9/04/2024

Understanding DoS Attacks

A DoS (Denial-of-Service) attack targets a network or server and floods it with more traffic than it can handle, disrupting the service by overloading the target until it can no longer respond or crashes. To better understand DoS attacks at the network level, we first need to understand how network traffic is transported: traffic is broken up into data packets, which are sent individually to the destination.

An ICMP flood attack is a type of DoS attack in which an attacker repeatedly sends Internet Control Message Protocol (ICMP) packets (echo requests) to a network server. Each request forces the targeted server to send an ICMP packet back. This eventually uses up the bandwidth for both incoming and outgoing traffic and causes the server to crash. This attack can be replicated using a packet generator program called hping, which can be downloaded from most Linux repositories. In the command below, "*target_ip*" is the IP address of the targeted network and "-1" selects the ICMP protocol:

sudo hping3 -1 --flood *target_ip*

Another common DoS attack is the SYN flood attack. This attack uses the Transmission Control Protocol (TCP) and floods the server with synchronize (SYN) packets. To establish a TCP connection, a device sends a SYN packet to a server. The server responds with a SYN/ACK packet to acknowledge the device's request and keeps the half-open connection waiting for the final step of the handshake. Once the server receives the final acknowledgement (ACK) packet from the device, the 3-way handshake is complete and a TCP connection is established. Attackers take advantage of the protocol by flooding a server with SYN packets and never completing the 3-way handshake, so the server's pool of half-open connections fills up and legitimate connection attempts are refused. This attack can be replicated using hping with the following command, where "-d 300" sets the amount of data in the packet to 300 bytes, "-p 80" is the port you wish to attack, the "-S" switch places hping in SYN mode, and "*target_ip*" is the IP address of the targeted network:

sudo hping3 -d 300 -p 80 -S --flood *target_ip*
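From the defender's side, both floods described above leave a recognisable trace in packet logs: one source with many half-open handshakes (SYNs that never get their final ACK), or one source sending a burst of ICMP echo requests. The following script is an added example, not part of the original post; it parses constructed tcpdump-style summary lines (the server address 198.51.100.10 and the client addresses are assumed sample values) and flags sources that cross a half-open or echo-request threshold.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style summary lines (sample input, not a real capture).
# The observed server is 198.51.100.10 (assumed, documentation address range).
SAMPLE_LINES = [
    "IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [S]",   # legitimate client: SYN
    "IP 198.51.100.10.80 > 203.0.113.5.40001: Flags [S.]",  # server: SYN/ACK
    "IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [.]",   # client: final ACK
] + [
    # one source opening many connections but never sending the final ACK
    f"IP 203.0.113.9.{50000 + i} > 198.51.100.10.80: Flags [S]" for i in range(4)
] + [
    # one source sending a burst of ICMP echo requests
    "IP 203.0.113.7 > 198.51.100.10: ICMP echo request" for _ in range(6)
]

TCP_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\]")
ICMP_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")


def analyze(lines, syn_threshold=3, icmp_threshold=5):
    """Return sources with too many half-open TCP handshakes or ICMP echo requests."""
    pending = set()                # (client_ip, client_port) that sent SYN, no ACK yet
    half_open = defaultdict(int)   # client_ip -> number of incomplete handshakes
    icmp_count = defaultdict(int)  # source_ip -> echo requests seen
    for line in lines:
        m = TCP_RE.search(line)
        if m:
            src, sport, _dst, _dport, flags = m.groups()
            if flags == "S":                                  # client SYN: handshake starts
                pending.add((src, sport))
                half_open[src] += 1
            elif flags == "." and (src, sport) in pending:    # final ACK: handshake completes
                pending.discard((src, sport))
                half_open[src] -= 1
            continue
        m = ICMP_RE.search(line)
        if m:
            icmp_count[m.group(1)] += 1
    return {
        "syn_flood": sorted(ip for ip, n in half_open.items() if n >= syn_threshold),
        "icmp_flood": sorted(ip for ip, n in icmp_count.items() if n >= icmp_threshold),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

The legitimate client completes its handshake and is not flagged; in real traffic the thresholds should be set per time window and tuned against the server's normal connection rate.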

A standard DoS attack using a single source of network traffic is usually not enough to cause any major disruption, let alone crash a network. A DDoS attack is a Distributed Denial-of-Service attack. DDoS attacks are usually performed using botnets: large collections of compromised, privately owned internet-connected devices that have been infected with malware and are controlled as a group. These compromised devices are sometimes referred to as "zombies". Using a botnet, an attacker can send requests from all of these devices at once, which has a much larger impact on the target network's bandwidth and makes it easier to crash.