CEH Lab Manual
Denial-of-Service
Module 10

Denial of Service
Denial-of-Service is an attack on a computer or network that reduces, restricts, or prevents accessibility of system resources to its legitimate users.

Lab Scenario
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks have become a major threat to computer networks. These attacks attempt to make a machine or network resource unavailable to its authorized users. Usually, DoS and DDoS attacks exploit vulnerabilities in the implementation of TCP/IP model protocol or bugs in a specific OS.

In a DoS attack, attackers flood a victim's system with nonlegitimate service requests or traffic to overload its resources, bringing the system down and leading to the unavailability of the victim's website, or at least significantly slowing the system or network performance. The goal of a DoS attack is not to gain unauthorized access to a system or corrupt data, but to keep legitimate users from using the system. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.

In general, DoS attacks target network bandwidth or connectivity. Bandwidth attacks overflow the network with a high volume of traffic using existing network resources, thus depriving legitimate users of these resources. Connectivity attacks overflow a computer with a flood of connection requests, consuming all available OS resources, so that the computer cannot process legitimate users' requests.

As an expert ethical hacker or penetration tester (hereafter, pen tester), you must possess sound knowledge of DoS and DDoS attacks to detect and neutralize attack handlers, and mitigate such attacks.

The labs in this module give hands-on experience in auditing a network against DoS and DDoS attacks.
Lab Objectives
The objective of the lab is to perform a DoS attack and other tasks that include, but are not limited to:
* Perform a DoS attack by continuously sending a large number of SYN packets
* Perform a DoS attack (SYN Flooding, Ping of Death (PoD), and UDP application layer flood) on a target host
* Perform a DDoS attack
* Detect and analyze DoS attack traffic
* Detect and protect against a DDoS attack

Lab Environment
To carry out this lab, you need:
* Windows Server 2019 virtual machine
* Windows Server 2016 virtual machine
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools

Note: Tools demonstrated in this lab are available in E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service.

Lab Duration
Time: 45 Minutes

Overview of Denial of Service
A DoS attack is a type of security break that does not generally result in the theft of information. However, these attacks can harm the target in terms of time and resources. Further, failure to protect against such attacks might mean the loss of a service such as email. In a worst-case scenario, a DoS attack can mean the accidental destruction of the files and programs of millions of people who happen to be surfing the Web at the time of the attack.

Some examples of types of DoS attacks:
* Flooding the victim's system with more traffic than it can handle
* Flooding a service (such as an internet relay chat (IRC)) with more events than it can handle
* Crashing a transmission control protocol (TCP)/internet protocol (IP) stack by sending corrupt packets
* Crashing a service by interacting with it in an unexpected way
* Hanging a system by causing it to go into an infinite loop

Lab Tasks
Ethical hackers or pen testers use numerous tools and techniques to perform DoS and DDoS attacks on the target network.

Ethical Hacking and Countermeasures Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Recommended labs that will assist you in learning various DoS attack techniques include:

1 Perform DoS and DDoS Attacks using Various Techniques
  1.1 Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
  1.2 Perform a DoS Attack on a Target Host using hping3
  1.3 Perform a DDoS Attack using HOIC
  1.4 Perform a DDoS Attack using LOIC
2 Detect and Protect Against DoS and DDoS Attacks
  2.1 Detect and Protect against DDoS Attack using Anti DDoS Guardian

Remarks
EC-Council has prepared a considerable amount of lab exercises for students to practice during the 5-day class and at their free time to enhance their knowledge and skill.
* Core - Lab exercise(s) marked under Core are recommended by EC-Council to be practised during the 5-day class.
** Self-study - Lab exercise(s) marked under self-study is for students to practise at their free time. Steps to access the additional lab exercises can be found in the first page of CEHv11 volume 1 book.
*** iLabs - Lab exercise(s) marked under iLabs are available in our iLabs solution. iLabs is a cloud-based virtual lab environment preconfigured with vulnerabilities, exploits, tools and scripts, and can be accessed from anywhere with an Internet connection. If you are interested to learn more about our iLabs solution, please contact your training center or visit https://ilabs.eccouncil.org.

Lab Analysis
Analyze and document the results related to this lab exercise. Give an opinion of your target's security posture.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB
Perform DoS and DDoS Attacks using Various Techniques
As an expert hacker and pen tester, you must implement various techniques to launch DoS or DDoS attacks on target computers or networks.

Lab Scenario
DoS and DDoS attacks have become popular, because of the easy accessibility of exploit plans and the negligible amount of brainwork required while executing them. These attacks can be very dangerous, because they can quickly consume the largest hosts on the Internet, rendering them useless. The impact of these attacks includes loss of goodwill, disabled networks, financial loss, and disabled organizations.

In a DDoS attack, many applications pound the target browser or network with fake exterior requests that make the system, network, browser, or site slow, useless, and disabled or unavailable.

The attacker initiates the DDoS attack by sending a command to the zombie agents. These zombie agents send a connection request to a large number of reflector systems with the spoofed IP address of the victim. The reflector systems see these requests as coming from the victim's machine instead of as zombie agents, because of the spoofing of the source IP address. Hence, they send the requested information (response to connection request) to the victim. The victim's machine is flooded with unsolicited responses from several reflector computers at once. This may reduce performance or may even cause the victim's machine to shut down completely.

As an expert ethical hacker or pen tester, you must have the required knowledge to perform DoS and DDoS attacks to be able to test systems in the target network.

In this lab, you will gain hands-on experience in auditing network resources against DoS and DDoS attacks.
Lab Objectives
* Perform a DoS attack (SYN flooding) on a target host using Metasploit
* Perform a DoS attack on a target host using hping3
* Perform a DDoS attack using HOIC
* Perform a DDoS attack using LOIC

Lab Environment
To carry out this lab, you need:
* Windows Server 2019 virtual machine
* Windows Server 2016 virtual machine
* Windows 10 virtual machine
* Parrot Security virtual machine
* Web browsers with an Internet connection
* Administrator privileges to run the tools
* HOIC located at E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools\High Orbit Ion Cannon (HOIC)
* LOIC located at E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools\Low Orbit Ion Cannon (LOIC)
* You can also download the latest version of the above-mentioned tools from their official website. If you decide to download the latest version, the screenshots shown in this lab might differ from what you see on your screen.

Lab Duration
Time: 35 Minutes

Overview of DoS and DDoS Attacks
DDoS attacks mainly aim at the network bandwidth; they exhaust network, application, or service resources, and thereby restrict legitimate users from accessing their system or network resources.

In general, the following are categories of DoS/DDoS attack vectors:
* Volumetric Attacks: Consume the bandwidth of the target network or service
  Attack techniques:
  o UDP flood attack
  o ICMP flood attack
  o Ping of Death and smurf attack
  o Pulse wave and zero-day attack
* Protocol Attacks: Consume resources like connection state tables present in the network infrastructure components such as load-balancers, firewalls, and application servers
  Attack techniques:
  o SYN flood attack
  o Fragmentation attack
  o Spoofed session flood attack
  o ACK flood attack
* Application Layer Attacks: Consume application resources or services, thereby making them unavailable to other legitimate users
  Attack techniques:
  o HTTP GET/POST attack
  o Slowloris attack
  o UDP application layer flood attack

Lab Tasks

Task 1: Perform a DoS Attack (SYN Flooding) on a Target Host using Metasploit
Here, we will use the Metasploit tool to perform a DoS attack (SYN flooding) on a target host.

Note: SYN flooding takes advantage of a flaw with regard to how most hosts implement the TCP three-way handshake. This attack occurs when the intruder sends unlimited SYN packets (requests) to the host system. The process of transmitting such packets is faster than the system can handle. Normally, the connection establishes with the TCP three-way handshake, and the host keeps track of the partially open connections while waiting in a listening queue for response ACK packets.

Note: In this task, we will use the Parrot Security (10.10.10.13) virtual machine to perform SYN flooding on the Windows 10 (10.10.10.10) virtual machine through port 21.

1. Turn on the Windows 10 and Parrot Security virtual machines.
2. Switch to the Parrot Security virtual machine. In the login page, the attacker username will be selected by default. Enter password as toor in the Password field and press Enter to log in to the machine.
   * If a Parrot Updater pop-up appears at the top-right corner of Desktop, ignore and close it.
   * If a Question pop-up window appears asking you to update the machine, click No to close the window.
3. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
4. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
5. In the [sudo] password for attacker field, type toor as a password and press Enter.
   Note: The password that you type will not be visible.
6. Now, type cd and press Enter to jump to the root directory.

Task 1.1: Check for Open Port
7. First, determine whether port 21 is open or not. This involves using Nmap to determine the state of the port.
8. On the Parrot Terminal window, type nmap -p 21 (here, target IP address is 10.10.10.10 [Windows 10]) and press Enter.
   Note: -p: specifies the port to be scanned.
9. The result appears, displaying the port status as open, as shown in the screenshot.
   Note: If the port in your lab environment turns out to be closed, look for an open port using Nmap.
10. Now, we will perform SYN flooding on the target machine (Windows 10) using port 21.
11. In this task, we will use an auxiliary module of Metasploit called synflood to perform a DoS attack on the target machine.

Task 1.2: Perform DoS Attack
12. Type msfconsole from a command-line terminal and press Enter to launch msfconsole.
    Note: Metasploit is a penetration testing platform that allows a user to find, exploit, and validate vulnerabilities.
13. In the msf command line, type use auxiliary/dos/tcp/synflood and press Enter to launch a SYN flood module.
14. Now, determine which module options need to be configured to begin the DoS attack.
15. Type show options and press Enter. This displays all the options associated with the auxiliary module.
16. Here, we will perform SYN flooding on port 21 of the Windows 10 machine by spoofing the IP address of the Parrot Security machine with that of the Windows Server 2019 (10.10.10.19) machine.
17. Issue the following commands:
    * set RHOST (here, 10.10.10.10)
    * set RPORT 21
    * set SHOST (here, 10.10.10.19)
    Note: By setting the SHOST option to the IP address of the Windows Server 2019 machine, you are spoofing the IP address of the Parrot Security machine with that of Windows Server 2019.
18. Once the auxiliary module is configured with the required options, start the DoS attack on the Windows 10 virtual machine.
19. To do so, type exploit and press Enter. This begins SYN flooding the Windows 10 virtual machine.
    Figure 1.1.7: Initiating DoS attack
20. To confirm, switch to the Windows 10 virtual machine and log in with the credentials Admin and Pa$$wOrd.
21. Click the Type here to search field present at the bottom of Desktop and type wireshark. Click Wireshark from the results.
22. The Wireshark Network Analyzer window appears. Double-click on the primary network interface (here, Ethernet0) to start capturing the network traffic.
    Note: The network interface might differ in your lab environment.
23. Wireshark displays the traffic coming from the machine. Here, you can observe that the Source IP address is that of the Windows Server 2019 (10.10.10.19) virtual machine. This implies that the IP address of the Parrot Security machine has been spoofed.
24. Observe that the target machine (Windows 10) has drastically slowed, implying that the DoS attack is in progress on the machine. If the attack is continued for some time, the machine's resources will eventually be completely exhausted, causing it to stop responding.
25. Once the performance analysis of the machine is complete, switch to the Parrot Security virtual machine and press Ctrl+C to terminate the attack.
    Figure 1.1.10: Terminating the attack
26. This concludes the demonstration of how to perform SYN flooding on a target host using Metasploit.
27. Close all open windows and document all the acquired information.

Task 2: Perform a DoS Attack on a Target Host using hping3
Here, we will use the hping3 tool to perform DoS attacks such as SYN flooding, Ping of Death (PoD) attacks, and UDP application layer flood attacks on a target host.

Note: hping3 is a tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols.

Task: Perform SYN Flooding using hping3
1. Turn on the Windows Server 2019 virtual machine.
   Note: Ensure that the Windows 10 and Parrot Security virtual machines
2. On the Windows 10 virtual machine, click the Type here to search field at the bottom of Desktop and type wireshark. Click Wireshark from the results.
3. The Wireshark Network Analyzer window appears. Double-click on the primary network interface (here, Ethernet0) to start capturing the network traffic.
4. Wireshark starts capturing the packets; leave it running.
5. Switch to the Parrot Security virtual machine. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.
6. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.
7. In the [sudo] password for attacker field, type toor as a password and press Enter.
   Note: The password that you type will not be visible.
8. Now, type cd and press Enter to jump to the root directory.
   Note: hping3 performs network security auditing, firewall testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, remote uptime guessing, TCP/IP stacks auditing, and other functions.
9. In the terminal window, type hping3 -S -a -p 22 --flood and press Enter.
   Note: Here, the target IP address is 10.10.10.10 [Windows 10], and the spoofable IP address is 10.10.10.19 [Windows Server 2019].
   Note: -S: sets the SYN flag; -a: spoofs the IP address; -p: specifies the destination port; and --flood: sends a huge number of packets.
10. This command initiates the SYN flooding attack on the Windows 10 virtual machine. After a few seconds, press Ctrl+C to stop the SYN flooding of the target machine.
    Note: If you send the SYN packets for a long period, then the target system may crash.
11. Observe how, in very little time, the huge number of packets are sent to the target machine.
    Figure 1.2.1: Attack successfully launched from Parrot Security
12. hping3 floods the victim machine by sending bulk SYN packets and overloading the victim's resources.
13. Switch to the Windows 10 virtual machine and observe the TCP-SYN packets captured by Wireshark.
14. Now, observe the graphical view of the captured packets. To do so, click Statistics from the menu bar, and then click the I/O Graph option.
    Figure 1.2.3: Wireshark I/O Graph option
15. The Wireshark · IO Graphs · Ethernet0 window appears, displaying the graphical view of the captured packets. Observe the huge number of TCP packets sent by Wireshark, as shown in the screenshot.
16. After analyzing the I/O Graph, click Close to close the Wireshark · IO Graphs · Ethernet0 window.
    Figure 1.2.4: Wireshark I/O Graph
17. Close the Wireshark main window. If an Unsaved packets... pop-up appears, click Stop and Quit without Saving.

Task: Perform Ping of Death (PoD) Attack using hping3
18. Now, we shall perform a PoD attack on the target system.
19. Switch to the Parrot Security virtual machine. In the Terminal window, type hping3 -d 65538 -S -p 21 --flood (here, the target IP address is 10.10.10.10 [Windows 10]) and press Enter.
    Note: -d: specifies data size; -S: sets the SYN flag; -p: specifies the destination port; and --flood: sends a huge number of packets.
    Figure 1.2.5: Attack successfully launched from Parrot Security
20. This command initiates the PoD attack on the Windows 10 virtual machine.
    Note: In a PoD attack, the attacker tries to crash, freeze, or destabilize the targeted system or service by sending malformed or oversized packets using a simple ping command. For example, the attacker sends a packet that has a size of 65,538 bytes to the target web server. This packet size exceeds the size limit prescribed by RFC 791 IP, which is 65,535 bytes. The receiving system's reassembly process might cause the system to crash.
21. hping3 floods the victim machine by sending bulk packets, and thereby overloading the victim's resources.
22. Switch to the Windows 10 virtual machine, click the Type here to search field present at the bottom of Desktop, and type task. Click Task Manager from the results.
23. The Task Manager window appears; by default, the Processes tab appears, as shown in the screenshot.
24. Click the Performance tab to view the performance of various system components (CPU, Memory, Disk, Ethernet).
25. Under the Performance tab, by default, the CPU performance is displayed in the right-hand pane. Observe that the CPU Utilization percentage is 100%, indicating a DoS attack on the system.
26. Observe the degradation in the performance of the system, which might result in the system crashing.
    Note: The results might differ in your lab environment.
    Figure 1.2.7: Performance tab: CPU Utilization
27. Switch to the Parrot Security virtual machine. In the Terminal window, press Ctrl+C to terminate the PoD attack using hping3.
    Figure 1.2.8: Terminate PoD attack

Task: Check for Open NetBIOS Port
28. Now, we shall perform a UDP application layer flood attack on the Windows Server 2019 virtual machine using NetBIOS port 139. To do so, first, determine whether NetBIOS port 139 is open or not.
29. In the terminal window, type nmap -p 139 (here, the target IP address is 10.10.10.19 [Windows Server 2019]) and press Enter.
    Note: Here, we will use NetBIOS port 139 to perform a UDP application layer flood attack.

Task: Perform UDP Application Layer Flood Attack using hping3
30. Now, type hping3 -2 -p 139 --flood (here, the target IP address is 10.10.10.19 [Windows Server 2019]) and press Enter.
    Note: -2: specifies the UDP mode; -p: specifies the destination port; and --flood: sends a huge number of packets.
31. Switch to the Windows Server 2019 virtual machine and log in with the credentials Administrator and Pa$$wOrd.
32. Click the Type here to search icon at the bottom of Desktop and type wireshark. Click Wireshark from the results.
    Note: You might experience degradation in the Windows Server 2019 machine's performance.
33. The Wireshark Network Analyzer window appears. Double-click on the primary network interface (here, Ethernet0) to start capturing the network traffic.
    Note: The network interface might differ in your lab environment.
34. Wireshark displays the network's flow of traffic. Here, observe the huge number of UDP packets coming from the Source IP address 10.10.10.13 via port 139.
35. Switch to the Parrot Security virtual machine. In the Terminal window, press Ctrl+C to terminate the DoS attack.
    Note: Here, we have used NetBIOS port 139 to perform a UDP application layer flood attack. Similarly, you can employ other application layer protocols to perform a UDP application layer flood attack on a target network. Some of the UDP based application layer protocols that attackers can employ to flood target networks include:
    * CharGEN (Port 19)
    * SNMPv2 (Port 161)
    * TFTP (Port 69)
    * NetBIOS (Port 137, 138, 139)
    * QOTD (Port 17)
    * NTP (Port 123)
    * RPC (Port 135)
    * Quake Network Protocol (Port 26000)
    * SSDP (Port 1900)
    * CLDAP (Port 389)
    * VoIP (Port 5060)
36. This concludes the demonstration of how to perform DoS attacks (SYN flooding, PoD attacks, and UDP Application Layer Flood Attacks) on a target host using hping3.
37. Close all open windows and document all the acquired information.
38. Turn off the Windows 10 and Windows Server 2019 virtual machines.

Task 3: Perform a DDoS Attack using HOIC
Here, we will use the HOIC tool to perform a DDoS attack on the target machine.

Note: HOIC (High Orbit Ion Cannon) is a network stress and DoS/DDoS attack application. This tool is written in the BASIC language. It is designed to attack up to 256 URLs simultaneously. It sends HTTP, POST, and GET requests to a computer.

Note: In this task, we will use the Windows 10, Windows Server 2019 and Windows Server 2016 virtual machines to launch a DDoS attack on the Parrot Security virtual machine.

1. Turn on the Windows 10, Windows Server 2019, and Windows Server 2016 virtual machines.
2. On the Windows 10 virtual machine, log in with the credentials Admin and Pa$$wOrd. Navigate to E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools and copy the High Orbit Ion Cannon (HOIC) folder to Desktop.
   Note: To perform the DDoS attack, run this tool from various virtual machines at once. If you run the tool directly from the shared drive in the virtual machines one at a time, errors might occur. To avoid errors, copy the folder High Orbit Ion Cannon (HOIC) individually to each machine's Desktop, and then run the tool.
3. Similarly, follow the previous step (Step #2) on the Windows Server 2019 and Windows Server 2016 virtual machines.
   Note: On the Windows Server 2019 and Windows Server 2016 virtual machines, the High Orbit Ion Cannon (HOIC) folder is located at Z:\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools.

Task: Configure HOIC
Note: HOIC (High Orbit Ion Cannon) offers a high-speed multi-threaded HTTP flood; its scripting system allows the deployment of "boosters", which are scripts designed to thwart DDoS countermeasures and increase DoS output.

4. Now, switch to the Windows 10 virtual machine and navigate to Desktop. Open the High Orbit Ion Cannon (HOIC) folder and double-click hoic2.1.exe.
   Note: If an Open File - Security Warning pop-up appears, click Run.
5. The HOIC GUI main window appears; click the "+" button below the TARGETS section.
6. The HOIC - [Target] pop-up appears. Type the target URL such as http://[Target IP Address] (here, the target IP address is 10.10.10.13 [Parrot Security]) in the URL field. Slide the Power bar to High. Under the Booster section, select GenericBoost.hoic from the drop-down list, and click Add.
7. Set the THREADS value to 20 by clicking the > button until the value is reached.
8. Now, switch to the Windows Server 2019 and Windows Server 2016 virtual machines and follow Steps 4-7 to configure HOIC.
   Note: In the Windows Server 2019 and Windows Server 2016 virtual machines, log in with credentials Administrator/Pa$$wOrd.

Task: Perform DDoS Attack
9. Once HOIC is configured on all machines, switch to each machine (Windows 10, Windows Server 2019, and Windows Server 2016) and click the FIRE TEH LAZER! button to initiate the DDoS attack on the target, the Parrot Security machine.
10. Observe that the Status changes from READY to ENGAGING, as shown in the screenshot.
11. Switch to the Parrot Security virtual machine.
12. Click Applications in the top-left corner of Desktop and navigate to Pentesting --> Information Gathering --> wireshark.
13. A security pop-up appears, enter the password as toor in the Password field and click OK.
14. The Wireshark Network Analyzer window appears; double-click on the primary network interface (here, eth0) to start capturing the network traffic.
Task 3.3: Analyze the Captured Packets
15. Observe that Wireshark starts capturing a large volume of packets, which means that the machine is experiencing a huge number of incoming packets. These packets are coming from the Windows 10, Windows Server 2019, and Windows Server 2016 virtual machines.
16. Leave the machine intact for 5-10 minutes, and then open it again. Observe that the performance of the machine is slightly affected and that its response is slowing down.
17. In this lab, only three machines are used to demonstrate the flooding of a single machine. If there are a large number of machines performing flooding, then the target machine's (here, Parrot Security) resources are completely consumed, and the machine is overwhelmed.
    Note: In real-time, a group of hackers operating hundreds or thousands of machines configure this tool on their machines, communicate with each other through IRCs, and simulate the DDoS attack by flooding a target machine or website at the same time. The target is overwhelmed and stops responding to user requests or starts dropping packets coming from legitimate users. The larger the number of attacker machines, the higher the impact of the attack on the target machine or website.
18. On completion of the task, click FIRE TEH LAZER! again, and then close the HOIC window on all the attacker virtual machines. Also, close the Wireshark window on the Parrot Security virtual machine.
19. This concludes the demonstration of how to perform a DDoS attack using HOIC.
20. Close all open windows and document all the acquired information.
Task 4: Perform a DDoS Attack using LOIC

Here, we will use the LOIC tool to perform a DDoS attack on the target system.

Note: In this task, we will use the Windows 10, Windows Server 2019, and Windows Server 2016 virtual machines to launch a DDoS attack on the Parrot Security virtual machine.

Task 4.1: Configure LOIC

1. On the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools\Low Orbit Ion Cannon (LOIC) and double-click LOIC.exe.

Note: If an Open File - Security Warning pop-up appears, click Run.

2. The Low Orbit Ion Cannon main window appears.

Note: LOIC is a network stress testing and DoS attack application. We can also call it an application-based DoS attack, as it mostly targets web applications. We can use LOIC on a target site to flood the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host.

3. Perform the following settings:

* Under the Select your target section, type the target IP address under the IP field (here, 10.10.10.13), and then click the Lock on button to add the target device.
* Under the Attack options section, select UDP from the drop-down list in Method. Set the threads value to 10 under the Threads field. Slide the power bar to the middle.

[Figure 1.4.1: LOIC]

4. Now, switch to the Windows Server 2019 and Windows Server 2016 virtual machines and follow Steps 1-3 to launch LOIC and configure it.

Note: On the Windows Server 2019 and Windows Server 2016 virtual machines, LOIC is located at Z:\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Attack Tools\Low Orbit Ion Cannon (LOIC).

Task 4.2: DDoS Attack

5. Once LOIC is configured on all machines, switch to each machine (Windows 10, Windows Server 2019, and Windows Server 2016) and click the IMMA CHARGIN MAH LAZER button under the Ready? section to initiate the DDoS attack on the target Parrot Security machine.

[Figure 1.4.2: Performing DDoS attack]

6. Switch to the Parrot Security virtual machine.

7. Click Applications in the top-left corner of Desktop and navigate to Pentesting > Information Gathering > wireshark.

8. A security pop-up appears; enter the password as toor in the Password field and click OK.

9. The Wireshark Network Analyzer window appears. Double-click on the primary network interface (here, eth0) to start capturing the network traffic.

[Figure 1.4.3: Wireshark window]

Note: You can also use other DoS and DDoS attack tools such as XOIC, HULK, Tor's Hammer, and Slowloris to perform DoS and DDoS attacks.

10. Observe that Wireshark starts capturing a large volume of packets, which means that the machine is experiencing a huge number of incoming packets. These packets are coming from the Windows 10, Windows Server 2019, and Windows Server 2016 virtual machines.
[Figure: Wireshark displaying the captured packets]

11. Leave the machine intact for 5-10 minutes, and then open it again. You will observe that the performance of the machine is slightly affected and that its response is slowing down.

12. On completion of the task, click IMMA CHARGIN MAH LAZER again, and then close the LOIC window on all the attacker virtual machines.

13. This concludes the demonstration of how to perform a DDoS attack using LOIC.

14. Close all open windows and document all the acquired information.

15. Turn off the Windows 10, Windows Server 2019, Windows Server 2016, and Parrot Security virtual machines.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion about the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Detect and Protect Against DoS and DDoS Attacks

DoS and DDoS attack detection techniques are based on identifying and discriminating between illegitimate traffic increases and flash events from legitimate packet traffic.

Lab Scenario

DoS/DDoS attacks are one of the foremost security threats on the Internet; thus, there is a greater necessity for solutions to mitigate these attacks. Early detection techniques help to prevent DoS and DDoS attacks.
Detecting such attacks is a tricky job. A DoS and DDoS attack traffic detector needs to distinguish between genuine and bogus data packets, which is not always possible; the techniques employed for this purpose are not perfect. There is always a chance of confusion between traffic generated by a legitimate network user and traffic generated by a DoS or DDoS attack. One problem in filtering bogus from legitimate traffic is the volume of traffic. It is impossible to scan each data packet to ensure security from a DoS or DDoS attack. All the detection techniques used today define an attack as an abnormal and noticeable deviation in network traffic statistics and characteristics. These techniques involve the statistical analysis of deviations to categorize malicious and genuine traffic.

As a professional ethical hacker or pen tester, you must use various DoS and DDoS attack detection techniques to prevent the systems in the network from being damaged.

This lab provides hands-on experience in detecting DoS and DDoS attacks using various detection techniques.

Lab Objectives

* Detect and protect against DDoS attacks using Anti DDoS Guardian

Lab Environment

To carry out this lab, you need:

* Windows 10 virtual machine
* Windows Server 2019 virtual machine
* Windows Server 2016 virtual machine
* A browser with an Internet connection
* Administrator privileges to run the tools
* Anti DDoS Guardian located at E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Protection Tools\Anti DDoS Guardian
* You can also download the latest version of the above-mentioned tools from their official websites. If you decide to download the latest version, the screenshots shown in this lab might differ from what you see on your screen.

Lab Duration

Time: 10 Minutes

Overview of DoS and DDoS Attack Detection

Detection techniques are based on identifying and discriminating the illegitimate traffic increase and flash events from the legitimate packet traffic. The following are the three types of detection techniques:

* Activity Profiling: Profiles based on the average packet rate for a network flow, which consists of consecutive packets with similar packet header information
* Sequential Change-point Detection: Filters network traffic by IP addresses, targeted port numbers, and communication protocols used, and stores the traffic flow data in a graph that shows the traffic flow rate over time
* Wavelet-based Signal Analysis: Analyzes network traffic in terms of spectral components

Task 1: Detect and Protect against DDoS Attack using Anti DDoS Guardian

Here, we will detect and protect against a DDoS attack using Anti DDoS Guardian.

Note: In this task, we will use the Windows Server 2019 and Windows Server 2016 virtual machines to perform a DDoS attack on the target system, Windows 10.

Task 1.1: Install and Launch Anti DDoS Guardian

1. Turn on the Windows 10, Windows Server 2019 and Windows Server 2016 virtual machines.

2. Log in to the Windows 10 virtual machine, navigate to E:\CEH-Tools\CEHv11 Module 10 Denial-of-Service\DoS and DDoS Protection Tools\Anti DDoS Guardian and double-click Anti_DDoS_Guardian_setup.exe.

Note: If a User Account Control pop-up appears, click Yes.

3. The Setup - Anti DDoS Guardian window appears; click Next. Follow the wizard-driven installation steps to install the application.

Note: Anti DDoS Guardian monitors incoming and outgoing packets.

[Figure 2.1.1: Setup - Anti DDoS Guardian]

4. In the Stop Windows Remote Desktop Brute Force wizard, uncheck the install Stop RDP Brute Force option, and click Next.

[Figure 2.1.2: Stop Windows Remote Desktop Brute Force wizard]

5. The Select Additional Tasks wizard appears; check the Create a desktop shortcut option, and click Next.

[Figure 2.1.3: Select Additional Tasks wizard]

6. The Ready to Install wizard appears; click Install.

[Figure 2.1.4: Ready to Install wizard]

7. The Completing the Anti DDoS Guardian Setup Wizard window appears; uncheck the Launch Mini IP Blocker option and click Finish.

[Figure 2.1.5: Completing the Anti DDoS Guardian Setup Wizard window]

8. The Anti-DDoS Wizard window appears; click Continue in all the wizard steps, leaving all the default settings. In the last window, click Finish.

9. Click show hidden icons from the bottom-right corner of Desktop and click the Anti DDoS Guardian icon.

[Figure 2.1.6: Launch Anti DDoS Guardian]

10. The Anti DDoS Guardian window appears, displaying information about incoming and outgoing traffic, as shown in the screenshot.

11. Now, switch to the Windows Server 2019 and log in with the credentials Administrator and Pa$$w0rd.

Task 1.2: Configure HOIC

12. Navigate to Desktop, open the High Orbit Ion Cannon (HOIC) folder, and double-click hoic2.1.exe.

Note: If an Open File - Security Warning pop-up appears, click Run.

13. The HOIC GUI main window appears. Click the "+" button below the TARGETS section.
14. The HOIC - [Target] pop-up appears. Type the target URL such as http://[Target IP Address] (here, the target IP address is 10.10.10.10 [Windows 10]) in the URL field. Slide the Power bar to High. Under the Booster section, select GenericBoost.hoic from the drop-down list and click Add.

[Figure 2.1.9: HOIC Target]

15. Set the THREADS value to 20 by clicking the > button until the value is reached.

16. Now, switch to Windows Server 2016 and log in with the credentials Administrator and Pa$$w0rd. Follow Steps 12-15 to launch and configure HOIC.

17. Once HOIC is configured on both machines, switch to each machine (Windows Server 2019 and Windows Server 2016) and click the FIRE TEH LAZER! button to initiate the DDoS attack on the target Windows 10 machine.

[Figure 2.1.11: Click FIRE TEH LAZER!]

18. Observe that the Status changes from READY to ENGAGING, as shown in the screenshot.

[Figure 2.1.12: Performing DDoS attack]

19. Switch back to the Windows 10 virtual machine and observe the packets captured by Anti DDoS Guardian.

20. Observe the huge number of packets coming from the host machines (10.10.10.19 [Windows Server 2019] and 10.10.10.16 [Windows Server 2016]).

[Figure: Anti DDoS Guardian]

21. Double-click any of the sessions 10.10.10.19 or 10.10.10.16.

Note: Here, we have selected 10.10.10.16. You can select either of them.

22. The Anti DDoS Guardian Traffic Detail Viewer window appears, displaying the content of the selected session in the form of raw data.
You can observe the high number of incoming bytes from Remote IP address 10.10.10.16, as shown in the screenshot.

23. You can use various options from the left-hand pane such as Clear, Stop Listing, and Block IP. Using the Block IP option blocks the IP sending the huge number of packets.

24. In the Traffic Detail Viewer window, click Block IP option from the left pane.

[Figure 2.1.14: Traffic Detail Viewer window]

[Figure 2.1.15: Block IP address session]

Note: You can also use other DoS and DDoS protection tools such as Imperva Incapsula DDoS Protection, DOSarrest's DDoS protection service, and DDoS-GUARD.

26. Similarly, you can Block IP the address of the 10.10.10.19 session.

27. On completion of the task, click FIRE TEH LAZER! again, and then close the HOIC window on all attacker virtual machines (Windows Server 2019 and Windows Server 2016).

28. This concludes the demonstration of how to detect and protect against a DDoS attack using Anti DDoS Guardian.
29. Close all open windows and document all the acquired information.

30. Navigate to Control Panel > Programs > Programs and Features and uninstall Anti DDoS Guardian.

31. Turn off the Windows 10, Windows Server 2019, and Windows Server 2016 virtual machines.

Lab Analysis

Analyze and document the results related to this lab exercise. Give your opinion about the target's security posture and exposure.

PLEASE TALK TO YOUR INSTRUCTOR IF YOU HAVE QUESTIONS RELATED TO THIS LAB.

Platform Supported: Classroom, iLabs
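The activity profiling and sequential change-point detection techniques listed in the overview of this lab can be run against packet records directly. The following is an added example, not part of the lab manual or of Anti DDoS Guardian: the packet records are constructed, and the client 10.10.10.50, UDP port 80, the thresholds, and the use of a one-sided CUSUM as the change-point test are assumptions.

```python
from collections import Counter

TARGET = "10.10.10.13"                                     # flooded machine in the LOIC task
FLOODERS = ["10.10.10.10", "10.10.10.19", "10.10.10.16"]   # lab attacker VMs
CLIENT = "10.10.10.50"                                     # assumption: a legitimate client
PORT = 80                                                  # assumption: targeted UDP port
DURATION = 20                                              # seconds of constructed capture

def build_sample():
    """Constructed packet records: one quiet client, then a UDP flood from second 12."""
    pkts = []
    for sec in range(DURATION):
        for i in range(4 + sec % 3):                       # 4-6 packets/s of normal traffic
            pkts.append({"ts": sec + i / 10, "src": CLIENT, "dst": TARGET,
                         "proto": "udp", "dport": PORT})
        if sec >= 12:
            for src in FLOODERS:
                for i in range(200):                       # 200 packets/s per flooding host
                    pkts.append({"ts": sec + i / 200, "src": src, "dst": TARGET,
                                 "proto": "udp", "dport": PORT})
    return pkts

def flow_rates(pkts, start, end):
    """Activity profiling: average packets/s per flow (same header fields) in [start, end)."""
    counts = Counter((p["src"], p["dst"], p["proto"], p["dport"])
                     for p in pkts if start <= p["ts"] < end)
    return {flow: n / (end - start) for flow, n in counts.items()}

def rate_series(pkts, dst, proto, dport):
    """Traffic flow rate over time for one destination/protocol/port, one bucket per second."""
    series = [0] * DURATION
    for p in pkts:
        if (p["dst"], p["proto"], p["dport"]) == (dst, proto, dport):
            series[int(p["ts"])] += 1
    return series

def cusum_onset(series, baseline_len=10, slack=3.0, threshold=10.0):
    """One-sided CUSUM: first second where the rate has drifted above the learned baseline."""
    base = series[:baseline_len]
    mean = sum(base) / len(base)
    std = max((sum((x - mean) ** 2 for x in base) / len(base)) ** 0.5, 1.0)
    score = 0.0
    for t in range(baseline_len, len(series)):
        score = max(0.0, score + (series[t] - mean) / std - slack)
        if score > threshold:
            return t
    return None

def suspect_sources(pkts, onset, baseline_len=10, factor=10.0):
    """Sources whose post-onset flow rate exceeds `factor` times the highest baseline flow rate."""
    limit = factor * max(flow_rates(pkts, 0, baseline_len).values())
    after = flow_rates(pkts, onset, DURATION)
    return sorted({flow[0] for flow, rate in after.items() if rate > limit})

if __name__ == "__main__":
    packets = build_sample()
    onset = cusum_onset(rate_series(packets, TARGET, "udp", PORT))
    print("change point at second", onset)
    print("sources to review or block:", suspect_sources(packets, onset))
```

The sources it returns are the same kind of candidates the lab blocks by hand with the Block IP option; the legitimate client stays below the profile limit and is not listed.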
