Analyzing Denial-of-Service Attacks

This project is done by:

Reem Abd-Alhadi

Mohammed Tarawneh

Amer AbuShanab

Omar Al-Bustanji

​

​

​

Supervisor: Prof. Yazeed Ahmad Al-Sbou

​

TABLE OF CONTENTS:

1. Abstract
2. Objectives
3. Introduction
4. What is a DoS attack
5. List of attacks requirements
6. Ping of death
7. Syn Flood
8. ARP poisoning
9. HTTP Attack
10. DeAuthentication
11. RedTeamPython script
12. Conclusion

​

Abstract

This project aims to investigate different types of Denial-of-Service (DoS) attacks, such as Ping of Death, SYN flood, ARP poisoning, slow and fast HTTP attacks, and deauthentication attacks. The exploration is conducted using VirtualBox and Kali Linux. Furthermore, a Python script with five functions is developed using Scapy to simulate and evaluate potential vulnerabilities. These functions are port scanning, network scanning, slow HTTP, ARP poisoning, and deauthentication attacks.

Objectives:

• Explore various types of Denial-of-Service (DoS) attacks, including POD, SYN flood, ARP poisoning, slow and fast HTTP attacks, and deauthentication attacks.

​

• Utilize VirtualBox and Kali Linux along with their built-in tools to analyze and understand these DoS attacks.

​

• Develop a Python script with five distinct functions using Scapy to simulate and assess potential vulnerability.

​

Introduction

• Imagine this scenario: you're running a successful online business, serving hundreds or thousands of customers every day. Your website is your storefront, your primary means of reaching out to clients and generating revenue. Now, picture waking up one morning to find that your website is inaccessible, your customers unable to reach your services, and your revenue stream drop to a halt. This is the reality of a Denial of Service (DoS) attack.

​

• In this presentation, we will embark on a journey to understand the insidious nature of DoS attacks, their potential impact on businesses and individuals, the techniques employed by attackers, and most importantly, the strategies to mitigate and defend against such threats.

​

What is DoS Attack ?

• Definition:

​

• DoS is a cyberattack aiming to disrupt or suspend the services of a target system or network by overwhelming it with excessive traffic, rendering it inaccessible to legitimate users.

​

• Characteristics:

​

1. Disruption: DoS attacks aim to disrupt normal system functioning, causing downtime and service interruptions.
2. Availability: Attackers compromise the availability of services by flooding the target with excessive traffic, making them inaccessible.
3. No Unauthorized Access: Unlike other attacks, DoS doesn't involve unauthorized access but focuses on disrupting services.

​

• List of attacks requirements:

1-Virtualbox

​

2-Kali Linux

​

3-Windows 10

​

4-Metasploitable2 VM

​

5-Wireless card with monitor mode

​

​

​

​

6-Hping3

​

7-Slowhttptest,httperf

​

8-Airmon-ng,Airodump-ng,Aireplay-ng

​

9-WireShark

​

10-Nmap

​

​

​

​

Ping of Death

Ping of Death is a DoS attack where oversized or malformed ping packets are sent to crash or destabilize a target system or network.

IP fragments

Victim machine

Attacker

Ping of Death

….

Ping of Death packet

IP header

ICMP

header

ICMP

data

20 bytes

8 bytes

≥ 65.000 bytes

Attack setup and execution

• Use the following command

Options:

• -s : Sets the size of the packet

​

• -i : Specifies the interval between sending each packet

• CPU utilization before executing the attack :

• Result

• CPU utilization after executing the attack :

1. From the Windows firewall, we Add New Rule

to block the oversized ICMP packet requests.

2. Or we block the ICMP Echo Request.

1

2

Solution:

Using Wireshark to capture an incoming request after we added the Rule.

SYN Flood

A SYN Flood attack is a common form of Denial-of-Service attack that sends a large amount of  SYN requests to a server to overwhelm the open connections.

Hand Shaking

Hand Shaking involves three steps:

​

• A client sends a SYN (synchronize) message to a server, indicating a desire to establish a connection.

​

• The server acknowledges this request by sending a SYN-ACK message back to the client.

​

• The client responds with an ACK (acknowledgment), and the connection is officially established.

�

​

​

​

�

• In a SYN Flood attack:

​

• Attacker sends a barrage of SYN requests to a target server

�

• But intentionally avoids sending the final ACK

​

• This leaves the server waiting for a response that never comes, consuming resources for each of these half-open connections

Attack setup and execution

Options:

​

• sudo: to run as administrator.
• -V: verbose mode
• -d: specify the size of SYN packet which is 1360 bytes
• -S: to specify that the attack type
• -p: specify the victim machine port to attack
• --flood: to send as many packets as possible
• --rand-source to hide the IP address and send packets with random IP adresses

• Result

​

• If we go to the victim machine we found that CPU has been exhausted .
• The utilization of the CPU has reached his highest stages !

​

• If we try to access a web site, the browser keep loading.

Let's use Wireshark to analyze the incoming packet :

​

​

​

​

​

Solution:

• The repeated port number on the wireshark packets indicates that the problem is coming from this port !

​

• We can go to firewall and set some configurations

​

​

​

​

​

Now and after the port blocked by the firewall we can try the conecction stablity.

