Denial of Service (DoS)

Theory

There are two distinct types of denial of service:

Denial of Service (DoS): using a single machine, a DoS attack reduces or prevents accessibility of service for its users. It usually does so by flooding the targeted machine with a consequent amount of requests to overload the system or by exploiting logic flaws that make the target server compute way too much.
Distributed Denial of Service (DDoS): a DDoS attack has the same goal as the DoS attack. Except it uses a multitude of compromised machines to cause a denial of service and usually relies on flooding rather than finding and exploiting logical flaws.

There are various ways to cause a denial of service by flooding such as:

MAC flooding: flooding a switch with packets using different source MAC addresses.
ARP poisoning/spoofing: linking multiple IP addresses with a single MAC address (to a target).
Slow HTTP: sending HTTP requests in a slow and fragmented way, one at a time.
File upload: exhausting the back-end system's disk space and network bandwidth by uploading lengthy files. Also, uploading a file that will be interpreted in the back-end could cause a DoS, if the file uploaded is malicious and its goal is to overload the system.
ICMP flood: flooding the targeted machine with an overwhelming amount of ICMP requests.

The list is not exhaustive however, one can keep in mind that multiple categories exist, presenting a different approach for conducting a DoS attack: bandwidth, packets, TCP-related components, application layer, etc.

Testing for DoS in engagements can be useful for detecting applications and configurations vulnerabilities, by then providing the client with possible mitigation to prevent DoS attacks.

Practice

Websites

hping3 is a tool for firewall testing, OS fingerprinting, port scanning, etc. (see manual). What's interesting is its DoS testing capabilities. More examples on hping3.

The command sends a huge amount of packets with random source addresses to stress firewall state tables and other dynamic tables (IP based) within the TCP/IP stacks and firewall software.

hping3 --rand-source --flood $TARGET_IP

The command sends a huge amount of SYN packets with a specified port.

hping3 -S --flood -V -p $TARGET_PORT $TARGET_IP

Other specialized tools can be used such as Hulk and GoldenEye.

hping3, Hulk, and GoldenEye should be used with care and in specific cases. The number of requests they can send could crash the targeted system.

Directory fuzzing is a key step during the reconnaissance phase. Depending on the number of threads used, a DoS could happen. Here's an example using Feroxbuster.

feroxbuster -H "User-Agent: PENTEST" -w $WORDLIST -u $TARGET_IP -t $THREADS

Resources

What Is a Distributed Denial of Service (DDoS) Attack? | NETSCOUTNETSCOUT

9.1 DoS/DDoS Concepts · CEH_v9

Denial of Service - OWASP Cheat Sheet Series

DoS Attack: Testing denial of service during a pentest?VAADATA - Ethical Hacking Services

Long password denial of service - Vulnerabilities - AcunetixAcunetix

PreviousInsecure Cookies NextIdentity and Access Management

Last updated 9 months ago