Wednesday, March 5, 2014

Denial Of Service Attacks : Explained for Beginners

By Shashwat March 05, 2014 , , , , , , , , , ,
  • Disclaimer - TLDR; some stuff here can be used to carry out illegal activity, our intention is, however, to educate
Just like most other things associated with hacking, a denial of service attack is not everyone's cup of tea. It, however, can be understood if explained properly. In this tutorial, I'll try to give you a big picture of denial of service attacks, before I start using geeky terms like packets and all that. We'll start at the easiest point.


What effect does a denial of service attack have


Wireless hacking usually gives you the password of a wireless network. A man in the middle attack lets you spy on network traffic. Exploiting a vulnerability and sending a payload gives you access and control over the target machine. What exactly does a Denial of Service (DOS) attack do? Basically, it robs the legitimate owner of a resource from the right to use it. I mean if I successfully perform a DOS on your machine, you won't be able to use it anymore. In the modern scenario, it is used to disrupt online services. Many hacktivist groups (internet activists who use hacking as a form of active resistance - a name worth mentioning here is Anonymous) do a Distributed Denial of service attack on government and private websites to make them listen to the people's opinion (the legitimacy of this method of dictating your opinion has been a topic of debate, and a lot of hactivists had to suffer jailtime for participating in DDOS). So basically it's just what its name suggests, Denial Of Service.

Basic Concept

It uses the fact that while a service can be more than sufficient to cater to the demands of the desired users, a drastic increase in unwelcome users can make the service go down. Most of us use the words like "This website was down the other day" without any idea what it actually means. Well now you do. To give you a good idea of what is happening, I'll take the example from the movie "We Are Legion".


Scenario One : Multiplayer online game

Now consider you are playing an online multi-player game. There are millions of other people who also play this game. Now there's a pool in the game that everyone likes to visit. Now you and your friends know that they have the power of numbers. There are a lot of you, and together you decide to make identical characters in the game. And then all of you go and block the access to the pool. You just carried out a denial of service attack. The users of the game have now been deprived of a service which they had obtained the right to use when they signed up for the game. This is just what the guys at 4chan (birthplace and residence of Anonymous) did a long time ago. This is the kind of thing that gives you a very basic idea what a denial of service attack can be.
Denial of service in a game
They made a Swastika and blocked access to the pool

Scenario 2 : Bus stop

Now assume that due to some reason, you want to disrupt the bus service of your city and stop the people from using the service. To stop the legitimate people from utilizing this service, you can call your friends to unnecessarily use it. Basically you can invite millions of friends to come and crowd around all the bus stops and take the buses without any purpose. Practically it is not feasible since you don't have millions of friends, and they are definitely not wasting their time and money riding aimlessly from one place to another.

So while this may seem impossible in the real world, in the virtual world, you can cause as much load as a thousand (or even a million) users alone at the click of a button. There are many tools out there for this purpose, however, you are not recommended to use them as a DOS on someone else is illegal, and easy to detect (Knock, knock. It's the police). We will, come back to this later, and do a DOS on our own computer.

 

How denial of service attacks are carried out

Basically, when you visit a website, you send them a request to deliver their content to you. What you send is a packet. Basically, it take more than just one packet, you need a lot of them. But still, the bandwidth that you consume in requesting the server to send you some data is very little. In return, the data they send you is huge. This takes up server resources, for which they pay for. A legitimate view can easily earn more than the server costs on account of advertisements, etc. So, companies buy server that can provide enough data transfer for its regular users. However, if the number of users suddenly increases, the server gives up. It goes down. And since the company knows it under DOS, it just turns off the server, so that it does not have to waste its monetary resources on a DOS, and wait till the DOS stops. Now with the modern computers and bandwidth, we alone can easily pretend to be a thousand or even more users at once. While this is not good for the server, it is not something that can make it succumb (your computer is not the only thing that gets better with time, the servers do too). However, if a lot of people like you do a DOS attack, it becomes a distributed denial of service attack. This can easily be fatal for a server. It's just like you go to a page, and start refreshing it very fast, maybe a thousand times every second. And you are not the only one. There are thousand others that are doing the same thing. So basically you guys are equivalent to more than a million users using the site simultaneously, and that's not something the server can take. Sites like Google and Facebook have stronger servers, and algorithms that can easily identify a DOS and block the traffic from that IP. But it's not just the websites that get better, and the black hat hackers too are improving every day. This leaves a huge scope for understanding DOS attacks and becoming an asset to one of these sides ( the good, the bad and the ugly).


