In recent weeks, major bank websites around the world have experienced outages after being have been hit with Distributed Denial of Service (DDoS) attacks. Although few, if any, of these banks have been totally knocked offline, these DoS attacks have dramatically slowed the response time of their websites to legitimate customers. The most recent victim was the Royal Bank of Scotland. Due to this attack, RBS customers were unable to access their accounts for about an hour last week.
Earlier this year, RBS was also attacked on the day they were supposed to make 600,000 payroll and other payments to customers' accounts. As a result, they were unable to make those payments as scheduled. This resulted in a number of very unhappy and disgruntled customers who did not receive their credits on time and therefore were unable withdraw funds or pay their bills.
The FBI has reported that these types attacks are becoming increasingly common among banking websites, also reporting that over 100 banks had been attacked just since just April of this year. Apparently, the attackers are seeking to extort money from the banks in exchange for avoiding these DDoS attacks.
The new attacks are different from the previous ones, primarily in their scale. These attacks are peaking at 60 -150 Gbps, while most DDoS attacks use less than 1 Gbps. While these attacks involve greater bandwidth, they seem to be coming from just 2000-3000 machines, rather than the hundreds of thousands of machines that have been involved in previous DDoS attacks.
Apparently, these attackers have found a way to send a much greater number of packets per machine, making them even more dangerous. In addition, since banks utilize the most secure websites in the world, the fact that they are susceptible to these DDoS attacks, with highly-trained security personnel and state-of-the-art security devices, tells us that nearly every other website is susceptible to these same attack and attackers.
There are many types of Denial of Service attacks. The three primary types are:
1. Application Layer
These types attacks target the application layer. In some cases, these attacks are capable of crashing the application such as the webserver, the OS, etc.
2. Protocol Based
These attacks target a particular protocol such ICMP, UDP, TCP, SMB, etc.
3. Volume Based
These attacks are the simplest and attempt to use up all the resources of a website by sending huge volumes of packets so that legitimate users cannot connect to the site.
A DoS attack is probably the simplest type of attack. In its basic form, the DoS attack uses up all the resources and bandwidth of the website so that legitimate users can not use the website or the response time of the website is so crippled that it makes its use less than optimal.
There are many dedicated DoS tools, such as Low Orbit Ion Cannon (LOIC), XOIC, HULK, R-Dead-Yet, Tor's Hammer, PyLoris, DavoSET, GoldenEye, and many others, but two of our network scanning tools make excellent DoS tools, as well.
Hping3, the network scanning tool, can be used as a DoS tool as well. Hping3 may be the most powerful and versatile of our network scanning tools, but as a DoS tool, it is capable of sending thousands of packets per second against the target. In addition, it has a feature to use random IP addresses so that the attack can not be traced back.
In this command, we will send 10 million packets (-c 10000000) as fast as possible (--flood) from random IP addresses (--rand-source).
hping3 --flood --rand-source -c 10000000 -S <IPaddress>
As you can see in the screenshot above, within seconds, I had sent over 113,000 packets at google.com.
Nmap, our favorite network scanning tool, can also be re-purposed as a DoS tool. It's capabilities can be extended by NSE scripts. These are scripts, purposely written for nmap, that enable it do additional tasks. Among these scripts are some for DoSing.
In the command below, we will be sending SMB packets via the SMB flood script at "insane" speed (-T5) while spoofing our MAC address (--spoof-mac) and spoofing our IP address (-S) to port 445 (-p).
nmap -script smb-flood --spoof-mac <MAC address > -S <IP address> -p 445 -e eth0 -P0
This command requires us to add -e eth0 to tell nmap which interface to use (since we used a spoofed IP) and I have added -P0 to suppress the ping, so that it can get past websites that block ICMP.