DDoS Attack Explained | How to Perform DOS Attack | Ethical Hacking and Penetration Testing
Summary
TLDRIn this educational video, the presenter demonstrates a Distributed Denial of Service (DDoS) attack using a Windows Server 2019 configured as a web server with an IP address of 10.10.10.8. They begin by showing the server's stable performance metrics, then proceed to illustrate the attack's impact by sending continuous ping commands with increased packet sizes. The video explains how attackers can coordinate from multiple devices or use botnets to overwhelm targets. It also touches on the difficulty of identifying the source of such attacks and mentions alternative attack vectors like SYN flooding, using tools like hping3 to simulate the attack and demonstrate its potential to disrupt server performance.
Takeaways
- π» The video demonstrates a DDoS attack on a Windows Server 2019 configured as a web server with IIS.
- π The server's IP address is 10.10.10.8, and it shows stable performance with low CPU and memory utilization before the attack.
- π A simple ping command can be used to launch a DDoS attack by sending continuous pings with large packet sizes.
- π The ping command uses ICMP protocol, which might be blocked by firewalls, prompting attackers to find alternative methods.
- π€ Botnets can be used to amplify DDoS attacks by coordinating multiple devices to target a single IP address.
- π Identifying the perpetrator of a DDoS attack can be challenging, especially when botnets are involved.
- π SYN flooding is a type of DDoS attack that overwhelms a server by sending numerous SYN packets to establish connections.
- π οΈ hping3 is a tool used to perform SYN flooding attacks, which can be executed from the Kali Linux operating system.
- π The video shows how SYN flooding can cause a significant spike in network and CPU utilization, potentially taking down a server.
- π₯ DDoS attacks are often carried out by groups of attackers targeting a single IP to maximize the impact and overwhelm the target's resources.
Q & A
What is the main topic of the video?
-The main topic of the video is a demonstration of a Distributed Denial of Service (DDoS) attack.
What server is used for the demonstration?
-A Windows Server 2019 configured as a web server running with IIS is used for the demonstration.
What is the IP address of the machine used in the demonstration?
-The IP address of the machine used in the demonstration is 10.10.10.8.
What was the initial CPU utilization percentage of the server before the attack?
-The initial CPU utilization percentage of the server was between 5% and 7%.
What was the initial network utilization before the attack?
-The initial network utilization was very low, as indicated by the script.
How is a simple ping command used to demonstrate an attack?
-A simple ping command is used to demonstrate an attack by producing continuous pings with the -t option and increasing the packet size to the maximum supported by the ping command.
What is the purpose of using a large packet size in the ping command?
-Using a large packet size in the ping command is intended to increase the network traffic and potentially overwhelm the target's network resources.
What is the significance of the attackers using multiple devices to launch an attack?
-Using multiple devices to launch an attack amplifies the impact and makes it more difficult for the target to mitigate the attack, as it simulates a larger number of legitimate users or systems.
What is a botnet and how is it related to DDoS attacks?
-A botnet is a network of compromised devices that can be remotely controlled to perform actions, such as launching DDoS attacks, by sending commands to all devices in the network simultaneously.
Why is it challenging to find the real perpetrator of a botnet-based DDoS attack?
-It is challenging to find the real perpetrator of a botnet-based DDoS attack because the attack is distributed across many devices, often without the knowledge of their owners, making it difficult to trace back to the original attacker.
What is a SYN flood attack and how does it work?
-A SYN flood attack is a type of DDoS attack where an attacker sends a large number of SYN packets to the target, causing the target to exhaust its resources in attempting to establish connections, thereby denying service to legitimate users.
What tool is mentioned in the script for performing a SYN flood attack?
-The tool mentioned for performing a SYN flood attack is hping3, which is commonly used in Kali Linux operating system.
How does increasing the packet size in a SYN flood attack affect the target?
-Increasing the packet size in a SYN flood attack can consume more resources on the target, potentially causing a greater impact on the network and system performance.
Outlines
π Demonstration of a DDoS Attack
This paragraph introduces a video demonstration on DDoS (Distributed Denial of Service) attacks. The presenter has set up a Windows Server 2019 with IIS to act as a web server, with an IP address of 10.10.10.8. The server's performance is stable, with CPU and memory utilization at 5-7% and 65% respectively, and minimal network utilization. The demonstration proceeds with a simple ping command to show how even a basic command can be used to launch an attack. The presenter increases the packet size to the maximum supported by ping, which is 65500 bytes, to simulate a high volume of traffic. The video explains that while a single computer's attack might not be significant, attackers often use multiple devices or botnets to overwhelm the target, making it difficult for forensic investigators to trace the real attacker. The paragraph concludes by mentioning that while ICMP (Internet Control Message Protocol) packets used by ping might be blocked by firewalls, attackers can still use other methods to launch attacks, such as targeting specific ports like 80 or 443.
