DOS/DDOS Attacks: Examples and Testing

Tr0jan_Horse

In this article, we will look at what DoS and DDoS are, how they work, what their types are, and how you can test a resource for resilience.


DoS is an attack in which a single source generates a large number of requests to a target server in order to exhaust its resources (CPU, memory, connection slots or bandwidth) and make it inaccessible to normal users.

DDoS is the same thing from many sources at once (botnets of infected devices, rented virtual machines), which gives the attack far more bandwidth and makes it harder to repel, since there is no single source IP to block.

Types of DoS/DDoS attacks:
  • SYN flood - sending a large number of TCP SYN packets without ever completing the handshake, so half-open connections fill the server's connection table (largely obsolete: Linux enables SYN cookies by default, net.ipv4.tcp_syncookies=1, and most firewalls rate-limit SYNs, so today it only works as a raw bandwidth flood).
  • UDP flood - sending a huge number of UDP packets, usually to random ports, that the host has to process and answer with ICMP "port unreachable" (still relevant as a volumetric attack: easy to block with network-level filtering, but the filtering happens after the packets have already crossed the link, so it can still saturate the channel).
  • HTTP flood - sending a large number of complete, valid HTTP requests that emulate user behavior (relevant, especially for servers without an upstream filter, because the requests are hard to tell apart from legitimate traffic and each one costs the application real work: CPU, database queries, rendering).
  • ICMP flood - flooding the host with ICMP echo requests (obsolete: most modern systems and routers rate-limit or drop ICMP).
  • Slowloris - opening many connections and sending incomplete HTTP requests, one header at a time, to keep each connection open as long as possible and exhaust the server's worker pool (partially obsolete: event-driven servers such as nginx are largely immune and Apache has mod_reqtimeout, but an unconfigured thread-per-connection server still falls over).

In this article we will look at the most relevant type, the HTTP flood:

The main obstacle to an HTTP flood is an upstream filtering service such as Cloudflare. The domain's DNS records point at the service's proxy servers, so every request to the domain arrives at their edge, which absorbs the volume and challenges or drops suspicious clients; the real IP address of the origin server is never exposed through the domain. As long as you only have the domain, your requests never reach the server you are testing.

To test the server itself you need its real (origin) IP address, which is not always easy to find. Historical DNS data (the records the domain had before it was put behind the proxy) or other public DNS records of the domain sometimes reveal it, but a site that uses additional layers of protection or a content delivery network (CDN) may not expose it at all.

You can check whether the target site is behind Cloudflare or a similar service with the Wappalyzer browser extension, or simply by looking at the response headers: Cloudflare answers with server: cloudflare and a cf-ray header, while an origin identifies itself as nginx, Apache and so on.
You can check whether a candidate IP address is really the origin with curl. Do not just paste http://<IP> into the browser: a request without a Host header lands on the server's default virtual host, and a generic "Welcome to nginx" page only proves that some web server is listening there. Send the site's hostname so that name-based virtual hosting routes the request to the site:
Bash:
curl -sI -H "Host: <domain>" http://<IP>/
If the response is the site's own page (or the same redirect to https://<domain>/ that you get through the domain) and the server header names the origin's web server rather than cloudflare, it is most likely the real IP of the server. A refused or timed-out connection means the address is wrong, or the origin only accepts traffic from the protection service.
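As an added example (this is not code from the original post), the two checks above as a small shell script: it tells a Cloudflare edge apart from an origin web server by the response headers, and probes a candidate IP with the Host header set. It assumes curl is installed; <domain> and <ip> are whatever you pass on the command line, and the two sample responses are constructed so the header classifier can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Tells a Cloudflare edge apart
# from an origin web server by the response headers, and probes a candidate
# origin IP with the Host header set so the server's name-based virtual host
# answers instead of the default page. <domain> and <ip> are supplied by you.

# classify_headers: reads raw HTTP response headers on stdin and prints
#   cloudflare-edge  the answer came from Cloudflare (server: cloudflare / cf-ray)
#   origin           a plain web server (nginx, Apache, ...) answered
#   no-response      nothing arrived (refused, timed out, wrong address)
classify_headers() {
    local hdrs
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    if [ -z "$hdrs" ]; then
        echo no-response
    elif printf '%s\n' "$hdrs" | grep -Eq '^(server: cloudflare|cf-ray:)'; then
        echo cloudflare-edge
    else
        echo origin
    fi
}

# status_of: extracts the three-digit status code from the status line.
status_of() {
    tr -d '\r' | sed -n '1s/^HTTP\/[0-9.]* \([0-9]\{3\}\).*/\1/p'
}

# origin_check <domain> <ip>: fetches headers through the domain and straight
# from the candidate IP (with Host: <domain>) and compares. Needs network.
origin_check() {
    local domain=$1 ip=$2 via_dns via_ip
    via_dns=$(curl -sI --max-time 10 "https://$domain/" | classify_headers)
    via_ip=$(curl -sI --max-time 10 -H "Host: $domain" "http://$ip/" | classify_headers)
    echo "via $domain: $via_dns; via $ip: $via_ip"
    case "$via_dns,$via_ip" in
        cloudflare-edge,origin) echo "$ip answers directly while $domain is proxied: likely the origin" ;;
        *,cloudflare-edge)      echo "$ip is a Cloudflare edge, not the origin" ;;
        *,no-response)          echo "$ip does not answer on port 80 (wrong IP, or origin locked to the proxy's ranges)" ;;
        *)                      echo "inconclusive: compare the page bodies with and without the Host header" ;;
    esac
}

# Constructed sample responses for offline use (not captured from any real host).
SAMPLE_EDGE='HTTP/2 200
server: cloudflare
cf-ray: 0000000000000000-FRA
content-type: text/html; charset=utf-8'
SAMPLE_ORIGIN='HTTP/1.1 301 Moved Permanently
Server: nginx/1.24.0
Location: https://example.com/'

# Usage: origin_check.sh <domain> <ip>
if [ "$#" -eq 2 ]; then origin_check "$1" "$2"; fi
```

The comparison is the point: an IP that answers with the site's content while the domain itself answers from Cloudflare is the one that the proxy was supposed to hide. An origin that has been locked down to Cloudflare's address ranges shows up as no-response, which is what you want to see from the defender's side.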

So, to run the test we need:
  1. One Linux-based server (for example Ubuntu 22/24), or several if one machine cannot generate enough load
  2. A domain or IP to test
  3. An installed load-testing utility, such as wrk:
Bash:
sudo apt update && sudo apt upgrade -y
sudo apt install wrk -y

Important!
To let wrk keep many connections open at the same time, raise the limit on open file descriptors: every TCP connection is one descriptor, and the default soft limit on Ubuntu is 1024, so with -c1000 wrk runs out almost immediately. Raise it in the shell you will run wrk from (the setting applies only to that shell and its child processes):
Bash:
ulimit -n 100000
If this fails with "Operation not permitted", the hard limit is lower: check it with ulimit -Hn and raise it in /etc/security/limits.conf, or run wrk as root.
Example of how to start the test:
Bash:
wrk -t500 -c1000 -d300s https://robotsec.xyz
-t500 - number of threads
-c1000 - number of open connections (split evenly across the threads, so it must be at least the thread count)
-d300s - test duration (5 minutes)
https://robotsec.xyz - target address
In practice 500 threads is far too many: wrk is event-driven and its author recommends one thread per CPU core; extra threads only add context switching on the load generator. On an 8-core machine wrk -t8 -c1000 -d300s <url> drives the same 1000 connections harder.

After the run you will see statistics. One of the main indicators is Latency: a sharp increase in latency as the load grows is a sign that the server can no longer keep up, and an average above 1-1.5 s means it is clearly failing. Two more lines matter, and wrk prints them only when they are non-zero: "Socket errors: connect N, read N, write N, timeout N" (connections refused, reset or timed out, i.e. requests that never got an answer at all) and "Non-2xx or 3xx responses: N" (the server answered, but with errors, typically the 5xx a reverse proxy returns for an overloaded backend). Requests/sec falling while latency rises is the same failure seen from the other side.
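The whole procedure (raise the descriptor limit, size the threads, run wrk, read the report) as one script, added here as an example and not code from the original post. The report layout is wrk's real one; the two sample reports are constructed, not from a real run, the 1000 ms SLO is an assumption, and run_wrk needs wrk installed and a target you are allowed to load.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Runs wrk with sane settings
# and reduces its report to the numbers that decide a resilience test. The
# report layout is wrk's real one; the two sample runs below are constructed.

# to_ms: converts a wrk latency figure ("635.91us", "12.92ms", "1.43s", "2.10m")
# to milliseconds, so thresholds can be compared across units.
to_ms() {
    awk -v v="$1" 'BEGIN {
        unit = v; sub(/^[0-9.]+/, "", unit)
        num = v;  sub(/[a-z]+$/, "", num)
        if (unit == "us") num = num / 1000
        else if (unit == "s") num = num * 1000
        else if (unit == "m") num = num * 60000
        printf "%.3f\n", num
    }'
}

# parse_wrk: reads a wrk report on stdin and prints shell assignments for the
# average/max latency, requests per second, total socket errors
# (connect+read+write+timeout) and non-2xx/3xx responses. wrk prints the two
# error lines only when they are non-zero, so both default to 0.
parse_wrk() {
    awk '
        $1 == "Latency" && $2 != "Distribution" { avg = $2; max = $4 }
        $1 == "Requests/sec:"                   { rps = $2 }
        /^ *Socket errors:/            { gsub(/,/, ""); errs = $4 + $6 + $8 + $10 }
        /^ *Non-2xx or 3xx responses:/ { bad = $NF }
        END { printf "LAT_AVG=%s LAT_MAX=%s RPS=%s SOCK_ERRS=%d NON2XX=%d\n",
                     avg, max, rps, errs + 0, bad + 0 }'
}

# judge <slo_ms>: reads a wrk report and prints a one-line summary plus a
# verdict. Socket errors or non-2xx answers mean requests are failing outright;
# an average latency above the SLO means the server is degraded; otherwise OK.
judge() {
    local slo_ms=$1 avg_ms max_ms
    eval "$(parse_wrk)"
    avg_ms=$(to_ms "$LAT_AVG"); max_ms=$(to_ms "$LAT_MAX")
    printf 'avg %s ms, max %s ms, %s req/s, %s socket errors, %s non-2xx\n' \
        "$avg_ms" "$max_ms" "$RPS" "$SOCK_ERRS" "$NON2XX"
    if [ "$SOCK_ERRS" -gt 0 ] || [ "$NON2XX" -gt 0 ]; then
        echo FAIL
    elif awk -v a="$avg_ms" -v s="$slo_ms" 'BEGIN { exit !(a > s) }'; then
        echo DEGRADED
    else
        echo OK
    fi
}

# run_wrk <url> [connections] [seconds]: raises the fd soft limit for this
# shell if needed, uses one thread per core (wrk's own recommendation; more
# threads only add context switching on the load generator) and judges the
# result against a 1000 ms SLO. Needs wrk and a target you are allowed to load.
run_wrk() {
    local url=$1 conns=${2:-1000} secs=${3:-60} threads need
    threads=$(nproc)
    [ "$conns" -ge "$threads" ] || conns=$threads   # wrk splits -c across -t
    need=$((conns + 1024))                          # connections plus headroom
    if [ "$(ulimit -S -n)" -lt "$need" ]; then
        ulimit -S -n "$need" 2>/dev/null ||
            echo "warning: fd soft limit stays at $(ulimit -S -n), hard limit is $(ulimit -H -n)" >&2
    fi
    wrk -t"$threads" -c"$conns" -d"${secs}s" "$url" | judge 1000
}

# Constructed sample reports (not from a real run): a healthy server and one
# that is failing under the same 1000 connections.
SAMPLE_OK='Running 1m test @ http://127.0.0.1:8080/
  8 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency   635.91us    0.89ms  12.92ms   93.69%
    Req/Sec    56.20k     8.07k   62.00k    86.54%
  26891540 requests in 1.00m, 21.26GB read
Requests/sec: 448192.33
Transfer/sec:    362.78MB'
SAMPLE_FAIL='Running 1m test @ http://127.0.0.1:8080/
  8 threads and 1000 connections
  Thread Stats   Avg      Stdev     Max   +/- Stdev
    Latency     1.43s   812.55ms   9.87s    71.02%
    Req/Sec    41.17     30.26   210.00     77.39%
  19642 requests in 1.00m, 241.58MB read
  Socket errors: connect 0, read 1388, write 0, timeout 2848
  Non-2xx or 3xx responses: 917
Requests/sec:    327.37
Transfer/sec:      4.03MB'

# Usage: loadtest.sh http://<host>/ [connections] [seconds]
if [ "$#" -ge 1 ]; then run_wrk "$@"; fi
```

Step the connection count up between runs (200, 500, 1000, ...) and note where the verdict flips from OK to DEGRADED and then to FAIL; that boundary, not the raw requests per second, is the server's real capacity. The failing sample shows the usual shape: average latency past the SLO, thousands of timeouts and a few hundred 5xx answers, while Requests/sec collapses.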

To generate more load than one machine can, run wrk from several servers at the same time. This is also the only way to see how the target behaves when traffic arrives from several source IPs, which is what per-IP rate limits key on.


DoS/DDoS protection

If your site may be under attack, you can use:
  • Network filters and firewalls (iptables/nftables, ufw) - drop obviously bad traffic (UDP and ICMP you do not serve, SYN rate limits) before it reaches the application; nothing on the host helps once the uplink itself is saturated.
  • CDNs with anti-DDoS (Cloudflare, Akamai) - absorb volumetric attacks at the edge, but only if the origin is locked down to accept HTTP traffic exclusively from the provider's published IP ranges; otherwise anyone who finds the origin IP, as described above, bypasses the protection entirely.
  • Rate limiting - limit the number of requests from one IP (nginx limit_req, fail2ban). Stops a single-source DoS, but will not help against a DDoS, which spreads the requests over many sources that each stay under the limit.
  • Anti-DDoS services from hosting providers or third-party companies.
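Per-IP rate limiting and its limit, as an added example (not code from the original post): the script reads an nginx/Apache combined-format access log, reports clients that burst above a per-second threshold and emits iptables rules for them as text only. The log is constructed from RFC 5737 test addresses, the threshold is an assumption, and nothing is applied to the firewall.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Finds clients that burst
# above a per-IP request rate in a combined-format access log and turns them
# into firewall rules to review, then shows why this does nothing against a
# flood spread over many sources. The log below is constructed, not captured.

# burst_ips <max_per_sec>: reads access log lines on stdin and prints
# "ip peak_req_per_sec total_requests" for every client whose request count in
# any single second exceeded max_per_sec, busiest first.
burst_ips() {
    awk -v limit="$1" '
        {
            ip = $1
            ts = $4; sub(/^\[/, "", ts)               # 10/May/2025:12:00:01
            n[ip, ts]++; total[ip]++
            if (n[ip, ts] > peak[ip]) peak[ip] = n[ip, ts]
        }
        END {
            for (ip in peak)
                if (peak[ip] > limit) printf "%s %d %d\n", ip, peak[ip], total[ip]
        }' | sort -k2,2nr -k1,1
}

# block_rules <max_per_sec>: emits one iptables DROP rule per offender as text
# for an operator to review; nothing is applied here.
block_rules() {
    burst_ips "$1" | awk '{ printf "iptables -I INPUT -s %s -j DROP  # peak %s req/s, %s requests\n", $1, $2, $3 }'
}

# sample_log: constructed combined-format log (RFC 5737 test addresses): one
# client bursting 8 req/s then 3 req/s, one normal visitor, and three clients
# at 3 req/s each, a small distributed flood that stays under a per-IP limit of 5.
sample_log() {
    local i ip
    log_line() { printf '%s - - [10/May/2025:12:00:%02d +0000] "GET %s HTTP/1.1" 200 612 "-" "Mozilla/5.0"\n' "$1" "$2" "$3"; }
    for i in 1 2 3 4 5 6 7 8; do log_line 203.0.113.10 1 /; done
    for i in 1 2 3;           do log_line 203.0.113.10 2 /; done
    log_line 198.51.100.7 1 /about
    log_line 198.51.100.7 3 /contact
    for ip in 203.0.113.21 203.0.113.22 203.0.113.23; do
        for i in 1 2 3; do log_line "$ip" 2 /search; done
    done
}

# Usage: burst.sh 5 < /var/log/nginx/access.log
if [ "$#" -eq 1 ]; then block_rules "$1"; fi
```

Run sample_log | burst_ips 5 and only 203.0.113.10 shows up (8 req/s, 11 requests); the three clients at 3 req/s each, 9 requests in the same second between them, pass untouched, even though together they are more load than the single offender. Lower the limit to 2 and they appear, but so will real visitors who open a page with a few assets. That gap is exactly why per-IP rate limiting stops a DoS and not a DDoS, and why the upstream filters in the list above key on other signals too.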
 