Thursday, October 17, 2013

How to perform a Denial of Service attack to crash a website?

Denial of service is a very aggressive attack usually launched against websites as a form of protest or activism. The ultimate aim is to bring down or crash the web server. There are many readymade tools for this. Here, I will give instructions on how to use a very simple DoS tool called Low Orbit Ion Cannon (LOIC). LOIC is a free and open source and can be found in Sourceforge.

Please note that the information provides here is only for educational purpose. 

First download LOIC from here. The original version requires Microsoft .net to run. If you are using a Linux system, then you can use the java version, Java LOIC.
Once downloaded, you can go ahead and run the tool. The directions are pretty straight forward.

1. Enter the URL of the website you are planning to attack. There is also an option to enter the IP address.
2. Once the URL is entered, click on "Lock On"
3. Select the protocol you want to use. TCP is fine.
4. Enter the no of simultaneous threads. (In other words, the severity of your attack) 500 to 1000 threads will do.
5.Finally, click on the large button labelled as "IMMA CHARGIN MAH LAZER"

That will start the attack.  In the bottom, you will see a substantial increase in the no. of requested connections. This means your attack is on. After some time, the website will slow down and eventually stop responding(crash). The best way to observe this is by creating a web server in a virtual lab and attacking it. You can then analyze the web server logs  for more information.

Note: Please don't use tool on any website other than your own. It is a very powerful tool and you could get in trouble with the law.

What are Denial of Service (DOS) attacks?

Denial of Service attacks have become more widely known due to extensive media coverage. But what exactly is a denial of service attack? Simply put, a denial of service attack is a type of cyber attack wherein a website or service is brought down by a hacker or a group of hackers by flooding it with bogus traffic. The web server becomes overloaded with this bogus traffic and the service eventually crashes.

This means that if a hacker performs a denial of service attack against a website, say for example a bank website, then all the online transitions of that bank will be halted. Both companies and individuals are no long able to log into their netbanking accounts for the duration of the attack, leading to loss in revenue for the bank. The bank will also lose reputation and credibility for failing to protect their IT infrastructure.  Similarly, if Gmail was attacked, millions of users will not be able to access their email accounts. In a typical DoS attack, one hacker performs the attack using a DoS tool or script. This is easy to mitigate. The only thing one needs to do is block the IP address of the attacker. To overcome this, hackers use a technique called Distributed Denial of Service or DDoS.

What are Distributed Denial of Service(DDoS) Attacks?

DDoS attacks involve hundreds, if not thousands of "volunteers" who install the DoS tool in their systems and launch a coordinated attack on the target at a specified time. This was the case when Anonymous hacker group took down Paypal  and Mastercard websites some time back. In case there are no "volunteers" involved, hackers use a networks of zombies called botnets to perform the same attack. These zombies are basically normal home computers which have been hacked and infected with the DoS tool. The controller is able to issue remote commands to these "bots" so that they can start attacking a particular website without the owners even noticing. 
Hackers and hactivists perform denial of service attacks by using an array of readymade tools. one such tools is called the Low Orbit Ion Cannon(LOIC). It is a simple GUI tool and volunteers can use it to launch attacks once they receive the green light from the controllers, usually via IRC or social networks. There are many other DoS tools such as HOIC,Hulk Web server, RUDY (R-U-Dead-Yet), Silent  DDoSer etc.

This disruption in service is one of the biggest challenges for companies today. There is no fool proof method to protect against DDoS attacks.  There are many ongoing research on how to mitigate DDoS attacks. As of now, big companies rely on IDS and firewalls and the cooperation of the ISPs to mitigate such attacks.

Would you like to know how to perform a denial of service yourself? Read my other article on how to perform DoS attack here.

Monday, October 14, 2013

Netbeans IDE: Is It Any Good? [OPINION]

 In 2009, CBSE, the Indian board of secondary education changed the IP or Informatics Practices (Informatics Practices is an additional subject) text books of Class XI and Class XII. A new syllabus, Java Swing under Netbeans was introduced. This is a welcome change from the earlier, Visual Basic 6. I'm guessing the choice was because CBSE wanted to make programming fun by letting students develop GUI applications by drag and drop method. Visual Basic fulfilled that role as it had drag and drop features to create GUIs and it was easy to learn. But visual basic is outdated and the interface looks primitive. Microsoft stopped releasing any new updates since 1998, and it Officially ended support for Visual Basic 6 in 2008. That means the last stable version, VB6 was released in 1998. With VB 6 out of the picture, I guess the intelligent choice was Java Swing under Netbeans IDE.

When I was in Class XI, we were the first batch of CBSE students to start using the Netbeans IDE. For all those years, our teachers were used to VB6, and the sudden change meant they also had to adapt to the new language and environment. It took them some time to get used to it, but they eventually got used to it since they already knew java core. The new syllabus for Informatics Practices was actually a combination of Netbeans, MySQL and a bit of web technologies like HTML and XML.

So, all over India, students started learning Java Swing programming without any prior programming knowledge or experience. I think learning swing programming without learning core java first is not a very good idea. The only consolation is that GUI programming is relatively fun compared to the usual  command line interface. This is good for getting students to like programming.  

