Find a Service to TargetThe first step to mounting a DoS is to find a service you can target. This would be something with open ports, something with vulnerabilities, and certainly something that will accept incoming connections. Some of these services include:
- Web servers
- DNS servers
- Email servers
- FTP servers
- Telnet servers
Overwhelm the ServiceIdeally, it should be a service that doesn’t have a maximum limit to the number of connections. The best way to find out whether a service doesn’t have an upper boundary on number of connections is to send it a few hundred thousand connections and then observe what happens.
But to achieve optimal effect, you have to send specific queries and information. For example, if you’re targeting a Web server with a search engine, don’t just request a web page or slap F5 a bunch of times. Instead, request a complex search query or something that’s going to consume a significant amount of horsepower to resolve.
If doing that just once already has a noticeable impact on the backend, then doing that a hundred times a second would probably bring that server down. You can do the same thing against a DNS server. You can force it to resolve complex DNS queries that aren’t cached. Do it often enough to bring that service down.
For an email service, you can send lots of large email attachments if you can get a legitimate account on its server. If you can’t, it’s pretty easy to spoof that kind of attack.
Those are some simple service-based Denial-of-Service attacks that you can mount almost universally. Again, it’s just a matter of finding the services that will allow you to do this.
Now, if you really can’t target specific services, you can simply flood a host with traffic. That can still work, except that the attack might not be as elegant and would certainly require a bit more traffic.
So now, let me show you how to mount a simple DoS attack using the environment I’ve set up just for attacks.
Mounting a DoS AttackLet’s assume that we’ve already done the network footprinting and scanning and enumeration processes. So we have a pretty good idea of what’s going on in the network we’re targeting. Typically, I use a paper notebook and screen cam a lot of it to gather a lot of screenshots.
In this particular case, I’m going to show you a window that appeared in one of my videos. It was on the Advanced Port Scanner. In that video, we found a bunch of different systems on the network.
One particular system, 192.168.1.16, wound up being a Windows 2008 Domain Controller, as well as a Web server and a couple of other things.
Let’s assume this is the system we’d like to attack. Knowing that it has all of those things, I know that I could mount a Denial of Service attack against it if I wanted to shut down the authentication process or Web service and all that kind of stuff.
I’ll now proceed and launch my favorite tool for attacking systems like this. It’s called the Low Orbit Ion Cannon or LOIC.
First, I’ll specify the IP address of the server I want to attack, which in this case is 192.168.1.16. Then I’ll Lock on to it. After that, I’ll choose a port that I know is open and that accepts incoming connections. For example, I’ll choose port 80 to mount a Web-based attack. I’ll then select TCP to specify which resources I want to tie up. Finally, I’ll click on the button to start mounting the attack.
You’ll then see the Requested data increasing rapidly. That means the attack has begun.
Depending on the situation, one client attacking this way may or may not immediately affect the performance of the server. But a Denial of Service attack doesn’t have to stop with just one client.
In a typical DoS attack, you would mount this attack against different ports at different times and try to footprint whether your actions are affecting services, impacting them in a noticeable way, or, better yet, able to shut the server down.
If not, you could scale this up by running the Low Orbit Ion Cannon on a dozen machines or even a hundred machines at the same time. A lot of this can be scripted. Meaning, you can capture the traffic and replay it at the command line on different targets or play it as part of a script from different attackers, which could be your peers, your zombies, or both.
This is the easiest tool to understand because it’s pretty darn obvious what it’s doing. It may start to slow down a little bit, partially because you’ll be consuming resources on the client and also because the server itself would either be running out of resources or starting to defend itself against your attack.
Some hosts can be configured to look for patterns to identify attacks and start defending itself. To counter their defense you could, for example, stop the attack momentarily (by clicking the same button you clicked to mount the attack) and change the port you’re attacking. To add a little confusion, you could slow the attack a little bit.
In our example, we’ll change the port from port 80 to port 88. If you review the screenshot on the Advanced Port Scanner you’ll see that port 88 is also open. Once you’re done changing the settings, you can resume the attack by clicking the attack button again.
With that, you’ll be attacking a different port, which amounts to a different service, at a slightly different way, and at a different speed. Speed is really only important if you’re attacking from one client. If you have a hundred different clients attacking at the same time you can slow things down at each individual client and still be able to mount quite an effective attack.
That is how an attack would look like when you do this kind of DoS. The only thing I want you to be cognizant of here is that I’m only showing things to you from one machine. It would look the same on each individual machine if I did it from hundreds or thousands of machines.
Distributed Denial of Service AttackA Distributed Denial of Service (DDoS) attack would be practically that same attack carried out by many different people at exactly the same time. A DDoS attack is only complex in terms of scale. The actual attack itself, from the perspective of each attacker, is exactly what you just saw.
One reason why some people use malware to launch these attacks is because malware can be timed to launch the attacks at exactly the same moment.
By Nick Powell