Free DDoS Attack Class | Part 1
Hello my little freaks! Hackfreaks Here!
Judging by the feedback, subscribers are very interested in the topic of DDoS attacks.
I decided not only to superficially talk about the topic, but to make a full-fledged and at the same time free training🔥 . Brought to you by Hackfreaks.
Let's get back to class! It's time to brew some tea and start learning👇
Plan of the education:
1. Introduction
2. Basic theory
3. Methods of DDOS attacks
4. Choice of equipment for DDOS attacks
5. Configuring equipment for DDOS attacks
1. Introduction
Surely you have heard of DDOS attacks, or are even familiar with them in practice: some saw them on the news, some have actually done it, and some have only heard about it. In this tutorial, I will try to explain all the details as simply as possible and show how it is done by professionals.
I urge you not to attack government resources and large companies, especially the banks of your country)))
Commercial organizations do not forgive this; they go after you harshly in court. Otherwise, a criminal case may await you: even if the investigation drags on for some time, they will eventually have the time to prove it.
I think everything is clear, I will not delay, let's move on to theory.
2. Basic theory
First, let's look at the term DDOS itself. To do this, we turn to the wiki, and then I will put it in my own words.
DDOS is an abbreviation of the English expression Distributed Denial of Service. It means denial of service to a network resource as a result of numerous distributed requests (that is, requests originating from different points of Internet access). The difference between a plain Denial of Service (DoS) attack and DDOS is that in a DoS attack the overload is caused by requests coming from a single point on the Internet.
And now in our own words:
Let's imagine the situation: there is a certain Vasya and a bunch of drunken homeless people.
Vasya walks along the street, does not bother anyone, and goes to work. Suddenly, out of nowhere, a bunch of homeless people appear and begin to harass him. What should Vasya do? They have surrounded him and do not let him pass; moreover, he cannot even move, because they have turned brutal and begun to bite him. Having finished him off, they abruptly leave. What remains for Vasya? That's right: die or wait for an ambulance.
In this analogy, the attacked resource is Vasya, and the homeless people are our DDOS.
DDOS is often underestimated by many, and this is a mistake. For example, defacing a site takes me some time. With DDOS, once everything is set up, one command is enough for me to knock a bank down completely. In the case of a deface, everything can be restored, but in the case of DDOS they will not even be able to log in to the server, because it will be down. For basic theory, I think it's worth starting with network models. This material is publicly available, but you cannot get anywhere without it. These are the basics. In the case of DDOS, we will touch on the TCP/IP protocol stack.
TCP / IP is a digital data transmission network model. This model describes how data is transmitted from sender to receiver.
The TCP / IP protocol stack includes four layers, these are:
• Application layer (Layer 7)
• Transport layer (Layer 4)
• Network layer (Layer 3)
• Data link layer (Layer 2)
Let's now analyze each of the levels in order:
1. Application layer - the uppermost layer of the OSI network model, providing interaction between the network and the user. The layer allows user applications to access network services such as database query processing, file access, and e-mail forwarding.
Data types: Data
Functions: Access to network services
Examples: HTTP, Telnet, FTP, etc.
2. Transport layer - the 4th layer of the OSI network model, intended for data delivery. At this layer it does not matter what data is transmitted, from where or to where; it provides the transmission mechanism itself. It divides data blocks into fragments whose sizes depend on the protocol: short ones are combined into one, long ones are split up.
Data Types: Segments / Datagrams
Functions: Direct Endpoint Communication and Reliability
Examples: TCP / UDP
3. Network layer - the 3rd layer of the OSI network model, designed to determine the path of data transmission. Responsible for translating logical addresses and names into physical ones, determining the shortest routes, switching and routing, tracking problems and congestion in the network.
Data types: Packets
Functions: Route definition and logical addressing
Examples: ICMP, GRE, etc.
I have not described the data link layer. Why?
Because in our case it won't come in handy. For DDOS attacks, we will use attacks on the application and transport layers, and rarely on the network layer.
• At the application layer, these will be HTTP methods; at the transport layer, TCP and UDP.
• At the network layer, GRE, since ICMP is no longer relevant.
Now let's see what we will do with HTTP, TCP and UDP:
In the case of HTTP flooding, we flood the target with a huge number of HTTP GET / POST requests, so many that the web server simply goes down.
HTTP connection - a connection established between a client and a server to transfer data over the HTTP protocol.
- The HTTP connection is identified by <Source IP, Source Port> and <Destination IP, Destination Port>.
- On the client side, the connection is identified by the tuple <IP, port>.
Establishing a connection between two endpoints is a multi-step process. It includes the following steps:
1. Resolving the hostname to an IP address via DNS
2. Establishing a connection to the server
3. Sending a request
4. Waiting for a response
5. Closing the connection
In the case of UDP and TCP flooding, we flood the target with a huge number of packets per second. BUT, to begin with, let's look at one nuance, namely the difference between TCP and UDP.
In case some of you don't know, TCP is a reliable protocol, unlike UDP.
The difference is that TCP guarantees delivery of packets to the addressee, whereas UDP does not check delivery; its only task is to send. TCP has the so-called "three-way handshake", which is performed between the client and the server. Briefly, it goes as follows:
1. The client sends a request to create a TCP session and sends a TCP packet with the SYN flag.
2. The server replies with a TCP packet with SYN + ACK flags to the client.
3. The client sends a TCP packet with the ACK flag to the server.
Now let's take a closer look:
1. A client that intends to establish a connection sends a segment with a sequence number and a SYN flag to the server.
Further algorithm:
- The server receives the segment, remembers the sequence number and tries to create a socket (buffers and memory control structures) to serve the new client;
- If successful, the server sends the client a segment with a sequence number and SYN + ACK flags, and goes into the SYN-RECEIVED state;
- In case of failure, the server sends the client a segment with the RST flag.
2. If the client receives a segment with the SYN flag, then it remembers the sequence number and sends the segment with the ACK flag.
Further algorithm:
- If it simultaneously receives the ACK flag (which usually happens), then it goes into the ESTABLISHED state;
- If the client receives a segment with the RST flag, then it stops trying to connect;
- If the client does not receive a response within 10 seconds, then it repeats the connection process again.
3. If the server in the SYN-RECEIVED state receives a segment with the ACK flag, then it transitions to the ESTABLISHED state. Otherwise, after a timeout, it closes the socket and enters the CLOSED state. The process is called a "three-way handshake" because, although connection establishment using four segments is possible (SYN towards the server, ACK towards the client, SYN towards the client, ACK towards the server), in practice three segments are used to save time.
Now let's look at the TCP flags:
• ACK - Flag in the TCP segment header which, when set, means that the "Acknowledgment number" field is valid. If the ACK flag is set, this field contains the sequence number the recipient expects next. It marks this segment as an acknowledgment of receipt.
• RST - Flag in the TCP segment header which, when set, signals a reset (break) of the connection.
• FIN - Flag in the TCP segment header which, when set, signals the end of the session.
• SYN - Flag in the TCP segment header used to synchronize sequence numbers for the data transmission / reception session. It is with this flag that the connection is established.
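The handshake states and flags described above, seen from the server side, as an added example that is not part of the original post. It replays constructed client-to-server segments (the packet records, names and sample addresses are assumptions) and measures how many connections never leave SYN-RECEIVED, which is what half-open connections look like to a defender.

```python
# Added example (not from the original post): a small TCP handshake tracker
# replayed over constructed packets as seen by a server. It decodes the four
# flags described above and counts connections left in SYN-RECEIVED, which
# is what spoofed-SYN traffic leaves behind (half-open connections).
from dataclasses import dataclass

# TCP flag bits in the 8-bit flags field (RFC 793 layout)
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", ACK: "ACK"}

def decode_flags(byte: int) -> set:
    """Return the names of the control flags set in a TCP flags byte."""
    return {name for bit, name in FLAG_NAMES.items() if byte & bit}

@dataclass(frozen=True)
class Pkt:
    """A client-to-server TCP segment as the listening server receives it."""
    ts: float      # arrival time in seconds
    client: str    # peer address (spoofed peers never answer the SYN+ACK)
    port: int      # server port
    flags: int     # raw flags byte

def track_handshakes(pkts, timeout=10.0, now=None):
    """Replay segments and return {(client, port): state}.

    States follow the description in the text: a bare SYN puts the entry in
    SYN-RECEIVED, the client's ACK moves it to ESTABLISHED, an RST or the
    expiry of `timeout` seconds without that ACK moves it to CLOSED.
    """
    state, started = {}, {}
    for p in sorted(pkts, key=lambda p: p.ts):
        f = decode_flags(p.flags)
        key = (p.client, p.port)
        if f == {"SYN"}:
            state[key], started[key] = "SYN-RECEIVED", p.ts
        elif "RST" in f:
            state[key] = "CLOSED"
        elif f == {"ACK"} and state.get(key) == "SYN-RECEIVED":
            state[key] = "ESTABLISHED"
    if now is None:
        now = max((p.ts for p in pkts), default=0.0)
    for key, st in state.items():
        if st == "SYN-RECEIVED" and now - started[key] >= timeout:
            state[key] = "CLOSED"   # server gave up waiting for the ACK
    return state

def half_open_ratio(states):
    """Share of tracked entries still in SYN-RECEIVED; near 1.0 means a SYN flood."""
    if not states:
        return 0.0
    return sum(s == "SYN-RECEIVED" for s in states.values()) / len(states)

# Constructed sample: one legitimate handshake (SYN, then ACK) followed by
# twenty single SYNs from addresses that never complete the handshake.
SAMPLE = [Pkt(0.0, "192.0.2.10", 80, SYN), Pkt(0.2, "192.0.2.10", 80, ACK)]
SAMPLE += [Pkt(1.0 + i * 0.01, f"198.51.100.{i}", 80, SYN) for i in range(1, 21)]

if __name__ == "__main__":
    states = track_handshakes(SAMPLE)
    print(f"half-open ratio: {half_open_ratio(states):.2f}")  # 0.95
```

Passing `now` far past the last arrival shows the timeout path from step 3: every half-open entry flips to CLOSED and the ratio drops to zero.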
Now let's move on to UDP:
UDP is the User Datagram Protocol, one of the key elements of TCP/IP, the set of networking protocols for the Internet. With UDP, computer applications can send messages (in this case called datagrams) to other hosts over an IP network without prior communication to establish special transmission channels or data paths.
Simply put, unlike TCP, it does not check anything and does not establish a connection. It simply sends the desired information to the addressees. Another difference between UDP and TCP is, of course, speed: UDP is much faster.
FAQ:
Is it enough to understand the material? Don't I need to learn how packets work?
Desire is enough; read it again and you will understand. Memorizing it is optional, but it is better to know.
Probably a banal question, but then how do all sorts of top hacker groups manage not to get caught?
Is it possible with DDOS to get access to FTP, etc.?
No, FTP access is already hack, not DDOS.
3. Methods of DDOS attacks
There are many DDOS methods, so I will divide them into three categories depending on the type of protocol. Perhaps I'll start with the HTTP methods.
HTTP Get / Post Flood - We generate a large number of HTTP requests to the victim's server. In most cases, these are GET requests to get the largest possible site elements. Each bot can generate a large number of legitimate requests (more than 10 times per second). Thus, you do not need to have a large army of bots or a super-private botnet to carry out this attack method. In addition to GET requests, POST requests can also be sent and other HTTP actions can be performed that lead to the same result - the victim's web server is overloaded and unavailable. You can even implement it from your own computer / server.
HTTP Strong - A large number of HTTP requests are also generated to the victim's server, but the difference with this method is that empty HTTP requests are sent to the web server. This method is very powerful and is accordingly kept private. I wanted to purchase it as a separate script, but unfortunately in the CIS there are few people who understand anything about DDOS at all, and those who do sell it abroad through acquaintances. Fortunately, I was able to test it once by renting a private botnet for a month. The method is very powerful, and if you happen to come across it, buy it.
HTTP Null - A large number of HTTP requests are generated, also empty, but the difference between this method and Strong is that HTTP Strong waits for a response from the web server, while HTTP Null does not. I also had a chance to test it; the method is unbelievably powerful.
JSBypass - A method that bypasses the CloudFlare stub page and its analogs. Most of you have probably come across this picture: you go to the site, and an incomprehensible picture spins for 5 seconds, like this:
This is the CloudFlare stub page. The method bypasses it in a fairly simple way: the cookies are parsed, and your victim instantly falls. You can also specify a proxy for this method for greater efficiency. I have met it extremely rarely in botnets; it works perfectly from servers.
XML-RPC - Quite a tricky method. With this method, requests do not go from your server, but from vulnerable sites running the WordPress CMS. That is, you scan the ranges, find vulnerable sites among them, and issue a remote command during an attack. The method is very effective and cost-effective, since you don't need a botnet or a super-powerful server to use it. It is enough not to get banned by the hosting provider :)
Joomla Reflection - Similar to XML-RPC method, they have the same principle of operation, but in this case it is not WordPress but CMS Joomla.
FAQ:
Which one is used most often?
HTTP Get / Post is the most common. Less commonly XMLRPC
What about attacks on the logic of the application? For example, go through all the sections and requests of the site with a small botnet, reading the response speed of the application, after fuzzing to identify the most difficult parts of the application and purposefully attack them?
Doesn't make much sense if there is a botnet. A botnet will a priori take anything down. But it makes sense if the botnet is extremely small. POST flood is better, for example, against registration forms. But if there is a captcha-type check, the point disappears, unless you find an obvious injection in it == Well, that is a joke. If there is no botnet, then with something like Apache Bench you can find, for example, a badly working database cache and, with certain queries to the site's search, take it down single-handedly.
Which one is more relevant to choose?
XMLRPC is more alive than anything alive; just the other day Sakharny used it to take down the RKN. HTTP flood will always be relevant; this is the basis of Layer 7. XMLRPC rather than Joomla, and you will be happy. Well, and JSBypass when you see Cloud with the stub page.
What a wall of text)) . AND IF YOU ARE ENJOYING THE ARTICLE, SUBSCRIBING TO OUR TELEGRAM CHANNEL IS APPRECIATED
I'll show you what a real wall of text looks like.
I have described the most popular and frequently used methods, how to implement the majority, I will describe in the next stages of the plan.
Now I would like to talk about TCP methods. There are quite a few of them, unlike UDP, but nevertheless I decided to cover the transport layer starting with TCP.
Most transport layer attacks are carried out through IP spoofing.
IP spoofing is, in short, forging the source IP address, which allows you to deceive the system by substituting the sender's address. It is thanks to IP spoofing that it is impossible to identify the attacker.
SSYN (Spoofed SYN) - in this case, we send fake SYN requests to the server, spoofing the sender's address.
The SYN+ACK response is sent to a non-existent address; as a result, so-called half-open connections appear in the connection queue, awaiting confirmation from the client. After a certain timeout expires, these connections are dropped. The method is very effective and relevant to this day. It is possible to protect against it, but in the CIS few people are smart enough to do so.
SYN-ACK Flood - In this case, we flood the target with a large number of fake SYN-ACK packets. Trying to make a decision on each SYN-ACK packet and match it with one of the entries stored in the connection table, the victim's server allocates computing resources (RAM, CPU, etc.) to process the stream of fake SYN-ACK packets. As a result, the same thing happens as during a SYN flood: an overload of the victim's server, leading to partial inaccessibility or complete collapse.
Dominate - In this case, a large number of TCP packets with different flags are sent; in practice this method has shown great success.
xMAS - This method hits closed TCP ports and hammers the CPU hard, literally forcing it to melt.
RST / FIN Flood - To close a TCP session, RST or FIN packets are exchanged between the client and the host. During an RST or FIN flood, the victim's server receives, at high speed, fake RST or FIN packets that are not related to any of the sessions in the server's connection table. The victim's server is forced to allocate a significant amount of system resources (again, RAM, CPU, etc.) to match incoming packets against current connections, which leads to a loss of server performance and to partial inaccessibility.
ACK Flood - In this case, with a fragmented ACK flood, packets of the maximum allowable size (for example, 1500 bytes) are used to fill a significant part of the channel bandwidth with a relatively small number of transmitted packets. Fragmented ACK packets usually pass easily through routers, firewalls and intrusion prevention systems, since these devices do not reassemble fragmented packets at the network layer. Typically, these packets contain random data. Since the attacker's goal is to fill the entire bandwidth of the victim's external network channels, this type of flooding reduces the performance of all servers in the attacked network.
ESSYN - Essentially the TCP SSYN method, but was rewritten by Starfall in 2013. Rumor has it that it is more effective. Apparently these are not rumors.
xSYN - Also TCP SSYN method, but was also rewritten by Starfall in 2013.
FAQ:
How do you determine which method is right? That is, it is clear that the task is to *take it down*, but is it possible to get through the first time, or is it only found by trial and error?
By trial and error. It happens that sites use those very SYN cookies, which you won't notice right away, and filtering, but there are few brains in the CIS, and everyone is stupid. + it depends on what kind of protection there is, but more on that later.
Can I use several at the same time?)
Yes! But it makes sense to run several at once, if you can run dominate.
Which of the options is harder for Qrator, Cloudflare, etc. to fend off?
I have tried to describe TCP methods as easily as possible in order to start the long journey of UDP methods.
UDP Flood - During a UDP flood, the victim's server receives a huge number of spoofed UDP packets from a wide range of IP addresses. The victim's server, or the network equipment in front of it, becomes overwhelmed with fake UDP packets. The attack causes congestion on network interfaces by occupying the entire bandwidth. In UDP there is no concept of establishing a connection (handshake) as in TCP. This makes filtering a UDP flood while preserving legitimate UDP traffic an extremely difficult task, and makes it an effective way to flood the channel. A UDP flood hits the network with packets containing random or static IP addresses, and can be aimed at disabling a server using information about it, such as the target port of the legitimate service and the destination IP address. Due to the difficulty of checking UDP traffic (there is no session-checking mechanism as with TCP), many telecom operators offer their customers traffic blocking according to various criteria, which essentially saves the network by blocking individual servers.
NTP Amplification - This is a type of transport layer DDOS attack in which a publicly available NTP (Network Time Protocol) server is used to generate junk traffic. By sending short requests to one of the open NTP servers, you can get a response tens of times larger (the amplification effect). This is exploited by sending requests with the victim server's address as the source IP address. As a result, the victim's network is overloaded with "garbage" UDP traffic, among which it is quite difficult to identify legitimate NTP requests and responses. Implementing this method is as easy as shelling pears, like all amplification methods. This method uses port 123.
DNS amplification - This type of transport layer DDOS attack uses the specifics of DNS services on the network. The point is to request domain information from a public DNS server and have its response delivered to the attacked server. When implementing this type of attack, we form and execute a request in response to which the DNS server returns as much data as possible, for example requesting a list of all DNS records in a specific zone. Since the UDP protocol does not verify source IP addresses, in short, we hammer out requests on behalf of the victim's server, putting its IP address in the source address field. The main goal here is to fill the victim's server channel with voluminous responses from public DNS servers. So, using a good list of public DNS servers for generating queries, we can increase the flow of generated junk traffic up to 100 times. At the same time, it is almost impossible to trace us or even determine the IP addresses of the query generators, since the real source IP address is always replaced with another one. Although the method is old, it still lives on. This method uses port 53.
Chargen Amplification - This type of transport layer DDOS attack works the same as NTP amplification, except that requests are sent to servers running the Chargen service. This method is practically no different from the other amplifications, apart from using a different port, 19. It is also easy to implement with spoofing.
SSDP Amplification - This method uses the UDP-based SSDP protocol and Universal Plug and Play devices for amplification, sending requests to port 1900. SSDP is one of the strongest methods, outperforming NTP, DNS, Chargen, etc.
VSE - This type of transport layer DDOS attack is aimed at attacking Valve's servers. Very efficient and also used for other game servers, uses port 27015.
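The amplification methods above all rely on the same thing: the victim receives responses to requests it never sent. As an added example that is not part of the original post, written from the defender's side, this check runs over constructed flow records (the `Flow` layout, sample addresses and thresholds are assumptions) and flags local hosts receiving unsolicited traffic from the reflector ports the text names (123, 53, 19, 1900).

```python
# Added example (not from the original post): a flow-record check for the
# reflected UDP amplification traffic described above. Inbound flows whose
# source port is one of the reflector services the text names are matched
# against earlier outbound requests; responses nobody here asked for are
# summed per local host, since the spoofed "requests" were never sent by us.
from collections import defaultdict
from dataclasses import dataclass

# source ports of the services the text lists as amplifiers
REFLECTOR_PORTS = {123: "NTP", 53: "DNS", 19: "Chargen", 1900: "SSDP"}

@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = toward our network, "out" = leaving it
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int

def unsolicited_reflections(flows):
    """Return {local_ip: {"bytes", "reflectors", "services"}} for replies no one requested.

    A genuine reply has an earlier outbound flow from the same local socket to the
    same reflector socket; anything else arriving from a reflector port is unsolicited.
    """
    requested = {(f.src_ip, f.src_port, f.dst_ip, f.dst_port)
                 for f in flows if f.direction == "out"}
    hits = defaultdict(lambda: {"bytes": 0, "reflectors": set(), "services": set()})
    for f in flows:
        if f.direction != "in" or f.src_port not in REFLECTOR_PORTS:
            continue
        if (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in requested:
            continue  # matches a query we actually sent
        h = hits[f.dst_ip]
        h["bytes"] += f.bytes
        h["reflectors"].add(f.src_ip)
        h["services"].add(REFLECTOR_PORTS[f.src_port])
    return hits

def flag_targets(flows, min_reflectors=5, min_bytes=1_000_000):
    """Local hosts receiving unsolicited reflector traffic above both thresholds."""
    return sorted(ip for ip, h in unsolicited_reflections(flows).items()
                  if len(h["reflectors"]) >= min_reflectors and h["bytes"] >= min_bytes)

# Constructed sample: 203.0.113.5 sends one real DNS query and gets one answer;
# 203.0.113.9 receives large NTP and SSDP responses from 15 servers it never
# contacted, which is how the victim side of an amplification attack looks.
SAMPLE_FLOWS = [
    Flow("out", "203.0.113.5", 40001, "198.51.100.1", 53, 60),
    Flow("in", "198.51.100.1", 53, "203.0.113.5", 40001, 180),
]
SAMPLE_FLOWS += [Flow("in", f"192.0.2.{i}", 123, "203.0.113.9", 80, 288_000) for i in range(1, 11)]
SAMPLE_FLOWS += [Flow("in", f"192.0.2.{i}", 1900, "203.0.113.9", 80, 175_000) for i in range(11, 16)]

if __name__ == "__main__":
    print(flag_targets(SAMPLE_FLOWS))  # ['203.0.113.9']
```

The request-matching step is what separates this from a plain port filter: a host that really queried a DNS server is left alone, while the same port 53 traffic arriving without a preceding query counts against the threshold.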
Continuation in the next article, which will be released very soon!