Mastering DoS and DDoS Attacks in a Kali Linux Lab Environment: Hands-On Tutorial with Practical Exercises

1. Course Overview

Note: This lab environment differs from the previous chapter’s environment. Please do not continue using the prior one. If it is still active, end the session and restart the experiment environment.

This course is a hands-on tutorial. To clarify the operations in the lab, theoretical content will also be incorporated. Furthermore, the most valuable articles will be recommended to strengthen your theoretical foundation while performing practical exercises.

Note: Due to high configuration costs, the cloud machine used for the lab can only be started a limited number of times: at most six times per experiment.

2. Learning Methodology

The Kali series courses on Shiyanlou consist of five training camps. This specific training camp focuses on web application attack methods. The course includes 20 labs, each with detailed steps and screenshots, making it suitable for learners with basic Linux knowledge who wish to quickly get hands-on experience with Kali penetration testing.

The learning approach involves extensive practice and asking questions. After starting an experiment, follow the steps incrementally and ensure you understand the details of each step.

If the experiment suggests reading materials in the initial sections, make sure to go through them before proceeding. Theoretical knowledge is the essential foundation for practical implementation.

3. Lesson Content Overview

In this lab, we will get an introduction to Kali Linux and the concept of penetration testing. The following tasks need to be completed sequentially:

  • Introduction to DoS
  • The principle of SYN flooding
  • Practical exercise on DoS

4. Recommended Reading

The following materials are recommended for this lab:

  1. Using the AB Stress Testing Tool

5. Denial of Service Attack

5.1 Introduction

What exactly is DoS? DoS stands for Denial of Service, which is an attack aimed at making a computer or network unable to provide normal services.

To understand DoS more vividly, let’s use a metaphor. Imagine a street restaurant that serves customers. If a gang wants to DoS the restaurant, they might occupy tables without paying, block the entrance, or harass the staff, making it impossible for the restaurant to operate. Similarly, computer and network systems provide Internet services to users, and an attacker attempting a DoS attack employs analogous methods. The most common types of DoS attacks today are bandwidth-based attacks and connectivity-based attacks. Bandwidth attacks overwhelm the network with large volumes of traffic, consuming all available capacity so that legitimate requests never reach their destination. Connectivity attacks overload a machine with large numbers of connection requests, consuming its operating system resources until it can no longer handle legitimate requests.

Traditionally, the primary constraint for attackers has been network bandwidth. Due to limited network scale and speed, attackers could not send excessive requests. Although attacks like the “Ping of Death” required only a small number of packets to crash an unpatched UNIX system, most DoS attacks relied on considerable bandwidth—something individual hackers often had difficulty accessing. To overcome this limitation, attackers developed distributed attack strategies. By using tools that aggregate bandwidth from multiple sources, they could launch intensive requests against a single target. This approach gave rise to Distributed Denial of Service (DDoS) attacks.[1]

Whether it’s a DoS or a DDoS attack, the goal remains the same: to disrupt the victim’s ability to receive or respond to legitimate external requests. Despite variations in how attacks are implemented, their underlying objective is consistent—to interrupt a service. (This excerpt is sourced from Baidu Encyclopedia.)

Most DoS attacks rely on packet flooding. Flooding, as the term implies, involves inundating a server with data packets, leaving it unable to function correctly. The primary types of flooding attacks include:

  • UDP flood
  • SYN flood
  • Abnormal TCP flood

Common flooding attack methods include:

  • Ping Flood: Overwhelming the victim with massive numbers of ping packets.
  • Ping of Death: Sending modified ping packets, such as fragmented packets with logical errors or oversized packets exceeding IP protocol limits.
  • Teardrop Attacks: Sending damaged IP packets to the target system, such as overlapping IP fragments or fragments with oversized payloads.
  • UDP Flood: Bombarding the server with numerous small UDP packets.
  • SYN Flood: Exploiting the TCP connection process to consume system resources.
  • CC (Challenge Collapsar): Crafting business-specific, resource-intensive requests to overload the server, forcing it into a state of exhaustion.

Additionally, there are advanced attacks such as ARP spoofing.

5.2 Principles

DoS attacks are straightforward in nature. Let’s take SYN flooding as an example to understand how they work.

SYN attacks are among the most common and easily exploitable attack methods. One notable case occurred in 2000 when Yahoo’s website was under attack. The attackers employed a simple yet effective SYN flooding tactic, leveraging the TCP three-way handshake process to conduct the attack. (If you wish to gain a deeper understanding of networking, start with beginner-level courses on networking concepts, where detailed data packet analysis of the three-way handshake will be covered.)

TCP (Transmission Control Protocol) is one of the core protocols in the Internet protocol suite. Originating from early network implementations, TCP supplements the Internet Protocol (IP). The suite is commonly referred to as TCP/IP. TCP ensures reliable, ordered, and error-checked data transmission between applications on hosts within an IP network. Major Internet applications, such as web browsing (WWW), email (SMTP, POP), remote management (Telnet), and file transfer (FTP), rely heavily on TCP. (Excerpt sourced from Wikipedia – DDoS.)


Use the command sudo virsh start Metasploitable2 to start the target system:

Starting the virtual machine could take some time. Wait for approximately 4 minutes, and then you can log into the Kali terminal using the command ssh root@kali:

If you encounter a situation like this, it indicates that the Kali virtual machine has not fully started yet:

You can simulate a SYN flood attack using this command:

hping3 -S -P -U --flood -V --rand-source 192.168.122.102

This command utilizes the hping3 tool to set SYN, PUSH, and URG flags while sending a flood of packets to 192.168.122.102. The --rand-source parameter ensures that the source IP address in the packets is randomized rather than using the host’s IP address.

After a short wait, revisit 192.168.122.102/mutillidae, and you’ll observe that it loads abnormally slowly, remaining stuck in a loading state indefinitely:

This slow response is a direct result of a DoS (Denial of Service) attack. The server is still operational because the volume of packets sent isn’t yet overwhelming its capacity.

At the same time, if you attempt to log into the target machine using ssh msfadmin@target, you’ll notice significant delays, with the password prompt taking an unusually long time to appear:

If the impact seems minimal, you can stop the hping3 attack in Kali by pressing Ctrl+C.
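The flood above is easiest to recognise from the target’s side by looking at its TCP socket table, where each spoofed SYN leaves a half-open connection in the SYN-RECV state. The following Python script is an added example, not part of the original lab: it parses output in the layout of `ss -tan` (which you can run on Metasploitable2), counts SYN-RECV sockets on the web port and reports how widely spread their peer addresses are, since one half-open connection per unique source is exactly what --rand-source produces. The two socket tables are constructed samples, and the thresholds are assumptions chosen for such a small sample.

```python
# Constructed sample in the layout of `ss -tan` on the target during a
# spoofed-source SYN flood against port 80 (addresses from the RFC 5737 test ranges).
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN    0      128    0.0.0.0:80             0.0.0.0:*
ESTAB     0      0      192.168.122.102:22     192.168.122.1:41022
ESTAB     0      0      192.168.122.102:80     192.168.122.1:55140
SYN-RECV  0      0      192.168.122.102:80     198.51.100.201:2034
SYN-RECV  0      0      192.168.122.102:80     203.0.113.7:61911
SYN-RECV  0      0      192.168.122.102:80     192.0.2.66:1183
SYN-RECV  0      0      192.168.122.102:80     198.51.100.140:47002
SYN-RECV  0      0      192.168.122.102:80     203.0.113.3:9921
SYN-RECV  0      0      192.168.122.102:80     192.0.2.18:30311
SYN-RECV  0      0      192.168.122.102:80     198.51.100.250:5507
SYN-RECV  0      0      192.168.122.102:80     203.0.113.9:44120
SYN-RECV  0      0      192.168.122.102:80     192.0.2.73:2890
SYN-RECV  0      0      192.168.122.102:80     198.51.100.111:58231
"""

# Constructed sample of a healthy server: one client mid-handshake, nothing else.
QUIET_SS = """\
State     Recv-Q Send-Q Local Address:Port     Peer Address:Port
LISTEN    0      128    0.0.0.0:80             0.0.0.0:*
ESTAB     0      0      192.168.122.102:80     192.168.122.1:55140
SYN-RECV  0      0      192.168.122.102:80     192.168.122.1:55141
"""


def analyze_ss(lines, local_port="80", half_open_threshold=8, dispersion=0.8):
    """Summarise half-open connections on one local port from `ss -tan` lines.

    half_open_threshold and dispersion are assumed values for this small sample;
    a production server would use figures derived from its real backlog size.
    """
    half_open_peers = []
    for line in lines:
        fields = line.split()
        # Skip blank lines and the header row ("State Recv-Q Send-Q Local ...").
        if len(fields) < 5 or fields[0] == "State":
            continue
        state, local, peer = fields[0], fields[3], fields[4]
        if not local.endswith(":" + local_port):
            continue
        if state == "SYN-RECV":
            # rsplit keeps IPv6 peers such as [2001:db8::1]:443 intact.
            half_open_peers.append(peer.rsplit(":", 1)[0])

    distinct = len(set(half_open_peers))
    ratio = distinct / len(half_open_peers) if half_open_peers else 0.0
    suspected = len(half_open_peers) >= half_open_threshold
    return {
        "half_open": len(half_open_peers),
        "distinct_sources": distinct,
        "source_dispersion": round(ratio, 2),
        "syn_flood_suspected": suspected,
        # Many half-open sockets, almost all from different sources, matches a
        # spoofed-source flood; a single busy source would look different.
        "random_source_pattern": suspected and ratio >= dispersion,
    }


if __name__ == "__main__":
    for name, table in (("flood", SAMPLE_SS), ("quiet", QUIET_SS)):
        print(name, analyze_ss(table.splitlines()))
```

On the real target you would feed the script the output of `ss -tan` (or narrow it with `ss -tan state syn-recv`); the dispersion figure distinguishes a spoofed flood from one misbehaving client, which matters because the per-IP limits in section 5.3 only help against the latter.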

Alternatively, you can utilize Apache’s stress testing tool ab with the following command:

ab -n 10000000 -c 600 http://192.168.122.102/mutillidae

This command simulates sending 10 million requests to the target machine with a concurrency level of 600. You can then attempt to log into the target machine via SSH to observe the impact.


By using top, check the current system load:

We can see here that the system load is very high and that all the busy processes are apache2. This is a DoS (Denial of Service) attack: the target server is flooded with an overwhelming number of requests, so it can no longer process normal requests.
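Unlike the SYN flood, the ab run comes from a single source and completes real HTTP requests, so its trace is in the Apache access log rather than in the socket table. The following Python script is an added example, not part of the original lab: it parses lines in Apache’s combined log format, computes for each client the peak number of requests inside any one-second span, and reports clients above a threshold, which is the signal that the per-IP connection limits in section 5.3 act on. The log lines are constructed (60 ApacheBench requests in two seconds from the Kali host, five browser requests from another client), and the window and threshold are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log format; the trailing referer/user-agent pair is optional
# so plain "common" format lines parse as well.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<ref>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "req": m.group("req"),
        "ua": m.group("ua") or "",
    }


def peak_requests(times, window):
    """Largest number of requests from one client inside any span shorter than `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i, t in enumerate(times):
        # Slide the window start forward until it is within `window` of request i.
        while t - times[j] >= window:
            j += 1
        best = max(best, i - j + 1)
    return best


def find_floods(lines, window_seconds=1, threshold=20):
    """Return {ip: peak requests per window} for clients above the threshold."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    peaks = {ip: peak_requests(ts, window) for ip, ts in per_ip.items()}
    return {ip: n for ip, n in peaks.items() if n > threshold}


def build_sample_log():
    """Constructed log: 60 ab requests in two seconds from the Kali host plus
    five ordinary browser requests spread over 40 seconds from another client."""
    base = datetime(2024, 1, 15, 13, 55, 36, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET /mutillidae HTTP/1.0" 200 14328 "-" "{ua}"'
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=i // 30)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.168.122.1", ts=ts, ua="ApacheBench/2.3"))
    for i in range(5):
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FMT)
        lines.append(fmt.format(ip="192.168.122.50", ts=ts, ua="Mozilla/5.0"))
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, n in find_floods(SAMPLE_LOG).items():
        print(f"{ip}: peak of {n} requests within one second")
```

Run against a real log with `find_floods(open("/var/log/apache2/access.log").read().splitlines())`; the peak-per-window figure is the number a per-IP rate limit in Apache or Nginx needs to stay below, and the user-agent field is kept because a load-testing tool advertising itself is a cheap secondary signal.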

5.3 Prevention

Having understood the principle of DoS attacks, we can clearly see that the attack works by sending a large number of packets to overload the server’s CPU. To prevent such attacks:

  • Configure tools like Apache or Nginx to limit the number of connections from a single IP.
  • Set connection limits in iptables for SYN requests.
  • Enable net.ipv4.tcp_syncookies. When the SYN queue overflows, the kernel answers new SYNs with SYN cookies instead of storing half-open state, which mitigates smaller-scale SYN floods.
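The SYN queue exhaustion described in section 5.2 and the SYN-cookie mitigation in the last bullet above, modelled in Python as an added example (not code from the original lab): a toy listener records SYN-RECV state for each half-open connection until its tiny backlog fills, after which honest SYNs are dropped; with cookies enabled it instead derives the server ISN from a keyed hash of the connection tuple and stores nothing, so the final ACK can be validated by recomputation. The backlog size, the secret and the addresses are constructed assumptions, and the model omits the SYN-RECV retransmit timer, the MSS and timestamp fields of real cookies, and the fact that Linux only switches to cookies once the queue has overflowed.

```python
import hashlib
import hmac
import random

# Constructed, deliberately tiny listen backlog so exhaustion is visible.
BACKLOG = 8
COOKIE_SECRET = b"constructed-demo-secret"  # a real kernel rotates its secret


class Listener:
    """Toy model of a TCP listening socket's SYN queue.

    Simplifications (a teaching model, not the Linux implementation): SYN-RECV
    entries never time out, cookies carry no MSS or timestamp, and with
    use_syncookies=True every SYN is answered with a cookie rather than only
    after the queue overflows.
    """

    def __init__(self, use_syncookies):
        self.use_syncookies = use_syncookies
        self.half_open = {}      # (peer_ip, peer_port) -> server ISN, i.e. SYN-RECV state
        self.established = set()
        self.dropped_syns = 0

    def _cookie(self, peer_ip, peer_port, client_isn):
        # The server ISN is a keyed hash of the connection tuple, so the
        # handshake state can be recomputed later instead of being stored.
        msg = f"{peer_ip}:{peer_port}:{client_isn}".encode()
        digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, peer_ip, peer_port, client_isn):
        """Handle a SYN; return the ISN placed in the SYN-ACK, or None if dropped."""
        if self.use_syncookies:
            return self._cookie(peer_ip, peer_port, client_isn)
        if len(self.half_open) >= BACKLOG:
            self.dropped_syns += 1   # queue full: honest SYNs are lost as well
            return None
        server_isn = random.getrandbits(32)
        self.half_open[(peer_ip, peer_port)] = server_isn
        return server_isn

    def on_ack(self, peer_ip, peer_port, client_isn, ack_number):
        """Handle the final ACK of the handshake; return True if it completes."""
        key = (peer_ip, peer_port)
        if self.use_syncookies:
            expected = self._cookie(peer_ip, peer_port, client_isn)
            ok = ((ack_number - 1) & 0xFFFFFFFF) == expected
        else:
            server_isn = self.half_open.pop(key, None)
            ok = server_isn is not None and ack_number == server_isn + 1
        if ok:
            self.established.add(key)
        return ok


def syn_flood_then_legit_client(use_syncookies, flood_size=50):
    """Spoofed-source SYNs that are never ACKed (the effect of --rand-source),
    followed by one honest client. Returns True if the honest handshake completes."""
    srv = Listener(use_syncookies)
    for i in range(flood_size):
        # Constructed spoofed sources: the SYN-ACKs go to hosts that never reply.
        srv.on_syn(f"198.51.100.{i % 254 + 1}", 40000 + i, 1000 + i)
    server_isn = srv.on_syn("192.0.2.10", 50000, 7777)
    if server_isn is None:
        return False                  # SYN dropped: the client sees a hang
    return srv.on_ack("192.0.2.10", 50000, 7777, server_isn + 1)


if __name__ == "__main__":
    print("without syncookies:", syn_flood_then_legit_client(False))
    print("with syncookies:   ", syn_flood_then_legit_client(True))
```

Running it shows the honest client’s handshake failing after the flood without cookies and succeeding with them, which is why enabling net.ipv4.tcp_syncookies is listed as a mitigation; the cost, omitted from the toy, is that a cookie-based SYN-ACK cannot carry most TCP options, so real kernels use cookies only under pressure.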

These measures address SYN flood attacks specifically. However, DoS attacks come in various forms, and the concept remains the same: overwhelm the target system. A more advanced version of DoS is DDoS, which stands for Distributed Denial of Service. As server capacity has grown, attacks from a single device may no longer suffice, which led to the rise of DDoS.

DDoS is essentially a distributed version of DoS. Instead of relying on a single device, an attacker uses many machines to launch the attack, overwhelming the target server until it can no longer function properly.

6. Summary

In this lab, we covered the following topics. If you have any questions, feel free to engage with us on Shiyanlou Q&A:

  • Introduction to DoS
  • SYN principle in DoS attacks
  • DoS attack in practice
  • Prevention of DoS attacks

Be sure to complete the entire experiment hands-on. It may seem simple to read through, but real-world practice introduces various challenges. Overcoming issues during experimentation is a valuable learning process.