Denial-of-service (DoS) Attack Tools

Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are types of cyber attacks that attempt to make an online service, server, or network unavailable by overwhelming it with a flood of internet traffic.

As its name implies, Network-based DoS uses one device to send a flood of internet traffic, while DDoS uses more than one device to send this traffic to the target system. In DDoS attacks, the attacker builds a network of infected computers by spreading malware through emails, websites, or social media. This network could consist of millions of devices and is also known as a botnet. Once infected, these devices can be controlled remotely by a botmaster, without their owners' knowledge, and used as an army to launch an attack against any online system. In other instances, DDoS can be executed by multiple individual attackers who work together to send data packets from their devices.

Botnets can generate huge floods of internet traffic to overwhelm a target. These floods can be generated in multiple ways, such as sending more connection requests than a server can handle, manipulating the TCP flags (like the well-known Christmas Tree attack), or having computers send the victim large amounts of random data to use up the target's bandwidth.

Nowadays, cybercriminals do not have to worry about executing such attacks technically, as the wave of Crimeware-as-a-Service (CaaS) continues to spread in the underground market. Launching different types of cyberattacks (including DDoS) becomes feasible for criminals with limited technical skills. For instance, many underground markets (e.g., hosted on TOR network) offer ready-to-launch DDoS attacks that can be executed against any target for a small payment.

Many companies develop DDoS tools to measure the strength of their networks. These are commonly named an IP stresser and are used to determine whether the current network setup is sufficient in terms of bandwidth, CPU, memory, number of servers, etc., to handle additional internet traffic. Other tools are created explicitly to launch DDoS attacks.

Launching a DDoS attack is illegal and can lead to the punishment of imprisonment in some countries. Running DDoS tools against online targets for testing purposes is legal as long as you have the necessary permission to do so from all affected parties.

There are numerous tools to execute DoS and DDoS attacks, both open source and commercial. In this article, we will mention both and talk a little bit about their features.

Network-based DDoS Attack Tools

Following is a list of the most popular DDoS tools that are currently available.

SolarWinds DDoS attacks are launched using botnets; to work, botnets need a master (which comes in the form of a command and control server) to receive attack instructions. Solarwinds works by leveraging community-sourced lists of known malicious actors to identify potential command and control servers' interactions. These lists come from various sources such as firewalls, IPS/IDS logs, security logs captured from servers, and endpoint devices.

Hulk DoS tool HULK DoS tool is a stress testing utility built using Python programming language (currently, it uses the Go language). It was created for educational and research purposes to help security researchers measure their defenses against DoS/DDoS attacks. Hulk attacks web servers and other online services by generating unique and obfuscated internet traffic, bypassing the server's caching engines, and hits its direct resource pool. The Hulk tool's main disadvantage is that it can fail in concealing the identity of the attacker, so its traffic can be blocked by security devices easily.

Tor's Hammer This is a DoS testing utility created in Python programming language and can attack both Apache and IIS servers. TOR Hammer attacks can be carried out through the TOR anonymous network to anonymize its traffic and make tracking the attacker almost impossible. Tor's Hammer performs slow-rate DDoS attacks; hence, it can consume web server resources by generating many connections for a prolonged time (connection will remain active for around 1000-30000 seconds), instead of generating large amounts of HTTP requests per second as most DDoS attack tools do.

R.U.D.Y. Short for R-U-Dead-Yet? This is a DoS tool used to execute slow-rate DDoS attacks, which work by opening a few connections to the victim server and make it active for as long as possible to consume server resources making it unable to handle legitimate traffic. R.U.D.Y begins its attack by finding embedded web forms on the target website. After selecting one form, the tool begins its work by sending a legitimate HTTP POST request with a long 'content-length' header field and then fills the form with random information. It does this one byte of information at a time and then waits. The information is sent in small chunks and at a very slow rate (about 10 seconds between each byte). The attack results in many application threads and forces it to await the end of never-ending posts to perform processing. This causes the target webserver to hang, awaiting the rest of the HTTP request to complete. By establishing simultaneous connections to the victim web server, it will eventually consume its resources and become unable to handle legitimate requests, which lead to a denial of service situation.

Hping Hping is an open-source packet generator for the TCP/IP protocol suite. It was created for security auditing and testing firewalls and networks. This tool can be used to launch a DoS attack by sending a large volume of TCP traffic to the target server without revealing the sender's true IP address.

Summary

In this article, we shed some light on DoS and DDoS attacks. There are many tools to perform such attacks. These tools can be used by security researchers and network administrators to check the defense of their network. However, the same tools can be abused by malicious actors to launch denial of service attacks against any web server or online application.