Hack Like a Pro: Denial-of-Service (DoS) Tools & Techniques


Welcome back, my fledgling hackers!

Over the years, we have examined multiple ways to own, exploit, or compromise a system. On the other hand, we have not spent a lot of time on denial-of-service (DoS) attacks.

For those of you who are new here, a denial of service is basically a simple attack that keeps the target system from operating as it should. In its simplest form, it uses up all of the system resources so that others can't connect. More sophisticated attacks will cause the system to crash or create an infinite loop that uses all of the system's CPU cycles.

In general, a DoS attack is the easiest and least sophisticated type of attack. Some have gone so far as to say that an eight-year-old could participate in a DoS attack, and there is some truth to that statement since some tools make it as easy as putting in an IP address and hitting "Start."

In recent years, DoS and DDoS attacks (the latter of which involves more than one attack source) have been growing rapidly and more and more companies/websites are employing specialized anti-DoS tools and techniques (among the most popular and most expensive is Incapsula).

In this article, I want to lay some groundwork on the techniques for DoSing and provide you with some of the tools to do so. Before we do that, though, I want to point out that some of the tools we have already explored here on Null Byte are useful for DoS attacks, including Hping, Nmap, Metasploit, and even Aircrack-ng (for DoSing wireless access points).

Methods

You can categorize denial-of-service attacks into at least three different types, which include:

  1. Volume-Based

These are the simplest attacks. The attacker simply sends a large volume of packets to the target, thereby using up all the resources. The resources used might simply be bandwidth. These attacks include ICMP and UDP floods.

  2. Protocol-Based

These attacks often use the server's resources rather than the bandwidth going to and from the server. They can also use the resources of the network equipment on the periphery of the server (such as firewalls, intrusion detection systems, and switches). Examples include Smurf attacks (ICMP to a broadcast IP with a spoofed IP), Fraggle attacks (same as the Smurf, only using UDP), SYN floods, pings of death (oversized ICMP with the same destination and source IP and port), and many others.

  3. Application Layer Attacks

These attacks are composed of what appear to be legitimate application layer (layer 7) requests to the server that are intended to crash it. These include attacks on Apache HTTP Server and Microsoft IIS, and include tools such as Slowloris.

DoS & DDoS Tools

There are literally hundreds of DoS and DDoS tools available. Within Kali, we can find auxiliary modules within Metasploit specifically for DoSing. If we navigate to:

kali > cd /usr/share/metasploit-framework/auxiliary/dos

And list the contents of that directory, we can see that Metasploit has organized its DoS tools by the type of target. There are hundreds of denial-of-service tools in Metasploit.

We can also find hundreds of DoS tools in the Exploit Database built into Kali, and still more at Exploit-DB.com. We can find a listing of the Exploit-DB DoS tools by navigating to:

kali > cd /usr/share/exploitdb/platforms/windows/dos

A long listing (ls -l) of this directory lists all of the Windows DoS tools. A similar, shorter list is at /usr/share/exploitdb/platforms/linux/dos.

Some of the Most Popular DoS Tools

There is no way I can list and evaluate every DoS tool, but here is a limited list of some of the most popular and effective. This is far from an exhaustive list, but I hope to give you the basics on some of the most popular DoS and DDoS tools. If you have a favorite, by all means, please put it in the comments with a link to the download.

One quick note of warning: Be very careful when looking online for DoS or DDoS tools. Many of them simply take you to a malicious link and will install a trojan on your system. I don't know anyone who would do that. ;-)

1. LOIC

The Low Orbit Ion Cannon (LOIC) may be the most popular DoS tool and has made its way into hacker lore. It is capable of sending mass amounts of ICMP or UDP packets to the target, thereby saturating the bandwidth, and has been used in some of the most effective and notorious DoS attacks.

LOIC was effectively used by 4chan in the Project Chanology attack on the Church of Scientology website in 2009, and by Anonymous in the Operation Payback attack against PayPal, Visa, and MasterCard in retaliation for cutting off WikiLeaks donations.

LOIC attacks can be largely mitigated by limiting UDP and ICMP packets and limiting how many packets can be sent and delivered to any one client. You can download LOIC on SourceForge. This tool is Windows-based and almost as easy as pointing and clicking.
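The mitigation described above (limiting UDP and ICMP, and capping how many packets any one client gets through) can be sketched as a per-client token bucket. This is an added example, not code from the article or from any tool it lists; the rates, burst sizes, class and function names, and the packet trace are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy values (assumptions for this example, not from the article).
RATE_PPS = {"icmp": 5.0, "udp": 50.0}   # sustained packets per second, per client
BURST = {"icmp": 10.0, "udp": 100.0}    # bucket size: short bursts are tolerated


@dataclass
class Bucket:
    tokens: float
    last_seen: float


class PerClientLimiter:
    """Token bucket keyed on (source IP, protocol); TCP is left untouched."""

    def __init__(self, rate=RATE_PPS, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.buckets = {}

    def allow(self, ts, src, proto):
        if proto not in self.rate:
            return True  # only UDP and ICMP are rate limited
        key = (src, proto)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = Bucket(self.burst[proto], ts)
        # Refill for the time elapsed since this client's last packet.
        refill = (ts - bucket.last_seen) * self.rate[proto]
        bucket.tokens = min(self.burst[proto], bucket.tokens + refill)
        bucket.last_seen = ts
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False


def sample_trace():
    """Constructed trace of (timestamp, source, protocol) tuples."""
    trace = [(i / 1000.0, "198.51.100.7", "icmp") for i in range(1000)]  # 1000 pps
    trace += [(float(s), "192.0.2.10", "icmp") for s in range(5)]        # 1 pps
    trace += [(s / 4.0, "192.0.2.10", "tcp") for s in range(20)]         # not limited
    return sorted(trace)


def replay(trace):
    """Run the trace through the limiter; count passed/dropped per (src, proto)."""
    limiter = PerClientLimiter()
    passed, dropped = Counter(), Counter()
    for ts, src, proto in trace:
        (passed if limiter.allow(ts, src, proto) else dropped)[(src, proto)] += 1
    return passed, dropped


if __name__ == "__main__":
    passed, dropped = replay(sample_trace())
    for key in sorted(set(passed) | set(dropped)):
        print(key, "passed", passed[key], "dropped", dropped[key])
```

Because the buckets are keyed per source, the noisy client is cut down to its burst plus the sustained rate while the occasional ping from another client is unaffected. A per-source limit does nothing for the link itself if the flood is large enough to fill the upstream bandwidth.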

2. HOIC

The HOIC was developed during Operation Payback by Praetox—the same folks who developed LOIC. The key difference is that HOIC uses an HTTP flood using booster files that enable a small number of users to effectively DoS a website by sending a flood of randomized HTTP GET and POST requests. It is capable of simultaneously DoSing up to 256 domains. You can download it from SourceForge.

3. XOIC

XOIC is another easy-to-use DoS tool. The user simply needs to set the IP address and port of the target, select a protocol (HTTP, UDP, ICMP, or TCP), then begin to fire away! You can download it on SourceForge.

4. HULK

HTTP Unbearable Load King, or HULK, is another tool capable of bringing down web servers. This tool uses various obfuscation techniques to limit the ability of the target to mitigate the attack. You can download it on Packet Storm.

5. UDP Flooder

UDP Flooder does just as you would expect—it sends a flood of UDP packets to the target. It has been effectively used to knock gamers off their networks (online games primarily use UDP). You can download it at SourceForge.

6. RUDY

R-U-Dead-Yet, or RUDY, takes a different approach to DoSing websites. It enables the user to select a form from the web app and then use that form to send a flood of POST requests. You can download it from Hybrid Security.

7. ToR's Hammer

ToR's Hammer was designed to be run through the ToR network to anonymize the attack and limit mitigation. The problem with this strategy is that the ToR network tends to be very slow, thereby limiting the rate at which the packets can be sent and thereby limiting the effectiveness of this tool. You can download it from Packet Storm or SourceForge.

8. Pyloris

Pyloris is another DoS tool, but with still a different strategy. It allows the user to construct their own, unique HTTP request headers. It then attempts to keep open these TCP connections as long as possible in order to exhaust the connection queue. When it does this, no legitimate connections can be made and new attempts to connect by other users will be dropped. You can download it on SourceForge.
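Connections held open the way Pyloris (and the Slowloris technique named earlier) holds them keep sending a few bytes, so a server that only enforces an idle timeout never reclaims them. The added example below, which is not from the article or from any server's own code, compares an idle-only policy with an absolute header deadline plus a per-client cap on unfinished requests; the `Conn` record, the thresholds and the connection table are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed policy values (assumptions for this example).
IDLE_TIMEOUT = 15.0       # seconds a connection may stay completely silent
HEADER_DEADLINE = 20.0    # seconds allowed to finish sending request headers
MAX_PENDING_PER_IP = 20   # unfinished requests one client may hold open


@dataclass
class Conn:
    src: str
    opened_at: float
    last_byte_at: float
    headers_complete: bool


def idle_only(conns, now):
    """Naive policy: close only connections silent for longer than IDLE_TIMEOUT."""
    return [c for c in conns if now - c.last_byte_at > IDLE_TIMEOUT]


def header_deadline(conns, now):
    """Close requests whose headers are still unfinished after HEADER_DEADLINE,
    plus every unfinished request from clients over MAX_PENDING_PER_IP."""
    pending = [c for c in conns if not c.headers_complete]
    per_ip = Counter(c.src for c in pending)
    greedy = {ip for ip, n in per_ip.items() if n > MAX_PENDING_PER_IP}
    close = [c for c in pending
             if now - c.opened_at > HEADER_DEADLINE or c.src in greedy]
    return close, greedy


def sample_table(now=300.0):
    """Constructed snapshot of a server's connection table at time `now`."""
    # One client holding 150 requests open, each sent a byte 5 seconds ago.
    table = [Conn("203.0.113.50", float(i), now - 5.0, False) for i in range(150)]
    # A normal client with three requests still in flight.
    table += [Conn("192.0.2.10", now - 2.0, now - 1.0, False) for _ in range(3)]
    # A long-lived connection whose request was sent normally.
    table.append(Conn("192.0.2.77", 100.0, now - 1.0, True))
    # A finished request on a connection that has simply gone quiet.
    table.append(Conn("192.0.2.88", 250.0, now - 30.0, True))
    return table


if __name__ == "__main__":
    now = 300.0
    table = sample_table(now)
    print("idle-only closes:", len(idle_only(table, now)))
    close, greedy = header_deadline(table, now)
    print("header-deadline closes:", len(close), "flagged clients:", sorted(greedy))
```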

9. OWASP Switchblade

The Open Web Application Security Project (OWASP) and ProactiveRISK developed the Switchblade DoS tool to be used to test the resiliency of a web app to DoS attempts. It has three modes, 1. SSL Half-Open, 2. HTTP Post, and 3. Slowloris. You can download it from OWASP.

10. DAVOSET

DAVOSET (DDoS attacks via other sites execution tool) is a DDoS tool, written in Perl, that uses zombie systems to distribute the attack across multiple systems. This tool uses Abuse of Functionality and XML External Entities vulnerabilities on other sites to "zombie" them and attack the target site. It includes over 160 zombie services. You can download it from Packet Storm or GitHub.

11. GoldenEye HTTP DoS Tool

GoldenEye is a simple DoS tool that loads an HTTP server attempting to exhaust its resource pool. It's great for testing your website, but not really effective in the real world as most perimeter defenses will detect it. You can download it from GitHub.

12. THC-SSL-DOS

This DDoS tool (built right into Kali) is different from most DoS tools in that it doesn't require huge amounts of bandwidth and can be conducted with a single system. It attacks vulnerabilities in SSL to bring down the server. You can download it from THC, but if you are using Kali, you already have it.

13. DDOSIM - Layer 7 DDoS Simulator

This tool from Storm Security simulates a DDoS attack from various zombies with random IP addresses. It attempts to create a full TCP connection (SYN-SYN/ACK-ACK). As the name implies, it operates at the application layer (layer 7). It is also capable of simulating a DDoS attack upon the SMTP server and a TCP flood at random ports. You can download it from SourceForge.

Keep coming back, my fledgling hackers, as we continue to explore the tools and techniques of the most valuable skill set of the future—hacking!


68 Comments

Great article OTW. I really like the array of tools you chose. Although, to anyone reading this, I recommend staying away from LOIC, HOIC and XOIC as they are essentially an open letter inviting the FBI right to your doorstep, and nobody wants that :)

But the big question now is how can you stay undetected while using one of these methods/tools :P.

Anonymity is always a question, but I guess it should mostly work over proxies and VPNs, even though you might lose a bit of speed. Good for anonymous DoSing is a botnet, just make sure that the botnet cannot be traced back to you afterwards.

And now let's try to solve the mystery of what happened to #4.

In Japanese culture, 4 is considered an unlucky number. It spells like 'shi' that means 'death'. Also 9 is considered to avoid, as 'ku' is 'suffering'. But actually we don't mind suffering. No pain, no gain.

Well then, you learn something new every day huh. Interesting...

-Defalt

It's all coming together! Thanks OTW :)

Once again, great article OTW

Cheers,
Washu

Awesome guide ;)

Can I do something wrong
(apart from that I can get caught and do much damage)
with these tools or is it just entering the IP and clicking on go?
Can I attack with these programs a local PC (VM) in my network?
I should, shouldn't I ?

@PHOENIX750
Your post got my interest.
Is there any good proxy guide?

I tried it one time but I didn't understand, that's why I always use my Tor browser (very easy to use and no difficult installation :D).

One more question:
What happens after the DoS?
Server restarts, but how can I get access?
I heard one time that the AV/Firewall is booting up as the latest part, so that I can easily hack the server.
Is that right?

Cheers

Yes, you can attack local machines with these tools, just enter their local IP address.

Here is an article by OTW about using proxies.

The DoS attack won't shut the server off, so the anti-virus won't need to restart. It will either slow it down or bring it offline.

-Defalt

Ok thanks a lot ;)

Let's say the server is slowed down or offline, what now?
How can the servers get hacked now?
E.g. PayPal was hacked by Anonymous with LOIC, how was the hack performed if LOIC only slows down?
If LOIC (or any other DoS program) only slows down, what is the advantage of using a DoS program?

EDIT: Just tried LOIC with mono in Kali Linux and made a DoS attack to another VM (Win7).
Local IP is 192.168.0.22, so I attacked it and nothing noticeable happened.
I didn't change any settings, except the method (tried TCP, UDP and HTTP).
Have I done it wrong, or do I have just a logical fault?

Cheers

See the edit below...

As for the local DoS issue, there are many DoS tools available within Kali, I suggest you use one of them instead of trying to use mono with LOIC. Try using hping3, just start your terminal and enter the following...

hping3 --flood [TARGET ADDRESS]

If you insist on using LOIC, you can fire up Wireshark and see if your packets are being sent at all.

EDIT: I did some digging on operation payback, and from what I see the servers were just booted offline, not compromised, if you have documentation that states otherwise, please link it so that I can read it.

-Defalt

Paypal was not brought down by LOIC, but rather by 2 botnets from users Civil and Switch in the first wave of IRC users on AnonOps.

In addition to that, LOIC was used to deceive newbies into thinking they had the power to boot anyone offline, while in actual fact the botnets did the intended job.

An IP tracker was embedded into LOIC to act as a smokescreen, so that only those using the application would be caught instead of the actual mutilators.

TRT

Ah ok, thanks guys ;)

Immediately deleted LOIC :D
Just wanted to see how it looks, I will try Defalt's method through hping.

Cheers

EDIT:

Tried it with:

  • hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source 192.168.0.22
  • hping3 --flood --rand-source -c 10000000 -S <IPaddress>
  • hping3 --flood TARGET ADDRESS

but nothing did really slow my victim (Win7 in a VM) down.
I did not go over 15% network load and the apache website was still reachable.
Was it supposed to be like this or should the DoS cause more performance?
I also tried opening multiple instances of the terminal with the hping command, but it didn't really help.

Is hping using the correct interface? If you really want this issue solved, screenshots would help immensely.

-Defalt

Here's a screenshot of the network load of my victim.
The highest points in the graph were made with multiple instances on my Kali VM.
I think the interface was right, because there is traffic going through.

However I think I was too positive what a single DoS attack can do.
I think I can only bring that baby offline if I will use multiple systems which perform a DoS ;)

Cheers

For future reference, simultaneous, coordinated DoS attacks from multiple systems is a DDoS attack. Standing instead for Distributed Denial of Service.

If you cannot kill internet access by just DoSing the victim locally, you may try DoSing the router, killing access for all hosts on the network.

-Defalt

I know the difference between DoS and DDoS, I just wrote instead of "or I will try a DDoS" this:
"I will use multiple system which perform a DoS"
Should be the same, shouldn't it?
;)

However thanks for the tip with the router ;)
I will take a look to my old tech stuff, there should be an old router which I will try to attack by DDoS attacks.

Cheers

I can use Nmap to find port but question is
which program can hack with only IP address ?

If taking down a computer was as simple as running a single instance of hping, the internet would have died long ago.

So unless your target is suffering from a bad handling of some kind of packets, it won't take 1-2-10 machines to do it, but thousands of them (actually, even much less if you use some sort of amplification attack, but that's another story). That's why TRT referenced the use of botnets to accomplish this kind of attack.

When you recreate this in a controlled environment, you can observe a spike in network requests and logs, even measure some RAM increase in the process, but you won't take it down.

So you are possibly doing it right, but just with not enough resources to see its effects.

Also, friendly reminder that packeting won't get you any command execution on your target, nor root, nor anything good. It's fine tho when you are using this to crash a sniffer, an IDS/IPS, or security cameras, but that again, is another story.

Thanks ;)
Great explanation :)

I can get more resources only with more systems, can't I?
Because more instances of hping3 didn't really help.

Cheers

You would need resources from external networks that don't share your same bandwidth. More instances on same box or same LAN won't work. You can ask friends for help, or pay for legitimate stress testing (aka: you are paying to be ddosed) or pis* someone off on some Minecraft server and get it for free... really, all you will see is the server or the network being at 100% and be unresponsive. Not too much exciting...

It only gets exciting when a limited number of packets (possibly, just one) is able to take a service down. That's the real fun !

And how does this work? :D
Taking a service down with only one packet?
A packet with a data volume of 5 Terabyte? :D

Like Jose did it? :D
Source:
https://www.youtube.com/watch?v=5iHA3CMX6DI
watch at 4:08

Cheers

LOL that vid is very funny, seen in another post but always worth another watch !

And no, it's not the size of the packet that matters, but how that packet is handled (just to stay in line with the 850Mb schlong). Let's say that the server can't handle an overly large HEAD request (damn, I did it again...) or a particular header sent by the user, you might impair or crash it for far fewer resources (here is an example). In some cases you can get also remote execution, but if that's not possible, sometimes even a DoS will suffice. And this is not just for web servers, but for every service, like ftp, ssh, smtp, routers, IDS, antivirus, etc..

This tutorial focuses on 'classic' http request flooding, I just wanted to add there are other ways to cripple a service that doesn't require a big amount of resources.

Great post, Occupy the Web. I liked it.

what a bunch of naughty little children . Go outside and play or i'll spank you myself ...........

Occupy, all the programs you have shown use your own ICMP requests, UDP, TCP, etc. It pings a target, basically like CMD, and says requests.... You might have gotten some kids in trouble already.... I do not approve of this tutorial.... Please delete... You should make a tutorial on a BOTNET, which might be safer in a way....

Not in the oppressive way, that I will 'Make you' take it down, but just take it down... Make a tutorial that shows how to create a botnet, write code, etc... Not how to use LOIC, HOIC and XOIC.

Using Loic is not Ok.
Using a botnet is Ok.

hmmm...

Triphat, please learn to read both sentences before replying. I have stated that a Botnet is safer than DDoSing unprotected with LOIC.

Sorry, my bad.
Last time I checked this was a whitehat forum. Didn't know the good guys had a clearance to have a botnet.

You are right with the safety statement, it's just that instructing us on how to create an army of zombies is just beyond our purpose, while learning how a (d)doS attack is put in place is a whole other thing.

You clearly do not understand what a Botnet is.

I clearly do not understand how the term ethical hacker fits in a bunch of computers infected with some malware that allows all sort of credentials stealing, carding, dosing, or covering more nefarious activities.

Since when are all 'Botnets' used for illegal activities?

When you mention botnets to be used for Denial of Service purposes, it immediately paints a picture in everyone's mind that it is not for pure intent. Just saying.

TRT

Thinking and being are two different things.

Distributed Denial of Service on 3rd parties without authorization is illegal. So what makes you believe that wielding a botnet to handle the job, as well as to disguise the source, suddenly makes it legal?

Null Byte is white hat. White hat resides in the legal area. Familiarize yourself with the terms.

TRT

I would say that you have a point, but you don't. Using a botnet, for any purpose, is illegal. You simply don't have legal rights to infect PCs of people by malware. But, of course, there are tutorials all over the internet. Why do you want it from a whitehat site?

-The Joker

I didn't state that spreading malware on multiple machines to form a botnet is in any way legal. I indicated that, regardless of its legality, using it to perform a Distributed Denial of Service attack would automatically be deemed illegal.

But I agree with TJ, expecting to see such a tutorial on a white hat website would be foolish, AX0N EX.

TRT

First, I am not recommending any of these tools, simply listing them. Second, we are a white hat hacker site. We are not advocating use of these for malicious purposes. Third, if one wanted to hide their identity, simply spoof your IP.

The article will stay.

You never showed your 'Hacker apprentices' how to spoof your IP Address on a Windows Machine?

Yes 'We' do. You have done tutorials where Windows has been used, and most of the people on here do not have the knowledge to install a primary operating system like Kali Linux. And you haven't shown how to spoof on GNU/Linux either.

Since we are talking of http request flooding, you can use this tutorial and many other on this subject. Oh wait, also this.

Proxying is different than spoofing.

You can't really spoof your IP while making an http request, you can just cover it with a proxy. Some kind of attack can be spoofed tho, and that is covered in the second guide I linked above.

Good point. But you can technically spoof an HTTP request, depending where the data comes from and whether you trust the source.

...but you won't be able to make a real connection. That would be close to the holy grail of anonymity if anyone could just spoof their IP while connecting to a website. That would have an avalanche effect on all other services too, the fundament of the Internet itself would crumble.

No we don't! I repeat my earlier comment "we are a white hat site".

Your star pupil, like Phoenix has admitted he himself is not a 'White hat', and more of a 'Grey hat'. With this being said, you have also yourself said that being white hat, blackhat, etc depend on your perspective.

What depends on your perspective are minute details, not the law.

-The Joker

Installing Linux isn't hard, and OTW shouldn't have to do a Windows based tutorial. I think that operating system is mostly point and click.

@ axon ex: Spoofing an IP is like one of the very first things I came across when I started working on my (by lack of better word) 'hacking' skills even before I visited this website/forum.. You also say that most of the people here don't know how to install a system like Kali, well then they are frequently visiting the wrong website because most of the tutorials here are made almost exclusively for Linux and in the cmd-line, rarely you will find a post with an alternate way to do this in Windows (or it should be a virtual machine running Linux on a Windows) or in a GUI, not that I want to defend or offend anyone but I honestly do not get what you are trying to say or prove.. Other than the fact that you are a 'darker than grey' hacker..

White hat, black hat and grey hat are based on for a lack of better wording, opinions, more than they are a set of rules. For example if you follow ones set of rules on how to be a white hat someone else may think that's grey hat or even black hat.

I'm not imposing on anybody, just wanted to give my 2 cents.

I suggest that you make the sets of rules from their standard definitions. I may kill anyone, and may be put in jail(or even be hanged) for it (the punishment here is 20 years in jail or being hanged), because the court doesn't base its opinion on what I think instead of the standard and absolute law.

I say that the terms are not relative. Everything can be grouped in the 4 groups, without confusion. And I didn't even understand what you and anon ex meant by 'perspective', since the terms are well defined.

-The Joker

What I meant by perspective is, you could do something that is seen good in the eyes of one group of people, but it will be bad to another group of people.

One "good" deed is not going to be seen as "good" in the eyes of others due to the amount of people on this earth. You just can't please them all.

For example, weed is legal in places where it is not legal in places. Some see it as beneficial and some don't.

Hell, some petition or whatever was being passed that was going to "prevent" us from tinkering with computers. We on this website, or most anyway, would not follow that law. Why in the world would we stop trying to learn computers?

I don't use weed, I don't care for it. I'm not arguing with you, I just wanted to clear what I meant by my using of perspective.

Since you're not arguing , and since you're not supporting that doing illegal things is fine if you deem it right, we're cool.

I don't really know about weed being illegal. It can have different uses, but if you talk about farming, it is seen as responsibility of farmers to get rid of it, else it can have bad consequences on the crop.

Well, what I was saying was that there are some legal limits on how far you can go with your perspective of right and wrong, and Null Byte is under those limits. (Maybe it wouldn't be if it were hosted on darknet.)

-The Joker

Well, here I am, thinking you're a bit of a psycho. We never brought up the term of 'killing' anyone. Please get help if you plan on killing someone.

Note: Maybe this comment feels a bit long, but you can safely ignore it if it was not intended for you. It is intended for Ax0n ex.

Well, here I am, thinking you're a bit of an idiot.
Anyways, that's not my style of writing or speaking.
Still, since you have spoken (kind of) nicely, I won't be as rude as I'd be if you hadn't. Consider that a privilege.

Though Phoenix has already spoken what I meant, and I'd remark, in a well and persuasive way, and (still) pretty much nicely, I still feel like I have to reply (even) to this kind of idioticity.

If you'll still feel like justifying, and are going to reply, then start by explaining the retardation and idioticity you showed in your comment.

You think you're too unique to learn from little examples, or something of the same level of foolishness. Or, of course, you are too retarded to understand examples. But that's up for you to decide.

First you say that thinking and doing are different things, then you say OTW should teach illegal things, that doing illegal things is right if they are safe, then you say it all depends on perspective, and now you dare not learn from a simple example. I'm saying this not for your sake, since I know you will still try to get around your words, but for someone who said that saying words like 'psycho' isn't morally right for Null Byte, and would otherwise be disappointed in whom he was taking a stand for.

Of course, I'll forgive you if you're a 10-year old and know not the difference of right and wrong, since I remember what it feels like when you are trying to justify what you think should be right but you know it isn't, and people feel like you're spamming. If you were having a little game of manipulation then you're lost. Otherwise, I don't have anything to say that won't be disturbing to someone who isn't you.

-The Joker

But... Does LOIC work? I think it doesn't but I'm not sure. Also is DDOSIM a simulator or a real tool?

LOIC technically works because it sends packets, but it uses your packets. When you DDoS with LOIC, you're basically using ping target -t -l 65000. Which is why your Internet Connection will likely go down when using LOIC

RUDY was used by the attackers who attacked Allsafe in Mr. Robot
I think episode 1

HI Y'ALL

  1. Is DoSing detected easily??
  2. Will the target be easy to attack after DoSing??

Thanks for your ans.
Aldee

To anyone who has the same question as ALDEE.

Yes, flooding a target is very easy to detect since there will be a huge spike in the level of traffic to the server/target. And yes to the question you can use it as a strategy to get some traffic in that else would be stopped.

The worst scenario would be that your internet provider bans you, that's why you ALWAYS need a written and signed permission from the target. So that when you do get into trouble.. you have a free get out of jail card/paper...

People are right to say that an 8 year old could do a DoS attack. Think somebody tried to do a DDoS attack with his friends, and got Roblox along with Club Penguin shut down
