DDOS
the name already says it all (Distributed Denial of Service), is a distributed attack coming from several IP’s(sites), this type of attack simply clogs a service making the attacked server unable to answer requests, This will only happen if your robots' request sending power exceeds the processing limits of the attacked server.
Therefore your test script cannot be considered a DDOS
, your attack is not distributed, it’s only coming from a single location...
How do I know the minimum time span I have to include
while inside for my pc not to catch during attack?
We have no way to respond, it will depend on the processing power of your PC
, a distributed attack is infinitely more efficient, as you can for example "talk" to 1000 zombie robots (infected Pcs in different places on the planet) send packets every 30 milliseconds, ie a while with a longer time that does not lock your PC would be compensated by the amount of zombies you have control!
Which door is better for the attack? I tried to use door 80, 21, 22,
that I’ve seen others attacking but I’m not sure if there’s a rule that
use to determine it or if they are only popular.
In theory any port that your target destination has opened, each port of your example determines an open service, port (80) is attacked when you want to take a site from the air, port 21 is attacked when you want to stop an FTP service, port (22) when you want to take down the SSH service...
How do I know the attack is working?
You will know when the port you are attacking stops responding, if you are attacking port 80 and manage to undermine all the processing power of the attacked server, no one will be able to access the site, Simm vc caused a denial of service if this happens ...
How do I know by another computer to recognize the attack? And how do I
could stop you from another computer?
First of all only the "owner" of the attacked network/server is able to prevent and identify something, if the attack is only one DOS
, some PC alone sending requests within a while
, it is relatively simple to contain the attack of a lobo solitário
, a good firewall denying all packets of the attacker’s IP will contain the attack... But if the attack is distributed the request will come from many different IP’s, sniff the network and try to find which IP’s are sending requests as if there is no tomorrow is the exit, with the IP’s in hand you will have q block one by one in your Firewall, this type of action is time consuming, finding all attackers in a distributed attack can take hours, this type of attack is really complicated to contain altogether...
Follow a real example of attack happening on my server, was a SYN-Flood
at my door 80
, I identified the attack almost the same time it started, I have socket connection control mechanisms, I have automatic alerts that trigger emails, call, send SMS, etc, if a given port has more connection than expected (My algorithm makes decisions based on the average of accesses that each port has, if this value extrapolates the alerts start to be sent), this same algorithm adds the attacker’s IP in the firewall to be blocked, this type of attack will not appear in the Web server logs(apache, Nginx, etc.), when such an attack happens (SYN Flood - flooding the port with SYN packets in an attempt to deny the service), whoever has access to the attacked server will be able to see several connections SYN_RCVD
open, whether using sniffers or looking at access statistics in your server interface, a real example run on my server at the time of attack:
netstat -na | grep SYN_RCVD | awk '{print $5}' | cut -d. -f -4 | sort | uniq -c
232 222.93.XXX.XX
The comeback told me I had 232
connections SYN_RCVD
from the IP 222.93.XXX.XX
Follows a Port Monitoring Graph 80
from my server, it is clear the discrepancy of accesses for when the attack started:
The first graph shows an attack going on, without connection control script, notices that for a long time took around 230
connections coming from the same IP, the second graph shows an attack attempt, had a connection peak of approximately 38
connections from the same IP, but the attack was contained after that peak by my algorithm!
This is a practical example of how to monitor and take action for attacks of this nature.
Usually the DDOS
or DOS
send a flood of packages SYN-ACK
, these packages consume resources from the wholesale server, the package stays open waiting for a response until it reaches a time-out, i.e., the package stays there occupying resource without ever having an answer...
You said it is possible to attack any port as long as it is open, but if there were no open ports it would be possible to overload the server firewall?
– Arthur Sally
A well-designed and structured network architecture the firewall doesn’t just sit on the server, it usually has a dedicated firewall at the edge that protects all the services that are below it, if that incoming firewall has the limit of analysis packets exceeded, will surely also fail...
– ederwander
I get it, thank you
– Arthur Sally
Then came this doubt now that is: if ping sends a message to an ip na and it usually has a return response then could I use it while to attack a computer inside it? And if ping uses port 445 what kind of message it sends?
– Arthur Sally