π‘ Exploring SYN Flooding in DDoS Attacks
The second paragraph delves into a specific type of DDoS attack known as SYN flooding. SYN packets are part of the TCP handshake process used to establish a connection. The video demonstrates how an attacker can flood a target with SYN packets, causing the target's resources to be consumed as it tries to manage the half-open connections. The tool used for this demonstration is hping3, a popular tool in Kali Linux, which allows the specification of packet size, number of packets, and the type of attack (in this case, SYN flooding). The presenter targets port 80, which is commonly used for web traffic, and shows how the network traffic and CPU utilization spike significantly during the attack. The video concludes by emphasizing that successful DDoS attacks often require a substantial amount of resources, which is why attackers often collaborate in groups to target a single IP. The paragraph ends with a teaser for upcoming videos that will cover more topics related to DDoS attacks.
Mindmap
Keywords
π‘DDoS Attack
π‘Windows Server 2019
π‘IIS
π‘IP Address
π‘CPU Utilization
π‘Memory Utilization
π‘Network Utilization
π‘Ping Command
π‘ICMP Protocol
π‘Botnet
π‘SYN Flooding
π‘hping3
Highlights
Introduction to a practical demonstration of a DDoS attack.
Use of Windows Server 2019 configured as a web server with IIS.
IP address of the web server is 10.10.10.8.
Performance metrics of the web server show stable CPU and memory utilization.
Demonstration of how a simple ping command can be used to launch an attack.
Explanation of the impact of continuous ping commands on network traffic.
The concept of attackers launching attacks from multiple devices simultaneously.
Discussion on the difficulty of attributing blame in botnet-based DDoS attacks.
Mention of the 'Ping of Death' attack and its limitations due to firewalls blocking ICMP.
Introduction to SYN flooding as a method of DDoS attack.
Explanation of the role of the SYN flag in TCP connection establishment.
Use of hping3 tool for performing SYN flooding attacks.
Command structure for hping3 to target a specific port with SYN packets.
Observation of resource consumption on the target during SYN flooding.
Impact of increasing packet size on the effectiveness of the attack.
Conclusion on the necessity of substantial resources for successful DDoS attacks.
Overview of how attackers coordinate group efforts to bring down targets.
Closing remarks andι’ε of upcoming videos on related topics.
Transcripts
00:00welcome back so in this video we will
00:02discuss on the ddos attack
00:05so we'll see the practical demonstration
00:07on the ddos attack
00:10so here for this demonstration i have a
00:13web server or have configured this
00:15windows server 2019 as a web server it
00:17is running with iis
00:19and
00:20i'll also
00:22note down the ip errors of this machine
00:28so this machine's ips for 10.10.10.8
00:33and also i'd like to check the
00:37performance of this machine so the
00:39performance is quite stable
00:42and cpu utilization is just five percent
00:44seven percent and memory utilization is
00:47just sixty-five percent and the network
00:50utilization also is a
00:52very big uh very little
00:54and now
00:55we'll uh
00:56proceed with the attack and this attacks
00:58can be even launched with a simple ping
01:01command also
01:02i can just use the simple
01:05ping commands
01:08so let me increase the font size so it
01:12should be visible
01:14better visible for you
01:17okay so
01:18so usually we used to uh
01:21ping the
01:23uh
01:24destination to know whether you are
01:26getting the response
01:28so you can see the response it is using
01:31only 32 bytes
01:33so which will not create any big impact
01:36in your
01:38network traffic but still
01:41the
01:41using the simple ping command itself we
01:44can use we can
01:45uh attack the target
01:47by
01:49producing continuous ping by using
01:51hyphen t
01:52and also we can define the length of the
01:55packet so usually it is taking 32 bytes
01:58here i am going to
02:00give
02:01something around 50 65
02:03500 bytes so this is the maximum
02:06number of byte which supports in the
02:08ping so usually when uh when you use the
02:11ping command it is going to use the icmp
02:13protocol so let me try this
02:17and again
02:19with a single
02:20ping operation will not get much
02:25difference so let me repeat the command
02:30multiple times
02:32we'll verify here and here you can see
02:36the traffic utilization goes up
02:39so it goes up beyond uh
02:41uh i think
02:43it is it is going beyond
02:464 mbps
02:48so
02:49from a single computer if you are
02:51targeting uh this attack obviously you
02:53cannot bring down the target
02:55so where uh usually the attackers what
02:57they will do is they will plan this
02:59attack uh
03:01to be launched from
03:03multiple devices