A Live DOS on your Kali Machine

If you have Kali linux (The hackers OS- the OS of choice if you use this blog) the here's a small exercise for you. 
We are going to execute a command in the Kali linux terminal that will cripple the operating system and make it hand. It will most probably work on other linux distributions too.
Warning : This code will freeze Kali linux, and most probably it will not recover from the shock. You'll lose any unsaved data. You will have to restart the machine the hard way (turn of the virtual machine directly or cut the power supply if its a real machine). Just copy paste the code and your computer is gone.
:(){ :|:& };:

The machine froze right after I pressed enter. I had to power it off from the Vmware interface.
What basically happened is that the one line command asked the operating system to keep opening process very fast for an infinite period of time. It just gave up.
Here's something for the Windows Users

Crashing Windows Using Batch file

Open a notepad. Put the following code in it-
:1
Start
goto 1
Save the file as name.bat
Bat here is batch file extension. Run it. Game over.
It basically executes the second line, and the third line makes it go over to the first, execute the second, and then over to first again, execute the second..... infinitely. So again, denial of service. All the processing power is used by a useless command, while you, the legitimate user, can't do anything.

That's it for this tutorial, we'll discuss the technical details of a practical denial of service in a later tutorial.

PS:
As suggested in the comments, this script will crash windows much faster-

:1
bash name.bat
goto 1

If you look at the script carefully, it is quite easy to understand what it does. Everytime the script is executed, it does two things-

  1. Opens another instance of the same script
  2. Goes to the beginning of the script
So for every execution, the number of scripts slowing down your computer doubles up. This means that instead of linear, the load on memory and processor is now exponential (the script gets more and more dangerous with time).
Share with your friends
Posted by at
Labels: , , , , , , , , , ,

48 comments:

  1. AnonymousApril 6, 2014 at 6:04 PM

    Thanks it's a good job :)

    ReplyDelete
  2. AnonymousMay 24, 2014 at 4:33 PM

    Interesting. Can't wait for the next tutorial. I watched the doc about Anonymous, they showed how and why they did a DOS Attack in the game example you refer to. Genius. Could you do the attack via TOR to enable you to change your ip. We have Macchanger, why doesn't somebody write a exploit that will change your ip. I knew I should have lernt how to program when I had a spectrum 48k, back in 1984.

    ReplyDelete
    Replies
    1. Shashwat ChaudharyMay 25, 2014 at 1:46 AM

      Next tutorial on IP masking during DOS. We will spoof the source ip with random ones. Wait for it... :D

      Delete
  3. AnonymousMay 25, 2014 at 4:58 AM

    Thank you for a great detailed description in response to my question. I always learn something or become a little wiser after visiting your cool site.

    ReplyDelete
  4. AnonymousJune 27, 2014 at 12:00 PM

    dont call a person who is willing to learn a dummy you idiot...people want to hack for their own benefit but they just dont understand how hard it really is...and plz stop showing off...it makes you a dick

    ReplyDelete
    Replies
    1. Shashwat ChaudharyJune 28, 2014 at 5:02 AM

      Nevermind read your comment on the other post.

      Delete
    2. AnonymousJune 19, 2015 at 6:34 AM

      relax :D dont take it seriously dummy :P

      Delete
    3. UnknownAugust 31, 2015 at 10:45 AM

      There's only 1 dick here, and that's you Mr. anon ...
      Show some respect.

