Hacking by Solis Tech: How to Hack Computers, Basic Security and Penetration Testing (2014)
Chapter 21: Understanding a Denial of Service Attack
At this point, you know that there are a lot of things that a hacker can do once he is able to set up shop inside your port. You are now aware that apart from hacking Wi-Fi passwords, hackers can also prevent users from using their own connection. Now, take a look at another attack that hackers love to perform against target users: the DoS attack.
What is DoS?
DoS simply means Denial of Service – as its name implies, its goal is to prevent users from making use of any server or access point. It is also fairly straightforward and simple to do – all you need to launch this type of attack is to find the service that you want to exploit, and then overwhelm it with packets until you bring it down.
DoS attacks are very dangerous to networks of computers – if your job entails maintaining network security, you would find that a DoS attack is very similar to flooding a house, which means that the longer it takes you to stop it, the more damage it does to the network that you are maintaining. Users on the network would have no means to access the targeted service because the firewall state service is overwhelmed. DoS attacks can also cause reboots or may even lock up entire computer systems.
When several network connections are used to launch the attack, it becomes a distributed denial of service (DDoS) attack. That means that the flood of information to a targeted service may arrive at great speed, thanks to bots or other hackers that are sending thousands of packets at the same time.
How Hackers Perform This Attack
All that a hacker needs to have to perform a DoS attack is a computer, a wireless adapter, and software called Kali Linux. Take note that Kali Linux is distributed as an .iso, so make sure that you burn it to a CD first.
Now that you have your tools ready, follow these steps to perform a DoS attack on a wireless LAN:
1. Pull up Kali Linux and select aircrack-ng from the Top 10 Security Tools tab.
Once you pull up a fresh terminal, check if your wireless adapter is functioning. To do this enter the following command:
After doing this, you may see that your wireless adapter is set as wlan0.
2. Place the wireless adapter in monitor mode.
Key in the command “airmon-ng start wlan0”.
3. Monitor all available access points and find your target service.
You will need to find the BSSID of the access point that you want to attack and copy it, along with the channel of the access point that it is using. To do this, enter the following command:
4. Connect to the target access point.
If you are able to connect to the access point, you would be able to see that at the bottom of the screen. You can use the following command to connect to the access point:
airodump-ng mon0 --bssid (BSSIDaddress) --channel (access point’s channel)
5. Get the MAC address of the target.
Now that you are connected to the target access point, you would need to get the MAC address of the target access point. Copy the MAC address that you see right beside the BSSID of the target that you just connected to.
6. Do a broadcast deauthentication.
This is similar to the step that you did in the earlier chapter – you would be bumping the users off the access point in order to deny service to them. To do that, you would need to send out thousands of deauthentication frames to the target access point until it breaks down.
Pull up a fresh terminal and enter the following command:
aireplay-ng --deauth 1000 -a (BSSID) -h (MAC Address) mon0
7. Keep sending packets if the service has still not broken down. Take note that this can be a long process, but once the service is no longer able to contain the incoming traffic of packets, all users that are trying to connect to the access point would not be able to log in, or would get disconnected immediately.
Now, you might notice one behavior exhibited by hackers when they choose their targets and launch their attacks: they always do a scan of the targeted system’s vulnerabilities. In the example above, you noticed that you were scanning for the connection names of your target so that you would know which access point to hit. In other DoS attacks, they search for open ports that are vulnerable to accepting incoming traffic.
What will happen when attackers know the ports of your system? Getting your hands on that knowledge means being able to identify all the services that your computer has, and the exact location of your computer’s vulnerability. Open ports welcome traffic because they are unsecured, and immediately signal to any hacker who happens to be in the area that it’s fine to launch thousands of packets in.
Here is some good news if you are worrying about open ports: it is possible for you to know that someone is poking at your open ports through the use of an Intrusion Detection System (IDS). These tools are normally used by websites and commercial servers, and they function as an alert system for system administrators whenever too many packets are being bounced in and out of ports, which is a telltale sign of a port scan. An IDS is normally equipped with threshold-level alerts, which means that system admins are immediately alerted when waves of packets are being sent to their ports. When you get an alert that someone is flooding any of your services, then you know that it is time to investigate your traffic.
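To make the threshold-alert idea concrete, here is an added example (it is not code from the book) of the kind of logic an IDS applies. It reads flow records, flags a source that touches many distinct destination ports inside a short window (the port-scan signature), and flags a destination port that receives a burst of bare SYNs inside one second (the half-open connection pattern of a flood). The record format, the addresses, the thresholds and the sample traffic are all assumptions constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    ts: int        # packet timestamp in whole seconds
    src: str       # source address
    dst: str       # destination address
    dport: int     # destination port
    flags: str     # TCP flag letters, e.g. "S" for a bare SYN, "SA" for SYN-ACK


class Alert(NamedTuple):
    kind: str          # "port_scan" or "syn_flood"
    key: str           # offending source, or "dst:port" being flooded
    window_start: int  # first second of the bucket that tripped the threshold
    count: int         # distinct ports (scan) or bare SYNs (flood) in that bucket


def parse_flows(text: str) -> List[Flow]:
    """Parse one record per line: 'ts src dst dport flags' (format assumed for this example)."""
    flows: List[Flow] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        ts, src, dst, dport, flags = parts
        flows.append(Flow(int(ts), src, dst, int(dport), flags))
    return flows


def detect_port_scan(flows: List[Flow], window: int = 5, max_distinct_ports: int = 10) -> List[Alert]:
    """Flag a source that touches more than max_distinct_ports distinct
    destination ports inside one window-second bucket."""
    seen: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for f in flows:
        seen[(f.src, f.ts // window * window)].add(f.dport)
    return [Alert("port_scan", src, start, len(ports))
            for (src, start), ports in sorted(seen.items())
            if len(ports) > max_distinct_ports]


def detect_syn_flood(flows: List[Flow], window: int = 1, max_syn_per_window: int = 40) -> List[Alert]:
    """Flag a destination port that receives more than max_syn_per_window bare
    SYNs (SYN set, ACK clear) in one bucket: the half-open connection pattern."""
    counts: Dict[Tuple[str, int, int], int] = defaultdict(int)
    for f in flows:
        if "S" in f.flags and "A" not in f.flags:
            counts[(f.dst, f.dport, f.ts // window * window)] += 1
    return [Alert("syn_flood", f"{dst}:{dport}", start, n)
            for (dst, dport, start), n in sorted(counts.items())
            if n > max_syn_per_window]


def run_detectors(text: str) -> List[Alert]:
    flows = parse_flows(text)
    return detect_port_scan(flows) + detect_syn_flood(flows)


def build_sample_log() -> str:
    """Constructed sample traffic (hypothetical addresses), not a real capture."""
    lines = []
    # benign: a few connections from one client to the web server
    for i in range(5):
        lines.append(f"{100 + i} 192.168.1.20 192.168.1.10 443 S")
    # port scan: 25 distinct ports probed by one host within two seconds
    for port in range(20, 45):
        lines.append(f"{100 + port % 2} 10.0.0.5 192.168.1.10 {port} S")
    # SYN flood: 60 bare SYNs to port 80 inside a single second
    for _ in range(60):
        lines.append("105 203.0.113.9 192.168.1.10 80 S")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in run_detectors(build_sample_log()):
        print(alert)
```

The two detectors deliberately key on different things: the scan detector counts distinct ports per source, so a single host probing many ports trips it while a busy legitimate client talking to one port does not; the flood detector counts bare SYNs per destination port regardless of source, so it still fires when the flood comes from many spoofed addresses. Thresholds are the part you tune to your own baseline traffic.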
Other Types of DoS Attacks
To have an idea of what you may be dealing with when you notice that there are large amounts of data being sent to you, it’s necessary to be familiar with the most common DoS attacks. Here are some of the most exploited types:
1. Ping Flooding
This is also known as smurf attack, ping of death, b flood, or SYN flood. As the name suggests, this involves sending an overwhelming number of ping packets until the web server exceeds its bandwidth. This is done by creating a fake sender address and then masking that as the sender of mass data. Since the address is not correct, the web server that responds to ping requests would contain half-open connections since it cannot send the TCP/SYN-ACK packet that it needs to deliver to the requesting party. The result would, of course, be traffic saturation and inability of the server to accommodate legitimate ping requests.
2. Application floods
This attack is also known as the layer 7 DDoS. This type of flooding aims to exploit software-related buffer overflows. It works by sending thousands of requests to an application, which results in precious CPU resources being wasted.
3. Peer-to-Peer attack
This type of attack involves massive connections to a website at once, which would cause the web server to crash. You can think of it like a network zombie attack, wherein several bot accounts or computers send thousands of requests to a web server for a connection, forcing the target to go beyond capacity.
How to Stop a DoS Attack
As you may have noticed, this type of attack may come in waves and can take a long time before putting a targeted service down. That means that you would have time to stop volumetric attacks before your system gets flooded with packets.
The best way to prevent a DoS attack from destroying your service is to have knowledge of what is happening in your network, especially if you notice strange behavior in the services that you are monitoring. You can sample the flow that gets into your system ports and predict trends in incoming traffic. Take note that flow analysis can take up time, and it may require you to sample more than one packet that goes into your ports to know the type of data that flows in.
If you manage to sample enough packets while an attack is going on, then you have plenty of opportunity to learn more about the attack and the attacker. If you are suffering from a DoS attack on your wireless connection, you are aware that all users are getting bumped off repeatedly whenever they try to connect. That gives you an idea that, most likely, someone is feeding your connection several deauthentication packets with the intention of sending them at great speed until your system goes over the limit.
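As an added example (not part of the book), the following code shows what "sampling enough packets" can look like for the wireless case: it decodes the 802.11 management header of captured frames, picks out deauthentication and disassociation frames, and raises an alert when one BSSID is the subject of more than a threshold number of them in a one-second window, noting how many were addressed to the broadcast address. The header layout is the standard 802.11 one (2-byte frame control, 2-byte duration, three 6-byte addresses, 2-byte sequence control, then a 2-byte reason code for deauth/disassoc); the capture, the MAC addresses and the thresholds are constructed for the example, and the frame-building helper exists only to create that test input.

```python
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
MGMT_TYPE = 0            # 802.11 frame type 0 = management
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


class MgmtFrame(NamedTuple):
    subtype: int
    receiver: str          # address 1
    transmitter: str       # address 2
    bssid: str             # address 3
    reason: Optional[int]  # reason code for deauth/disassoc, else None


class DeauthAlert(NamedTuple):
    bssid: str
    window_start: float
    count: int       # deauth + disassoc frames seen for this BSSID in the window
    broadcast: int   # how many of them were addressed to ff:ff:ff:ff:ff:ff


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _mac_bytes(s: str) -> bytes:
    return bytes(int(p, 16) for p in s.split(":"))


def parse_mgmt_frame(raw: bytes) -> Optional[MgmtFrame]:
    """Decode the 24-byte 802.11 MAC header. Returns None for data/control
    frames or for frames too short to hold a header."""
    if len(raw) < 24:
        return None
    fc0 = raw[0]
    ftype = (fc0 >> 2) & 0x3     # bits 2-3 of the first frame-control byte
    subtype = (fc0 >> 4) & 0xF   # bits 4-7
    if ftype != MGMT_TYPE:
        return None
    receiver, transmitter, bssid = _mac(raw[4:10]), _mac(raw[10:16]), _mac(raw[16:22])
    reason = None
    if subtype in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC) and len(raw) >= 26:
        reason = struct.unpack_from("<H", raw, 24)[0]  # little-endian reason code
    return MgmtFrame(subtype, receiver, transmitter, bssid, reason)


def detect_deauth_flood(capture: List[Tuple[float, bytes]], window: float = 1.0,
                        max_per_window: int = 10) -> List[DeauthAlert]:
    """Count deauth/disassoc frames per BSSID per window and flag bursts."""
    counts: Dict[Tuple[str, float], List[int]] = defaultdict(lambda: [0, 0])
    for ts, raw in capture:
        f = parse_mgmt_frame(raw)
        if f is None or f.subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            continue
        key = (f.bssid, int(ts // window) * window)
        counts[key][0] += 1
        if f.receiver == BROADCAST:
            counts[key][1] += 1
    return [DeauthAlert(bssid, start, n, bc)
            for (bssid, start), (n, bc) in sorted(counts.items())
            if n > max_per_window]


def build_frame(subtype: int, receiver: str, transmitter: str, bssid: str,
                reason: Optional[int] = None) -> bytes:
    """Build a minimal management frame as test input (constructed data only)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = (fc + b"\x00\x00" + _mac_bytes(receiver) + _mac_bytes(transmitter)
              + _mac_bytes(bssid) + b"\x00\x00")
    body = struct.pack("<H", reason) if reason is not None else b""
    return header + body


def build_sample_capture() -> List[Tuple[float, bytes]]:
    """Constructed capture with hypothetical MAC addresses: normal beacons, one
    legitimate deauth to a single client, then a burst of broadcast deauths."""
    ap = "00:11:22:33:44:55"
    client = "66:77:88:99:aa:bb"
    cap: List[Tuple[float, bytes]] = []
    for i in range(20):                       # beacons every 100 ms for 2 s
        cap.append((i * 0.1, build_frame(SUBTYPE_BEACON, BROADCAST, ap, ap)))
    cap.append((0.5, build_frame(SUBTYPE_DEAUTH, client, ap, ap, reason=3)))
    for i in range(50):                       # 50 broadcast deauths in half a second
        cap.append((2.0 + i * 0.01, build_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, reason=7)))
    return cap


if __name__ == "__main__":
    for alert in detect_deauth_flood(build_sample_capture()):
        print(alert)
```

The single legitimate deauth in the sample stays below the threshold, so it is not reported; the burst is. In practice the same loop would be fed from a monitor-mode capture of your own network, and a high broadcast count within the alert is the strongest hint that clients are being knocked off wholesale rather than one station leaving on its own.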
If you detect several connections feeding you unrelated data, then you know what to do: bump them off from your network and secure the vulnerable entry point that the hackers found.