№7. Ethical Hacking Labs. DoS attacks

13 April 2023 10 minutes Author: Endpool

DoS Threat: Understanding the Risks and Protecting Your Systems

Denial of Service (DoS) is an attack on a computer system or network designed to make the system or network unavailable to intended users by overloading it with traffic, data, or requests. The goal of a DoS attack is to disrupt normal operations and prevent legitimate users from accessing the target system or network. DoS attacks can take many forms, including flooding the network with traffic, exploiting software vulnerabilities, or using brute force techniques to guess login credentials. Such attacks can cause significant damages, financial losses and damage the company’s reputation. Also (DoS) is a type of cyber attack, the purpose of which is to make a computer resource unavailable to intended users. The attack can be carried out by overloading the target system with traffic, making it unable to process legitimate requests. The attack can also be carried out by exploiting vulnerabilities in the target system to crash it.

DoS attacks can be carried out by individuals or groups for various reasons, such as extortion, protest, or revenge. Distributed Denial of Service (DDoS) attacks involve multiple computers in the attack, making it difficult to mitigate the attack. Preventing DoS attacks requires various measures, such as network infrastructure protection, traffic filtering, and user authentication. DoS attacks generally fall into 2 categories: Buffer Overflow Attacks A type of attack in which a memory buffer overflow can cause the computer to use up all available hard disk space. This form of exploit often results in slow performance, system crashes, or other malicious server behavior that results in a denial of service. Flood attacks. By flooding the target server with a huge number of packets, an attacker can overwhelm the server’s capacity, leading to a denial of service. For most DoS attacks to be successful, the attacker must have more available bandwidth than the target. Historically, DoS attacks have typically exploited security vulnerabilities present in the network, software, and hardware. These attacks have become less common because DDoS attacks are more destructive and relatively easy to create given the tools available. In fact, most DoS attacks can also be turned into DDoS attacks.

A few common historical DoS attacks include:

Attack of the Smurfs

Атака Smurf — is a type of distributed denial of service (DDoS) attack that floods the victim’s network with Internet Control Message Protocol (ICMP) packets. The attack is launched using spoofed broadcast addresses, causing the target network to become overloaded with traffic. This can cause network congestion, slow or stopped performance, and potentially even downtime. The name “Smurf” comes from the fact that this attack originally used the Smurf malware to generate traffic.

Ping flood

Пінг-флуд — is a type of denial-of-service (DoS) attack in which an attacker floods a target device or network with Internet Control Message Protocol (ICMP) echo packets, commonly known as “pings.” The attack is usually carried out using automated tools that send a large number of ping requests to the target, causing the target device or network to become unresponsive to legitimate traffic. Ping streams can be launched with relatively little bandwidth and are difficult to mitigate, making them a common tactic for attackers looking to disrupt online services.

Ping of death

A ping of death is a type of denial-of-service (DoS) attack in which an attacker sends an intentionally malformed or oversized ping packet to a target computer or server. This can cause the target system to crash or become unresponsive because it has difficulty processing an excessively large or invalid packet. Although the Ping of Death attack has been largely obsoleted by improvements in network protocols and security measures, it remains an important part of computer security history.

SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker sends a sequence of SYN requests to a target machine in an attempt to exhaust its resources and make it unresponsive to legitimate incoming traffic. A TCP session establishes a connection using a three-way handshake mechanism. The source sends a SYN packet to the destination. The receiver, upon receiving a SYN packet, responds by sending a SYN/ACK packet back to the source. This SYN/ACK packet acknowledges the arrival of the first SYN packet to the source. Finally, the source sends an ACK packet for the ACK/SYN packet sent by the receiver. In a SYN attack, an attacker uses a three-way handshake method. First, the attacker sends a fake TCP SYN request to the target server, and when the server sends a SYN/ACK in response to the client’s (attacker’s) request, the client never sends an ACK response. This leaves the server waiting for the connection to complete.


Spoofing the IP address of the attacker’s machine. Perform SYN Flooding on the target machine.


Kali Linux virtual machine. Windows 10 virtual machine (with firewall disabled). A Windows Server 2012 or 2016 virtual machine.

Open port test

Log in to Kali Linux and open a new terminal window. We are going to perform a SYN flood on Windows 10 through some open port. To check which port is open or not, we will use Nmap to scan all open ports.

In this lab. work, we will use a helper module from Metasploit called synflood to perform a DoS attack on the target using port 445.

Perform a DoS attack

By setting the SHOST parameter to the Windows Server IP address, you are spoofing the IP address of the Kali Linux machine. After configuring the helper, launch a DoS attack on Windows 10 by typing:

Learn DoS attack

Go to your Windows 10 machine and launch Wireshark , select the correct interface and click Start. Wireshark displays the traffic coming from the machine as shown below:

Here you can notice that the source IP address is from Windows Server. This means that the IP address of Kali Linux has been spoofed. Next, open Task Manager in Windows 10 and click on the Performance tab. You will notice that the CPU and Ethernet usage has increased dramatically after the attack, which means that a DoS attack is in progress. If the attack continues for some time, the machine’s resources will be completely exhausted and it will stop responding.

