White Hat Institute

Analyzing patterns and signatures of DoS attacks using Wireshark

DoS (Denial of Service) is an attack that denies legitimate clients access to a resource, for example a website, a network or an email service, or that makes the resource so slow that it is effectively unusable. This kind of attack is typically carried out by hitting the target, for example a web server, with a very large number of requests at the same time, so that the server is unable to respond to all of them. The impact is either that the servers crash or that they slow down.

To analyze the pattern of a DoS attack in your network, we first need to perform one. For this we are going to use a tool called “macof”. Macof is a member of the dsniff suite and is mostly used to flood a switch on the local network with MAC addresses.

Ex: root@kali:~# macof -s 10.10.10.4 -d 10.10.10.6 -i eth0 -n 50

dos 1

Let’s analyze the pattern of the captured packets. As you can see, one device is continually sending requests to another device, and every packet has the same data length. This type of traffic indicates a typical DoS attack on the network.

dos 2

Now let’s perform a DDoS attack and analyze the results. A distributed DoS attack is generally performed by several compromised machines that all target the same victim, flooding the network with data packets. To reproduce that, we will use the “macof” tool against the whole network.

Ex: root@kali:~# macof -i eth0

dos 3

As you can see in the following screenshot, there are many packets with the same data length coming from bogus source and destination IP addresses.

dos 4
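As an added example (not part of the original post), the following Python turns the two signatures described above into detection logic over constructed packet summaries in the shape of a Wireshark/tshark export (time, eth.src, eth.dst, ip.src, ip.dst, frame.len): a single source repeating the same frame length to one target at a high rate, and a burst of many distinct source MAC addresses with the same frame length. The sample records, field order and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed packet summaries (not a real capture):
# (time_s, eth.src, eth.dst, ip.src, ip.dst, frame.len)
CAPTURE = (
    # one host hammering one target with identical-length frames (macof -s/-d)
    [(0.01 * i, "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:02",
      "10.10.10.4", "10.10.10.6", 54) for i in range(10)]
    # flood with random source/destination addresses, same length (macof -i eth0)
    + [(1.0 + 0.01 * i, f"02:00:00:00:00:{i:02x}", f"02:00:00:00:01:{i:02x}",
        f"192.0.2.{i}", f"198.51.100.{i}", 54) for i in range(20)]
    # normal background traffic: one flow, varied lengths, low rate
    + [(2.0 + 0.5 * i, "cc:cc:cc:00:00:03", "dd:dd:dd:00:00:04",
        "10.10.10.7", "10.10.10.1", 60 + 100 * i) for i in range(4)]
)

def find_dos_flows(packets, min_packets=8, window_s=1.0):
    """Flag (ip.src, ip.dst, frame.len) flows that repeat the same frame
    length at least min_packets times within window_s seconds."""
    flows = defaultdict(list)
    for t, _, _, src, dst, length in packets:
        flows[(src, dst, length)].append(t)
    hits = []
    for key, times in flows.items():
        times.sort()
        for i in range(len(times) - min_packets + 1):
            if times[i + min_packets - 1] - times[i] <= window_s:
                hits.append(key)
                break
    return hits

def find_mac_flood(packets, min_sources=16, window_s=1.0):
    """Flag a burst in which many distinct source MACs (a CAM-table flood
    signature) send frames of the same length inside window_s seconds."""
    by_len = defaultdict(list)
    for t, eth_src, _, _, _, length in packets:
        by_len[length].append((t, eth_src))
    flagged = []
    for length, entries in by_len.items():
        entries.sort()
        for start, _ in entries:
            macs = {m for t, m in entries if start <= t <= start + window_s}
            if len(macs) >= min_sources:
                flagged.append((length, len(macs)))
                break
    return flagged

if __name__ == "__main__":
    print("DoS flows:", find_dos_flows(CAPTURE))
    print("MAC flood bursts (frame.len, distinct sources):", find_mac_flood(CAPTURE))
```

On a real export, feed the same tuple shape from `tshark -T fields -e frame.time_relative -e eth.src -e eth.dst -e ip.src -e ip.dst -e frame.len`, and tune the thresholds to your network's baseline.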