Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

DDoS Attacks: What They Are and How to DDoS

What is a DDoS attack? There may come a time when your job requires you to know how to DDoS. Learn the answer and follow the guide from Pluralsight!

Nov 15, 2012 • 3 Minute Read

Updated 10/6/2020


A DDoS (Distributed Denial-of-Service) attack is very similar to a DoS (Denial-of-Service) attack, with the only difference being that the same attack is carried out by many different people (or botnets) at exactly the same time. Therefore, DDoS is all a matter of scale.

 

After you select a service to target, follow these five steps to mount a DoS attack:

  1. Launch a DoS tool, like LOIC.

  2. Specify the IP address of the server you want to attack. 

  3. Choose a port you know is open and that accepts incoming connections.

  4. Select TCP.

  5. Click on the button to start the attack.

 

To mount a DDoS attack, do the same as for a DoS attack, except with the HOIC tool. This is how to DDoS: 

  1. Find and pick a service.

  2. Select an open port.

  3. Launch HOIC.

  4. Increase the Threads. 

  5. Target the desired URL.

  6. Increase the Power to High.

  7. Select your Booster.

  8. Mount the attack.

 

Let’s first go over a DoS attack so that a DDoS attack can be better understood. 

What Is a Denial-of-Service Attack (DoS)?

DoS is a cyberattack designed to overwhelm an online service, make their system crash, thus denying service to customers, employees, etc. To pull off a DoS attack, all you have to do is:

  1. Find and pick a service to target.

  2. Select an open port.

  3. Overwhelm the service.

At its core, a DoS attack is pretty straightforward and simple to pull off. The real question here is whether you have enough scale to overwhelm your target system.

Here is a breakdown of each step.

Find and Pick a Service to Target

The first step to mounting a DoS is to find a service you can target. This would need to be something with open ports and vulnerabilities, and that will accept incoming connections.

Some of the services that might meet these criteria are:

  • Web servers

  • DNS servers

  • Email servers

  • FTP servers

  • Telnet servers

What makes these services so easy to target is that they accept unauthenticated connections. 

Select an Open Port

View a list of open ports in Windows by opening the DOS command line, entering netstat, and pressing Enter. To view the ports a computer communicates with, type netstat -an |find /i “established”.

Port settings vary program by program, but the general idea is the same across the board. When trying to access a port, you’ll know it’s not accessible if “Connecting…” hangs and then the window goes away. If it is accessible, you’ll get an empty window or see display text similar to “220 ESMTP spoken here.”

If you’d rather, here are three tools you can use to find open ports:

  1. Telnet

  2. CurrPorts

  3. TCPEye

Overwhelm the Service

Ideally, you’d choose a service that doesn’t have a maximum limit to the number of connections it allows. The best way to find out whether a service doesn’t have an upper boundary is to send it a few hundred thousand connections and then observe what happens.

To achieve optimal effect, you must send specific queries and information. For example, if you’re targeting a web server with a search engine, don’t just request a web page or hit F5 a bunch of times. Request a complex search query that’s going to consume a significant amount of horsepower to resolve. If doing that just once makes a noticeable impact on the backend, then doing that a hundred times a second will probably bring the server down.

You can do the same thing against a DNS server. You can force it to resolve complex DNS queries that aren’t cached. Do it often enough and it’ll bring down the server.

For an email service, you can send lots of large email attachments, if you can get a legitimate account on its server. If you can’t, it’s pretty easy to spoof it.

If you can’t target any specific service, you can simply flood a host with traffic, except the attack might not be as elegant and would certainly require a bit more traffic. 

Once you’ve overwhelmed the system, the environment is primed for an attack.

How to Mount a DoS Attack

Once you’ve done the network footprinting, scanning, and enumeration processes, you should have a good idea of what’s going on in the network you’re targeting. Here’s an example of one particular system you’d like to attack. It’s 192.168.1.16 (a Windows 2008 Domain Controller and web server).

