Question

Description:

In this assignment, you will be launching a denial of service attack on a web server. We will be using hping3, a command-line oriented network security tool inside Kali Linux (an advanced penetration testing Linux distribution).

Setting up the victim machine

Download the Windows XP virtual machine with WebGoat server installed, using the following link. We will use this machine as the victim machine and launch a DoS attack on the WebGoat server.https://drive.google.com/open?id=0BwCbaZv8DevUejBPWlNHREFVc2s

Open the victim machine and launch a new command prompt. Determine the ip address of the victim machine by typing the following command:

Ipconfig

Note: Do not use or close the command prompt running WebGoat

Make sure the WebGoat is running by opening the chrome browser inside victim machineand browsing to the following URL:

localhost:8080/WebGoat/

Open Windows task manager inside the victim machine and click on performance. You will see a low CPU usage.

Setting up the attacker machine

Download the Kali Linux virtual machine using the following link. We will use this machine as the attacker’s machine.

https://drive.google.com/open?id=0BwCbaZv8DevUdUwtcDduZWd1WE0

Login to the machine using the following credentials:

Username: root

Password: toor

Open the firefox browser by clicking on Firefox ESR from the left pane inside attacker machine. You should be able to browse to the following URL and access the victim server from inside attacker machine:

Victim machine ip address: 8080/WebGoat/

Launch the terminal by clicking on Terminal from the left pane.

Type the following command in attacker machine’s terminal after replacing the destination ip address with the ip address of the victim machine:

hping3 –c 10000 -S -p 8080 --flood --rand-source destination ip address

To understand the parameters in the above command, use the following reference manual

http://www.hping.org/manpage.html

Your goal is to figure out which type of denial of service attack is launched when you run the

above command.

Open Wireshark from the attacker machine by clicking on Applications -> 09 - sniffing and spoofing -> Wireshark

Click on Capture -> options -> eth0 -> start capture.

Analyze the packets as they are being captured. You can stop the capture after a while. Look at the source and destination ip address, protocol, and info columns of each packet.

Q. What type of DoS attack was launched? Explain using the packets you found in Wireshark. Add a relevant screenshot.

Also look at the CPU usage inside the task bar of the victim machine as soon as you launched the attack.

Q. Does the CPU usage of victim machine increase during the attack? Take a screenshot of the CPU usage history during the attack.

Wait for a while and try to access the victim web server again from the attacker’s machine

using the following URL:

Victim ip address: 8080/WebGoat/

Q: What happens when you try to access the web server? Does it take longer to load the URL? If you got an error, what was it?

Q. Briefly explain what did the following command do? What did each of its parameters mean?

hping3 –c 10000 -S -p 8080 --flood --rand-source destination ip address

The syntax’s used in this command:

hping3 = Name of the application binary.

-c 100000 = Number of packets to send.

-d 120 = Size of each packet that was sent to target machine.

-S = I am sending SYN packets only.

-w 64 = TCP window size.

-p 21 = Destination port (21 being FTP port). You can use any port here.

--flood = Sending packets as fast as possible, without taking care to show incoming replies. Flood mode.

--rand-source = Using Random Source IP Addresses. You can also use -a or –spoof to hide hostnames. See MAN page below.

www.hping3testsite.com = Destination IP address or target machines IP address. You can also use a website name here. In my case resolves to 127.0.0.1 (as entered in /etc/hosts file)

Answer 1

1. A distributed DoS attack was launched using TCP SYN packets on port 8080. The CPU utilization spikes very high on the victim's machine as the attack is launched.

2. CPU usage increases and fluctuates during the attack

E Windows Task Manager File Options View Shut Down Help Applications Performance Networking Users CPU Usage CPU Usage History 2% PF Usage Page File Usage History 145 MB Totals Handles Threads Processes Physical Memory (K) 5474 oal 290 Available 523760 340184 161540 24 System Cache Commit Charge (K) Total Limit Peak Kernel Memory (K) Tota 148768 32740 23568 9172 1276448 Paged 157284 Nonpaged Processes: 24 CPU Usage: 2% Commit Charge: 145M 1246M

3. Web page loads very slowly and sometimes give http error 408 due to timeout

4. -c 100000 = Number of packets to send.

-S = send SYN packets

-p 8080 = send to destination port 8080

--flood = Send packets as fast as possible, without taking care to show incoming replies.

-rand-source = Use Random Source IP Addresses.

destination ip address = IP address of the victim