Powerful stressers for application/website testing.

armandorg Member, Host Rep
edited December 2018 in General

As the title, i'm looking for some platform which i can test my websites/applications against 'Ddosers and stressers'. As much powerful as it can be, i do remember using one a while back ago, though i forgot what it was called.

I do know most of these sites which offer membership for such stressing tools are not that powerful and cloudflare can easily get you covered within it, but i do not use cloudflare and i would like to test my own anti-ddos 'platforms/solutions'. Kind of an experiment.

Thanks in advance.


Comments

  • You can use this program for free:

    https://www.de.paessler.com/tools/webstress

  • Siege
    Jmeter

  • Is loic still a thing?

  • armandorg Member, Host Rep

    @teamacc said:
    Is loic still a thing?

    Lol, yes.

    @Ympker said:
    You can use this program for free:

    https://www.de.paessler.com/tools/webstress

    You don't really think i would stress my protected anti-ddos website with my internet connection. Right?

  • jackb Member, Host Rep
    edited December 2018

    @armandorg said:
    You don't really think i would stress my protected anti-ddos website with my internet connection. Right?

    If you're talking about using booters you're talking about funding criminals. LET isn't that sort of place.

    The only legit way to do this - assuming you are talking about anything other than layer 7 attacks - is to use a network local to the target that you have permission to use. I would assume there will be more flexibility on layer 7 attacks since they are unlikely to knock your neighbouring customers offline.

    Thanked by 1doghouch
  • For real-world load testing of a site, use SIEGE or Apachebench..

  • armandorg Member, Host Rep

    @jackb said:

    @armandorg said:
    You don't really think i would stress my protected anti-ddos website with my internet connection. Right?

    If you're talking about using booters you're talking about funding criminals. LET isn't that sort of place.

    The only legit way to do this - assuming you are talking about anything other than layer 7 attacks - is to use a network local to the target that you have permission to use. I would assume there will be more flexibility on layer 7 attacks since they are unlikely to knock your neighbouring customers offline.

    I need to try every possible unlegit way to ddos, crash and stress the fuck out of my project's website/applications, if i want to be sure it won't happen in the future by some random person i'd rather do it now myself and know my 'weaknesses'.

  • armandorg said: I need to try every possible unlegit way to ddos, crash and stress the fuck out of my project's website/applications, if i want to be sure it won't happen in the future by some random person i'd rather do it now myself and know my 'weaknesses'.

    Doing it yourself via those sites would typically result in felony charges at least in the US for each attack launched.

    Thanked by 1armandorg
  • jackb Member, Host Rep
    edited December 2018

    @armandorg said:

    @jackb said:

    @armandorg said:
    You don't really think i would stress my protected anti-ddos website with my internet connection. Right?

    If you're talking about using booters you're talking about funding criminals. LET isn't that sort of place.

    The only legit way to do this - assuming you are talking about anything other than layer 7 attacks - is to use a network local to the target that you have permission to use. I would assume there will be more flexibility on layer 7 attacks since they are unlikely to knock your neighbouring customers offline.


    I need to try every possible unlegit way to ddos, crash and stress the fuck out of my project's website/applications, if i want to be sure it won't happen in the future by some random person i'd rather do it now myself and know my 'weaknesses'.

    loader.io mentioned above should be fine for actually testing your application under load.

    If you use an actual booter you are just funding criminals and are breaking the law yourself.

    If you're wondering what the difference is:

    • Loader.io won't knock intermediaries or neighbours offline
    • Loader.io verifies ownership of the target before tests are initiated
    Thanked by 1armandorg
  • jsg Member, Resident Benchmarker
    edited December 2018

    @armandorg

    For a realistic test you'll need (a) someone (could possibly be yourself) running stresstests from enough machines to really stress your server. A single one will almost always not be sufficient, and (b) someone with relevant knowledge.

    (a) because serious attackers will use many systems (think worst case "botnet")
    (b) because you need to know what and how to attack.

    Apachebench will almost certainly not cut it both for technical reasons (like # of open handles/sockets) and because those tools were built to test a web site/server with different load scenarios within a reasonable range.

    One a bit simplistic but still useful (and actually quite realistic) approach would be to have some async Python clients running on a couple of machines on your network.

    Btw. keep in mind to not only do load stress tests but also e.g. uncommon and illegal paths, headers, values etc., socket depletion and other games (e.g. timeouts), etc.

    Thanked by 1armandorg
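
An async Python load-test client of the kind jsg describes, gated by an ownership check like the one jackb says loader.io performs; this is an added example, not code from any poster or from loader.io. The token path, the concurrency ceiling and the restriction to loopback/private IP targets are assumptions of the example.

```python
import asyncio, ipaddress, time
from collections import Counter
from urllib.parse import urlsplit

TOKEN_PATH = "/loadtest-owner.txt"  # hypothetical path where the owner publishes a token
MAX_CONCURRENCY = 50                # assumed ceiling for a small lab run

def lab_target(url):
    """Accept only literal loopback/private IPs, so a typo cannot hit a third party."""
    parts = urlsplit(url)
    ip = ipaddress.ip_address(parts.hostname or "")  # ValueError for DNS names
    if not (ip.is_loopback or ip.is_private):
        raise ValueError(f"{ip} is not a loopback/private lab address")
    return str(ip), parts.port or 80

async def http_get(host, port, path, timeout=5.0):
    """One HTTP/1.1 GET on a fresh connection; returns (status, body)."""
    reader, writer = await asyncio.wait_for(asyncio.open_connection(host, port), timeout)
    try:
        writer.write(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        await writer.drain()
        raw = await asyncio.wait_for(reader.read(), timeout)  # server closes after reply
    finally:
        writer.close()
    head, _, body = raw.partition(b"\r\n\r\n")
    return int(head.split(None, 2)[1]), body

async def run_test(url, token, path="/", total=200, concurrency=20):
    """Verify ownership, then send `total` GETs with at most `concurrency` in flight."""
    host, port = lab_target(url)
    status, body = await http_get(host, port, TOKEN_PATH)
    if status != 200 or body.strip() != token.encode():
        raise PermissionError("target does not serve the ownership token")
    gate = asyncio.Semaphore(min(concurrency, MAX_CONCURRENCY))
    codes, latencies = Counter(), []

    async def one():
        async with gate:
            start = time.perf_counter()
            try:
                code, _ = await http_get(host, port, path)
            except (OSError, asyncio.TimeoutError, IndexError, ValueError):
                codes["error"] += 1  # refused, reset, timed out or unparsable reply
                return
            codes[code] += 1
            latencies.append((time.perf_counter() - start) * 1000)

    await asyncio.gather(*(one() for _ in range(total)))
    latencies.sort()
    pct = lambda q: round(latencies[int(q * (len(latencies) - 1))], 2) if latencies else None
    return {"codes": dict(codes), "p50_ms": pct(0.5), "p95_ms": pct(0.95)}
```
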
  • FHR Member, Host Rep

    Bees with Machine guns

    This actually sends HTTP requests, meaning it's more of a load tester and less of a DDOS tool.

    Thanked by 1armandorg
  • @jsg said:
    @armandorg

    For a realistic test you'll need (a) someone (could possibly be yourself) running stresstests from enough machines to really stress your server. A single one will almost always not be sufficient...

    Agreed.

    Thanked by 1armandorg
  • @armandorg said:

    @jackb said:

    @armandorg said:
    You don't really think i would stress my protected anti-ddos website with my internet connection. Right?

    If you're talking about using booters you're talking about funding criminals. LET isn't that sort of place.

    The only legit way to do this - assuming you are talking about anything other than layer 7 attacks - is to use a network local to the target that you have permission to use. I would assume there will be more flexibility on layer 7 attacks since they are unlikely to knock your neighbouring customers offline.


    I need to try every possible unlegit way to ddos, crash and stress the fuck out of my project's website/applications, if i want to be sure it won't happen in the future by some random person i'd rather do it now myself and know my 'weaknesses'.

    I can see the problem... Whatever you're gonna do, the right thing to do would be to ask permission from whatever host/network you'll be testing. They won't appreciate it if you start stressing the network and if you're not careful you'll break the law as well.

    Thanked by 1armandorg
  • armandorg Member, Host Rep

    Thanks for the recommendations, i will of course let my datacenter know of my intentions and the test that i will proceed. Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

  • @armandorg said:
    Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Must be great, living in 'The Wild West' :)

    Thanked by 1armandorg
  • armandorg Member, Host Rep

    @Saragoldfarb said:

    @armandorg said:
    Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Must be great, living in 'The Wild West' :)

    It has its benefits ;)

    Thanked by 1Saragoldfarb
  • @armandorg said:

    @Saragoldfarb said:

    @armandorg said:
    Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Must be great, living in 'The Wild West' :)


    It has its benefits ;)

    Sans sherif.

    Thanked by 1mfs
  • desperand Member
    edited December 2018

    This very much depends on what exactly you wish to do.

    The market of stupid kids which scan the whole network for exploits on different servers IoTs and whatever is dead because of IQ < 30 in this market somewhere in 2013 or 2014 by OVH, Voxility, and many other networks.

    First of all, check the link below:

    https://github.com/denji/awesome-http-benchmark

    Next:

    If you wish to test with good bench results try Yandex tank:

    The second very good software for website testing is https://github.com/codesenberg/bombardier

    What about DDoS / L4 attacks, I can't help you with that.

    What about DDoS / L7 attacks - I don't know too, but the market always sucks because of using super stupid WordPress/Joomla exploits which make almost very stupid DDoS attacks against sites without any really good bench.

    The best thing what you can try to do - is a provocation for DDoS on an anonymous board via exposing your real IP/server/domain name.

    Or you can try to provoke via organizing any community-centric software/platform/whatever.

    Or you can try to offer for free your services for MMORPG servers. Usually, MMORPG can easily be a target of 500-900Gbit/s attacks (not kidding here, competition market is very dangerous).

  • desperand said: Or you can try to offer for free your services for MMORPG servers. Usually, MMORPG can easily be a target of 500-900Gbit/s attacks (not kidding here, competition market is very dangerous).

    Yep, stolen content, stolen/infringing assets, stolen game, and donation begging nonstop while ddosing all the other competitors to get more donations and profiting off stolen content

  • @armandorg said:
    Thanks for the recommendations, i will of course let my datacenter know of my intentions and the test that i will proceed. Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Your provider must loooooooove you...

  • You can try scanning for servers with incorrectly set up DNS/NTP/Memcache/CharGEN and use them for AMPing attacks

    Then with the lists you just need a server with a spoof-friendly ISP.

    IoT can be done if you can develop your own code, but malware like Mirai will kick you off if it detects you.

  • AlbaHost Member, Host Rep
    edited December 2018

    @armandorg said:
    Thanks for the recommendations, i will of course let my datacenter know of my intentions and the test that i will proceed. Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Just curious, which country are you referring to that it does have such law to allow you such things? And or no law for such activities?

  • armandorg Member, Host Rep

    @doghouch said:

    @armandorg said:
    Thanks for the recommendations, i will of course let my datacenter know of my intentions and the test that i will proceed. Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Your provider must loooooooove you...

    It's, complicated. : |

    Thanked by 1eol
  • jh_aurologic Member, Patron Provider

    @PrivacyInfinity said:
    You can try scanning for servers with incorrectly set up DNS/NTP/Memcache/CharGEN and use them for AMPing attacks

    Which is already illegal in most countries. I don't propose to do so, once your provider will notice you will get suspended in no time.

  • eva2000 Veteran
    edited December 2018

    I use the following for quick tests

    For HTTP/1.1 benchmarking

    For HTTP/2 HTTPS benchmarking

  • I'm pretty shocked this thread is being allowed to continue. I feel like there are other forums he can use to search for this type of information and it sends the wrong message about what LET is for but maybe that's just me.

    Thanked by 1mfs
  • stefeman Member
    edited December 2018

    @IThinkUFailed said:
    I'm pretty shocked this thread is being allowed to continue. I feel like there are other forums he can use to search for this type of information and it sends the wrong message about what LET is for but maybe that's just me.

    Yeah let's censor everything including all the legit info just because one user is feeling bad about the thread. Go **** yourself ;) When has LET (or its users) become this closed minded? Nobody mentioned any illegal booter/stresser services here by name. And people are still contributing to the thread.

    Now, that this has been said, I personally suggest loader.io as i've used them before to test my forums against Layer 7 attacks. They also check your identity and won't ruin your host.

    Thanked by 1armandorg
  • IThinkUFailed Member
    edited December 2018

    @stefeman said:

    @IThinkUFailed said:
    I'm pretty shocked this thread is being allowed to continue. I feel like there are other forums he can use to search for this type of information and it sends the wrong message about what LET is for but maybe that's just me.

    Yeah let's censor everything including all the legit info just because one user is feeling bad about the thread. Go **** yourself ;) When has LET (or its users) become this closed minded? Nobody mentioned any illegal booter/stresser services here by name. And people are still contributing to the thread.

    Now, that this has been said, I personally suggest loader.io as i've used them before to test my forums against Layer 7 attacks. They also check your identity and won't ruin your host.

    Sorry that my feelings about this thread shook something inside you so profoundly that you felt to be abusive towards me but I am entitled to voice my concerns and feelings about any topic I want to.

    The below quotes from the OP are why this concerns me.

    Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Not to mention this is in the rules:

    LET is White Hat
    We do not allow discussion of how to commit illegal activities such as D/DOS attacks, spamming, hacking, etc. Threads on these subjects will be closed and removed. Discussion of defense against these acts is welcome.
    LET is not the place to boast about your DDOS attacks, share your tango downs, or rally the hacking underground to avenge a digital wrong. Discussions encouraging these activities will be closed and removed.

    Thanked by 1vimalware
  • armandorg Member, Host Rep
    edited December 2018

    @IThinkUFailed said:
    The below quotes from the OP are why this concerns me.

    Although there’s no law here regarding this, you can ddos as much as you want even your ‘competition’, nobody will say a thing. Unless you ddos or do anything against a government website or application, then you will have serious troubles.

    Not to mention this is in the rules:

    LET is White Hat
    We do not allow discussion of how to commit illegal activities such as D/DOS attacks, spamming, hacking, etc. Threads on these subjects will be closed and removed. Discussion of defense against these acts is welcome.
    LET is not the place to boast about your DDOS attacks, share your tango downs, or rally the hacking underground to avenge a digital wrong. Discussions encouraging these activities will be closed and removed.

    Hold on, right there. I mentioned that my country does not care if such thing happens, i never stated i was going to take actions against any of my competitors.

    The thread purpose is to discuss what solution can i use to ddos/crash/take down/test my own network/servers.. etc. So i know where i should 'invest' in protecting it now from happening in the future by someone else.

    These are security measures, no need to cry about it

This discussion has been closed.