How to Perform Denial of Service (DoS) Attacks for CEH?

Complete 2025-2026 guide to understanding and demonstrating Denial of Service (DoS) and Distributed DoS attacks for CEH v13 certification. Learn SYN flood, UDP flood, ICMP flood, Slowloris, LOIC, hping3, application-layer attacks, botnets, detection, and prevention techniques with safe lab practice.

Dec 8, 2025 - 15:45
Dec 15, 2025 - 13:54

Introduction

Denial of Service attacks remain one of the easiest and most destructive threats today. Even though real-world DoS against public sites is illegal, CEH teaches these techniques so ethical hackers can test resilience, detect attacks, and recommend proper mitigation.

CEH v13 covers volumetric, protocol, and application-layer DoS with heavy emphasis on detection and prevention.

Types of DoS/DDoS Attacks You Must Know for CEH

  • Volumetric Attacks (UDP, ICMP flood)
  • Protocol Attacks (SYN flood, Smurf, Fraggle)
  • Application Layer Attacks (HTTP flood, Slowloris, R-U-Dead-Yet)
  • Reflection & Amplification (DNS, NTP, SSDP)

Application-layer attacks are the most common in modern scenarios.

SYN Flood Attack – The Classic Protocol Attack

  • Sends thousands of SYN packets with spoofed source IP
  • Target keeps half-open connections until timeout
  • Exhausts backlog queue

| Attack Type | Tool/Command | Layer |
|---|---|---|
| SYN Flood | hping3 --syn -p 80 -i u1 -flood target | Transport (L4) |
| UDP Flood | hping3 --udp -p 53 --flood --rand-source target | Transport (L4) |
| Slowloris | slowloris.pl -dns target -port 80 -timeout 2000 -num 500 | Application (L7) |
| LOIC | GUI tool (UDP/TCP/HTTP) | Mixed |

hping3 – The Most Powerful DoS Tool in CEH

  • hping3 --flood --rand-source -1 target → ICMP flood
  • hping3 -S -p 80 --flood --spoof 1.2.3.4 target → SYN flood
  • hping3 --udp -p 53 --flood --data 1000 target → UDP flood

Master hping3 – it appears in every lab.

Slowloris & R-U-Dead-Yet (HTTP DoS)

  • Slowloris: Keeps connections open by sending partial HTTP headers
  • Very low bandwidth but deadly against Apache/Nginx
  • Python version included in Kali
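
What the partial-header behaviour described above looks like from the server side, as an added example that is not part of the original page: it scans a snapshot of open HTTP connections for clients holding many connections whose request headers never complete. The snapshot format, the thresholds, and the addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import Counter

def stalled_header_clients(conns, header_timeout=10.0, max_stalled=20):
    """Return {client_ip: stalled_count} for clients holding more than
    max_stalled connections with incomplete headers past header_timeout."""
    stalled = Counter(
        c["client"] for c in conns
        if not c["headers_complete"] and c["age_s"] > header_timeout
    )
    return {ip: n for ip, n in stalled.items() if n > max_stalled}

def worker_pressure(conns, max_workers):
    """Fraction of the worker pool occupied by connections still waiting for headers."""
    waiting = sum(1 for c in conns if not c["headers_complete"])
    return waiting / max_workers

def build_snapshot():
    """Constructed connection table (hypothetical format, not real server output)."""
    conns = []
    # 30 ordinary clients: one connection each, headers complete almost immediately.
    for i in range(1, 31):
        conns.append({"client": f"203.0.113.{i}", "age_s": 0.2 + i * 0.01,
                      "headers_complete": True, "bytes_in": 420})
    # One genuinely slow client: headers incomplete, but still under the timeout.
    conns.append({"client": "203.0.113.77", "age_s": 3.0,
                  "headers_complete": False, "bytes_in": 180})
    # One client holding 120 connections open for minutes with only a few bytes sent.
    for i in range(120):
        conns.append({"client": "198.51.100.23", "age_s": 90.0 + i,
                      "headers_complete": False, "bytes_in": 60 + i % 8})
    return conns

if __name__ == "__main__":
    snapshot = build_snapshot()
    print("stalled clients:", stalled_header_clients(snapshot))
    print("worker pressure:", round(worker_pressure(snapshot, max_workers=150), 2))
```

The slow legitimate client is not flagged because it is a single connection under the header timeout; the signal is the combination of count, age, and incomplete headers from one source.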

Reflection & Amplification Attacks

  • DNS amplification: Spoofed query → huge response to victim
  • NTP monlist, SSDP, Memcached attacks
  • Can generate 50–100× amplification

These are favorite theory questions.

LOIC & HOIC – GUI Tools Used in Real Attacks

  • Low Orbit Ion Cannon – simple point-and-click DoS
  • Supports TCP, UDP, HTTP floods
  • Often used in hacktivist campaigns

Detection Techniques Every Ethical Hacker Must Know

  • Netflow/sFlow monitoring
  • SYN vs ACK ratio monitoring
  • Traffic baseline anomalies
  • IDS signatures (Snort, Suricata)

Build detection rules in your own lab.
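
The SYN vs ACK ratio check from the list above, as an added example that is not part of the original page: it buckets TCP segments per destination and time window and flags buckets where bare SYNs far outnumber client ACKs. The record format, thresholds, and addresses (documentation ranges) are assumptions, and the sample traffic is constructed.

```python
from collections import defaultdict

def flag_syn_floods(packets, window_s=10, min_syns=50, max_ratio=3.0):
    """Flag (window, dst, port) buckets where bare SYNs far outnumber client ACKs.

    packets: iterable of (ts, src_ip, dst_ip, dst_port, flags); flags is a
    string of TCP flag letters, e.g. "S", "A", "PA" (assumed record format).
    """
    counts = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for ts, src, dst, dport, flags in packets:
        bucket = counts[(int(ts // window_s), dst, dport)]
        if "S" in flags and "A" not in flags:    # bare SYN: new connection attempt
            bucket["syn"] += 1
            bucket["sources"].add(src)
        elif "A" in flags and "S" not in flags:  # client ACK: handshake completed or data
            bucket["ack"] += 1

    alerts = []
    for (window, dst, dport), b in sorted(counts.items()):
        ratio = b["syn"] / max(b["ack"], 1)      # avoid division by zero
        if b["syn"] >= min_syns and ratio > max_ratio:
            alerts.append({"window_start": window * window_s, "target": f"{dst}:{dport}",
                           "syns": b["syn"], "acks": b["ack"],
                           "ratio": round(ratio, 1), "distinct_sources": len(b["sources"])})
    return alerts

def build_sample():
    """Constructed traffic: a normal baseline, then a burst of unanswered SYNs."""
    web, victim = "192.0.2.10", "192.0.2.20"
    pkts = []
    for i in range(1, 11):                       # 10 clients completing handshakes
        ts, client = i * 0.5, f"203.0.113.{i}"
        pkts += [(ts, client, web, 443, "S"), (ts + 0.01, client, web, 443, "A"),
                 (ts + 0.02, client, web, 443, "PA"), (ts + 0.03, client, web, 443, "A")]
    for i in range(200):                         # 200 SYNs, no handshake-completing ACKs
        pkts.append((10 + i * 0.04, f"198.51.100.{i % 250 + 1}", victim, 80, "S"))
    pkts += [(12.0, "203.0.113.50", victim, 80, "S"),   # one real client in the same window
             (12.1, "203.0.113.50", victim, 80, "A")]
    return pkts

if __name__ == "__main__":
    for alert in flag_syn_floods(build_sample()):
        print(alert)
```

The `min_syns` floor keeps quiet services from alerting on a handful of retries, and the distinct-source count helps separate randomized source addresses from a single misbehaving client.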

Prevention & Mitigation Strategies (Exam Favorite)

  • SYN cookies & rate limiting
  • BCP38 – ingress/egress filtering
  • Cloud-based DDoS protection (Cloudflare, AWS Shield)
  • WAF for Layer 7 attacks
  • Anycast routing & scrubbing centers

Safe & Legal Lab Practice for CEH Students

  • Never test on real websites or networks
  • Use VulnHub “DoS” machines
  • Build isolated lab: Kali + Ubuntu server + pfSense
  • TryHackMe & Hack The Great Escape room

Conclusion

DoS is one of the few CEH modules where you learn attacks mainly to defend against them. Understanding how SYN floods, Slowloris, and amplification attacks work helps you configure firewalls, IDS, and cloud protections correctly.

Spend 10–15 days mastering hping3, Slowloris, detection rules, and prevention – it will easily earn you 8–12 theory marks and confidence in practical scenarios.

Join a CEH course that includes dedicated DoS labs with real traffic simulation.

Frequently Asked Questions

Is performing DoS legal during CEH practice?

Only in your own isolated lab or against authorized targets. Never on the public internet.

Which DoS attack is most common today?

Application-layer (HTTP flood) and DNS amplification.

Can one machine perform strong DDoS?

Only small sites. Real DDoS needs botnets or cloud bots.

Is LOIC still used?

Yes, in low-skill attacks and activist campaigns.

Which tool is best for SYN flood?

hping3 – full control and spoofing.

Does the CEH practical have a live DoS challenge?

Rarely live DoS, but you must identify attack type from logs.

How do you stop a Slowloris attack?

Use Nginx + limit_conn, or Cloudflare WAF.

Is hping3 pre-installed in Kali?

Yes, it comes by default.

Can a firewall stop all DoS?

No, but it can mitigate most volumetric and protocol attacks.

Why learn DoS if it’s illegal?

To defend properly – blue team needs red team knowledge.

Which attack needs least bandwidth?

Slowloris – only a few KB/s can kill Apache.

Is Memcached attack still possible?

Yes, if servers are exposed to the internet.

Best way to detect DoS?

Monitor traffic spikes and SYN/ACK ratio.

Do I need coding for DoS attacks?

No. Most tools are ready-to-use.

How to start practicing today?

Set up Kali + Ubuntu VM → launch hping3 SYN flood in 10 minutes.

Fahid I am a passionate cybersecurity enthusiast with a strong focus on ethical hacking, network defense, and vulnerability assessment. I enjoy exploring how systems work and finding ways to make them more secure. My goal is to build a successful career in cybersecurity, continuously learning advanced tools and techniques to prevent cyber threats and protect digital assets