13

I wanted to test my website to see if it can sustain strong DDoSes, but I don't know which tools I could use to simulate them on my website. What tools are used to simulate DDoS?

I found bonesi but it was last updated 2 years ago.

Jürgen Paul

6 Answers

14

There are basically three types of DDOS attacks:

  • Application-layer DDOS attack
  • Protocol DOS attack
  • Volume-based DDOS attack

Application-layer DDOS attack: Application-layer DDOS attacks are attacks that target Windows, Apache, OpenBSD, or other software vulnerabilities to perform the attack and crash the server.

Protocol DDOS attack: A protocol DDOS attack is a DOS attack on the protocol level. This category includes Synflood, Ping of Death, and more.

Volume-based DDOS attack: This type of attack includes ICMP floods, UDP floods, and other kinds of floods performed via spoofed packets.

There are many tools available for free that can be used to flood a server and test the performance of the server. A few tools also support a zombie network to perform DDOS.

  1. LOIC (Low Orbit Ion Cannon)

  2. XOIC

  3. HULK (HTTP Unbearable Load King)

  4. DDOSIM—Layer 7 DDOS Simulator

  5. R-U-Dead-Yet

  6. Tor’s Hammer

  7. PyLoris

  8. OWASP DOS HTTP POST

  9. DAVOSET

  10. GoldenEye HTTP Denial Of Service Tool

Drifter104
mightyteja
7

First you need to define what kind of attack you're trying to simulate.
Some common options include:

  • TCP connection pool exhaustion
  • Bandwidth exhaustion
  • CPU/Memory exhaustion

Next pick (or write) tools that can be used to simulate that type of attack (HTTP Load Testing programs are often used, but there are dedicated tools out there as well. I'm not going to list them - you can Google as well as I can.)

Finally, run the attacks against your environment.
This may require additional machines (for an internal test), or multiple external environments (to effectively simulate an external threat).


BIG IMPORTANT WARNING

You should schedule and announce your test window so users are aware of the possibility of an outage. Often simulations result in actual failures.

Under NO Circumstances should you run a DoS simulation/test attack against your environment without first notifying your hosting provider. This is especially true for external / full stack tests that will be going through your provider's network.

voretaq7
  • Sorry for being sarcastic, but yeah, the first thing an attacker would do is to notify your provider. – berezovskyi Mar 24 '16 at 18:25
  • 4
    @ABerezovskiy I'm going to assume your sarcasm is because you're missing the reason for the notification: Most provider agreements (literally every one I've signed) prohibit this kind of testing without prior notice. If you violate that agreement and your test disrupts other people's service you will find yourself dropped off the network, and possibly facing legal action. An attacker has nothing to lose in this situation, a sysadmin or company has everything to lose. – voretaq7 Mar 24 '16 at 19:08
  • 1
    You are totally correct in regard to the legal matters and the consequences. However, the main reason such tests are carried out is to be prepared for unexpected attacks and often cheap providers who boast DDoS protection would null-route you after 10 minutes of the attack. In many cases you actually test the response of the provider. A quick check for Kimsufi landing page: *Anti-DDos protected and connected to a high performing global network*. TOS: *OVH reserves the right to interrupt the Customer's Service if it poses a threat to [...] the stability of the OVH infrastructure.* – berezovskyi Mar 24 '16 at 19:42
  • I think you could use both approaches depending on what you really want to test: a transparent stress test in a sandboxed environment, or a properly/ethically instrumented attack/test for the organisation readiness to deal with the crisis. Those are 2 different tests with distinct targets. – Amy Pellegrini Feb 08 '19 at 11:42
1

I don't have much experience with it, but take a look at LOIC (http://sourceforge.net/projects/loic/). You'll have to set up a number of clients, but you should be able to essentially DDoS yourself.

Jim G.
  • This is a DoS tool that exploits the HTTP protocol to bring down web servers (basically opening tons of connections but never completing them). Won't work for a testing case. – Nathan C Jun 14 '13 at 18:21
1

A 'strong' DDoS attack is highly relative to your environment, and would be near impossible to replicate by yourself if we're talking about a public website and not within a controlled environment. A DoS attack is one thing; in order to simulate a real distributed denial of service attack you need a real test-bed of botnet(s), which I'm sure you don't own (<<). It's not difficult to find free/fee-for-all botnets that you can use with certain 'off-hacker-sites' applications, but would/should you really trust these to not do more damage than you expect? The last thing you want is being on a hacker's radar, and/or associated with a vulnerable site.

IMHO, a good DDoS will always win... especially if you don't have a good disaster recovery/business continuation plan.

This is coming from someone who's lived through a DDoS (DNS amplification attack). It's no picnic, and even though it's highly exciting, it's nothing you want to happen to your network/website/host.

l0c0b0x
1

https://www.blitz.io/

They can sort of simulate a DDOS attack for you. They use Amazon Web Services to get a whole bunch of IPs to simulate a DDOS. Considering that most DDOS attacks use large amounts of compromised servers across various geographic areas, it would be very difficult to "simulate" a DDOS attack without being in possession of an entire global bot-net.

There are various services that can simulate a high load DOS attack though. A few resources are:

https://httpd.apache.org/docs/2.0/programs/ab.html

"ab is a tool for benchmarking your Apache Hypertext Transfer Protocol (HTTP) server. It is designed to give you an impression of how your current Apache installation performs. This especially shows you how many requests per second your Apache installation is capable of serving."

El Chapo Gluzman
  • Looks like Blitz is no longer an option, their front page currently says "Blitz will be shutting down on October 1, 2018" :-( – Nexus Sep 28 '18 at 07:17
1

Another solution would be to use beeswithmachineguns. It's a utility for arming (creating) many bees (micro EC2 instances) to attack (load test) targets (web applications).

Again, none of these instances will truly replicate a "real" DDOS attack because certain tactics you may use (i.e. blocking ranges of IPs) won't work against a real DDOS botnet of compromised IPs across the globe.

El Chapo Gluzman
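
The range-blocking point in the answer above can be measured from an access log. This is an added example, not code from any of the posts: it counts how many /24 ranges must be blocked to drop 90% of requests, for a cloud-hosted load test and for widely dispersed sources. The log lines, addresses and function names are constructed for illustration.

```python
import ipaddress
from collections import Counter

def source_ips(log_lines):
    """Client address is the first field of a common-log-format line."""
    return [line.split(" ", 1)[0] for line in log_lines if line.strip()]

def ranges_to_block(ips, coverage_pct=90, prefix_len=24):
    """Number of /prefix_len ranges that must be blocked, busiest first,
    to drop at least coverage_pct percent of the requests."""
    per_range = Counter(
        ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False) for ip in ips
    )
    total, dropped = len(ips), 0
    for blocked, (_, hits) in enumerate(per_range.most_common(), start=1):
        dropped += hits
        if dropped * 100 >= coverage_pct * total:
            return blocked
    return len(per_range)

def log_line(ip):
    # Constructed sample line, not taken from a real server.
    return f'{ip} - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 512'

# Constructed: 20 cloud instances in two provider ranges, 500 requests each.
CLOUD_TEST = [
    log_line(f"{net}.{host}")
    for net in ("198.51.100", "203.0.113")
    for host in range(1, 11)
    for _ in range(500)
]

# Constructed: 2000 hosts, each in its own /24, 5 requests each.
BOTNET = [
    log_line(f"10.{i // 250}.{i % 250}.7")
    for i in range(2000)
    for _ in range(5)
]

if __name__ == "__main__":
    print("cloud test:", ranges_to_block(source_ips(CLOUD_TEST)))
    print("botnet:    ", ranges_to_block(source_ips(BOTNET)))
```

Both samples carry the same 10,000 requests; only the spread of source addresses differs, which is why a filter tuned during a cloud-based test says little about behaviour under a dispersed attack.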