Benchmarking Denial of Service

Let the testing begin!
Tools

There are a lot of tools out there, some terrible and some better. I will test the most common ones to figure out how they work, how they perform and what makes each of them unique.

 

Virtualization
I am not taking any chances by running an executable file without knowing the source code, so let’s boot up a few virtual machines. The target web server is hosted at a remote location to get more accurate results from real network behaviour such as TCP RTT and NAT limitations.

 

I will test and rate the different tools on subjects that I think are important for a Layer 7 HTTP DoS attack. Screenshots are taken after the first 30 seconds of an attack, along with a Wireshark capture to show what the TCP attack stream looks like. I will also display some of the server requests to show whether this type of attack can easily be detected and blocked by an IPS or IDS, but I will not consider rate-limiting as a defense.

 

Rating System:
Each tool starts with a base score of 10. I may add or remove up to 2 points for each subject.

 

 

LOIC – Low Orbit Ion Cannon [11]

Screenshot
Wireshark Capture

Low Orbit Ion Cannon is one of the easiest tools to use; it’s actually more of a hassle to download it because of virus warnings and blacklisted URLs. LOIC does not perform very well against web servers, but it has a powerful Layer 4 TCP and UDP attack option. This tool also has a Hivemind mode, which lets attackers take remote control of the LOIC system to perform a DDoS attack. The Hivemind mode turns your client into a zombie, so watch out – you could be attacking fbi.gov. The traffic itself is very easy to filter since it’s nothing more than empty HTTP requests.
 

HOIC – High Orbit Ion Cannon [8]

Screenshot
Wireshark Capture

High Orbit Ion Cannon, on the other hand, has a few more attack options. You can tailor your own web requests through booster scripts to optimize the damage. HOIC is far more randomized than LOIC, which makes it difficult to filter. Making your own booster scripts requires some coding knowledge, so this may not be the best tool for beginners.
 

XOIC [6]
This tool does not support layer 7 attacks.

Screenshot
Wireshark Capture
Not much to say about XOIC. It has a weak Layer 4 attack and does not even make a dent in a low-performance web server.
 

Hulk – HTTP Unbearable Load King [11]

Screenshot
Wireshark Capture

Hulk does exactly what the title says – Load King. It’s a very simple Python script made to generate a lot of web requests over a short amount of time, which increases the web server’s response time. By default it bypasses the server cache, but this is not enough to kill a web server. There is nothing fancy to it, and it’s not difficult to filter because of the attack pattern.
 

[py]Slowloris [15]

Screenshot
Wireshark Capture

This one supports HTTPS and SOCKS (proxies, TOR, etc.). The original Slowloris is slightly more difficult to use than the GUI PyLoris. Unlike other DoS tools, Slowloris does not rely on high CPU load but rather on occupying as many connections as possible, making the target server unreachable.
 

RUDY – R-u-dead-yet [5]

Screenshot
Wireshark Capture

R-U-Dead-Yet is one of the few HTTP POST attack tools. Rather than flooding with GET requests, it sends one byte at a time to keep a web session open as long as possible. Multiply this and you will eventually starve the server of client connections. Depending on the web server’s configuration, an active POST attack may hold a session open for 5-10 minutes. Due to stability issues and lack of user-friendliness, this one hits the bottom of my list.
 

ARME – Apache httpd Remote Denial of Service (memory exhaustion) [9]

Screenshot
Wireshark Capture

Probably worked against old Apache servers. Today most web servers have good memory handling, which makes this tool obsolete. It has a “detection” mode which allows the program to check whether the target server is vulnerable or not.
 

Torshammer [15]

Screenshot
Wireshark Capture

Same concept as R-U-Dead-Yet, except better in most ways. It’s harder to detect, more stable, has TOR support and gives you more control options. Each session-holding request requires one process (a thread, as described in the options), so make sure you use a higher number of processes than the target web server can handle.
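The slow-POST behaviour described for R-U-Dead-Yet and Torshammer shows up on the server as request bodies that stay incomplete while arriving at roughly one byte per second. The following detection logic is an added example, not code from the original post; the record fields, thresholds and worker limit are assumptions, and the sample connections are constructed.

```python
from collections import Counter
from typing import NamedTuple

class Conn(NamedTuple):
    src: str             # client address as seen by the server
    method: str
    content_length: int  # body size the client announced
    body_received: int   # body bytes that have actually arrived
    seconds_open: float

# Constructed sample of currently open connections (not captured traffic).
SAMPLE = [
    Conn("198.51.100.7", "POST", 100_000, 240, 240.0),        # ~1 byte/s
    Conn("198.51.100.7", "POST", 100_000, 301, 300.0),
    Conn("198.51.100.7", "POST", 100_000, 95, 95.0),
    Conn("203.0.113.20", "POST", 100_000, 60, 60.0),          # lone slow session
    Conn("192.0.2.15", "POST", 5_000_000, 2_400_000, 30.0),   # real upload, 80 kB/s
    Conn("192.0.2.44", "POST", 512, 512, 0.4),                # completed form post
    Conn("192.0.2.44", "GET", 0, 0, 0.1),
]

def is_slow_body(c, min_rate=500.0, grace=20.0):
    """True when a POST body is still incomplete after `grace` seconds and
    has averaged fewer than `min_rate` bytes/second (assumed thresholds)."""
    if c.method != "POST" or c.body_received >= c.content_length:
        return False
    if c.seconds_open < grace:
        return False
    return c.body_received / c.seconds_open < min_rate

def slow_post_report(conns, per_source_limit=3, worker_limit=150):
    """Summarise slow-body sessions; worker_limit is the assumed size of
    the server's connection pool."""
    slow = [c for c in conns if is_slow_body(c)]
    per_source = Counter(c.src for c in slow)
    return {
        "slow_total": len(slow),
        "flagged_sources": sorted(
            s for s, n in per_source.items() if n >= per_source_limit),
        # Proxied or TOR-routed sessions are spread over many sources, so
        # also track how much of the worker pool slow bodies hold overall.
        "worker_share": len(slow) / worker_limit,
    }

if __name__ == "__main__":
    print(slow_post_report(SAMPLE))
```

On Apache, the same minimum-rate idea is enforced at the server by mod_reqtimeout's `RequestReadTimeout` directive with a `MinRate` value.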
 

 

Summary:
These tests were done against an Apache server, so the results may not be the same against IIS or nginx. Most tools were easy to use, but they lack stability, customizability and SSL (HTTPS) support. After seeing this, I decided to start making my own DoS tool (Unicorn Cannon), which hopefully will fill the gaps I found.
