CEH v8 Labs Module 10: Denial of Service

CEH Lab Manual, Denial of Service, Module 10

Upload: asep-sopyan

Posted on 15-Apr-2017

CEH Lab Manual

Denial of Service

Module 10


Module 10 - Denial of Service

Denial of Service

Denial of Service (DoS) is an attack on a computer or network that prevents legitimate use of its resources.

Lab Scenario

In computing, a denial-of-service attack (DoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used in relation to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management.

One common method of attack involves saturating the target machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered essentially unavailable. Such attacks usually lead to a server overload. Denial-of-service attacks can essentially disable your computer or your network. DoS attacks can be lucrative for criminals; recent attacks have shown that DoS attacks are a way for cyber criminals to profit.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of how denial-of-service and distributed denial-of-service attacks are carried out, how to detect and neutralize attack handlers, and how to mitigate such attacks.

Lab Objectives

The objective of this lab is to help students learn to perform DoS attacks and to test a network for DoS flaws.

In this lab, you will:

■ Create and launch a denial-of-service attack against a victim

■ Remotely administer clients

■ Perform a DoS attack by sending a huge number of SYN packets continuously

■ Perform a DoSHTTP attack

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

CEH Lab Manual Page 703


Lab Environment

To carry out this lab, you need:

■ A computer running Windows Server 2008

■ Windows XP/7 running in a virtual machine

■ A web browser with Internet access

■ Administrative privileges to run tools

Lab Duration

Time: 60 Minutes

Overview of Denial of Service

Denial-of-service (DoS) is an attack on a computer or network that prevents legitimate use of its resources. In a DoS attack, attackers flood a victim's system with illegitimate service requests or traffic to overload its resources and prevent it from performing its intended tasks.

Lab Tasks

Pick an organization that you feel is worthy of your attention. This could be an educational institution, a commercial company, or perhaps a nonprofit charity. Run the attacks only against systems you own or are explicitly authorized to test; the exercises below use the lab's own victim and attacker machines.

Recommended labs to assist you in denial of service:

■ SYN flooding a target host using hping3

■ HTTP flooding using DoSHTTP

Lab Analysis

Analyze and document the results related to the lab exercise. Give your opinion on your target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.


Tools demonstrated in this lab are available in D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service

Lab 1: SYN Flooding a Target Host Using hping3

hping3 is a command-line oriented TCP/IP packet assembler/analyzer.

Lab Scenario

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target's system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not responding to the server with the expected ACK. The malicious client can either simply not send the expected ACK, or spoof the source IP address in the SYN so that the server sends the SYN-ACK to a falsified IP address, which will not send an ACK because it "knows" that it never sent a SYN. The server will wait for the acknowledgement for some time, since simple network congestion could also be the cause of the missing ACK, but in an attack the increasingly large number of half-open connections binds resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic. Some systems may also malfunction badly or even crash if other operating system functions are starved of resources in this way.

As an expert ethical hacker or security administrator of an organization, you should have sound knowledge of denial-of-service and distributed denial-of-service attacks and should be able to detect and neutralize attack handlers. You should use SYN cookies as a countermeasure against SYN floods: the server encodes the connection state in its initial sequence number instead of allocating a half-open connection entry, so a flood of unanswered SYNs consumes no backlog on the target host.
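As an added example (not from the lab manual), the following Python model shows why a bounded SYN backlog fails under a flood and how a SYN cookie removes the per-connection state. The cookie layout, the HMAC secret, the listener address 10.0.0.11:22, the spoofed source range and the clock granularity are assumptions made for the simulation; a real kernel's cookie format and random secret differ.

```python
import hashlib
import hmac

# Added example: a simplified model of a TCP listener with and without SYN
# cookies. The cookie layout (5-bit time slot, 3-bit MSS index, 24-bit keyed
# hash) follows the Linux scheme in spirit, but the hash input, the secret and
# the clock granularity are constructed for illustration only.

MSS_TABLE = (536, 1460)       # MSS values a cookie can encode (3-bit index)


def syn_cookie(secret, src, sport, dst, dport, t, mss_idx):
    """Server ISN that commits to the 4-tuple, a time slot t and an MSS index."""
    msg = f"{src}:{sport}>{dst}:{dport}|{t}".encode()
    h = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")
    return ((t & 0x1F) << 27) | ((mss_idx & 0x7) << 24) | h


def check_syn_cookie(secret, src, sport, dst, dport, now, ack):
    """Validate the final ACK of a handshake. Returns the encoded MSS or None."""
    isn = (ack - 1) & 0xFFFFFFFF
    slot, mss_idx = isn >> 27, (isn >> 24) & 0x7
    for t in (now, now - 1):          # accept this slot or the previous one
        if t >= 0 and (t & 0x1F) == slot and \
                syn_cookie(secret, src, sport, dst, dport, t, mss_idx) == isn:
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
    return None


class Listener:
    """A listening socket with a bounded half-open (SYN_RECV) backlog."""

    def __init__(self, ip, port, backlog, use_cookies):
        self.ip, self.port, self.backlog = ip, port, backlog
        self.use_cookies = use_cookies
        self.secret = b"constructed-lab-secret"   # real stacks use random keys
        self.half_open = {}        # (src, sport) -> ISN; unused with cookies
        self.established = set()
        self.clock = 0             # cookie time slot; advance to expire cookies

    def on_syn(self, src, sport):
        """Return the SYN-ACK sequence number, or None if the SYN is dropped."""
        if self.use_cookies:
            # No state is stored: the ISN itself is the proof of the SYN.
            return syn_cookie(self.secret, src, sport, self.ip, self.port,
                              self.clock, 1)
        if len(self.half_open) >= self.backlog:
            return None            # backlog full: legitimate SYNs are lost too
        raw = hashlib.sha256(f"{src}:{sport}:{self.clock}".encode()).digest()
        isn = int.from_bytes(raw[:4], "big")
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src, sport, ack):
        """Complete the handshake if the ACK matches a pending SYN-ACK."""
        key = (src, sport)
        if self.use_cookies:
            ok = check_syn_cookie(self.secret, src, sport, self.ip, self.port,
                                  self.clock, ack) is not None
        else:
            ok = key in self.half_open and ack == (self.half_open[key] + 1) & 0xFFFFFFFF
            if ok:
                del self.half_open[key]
        if ok:
            self.established.add(key)
        return ok


def simulate(use_cookies, flood_syns=1000, backlog=128):
    """Flood the listener with never-acknowledged SYNs, then try a real client."""
    srv = Listener("10.0.0.11", 22, backlog, use_cookies)
    for i in range(flood_syns):   # spoofed sources never answer the SYN-ACK
        srv.on_syn(f"198.51.100.{i % 250}", 40000 + i)
    synack = srv.on_syn("10.0.0.13", 50000)
    connected = synack is not None and srv.on_ack("10.0.0.13", 50000, (synack + 1) & 0xFFFFFFFF)
    return {"half_open": len(srv.half_open), "legit_connected": connected}


def stale_ack_rejected(age=3):
    """A cookie outlives its time slot: the delayed ACK must be refused."""
    srv = Listener("10.0.0.11", 22, 128, True)
    synack = srv.on_syn("10.0.0.13", 50001)
    srv.clock += age
    return not srv.on_ack("10.0.0.13", 50001, (synack + 1) & 0xFFFFFFFF)


if __name__ == "__main__":
    print("without SYN cookies:", simulate(False))
    print("with SYN cookies:   ", simulate(True))
    print("stale cookie ACK rejected:", stale_ack_rejected())
```

Without cookies the 1000 spoofed SYNs fill the 128-entry backlog and the legitimate client's SYN is dropped; with cookies nothing is stored, the legitimate handshake completes, and an ACK that arrives after the cookie's time slot has passed is refused, which is the trade-off that limits how long a client may take to answer the SYN-ACK.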

Lab Objectives

The objective of this lab is to help students learn to perform denial-of-service attacks and test the network for DoS flaws.

In this lab, you will:

■ Perform denial-of-service attacks

■ Send a huge number of SYN packets continuously


Lab Environment

To carry out the lab, you need:

■ A computer running Windows 7 as the victim machine

■ BackTrack 5 r3 running in a virtual machine as the attacker machine

■ Wireshark, located at D:\CEH-Tools\CEHv8 Module 08 Sniffing\SniffingTools\Wireshark

Lab Duration

Time: 10 Minutes

Overview of hping3

hping3 is a network tool able to send custom TCP/IP packets and to display target replies, as a ping program does with ICMP replies. hping3 handles fragmentation and arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols.

Lab Tasks

1. Launch BackTrack 5 r3 on the virtual machine.

2. Launch the hping3 utility from the BackTrack 5 r3 virtual machine. Select BackTrack Menu -> BackTrack -> Information Gathering -> Network Analysis -> Identify Live Hosts -> hping3.


Figure 1.1: BackTrack 5 r3 Menu

3. The hping3 utility starts in the command shell.

Note: Type only hping3 without any argument. If hping3 was compiled with Tcl scripting capabilities, you should see a prompt.

FIGURE 1.2: BackTrack 5 r3 Command Shell with hping3

4. In the command shell, type hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood and press Enter.

FIGURE 1.3: BackTrack 5 r3 11ping3 command

5. In the previous command, 10.0.0.11 (Windows 7) is the victim machine's IP address and 10.0.0.13 (BackTrack 5 r3) is the attacker machine's IP address. -S sets the SYN flag, -p 22 targets the SSH port, and --flood sends packets as fast as possible without waiting for replies. -a sets the source address written into each SYN; because it is set here to the attacker's own address, the victim's SYN-ACKs reach BackTrack, whose kernel answers them with RST, so the victim's connections do not stay half-open and the load comes from packet volume alone. To leave the victim holding half-open connections, give -a an unused address on the subnet or use --rand-source instead.

hping3 reports that it is running in flood mode and that no replies will be shown:

root@bt:~# hping3 -S 10.0.0.11 -a 10.0.0.13 -p 22 --flood
HPING 10.0.0.11 (eth0 10.0.0.11): S set, 40 headers + 0 data bytes
hping in flood mode, no replies will be shown

Note: First, type a simple command and see the result: at the hping3.0.0-alpha-1> prompt, hping resolve www.google.com prints 66.102.9.104.

Note: The hping3 command should be called with a subcommand as the first argument and additional arguments according to the particular subcommand.

FIGURE 1.4: BackTrack 5 r3 Command Shell with hping3

6. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.

Note: The hping resolve command is used to convert a hostname to an IP address.


7. Go to the victim's machine (Windows 7). Install and launch Wireshark, and observe the SYN packets.

Wireshark on the victim shows a continuous stream of 54-byte TCP frames from 10.0.0.13 to 10.0.0.11, each a SYN to port 22 (ssh) from a new source port and flagged [TCP Port numbers reused], for example:

10.0.0.13 -> 10.0.0.11  TCP  54  [TCP Port numbers reused] 53620 > ssh [SYN]
10.0.0.13 -> 10.0.0.11  TCP  54  [TCP Port numbers reused] 53621 > ssh [SYN]
10.0.0.13 -> 10.0.0.11  TCP  54  [TCP Port numbers reused] 53622 > ssh [SYN]

The frame detail confirms Ethernet II, IPv4 Src 10.0.0.13 / Dst 10.0.0.11 and TCP Dst Port ssh (22) with Seq 0 and Len 0; the status bar reports 119311 packets captured.

FIGURE 1.5: Wireshark with SYN Packets Traffic

You sent a huge number of SYN packets, which caused the victim's machine to crash. To confirm the effect from a third host, attempt a TCP connection to the victim while the flood runs; it should time out, and recover once you stop hping3 with Ctrl+C.
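Added example, not part of the lab: a small detector for the pattern visible in Figure 1.5, run over capture lines in a Wireshark-like "time src dst proto length info" layout. The capture lines, the flooding host 10.0.0.13 and the legitimate client 10.0.0.5 are constructed for the example; the thresholds (100 SYNs per second with under 10% of handshakes completed) are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Added example: a detector for the pattern seen in the Wireshark capture, run
# over constructed capture lines in a Wireshark-like "time src dst proto length
# info" layout. The flood source, ports and the legitimate client below are
# constructed for the example, not taken from a real capture.

LINE_RE = re.compile(
    r"^(?P<t>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?:\[[^\]]*\]\s+)?(?P<sport>\d+) > (?P<dport>\S+) \[(?P<flags>[^\]]+)\]"
)


def build_sample_capture(flood_packets=300):
    """Constructed capture: one flooding source plus one normal SSH client."""
    lines = []
    for i in range(flood_packets):   # hping3-style SYNs, new source port each time
        lines.append(f"{i * 0.002:.6f} 10.0.0.13 10.0.0.11 TCP 54 "
                     f"[TCP Port numbers reused] {53620 + i} > ssh [SYN]")
    lines += [   # a legitimate client completing the handshake, then sending data
        "0.100000 10.0.0.5 10.0.0.11 TCP 66 49152 > ssh [SYN]",
        "0.100400 10.0.0.11 10.0.0.5 TCP 66 ssh > 49152 [SYN, ACK]",
        "0.100700 10.0.0.5 10.0.0.11 TCP 54 49152 > ssh [ACK]",
        "0.150000 10.0.0.5 10.0.0.11 TCP 87 49152 > ssh [PSH, ACK]",
    ]
    return lines


def parse(lines):
    """Yield (time, src, dst, dport, flags) for client-side TCP lines; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            flags = {f.strip() for f in m["flags"].split(",")}
            yield float(m["t"]), m["src"], m["dst"], m["dport"], flags


def detect_syn_flood(lines, window=1.0, min_syns=100, max_completion=0.1):
    """Flag (src, dst, dport) tuples that send many SYNs per window but rarely
    finish the handshake, i.e. a stream of connections left half-open."""
    stats = defaultdict(lambda: {"syns": 0, "acks": 0, "first": None, "last": None})
    for t, src, dst, dport, flags in parse(lines):
        s = stats[(src, dst, dport)]
        if "SYN" in flags:
            s["syns"] += 1
            s["first"] = t if s["first"] is None else min(s["first"], t)
            s["last"] = t if s["last"] is None else max(s["last"], t)
        elif "ACK" in flags:      # ACK without SYN: the client finished a handshake
            s["acks"] += 1
    flagged = []
    for key, s in stats.items():
        if s["syns"] == 0:
            continue
        span = max(s["last"] - s["first"], 1e-6)
        rate = s["syns"] * window / max(span, window)   # SYNs per window
        completion = s["acks"] / s["syns"]
        if rate >= min_syns and completion <= max_completion:
            flagged.append((*key, s["syns"], round(rate), round(completion, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for hit in detect_syn_flood(build_sample_capture()):
        print("SYN flood suspected (src, dst, port, syns, rate, completion):", hit)
```

The detector keys on the combination the capture shows: a high SYN rate towards one port together with almost no bare ACKs from the same source. A single busy but honest client produces SYNs and a matching number of ACKs, so it stays below the completion threshold and is not flagged.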

Note: hping3 was mainly used as a security tool in the past. It can be used in many ways by people who don't care for security to test networks and hosts. A subset of the things you can do using hping3:

■ Firewall testing

■ Advanced port scanning

■ Network testing, using various protocols, TOS, fragmentation

■ Manual path MTU discovery

■ Advanced traceroute, under all the supported protocols

■ Remote OS fingerprinting

■ Remote uptime guessing

■ TCP/IP stacks auditing

Lab Analysis

Document all the results gathered during the lab.

Tool/Utility: hping3
Information Collected/Objectives Achieved: SYN packets observed flooding the resources of the victim machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Internet Connection Required: ☐ Yes ☑ No

Platform Supported: ☑ Classroom ☑ iLabs

Lab 2: HTTP Flooding Using DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. DoSHTTP includes port designation and reporting.

Lab Scenario

HTTP flooding is an attack that uses enormous numbers of useless packets to jam a web server. One published detection approach uses hidden semi-Markov models (HSMMs) to describe web-browsing patterns and detect HTTP flooding attacks. A large number of legitimate request sequences is first used to train an HSMM, and this legitimate model is then used to check each incoming request sequence. Abnormal web traffic whose likelihood falls outside the reasonable range for the legitimate model is classified as potential attack traffic and should be controlled with special actions such as filtering or limiting the traffic. The authors validated the approach by testing the method with real data; the results show that the method detects anomalous web traffic effectively.

In the previous lab you learned about SYN flooding using hping3 and the countermeasures that can be implemented to prevent such attacks. Another method that attackers can use to attack a server is the HTTP flood approach.

As an expert ethical hacker and penetration tester, you must be aware of all types of hacking attempts on a web server. For HTTP flooding attacks you should implement an advanced technique known as "tarpitting," which, once established successfully, sets the connection's window size to a few bytes. According to the TCP/IP protocol design, the connecting device will initially send only as much data to the target as it takes to fill the window, and then waits until the server responds. With tarpitting, there is no response to the packets of unwanted HTTP requests, so the attacker's sockets stay stuck while your web server is protected. Because a tarpit deliberately keeps attacker connections open, apply it only to clients already identified as abusive, for example by request rate, so that the held connections do not themselves become a resource cost.
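Added example, not part of the lab manual or of DoSHTTP: a sliding-window policy that serves a browser normally, tarpits a client that exceeds a reasonable request rate, and refuses one that floods. The thresholds, the client addresses 10.0.0.5 and 10.0.0.10, the request rates and the 1-byte window value are assumptions; a real tarpit is applied in the TCP stack or firewall, and this model only makes the per-client decision.

```python
from collections import deque, namedtuple

# Added example: an application-level model of the rate-based defence the text
# describes. A real tarpit is applied in the TCP stack or firewall (e.g. a
# tiny advertised window); here the policy only decides, per client, whether a
# request is served normally, held back (tarpitted) or refused. Thresholds and
# client addresses are constructed for the example.

Decision = namedtuple("Decision", "action delay window")


class RequestGovernor:
    def __init__(self, period=1.0, soft_limit=20, hard_limit=200, tarpit_delay=30.0):
        self.period = period            # sliding window length in seconds
        self.soft_limit = soft_limit    # requests/period a browser reasonably makes
        self.hard_limit = hard_limit    # beyond this, stop spending any effort
        self.tarpit_delay = tarpit_delay
        self.history = {}               # client -> deque of request timestamps

    def decide(self, client, now):
        q = self.history.setdefault(client, deque())
        while q and now - q[0] > self.period:
            q.popleft()                 # forget requests older than the window
        q.append(now)
        n = len(q)
        if n > self.hard_limit:
            return Decision("drop", 0.0, 0)            # close, no response
        if n > self.soft_limit:
            # Tarpit: keep the socket open but starve it. The window of 1 byte
            # models the few-byte window the text describes; the client can
            # send almost nothing until we choose to respond.
            return Decision("tarpit", self.tarpit_delay, 1)
        return Decision("serve", 0.0, 65535)


def simulate_clients(governor, seconds=2, browser_rps=5, flooder_rps=1500):
    """Replay a browser and a DoSHTTP-style continuous flooder for a few seconds."""
    outcome = {"browser": {}, "flooder": {}}
    for tick in range(seconds * flooder_rps):
        now = tick / flooder_rps
        d = governor.decide("10.0.0.10", now)          # constructed flooder address
        outcome["flooder"][d.action] = outcome["flooder"].get(d.action, 0) + 1
        if tick % (flooder_rps // browser_rps) == 0:
            d = governor.decide("10.0.0.5", now)       # constructed browser address
            outcome["browser"][d.action] = outcome["browser"].get(d.action, 0) + 1
    return outcome


if __name__ == "__main__":
    print(simulate_clients(RequestGovernor()))
```

The flooder gets its first 20 requests served, the next 180 tarpitted, and everything after that dropped, while the browser at 5 requests per second is served throughout. The per-client history is the cost of this policy: the governor has to remember timestamps for every client it sees, so in front of a real server the history needs a bound and an eviction rule, or an attacker with many source addresses turns the defence itself into a memory sink.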

Lab Objectives

The objective of this lab is to help students learn the HTTP flooding denial-of-service (DoS) attack.


Lab Environment

To carry out this lab, you need:

■ The DoSHTTP tool, located at D:\CEH-Tools\CEHv8 Module 10 Denial-of-Service\DDoS Attack Tools\DoS HTTP

■ You can also download the latest version of DoSHTTP from http://www.socketsoft.net/

■ If you decide to download the latest version, then the screenshots shown in the lab might differ

■ A computer running Windows Server 2012 as the host (attacker) machine

■ Windows 7 running on a virtual machine as the victim machine, where Wireshark is run

■ A web browser with an Internet connection

■ Administrative privileges to run tools

Lab Duration

Time: 10 Minutes

Overview of DoSHTTP

DoSHTTP is an HTTP flood denial-of-service (DoS) testing tool for Windows. It includes URL verification, HTTP redirection, and performance monitoring. DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP flood. DoSHTTP can be used simultaneously on multiple clients to emulate a distributed denial-of-service (DDoS) attack. This tool is used by IT professionals to test web server performance.

Lab Tasks

1. Install and launch DoSHTTP in Windows Server 2012.

2. To launch DoSHTTP, move your mouse cursor to the lower left corner of the desktop and click Start.


FIGURE 2.1: Windows Server 2012 Desktop view


3. Click the DoSHttp 2.5 app from the Start menu apps to launch the program.

FIGURE 2.2: Windows Server 2012 Start Menu Apps

4. The DoSHTTP main screen appears as shown in the following figure; in this lab we have demonstrated the trial version. Click Try to continue.

Note: DoSHTTP is an easy to use and powerful HTTP Flood Denial of Service (DoS) Testing Tool for Windows. DoSHTTP includes URL Verification, HTTP Redirection, Port Designation, Performance Monitoring and Enhanced Reporting.

The DoSHTTP 2.5.1 (Socketsoft.net) registration dialog reports "Unregistered Version: You have 13 days or 3 uses left on your free trial" with Try and Close buttons, and below it a Serial Number field with a Register button.

FIGURE 2.3: DoSHTTP main window

5. Enter the URL or IP address in the Target URL field.

6. Select a User Agent, the number of Sockets to send, and the type of Requests to send. Click Start.

7. In this lab, we are using the Windows 7 IP (10.0.0.7) as the flood target.

Note: DoSHTTP includes Port Designation and Reporting.


In the DoSHTTP window (Evaluation Mode), the Target URL is set to 10.0.0.11, the User Agent to Mozilla/6.0 (compatible; MSIE 7.0a; Windows NT 5.2; SV1), Sockets to 1500 and Requests to Continuous; the Verify URL, Start Flood and Close buttons sit beside them.

FIGURE 2.4: DoSHTTP Flooding

Note: These IP addresses may differ in your lab environment.

8. Click OK in the DoSHTTP evaluation pop-up, which reads "Evaluation mode will only perform a maximum of 10000 requests per session."

Note: DoSHTTP uses multiple asynchronous sockets to perform an effective HTTP Flood. DoSHTTP can be used simultaneously on multiple clients to emulate a Distributed Denial of Service (DDoS) attack.

FIGURE 2.5: DoSHTTP Evaluation mode pop-up

9. Launch the Wireshark network protocol analyzer in the Windows 7 virtual machine and start capturing on its interface.

10. DoSHTTP opens its asynchronous sockets and performs HTTP flooding of the target.

11. Go to the virtual machine, open Wireshark, and observe that a lot of packet traffic is captured by Wireshark.

Note: DoSHTTP can help IT professionals test web server performance and evaluate web server protection software. DoSHTTP was developed by certified IT security and software development professionals.


Wireshark on the Windows 7 machine shows a stream of 66-byte TCP SYN frames from 10.0.0.10 to 10.0.0.11 on port 80 (http), for example 57281 > http [SYN], interleaved with the usual ARP, NBNS, LLMNR and DHCPv6 background traffic on the segment.

FIGURE 2.6: Wireshark window

12. You see a lot of HTTP packets flooding the host machine.

13. DoSHTTP uses multiple asynchronous sockets to perform an HTTP flood against the entered target.

Lab Analysis

Analyze and document the results related to the lab exercise.

Tool/Utility: DoSHTTP
Information Collected/Objectives Achieved: HTTP packets observed flooding the host machine

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Questions

1. Evaluate how DoSHTTP can be used simultaneously on multiple clients to perform DDoS attacks.


2. Determine how you can prevent DoSHTTP attacks on a network.

Internet Connection Required: ☐ Yes

Platform Supported: ☑ Classroom ☑ iLabs