Since Netbeans was relatively new for all these students (me included), a lot of questions were raised on whether it  can be used to develop "real life" applications or  what programs can be developed in it. Well the answer is, simply put, there is no limit to the applications you can develop using Netbeans. In fact, Netbeans is a popular IDE for developing a huge number of high end enterprise applications and programs. Here is a huge list of extremely sophisticated projects developed using the Netbeans IDE. Also, here is an interesting project on home automation called Jarvis. It was developed using Netbeans IDE. You can create your college projects, socket programs, database driven programs, enterprise applications etc. The sky is the limit. And the best part? You program will run in every operating system as Java is platform Independent. 

A java program running on Linux and Windows

The programs that are taught in class is not enough to develop real life applications. So how does one go about learning Netbeans? There are excellent tutorials on YouTube. Check out ProgrammingKnowledge and VertexDigitalArts. Have a look at this blog for Netbeans related stuff. You can get help about Netbeans from the official Netbeans forum or on stackoverflow. You can also download the NCERT text books for Class 11 and Class 12.
In my third year of college we learnt Java core but I wasn't able to develop any GUI applications using it. The only GUI we learnt was Java applets, and in  that, everything  had  to be hand coded. So, I had to switch back to Swing whenever I needed to develop GUI applications. . I wish Netbeans IDE was a part of our curriculum.

Common Netbeans Questions:

How to run Netbeans programs from the desktop?
So, you want to run an application with a double click from the desktop? Goto your project tree in Netbeans and right click on it. Click on the option Clean and Build.  Once that is done, navigate to the Netbeans folder where your project is stored. You will see a folder called dist. Inside that folder, you will find the JAR executable. Double click on that to run your program. You can create a shortcut to your program in the desktop.

How to convert Netbeans jar files to .exe
You can convert your JAR file into exe in different ways. You can use JSmooth Exe wrapper. You can also use JarToExe. Once you download these programs, the process is pretty straightforward.

How to create an installer to distribute your Netbeans application.
So, you created your first project using Netbeans and want to distribute it to your friends? Sending the jar file is hardly professional, so you need to create an installer. Excelsior Installer is an excellent tool which lets you do just that. Here is a video tutorial on how to create an exe installer using Excelsior.

How to distribute a Netbeans application with MySQL database?
If you want to distribute your database application, it is best to use single file databases such as SQLite or JavaDB instead of MySQL or Oracle. If you need the program to function in a client server environment, then you have no choice but to use MySQL, but then you will have to manually install the database server or create scripts to create the tables.

If you have any queries, you can ask in the comment section and I will try my best to answer them.

Friday, October 4, 2013

5 simple ways you can protect yourself from hackers

1. Use Two-step verification

Most of us use free email providers like Yahoo and Gmail. These email services have the option to enable  2-step verification.  All you need is a mobile phone number. Whenever you login to your Gmail account from  any new or unknown computer, Gmail will send a verification code to your mobile via SMS. Once you enter this code in the website, you are granted access. The advantage here is that even if by any chance someone manages to get hold of your password, they still  won't be able to access your account. Here is an article on Two-step verification.

2. Encrypt your files using TrueCrypt  TrueCrypt is no longer secure

When hackers get into your computer, depending on the purpose of the hack, they will look for your photos, important documents, credit card details, usernames and passwords etc. This is dangerous, especially because many people have the tendency to store credit card or net banking details in plain text for ease access. In order to prevent this, you can use a free encryption tool known as TrueCrypt.  TrueCrypt is one of the most powerful encryption tools and is thought to be unbreakable. Here is an article on how to set up TrueCrypt

3. Use a password manager such as KeePass

Nowadays, we have many online accounts in different websites and it is advisable to use a different password for each of those accounts to stay secure. Now, how does one remember all these passwords? It may be manageable to some extent if you have a sharp memory, but if you are like me, you will need a password manager to help you remember your passwords. KeePass is an excellent software that does just that. It uses a Master password that will secure your other passwords inside the database. You can then store this (tiny) database file in the cloud and access it from anywhere using Dropbox. The plus side is that you just have to remember one (preferably long) password.

4. Use VPN when accessing internet from public networks

As illustrated in my previous article on man in the middle attack, we know it is extremely easy for a hacker to sniff your username and password over the LAN or wifi. This is especially true if you are accessing the internet from a public wifi network such as airports or coffee shops. This is because normal web traffic is unencrypted. So, how do we protect ourselves from this? We use a VPN connection to encrypt the internet traffic. For this, you may want to use free VPN providers. Here is an article on how to set up VPN on Windows 7.

5. Install antivirus and firewall

This is the most basic and fundamental guideline for computer safety. Even in today's world of viruses and other malware, many people continue to ignore the antivirus. An antivirus protects your computer from all kinds of malware. It is not just enough to install an antivirus, it has to be updated regularly. For a hacker, it is extremely easy to hack into computer which has no antivirus installed. Avast is an excellent free antivirus. A personal firewall is also an added safety. ZoneAlarm is a good free firewall.