 To attack it, follow these 5 steps:

1. Launch your favorite tool for attacking systems. I like the Low Orbit Ion Cannon (LOIC). This is the easiest tool to understand because it’s pretty obvious what it’s doing. 

Other DoS tools that can be used to attack include XOIC, HULK, DDOSIM, R.U.D.Y., and Tor’s Hammer.

2. Specify the IP address of the server you want to attack, which in this case is 192.168.1.16. Lock on to it. 

3. Choose a port you know is open and that accepts incoming connections. For example, choose port 80 to mount a web-based attack.

4. Select TCP to specify which resources to tie up.

5. Click on the button to mount the attack.

 

You’ll see the requested data increasing rapidly. 

 

The data increases may eventually start to slow down a bit, partially because you’ll be consuming resources on the client, and also because the server itself would either be running out of resources or starting to defend itself against your attack. 

What to Do When the Host Begins to Defend Itself

Some hosts can be configured to look for patterns, identify attacks, and start to defend themselves. To counter their defense, you can:

  1. Stop the attack momentarily (by clicking the same button you clicked to mount the attack).

  2. Change the port you’re attacking.

  3. Slow the attack a little bit, which adds confusion.

 

In our example, you’ll change the port from port 80 to port 88 (if you review the screenshot on the Advanced Port Scanner, you’ll see that port 88 is also open). Once you’re done changing the settings, you can resume the attack by clicking the attack button again.

You’re now attacking a different port (which amounts to a different service) in a slightly different way and at a different speed. Speed is only important if you’re attacking from one client.

That is how an attack would look like when you do this kind of DoS from only one machine. 

What Is a DDoS Attack? Attacking Multiple Clients at Once

A Distributed Denial of Service (DDoS) attack is performed with the goal of taking down a website or service by flooding it with more information or processing than the website can handle. It’s practically the same as a DoS attack, the difference being that it’s carried out by many different machines at once. 

Depending on the situation, one client attacking this way may or may not immediately affect the performance of the server, but a DDoS attack doesn’t have to stop with just one client. Typically, you would mount this attack against different ports at different times, and try to footprint whether your actions are affecting services. Better yet, it will shut down the server. 

If the attack is producing the desired effect, you could scale it up by running the LOIC on a dozen (or even hundreds) of machines at the same time. A lot of this action can be scripted, meaning you can capture the traffic and replay it at the command line on different targets. Or, you can play it as part of a script from different attackers, which could be your peers, your zombies, or both. Often, malware (botnets, explored below) is used to launch the attacks because malware can be timed to launch at exactly the same moment.

This is when speed becomes less important because you have a hundred different clients attacking at the same time. You can slow things down at each individual client and still be able to mount quite an effective attack. 

The screen would look the same on each individual machine if you mounted the attack from hundreds or thousands of machines, as if you were doing it on a single machine.

What Is a Botnet?

As explained by the Internet Society:

“A botnet is a collection of Internet-connected user computers (bots) infected by malicious software (malware) that allows the computers to be controlled remotely by an operator (bot herder) through a Command-and-Control (C&C) server to perform automated tasks on devices that are connected to many computers, such as stealing information or launching attacks on other computers. Botnet malware is designed to give its operators control of many user computers at once. This enables botnet operators to use computing and bandwidth resources across many different networks for malicious activities.”

Although a great help to hackers, botnets are more of a scourge to much of online society. Botnets:

  • Can be spread throughout wide distances, even operating in different countries.

  • Restrict the internet’s openness, innovation, and global reach.

  • Impact fundamental user rights by blocking freedom of expression and opinion, and violating privacy. 

How to Do a DDoS Attack

To mount over 256 simultaneous DDoS attacks that will bring a system down, a team of several users can use High Orbit Ion Cannon (HOIC) at the same time, and you can employ the “booster” add-on script.

