Legitimate Test Tool or DDoS Attack Weapon?

Since first reported over two decades ago, DDoS attacks have evolved dramatically, inspired by rapid technology growth. Development of cloud-based computing and IoT, combined with the lack of security hardening by many vendors, has significantly increased available firepower and opened new horizons for attackers.

Before discussing some of the more popular DDoS tools available, let’s put this in the context of recent attacks:

Some of the most powerful DDoS attacks over recent years include the 1.3Tbps attack on GitHub in 2018 and the 1.2Tbps attack on Dyn in 2016.  These relied on huge distributed networks of compromised devices, controlled by the attackers.

There are multiple ways cybercriminals can build such attack networks. One way is to take control of network-attached devices, by exploiting a critical vulnerability which forces them to load malicious code and then report their availability over a command and control channel. This is what has now become known as a botnet and can consist of IoT devices, including security cameras and DVRs, home routers, personal computers, or a host of other control and monitoring devices.

Another popular way to launch damaging DDoS attacks, is to build a list of vulnerable or misconfigured systems which can be used as reflectors and amplifiers to increase attack potency and help anonymize the original source – there are multiple protocols that power the Internet which are abused for the most common reflection attack types. For example, an attacker can build list of devices across the Internet that have UDP port 11211 open – used by the Memcached service. The attack is created by sending each of them a tiny request query to get all the items for the requested caches, except that the source of the requests is spoofed to be the IP address of the victim. While the request could be less than 100 Bytes long, replies may be 1 Megabytes for each cached item, which provides huge amplification factor and, as result, those replies can easily saturate all the victim’s available bandwidth (so called “full pipe” condition). This makes the victim’s network unavailable for their legitimate traffic, effectively taking them offline.

In order to build and manage those networks, Cybercriminals use custom made scripts to look for new bots and manage existing – in many cases this is not something which can be used as a standalone tool. However, there are a number of tools being discussed here that were actually created for the legitimate purpose of simulating distributed computer/bot network attacks, so security engineers can test a network’s resilience and the effectiveness of any countermeasures that are deployed. The attack distribution – that first “D” in the DDoS acronym – is achieved either by using randomly generated source IPs, or a list supplied from a pre-defined text file, or by simultaneous use at an agreed time –  frequently the case when using tools like LOIC- to run DDoS attacks.

Hping – A free CLI-based packet generator for IP/TCP/UDP/ICMP protocols. In addition to being the perfect packet generator for stress testing and network troubleshooting, it can be used as port scanner (–scan mode) or packet analyzer (–listen mode).  By default, it fills the data portion of each packet with a number of “x58” bytes, which makes it easy to catch by any device performing packet inspection. The tool allows traffic generation at different speeds, with packets of custom length and crafted protocol header fields. The ability to randomize source IP addresses, and increment source port numbers for each packet, makes it easy for the tool to saturate bandwidth or overwhelm flow / state table on a firewall.

Mausezahn – A free Linux-based versatile packet generator, written in C, with the ability to customize L2, L3 and L4 packet headers. In addition to IP, TCP and UDP packet headers, it supports VLAN tags, MPLS labels, BPDU and CDP tuning. The tool comes with a built-in Cisco-like CLI and supports 2 modes – “direct” and multi-threaded “interactive”. The direct mode enables the user to cook a bespoke packet directly from the CLI, with every packet parameter specified as an argument when launching the tool. Additionally, this mode offers a raw-layer-2 scheme, where every Bit in the packet can be specified. The interactive mode comes with its own interface, where an arbitrary number of packet types can be created and run in parallel streams. When in this mode, the tool reads its configuration from a file, which may include connection details, so you can Telnet to the tool and conveniently land directly in the interactive mode CLI.

LOIC (Low Orbit Ion Canon) – A graphical UI-based tool, freely available on the Internet, in both binary and web-based (written in JavaScript) versions. This tool can be used to generate L4 (TCP, UDP and ICMP) or L7 (HTTP) flood traffic to the target and does not require special knowledge or skills. It is also equipped with slow attack options (ReCoil and SlowLOIC), designed to drain server resources, making them unable to respond to legitimate requests. This is achieved by opening large numbers of TCP connections and keeping them open by sending partial headers (SlowLOIC) or, slowing download speeds to near-zero (ReCoil). LOIC also has the option to be controlled remotely, over an IRC channel – in Hive Mind and OverLord modes – where commands are encoded in a hyperlink which can be placed anywhere on the Internet – often leveraging a commonly used social network or forum.

