How to Do DoS Attack and DDoS Attack?

Provido

Contributing Member
21 Oct 2015

What are DoS Attacks?

DoS stands for Denial of Service; this type of attack is a method of disrupting service. As a result of regular or back-to-back attacks by a person on a system, the target system can't serve anyone; alternatively, it is a type of attack aimed at consuming all the resources belonging to the system. Service disruption attacks can be performed in many ways.

Generally used methods can be grouped under three classes:

1. Attacks on Bandwidth
2. Protocol Attacks
3. Logical Attacks


What are DDoS Attacks?


A DDoS attack is a type of attack that aims to make the target system unable to serve anyone by attacking the target computer through many machines set up in advance. This coordinated action both increases the size of the attack and allows the attacker to hide. The tools that perform these operations are called Zombies.
It is difficult to find the attacker in this type of attack, because the attacker at the center of the attack doesn't actually participate in it. He only directs the other IP numbers. If an attack is made from a single IP address, a firewall can easily block it. However, the attacks come from a higher number of IP addresses, so the firewall is disabled (log overflow stops firewall services). This is the most important feature that distinguishes it from a DoS attack.


DoS Attack Types


Service Overloading: This type of attack is used to disable certain hosts and services. The attacker sends many ICMP packets to the private port and host. This event is easily understood with a network monitor.


Message Flooding: The difference from Service Overloading is that it doesn't prevent the normal operation of the system. Packets sent in the same way will be detected as normal this time. For example, if a flood is done on a NIS server (Unix network), NIS sees this as a password request and the attacker is allowed to dominate the host.


Clogging: The attacker sends SYN and receives ACK; the attack then consists of not responding to the incoming ACK and constantly sending SYN. If this is repeated many times, the server will no longer be able to respond. Since these packets are sent with a fake IP, the system can't understand it and shuts down the service. What happens if it understands? It won't answer so many requests from the same IP. The only solution is the firewalls that scan them.


Programs Used for DoS Attacks


Ping of Death

An attacker sends large ping packets to a machine he targets. Many operating systems can't understand these large ping packets and the system either drops out of the network or crashes.

SSPing

SSPing is a DoS tool. The SSPing program sends large amounts of ICMP data packets to the target system. The operating system tries to separate the data packets it receives from each other. As a result, it experiences a memory overflow and stops serving.

Land Exploit

Land Exploit is a DoS attack program. It is an attack on the target system with the TCP SYN packet. The attack is made continuously on the same port number. Land Exploit sends SYN packets using the same source and destination ports. Many machines experience a buffer overflow because they can't handle so much load, and they become unable to accept any connection.

Smurf

Smurf is a DoS attack program that sends ICMP packets to broadcast addresses. The attacker changes the source address and sends ICMP echo requests to the IP broadcast address. This causes each machine on the broadcast network to receive these requests and to respond to the spoofed address. In this way, a high level of network traffic is experienced. As a result, a DoS attack has occurred.

At the beginning of a TCP connection, the requesting application sends the SYN packet. In response, the receiving site confirms that it has received the request by sending the SYN-ACK packet. If for any reason the SYN-ACK packet can't be delivered, the receiving site accumulates them and tries to send them periodically. If, using zombies, too many SYN packets are sent to the victim's site with a return address that is an IP number not in use, the target system won't be able to send the SYN-ACK packets and will accumulate them. As a result, this accumulation will cause the queues to fill up and the target system won't be able to serve its normal users.

WinNuke

The WinNuke program sends data called “out of band” to port 139 of the target system. The target can’t identify them and the system locks up.

Usage:

WNUKE4 -c XXX.com 10000 0 450
(sends 10000 icmp packets of 450 bytes to the target.)
WNUKE4 -n XXX.com 0 1024-2024 6667-6668 UNPORT


Jolt2

Jolt2 is a program capable of DoS attacks on NT/2000 machines, giving the impression that it is located in different segments. It sends illegal packets, causing the target’s processor to run at 100% and crash.
c:\> jolt2 1.2.3.4 -p 80 4.5.6.7
The IP number 1.2.3.4 seen on the command line is the attacker’s spoofed address. It attacks port 80 of the target address 4.5.6.7. It consumes all CPU resources and disrupts the system.

Bubonic.c

Bubonic.c is a program that runs on Windows 2000 machines using DoS exploits. It regularly sends TCP packets to the destination.
c:\> bubonic 12.23.23.2 10.0.0.1 100


Targa


Targa is a DoS program that can attack in 8 different modules.

Programs used for DDoS attacks

1. Trinoo
2. TFN
3. Stacheldraht
4. Shaft
5. TFN2K
6. Mstream

DDoS – Attack Method


All DDoS programs run in two phases.

Mass-Intrusion Phase – In this phase, the systems that will carry out the DoS attack are accessed and the programs that will carry out the attack are loaded. These are the primary victims.

DDoS Attack Phase – At this stage, the target sites are attacked, with the primary victims directed onto the target.


Trinoo


Trinoo is the first program to use the DDoS method.
TCP ports used:
Attacker to master: 27665/tcp
Master to daemon: 27444/udp
Daemon to master: 31335/udp

TFN2K

Machines loaded with zombies run in listening mode. They are ready for any incoming commands.
Running the server:
#td
Running the client:
The command #tn -h 23.4.56.4 -c8 -i 56.3.4.5 starts an attack from the IP 23.4.56.4 to the IP 56.3.4.5.


Stacheldraht


It works like TFN and Trinoo but can send packets to its modules via cryptography.
The ports used are TCP and ICMP.
Client to Handler: 16660 TCP
Handler to and from agents: 65000 ICMP.
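
Seen from the defending side, several of the attacks above leave a recognisable mark on the wire. The Python below is an added example, not part of the original post: it flags the Trinoo and Stacheldraht control ports listed above, Smurf-style echo requests to a broadcast address, Land packets, and a backlog of SYNs that were never completed. The packet-dict layout, the 192.0.2.0/24 subnet, the threshold and the sample traffic are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Control ports exactly as listed in the post.
TOOL_PORTS = {
    ("tcp", 27665): "trinoo attacker->master",
    ("udp", 27444): "trinoo master->daemon",
    ("udp", 31335): "trinoo daemon->master",
    ("tcp", 16660): "stacheldraht client->handler",
}
BROADCAST = ipaddress.ip_network("192.0.2.0/24").broadcast_address  # assumed subnet
SYN_THRESHOLD = 3  # assumed; set from the server's normal half-open count

def classify(packets):
    """Return sorted (alert, detail) pairs for a list of packet dicts."""
    alerts, pending = set(), set()
    for p in packets:
        proto, src, dst = p["proto"], p["src"], p["dst"]
        tool = TOOL_PORTS.get((proto, p.get("dport")))
        if tool:
            alerts.add(("ddos-tool-port", f"{tool} {src}->{dst}"))
        # Smurf: echo request (type 8) to broadcast; every reply goes to the claimed source.
        if proto == "icmp" and p["type"] == 8 and ipaddress.ip_address(dst) == BROADCAST:
            alerts.add(("smurf-echo-to-broadcast", f"replies go to {src}"))
        if proto != "tcp":
            continue
        conn = (src, p["sport"], dst, p["dport"])
        if p["flags"] == "S" and src == dst and p["sport"] == p["dport"]:
            alerts.add(("land", f"{dst}:{p['dport']}"))  # source equals destination
        elif p["flags"] == "S":
            pending.add(conn)        # handshake opened
        elif p["flags"] == "A":
            pending.discard(conn)    # client completed the handshake
    # Whatever is still pending is a SYN that was never followed by an ACK.
    for (dst, dport), n in Counter((d, dp) for _, _, d, dp in pending).items():
        if n >= SYN_THRESHOLD:
            alerts.add(("syn-backlog", f"{dst}:{dport} half-open={n}"))
    return sorted(alerts)

# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE = [
    {"proto": "tcp", "src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.10", "dport": 27665, "flags": "S"},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.255", "type": 8},
    {"proto": "tcp", "src": "192.0.2.10", "sport": 139, "dst": "192.0.2.10", "dport": 139, "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.20", "sport": 50000, "dst": "192.0.2.10", "dport": 80, "flags": "S"},
    {"proto": "tcp", "src": "198.51.100.20", "sport": 50000, "dst": "192.0.2.10", "dport": 80, "flags": "A"},
] + [{"proto": "tcp", "src": f"203.0.113.{i}", "sport": 1024 + i, "dst": "192.0.2.10", "dport": 80, "flags": "S"}
     for i in range(1, 4)]

print(classify(SAMPLE))
```

A port match alone only says the traffic uses a port the post associates with these tools, so treat it as a lead to investigate rather than a verdict.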



 