Guide on DoS & DDoS
Complete Guide on DoS & DDoS Attacks (For Educational & Defensive Purposes Only)
Disclaimer: This guide is meant for educational purposes only to understand how attacks work and how to defend against them. Unauthorized attacks on real systems are illegal.
1.1 What is a DoS Attack?
A Denial-of-Service (DoS) attack is when an attacker, from a single machine, exhausts some resource of a target system (link bandwidth, the TCP connection table, web-server worker threads, application CPU or database capacity) with traffic or requests, so that legitimate users get slow responses or none at all. The resource that runs out depends on the attack, not just on the volume of traffic.
1.2 What is a DDoS Attack?
A Distributed Denial-of-Service (DDoS) attack sends the same kind of traffic from many machines at once, usually a botnet of compromised hosts or IoT devices driven by a command-and-control (C2) server. Distribution does two things: it multiplies the volume far beyond what one host can send, and it removes the single source address that a defender could otherwise just block.
To simulate or test DoS/DDoS (only against systems you own or have written permission to test), you’ll need:
A. Single-source (DoS) tools:
hping3 (crafts TCP/UDP/ICMP packets; SYN, ACK and UDP floods, optionally with forged source addresses)
LOIC (Low Orbit Ion Cannon; TCP/UDP/HTTP flood, no source spoofing)
HOIC (High Orbit Ion Cannon; HTTP flood with scripted request variation)
Slowloris (HTTP slow-header connection exhaustion)
GoldenEye (HTTP GET/POST flood)
Xerxes (Layer 7 flood tool associated with Anonymous)
Metasploit auxiliary/dos/* modules (protocol-specific DoS, e.g. auxiliary/dos/tcp/synflood)
B. Distributed (DDoS) traffic:
Real DDoS traffic comes from botnets (Mirai-class IoT malware, compromised servers) controlled through C2 servers, or from paid stresser/booter services that front such botnets. None of these are testing tools: the attacking machines belong to other people, so operating or renting them is a crime regardless of the target. For legitimate distributed testing, run several load generators you control (for example VMs in your own cloud account), and check your provider's policy first; many cloud providers only permit DDoS simulation through pre-approved vendors with advance notice.
C. System Setup:
A Linux system (Kali, Parrot, or Ubuntu)
A test server you own (a VM in a lab, or a CTF that explicitly allows DoS; most do not)
An isolated network segment. Flood traffic must never cross a shared link or the Internet, and in a lab you want the traffic attributable, so a VPN or proxy chain is neither needed nor appropriate.
Step 1: Selecting a Target Targets can be web servers, APIs, networks, or applications. In real-world scenarios, attackers often scan websites using reconnaissance tools (Nmap, Shodan, etc.) to find weak targets.
Step 2: Choosing the Right Attack.
🔹 Layer 3 (Network Layer Attacks):
ICMP Flood (Ping Flood): Saturates the target’s link or CPU with echo requests; purely volumetric, so it only works when the attacker has more bandwidth than the victim.
IP-level floods generally succeed on raw volume; reflection/amplification (forging the victim’s address in requests to open DNS, NTP or memcached servers, which answer with much larger replies) is how attackers get that volume.
🔹 Layer 4 (Transport Layer Attacks)
SYN Flood: Fills the server’s half-open connection table (TCP backlog) with SYNs whose handshakes are never completed. This is state exhaustion, not bandwidth exhaustion, and it is what hping3 -S --flood produces.
UDP Flood: Sends large numbers of UDP datagrams to random or fixed ports; the host burns CPU answering with ICMP port-unreachable messages and the link fills up.
ACK Flood: Sends ACKs that match no connection, forcing stateful firewalls and load balancers to look up and drop every packet.
🔹 Layer 7 (Application Layer Attacks)
Slowloris Attack: Opens many HTTP connections and keeps every request incomplete by trickling header lines, so a thread-per-connection server runs out of workers at almost no bandwidth.
HTTP POST/GET Flood: Sends thousands of valid-looking requests, ideally to expensive endpoints (search, login, uncached pages), so the application’s CPU or database is exhausted rather than the link.
4.1 DoS Attack Using hping3 (SYN flood): hping3 -S --flood -V -p 80 <target_ip>
📌 Explanation:
-S → Sends TCP SYN packets (the first step of the handshake) and never completes the handshake.
--flood → Sends packets as fast as the interface allows, without waiting for replies.
-V → Verbose mode (shows output).
-p 80 → Targets port 80 (HTTP).
Run it as root (it writes raw packets). From a single, unspoofed host the flood is trivially blocked by an ACL, which is why attackers add --rand-source to forge the source address of every SYN; the SYN-ACKs then go to random hosts and the target cannot tell the attacker from a crowd of new clients.
🔥 Impact:
Each SYN costs the target a half-open entry in its TCP backlog until that entry times out. Once the backlog is full the kernel drops new SYNs and legitimate clients cannot connect, even though the link is nowhere near saturated. The half-open entries are visible on the target with ss -tan (state SYN-RECV), and SYN cookies (net.ipv4.tcp_syncookies=1) defeat the attack by answering SYNs without keeping per-connection state.
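The check a defender would run on the target during the flood above, as an added example that is not part of the original guide: it parses ss -tan output, counts SYN-RECV (half-open) sockets per local port, and distinguishes a single-source flood (plain hping3 -S --flood, one peer address everywhere) from a spoofed or distributed one (--rand-source, a different peer on every line), because the two call for different responses. The sample output is constructed in the real ss -tan column layout; on a live host you would feed analyse() the stdout of ss -tan. The function names and the threshold of 10 half-open sockets are assumptions for the lab.

```python
"""Detect a TCP SYN flood from `ss -tan` output and tell a single-source flood
(plain hping3 -S --flood) from a spoofed/distributed one (--rand-source).

Added example for this guide, not a tool from it. The samples below are
CONSTRUCTED in the real `ss -tan` column layout
(State Recv-Q Send-Q Local Address:Port Peer Address:Port); on a live host
feed analyse() the stdout of `ss -tan` instead. Thresholds are lab values."""
from collections import Counter, defaultdict


def split_addr(addr):
    """'10.0.0.5:80' -> ('10.0.0.5', 80); '[2001:db8::1]:443' -> ('2001:db8::1', 443)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Yield (state, local_port, peer_host) per socket line; skip the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue
        _, lport = split_addr(fields[3])
        phost, _ = split_addr(fields[4])
        yield fields[0], lport, phost


def analyse(text, half_open_threshold=10):
    """Return {local_port: finding} for ports holding too many SYN-RECV
    (half-open) sockets. SYN-RECV entries are the backlog a SYN flood fills."""
    per_port = defaultdict(Counter)
    for state, lport, phost in parse_ss(text):
        if state == "SYN-RECV":
            per_port[lport][phost] += 1

    findings = {}
    for port, peers in per_port.items():
        total = sum(peers.values())
        if total < half_open_threshold:
            continue
        top_peer, top_n = peers.most_common(1)[0]
        if top_n >= 0.8 * total:
            # One real source: an edge ACL or fail2ban-style block ends it.
            verdict = f"single-source flood: block {top_peer} at the edge"
        else:
            # Forged or distributed sources: per-IP blocking is useless; SYN
            # cookies (net.ipv4.tcp_syncookies=1) keep the backlog from mattering.
            verdict = "distributed/spoofed flood: rely on SYN cookies, not per-IP blocks"
        findings[port] = {
            "half_open": total,
            "distinct_peers": len(peers),
            "top_peer": top_peer,
            "verdict": verdict,
        }
    return findings


def build_sample(peers):
    """Constructed `ss -tan` output: two normal sockets plus half-open ones on :80."""
    lines = [
        "State      Recv-Q Send-Q Local Address:Port   Peer Address:Port",
        "ESTAB      0      0      10.0.0.5:22          192.0.2.10:50511",
        "ESTAB      0      0      10.0.0.5:80          192.0.2.11:40022",
    ]
    lines += [f"SYN-RECV   0      0      10.0.0.5:80          {p}" for p in peers]
    return "\n".join(lines)


# hping3 -S --flood from one lab box: every half-open socket shares a peer address.
SINGLE_SOURCE = build_sample([f"203.0.113.9:{40000 + i}" for i in range(15)])
# hping3 -S --flood --rand-source: forged sources that never repeat.
RANDOM_SOURCE = build_sample(
    [f"{1 + i}.{(37 * i) % 256}.{(91 * i) % 256}.{1 + i}:{1024 + i}" for i in range(15)]
)

if __name__ == "__main__":
    for name, sample in (("single source", SINGLE_SOURCE), ("random source", RANDOM_SOURCE)):
        for port, f in analyse(sample).items():
            print(f"{name}: port {port}: {f['half_open']} half-open from "
                  f"{f['distinct_peers']} peers -> {f['verdict']}")
```

The 80 % rule is deliberately crude: a real detector would also watch the rate of change of the SYN-RECV count and compare against the backlog size (net.ipv4.tcp_max_syn_backlog), but the split between "one address to block" and "no address worth blocking" is the decision that matters in the first minute of an attack.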
4.2 DDoS Attack Using LOIC (Windows/Linux)
Download LOIC (Low Orbit Ion Cannon).
Enter the Target IP or website URL.
Select Attack Mode (TCP, UDP, or HTTP flood).
Set Thread Count (Higher = More powerful attack).
Start Attack.
🔥 Impact:
If many users point LOIC at the same target at the same time, the combined traffic is a DDoS. LOIC does not spoof its source address, so every participant’s real IP appears in the target’s logs; this is how LOIC participants have been identified and prosecuted.
4.3 Slowloris Attack (Layer 7 DoS):
git clone https://github.com/gkbrk/slowloris.git
cd slowloris
python3 slowloris.py <target_host> --sockets 500
📌 Explanation:
The script completes the TCP handshake on each of its sockets, sends the start of an HTTP request (request line and a few headers) but never the blank line that ends the headers, and then trickles one more header line every few seconds so the server keeps waiting. Each such connection pins one worker thread or process. The server does not crash: it reaches its worker or connection limit and new clients queue or are refused, while the attacker spends almost no bandwidth.
🔥 Impact:
Thread-per-connection servers are the classic victims, above all Apache httpd with the prefork or worker MPM and no request-read timeout. Event-driven servers such as Nginx, and servers that bound the total time allowed for receiving headers (Apache mod_reqtimeout, nginx client_header_timeout), are largely unaffected because an idle connection costs them almost nothing and is dropped on time.
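A localhost lab that shows the mechanism described above and the fix, as an added example that is not code from the guide or from the slowloris project. TinyServer, serve_one, fetch and run_demo are hypothetical names: the 4-worker pool stands in for a server whose MaxRequestWorkers is exhausted, and header_timeout stands in for a total header-read deadline of the kind Apache’s mod_reqtimeout or nginx’s client_header_timeout enforce. Four slow clients send a partial request and go quiet; run_demo reports whether a normal client still gets a response.

```python
"""Slowloris mechanism and mitigation on 127.0.0.1 (added example, not from
the guide). All names are hypothetical. TinyServer = a thread-per-connection
server with a fixed worker pool; header_timeout = total deadline for reading
the request headers (Apache mod_reqtimeout / nginx client_header_timeout)."""
import socket
import threading
import time
from concurrent.futures import ThreadPoolExecutor

PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: lab\r\n"      # blank line never sent
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: lab\r\n\r\n"


def serve_one(conn, header_timeout):
    """Read one request's headers, then answer. With header_timeout=None the
    worker waits forever for the terminating blank line, which is what
    Slowloris exploits. With a deadline, the TOTAL time to receive the headers
    is bounded, so trickling a header every few seconds cannot pin the worker."""
    deadline = None if header_timeout is None else time.monotonic() + header_timeout
    buf = b""
    try:
        while b"\r\n\r\n" not in buf:
            if deadline is not None:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    return                      # drop the slow client
                conn.settimeout(remaining)
            chunk = conn.recv(4096)
            if not chunk:
                return                          # client went away
            buf += chunk
        conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
    except OSError:                             # timeout or reset: just close
        pass
    finally:
        conn.close()


class TinyServer:
    def __init__(self, workers, header_timeout):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(64)
        self.sock.settimeout(0.1)
        self.port = self.sock.getsockname()[1]
        self.pool = ThreadPoolExecutor(max_workers=workers)
        self.header_timeout = header_timeout
        self.stopping = threading.Event()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self.stopping.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            # Accepted, but waits until a worker is free: the queue that builds
            # up when every worker is held by a half-finished request.
            self.pool.submit(serve_one, conn, self.header_timeout)

    def close(self):
        self.stopping.set()
        self.sock.close()
        self.pool.shutdown(wait=False)


def fetch(port, timeout):
    """A legitimate client: sends a full request, True if it received a 200."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
            s.sendall(FULL_REQUEST)
            return s.recv(1024).startswith(b"HTTP/1.1 200")
    except OSError:
        return False


def run_demo(header_timeout, workers=4, slow_clients=4, client_timeout=1.5):
    """Pin every worker with a partial request, then test a normal request."""
    server = TinyServer(workers, header_timeout)
    slow = []
    try:
        for _ in range(slow_clients):
            s = socket.create_connection(("127.0.0.1", server.port))
            s.sendall(PARTIAL_REQUEST)          # start a request, never finish it
            slow.append(s)
        time.sleep(0.2)                         # let the workers pick them up
        return fetch(server.port, client_timeout)
    finally:
        for s in slow:
            s.close()
        server.close()


if __name__ == "__main__":
    print("no header deadline    ->", "served" if run_demo(None) else "starved")
    print("0.3 s header deadline ->", "served" if run_demo(0.3) else "starved")
```

Note that the deadline is on the total header-read time, not on idle time between bytes: a per-read idle timeout is what a real Slowloris defeats by sending one header line just inside the limit, which is why mod_reqtimeout takes a range (header=20-40) rather than a single idle value.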
4.4 DDoS Using a Botnet (Mirai Example)
Mirai (2016) is the reference IoT botnet; its source code was leaked publicly. The following describes how it operated, not a procedure to follow:
Scanning: each infected device scanned the Internet for telnet (ports 23 and 2323) and tried a short list of factory-default usernames and passwords against IP cameras, DVRs and home routers.
Infection: working credentials were reported to a loader that pushed an architecture-specific bot binary; the bot then killed competing malware and closed the telnet service to keep the device for itself.
Command: bots registered with a C2 server from which the operator issued attack commands (SYN, ACK, UDP, GRE and HTTP floods, with optional source spoofing).
Attack: tens to hundreds of thousands of devices hit the target at once; the 2016 attacks on KrebsOnSecurity, OVH and Dyn were reported at roughly 600 Gbps to over 1 Tbps.
🔥 Impact:
This is the most powerful form of DDoS, and the hardest to filter: every bot is a real device with a legitimate address, so blocking sources one by one is hopeless and mitigation has to move upstream to anycast and scrubbing capacity larger than the attack.
If you're hosting a website or server, layer these defenses; no single one covers all three layers:
🔹 Kernel hardening: Enable SYN cookies (net.ipv4.tcp_syncookies=1) so a full backlog no longer blocks new connections, and drop obviously bogus packets (unsolicited ACKs, fragments you never expect) at the host firewall.
🔹 Web-server timeouts: Bound the total time a client may take to send headers and body (Apache mod_reqtimeout, nginx client_header_timeout and client_body_timeout) and cap concurrent connections per IP. This is the direct fix for Slowloris.
🔹 Rate Limiting: Caps requests per second per client (nginx limit_req, WAF rules). Effective against single-source floods and naive bots; a distributed or spoofed attack shows only a few requests per IP, so it needs the upstream measures below.
🔹 Upstream DDoS mitigation (Cloudflare, Akamai, Fastly, AWS Shield): Absorbs volumetric Layer 3/4 traffic with anycast and scrubbing, and fronts Layer 7 with a WAF and client challenges. Note that AWS Shield Standard covers Layer 3/4 only; Layer 7 protection there comes from AWS WAF and Shield Advanced.
🔹 Intrusion Detection and flow monitoring: Alerts on spikes in SYN-RECV sockets, packets per second per port, or HTTP error rates so you react before users do.
🔹 Blackhole Routing (RTBH): Your ISP drops all traffic to the attacked address. It protects the rest of your network but completes the outage for that address, so it is a last resort, not protection.
🔹 Hiding the origin: When using a CDN, firewall the origin so only the CDN can reach it; otherwise attackers bypass the CDN by hitting the origin IP directly.
✅ When DoS/DDoS is Legal:
Testing your own server.
Testing inside a controlled lab environment.
With written permission from an organization.
❌ When DoS/DDoS is Illegal:
Attacking someone else's server without consent.
Disrupting government, banking, or public services.
Using botnets to attack websites.
💡 Consequences: Unauthorized DoS/DDoS is prosecuted under computer-misuse statutes (for example the US Computer Fraud and Abuse Act and the UK Computer Misuse Act) and carries multi-year prison terms, fines and civil damages for the victim’s losses; LOIC participants and booter-service operators have been convicted on exactly this basis.
DoS = Single machine attack.
DDoS = Multiple machines (botnets).
Attacks can be done using SYN Floods, UDP Floods, HTTP Floods, Slowloris, etc.
Defenses include firewalls, rate limiting, CDNs, and DDoS protection services.