HOIC (HIGH Orbit Ion Canon) – A Windows-based tool, inspired by LOIC, which focuses on HTTP floods only and can use both HTTP GET and POST methods. As is the case with LOIC, running this tool from a single computer is less likely to bring a web server down – the DDoS is achieved by having multiple devices involved, although a lower number of devices is required compared to LOIC.  To get the maximum attack size possible, the tool is even able to suggest the number of threads, up to 256, which it is safe to run on the chosen host device, based on its hardware capabilities. This is helpful as the tool will likely crash if too many threads are used. Some editions of the HOIC tool have the custom threads options removed, for simplicity, and replaced with a “TURBO” on/off switch. The real power of the tool is revealed when using “boosters”. Boosters are *.hoic text files containing randomization options for a variety of HTTP headers, making an attack much harder to mitigate, even automatically. For example, it may contain lists of values for User-Agent, Keep-Alive, referer, cookie, URL, etc. and it can also contain a string to insert from PostBuffer, to deliver follow-on actions using the POST method.

XOIC – Another modification of the LOIC Windows-based tool, which can generate TCP/UDP/ICMP/HTTP floods. It comes with 3 options – “TEST MODE” (basic), “MAKE A DoS” and SEND MESSAGE (DoS option where the text message can be included to protocol data portion). The main advantage compared to LOIC and HOIC (without boosters), is its ability to randomize requests to the server, making it harder to detect and block automatically using a pattern match.

HULK (HTTP Unbearable Load King) – A DoS tool and HTTP traffic stress generator, published by Barry Shteiman as proof-of-concept demonstration of web server weakness, originally written in Python. The strength of the tool is its ability to generate multi-threaded randomized HTTP GET queries.  This enables an individual instance of the tool to bring down small web servers very quickly. The tool has the ability to randomize HTTP headers (such as User-Agent and referer) and can perform multi-vector URL transformation, with custom random parameter names that can be attached to each URL, for each request.  It also makes use of the ‘no-cache’ option to get a unique page returned each time, with variable Keep-Alive time windows used in an attempt to keep connections open.

BoNeSi – A DDoS Botnet Simulator tool that generates ICMP, UDP and TCP (HTTP) flooding from a Botnet of a defined size. BoNeSi allows the protocol, packet-per-second rate, number of packets sent, payload size, target URL, MTU and fragment bit in IP header to be configured. Additionally, source IP addresses, URLs and User-Agent values can be loaded from appropriate text files. And, for convenience, the BoNeSi GitHub page even hosts a file containing fifty-thousand source IP addresses and a separate file containing an extensive URL list. To make the traffic appear more realistic, the tool randomizes the source port, TTL field and TCP options – 7 real-life TCP options, with different length and probability, are used. There are some limitations though, as to ability to use the tool against hosts across the Internet.  Since it is spoofing source IP addresses, TCP sessions cannot be established, as the return traffic is not routed back to the host running the tool. Despite this limitation, UDP and ICMP attacks can be used to successfully consume the bandwidth and resources of the remote host.

Kali – This is basically a Linux distribution (Debian based), pre-loaded with dozens of tools for information gathering, vulnerability analysis, running exploits, etc. Among these, are Stress Testing tools which can easily be misused to launch DDoS attacks.

With such a proliferation of readily available, relatively easy to use, tools, it should be no surprise why DDoS attacks continue to increase not only in frequency, but also sophistication of the attacks.  With it now being so easy for Cybercriminals to experiment with crafting attacks designed to evade manual or legacy approaches to DDoS defense, it’s critical that organizations looking to ensure business continuity invest in the latest generation of solutions which include automatic, behavioral-based, protection.

For over a decade, Corero has been providing state-of-the-art, highly-effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here.  If you’d like to learn more, please contact us