Jollier
In this article, we will look at what DoS and DDoS are, how they work, what their types are, and how you can test a resource for resilience.
DoS is an attack in which one source generates a large number of requests to the target server in order to occupy its resources and make it unavailable to regular users.
DDoS is a type of DoS, but using multiple sources at once (botnets, virtual machines, infected devices), which makes the attack large-scale and more difficult to repel.
Types of DoS/DDoS attacks
- SYN flood - sending a large number of TCP connection requests that begin the handshake without completing it, thereby overloading the server's connection table (long outdated; most servers already have protection against this kind of attack in their default configuration)
- UDP flood - sending a huge number of UDP packets that the server must process (still relevant, but not very effective; easily blocked by filtering at the network level, though it can be used to saturate the channel)
- HTTP flood - sending a large number of HTTP requests that emulate user behavior (relevant, especially for unprotected servers, since it is difficult to distinguish from legitimate traffic)
- ICMP flood - overloading the target with ICMP requests (outdated; most modern systems and routers block or limit ICMP traffic)
- Slowloris - sending incomplete HTTP requests in order to keep connections open as long as possible (partially outdated; most modern web servers have protection against slow attacks)
In this article, we will consider the type of attack that is most relevant of all time: HTTP flood.
When conducting an attack of the HTTP Flood type, one of the main problems can be the protection provided by services like Cloudflare or other similar solutions. These services are designed to protect against DDoS attacks and other types of unauthorized traffic, and can greatly complicate the testing process. They can mask the real IP address of the server by redirecting traffic through their proxies, which makes it impossible to directly affect the target server through HTTP requests. To carry out an attack, you need to find the real IP address of the victim, which may not be so easy. In some cases, you can try to extract this address from the history of DNS requests or through other methods, such as analyzing public domain records. However, finding the real IP can be quite difficult, especially if the site uses additional layers of protection or distributed content delivery networks (CDN).
You can check whether the target site is protected by Cloudflare or similar crap by using the Wappalyzer browser extension.
Find IP / View DNS history
- https://search.censys.io (most likely will show real IP addresses)
- https://dnsdumpster.com
- https://viewdns.info
You can check whether you have the correct IP address using curl.
Checking IP
Just paste the IP into the browser address bar, or:
curl http://<IP>
If it does not return an error but instead redirects to the target site or shows the web server's welcome page, this is most likely the server's real IP.
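The risk in the section above is an origin whose real address has leaked and which still answers direct requests, bypassing the CDN entirely. The origin-side gate below is an added example (not code from the article): it refuses connections that do not arrive from the CDN's proxy ranges and trusts X-Forwarded-For only from those proxies. The ranges in CDN_RANGES are constructed placeholders, not any provider's real list.

```python
import ipaddress

# Constructed placeholder ranges standing in for the CDN's published proxy
# list; replace with the provider's real ranges when deploying.
CDN_RANGES = [ipaddress.ip_network(n) for n in
              ("198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]

def from_cdn(peer_ip: str) -> bool:
    """True when the TCP peer is one of the CDN's proxies."""
    try:
        ip = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(ip in net for net in CDN_RANGES)

def client_ip(peer_ip: str, headers: dict) -> str:
    """IP to log and rate-limit on. X-Forwarded-For is only trusted when the
    direct peer is a CDN proxy; from anyone else it is attacker-controlled."""
    if from_cdn(peer_ip):
        first = headers.get("X-Forwarded-For", "").split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass          # header missing or malformed: fall back to the peer
    return peer_ip

def handle(peer_ip: str, headers: dict) -> tuple:
    """Origin-side gate: refuse direct hits that bypass the CDN, so a leaked
    origin address (e.g. from old DNS records) no longer exposes the server."""
    if not from_cdn(peer_ip):
        return 403, "direct origin access refused"
    return 200, client_ip(peer_ip, headers)

if __name__ == "__main__":
    print(handle("198.51.100.7", {"X-Forwarded-For": "192.0.2.9"}))  # (200, '192.0.2.9')
    print(handle("192.0.2.9", {"X-Forwarded-For": "198.51.100.7"}))   # (403, 'direct origin access refused')
```

In practice the same allowlist also belongs in the host firewall (the iptables/ufw rules mentioned in the protection section) so that non-CDN connections never reach the web server at all.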
So, to carry out a DoS attack we need:
- One, or better yet, several (for clarity) Linux-based servers (for example, Ubuntu 22/24)
- Domain or IP to attack
- Installed testing utility, such as wrk
Guide to installing the utility
sudo apt update && sudo apt upgrade -y
sudo apt install wrk -y
Important nuance!
In order for the system to handle more open connections simultaneously, you need to increase the limit on the number of open file descriptors. The default limit on Ubuntu is usually 1024. To increase it, enter the command ulimit -n 100000. Note that this raises the soft limit only for the current shell session and the processes started from it, and it cannot exceed the hard limit (check with ulimit -Hn); raising the hard limit requires root, for example via /etc/security/limits.conf.
An example of an attack
wrk -t500 -c1000 -d300s https://robotsec.xyz
Explanation of the flags
-t500 - number of threads
-c1000 - number of open connections
-d300s - test duration (5 minutes)
https://robotsec.xyz - target address
After executing the command, you will see statistics; one of the main indicators is Latency. A sharp increase in Latency as the load grows is a sign that the server cannot cope, and a value above 1-1.5 s means the server is clearly not coping.
To increase capacity, you can use several servers simultaneously.
DoS/DDoS protection
If your site can be attacked, you can use:
- Network filters and firewalls (iptables, ufw)
- CDN with anti-DDoS (Cloudflare, Akamai)
- Rate limiting - limiting the number of requests from one IP (will not help with a DDoS attack)
- Anti-DDoS services from hosting providers or third-party companies.
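The point that per-IP rate limiting does not help against a distributed HTTP flood can be seen directly in detection logic. The script below is an added example (not code from the article): a sliding-window limiter run over constructed access-log lines, once for a single-source flood and once for a distributed one where every source stays under the per-IP limit, with an aggregate limiter as the stage that still fires in the second case. Thresholds, log lines and addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Common log format prefix: client IP and the timestamp's day/hh/mm/ss fields
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2})/\w{3}/\d{4}:(\d{2}):(\d{2}):(\d{2}) [^\]]+\]')

def parse(line):
    """Return (seconds-within-month, client_ip) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, hh, mm, ss = m.groups()
    return int(day) * 86400 + int(hh) * 3600 + int(mm) * 60 + int(ss), ip

class SlidingWindow:
    """Allow at most `limit` events per `window` seconds for each key."""
    def __init__(self, limit, window):
        self.limit, self.window, self.hits = limit, window, defaultdict(deque)
    def allow(self, key, t):
        q = self.hits[key]
        while q and t - q[0] >= self.window:
            q.popleft()                      # drop events that left the window
        if len(q) >= self.limit:
            return False
        q.append(t)
        return True

def analyse(lines, per_ip_limit=20, global_limit=100, window=10):
    """Stage 1: per-IP limit (the 'rate limiting' of the protection list).
    Stage 2: aggregate limit on what stage 1 let through; this is what still
    fires when a distributed flood keeps every source under the per-IP limit."""
    per_ip, total = SlidingWindow(per_ip_limit, window), SlidingWindow(global_limit, window)
    blocked, over_capacity = defaultdict(int), 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        t, ip = ev
        if not per_ip.allow(ip, t):
            blocked[ip] += 1
        elif not total.allow("*", t):
            over_capacity += 1
    return dict(blocked), over_capacity

def make_lines(ips, per_ip):
    """Constructed access-log lines (not real traffic), all within one second."""
    return [f'{ip} - - [10/Oct/2024:13:55:36 +0000] "GET / HTTP/1.1" 200 612'
            for ip in ips for _ in range(per_ip)]

SINGLE_SOURCE = make_lines(["203.0.113.5"], 30)                        # one IP, 30 requests
DISTRIBUTED = make_lines([f"198.51.100.{i}" for i in range(1, 51)], 3)  # 50 IPs, 3 each

if __name__ == "__main__":
    print(analyse(SINGLE_SOURCE))   # ({'203.0.113.5': 10}, 0): per-IP limit catches it
    print(analyse(DISTRIBUTED))     # ({}, 50): per-IP limit sees nothing, aggregate does
```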
(c) Author's article by chmod_777