To do a DDoS attack, find and pick a service, select an open port, and overwhelm the service by  following these steps:

  1. Launch HOIC.

  2. Increase the Threads. 

  3. Target the desired URL.

  4. Increase the Power to High.

  5. Select your Booster.

  6. Mount the attack.

Why Do Illegal Hackers Perform DoS and DDoS Attacks?

DoS attacks and DDoS attacks are overly destructive and can take some work to launch, but they are used by cybercriminals as a weapon to use against a competitor, as a form of extortion, or as a smokescreen to hide the extraction of sensitive data. 

Also, sometimes attacks are mounted for one or more of these reasons:

  • Internet-based turf wars.

  • An expression of anger or a punishment.

  • Practice, or just to see if it can be done.

  • For the “fun” of causing mayhem.

The harm caused by DDoS attacks is extremely significant. Cisco has reported some eye-opening facts and estimates:

  • The number of global DDoS attacks will double from 7.9 million in 2018 to 15.4 million by 2023.

  • The average size of a DDoS attack is 1 Gbps, which can take an organization completely offline.

 

A 2019 ITIC survey found that “a single hour of downtime now costs 98% of firms at least $100,000. And 86% of businesses say that the cost for one hour of downtime is $300,000 or higher.” Thirty-four percent say it costs $1 million to $5 million to be down for one hour.

A recent example of a DDoS attack is the Amazon Web Services attack in February 2020. The cloud computing giant was targeted and sent up to an astounding 2.3 terabytes of data per second for three days straight. 

If you want to browse worldwide attacks taking place in real-time (or close to it), check out a cyber attack threat map.

How to Protect Your Business from DoS and DDoS Attacks

To protect your business from DoS and DDoS attacks, here are some recommendations:

  1. Install security software and keep it updated with the latest patches.

  2. Secure all passwords.

  3. Use anti-DDoS services to recognize legitimate spikes in network traffic, versus an attack.

  4. Have a backup ISP so that your ISP provider can re-route your traffic.

  5. Use services that disperse massive attack traffic among a network of servers.

  6. Update and configure your firewalls and routers to reject fraudulent traffic.

  7. Integrate application front-end hardware to screen and classify packets.

  8. Use a self-learning AI system that routes and analyzes traffic before it reaches company computers. 

  9. Employ an ethical hacker to seek and find unprotected spots in your system.

 

It is a difficult task to protect your business from DoS and DDoS attacks, but determining your vulnerabilities, having a defense plan, and coming up with mitigation tactics are essential elements of network security.

Learn More About Ethical Hacking

Ethical hacking is an important and valuable tool used by IT security professionals in their fight against expensive and potentially devastating cyber breaches. It uses hacking techniques to obtain information on the effectiveness of security software and policies so that better protection of networks can be enacted. 

The basic guiding principles to follow when hacking legally are:

  • Never use your knowledge for personal gain.

  • Only do it when you have been given the right.

  • Don’t use pirated software in your attacks.

  • Always have integrity and be trustworthy.


Now that you know what a DDoS attack is (and how to DDoS), if you want to learn more about how to ethically hack computer network systems, Pluralsight has all the resources you need. Read Ethical Hacking: Hardware and Software Tools of the Trade or take one of our numerous ethical hacking courses!

Mike Danseglio

Mike D.

has worked in the IT field for more than 20 years. He is an award-winning author, public speaker, and instructor on a variety of technology topics including security, virtualization, cloud computing, wireless and wired networking, and IT lifecycle processes. His operations experience includes managing the Xbox LIVE operations team, the largest cloud computing operations team in the world, and consulting on operations efficiency with countless clients around the world.

Mike has published several books (including two for O’Reilly) and numerous papers. He is a frequent conference speaker and classroom instructor on IT operations, computer security, and technology frameworks. Mike holds a number of certifications and accreditations including Certified Information Systems Security Professional (CISSP) practitioner and instructor.

More about this author