How to simulate DDoS attacks from the Internet?

  • The idea behind security tests is easy. You want to know what a hacker can do - you hire a security expert who acts like a hacker to see how far he can get. You want to know what an evil admin can do - your security experts gets admin privileges and does his job that way.

    I am aware that there are other and maybe better ways to perform an audit, but these are common approaches that work. Unfortunately it gets difficult when the threat is not a single person or a team of hackers, but a distributed bot-network that spams you with more or less intelligent requests. How can you test such a scenario? Lets say I have my infrastructure ready and I am confident that my systems can withstand a certain amount of pressure from a DDoS attack. Now I want to verify my expectations and perform a DDoS test from the Internet.

    Where can I legally get a DDoS simulator? I do not want to buy resources from an illegal bot-net and I only want to work with experts in this field. Are there companies who perform such tests for you or can you at least rent systems that are powerful enough to simulate a DDoS attack? I am aware of the legal issues like informing all involved parties like providers and the like - this question is focused on how such a test can be performed. I am also not looking for a list of companies that can do that, I am interested what is state of the art in this field and which services are available on the market. are one of the companies to offer this service, though it seems to be mostly web based load testing. I believe they use Amazon Web Services to achieve the high load they require.

    I've used two different applications to stress test web applications that I've built. Apache Bench Seige They may or may not be enough to test your network pipe against a large DDoS, but running these on a few different outside boxes could get you in the ballpark.

    You could try something like Bees with machine guns which spins up lots of EC2 instances to attack / load test a target. Obviously only use this against sites you own or have permission to target, otherwise Amazon will likely lock you out of your account.

    How come noone mentioned LOIC?

    In my experience I've come across the Low Orbit Ion Cannon. it is a common tool for ddos attacks. It is open source now I believe.

    If you're looking for a professional service who can do this for you, take a look at RedWolf Security -!ddos_testing/cqd6 I've heard good things about their service, although I haven't used it, and I don't work for them.

    you can also try comsec and their comsimulator: they can generate a DDos with the sizing your like ;)

  • Jeff Ferland

    Jeff Ferland Correct answer

    10 years ago

    I think you seek the use of a packet generator and a corresponding number of systems generating packets to match the load you seek. Use random valid IP addresses for the packet source addresses and you should find yourself quite annoyed when it comes time to filter.

    You can do all of that without ever sending a bit across your ISP's link. If you get DDOS'd in such a way that bandwidth is maxed out rather than services, then your ISP will need to choke off the traffic prior to it reaching your link.

    Just to remember, in case the ISP chokes traffic, the (D)DOS attack is sucessful in the sense, that it rendered your server unreachable, even if it WOULD HAVE handled the additional traffic.

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM

Tags used