DoS and DDoS attacks - Basic notions
DoS (Denial of Service) attacks exhaust a target's resources (bandwidth, connection tables, CPU, memory) until its "services" become unavailable to legitimate users.
DDoS (Distributed Denial of Service) attacks are the same thing carried out from hundreds or even thousands of machines at once, typically a botnet of compromised hosts, so the flood is far larger and much harder to filter by source.
The classic form floods the service with ICMP echo requests (pings): every request the host answers costs it CPU and outbound bandwidth, and the requests themselves eat the inbound link (the attack works precisely because a host is expected to reply to an echo request). Other variants send malformed ICMP packets, flood the site with requests for expensive resources, or use SYN floods; all of these are defined at the end of this article.
ICMP is not carried over TCP; it is its own IP protocol, sitting beside TCP and UDP. That matters for Tor: Tor only transports TCP streams, so ICMP can never reach an onion service through its .onion address. There are hundreds of reasons for .onion websites and markets to become unavailable, but rest assured an ICMP flood aimed at the onion address is not one of them (the host behind it can of course still be flooded if its real IP address is discovered).
Against a clearnet host, for example www.facebook.com, the traffic at least arrives, and volumetric floods of this kind still succeed regularly against targets that lack the capacity or the upstream filtering to absorb them.
Another method of achieving the same result is the Ping of Death attack (catchy name, right!).
The name is used for two different things. The first is obvious: send so many ping packets that the system cannot keep up. The second is the original bug: IP limits a datagram to 64K (65535 bytes) including its header, and an attacker can send an ICMP echo whose fragments reassemble to more than that.
A 1990s stack (Windows 95 and NT, and many Unix kernels of the time) did not bounds-check its reassembly buffer, so the oversized ping overflowed it and either crashed or rebooted the machine; modern kernels discard such fragments before reassembling them. A third, unrelated technique with the same effect is application-layer flooding: hitting the site with requests for expensive resources (videos, pictures, login requests, etc.) until the web server or its database is exhausted.
Defending against these attacks is more a matter of network controls than of the website's own code. If you host and manage both the server and the website, enable ingress filtering (BCP 38) at your network edge, so that packets whose source address could not legitimately arrive on a given interface are dropped on the spot; that stops spoofed traffic at the source. Backscatter traceback does not block anything by itself: it is a way of locating where spoofed traffic enters your network, by collecting the responses that dropped or answered attack packets generate towards the forged source addresses and noting which edge router produced them, so that you can filter at that point.
On the external interface (the WAN), rate-limit ICMP echo requests rather than blocking ICMP outright: dropping every ICMP message also drops "fragmentation needed" and "time exceeded", which breaks path MTU discovery and traceroute. Pay special attention to dropping all packets with unallocated or reserved ("bogon") source addresses, which no legitimate peer on the internet can have.
Following these steps will not stop a DDoS, but it will certainly weaken its effect.
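The policy above (bogon and own-prefix drops on the WAN side, pings rate-limited instead of ICMP blanket-blocked, ICMP errors kept) as an added example in Python, not code from the original article. The Packet record, the prefixes and the rate are assumptions for the illustration; 203.0.113.0/24 stands in for "our public block" and 198.51.100.0/24 for "the internet", so those two TEST-NET ranges are left out of the bogon list here although a real bogon feed includes them.

```python
# Added example (not from the original article): a model of the WAN ingress
# policy described above, applied to constructed packets. Prefixes, rates and
# the Packet type are assumptions for the illustration.
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Reserved / unallocated ("bogon") source prefixes that must never arrive on the
# WAN side, built from the well-known RFC 1918 / RFC 6890 ranges. A deployment
# would load a maintained bogon feed instead. 198.51.100.0/24 and 203.0.113.0/24
# are deliberately omitted so they can stand in for public space below.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# Our own public prefix (assumption): a packet claiming this source on the WAN
# interface is spoofed, because our hosts live on the inside.
OUR_NET = ipaddress.ip_network("203.0.113.0/24")

ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST, ICMP_TIME_EXCEEDED = 0, 3, 8, 11
# ICMP types that must always pass: replies to our own pings, and the error
# messages that path MTU discovery and traceroute depend on.
ICMP_ALWAYS_ALLOW = {ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_TIME_EXCEEDED}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    icmp_type: int = -1
    ts: float = 0.0       # arrival time in seconds


class TokenBucket:
    """Rate limiter: `rate` tokens per second, at most `burst` banked."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, float(burst)
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class WanIngressFilter:
    def __init__(self, echo_rate: float = 10.0, echo_burst: int = 20):
        self.echo_bucket = TokenBucket(echo_rate, echo_burst)

    def verdict(self, pkt: Packet) -> str:
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in BOGON_NETS):
            return "drop:bogon-source"
        if src in OUR_NET:
            return "drop:spoofed-own-prefix"
        if pkt.proto == "icmp":
            if pkt.icmp_type == ICMP_ECHO_REQUEST:
                # Rate-limit pings instead of blocking ICMP outright.
                return "accept" if self.echo_bucket.allow(pkt.ts) else "drop:echo-rate-limit"
            if pkt.icmp_type in ICMP_ALWAYS_ALLOW:
                return "accept"
            return "drop:icmp-type"   # redirects, timestamps etc. have no business on the WAN
        return "accept"


def run_ingress_sample() -> Counter:
    """Constructed traffic (not a real capture) that exercises every rule."""
    f = WanIngressFilter(echo_rate=10.0, echo_burst=20)
    server = "203.0.113.10"
    pkts = [
        Packet("10.0.0.5", server, "tcp"),                           # RFC 1918 source on the WAN
        Packet("203.0.113.9", server, "udp"),                        # our own prefix arriving from outside
        Packet("198.51.100.1", server, "icmp", ICMP_DEST_UNREACH),   # fragmentation needed: must pass
        Packet("198.51.100.2", server, "icmp", 5),                   # ICMP redirect from the internet
        Packet("198.51.100.3", server, "tcp"),                       # ordinary traffic
    ]
    # 30 pings in the same instant (burst is 20), then 15 more one second later (10 tokens refilled)
    pkts += [Packet("198.51.100.7", server, "icmp", ICMP_ECHO_REQUEST, ts=0.0) for _ in range(30)]
    pkts += [Packet("198.51.100.7", server, "icmp", ICMP_ECHO_REQUEST, ts=1.0) for _ in range(15)]
    return Counter(f.verdict(p) for p in pkts)


if __name__ == "__main__":
    for verdict, n in sorted(run_ingress_sample().items()):
        print(f"{n:3d}  {verdict}")
```

On the sample, 32 packets are accepted (the ICMP error, the ordinary TCP segment and 30 of the 45 pings), 15 pings are dropped by the rate limit, and one packet each is dropped for a bogon source, a spoofed own-prefix source and an unwanted ICMP type. In a real edge the same policy is a handful of nftables or router ACL lines, but the order of checks (source sanity first, then protocol-specific limits) is the part worth copying.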
Tools for DDos and DoS attacks
This is a section you are not going to find on many websites on the open web! But there are no taboos on securityfreak: everyone has the right to know this stuff.
I do not encourage or recommend that you use these tools, but if you do, you are on your own.
*Off topic: just in case you do, send me a message after you get arrested and I will pay you a visit.
The right tool for a DDoS attack depends on the system you are using, your own preferences and your target's characteristics.
Finally, here they are!
Low Orbit Ion Cannon – LOIC attacks the server by flooding it with TCP, UDP or HTTP traffic from every machine running it. It does not spoof its source address, so each participant's IP shows up in the target's logs.
Trinoo – Trinoo is fairly easy to use: a master program orchestrates as many "zombie" daemons as you have compromised, and on command they all send UDP floods at the victim to create a vicious attack.
Tribal Flood Network – TFN can launch ICMP, ICMP Smurf, UDP and SYN flood attacks against your selected prey. It was one of the first publicly available DDoS tools, appearing in 1999 alongside Trinoo.
Stacheldraht – A mix of Trinoo and TFN with the features of both, plus the ability to send commands to the agents inside ICMP and TCP packets to coordinate an attack. It also encrypts the communication between the client and the handlers, which was intended to hide the control traffic from defenders rather than to serve any defensive purpose.
TFN2K – This successor to TFN adds some more advanced features: spoofed source addresses on the attack packets, randomised ports and protocols, and encrypted commands to the agents.
Shaft – Almost exactly like Trinoo; the only real difference is that the client can configure the size of the flooding packets and the duration of the attack.
MStream – With MStream you flood a pre-selected victim with TCP ACK packets carrying spoofed source addresses.
Trinity – With Trinity, get ready to taste the red pill! It is controlled over IRC and can conduct several DDoS attacks: fraggle, fragment, RST, ACK and SYN floods, among others.
And we are almost at the end of my DoS and DDoS attacks article.
But I am sure you do not know all the technical terms used in the article, so I will leave you here a short glossary that will definitely help you out:
ICMP DoS – An attacker sends forged ICMP "Time exceeded" or "Destination unreachable" messages that appear to belong to an existing TCP connection. A host that trusts them without checking the quoted TCP header against its own connection state may immediately drop the connection (RFC 5927 describes these ICMP attacks against TCP and the checks that defeat them).
ICMP packet magnification (the Ping of Death) – An attacker sends an ICMP echo whose fragments reassemble to more than 65535 bytes, the maximum size of an IP datagram (the Windows ping utility itself caps its payload at 65500, the figure usually quoted, as mentioned above). Anything larger than the MTU is fragmented in transit, and a stack that does not bounds-check reassembly overflows its buffer and crashes or reboots; modern stacks discard such fragments.
ICMP Smurf attack – An attacker sends ICMP echo requests with the victim's address forged as the source to the broadcast address of a vulnerable network. Every system in that broadcast domain sends its echo reply to the victim, so each packet the attacker sends is amplified into as many replies as there are hosts, consuming the target's available bandwidth. Routers that drop directed broadcasts (the default since RFC 2644) defeat it.
SYN flood attacks – A SYN flood takes advantage of the TCP three-way handshake. The attacker sends SYNs with spoofed source addresses; the server answers each with a SYN-ACK and keeps a half-open connection in its backlog while waiting for the final ACK, which never arrives because the spoofed source never saw the SYN-ACK. The backlog fills, legitimate SYNs are dropped, and resources are consumed in the process. SYN cookies let a server answer without storing state until the ACK arrives.
RST attacks – The attacker injects forged TCP segments with the RST flag set into an existing connection, tricking one end into closing it. The forged segment must match the connection's addresses and ports and carry a sequence number inside the receive window, which is why modern stacks (RFC 5961) only accept an RST at exactly the expected sequence number. RST attacks are performed against other users to kick them off a particular resource.
Fraggle attacks – Fraggle attacks are the UDP variant of Smurf: instead of ICMP echo requests, the attacker sends UDP packets (typically to the echo port 7 or the chargen port 19) to the broadcast address with the victim as forged source, and every host that answers floods the victim with replies.
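The SYN flood, Smurf and Ping of Death patterns from the glossary, and the Ping of Death passage earlier in the article, as detection logic in an added Python example that is not part of the original page. It runs over a constructed packet list (not a real capture); the Pkt record, the thresholds and the addresses are assumptions for the illustration. Each detector returns the indicator a responder would actually want: the flooded destination and its half-open count, the real Smurf victim (the forged source), and the datagram whose fragments cannot legally reassemble.

```python
# Added example (not from the original article): detectors for three of the
# attack patterns defined in the glossary, run over constructed packets. The
# Pkt record, thresholds and addresses are assumptions for the illustration.
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535    # hard limit from the 16-bit IP total-length field


@dataclass
class Pkt:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp"
    flags: str = ""         # TCP flags as letters: "S" SYN, "A" ACK, "SA" SYN-ACK, "R" RST
    icmp_type: int = -1
    ip_id: int = 0          # IP identification field, shared by all fragments of one datagram
    frag_offset: int = 0    # fragment offset in 8-byte units, as carried in the IP header
    length: int = 0         # bytes of payload in this fragment


def syn_flood_suspects(pkts, threshold=50):
    """A source that sent a SYN but never the final ACK is a half-open handshake.
    A spoofed SYN flood shows up as many such sources against one destination;
    returns {dst: half_open_count} for destinations at or over the threshold."""
    syn_sources, ack_sources = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        if p.flags == "S":
            syn_sources[p.dst].add(p.src)
        elif p.flags == "A":
            ack_sources[p.dst].add(p.src)
    half_open = {dst: len(srcs - ack_sources[dst]) for dst, srcs in syn_sources.items()}
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def smurf_suspects(pkts, local_nets):
    """ICMP echo requests addressed to one of our directed-broadcast addresses.
    The *source* of such a packet is the forged victim; returns {victim: count}."""
    broadcasts = {str(n.broadcast_address) for n in local_nets}
    return Counter(p.src for p in pkts
                   if p.proto == "icmp" and p.icmp_type == 8 and p.dst in broadcasts)


def oversized_datagrams(pkts):
    """The check a safe reassembler performs against the Ping of Death: group
    fragments by (src, dst, ip_id) and track the byte at which each fragment
    ends (offset * 8 + length). A datagram whose end exceeds 65535 can never be
    valid and must be discarded instead of being copied into a fixed buffer."""
    end = defaultdict(int)
    for p in pkts:
        key = (p.src, p.dst, p.ip_id)
        end[key] = max(end[key], p.frag_offset * 8 + p.length)
    return {key: size for key, size in end.items() if size > IP_MAX_DATAGRAM}


def run_detection_sample():
    """Constructed packets (not a real capture): each attack plus benign traffic."""
    server, our_net = "203.0.113.10", ipaddress.ip_network("203.0.113.0/24")
    pkts = []
    # Three legitimate clients complete the handshake: SYN, then the final ACK.
    for i in (1, 2, 3):
        pkts += [Pkt(f"198.51.100.{i}", server, "tcp", "S"),
                 Pkt(f"198.51.100.{i}", server, "tcp", "A")]
    # 60 SYNs from 60 spoofed sources; none of them can ever answer the SYN-ACK.
    pkts += [Pkt(f"198.51.100.{i}", server, "tcp", "S") for i in range(10, 70)]
    # Smurf: echo requests to our broadcast address with the victim as forged source.
    pkts += [Pkt("198.51.100.200", "203.0.113.255", "icmp", icmp_type=8) for _ in range(5)]
    # Ping of Death: 45 fragments of 1480 bytes; the last ends at 185*44*8 + 1480 = 66600.
    pkts += [Pkt("198.51.100.9", server, "icmp", ip_id=77, frag_offset=185 * i, length=1480)
             for i in range(45)]
    # A legitimately fragmented 4440-byte datagram for comparison.
    pkts += [Pkt("198.51.100.4", server, "udp", ip_id=78, frag_offset=185 * i, length=1480)
             for i in range(3)]
    return {
        "syn_flood": syn_flood_suspects(pkts),
        "smurf": smurf_suspects(pkts, [our_net]),
        "ping_of_death": oversized_datagrams(pkts),
    }


if __name__ == "__main__":
    for name, result in run_detection_sample().items():
        print(f"{name}: {dict(result)}")
```

The three legitimate clients vanish from the SYN flood result because their ACKs cancel their SYNs, which is the distinction a per-destination SYN counter alone would miss; the 4440-byte datagram passes the reassembly check while the 66600-byte one is flagged before any reassembly happens.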
To wrap this up! As always, if you like the article please share it on social media using the buttons below the article (Facebook, Twitter, StumbleUpon, etc.), and stay tuned to my blog for more updates!
thanks for the interesting article
Tks for the tips :)