A denial-of-service (DoS) attack is one that prevents the target from performing its normal duties on the network. Although this is typically accomplished by flooding the server with network traffic, it can also be accomplished by crashing a service or consuming all of the server's resources, including CPU, memory, disk space, or allowed client connections. The attack can be protocol-, operating system-, or service-specific. You can try crafting packets to evade IDS or firewall detection. For network-traffic-based DoS attacks, a single attacker is unlikely to have much (if any) impact. The most serious exploits are distributed denial-of-service (DDoS) attacks, in which thousands or hundreds of thousands of machines (typically in a botnet) are coordinated to attack a single target.

The following table summarizes common DoS attack types and tools.

DoS Attack Type


Tool Examples

Packet flood

Create and send massive amounts of TCP, UDP, ICMP, or random packet traffic to target. Can include different TCP flag variants.

hping3, nemesy, XOIC, Low Orbit Ion Cannon (LOIC), Spike DDoS Toolkit, xcrush-20

SYN flood

Create and send massive amounts of TCP SYN packets.

hping3, Metasploit auxiliary/dos/tcp/synflood, Spike DDoS Toolkit, xcrush-20

Ping of Death

Send ICMP ECHO REQUESTs that are larger than 65,536 bytes, causing the target to crash, freeze, or reboot.

jolt, xcrush-20, eugenics.pl, Crazy Pinger, ping.exe; e.g., ping -l 65510 your.target.ip.address

ICMP/UDP fragmentation attack

Variant of UDP flood or Ping of Death. Send the target UDP or ICMP fragments that when reassembled are too large for the network's MTU.

hping3, spike.sh, eugenics.pl

TCP fragmentation attack

Send the target TCP fragments that have overlapping sequence numbers and cannot be reassembled. Windows NT, Windows 95, and Linux versions prior to version 2.1.63 are most vulnerable.

Teardrop, NewTear, Bonk, Boink, Targa, xcrush-20, eugenics.pl

Smurf attack

Send large numbers of spoofed ICMP ECHO REQUESTs to intermediate devices that all respond to a single target.

hping3, xcrush-20, eugenics.pl

Fraggle attack

Same as a Smurf attack, except uses UDP instead of ICMP.

xcrush-20, eugenics.pl

Land attack

Send spoofed packet where source and destination IP are the same. The target floods itself with packets.

hping3, Land, Targa, LaTierra, xcrush-20, eugenics.pl

SMB malformed request

Send a malformed request to an SMB named pipe causing a Blue Stop Screen (Blue Screen of Death) on Windows.

SMBDie, Bitchslap


Keep as many fake web connections as possible open for as long as possible, until the maximum number of allowed connections is reached. Allows one web server to take down another without impacting other ports or services on the target network.

Slowloris script, R-U-Dead-Yet (RUDY)

NTP amplification

Send spoofed NTP queries to publicly available NTP servers to overwhelm a target with UDP traffic.

NTPDos, NTPDoser, Saddam

HTTP flood attack

Use seemingly legitimate HTTP GET or POST requests to attack a web server. Does not require spoofing or malformed packets, but can consume a high amount of resources with a single request.

High Orbit Ion Cannon (HOIC), Low Orbit Ion Cannon (LOIC), XOIC, HULK, DDOSIM, Tor's Hammer, PyLoris, OWASP DOS HTTP POST, DAVOSET, GoldenEye HTTP Denial Of Service Tool, Spike DDoS Toolkit

DNS flood attack

Consume all CPU or memory of a DNS server with a flood of requests.

zodiac, DNS Flood, Hyenae, Spike DDoS Toolkit

DNS amplification attack

Like Smurf or other amplification attacks, multiple public DNS servers receive spoofed queries and respond to a target.

Saddam, Tsunami, DDoS Attack

Note: Many of these tools can be used for multiple DoS attack types. You may find variants with different features.

DoS attack example

The following figure shows the command and output from a web server SYN flood generated from the hping3 tool.

Hping3 web server SYN flood

Note: You can search for Metasploit DoS modules at the msf console. For example, to search for DoS attacks that involve DNS, enter search type:auxiliary name:dos -S dns.

Stress Testing

Stress testing is a euphemism for conducting a denial-of-service attack against a target. You can use scripts, bots, or other tools to deliberately and intensively attack a server or service to see how it performs. Some stress testers simply flood the target with distributed denial-of-service (DDoS) traffic. Others are application-specific and simulate very high numbers of actual user requests. An administrator might use stress testing to ensure that a website can withstand attacks or abnormally high traffic.

Because the intent is to render the service non-functional, a pen tester would need authorization to stress test a production machine. Additionally, the client would need to understand the implications of stress testing live servers. There are many commercially available stress testing services and products available online. There are also several sites online that will rent you their illegal botnet for "stress testing" purposes. These sites charge a nominal price by the hour.