DoS vs DDoS
Denial-of-service (DoS) attacks are the precursor to DDoS attacks. Historically, DoS attacks were a primary method for disrupting computer systems on a network. A DoS attack originates from a single machine and can be very simple: a basic ping flood sends more ICMP echo ("ping") requests to a targeted server than it can process and answer, and it works only when the attacker has more bandwidth than the target. Just about anyone with a networked machine can launch this type of attack using built-in terminal commands. More complex DoS attacks rely on malformed or fragmented packets, such as the now largely defunct Ping of Death, which reassembled into a packet larger than the IP maximum of 65,535 bytes and crashed unpatched TCP/IP stacks.
Attacks involving multiple computers or other devices all targeting the same victim are considered DDoS attacks because of their distributed design. Of the two, DDoS attacks are more prevalent and more damaging on the modern Internet. Because it is relatively simple to purchase or assemble a group of malicious machines capable of sending massive amounts of traffic to a target, bad actors use networks of devices such as botnets to flood a target with requests. By controlling a large number of malware-infected machines, a malicious actor combines the attack traffic of all of them, and the traffic arrives from many source addresses, which defeats mitigation based on blocking a single source. With the rise of poorly secured Internet of Things (IoT) devices, more and more hardware is available to be commandeered for this purpose.
Not all distributed attacks involve botnets; some attack tools leverage volunteers who work together by sharing their available computer resources to take part in a common goal. The hacker group Anonymous has used DoS and DDoS tools, coupled with willing parties, for this very purpose.
How are DoS/DDoS attack tools categorized?
A number of different attack tools, marketed as "stressers" or "booters", are available for free on the Internet. At their core, some of these tools have legitimate purposes, as security researchers and network engineers may at times perform stress tests against their own networks. Some attack tools are specialized and focus on a particular layer of the protocol stack, while others are designed to support multiple attack vectors.
Attack tools can be broadly characterized into several groups:
Low and slow attack tools
As the name implies, these tools use a low volume of data and operate very slowly. They open many connections to the targeted server and send small amounts of data on each one just often enough to keep the connection from timing out, holding the server's connection slots or worker threads until it can no longer accept additional clients. Because the bandwidth involved is tiny, these attacks do not show up as a traffic spike, and volumetric defenses miss them. Uniquely, low and slow attacks can be effective even without a distributed system such as a botnet and are commonly run from a single machine.
Application layer (L7) attack tools
These tools target layer 7 of the OSI model, where Internet requests such as HTTP occur. In an HTTP flood, a malicious actor overwhelms a target with HTTP GET and POST requests that are cheap to send but expensive for the server to answer (a database query, a rendered page), and that are difficult to distinguish from requests made by actual visitors, since each one is a well-formed request from a completed TCP connection.
Protocol and transport layer (L3/L4) attack tools
Further down the protocol stack, these tools use protocols such as UDP and TCP to send large volumes of traffic to a targeted server, for example a UDP flood of packets to random ports (which also forces the server to answer with ICMP "destination unreachable" messages) or a SYN flood of half-open TCP connections. Because these layers do not require a completed handshake, the source address is often spoofed. While often ineffective from a single machine, these attacks are typically seen as DDoS attacks, where every additional attacking machine adds to the effect.
What are commonly used DoS/DDoS attack tools?
A few commonly used tools include:
Low Orbit Ion Cannon (LOIC)
The LOIC is an open-source stress testing application. It can carry out TCP, UDP and HTTP flood attacks from a simple point-and-click graphical interface. Due to the popularity of the original tool, derivatives have been created that allow attacks to be launched from a web browser.
High Orbit Ion Cannon (HOIC)
This attack tool was created to replace the LOIC by expanding its capabilities and adding customizations. By using the HTTP protocol, the HOIC can launch targeted application layer attacks that are difficult to mitigate. Its authors state that the software is designed to be run by a minimum of 50 people working together in a coordinated attack.
Slowloris
Apart from being a slow-moving primate, Slowloris is an application designed to launch a low and slow attack on a targeted server. It opens many connections to the target, sends a partial HTTP request header on each, and periodically sends another header line so that the server keeps waiting for the request to finish, which it never does. The elegance of Slowloris is the small amount of resources it needs in order to create a damaging effect.
This is another low and slow attack tool designed to let the user easily launch attacks from a simple point-and-click interface. By opening multiple HTTP POST requests and then keeping those connections open as long as possible, feeding the request bodies in at a trickle, the attack aims to slowly overwhelm the targeted server.
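The categories above differ in what they exhaust, and that is what a detector has to look at: a low and slow source (Slowloris, the POST-based tool above) shows as many long-lived connections that have never completed a request and send almost nothing, while an HTTP flood source shows as a high rate of completed requests. The following Python script, added here as an illustration and not code from the original page or from any of the tools it describes, applies both heuristics to a snapshot of a server's connection table. The snapshot, the `Conn` record, the `classify` function and the threshold values are all assumptions for this example; a real deployment would take the records from the server's status endpoint or connection-tracking data and tune the thresholds against its own baseline.

```python
"""Classify sources in a connection-table snapshot as low-and-slow or HTTP flood."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example; tune them per site baseline.
SLOW_MIN_CONNS = 20      # concurrent stalled connections from one source
SLOW_MIN_AGE_S = 30.0    # a connection this old with no complete request is suspect
SLOW_MAX_BPS = 50.0      # bytes/sec from client below this counts as a trickle
FLOOD_MIN_RPS = 200.0    # complete requests per second per source


@dataclass(frozen=True)
class Conn:
    """One entry of a (hypothetical) server connection table."""
    src: str          # client address
    age_s: float      # seconds since the connection was accepted
    bytes_in: int     # bytes received from the client on this connection
    requests: int     # complete HTTP requests parsed on this connection


def is_stalled(c: Conn) -> bool:
    """Open for a long time, never completed a request, and barely sending data.

    The age check runs first, so the division below never sees age_s == 0.
    """
    return (c.requests == 0
            and c.age_s >= SLOW_MIN_AGE_S
            and c.bytes_in / c.age_s < SLOW_MAX_BPS)


def classify(conns, window_s: float) -> dict:
    """Group connections by source and label each source.

    window_s is the length of the observation window over which the
    per-connection request counts were collected.
    """
    by_src = defaultdict(list)
    for c in conns:
        by_src[c.src].append(c)

    verdicts = {}
    for src, cs in by_src.items():
        stalled = sum(1 for c in cs if is_stalled(c))
        rps = sum(c.requests for c in cs) / window_s
        labels = []
        if stalled >= SLOW_MIN_CONNS:
            labels.append("low-and-slow")
        if rps >= FLOOD_MIN_RPS:
            labels.append("http-flood")
        verdicts[src] = {"conns": len(cs), "stalled": stalled,
                         "rps": round(rps, 1), "labels": labels}
    return verdicts


def sample_snapshot():
    """Constructed sample data (not captured from a real server)."""
    conns = []
    # Slowloris-style source: 40 connections, each open for two minutes,
    # each having sent only a few hundred bytes of partial headers.
    for i in range(40):
        conns.append(Conn("198.51.100.7", 120.0 + i, 300, 0))
    # HTTP flood source: 5 connections that completed 600 requests each.
    for _ in range(5):
        conns.append(Conn("203.0.113.9", 10.0, 120_000, 600))
    # Ordinary browser: a handful of keep-alive connections, a few requests each.
    for _ in range(6):
        conns.append(Conn("192.0.2.33", 15.0, 4_000, 2))
    # Idle keep-alive connection: old and quiet, but it did complete a request,
    # so it must not be counted as stalled.
    conns.append(Conn("192.0.2.34", 90.0, 900, 1))
    return conns


if __name__ == "__main__":
    for src, verdict in classify(sample_snapshot(), window_s=10.0).items():
        print(src, verdict)
```

The two labels are independent: a source can be both, and a source that is neither but has an unusually high connection count is still worth a look. The idle keep-alive entry is the edge case that matters for low and slow detection; requiring `requests == 0` keeps legitimate long-lived but quiet connections out of the stalled count.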