[Legion Leak] Ultimate Guide To DoS Attack Methods

This post is leaked from the premium section of "Legion" on the competing hack forum. There will be 5 new leaks a day. There may be some format problems due to UTF8 character encoding.
Quote: CommanderBoss Wrote:

What is a DoS attack?

A DoS Attack is a Denial of Service attack. Such attacks are used to disable many types of internet applications including home connections, websites, and game servers to name a few. If the attack comes from multiple computers or servers, then it is a DDoS attack, or Distributed Denial of Service attack.

The two main types of DoS attacks:

The two main types of DoS attacks are layer 4 and layer 7 attacks. Layer 4 attacks attack the network while layer 7 attacks target the webservers themselves. Layer 4 attacks are typically used for home connections but can be used to take down some websites and servers too. Layer 7 attacks are used for websites and cannot be used to take down an individual home connection. They are sometimes referred to as “Application Attacks.”

Types of Layer 4 attacks

UDP – A UDP (User Datagram Protocol) flood sends a large number of UDP packets to random ports on a remote host. The remote host is then forced to repeatedly check for an application listening on that port. When none is found, a reply is sent with an ICMP Destination Unreachable packet. Doing this repeatedly uses up the host’s resources and a successful attack causes all resources to become totally consumed. Hence, a denial of service is achieved. UDP attacks are often used for home connections but can also be used on game servers and websites.

UDP Lag – A UDP lag attack functions the same way as a UDP attack but attacks for two seconds then pauses for one. The purpose of it is to create a laggy experience and not completely take down a remote host.

SUDP – Spoofed UDP attacks are slightly different than UDP attacks. The packets are sent from a spoofed IP address, which reduces the risk of being caught.

SYN – An SYN attack exploits a weakness in the TCP (Transmission Control Protocol) three-way handshake. Under normal circumstances, TCP connection works as follows:
1. A client requests a connection by sending an SYN (synchronization) request.
2. The server responds with an SYN-ACK (acknowledged) packet.
3. The client answers with an ACK (acknowledgement) and the connection is completed.
This can easily be taken advantage of. During an SYN attack, the attacking client does not ever send the ACK packet back to the remote host. Multiple SYN requests are sent and the ACK is never sent back to the remote host. As a result, multiple partially opened connections are maintained. Eventually, so many are opened that legitimate requests cannot be processed and a DoS is achieved. SYN attacks can be used on home connections or websites but are really only used for websites.

SSYN – Spoofed SYN attacks are similar to SYN attacks. The difference is that the SYN requests are sent from spoofed IPs so the SYN-ACK requests never reach the attacker. For this reason, the spoofed IPs do not respond with an ACK because they never sent an SYN request.

Types of Layer 7 Attacks

RUDY (Are You Dead Yet) – Rudy is a low and slow DoS method because it generates a low amount of traffic at a slow rate. This allows it to bypass standard DoS protection. RUDY works by exploiting how the HTTP protocol works. When a user enters data through a form such as a search bar or login screen, data is sent via an HTTP POST request. When a legitimate user enters such data, it is sent over a few packets and the server simply handles it and moves on to the next request. When attacking using RUDY, data is sent through a form one byte at a time, at random intervals. This prevents the server from closing the connections and makes it wait for the request to be completed. These connections mimic legitimate traffic from slow internet connections so they effectively evade most DoS protection. When enough of these requests are sent, the server refuses new and legitimate connections, and the DoS is completed.

ARME (Apache Remote Memory Exhaustion) – ARME is used only on webservers running Apache. It is very effective because it depletes all of the server’s memory. Obviously a server cannot function without memory, so it is effectively disabled.

SLOW – Slowloris is another low and slow DoS attack method but it works differently than RUDY. Slowloris also exploits the HTTP protocol, but differently. Every HTTP request must be terminated by new line characters. A normal HTTP GET request is contained within one packet and quickly ended by the new lines at the end of the message. When slowloris is used, the GET request is sent without the termination sequence. This causes the server to leave the connection open and wait for it. Servers allocate a small amount of resources per connection because a standard connection does not last very long. When attacking with slowloris, thousands of requests or more are sent to the server and they all remain open. Once enough resources are wasted maintaining these connections, the server cannot handle any other traffic and a DoS is achieved. Slowloris attacks are particularly effective against Apache servers but are not limited to them the way ARME is.

HTTP Flooding

There are three different types of HTTP floods: GET, HEAD, and POST. GET requests retrieve static data such as images. POST requests are used when submitting data into a form and require more resources to process. HEAD requests are like GET requests except they only ask for the response headers to be returned, not the entire resource. For this reason, they require the least amount of resources to process and make the least effective HTTP flood method. All HTTP floods are layer 7 attacks.

GET – As stated above, GET requests retrieve things such as images. The attacker makes many requests for various pieces of static data on the webserver in the hopes that it will consume all of the server’s resources. GET requests consume fewer resources than POST requests but the attacker gains help from legitimate users when using this type of attack. This is because normal traffic will require the sending of GET requests, such as simply accessing the website via the URL bar. The same can hold true for POST as well because normal users might still send POST requests, but GET requests are much more common.

HEAD – Same as GET but consumes fewer resources and cannot enlist the help of normal users as a normal user will send a GET request if anything.

POST – POST attacks are usually more effective simply because they involve forms. These forms involve parameters which cost more resources to process than a simpler GET request.

I am aware of the fact that I am missing some attack types but these are the most common ones. I will do my best to update this thread with missing ones in the future. If you have any questions, feel free to ask.
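
Added example, not part of the quoted post: a server-side check that separates the two low-and-slow patterns described above (unterminated headers for Slowloris, a trickled POST body for RUDY) from a legitimate slow upload, using per-connection timing instead of traffic volume. The record fields, thresholds and sample connections are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

HEADER_TIMEOUT_S = 20    # assumed limit for receiving the complete request header
BODY_GRACE_S = 20        # assumed grace period before the body rate is enforced
MIN_BODY_RATE = 500      # assumed minimum body bytes per second after the grace period
MAX_STALLED_PER_SRC = 3  # assumed per-source alert threshold

@dataclass
class Conn:              # hypothetical record a server or proxy could keep per open connection
    src: str             # client address
    age_s: float         # seconds since the connection was accepted
    headers_done: bool   # blank line terminating the header block was received
    header_s: float      # seconds taken to receive the headers (0 if not done)
    content_length: int  # declared body size, 0 if none
    body_bytes: int      # body bytes received so far

def classify(c: Conn) -> str:
    """Return 'slow-header', 'slow-body' or 'ok' for one open connection."""
    if not c.headers_done:
        # Slowloris pattern: the header terminator never arrives.
        return "slow-header" if c.age_s > HEADER_TIMEOUT_S else "ok"
    if c.body_bytes < c.content_length:
        # RUDY pattern: a declared body arrives far below any plausible link speed.
        body_s = c.age_s - c.header_s
        if body_s > BODY_GRACE_S and c.body_bytes / body_s < MIN_BODY_RATE:
            return "slow-body"
    return "ok"

def flag_sources(conns):
    """Map source -> stalled-connection count, for sources at or over the threshold."""
    stalled = Counter(c.src for c in conns if classify(c) != "ok")
    return {src: n for src, n in stalled.items() if n >= MAX_STALLED_PER_SRC}

# Constructed sample connections (documentation address ranges), not real traffic.
SAMPLE = (
    [Conn("198.51.100.7", 95.0, False, 0.0, 0, 0) for _ in range(4)]          # headers never finished
    + [Conn("203.0.113.9", 120.0, True, 0.4, 100000, 110) for _ in range(3)]  # about 1 byte/s of body
    + [Conn("192.0.2.44", 45.0, True, 0.3, 5_000_000, 3_000_000)]             # slow link, real upload
    + [Conn("192.0.2.50", 2.0, False, 0.0, 0, 0)]                             # just connected
)

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.src, classify(c))
    print(flag_sources(SAMPLE))
```

The same two limits, a header deadline and a minimum body rate, are what web servers expose as request-read timeouts, so connections flagged here are the ones such a timeout would close.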