SYN Flooding with hping3

hping3 — is a command line packet generation and network probing tool for network administrators and security experts. It allows users to create and send different types of network packets, including TCP, UDP, ICMP, and RAW-IP, with customized parameters and payloads. hping3 can be used for a variety of tasks such as firewall testing, port scanning, traceroute functions, and network security auditing. Its flexibility and versatility make it a popular tool for network analysis and troubleshooting.

Perform a SYN flood using hping3

This initiates a SYN flood in Windows 10. Hping3 floods the victim machine by sending massive SYN packets and overloading the victim’s resources. Switch to Windows 10 and launch Wireshark , select the correct interface and start capturing. After analyzing the received traffic, you will notice a huge number of SYN packets, which can cause the target machine to crash.

DDoS attack using HOIC

A  DDoS attack involves a group of compromised systems, usually infected with Trojans, that are used to perform a DoS attack on a target system or network.


Perform a DDoS attack – HTTP flood.


Kali Linux Virtual Machine (Target). Windows Server Virtual Machine, Windows 10 and Windows 7 (criminals).

Overview of HOIC

High Orbit Ion Cannon (HOIC) — is a free and open source networking application developed by the hacktivist group Anonymous to replace the Low Orbit Ion Cannon (LOIC). Used for Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, it functions by flooding target systems with unsolicited HTTP GET and POST requests.

Log in to the virtual machines

Before starting this lab, power on and log in to all virtual machines in this lab (Windows 7, 10, Server, and Kali Linux). Copy the High Orbit Ion Cannon (HOIC) folder to all Windows(3) virtual machines.

Configure HOIC

Switch to Windows 10 and open HOIC (hoic2.1.exe). In the HOIC GUI, press “+” to add a target.

Perform a DDoS attack

Once HOIC is set on all machines, go to each machine and press FIRE TEH LAZER!.

This initiates a DDoS attack on the target (Kali Linux). Switch to Kali Linux and launch Wireshark. Notice that Wireshark starts to capture a very high volume of packets, which means that the machine is receiving a huge amount of incoming packets. These packages come from Windows 7, Windows Server, and Windows 10 virtual machines.

In this lab, only three machines demonstrate the pouring of one machine. If there are a large number of machines running the bay, the Kali Linux target resources are completely consumed and the machine becomes overloaded. In real-time, a group of hackers controlling hundreds or thousands of machines configure this tool on their machines and simulate a DDoS attack while simultaneously flooding the target machine/website. The target is overloaded and stops responding to user requests or starts dropping packets coming from legitimate users. The greater the number of attacker machines, the higher the impact of the attack on the target machine/website. Click FIRE TEH LAZER to stop DDoS! again and then close the HOIC window.

Detection of DoS attack traffic

KFSensor — is a Windows-based IDS honeypot. It acts as a decoy to attract and detect hackers and worms by impersonating vulnerable system services and Trojans. Acting as a decoy server, it can divert attacks away from critical systems and provide a higher level of information.


Detection of a DoS attack using KFSensorAnalyze an incoming packet dump using Wireshark.


Windows 10 virtual machine Windows Server 2012 or 2016 virtual machine Kali Linux virtual machine

Setting up

Install KFSensor and Wireshark to a Windows 10 virtual machine.Run KFSensor as administrator. Click on Settings from the top menu and select Setup Wizard. Leave the default options until you settle on DoS options.

Select Caution from the Denial of Service Options drop-down list and select Enable Packet Dump Files from the Network Protocol Analyzer drop-down list:

Click Next and finish the wizard:

In the left pane, you will see the FTP icon in green, and the FTP section is empty, which means that there is no traffic on port 21 at the moment.

KFSensor is now configured to detect DoS attacks.

Perform a DoS attack

After entering the command, switch to Windows 10, observe that the machine is almost frozen, which means that Windows resources are completely exhausted. This means that the DoS attack was successful. Go back to Kali Linux and press Ctrl+C to stop the SYN flood.

DoS attack detection

This means that KFSensor has detected a DoS attack. Select another random event and double-click it to view event details. In the event window, which contains the event summary, you can see the event severity level (High), event description (Syn Scan), event visitor (IP address of the attacker’s computer), sensor name (FTP) and so on as you see lower.

Analyze the packet dump on Wireshark

Wireshark downloads the file and displays the packet details as shown above. You can analyze packets to get information about packet headers.
Other related articles
Found an error?
If you find an error, take a screenshot and send it to the bot.