      Delete
  5. Spencer OlixJuly 6, 2014 at 2:08 AM

    This Might sound dumb but, if you are on a public network, (like a starbucks) and you change you ip and MAC address, are you anonymous? if not, what im I missing? Is there anyother simple ways to be anonymous without VPNs and other "hard stuff"

    ReplyDelete
    Replies
    1. UnknownJanuary 18, 2016 at 10:27 PM

      ismit possible to hack a WPA password without a wireless extension

      Delete
  6. Spencer OlixJuly 6, 2014 at 4:59 PM

    Thanks So much that was very detailed.

    ReplyDelete
  7. Spencer OlixJuly 6, 2014 at 5:09 PM

    "Innocence factor - Most of the DOS attacks are carried out by botnets. Botnets are a network of computers infected by malware (trojan known as remote administration tool or RAT). They are controlled by a main master who owns these bots/slaves. He can order them to conduct a DOS attack, and the traffic will originate from the computers of innocent users who have no idea what a malicious program is doing in the background while they are playing their favorite game." - Shashwat Chaudhary. Can This concept using RATS, apply easily to most kinds of hacking?

    ReplyDelete
  8. Spencer OlixJuly 7, 2014 at 11:07 PM

    That answered my question! thanks!

    ReplyDelete
  9. Albin KottaramDecember 23, 2014 at 8:47 PM

    I tried to crash windows 7 using the batch file but nothing happened. Is it because I have 8 GB of RAM ?

    ReplyDelete
    Replies
    1. ShashwatDecember 23, 2014 at 11:32 PM

      What happens when you execute the batch file? Do you see new command prompt windows opening up automatically? On a high end device, it'll take quite a good while for the system to crash.

      Delete
    2. AnonymousJanuary 25, 2016 at 1:45 PM

      You only have 8GB of RAM? XD I have half a terabyte (But my computer is giant)

      Delete
  10. amit inbarMarch 3, 2015 at 9:42 AM

    the file name will be "stuck.bat"
    edit the file and enter:

    :a
    bash stuck.bat
    goto a

    O = 2^x will overload the computer faster than O =x

    ReplyDelete
    Replies
    1. mI c0April 2, 2015 at 8:59 AM

      haha, using it exponentially...

      Delete
    2. ShashwatApril 4, 2015 at 9:17 AM

      Thanks for the addition, making corresponding changes.

      Delete
  11. AnonymousApril 7, 2015 at 9:00 PM

    see how websites are vulnerable to SQL map
    Real Admin Hacking of a website click on
    https://www.youtube.com/watch?v=72Gi1oDkHdM

    ReplyDelete
  12. AnonymousMay 28, 2015 at 11:13 AM

    thank you so much,,

    ReplyDelete
  13. AnonymousJune 6, 2015 at 11:42 AM

    Very well put. (Almost) Anybody can follow a step-by-step tut, but the key to being successful isn't in "knowing" what what's going to happen because the tut says so, but "understanding" what's going on as you progress through the steps. I spent more time trying trying to find "understanding" (hard to find)....Good to see someone taking the time to explain the "how it works"

    ReplyDelete
  14. chunkingzAugust 2, 2015 at 4:58 PM

    A quick tip you can add names of softwares installed on the system before the GOTO statement. larger softwares eat up ram faster...

    ReplyDelete
  15. AnonymousAugust 3, 2015 at 7:56 PM

    Thank you so much for explaining things so clearly! I will be spending a lot of time reading your tutorials in the near future

    ReplyDelete
  16. AnonymousSeptember 16, 2015 at 1:43 AM

    how to perform dos using hping3 in kali linux?

    ReplyDelete
  17. Dr. Priyanka N VishwakarmaDecember 9, 2015 at 1:34 AM

    brief abt how to ddos to site anonymously.
    hkope u get my point.

    ReplyDelete
  18. AnonymousDecember 13, 2015 at 3:08 AM

    Great job explaining what I saw in Mr.Robot

    ReplyDelete
  19. AnonymousJanuary 22, 2016 at 3:30 AM

    great!!!
    I never know those much clear details about what DOS actually mean.

    ReplyDelete
  20. AnonymousJanuary 28, 2016 at 1:20 AM

    Can I do a DOS attack on a friend's website/my own website? Is the web hotel/server going to have a problem with that and is it illegal? If I would do it on a friend's website then he would be with me as i do it.