• After applying firewall configurations

ARP Poisoning

• ARP poisoning, also known as ARP spoofing ,is a type of cyber attack that involves manipulating the Address Resolution Protocol (ARP) cache of a computer or network device,and normally it is used in the man-in-the-middle attacks

​

• ARP stands for Address Resolution Protocol, It is a communication protocol used for mapping an IP address to a physical machine address

Original connection

Router

Victim machine

Attacker

New connection

New connection

Normal Man-in-The-Middle ARP poisoning attack

• Disable ipv4 forwarding

ARP response

ARP response

Attack setup and execution

• Script installation

​

• Use the following command

Options:

• -T : specify the type of the attack

​

• R : ARP poisoning option

​

• -A : Subnet IP address

1

2

3

• Result

Solution:

• Check for IP Tables arp -a

• Each device on the network has a unique MAC address, no two devices share the same MAC address

• Block the duplicate MAC address from the router configuration

HTTP attack

An HTTP attack, a form of cyber attack, attempts to exploit vulnerabilities in the Hypertext Transfer Protocol, targeting web applications, web servers, and users by manipulating or disrupting HTTP traffic. These attacks employ two techniques: slow and fast HTTP attacks

Slow HTTP Attack

Fast HTTP Attack

How slow HTTP attack works

Incomplete HTTP Request

Kali Linux

Metasploitable

Attack setup and execution

• NAT Network.

​

• Ifconfig

​

​

• namp 192.168.1.112

​

• In Windows 10 check the URL http://192.168.1.112

• To launch a slow http attack use the following command.

​

• using Wireshark to capture the incoming request.

​

Observation: �

• After 5 seconds.

​

• After 200 seconds.

​

Result�

JANE DOE

JOHN DOE

How Fast HTTP Attack Works

Kali Linux

Metasploitable (Data Base)

Metasploitable web app

Fast HTTP attack

Login to the DVWA web page by entering the:

• username: admin
• password: password.

​

​

​

Attack Setup and Execution

• Get a Variable from the (view page source)

​

• create the file

​

​

CPU utilization before executing an attack :

Execute httperf tool :

• The command:

​

• Install httperf tool:

​

CPU utilization after executing an attack :

• Result

Web application firewall

Install and Configure WAF

Use iptables for Basic Rate Limiting

Solution:

iptables is a tool that regulates incoming and outgoing network traffic. In Metasploitable, it can be configured to filter and control network packets based on specified rules to enhance security.

De-Authentication

A Deauthentication attack is a form of cyber attack that targets wireless networks ,works by sending Deauthentication frames to the target's device, forcing it to disconnect from the network,using a wireless card that supports monitor mode

​

What is a Deauthentication frame ?

• A Deauthentication frame is a management frame used in Wi-Fi networks by the IEEE 802.11 protocol to disconnect a client device from an access point or from a wireless network

​

• Attackers took advantage of deauthentication frames By flooding a wireless network with deauthentication frames causing denial of service and preventing legitimate users from accessing network resources

​

​

Monitor mode

Special operating mode in wireless network adapters, allowing them to passively monitor all wireless traffic on a particular channel without connecting with any specific access point or network

Airodump-ng

Aireplay-ng

Airmon-ng

BSSID Search

Launch attack

Enable monitor mode

Options:

​

• -0 deauth attack

​

• -a BSSID for the router

​

• Wlan0 : wireless card interface

• Result

​

• The device will continue to disconnect from the Wi-Fi network repeatedly until the attack is stopped

• Given that the deauthentication frame is a part of the 802.11 protocol, stopping deauth attacks can be challenging

​

​

• We suggest implementing the following measures to enhance network security and mitigate the impact of such attacks:

​

​

A-802.11w Protected Management Frames

​

B-WPA3 Encryption (Wi-Fi Protected Access 3)

​

​

​

​

Solution:

RedTeam Python Script

​

• RedTeam Python Script is a script designed to perform 5 types of penetration testing mechanisms and it can be applied to test different types of attacks on networks especially WI-FI networks

Why You Should Build Your Own Penetration Testing Tool?

​

​

• Creating your own penetration testing tool can be incredibly useful as it allows you to customize the tool according to your specific needs

​

• Developing a penetration testing tool can provide a deep understanding of various cybersecurity concepts, including network protocols, vulnerabilities, exploit techniques, and defensive strategies

Port

Scan

Network Scan

HTTP attack

ARP poisoning

DeAuthentication

Functions:

Script installation

• Script is available on github on the following url:

​

• https://github.com/AsoMoe/Red-Team-Python

Python libraries:

1-Scapy: it is a Python library that enables the user to send and forge network packets, allowing construction of tools that can attack networks

​

2-Socket: provides a set of functions for network programming, it allows you to make connections with any devices or server

​

3-Subprocess: allows you to run system commands from within a Python script and capture their output

​

4-optparse:This library helps in parsing command-line options and arguments

OPTIONS:

• -T, --Type: to specify the type of operation.

​

• PS or PortScan: triggers the port scanning function.

​

• NS or NetScan: triggers the network scanning function.

​

• H or HTTP: performs a slow HTTP attack.

​

• R or ARP: performs the ARP poison attack.

​

​

​

• D or Deauth: performs the Deauth function.

​

• -A, --Addr: specify the IP address of the victim

​

• -s, --SocketNumber: to specify the number of sockets to establish.

​

• -i, --interface: to specify the network interface.

​

• -1, --P1:starting port

-2, --P2:ending port

​

​

​

• Code sample

1-Port Scan

2-Network Scan

3-ARP poisoning

4-HTTP attack

5-DeAuthentication

• Run sample

Conclusion:

• In conclusion, this project aimed to understand various denial-of-service attacks in a controlled environment while considering ethical implications

​

• We explored ICMP attacks like Ping of Death, advanced attacks like ARP poisoning and web server assaults such as fast and slow HTTP attacks, and concluded with deauthentication attacks on Wi-Fi networks.

​

• Alongside using built-in tools in Kali Linux, we developed a Python script to enhance learning, covering functionalities like port scanning, network scanning, ARP poisoning, slow HTTP attacks and deauthentication attacks.

Thanks!