Denial of Service (DoS) attacks have been orchestrated by threat actors ranging from nation-states to vigilante groups. Testing your own systems for denial of service weaknesses improves your security posture and can prevent, or at least raise the cost of, these attacks.
Denial of Service is a condition in which a host or application is made unusable or unavailable to legitimate users, most often by an excess of traffic (or of expensive requests) sent intentionally from a single source.
A Distributed Denial of Service (DDoS) attack floods the victim with traffic from many sources at once, which makes it far harder to filter or block; attack volumes of more than 1.5 Tbps have been observed.
A well-known example is the October 2016 attack on DNS provider Dyn, which disrupted name resolution for sites across Europe and North America. The traffic came from a botnet of Linux-based IoT devices (including IP cameras, residential gateways and baby monitors) infected with the Mirai malware. These poorly secured devices sent a flood of data to Dyn that peaked at 261 Gbps and overwhelmed its servers.
A successful DoS attack is bad news, but several open-source tools let you test your own exposure before an attacker does. We'll review three denial of service testing tools that you could add to your vulnerability assessment toolkit.
hping3 is an open-source packet crafting tool (shipped with Kali Linux) that lets you choose the packet type (TCP, UDP or ICMP), set individual header fields and flags, and control the send rate down to a microsecond interval between packets (for example, -i u1000 sends one packet every millisecond). Billed by its author as an "Active Network Smashing Tool", it can simulate SYN, UDP and ICMP floods directly, and because the payload can be filled from a file it can also carry a crafted HTTP GET or POST request for web application tests.
Beyond DoS simulation, hping is a general-purpose network security tool that is also used for the following:
- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stacks auditing
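The most useful DoS test with hping3 is not a blind flood but a rate-controlled SYN probe whose replies you actually read: as you raise the packets-per-second, the point at which SYN/ACKs stop coming back tells you where the target (or something in front of it) starts dropping connections. The following Python wrapper is an added example written for this article; it is not part of hping3. It assumes hping3 is installed, that it runs as root (raw sockets), and that you are authorized to test the target. The helper names are my own, and the hping3 output used for the offline demo is constructed.

```python
"""Drive hping3 as a rate-controlled SYN probe and interpret its replies.

Added example for this article; it is not part of hping3 and the function
names are my own. It assumes hping3 is installed, that you run it as root
(raw sockets), and that you are authorized to test the target.
"""
import re
import shlex
import subprocess


def interval_flag(pps: int) -> str:
    """hping3 takes the send interval in microseconds: '-i u1000' is 1 packet/ms."""
    if pps <= 0:
        raise ValueError("pps must be positive")
    return f"u{max(1, 1_000_000 // pps)}"


def syn_probe_cmd(target, port=80, pps=100, count=1000, rand_source=False):
    """Build a SYN probe at a controlled rate.

    -S             set the SYN flag
    -p PORT        destination port
    -c N           stop after N packets
    -i uN          wait N microseconds between packets (rate control)
    --rand-source  random spoofed source addresses; replies go elsewhere, so use
                   it only to exercise the target's SYN-flood handling, not to
                   measure responses
    """
    cmd = ["hping3", "-S", "-p", str(port), "-c", str(count), "-i", interval_flag(pps)]
    if rand_source:
        cmd.append("--rand-source")
    cmd.append(target)
    return cmd


# One line per answered probe, in hping3's reply format, e.g.
# len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=64240 rtt=0.6 ms
REPLY_RE = re.compile(
    r"^len=\d+ ip=(\S+) .*?flags=([A-Z]+) seq=(\d+) .*?rtt=([\d.]+) ms"
)


def summarize(output: str, sent: int) -> dict:
    """Classify replies: SA means the port is open and the target still answers,
    RA means it reset the SYN, and a missing seq means the probe was dropped or
    rate limited, which is the signal you watch for as the pps is raised."""
    seen, rtts = set(), []
    counts = {"SA": 0, "RA": 0, "other": 0}
    for line in output.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue
        _ip, flags, seq, rtt = m.groups()
        seen.add(int(seq))
        counts[flags if flags in counts else "other"] += 1
        rtts.append(float(rtt))
    return {
        "sent": sent,
        "answered": len(seen),
        "unanswered": sent - len(seen),
        "syn_ack": counts["SA"],
        "rst": counts["RA"],
        "other": counts["other"],
        "avg_rtt_ms": round(sum(rtts) / len(rtts), 2) if rtts else None,
    }


def run_probe(target, port=80, pps=100, count=1000) -> dict:
    """Run hping3 and summarize what came back (stdout and stderr both parsed)."""
    cmd = syn_probe_cmd(target, port, pps, count)
    print("running:", shlex.join(cmd))
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return summarize(proc.stdout + proc.stderr, count)


# Constructed hping3 output for the offline demo: 5 probes sent, 3 answered.
SAMPLE_OUTPUT = """\
HPING 10.0.0.5 (eth0 10.0.0.5): S set, 40 headers + 0 data bytes
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=64240 rtt=0.6 ms
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=64240 rtt=0.8 ms
len=46 ip=10.0.0.5 ttl=64 DF id=0 sport=80 flags=RA seq=3 win=0 rtt=1.0 ms
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(run_probe(sys.argv[1], port=int(sys.argv[2]) if len(sys.argv) > 2 else 80))
    else:
        print(summarize(SAMPLE_OUTPUT, sent=5))
```

Run it several times with increasing pps and compare the unanswered count and average RTT between runs; a jump in unanswered probes at a given rate is the threshold you report. Note that --rand-source is deliberately left out of run_probe: spoofed sources never receive the SYN/ACK, so the summary would be meaningless for that mode.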
HULK (HTTP Unbearable Load King) is a web server DoS attack tool created by security researcher Barry Shteiman. It is designed to bypass caching layers and hit the server's own resource pool with a high volume of "unique and obfuscated traffic". HULK is written in Python and has been ported to other languages, including Go.
HULK was built on the premise that many DDoS tools produce an easily observable pattern, which makes detection and mitigation straightforward. HULK instead gives every request it sends a unique value. The specific techniques, as listed on the project's site, are:
- Source client obfuscation – For every request that is constructed, the User Agent is a random value out of a known list.
- Reference forgery – The referrer that points at the request is obfuscated and points into either the host itself or a pre-listed website.
- Stickiness – Use a standard HTTP command to ask the server to maintain open connections by using Keep-Alive with a variable time window.
- no-cache – A server that is not behind a dedicated caching service presents a unique page.
- Unique URL transformation – Custom parameters are randomized and attached to each request, rendering it unique and causing the server to process the response.
HULK also has a "safe" mode that stops the attack as soon as the target stops responding, so the test can be controlled in a lab setting. Some firewalls, including Palo Alto Networks devices, ship specific signatures for HULK traffic, so this tool becomes a weaker option as more vendors adopt such rules.
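The same traits that make HULK traffic hard to cache make it easy to profile in an access log, which is what those vendor signatures effectively do. The following detector is an added example written for this article; it is not HULK's code and not any vendor's rule. It parses Apache/nginx combined-format lines and flags a source that both rotates User-Agents and sends a fresh query string on nearly every request. The log lines are constructed for the demo (203.0.113.9 plays the HULK source, 198.51.100.7 an ordinary visitor, www.example.com the target), and the thresholds are my own starting values, to be tuned against real traffic.

```python
"""Spot HULK-style traffic in a web server access log.

Added example for this article; it is not HULK's code and not a vendor
signature. It scores each source on the traits HULK advertises: User-Agent
churn, referer forgery and a unique query string on every request. The log
lines below are constructed for the demo and the thresholds are my own.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \d+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def profile(lines):
    """Per-source counters: requests, distinct UAs, referers and query strings."""
    stats = defaultdict(
        lambda: {"requests": 0, "uas": set(), "referers": set(), "queries": set()}
    )
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["uas"].add(rec["ua"])
        s["referers"].add(rec["referer"])
        query = urlsplit(rec["path"]).query
        if query:
            s["queries"].add(query)
    return stats


def suspects(lines, min_requests=20, min_distinct_uas=4, query_ratio=0.8):
    """Return sources that rotate User-Agents AND send a fresh query string on
    (almost) every request. HULK picks its UA from a short list, so an absolute
    count works better than a per-request ratio for that feature."""
    flagged = {}
    for ip, s in profile(lines).items():
        n = s["requests"]
        if n < min_requests:
            continue
        if len(s["uas"]) >= min_distinct_uas and len(s["queries"]) / n >= query_ratio:
            flagged[ip] = {
                "requests": n,
                "distinct_uas": len(s["uas"]),
                "distinct_queries": len(s["queries"]),
                "distinct_referers": len(s["referers"]),
            }
    return flagged


HOST = "www.example.com"  # constructed target hostname
UAS = [  # a short rotation list, like HULK's
    "Mozilla/5.0 (Windows NT 10.0) Firefox/91.0",
    "Mozilla/5.0 (X11; Linux x86_64) Chrome/92.0",
    "Mozilla/5.0 (Macintosh) Safari/605.1",
    "Opera/9.80 (Windows NT 6.1) Presto/2.12",
    "Mozilla/5.0 (iPhone) Mobile/15E148",
    "Mozilla/5.0 (Android 11) Chrome/91.0",
]


def sample_log():
    """Constructed log: 40 HULK-style hits, then 40 ordinary page views."""
    lines = []
    for i in range(40):
        # referer forgery: alternate between the host itself and a search engine
        referer = f"http://{HOST}/" if i % 2 else f"http://www.google.com/?q={i}"
        lines.append(
            f'203.0.113.9 - - [21/Oct/2016:12:00:{i % 60:02d} +0000] '
            f'"GET /?{i}abc={i * 7919} HTTP/1.1" 200 5120 "{referer}" "{UAS[i % len(UAS)]}"'
        )
    for i in range(40):
        lines.append(
            f'198.51.100.7 - - [21/Oct/2016:12:01:{i % 60:02d} +0000] '
            f'"GET /page{i % 4}.html HTTP/1.1" 200 2048 "http://{HOST}/" "{UAS[0]}"'
        )
    return lines


if __name__ == "__main__":
    for ip, info in suspects(sample_log()).items():
        print(ip, info)
```

Feed it a real log with `suspects(open("access.log"))`. The query-string feature is the discriminating one: a legitimate browser behind a NAT can produce several User-Agents from one address, but it will not send a never-before-seen query string on 80% of its requests.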
GoldenEye is an open-source HTTP DoS testing tool based on HULK. It holds connections open with HTTP Keep-Alive requests, creating the illusion of a flood of active users who connect to the target and, most importantly, stay connected, which exhausts the server's pool of available connections. GoldenEye should be used for stress testing a given application or web service.
These three tools are only the beginning for DDoS testing. Coming up, we will provide an in-depth analysis of each of these tools, including test cases, packet captures, best/worst use cases for each tool, and much more.