| Denial of Service is a condition caused by an excess of traffic intentionally sent from a single host to a victim host or application that is either unusable or unavailable to legitimate users. |
| Distributed Denial of Service (DDoS) attack floods the victim with traffic from multiple sources, making it particularly difficult to stop; the amount of traffic can be over 1.5 Tbps. |
In October 2016, a vicious attack against DNS provider Dyn caused widespread chaos in North America and Europe. Using a botnet of Linux-based devices infected with the Mirai malware, unsecured IoT devices, including cameras, baby monitors, and residential gateways, sent an enormous amount of data to Dyn, resulting in a crippling 261 Gbps peak and the crashing of their servers.
Although a successful DoS attack can mean bad news, multiple open-source tools are available for detecting your vulnerability to Denial of Service (DoS) attacks. We’ll review three denial of service testing tools that you could add to your vulnerability assessment toolkit.
1. hping3
hping3, a Kali Linux open-source packet crafting tool, allows the type of packet to be set (TCP, UDP, and ICMP), as well as the speed at which to send them. hping3 enables the user to finely tune the speed of the packets being sent using a microsecond interval. This Active Network Smashing Tool simulates DoS attacks specifically and allows for the creation of HTTP GET and POST requests for web application attacks.
hping itself is a security tool that is also used for the following:
- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stacks auditing
2. HULK
HULK (Http Unbearable Load King) is a web server DDoS attack tool created by security researcher Barry Shteiman to bypass caching and hit the server’s direct resource pool with a high volume of “unique and obfuscated traffic.” HULK is written in Python but has been ported to other languages such as Golang.
HULK was created on the premise that many DDoS tools use an easily observable pattern, thus making detection and mitigation an easier task. HULK creates a unique value for each request being sent. Specific techniques used include the following, as listed as on their website:
- Source client obfuscation – For every request that is constructed, the User Agent is a random value out of a known list.
- Reference forgery – The referrer that points at the request is obfuscated and points into either the host itself or a pre-listed website.
- Stickiness – Use a standard Http command to ask the server to maintain open connections by using Keep-Alive with a variable time window.
- no-cache – A server that is not behind a dedicated caching service presents a unique page.
- Unique URL transformation – Custom parameters are randomized and attached to each request, rendering it unique and causing the server to process the response.
HULK also has a “safe” option to kill the process and control the attack in a lab setting. Some firewalls, including Palo Alto, have specific settings to defend against HULK attacks, making this method a weaker option as time progresses and more vendors adopt these rules.
3. GoldenEye
GoldenEye is an open-source, Http DDoS attack testing tool based on HULK. This tool sends keep-alive packets to a given host, creating the illusion of a flood of active users connecting—and most importantly staying connected—to a targeted host. GoldenEye should be used for stress testing a given application or web service.
By incorporating these three tools into your vulnerability assessment toolkit, you can take the first step towards fortifying your organization's security posture against DDoS attacks. However, regular DDoS testing is crucial for continued protection against the ever-evolving threat landscape, reducing the risk of downtime, reputational harm, and financial losses caused by cyber attacks.
Want more? Read...