    ReplyDelete
    Replies
    1. ShashwatJanuary 30, 2016 at 11:03 AM

      For practice host something on intranet (use IP 0.0.0.0) and then try to take it down. Or maybe try to perform a DOS on your wireless router.

      Delete
    2. ShashwatJanuary 30, 2016 at 11:04 AM

      And yeah, your web host won't be happy about a DOS attack on it (attacking your site is same as attacking your web host/server.)

      Delete
  21. AnonymousJune 13, 2016 at 4:59 AM

    where i can get the rest of the tutorial?

    ReplyDelete
  22. UnknownJuly 9, 2016 at 11:37 AM

    The ":1
    bash name.bat
    goto 1" code is what's known as a ForkBomb. Just throwing this out there bc it's really fun to say. :)

    ReplyDelete
  23. AnonymousAugust 12, 2016 at 10:27 AM

    how long does a ddos attack effective ?
    like is it a permanent effect to the page u want to attck or is there a time-limit

    ReplyDelete
    Replies
    1. ShashwatAugust 12, 2016 at 11:41 AM

      As long as one continues the attack, the target is down. There could also be some buffer time (depending on the magnitude of the attack) needed to recover after the DDOS is over.

      Delete
  24. UnknownOctober 25, 2016 at 8:45 PM

    i execute this command ":(){ :|:& };:" in my own kali linux pc and freezed it, but when i restarted it, the so doesnt runs, and keep in the black screen with the white "-" twinkling.. anyone knows how to fix it ?

    ReplyDelete
  25. AnonymousJuly 23, 2017 at 10:39 PM

    %|%

    call the file %.bat

    quick forkbomb

    ReplyDelete
  26. vé máy bay từ canada về việt namJuly 28, 2021 at 8:12 PM

    Mua vé máy bay tại Aivivu, tham khảo

    mua ve may bay di my

    ve may bay tu my ve vietnam

    vé máy bay từ đức về sài gòn

    các chuyến bay từ nga về việt nam

    giá vé máy bay từ anh về việt nam

    chuyến bay từ pháp về việt nam

    bảng giá khách sạn cách ly tại hà nội

    ReplyDelete
  27. cicillaFebruary 27, 2024 at 4:01 AM

    Since every case is different, we place a high value on individualized legal tactics catered to our clients' particular situations. This starts with a comprehensive evaluation of the case, in which we carefully review the facts, pinpoint possible defences, and weigh the advantages and disadvantages of the prosecution's position. Equipped with this understanding, we devise a tactical safeguard with the objective of attaining the most favourable result, be it by compromise, litigation, or non-traditional dispute settlement techniques.Fairfax Criminal Defense Lawyer

    ReplyDelete
  28. Publication Divorce New YorkApril 16, 2024 at 12:44 AM

    Publication Divorce New York allows divorce papers to be served via newspaper when a spouse cannot be located, providing a legal solution for uncontested divorces.

    ReplyDelete
  29. 카지노사이트November 3, 2024 at 12:43 AM

    You definitely have some great insight and great stories.

    ReplyDelete
  30. 메이저사이트November 3, 2024 at 12:43 AM

    I check out new stuff post. keep it up. Its greatt

    ReplyDelete
  31. 토토사이트November 3, 2024 at 12:43 AM

    I want you to thank for your time of this wonderful read!!!

    ReplyDelete
  32. 파워볼사이트November 3, 2024 at 12:44 AM

    I admire this article for the well-researched content and excellent wording.

    ReplyDelete
  33. Ryan hughNovember 7, 2024 at 1:38 AM

    A Denial of Service (DoS) attack is a cyberattack that disrupts normal operations by overwhelming a network resource, server, or website with a flood of illegitimate requests or data. These attacks are typically launched from a single device, with a more potent variant called a Distributed Denial of Service (DDoS) coming from multiple sources, usually compromised devices in a botnet New Jersey Careless Driving.

    ReplyDelete

Subscribe to: Post Comments (Atom)
© Kali Tutorials, 2016. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Shashwat Chaudhary and Kali Tutorials with appropriate and specific direction to the original content.