Thursday, 28 April 2016

DoS with Hping3



A denial of service (DoS) attack is a type of network attack that exhausts the network resources of the target in order to overwhelm the service it provides. As a result, the target's service may become unavailable to its users. The common targets are usually those that provide a service to the public, for example banking services, delivery services, etc.

But how could this happen? DoS can be conducted with many techniques; however, the intention is always the same: to flood the network of the target until it is exhausted and cannot serve legitimate users. The simplest way of flooding the target's network is to send it a huge number of packets in a short amount of time.

This time, I will show what I have learnt by conducting a simple DoS attack against one of my own virtual machines. The attack I used is ICMP packet flooding with spoofed source IP addresses. To do this, I need an application that can craft packets. Here I will use hping3 on Kali Linux. The command to execute the flooding is below:

# hping3 -c 100 --icmp --flood --rand-source target_IP
Notes:
· -c 100 specifies the number of packets to send; however, since we set --flood mode, far more than 100 packets will be sent, so you could omit the -c 100 option.
· --icmp means the packets sent are ICMP packets.
· --flood sends the packets as fast as possible, without waiting for replies, so a huge number go out in a short time.
· --rand-source spoofs the source IP address of each packet with a random address.

The screenshot below shows the execution of the command:

The output of the command shows that 1770552 packets were sent to the target. Now, the question is what happened on the target. The target's IP address is 192.168.28.145, on an Ubuntu virtual machine. During the test, I ran Wireshark and System Monitor on it. Now let's look at an excerpt from the packets that Wireshark captured.



The packet numbering reached 160490 ICMP echo requests and replies in just 7-8 seconds. Looking at some of the lines, the machine at 192.168.28.145 sent ICMP echo replies to many spoofed destination addresses. This shows how the spoofed source addresses from hping3 work: hping3 sends many ICMP echo requests with spoofed source IPs, and the target answers each request with an ICMP echo reply addressed to the spoofed source. Since the packet flow is huge and arrives in a short amount of time, it can exhaust the network resources. So if a legitimate user tries to contact the machine while the attack is occurring, they may experience a delay in service. That is basically how a DoS works.
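As an added example (not part of the original post, and not hping3's own code), the following Python detector shows how a defender would spot the flood described above in a packet log: it counts ICMP echo requests per target per second and checks how many distinct source addresses they came from, since --rand-source gives nearly every packet a fresh spoofed source. The log line format, the thresholds and the sample lines are all constructed assumptions.

```python
# Added example, not from the original post. Detects an ICMP echo-request
# flood with randomised spoofed sources in a simple packet log.
# Assumed line format: "<epoch_seconds> <src_ip> <dst_ip> <icmp_type>"
# (as one might export from a capture); thresholds are assumptions too.
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: one second of normal ping traffic, then 300 echo
# requests from 300 different source addresses in the next second.
# A real flood (1770552 packets in the post) would be far larger.
SAMPLE = "\n".join(
    ["1461800000.1 192.168.28.1 192.168.28.145 8",
     "1461800000.2 192.168.28.145 192.168.28.1 0"]
    + [f"1461800001.{i:03d} 10.{i // 256}.{i % 256}.{i % 7 + 1} 192.168.28.145 8"
       for i in range(300)]
)

def parse(line):
    ts, src, dst, itype = line.split()
    return int(float(ts)), ip_address(src), ip_address(dst), int(itype)

def detect_icmp_flood(text, rate_threshold=200, distinct_ratio=0.8):
    """Return one alert per (second, target) receiving at least
    rate_threshold ICMP echo requests (type 8) where the fraction of
    distinct source addresses is at least distinct_ratio. The rate alone
    catches a flood from a single host; the distinct-source ratio is what
    exposes --rand-source spoofing, since legitimate traffic rarely shows
    a new source address on almost every packet."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for line in text.splitlines():
        if not line.strip():
            continue
        sec, src, dst, itype = parse(line)
        if itype != 8:          # only echo requests count towards the flood
            continue
        counts[(sec, dst)] += 1
        sources[(sec, dst)].add(src)
    alerts = []
    for key, n in sorted(counts.items()):
        distinct = len(sources[key])
        if n >= rate_threshold and distinct / n >= distinct_ratio:
            alerts.append({"second": key[0], "target": str(key[1]),
                           "requests": n, "distinct_sources": distinct})
    return alerts

if __name__ == "__main__":
    for alert in detect_icmp_flood(SAMPLE):
        print(alert)
```

Tune rate_threshold to the normal ICMP rate of the host; the distinct-source check is what separates a spoofed flood from a single noisy but legitimate pinger.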



Here is the system monitor output of the machine:



In the network history section, we can see a huge increase in received and sent network traffic; this is when the attack was occurring. Now we know what a DoS is and how it works. A real attack would definitely be much more complex and harder to deal with directly, but with simple knowledge like this we can build up more experience in the future.

Reference:
http://www.hping.org/manpage.html
