A D.D.O.S Attack Using ICMP And TCP SYN Flooding Technique
Posted by Unknown on 10:34 with No comments
Disclaimer: Don’t use these techniques on systems and servers unless you have the permission of the owner.
Have a Cup of T….heory
Q1. What is a D.O.S attack?
Ans: D.O.S attack is short for Denial of Service attack. When a hacker sends a large volume of garbage traffic to a server, in such an amount that the bogus traffic consumes all the resources on that particular server, rendering it unusable to legitimate users and in the worst case causing the server to shut down temporarily, it is called a D.O.S attack.
Q2. Whats the difference between D.D.O.S and D.O.S attacks?
Ans: When a DOS attack originates from hundreds of bots (compromised PCs or servers, collectively a botnet) that are controlled by a BotMaster and targets a specific server or a group of them, it is called a D.D.O.S attack. Where a single machine is used to flood the traffic, it is called a D.O.S attack.
Q3. How can I identify such an attack?
Ans: You may experience unavailability of a web service or a site, your access to some servers or sites may be denied for a long period and, obviously, there is a sudden decrease in network performance.
Q4. How many types of D.O.S attack can be performed?
Ans: D.O.S attacks come in many types. Some of them are:
1. ICMP Flooding or Ping Flooding.
2. TCP SYN Flooding or UDP Flooding.
3. Permanent DOS attacks.
4. Distributed attack or DDOS.
5. Teardrop, Nuke etc.
In this tutorial we are going to use only two types of them, ICMP Flood attack and TCP SYN Flood attack.
Q5. What is SYN and TCP SYN Flood attack?
Ans: To establish an active connection between two computers, TCP uses a technique called the three-way handshake.
1. First the client sends a synchronize (SYN) request with a sequence number x to the server.
2. The server responds with an acknowledgment message (SYN-ACK) carrying its own sequence number y and the acknowledgment number x+1, confirming that it has received the SYN request.
3. When the client receives it, the client sends an acknowledgment message (ACK) with the acknowledgment number y+1.
SYN Flood is a type of DOS attack. Here the attacker sends perpetual SYN requests to eat up as many server resources as it can. The attacker never completes the handshake: it does not send the final ACK that the server expects (step 3 above), or it sends its SYNs from a false (spoofed) IP address so that nobody answers the SYN-ACK. Either way the server never receives the acknowledgment packet and holds the half-open connection until it times out.
Q6. What is a Ping attack or ICMP Flood attack?
Ans: The Ping attack or ICMP Flood attack is a simple type of DOS attack in which the target is bombarded with ICMP Echo Request packets. It is one of the most primitive types of DOS attack.
NOTE: For this type of attack you should prefer UNIX or Linux systems, since they are more capable of performing a ping flood: you can send more bytes of data than the Windows ping version’s data-size limit of 65500 bytes. OK, let’s proceed further.
Q7. How to remain anonymous while D.O.Sing?
Ans: The best way to remain untraceable is to use a chain of anonymous proxy servers or a private VPN service. You can also spoof your IP address while using the tools. When a router wants to know your address, it looks at the 32-bit source address written in the IP packet header, so you can write any address there.
Q8. What are the countermeasures to prevent a D.O.S or D.D.O.S attack?
Ans:
1. You can use a firewall configured against the malicious IP addresses, ports or protocols.
2. Switch-level delayed binding or deep inspection algorithms.
3. Application-layer analysis of legitimate data packets.
4. DDS- or IPS-based defense mechanisms.
5. Blackhole mechanism to pass all the flood to a null node.
6. Cleaning center method, where packets are inspected and sorted.
7. Hardware-level countermeasures, where dedicated hardware communicates with routers and switches to prevent attacks.
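The handshake of Q5 and the SYN flood that abuses it, as an added example that is not part of the original tutorial: a toy Python model of a listen socket whose half-open table fills up under spoofed SYNs that never ACK, beside SYN cookies, a stateless defence in the spirit of the delayed-binding countermeasure listed in Q8. The backlog of 4, the 3 s timeout, the secret key and all addresses are constructed values.

```python
import hashlib
import hmac
SECRET = b"constructed-demo-secret"  # server-side SYN-cookie key (constructed value)

class Listener:
    """Toy model of a TCP listen socket; half-open entries wait for the final ACK."""
    def __init__(self, backlog=4, timeout=3.0, syn_cookies=False):
        self.backlog, self.timeout, self.syn_cookies = backlog, timeout, syn_cookies
        self.half_open = {}   # (src_ip, src_port) -> (server seq y, expiry time)
        self.dropped = 0      # SYNs refused because the backlog was full

    def _cookie(self, src, x, now):
        # Stateless SYN cookie: y is an HMAC over the peer, its ISN x and a 60 s time slot
        msg = f"{src[0]}:{src[1]}:{x}:{int(now) // 60}".encode()
        return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

    def _expire(self, now):
        for src in [s for s, (_, exp) in self.half_open.items() if exp <= now]:
            del self.half_open[src]

    def on_syn(self, src, x, now):
        """Handshake steps 1-2: SYN(x) arrives, server replies SYN-ACK(y, x+1) or drops."""
        self._expire(now)
        if self.syn_cookies:
            return self._cookie(src, x, now), x + 1    # nothing stored per SYN
        if len(self.half_open) >= self.backlog:
            self.dropped += 1                          # backlog full: SYN is dropped
            return None
        y = hash((src, x)) & 0xFFFFFFFF                # toy ISN, held until ACK or timeout
        self.half_open[src] = (y, now + self.timeout)
        return y, x + 1

    def on_ack(self, src, x, ack, now):
        """Handshake step 3: ACK(y+1) completes the connection (a real stack gets x as seq-1)."""
        self._expire(now)
        if self.syn_cookies:  # recompute for the current and previous slot, no table lookup
            return any(self._cookie(src, x, now - d) + 1 == ack for d in (0, 60))
        entry = self.half_open.pop(src, None)
        return entry is not None and entry[0] + 1 == ack

def scenario(syn_cookies, legit_at=1.0):
    """20 spoofed SYNs that never ACK, then one legitimate client at time legit_at (constructed)."""
    srv = Listener(backlog=4, timeout=3.0, syn_cookies=syn_cookies)
    for i in range(20):
        srv.on_syn((f"10.0.0.{i}", 40000 + i), 1000 + i, now=0.0)
    legit, x = ("192.168.56.1", 50000), 7777
    reply = srv.on_syn(legit, x, now=legit_at)
    done = reply is not None and srv.on_ack(legit, x, reply[0] + 1, now=legit_at + 0.1)
    return done, srv.dropped
```

Without cookies the legitimate client is refused while the flood's half-open entries occupy the backlog and only succeeds once they have timed out; with cookies the server stores nothing per SYN, so the flood consumes no table space and the real handshake completes.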
Now Boots On The Ground…
Prerequisites:
1. VirtualBox installed. (You can use any such software of your choice.)
Get it from here:- https://www.virtualbox.org/wiki/Downloads
2. A host machine with a minimum of 8 GB RAM (recommended).
3. Ubuntu Server ISO file. (You can use any such server operating system of your choice.)
Get it from here:- https://www.ubuntu.com/download/server
4. Kali Linux ISO file. Get it from here:- https://www.kali.org/downloads/
Check your processor and OS architecture to be sure which version of this software you need to download.
5. LOIC tool. Get it from here:- http://sourceforge.net/projects/loic/
6. First, we need a virtual penetration testing lab. I have created my lab using this tutorial:
https://www.cybrary.it/0p3n/tutorial-for-setting-up-a-virtual-penetration-testing-lab-at-your-home/
7. Then we need a virtual web server to get our hands dirty. For that I have followed this tutorial:
https://www.cybrary.it/0p3n/tutorial-for-setting-up-a-virtual-web-server-for-safe-penetration-testing-at-your-home/
Let’s Start…
STEP 1: Start VirtualBox and start an instance of Ubuntu Server. Log into it and run “ifconfig” to find the server IP address, since our server is homemade and has no domain name registered to it yet. On real websites or servers you can use a simple “ping www.website-name.com” to get the IP address. Also take note of the Ethernet interface name the server is running on.
So our target IP address is 192.168.56.102 and the Ethernet interface name is eth1. Note these down.
STEP 2: Check whether our server is working or not. Open a browser on your host machine and type the IP address. You should see something similar to this.
So now we know our server is up and running. So it is time to do the next step.
STEP 3: Start an instance of Windows in your virtual machine.
PART A. We will use our dear ping command for flooding our target. Generally we use the ping command to send an ICMP echo request to a host or IP address, but we can use it for flooding too!!!
Open notepad.exe and write the following in it.
@echo off
ping 192.168.56.102 -t -l 65500
Now save the file with the name “ping-flood.bat”.
Now click on the .bat file several times to open several instances of it, all running simultaneously. The more of them, the better. It will look like this.
PART B. Start LOIC. It is a well-known and useful tool when it comes to stress testing websites or servers. It is written in C# and runs on the .NET Framework. It initiates a D.O.S attack on a target IP address or server by sending a hefty amount of TCP or UDP traffic to render it unusable, hence taking it down.
Now configure LOIC to initiate an attack.
1. On LOIC window in “Select your target” section, put target IP address. In our case which is 192.168.56.102. Then press the “Lock On” button.
2. Now in the “Attack options” section, choose “TCP” in the “Method” combo box and enter the number of threads you want to run in the “Threads” text box. I am choosing the default value of 10 threads. Optionally, in the “TCP/UDP message” text box, write any message you want to convey to the victim.
3. Then Hit the “IMMA CHARGIN MA LAZER” button to start flooding the server bandwidth.
4. Stop flooding when you want to, using the same button which now has been turned into “Stop Flooding”.
5. You will probably want more instances of Windows, initiating UDP traffic as well, hence launching more instances of the ping flood and more garbage TCP/UDP traffic through LOIC. Now move on to the next step.
STEP 4. Start an instance of Kali Linux.
PART A. In this part we will use a simple TCP SYN flooder of Metasploit Framework.
1. Open Metasploit Framework and wait for the databases to initiate.
Once it finished, type “use auxiliary/dos/tcp/synflood” to load the SYN Flood module and hit Enter.
2. You can run “show options” to see the available options, and “set” them as you want. The syntax for this is
set <option> <relevant value>
3. Type “set INTERFACE eth1”. As eth1 is the name of our interface.
4. Our victim’s IP is 192.168.56.102. Assign it to the script by typing “set RHOST 192.168.56.102”.
5. You can spoof your IP address to any random one using “set SHOST 192.168.56.156”. (Optional)
6. Now type “run” in the terminal and hit Enter. You will see something like this.
PART B. Now we are going to use a new tool called ettercap to launch a DOS attack on the target. We will use ettercap’s GUI version in this tutorial.
1. Open a terminal and hit Enter after typing “ettercap -G”.
2. Go to ettercap’s menu bar. Click on Sniff → Unified sniffing.
3. Select the network interface and hit OK. I am choosing “eth1”. You will see that sniffing has started and a “Plugins” menu has appeared in the menu bar.
4. Select “Plugins” and click on “Manage the plugins”.
5. Select the dos-attack plugin and double-click on it.
6. You will be presented with a dialog box telling you to insert the victim IP, which is 192.168.56.102 in this tutorial. After clicking OK you will be asked to enter a spoofed address. Enter any random IP, then click OK.
7. You will see an attack has been started.
STEP 5. You may want to launch more instances of Metasploit Framework or Ettercap and launch another instance of Kali and do the same. The more flood you can send the better the chances to take down a server.
Meanwhile the server has gone rogue and is executing some load balancing mechanisms to survive. See the server output log.
We can no longer even access the default index.html page, which normally shows up automatically when you visit the server IP address. After waiting for some time, the browser shows this.
So we have successfully taken our target server down.
Before we finish: D.O.S or D.D.O.S attacks are generally not even considered hacking by most people. However, many countries have passed strict laws against them, because attackers can unleash nasty attacks with these old D.D.O.S methods using a massive botnet army. The good thing is that the attack technique is very easy and can be performed without any knowledge of programming, though preferably with a little knowledge of TCP/IP networking. Peace.