
Abhinav Nautiyal
Kompal Gulati
(IMS2013004, IMS2013041)

Under the supervision of Dr. Abhishek Vaish

Problem Definition
Application-layer DDoS attacks have been among the most prominent attacks in the recent past. There has been a lot of research on DoS tools, but the field lacks research on the tools recently used to launch attacks against well-known private and government organizations.

Objective
To analyze the DDoS tools on the basis of their parameters and rank them on the basis of their efficiency.

Introduction
What is a Denial of Service attack?
Using up the resources and/or bandwidth of a server in a malicious way to prevent legitimate users from accessing its services.

Some common DoS methodologies
SYN flood exploits poor implementation of TCP in some OSs.
Ping of Death uses inherent weakness in IP fragmentation and reassembly.
UDP Flooding
Bots

Classification of DDoS attacks.


DDoS attacks can be classified on the basis of the different DDoS attack tools and their analysis, as described by Mohd. Jameel Hashmi and Manish Saxena.
Against users
Against hosts
    fork() bomb
    Intentionally generate errors to fill logs, consuming disk space, crashing.
    The power switch.
Against networks
    UDP bombing
    TCP SYN flooding
    Ping of death
    Smurf attack

Tools Analysed
LOIC (Low Orbit Ion Cannon)

LOIC is an open-source DoS tool that was used by the well-known hacker group Anonymous. The tool is highly scalable and can be used to perform DDoS attacks, as different users can join in via IRC (Internet Relay Chat). It has a GUI-based dashboard, which makes it easy for beginners to use. It is generally used for TCP, UDP and HTTP flooding.

HOIC (High Orbit Ion Cannon)

HOIC is an advanced version of LOIC and is also used by the hacker group Anonymous. It floods the target by sending a large number of HTTP requests. It has the added functionality of uploading scripts, called boosters, which can be customized depending on the target. The tool also allows the speed of the attack to be controlled in three different modes, i.e. high, medium and low.

HULK (HTTP Unbearable Load King)

HULK is another well-known tool for performing DDoS attacks. It is unique in that each packet is crafted with a unique request, which helps it bypass caching engines and stay undetected.

TORSHAMMER or Tor's Hammer

Torshammer is a slow POST DDoS tool whose functionality differs greatly from the others. It is written in Python and, as the name suggests, it runs through the Tor network, which provides the added advantage of staying anonymous while performing the attack.

Parameters for Analysis 1


On the basis of an extensive literature review, the following are the vital parameters on which each of the tools mentioned will be judged and compared with the others.

Additional Script Uploader: A feature that allows the attacker to upload a customizable script depending on the target.

Handshake: Initially a handshake is performed between two systems to establish a connection, which enables the exchange of information. During this handshake a log of IPs is maintained, which keeps track of all the activities of the client's IP. This log helps in tracing malicious IP addresses.

GUI Interface: GUI stands for Graphical User Interface, which allows the user to interact with the tool. It is an advantage to naive users, as it doesn't require a high level of expertise to operate the tool and launch attacks.

Spoofed IP: This property provides anonymity, i.e. it helps the attacker launch attacks while keeping their identity hidden.

Valid Packet Content: This describes the authenticity of the content of the packets sent by the attacker during the attack.

Customizable Packet Rate: The inbuilt feature by which the attacker can control the rate of packets sent during the attack.

Parameters for Analysis 2


Attacks

This parameter describes the type of attack, i.e. the type of flooding performed at the application layer.

Request-Flooding Attacks
HTTP GET Request: The client sends a data request to the server in the form of an HTTP GET request.
HTTP POST Request: The client sends data that needs to be processed at the server's end by an HTTP POST request.
HTTP Slow Read: The attacker forces the targeted server to forward a large amount of data, which compels the server to break down.
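A defender-side illustration of the request-flooding and slow POST behaviours described above, added here as an example and not part of the original slides: it scans web-server request records for per-source request bursts (separating cache-busting bursts of unique URLs from repeated ones) and for POST requests whose body arrives at a trickle. The record layout, the `detect` function and every threshold are assumptions chosen for the constructed sample data.

```python
from collections import defaultdict

# Constructed sample records, not taken from the page:
# (epoch_seconds, source_ip, method, url, body_bytes, request_duration_s)
SAMPLE = (
    # Burst of GETs where every URL differs (cache-busting, as described for HULK)
    [(1000 + i * 0.1, "192.0.2.10", "GET", f"/?r={i}", 0, 0.05) for i in range(30)]
    # Burst of GETs repeating one URL (plain request flooding)
    + [(1000 + i * 0.1, "192.0.2.20", "GET", "/index.html", 0, 0.05) for i in range(30)]
    # One POST whose 400-byte body took 120 s to arrive (slow POST)
    + [(1005, "198.51.100.5", "POST", "/login", 400, 120.0)]
    # Ordinary visitor
    + [(1000 + i * 12, "203.0.113.7", "GET", f"/page{i}", 0, 0.05) for i in range(5)]
    + [(1070, "203.0.113.7", "POST", "/login", 2000, 0.4)]
)


def detect(records, window=10, flood_threshold=20, unique_ratio=0.9,
           slow_rate=50.0, slow_min_duration=30):
    """Return {source_ip: set of findings}. All thresholds are assumed values."""
    findings = defaultdict(set)
    by_ip = defaultdict(list)
    for ts, ip, method, url, body, duration in records:
        by_ip[ip].append((ts, url))
        # Slow POST: connection held open while the body trickles in (bytes/s).
        if (method == "POST" and duration >= slow_min_duration
                and body / duration < slow_rate):
            findings[ip].add("slow-post")
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end, (ts, _) in enumerate(hits):
            # Slide the window so it spans at most `window` seconds.
            while ts - hits[start][0] >= window:
                start += 1
            count = end - start + 1
            if count >= flood_threshold:
                urls = {u for _, u in hits[start:end + 1]}
                # Nearly all-unique URLs defeat caching; repeats can be cached.
                kind = "flood-unique-urls" if len(urls) / count >= unique_ratio else "flood"
                findings[ip].add(kind)
                break
    return dict(findings)


if __name__ == "__main__":
    for ip, kinds in sorted(detect(SAMPLE).items()):
        print(ip, sorted(kinds))
```

Because slow POST traffic can arrive through Tor, source-IP grouping mainly helps with the flooding cases; the slow-post check works per request and does not depend on the source address.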

Ranking Scoring System -1


Using an arithmetic-mean-based scoring system, we calculate the mean and rank the tools accordingly.

Every attack vector holds a value of either zero (0) or one (1).

We analyze the tools on the different attack vectors and assign them:
Zero - if the attack vector does not exist in the tool.
One - if the attack vector exists in the tool.
We then calculate the mean.

Ranking Scoring System -2

Results

For LOIC:
P = (X2 + X3 + X71)/7 = (1 + 1 + 1)/7 = 0.43

For HULK:
P = (X2 + X71)/7 = (1 + 1)/7 = 0.28

For HOIC:
P = (X1 + X2 + X3 + X5 + X6 + X71)/7 = (1 + 1 + 1 + 1 + 1 + 1)/7 = 0.86

For Torshammer:
P = (X2 + X4 + X5 + X71 + X72 + X73)/7 = (1 + 1 + 1 + 1 + 1 + 1)/7 = 0.86

Conclusion
Application-layer DDoS attacks are mostly non-volumetric and very popular these days. On the basis of the defined ranking scoring system, we found two tools with the highest value, i.e. HOIC and Torshammer, each scoring 0.86. Each of these tools is unique in its own way. We would recommend that industry consider these tools while deploying controls against these types of attacks.

Recommendation and Scope for Future Work
Our research project is limited to only one layer of the OSI model, i.e. the application layer of DDoS attacks. In due course, the parameters for analysis and the ranking scoring system can be improved for better results.

References
[1] Monowar H. Bhuyan, H. J. Kashyap, D. K. Bhattacharyya and J. K. Kalita, "Detecting Distributed Denial of Service Attacks: Methods, Tools and Future Directions," The Computer Journal, December 2012.
[2] Stefanie Hoffman, "DDoS: A Brief History," web log post, https://blog.fortinet.com/post/ddos-a-brief-history, Fortinet, 25 Mar. 2013.
[3] Mohd. Jameel Hashmi, Manish Saxena, Dr. Rajesh Saini, "Classification of DDoS Attacks and their Defense Techniques using Intrusion Prevention System," International Journal of Computer Science & Communication Networks, Vol 2(5), 607-614.
[4] Stephen M. Specht and Ruby B. Lee, "Distributed Denial of Service: Taxonomies of Attacks, Tools and Countermeasures," 17th International Conference on Parallel and Distributed Computing Systems, pp. 543-550, September 2004.
[5] Vangie Beal, "DDoS attack - Distributed Denial of Service," Webopedia.
[6] NextGen DDoS Experts, "Taxonomy of DDoS Attacks," RioRey, RioRey_Taxonomy_Rev_2.6_2014, 2014.
[7] The Federal Emergency Team, "Anonymous announce to attack big corporate websites," CERT, 25 May 2012.
[8] United States Computer Emergency Readiness Team, "Anonymous DDoS Activity," US-CERT, 23 April 2012.
[9] Hardeep Singh, "Anonymous attack on Indian Government Continues," Infi-Zeal Technologies, 21 May 2012.
[10] Pavitra Shankdhar, "DOS Attacks and free DOS Attacking Tools," Infosec Institute, 29 October 2013.
[11] Bliznet, Bliznet, Packet Storm Security, 9 Dec 1999.
[12] Thomas O'Connor, DOSnet.c, Packet Storm Security, 5 September 2002.
[13] Exptirpater, ddnsf.tar.gz, Packet Storm Security, Distributed DNS Flooder v0.1b, 27 March 2001.
[14] Flitz, Flitz, Packet Storm Security, 20 February 2007.
[15] Knight, Packet Storm Security, 12 July 2001.
[16] Mstream, Packet Storm Security, 1 May 2000.
[17] Omega v3 Beta, Packet Storm Security, 31 August 2000.
[18] Peer-to-peer UDP Distributed Denial of Service (PUD), Packet Storm Security, 20 February 2007.
[19] Skydance v3.6, Packet Storm Security, 19 July 2001.
[20] StacheldrahtV4, Packet Storm Security, 8 February 2000.
[21] Tribe Flood Network (TFN), Packet Storm Security, 23 September 1999.
