Monday, April 28, 2014

Denial Of Service Methods : ICMP, SYN, teardrop, botnets

Introduction to Denial Of Service

In a previous post, I introduced you to the basic idea of a denial of service attack. We used real-life examples (a bus stop and an online game) to depict the idea behind a DoS attack, and we crashed our own Windows and Kali Linux machines (using a batch file and the command line respectively). Now it's time to learn how DoS attacks actually work, in terms of packets and other networking terms. So here is a one-by-one description of four of the well-known attacks.

Various methods of Denial Of Service attack

ICMP flooding (smurfing)

Before I go off explaining what the attack is, first I'll tell you about the packets.
[Image: Contents of an ICMP packet (should not bother you currently)]
ICMP packets have two purposes (technically):
  • It is used by network devices, like routers, to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached
  • It is also used to relay query messages
Practically, all an ICMP packet does is confirm connectivity. You send a message to an IP and see if you are connected. If not, you get an error like "Destination unreachable". Pings use ICMP packets.
While the packet as a whole allows us to attack a network directly by flooding it with a lot of ICMP packets, the second ability listed above gives us a new advantage. We can send ICMP relay packets to a network with a spoofed source IP (we change our source address to that of the target), and when the network replies to our packet, it replies to the spoofed IP, causing the target to be flooded with ICMP packets. This is called indirect ICMP flooding, also known as smurfing. It is harder to detect than a normal direct ICMP attack, and the network serves as an amplifier, the larger the better, making the attack much stronger, since you have the power of many computers at your disposal instead of just one. If the target is flooded with enough packets, it loses its ability to respond to genuine packets, resulting in a successful Denial of Service attack.

SYN flooding

[Image: The three-way handshake (that didn't happen in our case)]
In SYN flooding, the attacker sends the target a large number of TCP SYN packets. These packets carry a source address, and the target replies (with a TCP SYN-ACK packet) to that source IP, trying to establish a TCP connection. Under normal conditions, the target then receives an acknowledgement (ACK) packet back from the source, and the connection is in a fully open state. However, the attacker uses a fake source address while sending the SYN packets, so the target's reply goes to a nonexistent IP and never generates an acknowledgement. The connection is never established, and the target is left with a half-open connection. Eventually, a lot of half-open connections pile up, and the target gets saturated to the point where it has no resources left to respond to genuine packets, resulting in a successful DoS attack. Also, since the half-open connections stay around for a while, the server remains unable to work for a good amount of time after the attack has stopped.
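Both the smurfing and the SYN flooding passages above describe a traffic pattern a defender can look for: a burst of ICMP echo-replies arriving at a host that never asked for them, and SYNs toward a server whose handshakes are never completed. The following added example (my code, not from the original post) runs those two checks over a constructed list of packet summaries; the summary tuple format, the addresses, the timings and the thresholds are all assumptions made up for the example.

```python
"""Added example (not from the original post): spotting an ICMP reply flood
and a SYN half-open build-up in a list of packet summaries. The summary
format, the addresses and the thresholds are assumptions for this example."""
from collections import defaultdict

# Constructed packet summaries: (time_s, proto, src, dst, kind).
# kind is the ICMP message type for "icmp" and the TCP flags for "tcp"
# ("S" = SYN, "SA" = SYN-ACK, "A" = ACK). 203.0.113.7 plays the victim and
# 198.51.100.0/24 plays the amplifier network of a smurf attack.
VICTIM = "203.0.113.7"
PACKETS = (
    # 300 echo-replies in 0.3 s from the amplifier network to a host that
    # never sent an echo-request: the reflection signature of smurfing
    [(1.0 + i * 0.001, "icmp", f"198.51.100.{i % 254 + 1}", VICTIM, "echo-reply")
     for i in range(300)]
    # one ordinary ping exchange initiated by the victim
    + [(2.00, "icmp", VICTIM, "192.0.2.1", "echo-request"),
       (2.01, "icmp", "192.0.2.1", VICTIM, "echo-reply")]
    # one legitimate three-way handshake
    + [(3.00, "tcp", "192.0.2.50", VICTIM, "S"),
       (3.01, "tcp", VICTIM, "192.0.2.50", "SA"),
       (3.02, "tcp", "192.0.2.50", VICTIM, "A")]
    # 500 SYNs from spoofed sources; the server answers each with a SYN-ACK
    # that goes nowhere, so the final ACK never arrives
    + [pkt for i in range(500)
       for pkt in ((4.0 + i * 0.001, "tcp", f"10.0.{i // 254}.{i % 254 + 1}", VICTIM, "S"),
                   (4.0 + i * 0.001 + 0.0002, "tcp", VICTIM, f"10.0.{i // 254}.{i % 254 + 1}", "SA"))]
)


def icmp_reply_floods(packets, window_s=1.0, threshold=100):
    """Hosts that receive more than `threshold` ICMP echo-replies within any
    `window_s` seconds. Returns {host: peak replies seen in one window}.
    A sliding window over the sorted reply timestamps finds the peak."""
    replies = defaultdict(list)
    for ts, proto, src, dst, kind in packets:
        if proto == "icmp" and kind == "echo-reply":
            replies[dst].append(ts)
    flagged = {}
    for host, times in replies.items():
        times.sort()
        lo, peak = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window_s:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak > threshold:
            flagged[host] = peak
    return flagged


def half_open_connections(packets, server):
    """Track handshakes toward `server` by client address and return
    (half_open, completed). A client is half-open if it sent a SYN (and may
    have received a SYN-ACK) but never sent the final ACK."""
    state = {}   # client -> "syn" | "synack" | "open"
    for ts, proto, src, dst, flags in packets:
        if proto != "tcp":
            continue
        if dst == server and flags == "S":
            state.setdefault(src, "syn")
        elif src == server and flags == "SA" and state.get(dst) == "syn":
            state[dst] = "synack"
        elif dst == server and flags == "A" and state.get(src) == "synack":
            state[src] = "open"
    completed = sum(1 for s in state.values() if s == "open")
    return len(state) - completed, completed


if __name__ == "__main__":
    print("ICMP reply floods:", icmp_reply_floods(PACKETS))          # {'203.0.113.7': 300}
    print("half-open / completed:", half_open_connections(PACKETS, VICTIM))  # (500, 1)
```

The ICMP check flags the victim because 300 replies land on it inside one second although it sent a single echo-request in the whole capture; the TCP check shows 500 handshakes stuck after the SYN-ACK against one that completed. On Linux the kernel-side mitigations for the two cases are `net.ipv4.icmp_echo_ignore_broadcasts=1` on hosts that could otherwise act as amplifiers, and `net.ipv4.tcp_syncookies=1` on the server so that half-open connections do not consume backlog state.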

Teardrop attack

First of all - In computer networking, a mangled or invalid packet is a packet — especially an IP packet — that either lacks order or self-coherence, or contains code aimed to confuse or disrupt computers, firewalls, routers, or any service present on the network. (source: Wikipedia)
Now in a teardrop attack, mangled IP packets are sent to the target. They are overlapping, oversized, and loaded with payloads. Various operating systems had a bug in their TCP/IP fragmentation reassembly code: when the OS tries to reassemble the fragments it receives, the crafted fragments trigger the bug in the reassembly process, and the OS crashes. This bug has been fixed, and only Windows 3.1x, Windows 95 and Windows NT, as well as versions of Linux prior to 2.0.32 and 2.1.63, are vulnerable to this attack. This type of attack does not require much bandwidth on the attacker's side, and has a devastating effect on the targeted server.
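The teardrop description above turns on what a fragment reassembler does when fragments overlap or add up to more than a datagram may hold. Here is an added example (my code, not from the original post) of the defensive validation a reassembler should perform before joining fragments: reject overlaps, totals beyond the IPv4 maximum, misaligned offsets and incomplete sets. The (offset, payload, more_fragments) tuple representation and the four sample fragment sets are constructed for this example; a real stack would hold an incomplete set in a timed buffer instead of rejecting it outright.

```python
"""Added example (not from the original post): validating a set of IPv4
fragments before reassembly. The tuple representation and sample sets are
assumptions constructed for this example."""

MAX_DATAGRAM = 65535   # largest IPv4 datagram, header included
IP_HEADER = 20         # minimal IPv4 header; fragment offsets exclude it


class FragmentError(ValueError):
    """Raised when a fragment set is malformed and must be discarded."""


def reassemble(fragments):
    """Validate and join the fragments of one datagram.

    fragments: iterable of (offset, payload, more_fragments); offset is the
    byte position of the payload in the original datagram (the on-wire field
    counts 8-byte units, so it must be a multiple of 8), payload is the
    fragment's data, more_fragments is the MF flag. Returns the reassembled
    payload or raises FragmentError with the reason the set was rejected.
    """
    frags = sorted(fragments, key=lambda f: f[0])
    if not frags:
        raise FragmentError("no fragments")
    expected = 0   # byte offset the next fragment must start at
    for off, data, mf in frags:
        if off % 8:
            raise FragmentError(f"offset {off} is not a multiple of 8")
        if mf and len(data) % 8:
            raise FragmentError(f"non-final fragment at {off} has length {len(data)}, not a multiple of 8")
        if off < expected:   # overlapping data: the teardrop trigger
            raise FragmentError(f"fragment at {off} overlaps data already covering up to {expected}")
        if off > expected:
            raise FragmentError(f"gap before offset {off}: datagram incomplete")
        expected = off + len(data)
        if IP_HEADER + expected > MAX_DATAGRAM:   # oversized datagram
            raise FragmentError(f"reassembled datagram would be {IP_HEADER + expected} bytes, over the {MAX_DATAGRAM} limit")
    if frags[-1][2]:
        raise FragmentError("last fragment has MF set: final fragment missing")
    for off, data, mf in frags[:-1]:
        if not mf:
            raise FragmentError(f"fragment at {off} clears MF but is not the last fragment")
    return b"".join(data for _, data, _ in frags)


def classify(fragments):
    """Return 'ok' or the rejection reason, handy for feeding an alert."""
    try:
        reassemble(fragments)
        return "ok"
    except FragmentError as e:
        return str(e)


# Constructed sample fragment sets
GOOD = [(32, b"C" * 5, False), (0, b"A" * 16, True), (16, b"B" * 16, True)]   # arrives out of order
OVERLAP = [(0, b"A" * 16, True), (8, b"B" * 16, False)]                        # second fragment starts inside the first
OVERSIZE = [(0, b"A" * 65528, True), (65528, b"B" * 8, False)]                 # total exceeds 65535 with the header
GAP = [(0, b"A" * 8, True), (16, b"B" * 4, False)]                             # bytes 8..15 never arrive

if __name__ == "__main__":
    for name, frags in (("GOOD", GOOD), ("OVERLAP", OVERLAP), ("OVERSIZE", OVERSIZE), ("GAP", GAP)):
        print(f"{name}: {classify(frags)}")
```

The overlap and oversize rejections are the two checks that matter for the teardrop class of bug: a reassembler that trusts the offsets and lengths it is given can be driven into copying the wrong amount of data, so the fragment set is validated as a whole before any byte is copied.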

Botnets

[Image: A small botnet]
Now, this is not an attack as such; rather, it is a way of carrying out the attacks more effectively. When carried out against a large server, the above attacks usually prove ineffective. Your home router is nothing compared to the HUGE servers that big websites have, and handling a single PC's DoS effect can be a piece of cake. This leads to the need for a Distributed Denial of Service attack. In a distributed denial of service, hacking groups use their numbers as strength. For example, if you have 500 friends who know how to carry out a denial of service attack, then the combined impact is much more dangerous than that of a lone PC. However, it is not always possible to have 500 hackers next door, and not all of us are part of large black hat hacking organisations.
[Image: Try not to end up like this]
This is where botnets step in. The bad guys use tools called RATs (remote administration tools) to infect and get total control over computers on the internet. RATs are a kind of trojan, and one can lie on your PC without you ever finding out. By the use of crypting, some hackers have mastered anti-virus evasion, and these RATs can lie undetected on your PC for years. This is 100% illegal. You can easily end up in jail for this, and I recommend that you stay away from this. But it's important that you are aware of the existence of such tools, and more importantly, what the hackers can do with them. Now let's assume someone made a RAT and it has infected 10,000 people. They can actually control those 10,000 computers. Now there's this website server they don't like, and they're this badass hacker who takes down stuff they don't like. No, they don't have a warehouse full of networking power (servers), but they do have ten thousand computers at their disposal, and this is called a botnet. They also have 5 friends who are hackers and have similarly sized botnets. Such immense networking power can easily take down a large website for hours, if not days. The result of flooding packets from 50,000 computers can be catastrophic. With modern firewalls, it is almost impossible to flood servers and take them down using a single computer, so while botnets are the most unethical entities, they are also the most powerful. Now here is a suggestion: Denial of Service attacks are easy to trace back (if you are a beginner), and even if you are good, there is always someone better, and you can't hide forever. So try not to send bad packets at random websites; you won't look good in orange.


  1. Great, clear description of a DOS attack and the infrastructure that plays its part in the background. Can you imagine the tools GCHQ and the NSA use to invade our privacy. Compared to Kali and its many great tools, it's a different ball game altogether. They have built a data collection centre in Bluffdale, America. Jacob Appelbaum has been a target of the NSA because he empowers us with TOR to have some degree of privacy. What I would give to spend a day with Snowden. It's sad to think that internet suppression in Egypt, Turkey, etc., is all done with help from software created in the West by companies that think nothing of suppressing people's freedoms. I believe Facebook and Google have given backdoor access to the NSA to gather intelligence on us all. Just a thought.
    Love your posts, great site.
    Sorry to go off track.

  2. Thank you for the reply. I tried out Maltego on my Kali Linux. WOW, that is some tool. Why is it so difficult to do a full install of Kali on a USB stick? As for trying to add persistence, oh my word. UNetbootin can add persistence to an Ubuntu install but won't do it for Kali. Why doesn't someone write some software so this can be done? The methods I have come across to do it: use VirtualBox, or the Kali installation guide to add persistence, this being far from simple. I was shocked after reading the Kali Linux cookbook advocating using UNetbootin to add persistence when it doesn't work. Crazy.

    1. Another alternative is as follows. You will need two USBs for that. One should be configured for live booting of Kali (size: 4GB minimum). The other should be empty (I think this one should be 8GB at least). You can live boot using the former USB. Then, as one would normally install live Kali to the hard disk, you can install it to the other USB drive. This other USB drive is capable of behaving as a hard disk. Just install it and your USB drive will be as good as an external hard disk with Kali Linux installed. After the installation is complete, the Kali Linux isn't running in Live mode anymore, and you have persistence.

  3. Thank you, Shashwat, I will give the two USBs a shot. Furthermore, thanks for the link and enlightening me to Tails. I think it's really good. I have a selection of small OSes for USB: Porteus Razor, Precise Puppy, CentOS, Xpud, Sugar on a Stick. A good shout, thanks.
    I have been reading Kali cookbook. It refers to Gerix as a wifi hacking tool to download. What do you think of it compared to Wifite and Fern ?

  4. The github project description of Gerix is - "A graphical user interface for aircrack-ng and pyrit". It does nothing special, just makes wireless hacking even easier by taking things in GUI. No more typing commands, just mouse clicks. Also, it doesn't come pre-installed in Kali (I might be wrong), and the users have reported that they come across bugs every now and then.

  5. Thanks. You're right, it's not pre-installed on Kali.

  6. Great... great... great... great... great...
    I love your tutorials... amazing.
    Never found any like these...
    I am expecting more.
    When will you post more?


© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.