From Theory to Practice: The Mechanics of DDoS Attacks
Image by Author: Computer Suffering from a DOS Attack

In the dynamic realm of cybersecurity, Distributed Denial of Service (DDoS) attacks are both deceptively simple and profoundly disruptive. Fundamentally, they are digital barrages designed to flood a network, incapacitate a server, and bring digital operations to a grinding halt. Despite their apparent simplicity, the havoc DDoS attacks can wreak should not be underestimated, as the extraordinary financial losses they can incur make clear.

Consider these statistics: a study by the Ponemon Institute reveals that a mere minute of downtime from a DDoS attack can cost as much as $22,000, a staggering sum for any enterprise. Moreover, the aftermath of an attack is often just as severe. According to data from Getasta, the average cost of recovery for small to midsize businesses can reach an astounding $120,000. These numbers paint a stark portrait of the extensive economic damage that DDoS attacks can inflict.

In this issue of “Absolute Z3r0 Exploits,” we examine the mechanics of Denial of Service (DoS) attacks, highlighting their surprisingly straightforward execution. We focus on well-known tools like Tor’s Hammer, High Orbit and Low Orbit Ion Cannons, and use packet analysis with Wireshark to give a clear picture of how these attacks operate and the type of traffic they generate.

Disclaimer

Before we move on, it’s important to say that this content is just for learning. We want to teach you about cybersecurity, not help anyone do anything that’s against the law. The writer is not responsible if someone uses this information the wrong way. That being said, let’s get started and learn about how DoS and DDoS attacks work.

DoS Attacks

A Denial of Service (DoS) attack occurs when an attacker floods a server with so many requests that it overwhelms the server’s capacity to respond, disrupting its normal operation until it can no longer handle legitimate requests. A Distributed Denial of Service (DDoS) attack is a larger scale assault where the traffic comes from multiple sources, making it harder to stop. It effectively creates a “traffic jam” on the network, preventing legitimate traffic from reaching the server.

Let’s break down this analogy with a real-life example:

Scenario:

Imagine a busy highway that connects a city to its suburbs. This highway is the primary route for people commuting to work, delivering goods, and generally keeping the city connected. The highway has a certain capacity, and traffic flows smoothly as long as it stays within that capacity.

DDoS Attack Analogy:

Now, consider someone with malicious intent who wants to disrupt the normal flow of traffic on this highway. Instead of using a single car to block the road, which can be easily dealt with, they coordinate with others to unleash a massive fleet of vehicles onto the highway simultaneously.

As a result, the highway becomes congested and clogged with this excessive traffic. Legitimate commuters, who are trying to reach their workplaces or homes, find it nearly impossible to navigate through the gridlock. The highway, which was once efficient and functional, is now rendered unusable for its intended purpose.

Key Analogies:

Highway Capacity: In the digital realm, the capacity of a network or a web server is analogous to the bandwidth and processing power it has. When a flood of requests surpasses this capacity, the system becomes overwhelmed.

Legitimate Users: Legitimate commuters on the highway represent genuine users trying to access a website or an online service. The DDoS attack prevents them from reaching their destination.

Malicious Fleet of Vehicles: The coordinated fleet of vehicles in the analogy corresponds to the botnets or networks of compromised computers used in a DDoS attack. These “vehicles” are controlled by the attacker and directed to flood the target with traffic.

This analogy helps illustrate how a DDoS attack aims to disrupt the normal functioning of a system by overwhelming it with an excessive amount of traffic, making it temporarily or even permanently inaccessible to legitimate users.

Tor’s Hammer: An Introduction to Stealth DDoS Attacks

Tor’s Hammer is a type of Distributed Denial of Service (DDoS) attack tool that specifically targets web and application servers. It operates by sending a slow stream of HTTP POST requests to a single website or service within the same session. The attack is methodical; it doesn’t flood the server with requests all at once but maintains a steady flow of requests, which can gradually deplete the resources of the target server over time.

What makes Tor’s Hammer distinct is its ability to conduct the attack through the Tor network, which provides anonymity to its users. By using Tor, the source of the DDoS attack can be obscured, making it difficult to trace the origin of the malicious traffic. The tool takes advantage of this by sending traffic through the network’s various relays, hiding the attacker’s IP address behind randomised IPs provided by the Tor network. This way, Tor’s Hammer can launch persistent attacks against a server while protecting the attacker’s identity.

It’s designed to be disruptive yet stealthy, with the slow rate of requests dodging some detection systems that look for rapid spikes in traffic, thereby allowing the attack to continue for longer periods without being noticed and stopped.

Finding the person behind a DDoS attack can sometimes be straightforward. This is because the attack involves sending a huge amount of data to a server to flood it. Just like a return address on an envelope, each piece of data usually includes the sender’s IP address. If the authorities investigate, they might use these IP addresses to track down the person in charge of the attack.

However, if the attacker uses the Tor network, it gets tricky. The Tor network hides the user’s real IP address by routing through different servers, making it much harder to trace the attack back to the actual source. This is why Tor’s Hammer becomes a popular choice for DDoS attacks. Using the Tor network to mask the origin of the attack with layers of proxies helps attackers evade detection and makes it much more difficult for authorities to track them down.

Tor’s Hammer was designed to run across the Tor network in order to anonymize the attack and limit mitigation options. This tool can be used to target web applications and web servers. It performs browser-style HTTP requests, the same kind of requests used to load web pages.

Features of Tor’s Hammer

Tor’s Hammer has some special features that make it work:

1. It can take a website address (URL) and turn it into clickable links.

2. It lets you easily connect different parts of a computer project together.

3. It can use Markdown, which is a simple way to make text look fancy, like when you make words bold or create headings.

4. It keeps its connections to a server open for a long time. It can handle between 1,000 and 30,000 of these connections.

5. Tor’s Hammer uses a lot of a website’s power by making many connections to it at the same time.

High Orbit Ion Cannon: A Deep Dive into DDoS Firepower

High Orbit Ion Cannon (HOIC) is a tool used to execute DDoS attacks by overwhelming a target server with a flood of internet traffic. The HOIC works via an application layer HTTP Flood DDoS attack, flooding a victim’s server with HTTP ‘GET’ and ‘POST’ requests with the goal of overloading the server’s request capacity. Here are some details on how HOIC functions and its effect on the target:

1. Concurrency: HOIC can send many requests at the same time, which means it can hit a server with a lot of data very quickly, just like many cars trying to get on a busy road all at once.

2. Threads: Increasing the number of threads in HOIC means it sends out more requests at the same time. Each thread is like a separate worker, all trying to send their own flood of requests.

3. Resource Strain: Servers have limits on how much they can handle, and HOIC tries to push past these limits. More requests mean the server has to work harder and might not be able to keep up.

4. Targeting: HOIC can attack more than one website or service at the same time. This is like causing traffic problems on multiple roads at once, not just one.

5. Types of Requests: It uses both ‘GET’ and ‘POST’ requests. ‘GET’ requests are like asking for directions, while ‘POST’ requests are like sending a package. HOIC sends lots of both kinds to add to the chaos.

By using High Orbit Ion Cannon in this way, attackers aim to make a server too busy to respond to real visitors, effectively taking the website or service offline.

On the Offensive: Testing the High Orbit Ion Cannon

Surprisingly, this tool was easy to find and easy to use. The image below shows what it looks like when opened. I set a target of another VM with IP 10.0.2.9, with a high power setting and a booster. Boosters are add-ons for the High Orbit Ion Cannon (HOIC) that make the DDoS attacks stronger and harder to stop:

1. They help change the attack to target specific weaknesses.

2. They mix up the attack traffic to confuse defenses.

3. They can make the attack faster and more powerful.

4. They can help hide the attack to prevent it from being blocked.

Image by Author: Screenshot of High Orbit Ion Canon
Image by Author: Packet Capture of Packets Sent by HOIC

As a result, approximately 5,000 packets flooded the machine within 30 seconds of launching the attack. That’s quite powerful.

Low Orbit Ion Cannon: Single-Target DDoS Attacks

Low Orbit Ion Cannon (LOIC) is another tool commonly used for launching DDoS attacks, but it operates differently from its sibling, the High Orbit Ion Cannon (HOIC). Here’s a breakdown of LOIC and how it differs from HOIC:

1. Targeting: Unlike HOIC, which can attack multiple targets at once, LOIC is designed to concentrate its fire on a single target. This means all of LOIC’s power is focused on overwhelming one server or website at a time.

2. User-friendliness: LOIC is known for its straightforward interface, which allows users with little technical expertise to execute an attack. It’s essentially a point-and-click tool, making it accessible for a wider audience.

3. Method of Attack: LOIC primarily uses TCP, UDP, or HTTP requests to flood a target. The user can choose the method and often sets it to send a massive amount of requests to the target’s IP address, aiming to consume the server’s resources.

4. Anonymity: One key difference is that LOIC does not have built-in anonymity features. Users of LOIC typically do not have their IP addresses masked by default, making them more vulnerable to being traced and identified unless they take additional steps to hide their identity.

5. Impact: While both tools are designed to overload a server with requests, HOIC is considered to be more powerful and sophisticated due to its ability to hit multiple targets and manage multiple threads of attack, potentially causing a broader impact.

In summary, LOIC is a more direct and single-target DDoS tool, while HOIC offers a more advanced and flexible approach with the ability to coordinate attacks across multiple targets simultaneously.
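The two application-layer traffic patterns described above, the slow, long-held POSTs of Tor’s Hammer and the high-rate GET/POST floods of HOIC and LOIC, leave different fingerprints in a web server’s access log. The following Python script is an added example, not code from the article or from any of these tools: it analyses constructed nginx-style “combined” log lines with $request_time appended, and its window size and thresholds are assumptions to be tuned to the server’s measured capacity.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not the author's data): nginx "combined" log lines with
# $request_time appended. 203.0.113.7 fires four requests in two seconds,
# 198.51.100.5 is an ordinary visitor, 192.0.2.44 holds POSTs open for minutes.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.004
203.0.113.7 - - [10/Mar/2024:12:00:00 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.005
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.004
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.006
198.51.100.5 - - [10/Mar/2024:12:00:01 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.012
192.0.2.44 - - [10/Mar/2024:12:01:40 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0" 95.2
192.0.2.44 - - [10/Mar/2024:12:03:05 +0000] "POST /login HTTP/1.1" 200 64 "-" "Mozilla/5.0" 180.0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) \S+ [^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" (?P<rt>[\d.]+)$')

def parse_log(text):
    """One dict per well-formed line: source IP, timestamp, method, request_time (s)."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # silently skip lines in another format
            records.append({"ip": m["ip"], "method": m["method"], "rt": float(m["rt"]),
                            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")})
    return records

def find_http_floods(records, window_s=10, threshold=3):
    """Sources whose peak request count in any window_s-second sliding window exceeds
    threshold (HOIC/LOIC style). Set threshold from the server's measured capacity."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak = start = 0
        for end, t in enumerate(stamps):
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

def find_slow_posts(records, min_seconds=30.0):
    """(ip, request_time) for POSTs held open at least min_seconds: the Tor's Hammer
    pattern of a trickled body that occupies a worker without spiking request rate."""
    return [(r["ip"], r["rt"]) for r in records
            if r["method"] == "POST" and r["rt"] >= min_seconds]
```

Note that the slow-POST client never trips the rate threshold, which is exactly why rate-based detection alone misses Tor’s Hammer style traffic.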

Hping3: The Network Probing Swiss Army Knife

Hping3 is an advanced network tool that facilitates the crafting and sending of customized TCP/IP packets, widely employed for network security audits, protocol testing, and network performance analysis. Below is a brief technical breakdown of hping3’s capabilities:

Packet Crafting: Hping3 allows for fine-grained control over packet headers for TCP, UDP, ICMP, and RAW-IP, enabling users to manipulate packet characteristics for thorough testing.

Controlled Traffic Generation: It can generate traffic at specific rates or patterns to stress-test networks and devices, simulating various traffic loads and conditions.

Firewall and Security Auditing: The tool is adept at probing firewall rule sets and intrusion detection systems by crafting packets that specifically target the rules to be tested.

Advanced Tracing: Hping3 offers functionality similar to traceroute with more granular control over the packet contents and protocols used, aiding in the diagnosis of routing issues.

Spoofing and Anonymization: A key feature of hping3 is its capability to spoof source IP addresses, thereby anonymizing packet origins and facilitating security tests against network defenses. This can trick a firewall into allowing malicious packets by spoofing the IP address to match that of a known, trusted source.

Let’s now take hping3 for a technical test drive. With the option to craft packets that appear to originate from arbitrary IP addresses — including those within the network of the target — we can simulate an attack scenario.

Hping3 in Action

Image by Author: Terminal Command to Run Hping3

Here’s what each part of the command does:

  • hping3: This is the command to run the hping3 tool.
  • -a 10.2.10.0: The -a option is used to spoof the source IP address. In this case, it's telling hping3 to set the source IP address of the packets to 10.2.10.0. However, do note that 10.2.10.0 is typically a network address and may not be a valid source IP in real-world scenarios.
  • 10.0.2.9: This is the destination IP address. It's the target of your SYN packets, typically representing a server or device you're testing.
  • -S: This option tells hping3 to set the SYN flag in the TCP header, which is used to initiate a TCP connection (in hping3 the SYN flag is the uppercase -S; the lowercase -s sets the base source port). Sending SYN packets to a server is a common way to test how it handles incoming connection requests.
  • -q: This "quiet" mode option instructs hping3 to suppress the output of every packet sent and only provide summaries at the end of the process.
  • -p 80: The -p option specifies the destination port for the packets. In this case, port 80 is used, which is the standard port for web server HTTP traffic.

In a specific test scenario, I configured the packet’s source IP to be 10.2.10.0, targeting 10.0.2.9 as the destination. This setup allowed me to simulate an attack from a defined internal network address to a particular machine within a controlled environment, illustrating the potential impact of a directed DDoS attack.

Image by Author: Wireshark Packet Capture of Hping3 Packets

Crafting Packets with Specific IP

In the network tests I conducted, I experimented with hping3 to create packets that had spoofed source IP addresses, choosing values that were out of the ordinary:

For one test, I used the address 127.127.0.127. This address falls within the loopback range, usually reserved for a computer to send messages to itself. While these addresses aren't meant for external communication, they can be utilized in practice scenarios to observe how network equipment or applications handle atypical IP addresses.

Image by Author: Command to Make the Source 127.127.0.127

Another example involved the IP 1.1.1.1, which is an actual public address and notably used by Cloudflare for DNS services. By spoofing this address, I made the packets appear as if they originated from Cloudflare's network infrastructure.

Employing such unique IP addresses in test environments allows us to gauge the response of systems to IP traffic from unexpected sources or simulate packets from a recognized internet service. It’s imperative to conduct such tests responsibly, ensuring they’re confined to a secure and lawful context, especially when using real-world IP addresses like 1.1.1.1.

Chaos with Purpose: Randomized IP Addressing via hping3

The --rand-source option configures hping3 to spoof the source IP address of each packet it sends, picking a random address for each one. This makes it appear as if the packets are coming from many different places.

Image by Author: Randomised Source IP in hping3
Image by Author: Effect of using Randomised IPs

The effectiveness of this approach depends on what you’re trying to achieve. If you’re testing how a network handles traffic that appears to come from many different locations, this can be a useful method. It can also make it harder for the target’s network security to block the incoming packets, since they aren’t coming from a single source that can be easily identified and filtered. IP spoofing worked with random IPs, even 1.1.1.1, but 0.0.0.0 didn’t work.
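The hping3 runs above (a spoofed -a source, the loopback and 1.1.1.1 addresses, --rand-source, SYNs to port 80) leave a recognisable trace in a capture, and the Wireshark screenshots are where a defender would look for it. The script below is an added example, not the author’s code or part of hping3: it checks a constructed Wireshark-style CSV export for source addresses that should never arrive from outside (the checks a BCP 38 style ingress filter applies) and for SYNs that are never completed by an ACK; the CSV layout is an assumption and only the Python standard library is used.

```python
import ipaddress
from collections import defaultdict

# Constructed capture (not the author's pcap): "time,src,dst,dport,flags" rows as one
# would export from Wireshark. Only 10.0.2.15 completes a real three-way handshake.
SAMPLE_CAPTURE = """\
0.000,10.2.10.0,10.0.2.9,80,S
0.001,10.2.10.0,10.0.2.9,80,S
0.002,127.127.0.127,10.0.2.9,80,S
0.003,0.0.0.0,10.0.2.9,80,S
0.004,1.1.1.1,10.0.2.9,80,S
0.005,198.51.100.23,10.0.2.9,80,S
0.010,10.0.2.15,10.0.2.9,80,S
0.011,10.0.2.9,10.0.2.15,51234,SA
0.012,10.0.2.15,10.0.2.9,80,A
"""

def parse_packets(text):
    """Turn the CSV rows into dicts; flags are TCP flag letters (S, SA, A ...)."""
    rows = []
    for line in text.strip().splitlines():
        t, src, dst, dport, flags = line.split(",")
        rows.append({"t": float(t), "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return rows

def source_anomaly(src):
    """Why a claimed source should never arrive from outside, or None. These are the
    ingress-filter (BCP 38 style) checks; a spoofed public address like 1.1.1.1 passes."""
    ip = ipaddress.ip_address(src)
    for hit, label in ((ip.is_unspecified, "unspecified"), (ip.is_loopback, "loopback"),
                       (ip.is_multicast, "multicast"), (ip.is_link_local, "link-local"),
                       (ip.is_reserved, "reserved")):
        if hit:
            return label
    if ip.version == 4 and ip.packed[-1] == 0:
        return "host octet .0 (usually a network address)"
    return None

def suspicious_syn_sources(packets):
    """Map each anomalous SYN source address to the reason it was flagged."""
    return {p["src"]: source_anomaly(p["src"]) for p in packets
            if p["flags"] == "S" and source_anomaly(p["src"])}

def syn_summary(packets):
    """Per (dst, dport): (SYNs, SYNs never followed by an ACK from that source, distinct
    sources). Spoofed sources never see the SYN-ACK, so a flood is almost all half-open."""
    syns, acked = defaultdict(list), set()
    for p in packets:
        if p["flags"] == "S":
            syns[(p["dst"], p["dport"])].append(p["src"])
        elif p["flags"] == "A":
            acked.add((p["src"], p["dst"], p["dport"]))
    return {key: (len(srcs), sum((s,) + key not in acked for s in srcs), len(set(srcs)))
            for key, srcs in syns.items()}
```

Address checks catch 127.127.0.127, 0.0.0.0 and the .0 source, but 1.1.1.1 and the random public sources only stand out through the half-open count, which is why both signals belong in a SYN-flood detector.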

Fortifying Defenses: Strategies to Mitigate DoS and DDoS Risks

To protect against the threats of DoS and DDoS attacks, it is essential to take proactive measures:

1. Capacity Assessment: Assess and understand the capacity of your server. Knowing the limits of your server’s handling capabilities is crucial in preparing it to withstand potential attacks.

2. Vulnerability Testing: Conduct tests to identify vulnerabilities. Tools like GoldenEye, an HTTP DoS testing tool, can simulate DoS attacks by opening multiple connections to a website to see how well the server copes under stress.

These steps can help you ensure that your server is equipped to handle unexpected traffic surges and can provide critical insights into areas where security enhancements are needed.

As we conclude this exploration into the mechanics of DoS and DDoS attacks, remember that knowledge is power in the realm of cybersecurity. Stay informed, remain vigilant, and consistently test and fortify your network’s defenses. With the right preparation and tools, you can safeguard your digital infrastructure against these disruptive forces.

A strong network defense is like a good onion, layered and able to make attackers cry.
Leo Larkin
