DoS attack on Metasploitable
- Shone Pious
- Sep 28, 2023
Updated: Sep 29, 2023
This blog is one of a 4-part series on Metasploitable.
Finding target IP (Reconnaissance)
We can find the Metasploitable machine IP address by typing
ifconfig
in the terminal.

Identifying attack method
Over on the kali machine, type ➡️
nping --help | grep 'TCP'
This retrieves the help page for the nping command and returns only the lines that contain the word TCP.
Nping is an open-source command-line tool that generates network packets, analyses the responses and measures connection statistics. It is basically a more powerful version of the ping command.

We will use the --tcp-connect mode for this attack, as it floods the target server with TCP connect requests and renders it unusable for legitimate traffic.
Running TCP-connect script
Open the website that we want to attack in a web browser.

Type this command ➡️
nping --tcp-connect --rate 10000 -c 10000 -q <metasploitable IP address>
The flag -c ➡️
-c 10000
Specifies the number of times that we wish to target each host. In this case, there is just one host and we will send TCP-connect requests to it 10,000 times.

The website is now taken down with more SYN connection attempts than the server can handle.

Your machine might start throttling once this has started.
The attack will stop by itself after a bit.
Netstat in Metasploitable
In Metasploitable, type ➡️
netstat -ant | less
This will list all TCP connections and listening sockets, with addresses and ports shown in numeric format.
a = all, n = numeric, t = tcp.

Go back to the kali machine and connect to the website again.
Running the netstat command again shows our connection from our host IP address on port 80.

Starting the tcp-connect flood again and checking the network connections on Metasploitable, we can see that the website has been taken down by a flood of TCP SYN requests.
Each request comes from a different source port, which exhausts the web server's resources and prevents legitimate users from connecting to it.
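Paging through netstat by eye gets slow once thousands of connections pile up, so here is an added example (not part of the original post) that counts connections to the web port per remote address from netstat -ant output. The function names and every address in the sample are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-source connection counts from `netstat -ant` output.

# Constructed sample in Linux `netstat -ant` layout; every address is a
# made-up lab value, not taken from the original post.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
tcp        0      0 192.168.56.102:22       192.168.56.101:51514    ESTABLISHED
tcp        0      0 192.168.56.102:80       192.168.56.1:49822      ESTABLISHED
tcp        0      0 192.168.56.102:80       192.168.56.101:40112    SYN_RECV
tcp        0      0 192.168.56.102:80       192.168.56.101:40113    SYN_RECV
tcp6       0      0 ::ffff:192.168.56.102:80 ::ffff:192.168.56.101:40114 SYN_RECV
tcp6       0      0 ::ffff:192.168.56.102:80 ::ffff:192.168.56.101:40115 ESTABLISHED
tcp        0      0 192.168.56.102:80       192.168.56.101:40116    TIME_WAIT
EOF
}

# flood_sources PORT MIN  (hypothetical helper name)
# Reads `netstat -ant` output on stdin and prints "total syn_recv ip" for each
# remote address with at least MIN connections to local PORT, busiest first.
flood_sources() {
  awk -v port="$1" -v min="$2" '
    $1 ~ /^tcp/ && $6 != "LISTEN" {
      n = split($4, loc, ":")              # last field is the local port
      if (loc[n] != port) next
      m = split($5, rem, ":")              # last field is the remote port
      ip = substr($5, 1, length($5) - length(rem[m]) - 1)
      sub(/^::ffff:/, "", ip)              # fold IPv4-mapped IPv6 into IPv4
      total[ip]++
      if ($6 == "SYN_RECV") syn[ip]++      # half-open handshakes
    }
    END {
      for (ip in total)
        if (total[ip] >= min) print total[ip], syn[ip] + 0, ip
    }' | sort -rn
}

sample_netstat | flood_sources 80 3   # prints: 5 3 192.168.56.101
```

On the target itself, pipe live output in with netstat -ant | flood_sources 80 <threshold>, choosing a threshold above what normal clients open. A single address far above it is the one to block.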

Setting firewall up
To defend against SYN flood attacks like this, we need to block the suspicious source address using a firewall.
On Metasploitable, type ➡️
sudo ufw enable
Then type ➡️
sudo ufw deny from <Kali IP address>
This will silently drop connection attempts from the IP address we provide.
To check that the rule has been added, type ➡️
sudo ufw status

Now trying to access the web server from our Kali machine will result in a timeout error, as the firewall no longer lets our traffic in.
Checking the network connections on the Metasploitable machine shows no connection attempts from our Kali machine, even though I am running the SYN flood attack.
