DDoS and DoS Attacks and Tools - Part 1

Note: Following Content is only for educational and White Hat security purposes.

History of DOS Attackers

Back in 1974, a teenager named David Dennis created the first ever DoS attack. This student was a student at University High School, located across the street from thr University of Illinois at Urbana. He came to know about a command that could be run on PLATO terminals which was used at the Computer Based Learning Center (CERL) of University of Illinois. He was curious and wondered what will happen if a room full of people executed a command of PLATO terminal. When he wrote a program and executed he found out that his program has forced all 31 computers of the  CERL to turned off!

After that DoS attacks has spread and DDoS, a new and powerful variant of DoS came in to play. Below are some noted cyber attacks from 1988 to near 2014.from year 2000 DDoS Tools were used for the attacks most of the time. The attacks were in scales from Small tickles to Geo-Political events

1988 - Morris Worm, AOL's Punters
1996 - First SYN Flood
2000- FBI taken down, Attacks on eBay, Yahoo, Amazon
2002 - Attack on Internet's DNS  Root servers
2003 - MyDoom attacks 1M computers, Attack on Al-Jazeera website during Iraq war (This was the early stages of attacks which were backed by political moral.)
2007 - Cyber attack on Estonia (Showing the early stages of cyber warfare)
2008 - Attack on Georgian government sites
2009 - Attacks on Iranian government (The early stages of Hacktivists and rise of the Anonymous Group)
2010 - Operation Payback, Avenge Wikileaks' Assange
2011,2012 - Operation Tunisia, Operation Sony, Operation Syria, Operation MegaUpload,Operation Russia, Operation India, Operation Japan
2012,2013 - Operation Ababil targets financial institutions. (At this era most attacks were major political attacks)

DoS or DDoS attacks are the most harmful attacks currently being undertaken. Current major attacks are in the scale of 1000 Gb per second and over 50Mil packets per second.

Types of Attacks

Now we will discuss some DDoS Attack types and what vulnerabilities of protocols, architectures are used in them. Every type of attack uses a specific vulnerability to exploit and make advantage of it. As you read this article you may understand that the black-hat's are using some property of existing internet protocol in a way which it was not meant to be used. That their cleverness, to use what is in hand to deliver the best they can. We will discuss about following attack types in details.

This Attacks will target Network Resources

  • UDP Flood 
  • ICMP Flood
  • Amplification Attacks
  • Connection-Oriented Attacks 
  • Connectionless Attacks
  • Reflective Attacks

This Attacks will target Server Resources 

  • TCP/IP Weakness
  • TCP SYN Flood
  • TCP RST Attack
  • TCP PSH+ACK Attack

"SSL-Based" Attacks

  • Encrypted-based HTTP Attacks
  • THC-SSL-DoS Attacks

This Attacks will Target Application Resources

  • HTTP Flood Attack
  • DNS Flood Attack
  • "Low and Slow" Attack
  • Slow HTTP GET Request Attack
  • Slow HTTP POST Request Attack
  • Regular Expression DoS Attack
  • Hash Collisions DoS Attack

Network Flood Attacks

 This attacks will consume all of the victims network bandwidth. But the trick is all the network traffic will looks like legitimate network traffic. To successfully execute this type of attack a botnet  can be used since a single computer might not be enough to create the expected network flood. This attack type is simple. Only thing need to be done is create a huge amount of traffic to the targeted site.
Result: Victim's site will be incredibly slow and  unresponsive.

UDP Flood: 

User Datagram Protocol is a connectionless protocol. This attack will not exploit a specific vulnerability of the UDP. Instead it uses the usual traffic in exhaustive manner which makes it a volumetric attack. Therefore scale of such attacks will w measured using the bandwidth used or the number of the packets sent per second(PPS).
The attacker will send large number of UDP packets to random ports of the server. The server which is unable to handle the large number requests will try to send ICMP "destination unreachable" because there is no specific application listening to that port. Then eventually the server will congested will the traffic, Until the incoming attack traffic is on the server will unavailable or unresponsive.

ICMP Flood: 

This is fairly simple and might be outdated type of attack because of  current server capabilities. In this attack, attacker will send whole lot of ICMP flood (ping flood) to the server. The server will be overwhelmed by the incoming large traffic of  ICMP. My opinion is that be succesfull this type of attack will require lot of machine or bandwidth power at the attackers side as well because current servers have enough computing power and bandwidth to survive this type of attack. Don't use this this is Old! 

Amplification Attacks:

This attacks of type does some amplification of  some type (Number of packets, Bandwidth) in the attacks. An amplification attack via a single computer can do some damage. But when the attack is via a botnet the expected results are mush more harmful. There are few types of these of attacks based on the what they amplify.
  • Sumrf Attacks
  • Fraggle Attacks
  • DNS Ampilification
Sumrf Attacks and Fraggle attacks are almost other than the protocol they use. Attacker will use a devise(as amplifier) which can broadcast packets to them. Most of the time an amplifier can be a router.
Attacker will send a packet to the amplifier with spoofed IP address. Source address: Victim IP, Destination Address: Broadcast IP. When the packet reaches the router(amplifier) it will broadcast that to all the clients and client's will respond to victim because the destination address is victim's IP which will lead to denial-of-service condition.Note: Now most of the routers have forwarding restrictions and disabled broadcasting. Therefore this will not work 100%
Sumrf Attacks: ICMP
Fraggle: UDP

DNS Amplification

We will discuss this method separately since this method is different from Smurf and Fraggle Attacks. Here the attacker try to use a Open DNS Resolver as a exploit to the attack which can much larger response than the request. In this amplification the packet size is increased. UDP is used in this and  if not correct counter-measures are not taken at DNS server end then there will be...

following is a such a query to google DNS server. How ever don't expect any results here because Google has make necessary measures to prevent such attacks. use source address as victim IP.
                 dig ANY isc.org @

DNS amplification attack was a success full attack was attack while ago.

 Practical Testing

You can set up a virtual server and write some codes to create packets and send them over using C language. C will make sure you have necessary speed up from the programing language point of view. I think when it comes to it DDoS (and other subject matters as well) it is better to know the theoretical background first. Otherwise you will sending packets all over the place without where to exploit. 

It the next post we will discuss how to deliver other attack types and How to perform real world testing. Finally it's up to you to pick your hat color.



Popular posts from this blog

DDoS and DoS Attacks and Tools - Part 2

Apache Spark Small Talk