03:04so maybe a group of
03:07attackers will
03:09will start attacking this at the same
03:11time
03:12or you can even they can also
03:15do by spreading a botnet into the public
03:20internet and uh
03:22at a particular time when they want to
03:24launch the attack so they will
03:26send the instructions to the botnet to
03:29launch the attack so immediately all the
03:31botnets uh maybe the botnets will be uh
03:35installed in any of the internet users
03:38computers so from there even lacks of
03:40your devices or
03:42multiple lacks of devices may get
03:44compromised with this kind of botnets so
03:47through which they can launch this
03:48attack so obviously with this uh
03:53this kind of ping attack itself the
03:56target can be brought down
03:58uh again and this kind of for
04:00botnet-based dos attacks uh even finding
04:03the a real perpetrator that is the real
04:07attacker is going to be a hard
04:10hard thing for the in forensic
04:13investigators but still
04:15it will take long time but finally we
04:18can
04:18find the
04:19person who initiated this attack
04:23and even
04:26we can also launch attack through some
04:28other options so the there
04:31since uh when you are using the ping
04:33command it is using the icmp packet so
04:36most of the organizations they might
04:38have blocked the icmp in the firewall
04:40itself so by uh by
04:43pig of death attack so whatever we have
04:45done here is the peak of death attack so
04:47by performing the ping ping of
04:50death attack is not going to be possible
04:52in these cases
04:53so even attackers may find some other
04:56solutions if your any web server is
04:57hosted obviously port 80 or 443 is going
05:00to be open
05:02so through that port the attackers may
05:04flood the packets so they may flood the
05:07ac
05:08packets or they may flood the syn
05:10packets or more
05:11so here i'll show you how to perform the
05:14uh syn attack
05:16so that is syn flooding
05:18so syn flooding uh i believe you know in
05:21the previous videos we have discussed
05:23about the uh tcp flags where the syn syn
05:26flag is used for establishing the
05:28connection
05:30so where attacker may send many uh
05:34syn packets to the tag and so through
05:36which the
05:37target can be brought down
05:39and now uh
05:41for for using this uh syn flooding we
05:44can also use a tool called hping3 which
05:47is a famous tool in uh
05:49kali linux operating system so we can
05:52use this hping3 command
05:54hp3 is basically the command and hyphen
05:58v is to
05:59get the web browse output and hyphen
06:02c is to define the
06:04size of the packet
06:06and hyphen d is to define the uh no i'm
06:10sorry hyphen
06:11d is to
06:12define the
06:14size of the packet and hyphen c is to
06:16define the number of packets that has to
06:18be sent
06:19and hyphen s is to define the
06:22syn flooding that is to define the syn
06:25packet
06:26and hyphen p is to define the port and
06:29here i want to target the port h0
06:32and again hyphen iphone flood and
06:35finally the target ip
06:37so by giving this command we can
06:42consume more resource of the target let
06:44me see what
06:46happens and here we can see we are not
06:49able to access the virtual machine
06:51itself
06:53so let me stop this command
06:56by pressing ctrl c we can stop the
07:00proceeding of the command and here you
07:02can see the network traffic was
07:05utilizing up to 11 mbps
07:07and even you can also see the cpu
07:10utilization went high
07:12now let us try to
07:15increase the
07:17packet size
07:19so
07:20let me add one zero
07:24so we'll just wait for few seconds
07:27then let me stop
07:29let me go to the virtual machine again
07:31you can see so there is a huge spike
07:34and even in the network utilization also
07:36you can see there is a huge spike
07:39so by doing this continuously obviously
07:42to uh
07:44get a success in this kind of attacks
07:46you need to have a huge amount of
07:48resource so basically the results should
07:50be higher than the target
07:52so in that cases most of them attackers
07:54so they'll be
07:56doing this as a group a group of
07:58attackers will be targeting one
08:00particular ip so through which they can
08:02bring down the target so this is how
08:05they uh launch the ddos attacks
08:09and that's all for this demonstration so
08:12we'll discuss the rest of the topics in
08:14the upcoming videos until then bye
Browse More Related Video
DDoS Attack | DDoS Attack Explained | What Is A DDoS Attack? | Cyber Attacks Explained | Simplilearn
How to configure DHCP server | DHCP server configuration step by step
Unir un cliente Windows 10 a un dominio en Windows Server 2019
How To Make Your Own Minecraft Server With Eaglercraft!
Advanced Wireshark Network Forensics - Part 3/3
Deauthentication - N10-008 CompTIA Network+ : 4.2
5.0 / 5 (0 votes)