If you watch the video and listen to my inconsistent mutters then you're in for a real treat; I was pretty tired when I recorded this, and I hope the tutorial makes sense. However, that shouldn't lessen the impact a denial of service attack has on a website or company.
Just in case you have NO idea what I'm talking about, a denial of service attack is literally what the name implies: denying service to legitimate customers by congesting a system's resources with impunity. The news usually reports when huge companies — Visa, PayPal, and WikiLeaks — are attacked because of the overwhelming financial impact these attacks can have on a company, but DoS (or more specifically DDoS, distributed denial of service) attacks are happening every minute, as evidenced by this handy DDoS Map.
DDoS, distributed denial of service, is when many, many computers are attacking a server at once; whereas DoS is technically one computer attacking a server. Today I'm going to use a program called Slowloris to cause a denial of service attack on an internal server and on the Internet (for which I have full permission). This DoS style of attack is typically what patriot-turned-hacktivist 'Th3J35t3r' uses to bring down jihadi websites, and some have even speculated that Jester's program, XerXes, is just a GUI on top of a modified version of Slowloris. Let's find out...
What You Will Need
- Kali Linux (either a bootable LiveCD or bootable USB image)
- Internet connection
- LBD [load balance detector] (included in Kali Linux)
Slowloris DoS Attack
Again, sorry for the rambling on the video. First, I attack my own internal server that runs my testing site just as an example. Then I attack an actual running website out there on the internet. I have FULL permission to do so. Please only use this program against websites you have authorization to use it against. DoS and DDoS-ing are ILLEGAL in many jurisdictions. Here are the steps so you can follow along with a complete attack:
- Run LBD against a target to find out if it has load balancing enabled. If it does, move on. Your attack will be worthless.
- Also under LBD, the server version will be listed. Make sure the server can be exploited by checking the list on Slowloris' website.
- Download Slowloris using the 'wget' command.
- Change permissions to 755.
- Run the Slowloris '-test' option to see how long a socket can keep a connection open.
- Launch the attack.
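Seen from the server side, the socket-timeout step above is the whole story: Slowloris ties up a server by holding many connections open with requests that never finish. The following detection sketch is an added example, not code from the original post or from the Slowloris project; the `Conn` record, its field names, the thresholds and the sample addresses are all assumptions, standing in for whatever per-connection state your server or proxy exposes.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str            # client address (hypothetical field)
    age_s: float        # seconds since the connection was accepted
    headers_done: bool  # True once the full request header block arrived


def _stalled(conns, max_header_wait_s):
    """Connections still waiting on request headers past the allowed time."""
    return [c for c in conns
            if not c.headers_done and c.age_s > max_header_wait_s]


def slow_header_sources(conns, max_header_wait_s=10.0, per_source_limit=20):
    """Return {src: count} for clients holding too many stalled connections."""
    counts = Counter(c.src for c in _stalled(conns, max_header_wait_s))
    return {src: n for src, n in counts.items() if n >= per_source_limit}


def pool_pressure(conns, worker_slots, max_header_wait_s=10.0):
    """Fraction of the worker pool occupied by stalled connections."""
    return len(_stalled(conns, max_header_wait_s)) / worker_slots


def sample_snapshot():
    """Constructed sample data using documentation address ranges."""
    # One client holding 120 connections that never finished their headers.
    conns = [Conn("203.0.113.7", 30.0 + i, False) for i in range(120)]
    # Thirty ordinary clients whose requests completed quickly.
    conns += [Conn("198.51.100.%d" % i, 0.4, True) for i in range(1, 31)]
    # A legitimately slow client with two stalled connections.
    conns += [Conn("192.0.2.15", 12.0, False)] * 2
    return conns


if __name__ == "__main__":
    snap = sample_snapshot()
    print("flagged sources:", slow_header_sources(snap))
    print("pool pressure: %.2f" % pool_pressure(snap, worker_slots=150))
```

The per-source count catches a single machine, as in this tutorial; the pool-pressure figure is the one to alert on when the stalled connections are spread across many sources.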
It's really that easy. Now, let's get to the hack: