Section 6.9 Denial-of-Service Attacks
As you study this section, answer the following questions:
- What is the difference between a denial-of-service attack and a distributed denial-of-service attack?
- What are the four categories of denial-of-service attacks?
- What are some motivations behind denial-of-service attacks?
- How can you prevent and protect against DOS and DDoS attacks?
In this section, you will learn to:
- Launch a DoS and DDoS attack
- Analyze ICMP traffic in Wireshark
- Analyze a DoS attack
- Analyze a DDoS attack
The key terms for this section include:
Key Terms and Definitions
Term | Definition |
---|---|
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks | Network attacks that make resources unavailable to employees, vendors, and customers. |
Fragmentation attack | A type of DoS attack that targets a network's datagram fragmentation systems. |
Volumetric attack | A network-level attack that focuses on consuming all the bandwidth between a target and the internet by using multiple sources to flood traffic. |
Amplification attack | An attack that focuses on exploiting vulnerabilities in protocols and broadcast networks, using intermediary computers to amplify small requests into larger payloads to overwhelm the server. |
Application level attack | An attack that focuses on an application. It has a lower volume than other DoS attacks because it must meet the protocol specifications of the application, and it can stop the application from running. |
Protocol attack | A network-level or transport-level attack that focuses on the connection state tables of firewalls, load balancers, and application servers. |
TCP fragmentation | A TCP fragmentation attack prevents TCP/IP packets from reassembly and is also known as a Teardrop attack. |
Ping flood | An attack that floods a target computer with packets to overload it. |
Smurf attack | An attack that targets ICMP protocol vulnerabilities and has three steps: create ICMP echo request packets using the spoofed IP address of the target machine, send packets to the broadcast address of a network, and disable the target computer with replies from numerous devices. |
Fraggle attack | An attack that targets UDP weaknesses and broadcasts numerous UDP packets from a spoofed IP address in an attempt to flood the target. |
Phlashing | An attack that pushes incorrect updates to a system's firmware causing irreversible damage. It is known as bricking because the system becomes as useful as a brick after the attack. |
SYN flood | An attack that exploits the TCP three-way handshake, creates SYN packets with non-existent source addresses, causes the target machine to wait for a response from a SYN-ACK sent to the non-existent address, and results in resources becoming overloaded, waiting for more and more responses that are not coming. |
Ping of Death | An attack that exploits fragmentation processes, violates TCP/IP maximum size of 65,535 bytes, and causes the reassembled packets to overflow the buffer and crash the system. |
Land attack | An attack that changes a SYN packet so that the destination and the source address are the same, causing the server to crash or freeze. It is also known as a layer 4 attack. |
Trinoo | A set of programs that uses UDP flooding to attack IP addresses. |
Low Orbit Ion Cannon (LOIC) | A free and simple DoS attack tool. |
DoSHTTP | A tool that uses HTTP flooding to attack URLs. It can be run on any Windows system. |
UDPFlood | A tool that creates UDP packets for a network target. |
This section helps you prepare for the following certification exam objectives:
Exam | Objective |
---|---|
CompTIA CySA+ CS0-003 | 1.2 Given a scenario, analyze indicators of potentially malicious activity; 1.3 Given a scenario, use appropriate tools or techniques to determine malicious activity; 2.2 Given a scenario, analyze output from vulnerability assessment tools; 2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities |
TestOut CyberDefense Pro | 4.1 Manage security incidents |
6.9.1 DoS Attack Types
DoS Attack Types 00:00-00:39 As a security analyst, it's important to see that your networks are protected from denial-of-service, or DoS, attacks. To do this, it's helpful to understand the types of DoS and DDoS, or distributed denial-of-service, attacks that could occur on your network.
Denial-of-service attacks fall into five general categories: fragmentation, volumetric, amplification, Application layer, and protocol attacks. In this lesson, I'm going to look at each category and review a few specific attacks associated with each one. Let's start by looking at fragmentation attacks.
Fragmentation Attacks 00:39-01:53 Fragmentation attacks target a system's ability to reassemble fragmented packets. For example, UDP and ICMP fragmentation attacks involve sending fake UDP or ICMP packets that are larger than the maximum transmission unit for the network. To accommodate these large packages, the system disassembles them. Because the packets are fake, they can't be reassembled. This results in the target's resources being consumed and becoming unavailable.
TCP fragmentation attacks, also known as teardrop attacks, prevent TCP/IP packets from being reassembled. In this attack, the perpetrator sets the flags on all frames to indicate fragments and provides reassembly instructions that don't exist.
To see how this works, imagine you're trying to put together a bookshelf. You pull out all the pieces and lay them in front of you. The directions say that the first step is to connect part A to part B using part C. You look for part C but can't find it. Even worse, you realize that you can't find several of the other parts needed. Now, you're stuck with a bunch of pieces that don't fit together. This is exactly like the server during a teardrop attack, except the server handles a lot more than one box of parts at a time.
Volumetric Attacks 01:53-02:50 The second category is volumetric attacks. This attack's goal is to block traffic by consuming all available bandwidth between the target and the internet. Although there are many ways to do this, a common volumetric attack is known as a ping flood attack. The ping utility is used to test connectivity between two computers and is a useful tool. When it's used on a Windows system, the ping command only sends four requests by default. But using built-in command options, this can be easily changed to indefinite pinging. In addition, there's another command option that increases pings' packet sizes. Rapidly sending these large ping packets begins to quickly consume the available bandwidth.
With the ability to multiply ping requests and increase packet sizes, traffic can easily add up and flood a target's capacity. This is especially true if the attacker sends pings from multiple machines with a botnet.
Amplification Attacks 02:50-03:48 The third attack category is amplification attacks. These attacks exploit vulnerabilities in protocols and broadcast networks. The name is derived from the idea that the attacker uses intermediary computers to amplify their attack's impact.
A smurf attack is a good example. As you might've guessed, the idea is that very small but numerous attackers overwhelm an opponent. A smurf attack targets ICMP protocol weaknesses. This is how it works.
First, the attacker creates ICMP echo request packets using the target machine's spoofed IP address. Then they send the packets to a network's broadcast address, resulting in a large number of devices sending the requested replies to the target's IP address. This attack's goal is to overwhelm the target computer with traffic, making it impossible to use. A fraggle attack is the same, except that it exploits the UDP protocol instead of the ICMP protocol.
Application Layer Attacks 03:48-04:24 The fourth category is Application layer attacks. The goal here isn't necessarily to use up bandwidth, but instead to consume all the target machine's resources. This is done by using botnets on multiple computer systems to request access to an application on the target machine, overwhelming it and making it unavailable to other users. For example, even if an account doesn't exist, asking to log onto an email server requires the server to perform database queries or other API calls in order to produce a web page. If too many requests are made at the same time, it could even result in a system crash.
Protocol Attacks 04:24-04:58 Our last denial-of-service category is the TCP state-exhaustion attack, also known as a protocol attack. State-exhaustion attacks target the connection state tables of firewalls, load balancers, and application servers. We often see this done with a SYN flood attack that exploits a three-way handshake.
In this scenario, the attacker creates SYN packets with a fake source address. When the target machine responds with a SYN-ACK, it goes to the non-existent address, causing the target machine to wait for a response that'll never come.
Summary 04:58-05:18 That's it for this lesson. In this lesson, we discussed five denial-of-service attack categories: fragmentation, volumetric, amplification, Application layer, and protocol attacks. We also reviewed a few specific DoS and DDoS attacks.
6.9.2 DoS Attack Type Facts
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks make network resources unavailable to employees, vendors, and customers.
This lesson covers the following topics:
- DoS attack categories
- DoS and DDoS attack types
- DoS tools
DoS Attack Categories
All DoS attacks involve an increase in traffic. There are multiple ways to accomplish this. Attackers can use more than one of the following categories of attack:
Category | Description |
---|---|
Fragmentation attack | A fragmentation attack targets a network's datagram fragmentation systems. A fragmentation attack works as follows: |
Volumetric attack | A volumetric attack: |
Amplification attack | An amplification attack: |
Application level attack | An application level attack: |
Protocol attack | A protocol attack: |
DoS and DDoS Attack Types
The following table describes several DoS attack types:
Attack | Description |
---|---|
TCP fragmentation | A TCP fragmentation attack: |
Ping flood | A ping flood attack floods a target computer with packets to overload it. Pings are helpful in testing connectivity between computers. Keep in mind the following. |
Smurf attack | A smurf attack: |
Fraggle attack | A fraggle attack: |
Phlashing | Phlashing: |
SYN flood | A SYN flood attack: |
Ping of Death | A ping of death attack: |
Land attack | A land attack: |
DoS Tools
The following table describes DoS tools you can use.
Tool | Description |
---|---|
Trinoo | Trinoo (also known as trin00) is a set of programs that uses UDP flooding to attack IP addresses. |
Low Orbit Ion Cannon (LOIC) | LOIC is a free and simple DoS attack tool. |
DoSHTTP | DoSHTTP uses HTTP flooding to attack URLs. It can be run on any Windows system. |
UDPFlood | The UDPFlood tool creates UDP packets for a network target. |
Targa | Targa is a multi-functional tool that can perform land, WinNuke, and teardrop attacks. |
Jolt2 | Jolt2 is a DoS tool that sends numerous fragmented packets to a Windows machine. |
Shark | Shark is a tool that can create botnets. |
PlugBot | PlugBot is a tool that can create botnets. |
Poison Ivy | Poison Ivy is a tool that can create botnets. |
6.9.3 DoS Countermeasures
DoS Countermeasures 00:00-00:27 Denial-of-service attacks are a significant threat to many organizations today. In this lesson, we'll discuss prevention, protection, and responses to DoS and DDoS attacks.
The most important phase in countering a DoS or DDoS attack is long before the attack is launched and is part of an active defense approach to cybersecurity. There are several preventative steps you can take.
Prevention 00:27-02:31 The first place to start is analyzing your network for weaknesses in configuration and checking all access points for vulnerabilities. You can do this through internal and external audits. There are several things to check for in this process. Let's look at a few. First, check for any legacy systems running in your network. Legacy systems can still be performing their intended function but can pose a vulnerability with their potentially outdated security protocols. Next, when checking the access points, only allow outside access to necessary servers and restrict outside access to all others. Then, disable unnecessary services on live systems. Extra services just provide more attack opportunities. Also, be sure to remove any dead links and archived data. And finally, create redundant resources which will allow you to redirect traffic and keep your system up and running in the event of an attack.
Another key area in prevention is to involve others from the organization in the process. Be sure to help management understand the importance of prevention and get their cooperation in training employees in prevention, recognition, and defense. Having the organization trained will be one of your greatest defense strategies. Teach them the signs of a DoS or DDoS attack such as: services unavailable or slow, 503 error messages (unless maintenance is being performed), abnormal spikes in network traffic, or customer complaints about website access. It can be helpful to stage simulations of an attack to practice how employees and cybersecurity pros can work together to respond.
All members of this team should know their role in the emergency response plan and where to find the information they need. You'll also want a communication plan (who needs to know what and when). Some attacks have a quick and simple fix, but others escalate quickly, so you'll want to have an escalation plan in place. At what point do you switch over to your redundant systems? Response plans are an extremely important part of an active defense.
Protection 02:31-03:14 Now, for the protection phase there are also several steps you can take, such as utilizing your cloud-based service provider's resources, like additional bandwidth, and monitoring services. Additionally, you can invest in DDoS mitigation services, and anti-malware software that can help prevent Trojan infections and bot injections. You can also implement anti-spoofing measures, as well as threat management and intrusion prevention systems which can provide VPNs, anti-spam, and load balancing protection. Many network devices come with some type of mitigation settings as well. Router throttling, for example, limits the potential impact of a DoS attack and can provide some response time for administrators.
Response 03:14-04:16 To respond to an attack, it's best to detect it early. Being vigilant in auditing and monitoring consistently will help with this. Also, having the staff trained to look for the warning signs we talked about earlier will aid in early detection. As soon as you are aware of the attack, diverting the traffic to a scrubbing center or a sinkhole can protect your system. Next, filter your traffic through rule writing that identifies distinguishing patterns of malicious packets and blocks them.
After that, check your systems for any degradation in functionality and address any new vulnerabilities. And finally, after the attack, gather information from system logs and reports to discover the source and type of attack to help prevent any similar attacks in the future.
These attacks are becoming more common, and although the large-scale attacks against large companies catch the spotlight, small and mid-sized companies are also combating more and more attacks, making this area an important part of your cybersecurity knowledge base.
Summary 04:16-04:39 That's it for this lesson. In this lesson, we went over a few countermeasures for DoS and DDoS attacks. We looked at steps to prevent access and protect your assets, and then finished with some important ways to respond to an attack. Implementing these steps can help keep your organization safe from denial-of-service attacks.
6.9.4 DoS Countermeasure Facts
Part of having an active defense in your organization is being proactively prepared for denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks.
This lesson covers the following topics:
- DoS and DDoS prevention and protection
- DoS and DDoS attack response
DoS and DDoS Prevention and Protection
The most important phase in countering a DoS or DDoS attack happens before the attack is launched. The following are several steps you can take to harden your system.
- Analyze configuration weaknesses in the network.
- Check all access points for vulnerabilities.
- Allow only necessary outside access to servers.
- Conduct internal and external audits. Key areas to check are legacy systems. Often legacy systems do not have up-to-date security policies.
- Disable unnecessary services. Unnecessary services provide opportunities for attack.
- Remove dead links and archived data to reduce potential attack surfaces.
Steps you can take to protect your system include:
- Utilize your cloud-based service provider's resources, such as additional bandwidth and monitoring services.
- Invest in DDoS mitigation services.
- Install anti-malware software to prevent Trojan and bot infections.
- Implement anti-spoofing measures.
- Implement threat management and intrusion prevention systems (IPS), which can provide:
  - VPNs
  - Anti-spam protection
  - Load balancing
- Configure the preexisting mitigation settings, such as router throttling, on network devices to help protect the system.
- Create redundant resources to allow redirection of traffic and continuous service in the event of an attack.
DoS and DDoS Attack Response
Create a response team to help prepare for the response to an attack. The response team can assist with the following tasks.
- Help management understand the importance of preventative action, the role of the response team, and the importance of an escalation plan.
- Train employees in prevention, recognition, and defense. Training should include the warning signs of DoS and DDoS attacks:
  - Slow or unavailable services.
  - 503 messages (unless maintenance is being performed).
  - Abnormal spikes in network traffic.
  - Customer complaints about access.
- Stage simulations to fine-tune the response plan.
- Create a communication plan for team members.
- Create an escalation plan.
To respond to an attack, it is best to detect it early.
- Be vigilant and consistent in auditing and monitoring.
- Have staff trained to look for attack warning signs.
When you are aware that you are under attack:
- Divert traffic to a scrubbing center or sinkhole.
- Use rule writing to identify distinguishing patterns of malicious packets and block them.
After the attack:
- Check systems for functionality degradation.
- Address any new vulnerabilities.
- Analyze system logs and reports to discover the source and type of attack. This will help you prepare against future attacks.
6.9.5 DDoS Attack Types
Distributed Denial of Service 00:04-00:49 A distributed denial of service, or DDoS, attack is designed to essentially bombard the target with more data than it can handle causing it to shut down. A DDoS attack can target a network, specific applications or services, and protection systems like the IDS. Because many IDS systems today use a central logging server, an attacker can target that server directly causing it to shut down. Once it shuts down, attacks would go unnoticed because the alert data is no longer logged.
There are many different methods used to pull off a DDoS attack. The three main types of DDoS attacks are application layer attacks, protocol attacks, and amplification attacks. Let's look at each.
Application Layer DDoS 00:49-01:16 The goal of an application layer attack is to exhaust the target's resources by overloading a specific program or service. For example, an attacker could send large amounts of HTTP requests to a web server causing it to constantly load a web page. This takes little effort on the attacker's end, but the web server is being required to load images, scripts, and other media. This would soon overload the web server and cause it to crash.
Protocol DDoS 01:16-01:47 An attacker can also use different protocols such as TCP flags to overload network devices such as the IDS central logging server. One example of this is a SYN flood. With this attack, the attacker sends a bunch of SYN packets with a spoofed IP address. When the target responds with the SYN-ACK packet, it sends it to the wrong IP address which means no response will come back. So, the target eventually gets overwhelmed waiting for the response packets to come back.
Amplification DDoS 01:47-02:30 An amplification attack tries to consume the bandwidth between the target and the internet, effectively cutting users off. DNS amplification attacks are a common example of this. With a DNS amplification attack, the attacker sends a large number of DNS queries to multiple open DNS servers with the victim's IP address spoofed as the sender. The DNS servers then send the DNS responses to the victim, which can quickly become overloaded.
Regardless of the method being used, the goal is to overload the memory, CPU, disk space, network, or any other critical component of the IDS itself or the IDS logging server and disable it so an attack can then be carried out.
Summary 02:30-02:45 That's it for this lesson. In this lesson we looked at how a distributed denial of service attack works and how they can be used to knock out the IDS and its logging server.
6.9.6 DDoS Attack Types Facts
This lesson covers the following topics:
- Distributed denial-of-service (DDoS) attack
- DDoS attack types
Distributed Denial-of-Service (DDoS) Attack
A distributed denial-of-service attack is designed to bombard the target with more data than it can handle, causing it to shut down. A DDoS attack can target a network, an application, specific services, or protection systems like the IDS.
For example, many IDSs today use a central logging server. An attacker can target that server directly, causing it to shut down. Once it shuts down, attacks go unnoticed because the alert data is no longer logged.
DDoS Attack Types
There are many methods to run a DDoS attack. The following table explains the three main methods:
Attack Method | Description |
---|---|
Application layer DDoS | An application layer DDoS attack exhausts the target's resources by overloading a specific program or service. For example: |
Protocol DDoS | This type of attack targets protocols such as TCP to overload network devices such as a firewall. A TCP SYN flood attack is a common example of this type of attack and is carried out as follows: |
Amplification DDoS | This type of attack consumes the bandwidth between the target and the internet, effectively cutting the target off from the internet. A common example of this type of attack is carried out as follows: |
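The SYN flood in the protocol DDoS row above leaves a defender-visible trace: a backlog of half-open handshakes, spread over many sources that never complete, while ordinary clients keep finishing theirs. The Python below is an added example, not part of the course material; the packet records, addresses (documentation ranges) and thresholds are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since the start of the capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str    # "S" = SYN, "SA" = SYN-ACK, "A" = the client's handshake-completing ACK


def handshake_state(packets):
    """Replay packets in time order.

    Returns (completed, pending):
      completed = {(server, port): handshakes a client finished with an ACK}
      pending   = {(client, cport, server, sport): syn_ts} for SYNs that never
                  received the final ACK, i.e. the half-open entries the target
                  must keep in its connection table. SYN-ACKs are not tracked.
    """
    pending = {}
    completed = defaultdict(int)
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            pending[key] = p.ts
        elif p.flags == "A" and key in pending:
            del pending[key]
            completed[(p.dst, p.dport)] += 1
    return completed, pending


def syn_flood_report(packets, half_open_threshold=50, timeout=3.0):
    """Flag every (server, port) whose backlog of SYNs older than `timeout`
    seconds with no completing ACK reaches `half_open_threshold`.

    A large backlog made up of many distinct sources that each leave a single
    half-open entry matches the page's description: SYN-ACKs go to spoofed,
    non-existent addresses, so the target waits for ACKs that never arrive.
    """
    completed, pending = handshake_state(packets)
    now = max(p.ts for p in packets)
    per_target = defaultdict(list)
    for (client, _cport, server, sport), syn_ts in pending.items():
        if now - syn_ts >= timeout:
            per_target[(server, sport)].append(client)
    report = {}
    for target, clients in per_target.items():
        if len(clients) >= half_open_threshold:
            report[target] = {
                "half_open": len(clients),
                "distinct_sources": len(set(clients)),
                "completed_handshakes": completed.get(target, 0),
            }
    return report


def build_sample_capture():
    """Constructed capture (not from a real network): three normal clients
    complete handshakes with 198.51.100.5:80, then 120 spoofed sources in
    203.0.113.0/24 each send one SYN that is answered with a SYN-ACK but never
    acknowledged, and finally one more normal client connects."""
    server = "198.51.100.5"
    pkts = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11", "192.0.2.12"]):
        t, cport = 0.5 * i, 40000 + i
        pkts.append(Packet(t, client, cport, server, 80, "S"))
        pkts.append(Packet(t + 0.01, server, 80, client, cport, "SA"))
        pkts.append(Packet(t + 0.02, client, cport, server, 80, "A"))
    for i in range(120):
        spoofed, cport, t = f"203.0.113.{i + 1}", 1024 + i, 5.0 + i * 0.01
        pkts.append(Packet(t, spoofed, cport, server, 80, "S"))
        pkts.append(Packet(t + 0.01, server, 80, spoofed, cport, "SA"))
    pkts.append(Packet(12.0, "192.0.2.13", 40100, server, 80, "S"))
    pkts.append(Packet(12.01, server, 80, "192.0.2.13", 40100, "SA"))
    pkts.append(Packet(12.02, "192.0.2.13", 40100, server, 80, "A"))
    return pkts


if __name__ == "__main__":
    for (host, port), stats in syn_flood_report(build_sample_capture()).items():
        print(f"{host}:{port} half-open={stats['half_open']} "
              f"sources={stats['distinct_sources']} "
              f"completed={stats['completed_handshakes']}")
```

On real traffic the same logic runs over flow records or a Wireshark export; the threshold should come from the baseline of half-open connections the server normally carries.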
6.9.7 Signs of a DDoS Attack
Signs of a DDoS Attack 00:00-00:42 In this lesson, we'll discuss the signs of a distributed denial-of-service attack. During a DDoS attack, an attacker employs botnets on multiple networks to attack a target simultaneously. These directed attacks can significantly reduce the availability of a network's resources and result in unusual traffic spikes and excessive bandwidth consumption. DDoS attacks are considered successful when they use all available bandwidth. This is often accomplished by flooding a target with requests from many different devices controlled by the attacker, quickly consuming large amounts of bandwidth. Network-related indicators of compromise, or IOCs, can be used to identify DDoS attacks.
DDoS Indicators of Compromise 00:42-02:14 Traffic spikes are a key indicator of a DDoS attack because they reflect an abnormal surge in network activity, often resulting from an attacker flooding the network with excess traffic. Under usual circumstances, network activity follows a relatively predictable pattern, with incremental rises and falls. However, during a DDoS attack, there's a sudden, significant increase in data flow, often several times greater than the expected traffic volume. This abrupt and significant spike in traffic is usually unnatural. It signifies that a network is overwhelmed with external connection requests, a classic sign of a DDoS attack.
Bandwidth consumption is another key indicator that can reveal DDoS attacks. During a typical operation, a network has a steady bandwidth usage pattern within a specific range, aligned with normal business operations. However, in the event of a DDoS attack, there's an abnormal increase in bandwidth consumption as the network receives a large volume of requests from the attacker's botnet. DDoS attacks are successful when they use all available bandwidth. An attacker spoofs a target IP address and opens connections with multiple servers. With all SYN/ACK responses directed to the target server, it quickly runs out of bandwidth.
This sudden bandwidth surge is often disproportionate to standard operational bandwidth consumption. It can cause the network to slow down or even crash as it becomes overloaded with requests. Therefore, monitoring for unexpected spikes in bandwidth consumption can provide essential early detection of a potential DDoS attack.
Establishing a Baseline 02:14-03:30 Establishing a baseline of regular network traffic is critical to detect potential DDoS attacks effectively. This process involves continuous monitoring and collection of data about the network's typical activity levels during routine operation.
The first step in establishing a baseline is choosing a representative data collection period. This period should capture the network's standard activity during normal business hours, weekends, and other regular events that influence network load. Once the period is established, you should track numerous parameters like the number of packets sent and received, the number of unique connections, bandwidth usage, and any other metrics that reflect the network's regular operation. It's essential to consider peak and off-peak times to account for the network's full range of activity.
After collecting this data over a sufficient period, it can be analyzed to identify typical patterns and levels of network traffic. This establishes the "normal" baseline against which future traffic can be compared. Correctly set, this baseline will enable network administrators to identify any significant deviations that could indicate a DDoS attack. Regular updates to the baseline are necessary to ensure its accuracy over time, as network usage can evolve with changing business operations.
Summary 03:30-03:42 That's it for this lesson. In this lesson, we discussed signs of a DDoS attack. We talked about indicators of compromise and the importance of establishing a baseline to identify anomalies in traffic and bandwidth.
6.9.8 Signs of a DDoS Attack Facts
This lesson covers the following topics:
- Distributed denial-of-service (DDoS) intrusion
- Establishing a baseline
Distributed Denial-of-Service (DDoS) Intrusion
A distributed denial-of-service (DDoS) attack uses botnets on multiple networks to simultaneously attack a target. These directed attacks can significantly reduce the availability of a network’s resources. The following table provides descriptions of DDoS IoCs.
IoC | Description |
---|---|
Unusual traffic spikes | Increased traffic spikes can reveal DDoS attacks. Establish a baseline to know when traffic has risen to an unusual level. |
Bandwidth consumption | DDoS attacks are successful when they use all available bandwidth. An attacker spoofs a target IP address and opens connections with multiple servers to do that. With all SYN/ACK responses directed to the target server, it quickly runs out of bandwidth. |
Establishing a Baseline
Establishing a baseline of regular network traffic is critical to effectively detect potential DDoS attacks. This process involves continuous monitoring and collection of data about the network's typical activity levels during routine operation.
To establish a baseline:
- Step 1: Choose a representative period for data collection. This period should capture the network's standard activity during normal business hours, weekends, and other regular events that influence network load.
- Step 2: Track numerous parameters like the number of packets sent and received, the number of unique connections, bandwidth usage, and other metrics that reflect the network's regular operation. It's essential to consider peak and off-peak times to account for the network's full range of activity.
- Step 3: Analyze data to identify typical patterns and levels of network traffic. This establishes the normal baseline against which future traffic can be compared.
This baseline enables network administrators to identify any significant deviations that could indicate a DDoS attack. Regular updates to the baseline are necessary to ensure its accuracy over time, as network usage can evolve with changing business operations.
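The three baseline steps above, carried through as an added Python example (not from the course): it keeps peak and off-peak intervals apart, builds per-metric means and standard deviations from a constructed two-week hourly history, and flags an interval whose packets, unique connections or bandwidth rise far above its bucket's baseline. The business-hours window, the z-score threshold and all sample values are assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    weekday: bool
    hour: int          # 0-23, local time of the one-hour interval
    packets: int       # packets sent + received in the interval
    connections: int   # unique connections seen in the interval
    mbps: float        # bandwidth used in the interval


METRICS = ("packets", "connections", "mbps")


def bucket(sample):
    """Steps 1 and 2: separate peak from off-peak. Weekday business hours
    (assumed 09:00-18:00) are 'peak'; nights and weekends are 'off-peak'."""
    return "peak" if sample.weekday and 9 <= sample.hour < 18 else "off-peak"


def build_baseline(history):
    """Step 3: per bucket, the mean and population std dev of every metric.
    Rebuilding this over a sliding window of recent history is how the
    baseline is kept current as business usage changes."""
    groups = {}
    for s in history:
        groups.setdefault(bucket(s), []).append(s)
    return {
        name: {m: (mean(getattr(s, m) for s in samples),
                   pstdev(getattr(s, m) for s in samples)) for m in METRICS}
        for name, samples in groups.items()
    }


def deviations(sample, baseline, z_threshold=4.0, min_rel_sigma=0.05):
    """Return {metric: z_score} for each metric that rose more than
    `z_threshold` standard deviations above its bucket's baseline.

    The std dev is floored at `min_rel_sigma` of the mean so a very flat
    history does not turn a small rise into an alert. Only upward deviations
    are reported: a DDoS shows up as a surge in traffic, not a drop."""
    stats = baseline[bucket(sample)]
    flagged = {}
    for m in METRICS:
        mu, sigma = stats[m]
        sigma = max(sigma, min_rel_sigma * mu, 1e-9)
        z = (getattr(sample, m) - mu) / sigma
        if z > z_threshold:
            flagged[m] = round(z, 1)
    return flagged


def build_history(days=14):
    """Constructed two-week hourly history (not real telemetry) with a small
    deterministic wobble so the baseline has non-zero variance."""
    history = []
    for day in range(days):
        weekday = day % 7 < 5
        for hour in range(24):
            wobble = (day * 24 + hour) % 5 - 2          # -2 .. +2
            if bucket(Sample(weekday, hour, 0, 0, 0.0)) == "peak":
                s = Sample(weekday, hour, 120_000 + 2_000 * wobble,
                           800 + 20 * wobble, 40.0 + 1.5 * wobble)
            else:
                s = Sample(weekday, hour, 30_000 + 1_000 * wobble,
                           150 + 10 * wobble, 8.0 + 0.5 * wobble)
            history.append(s)
    return history


if __name__ == "__main__":
    baseline = build_baseline(build_history())
    quiet = Sample(True, 14, 123_000, 810, 41.0)        # ordinary afternoon
    surge = Sample(True, 14, 900_000, 12_000, 400.0)    # constructed attack hour
    print("quiet interval:", deviations(quiet, baseline) or "within baseline")
    print("surge interval:", deviations(surge, baseline))
```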
6.9.9 Launch a DoS and DDoS Attack
Launch a DoS Attack 00:00-00:40 A denial-of-service attack, or DoS attack, is an attempt to prevent legitimate users from using a system. The attacker sends excessive messages asking the victim to authenticate requests that have spoofed IP addresses. The victim isn't able to find the attacker's return address, causing the server to wait. Eventually, the victim gives up and closes the connection. The attacker sends more authentication messages and starts the process over and over, keeping the victim busy.
Just a reminder here: attacking computers is illegal, and you can go to jail for doing it. Make sure you have written permission before doing anything related to launching a DoS attack.
Use Ettercap to Perform a DoS Attack 00:40-02:02 To start, we're going to use Ettercap to do a DoS attack. Before we begin, let's look at a couple of things on the victim machine. I'm going to want to know if my DoS attack is actually working. I'm going to verify that by running Wireshark. Let's start capturing traffic. I also have Task Manager open to view the performance on this victim machine. First, here in Task Manager, you see that not much is going on with the performance; everything is quiet and calm. Now, let's go to my Kali Linux system.
I'm on Kali Linux. I'll come up here, navigate to Sniffing & Spoofing, and go up to Ettercap. Once it's open, I'll go to Sniff and select Unified sniffing. I'll leave the network interface set to eth0 and click OK.
Now I'll go up to Plugins and select Manage the plugins. I'm presented with a list of plugins. I want to find this one, dos_attack. I'll select that. And when I do, I'm asked to provide the victim IP address, so I'll type in '10.10.10.195' and click OK. It wants an unused IP. This will be the spoofed IP address, so I'll put in '10.10.10.50'. This IP isn't used on my network, so that'll work. Down here, you can see that the attack has started from the fake host. It's attacking ports 445, 135, and 139.
So, is it working? Well, let's go visit our victim machine and see how it's doing.
DoS Victim 02:02-02:56 I'm on the victim machine, a Windows 10 system. First, let's look at Wireshark. I see lots of traffic from 10.10.10.50 as a source going to the destination of 10.10.10.195. I have an assortment of traffic, lots of SYN and ACK packets. Remember that the source IP is spoofed. Now, let's look at Task Manager.
A few minutes ago, everything was quiet. Now, we see some action. You can see that my CPU was maxed out a few seconds ago. The Ethernet was maxed out, too. But now, it's calming down a bit. Perhaps my attack stopped.
Remember, this is just a single attack, or a DoS attack. So, what's the difference between a DoS attack and a DDoS attack? Well, the DoS uses a single machine, and a DDoS uses multiple machines. How about we go to another machine, start another attack, and see what happens to our victim. That should be fun and interesting.
Use LOIC to Perform a DoS Attack 02:56-04:47 I'm on a Windows system now. We know how to use Ettercap to do a DoS attack. We could install it on another machine and repeat the exact same process to make this a DDoS attack. But that would be boring, and we wouldn't learn any new skills. So, instead, we'll use another program called Low Orbit Ion Cannon, or LOIC for short. LOIC is an open-source network stress testing and denial-of-service attack application. It was initially developed as a proprietary program, but it was later released into the public domain as open source. Most antivirus programs recognize it as malicious software, so be aware of that.
I've already downloaded the zip file and extracted it to this folder, here. I'll click on the executable and launch the program. It doesn't install; it just runs locally.
Up here, I can choose to attack a URL. Down here, I can attack an IP. I'll put in my victim's IP, '10.10.10.195'. I'll click Lock On to lock in that IP address.
Down here, I can actually insert a TCP/UDP message. This is something that would be visible to someone examining the packets on the victim machine. I happen to know that my victim is a huge Cardinal fan, so I want to send him a message that says, "Go Cubs Go." I'm sure he'll love that. Over here, I have this slider for speed. I can go way over here for fast, or leave it at slow. I'll just put it in the middle somewhere.
I'm going to change this to Port 135, since I know that port is open on the victim. I think my other attack from the Kali system has stopped, so I'll go restart it really quickly. Okay. The other attack is going, so we're good there.
Now, I'll come up here and click on this button, IMMA CHARGIN MAH LAZER, to start the attack. Down here, you can see it's running.
Since we're already attacking from the Kali Machine and now this Windows machine, we're essentially performing a DDoS attack on the victim. Let's jump over and see how he's doing.
DDoS Attack Victim 04:47-05:21 Okay. We're on our victim machine. First, let's look at Wireshark. Here, you can see the packets from the two attacking machines along with the victim machine going back and forth. I'll stop the capture so I can see this better. Here's my spoofed IP ending in .50. In red, you can see my attack going on from my attacker to the victim. In the lower pane, I can see my TCP message, Go Cubs Go.
In Task Manager, we see a spike in CPU and Ethernet usage, like before.
All right. That's it for our DoS and our DDoS attacks. It was on a small scale, but it worked.
Summary 05:21-05:43 In this demo, we started by explaining a DoS attack. Then we used Ettercap to perform a DoS attack on a victim. We used the Low Orbit Ion Cannon program from a Windows machine to create another attack, resulting in a DDoS attack. After each attack, we viewed Wireshark and Task Manager to analyze the results.