCP PSH+ACK Attack(Flood)
In this attacker will uses another flag bit, which is PUSH bit. When the PUSH bit is set to 1, the TCP data will be immediately sent to the TCP receiver. This action will force server to empty it's TCP stack and send back an ACK when the action is completed. Attacker will use a botnet(another facility attackers use,more on this in later post) to achieve catastrophic PPS(packets per second) scale flood. Then the sever will not be able handle such amount of request because of the TCP buffer size limitations and even to ACK them.
I like to present you the next attack type which will target application resources in next post. For the time being will move into DoS attack tools next. Because it's less fun without actually executing or rather testing out these attack types that we already know.Before jumping into tools I want discuss one more interesting type of attack.
This attack will also use TCP protocol. But instead using a weakness directly in this attack. An attacker will use the use clever tweak on TCP packet. To execute this type not much client side power is used. Therefore one can categorize this attack as a "low and slow" attack.
The attacker will send SYN packet to server and the server will respond with SYN-ACK as usual. The twist comes in the next step then in the ACK packet the attacker will set the "window size" to zero.(If you are familier with the TCP packet structure it would be helpful to understand this)
What will happen when the window size is set to zero, it will tell the server the connection is established as well as server to wait with open connection. The server prepare data to send next and put it on it's buffers(Mostly on RAM) to send in future, but this future will not come!
To be successfully execute this attack the attacker will need lot of spoofed IP address to create lot of connections. How mush connections will depend on the server's capabilities. You might wonder why so special this sockstress??
This is why, when server puts that prepared data to it's RAM! sooner or later RAM will full and even when some illegitimate connections are closed the server will not clear the RAM. Therefore this attack will froze the server because we all know that will happen when we we use 100% RAM for long time. To recover this type of attack the server will need to manually restarted(mostly by pulling the plug!! and re-plugging).
DoS or DDoS tools does not have long history as DDoS attacks. But the first DoS tools are developed in early 1998 and evolved fast as DoS attacking methods. Two notable tools are Trinoo and Stacheldrat. These two tools were somewhat complex and ran on linux systems. As I mentioned earlier these tools evolved and later tools were ran on multiple platforms. One important fact is to notice that these tools were originally developed as DoS tools they were network stress tools but some clever parities were able to re-engineer them into DoS tools.
We will look into following tools, again I repeat how use these tools are at your own risk.please adhere to the laws of your authorities. As writer I will only introduce them in pure educational and research purpose only. I will only discuss the background of them. If you are looking to learning use then this post will not help you.
These tools are available on the WWW but it's up to use decide which versions to use and you might already know them because they are so infamous.
- Low Orbit Iron Cannon (LOIC)
- High Orbit Iron Cannon (HOIC)
- R U Dead Yet (R.U.D.Y)
This was the first tool used by "Anonymous" group of hackers. This tool was originally developed as a network stress testing tool by Praetox Technologies. Anonymous picked the source code and made few changers and then they were able to point a copy of at an IRC server and access it over the IRC channel. By doing this they were able to perform more coordinated attacks. But LOIC was not able to obscure it's users IP addresses which send the open invitation to law enforcement. But later like in 2011 Anonymous dropped this moved into differnt tools.
After stepping away from LOIC this was the next stop to Anonymous. By using Anonymous were able to execute attacks which were harder to block. This tool comes with a GUI and most of it's anonymity is not great. But on the other hand use of booster scripts allows user to specify lists of target URLs and iidentifying information to cycle through HOIC as it generates it's traffic.
Unlike tools we already know #RefRef uses a vulnerability based attack tool. This tool is used as a injection tool to inject special SQL expressions to backend servers. Unlike LOIC and HOIC #RefRef doesn't need large number of machines to take down a server but the backend server needs to use SQL. This tool is also used by Anonymous group.I can give you one example how mush damage this tool cause. As records states less than 20 second attack on a site made the site go off-line for more than 30 minutes.
I this tool specially because it was the tool that was used to take down Wikileaks down. It is written C and source code is out there if you are interested in doing some tests with it. This tool was created by the hacker Th3j35t3r (theJester). This is fairly simple tool but it will do the damage. When I tested this worked fine. This tool is a good starting point to start study how DoS tools work since the source code is available. The cover photo is something related to this tool.
I leave the last two tools to you to find out and try out. I hope this post was something useful to you if you new to DoS world. I think it is important to know about these in-order to detect these attack as soon as possible. In my opinion I think that we can't make a system or rather a server 100% DoS proof because when the technologies evolve these attack types will evolve as well. The best example the newest trend in DoS attacks is to use IoT devices as botnets to execute attacks that are in 100GB/s - 1000GB/s scale.