DDoS is not Dead: Building a Scalable DDoS Framework- 8 mins
I’m releasing my latest project, Stressful.io, an advanced DDoS framework for testing DDoS defenses at scale. I’m also providing a fully free simulation to non-profit organizations and startups focused on privacy and digital rights.
I have always been fascinated by DDoS attacks. You may have the most sophisticated defenses, yet, your organization can be directly affected by a DDoS attack that takes down your payment gateway for 3 hours. DDoS attacks are a real concern that needs to be put on the organization’s radar, not on a postmortem after an attack happens.
Time is Money, Especially on Downtime
The cost of downtime is high and expensive for businesses, and it varies from one industry to another. A payment gateway processor downtime can affect many customers that solely rely on the payment gateway to operate. An hour’s downtime costs millions of dollars in losses.
The same goes for an E-Commerce website, some E-Commerces have more than 30% of their revenue coming from Black Friday each year. A DDoS attack that disrupts users from making purchases on Black Friday can cause major losses for the E-commerce business.
ProtonMail DDoS Attack Changed My Perspective
Back when I was working at ProtonMail, I had the opportunity to witness one of the largest attacks that happened in Europe in 2015 1 and 2018 2. These attacks were devastating and changed my perspective on DDoS attacks and their effectiveness.
ProtonMail security has some of the most talented people that I have had the chance to work with. I can’t imagine how this attack could have been handled without the work of all the amazing ProtonMail team.
We had built up awesome technologies to prevent attacks that could breach the data of ProtonMail, yet, a massive DDoS attack allowed attackers to disrupt the availability of ProtonMail to users. A DDoS attack is not capable of risking the security nor the privacy of ProtonMail, but it was effective to put us in a stressful situation to fight back and return the services back to normal.
If there is a main lesson I learned from this experience is DDoS simulations matter. If we simulate a DDoS attack with similar capabilities and TTPs (tactics, techniques, and procedures), we would be prepared and possibly more ready to handle an attack with this size. Putting DDoS and availability risks on the map became important for me when building a security program of any size.
Building the Dream Product: Stressful Framework
I explored the current market and haven’t found a professional service that satisfies my vision of what should be available to companies. My vision is clear: as a customer, I want to have a trusted platform where I can consult for verifying the existing DDoS defenses, to show me what’s wrong based on research and proven tests, and to show me how to patch weaknesses.
Trusting a security vendor blindly is always a bad idea, companies in the market can easily sell snake oil, promising 100% protection. Without verification testing, I do not trust a security product in preventing attacks.
When I didn’t find a solution, I started the journey of building Stressful.io.
The most difficult part in having this project come to reality was the research part. I started collecting repositories and historical archives for attacks that have been witnessed in the past 15 years. I also monitored darknet sources for new trends and techniques. Every new research that involves DDoS attacks has been passionately reviewed and analyzed, and I built up a lab in the cloud to replicate attacks and rate researches and techniques I have been seeing.
I also reverse-engineered tools published in the black market that are being used to conduct active attacks. I studied TTPs of different groups and built up my internal knowledge-base for everything related to DDoS attacks.
This was majorly a side project that I have been imagining over the years, and in 2020, I took serious focus to complete the product.
Quality vs. Quantity Attacks
One factor that the market is fully relying on measuring the complexity of DDoS attacks is the total quantity the threat group was able to generate against the target. The thing is, generating traffic today is much easier than before. A 50 GBPS DDoS attack today is much easier to generate than 10 years ago, where the cloud era wasn’t as huge as before. Infrastructure deployment 10 years ago wasn’t as accessible as today. Today, Infrastructure-as-code became the de-facto for deploying a fully scalable infrastructure within minutes. The same goes for defense, mitigating quantity DDoS attacks became much better over the years with cloud and CDN providers.
On the other side, DDoS attacks that focus on Application-layer exploitation were being dismissed by most deployments I have personally reviewed over the years. Additionally, DoS vectors that exploits and abuses a security vulnerability of a given product or application are patterns that I have been seeing.
Application-layer DDoS attacks are harder to defend, much difficult to understand, and most security vendors do not protect against them. If a security vendor claims to protect against Application-layer DoS attacks, I would be happy to provide a demo to showcase all their weaknesses using the Stressful.io framework.
I’m planning to release technical documentation in the future about the architecture I built for Stressful.io that fully relies on being cloud-native to scale.
After building the app on Stressful.io, I integrated the CD pipeline with Terraform to deploy the infrastructure used in simulations. I have built the integration with Microsoft Azure, Amazon AWS, and there will be an integration with Google Cloud soon.
Language of Choice?
I wrote the framework in Golang as I have been seeing great potential for DDoS in Golang. The networking API in Golang is much reliable, and the concurrency and state management in projects are much promising. Golang is the future for scalable and resource-extensive applications. I have been doing benchmarks on the Stressful, and I’m impressed by various features Golang allows and provides.
I have built modules to support attacks for different vectors.
This is an example of modules I have been building in the framework:
- HTTP SlowPost Attack
- HTTP Slowloris attack (GET)
- HTTP Web Cache-Poisoning Attack
- HTTP SlowLoris (Infinite Headers)
- Amazon AWS Denial of Wallet Attacks
- Microsoft Azure Denial of Wallet Attacks
- HTTP/2 DoS Attacks
- HTTP DoS via Headless Browsers
- WordPress Resource Exhaustion
- HTTP Hash Collision Attack
- HTTP Memory Exhaustion
- Xerxes Attack
- SOAP XML Quadratic Blowup Attack
- SOAP XML Billion Laughs Attack
- HTTP Keep-Alive Flood Attack
- HTTP Unlimited Downloads
- HTTP GET Flood
- HTTP SlowPost (Infinite Uploads)
- HTTP HULK Attack
- MySQL Resource Exhaustion
This is just part of the modules I have developed. I also develop modules based on specific use-cases and scenarios. Lastly, I will be also keeping an up-to-date arsenal for DoS attacks and modules on the framework.
Contact me on info@Stressful.io to get a free consultation demo for your organization. I’m also providing a fully free simulation to non-profit organizations and startups focused on privacy and digital rights.
Interested in DDoS capabilities for your company? Let’s have a chat and see how I can help!
Are you a researcher interested in the DDoS market and DDoS defenses?
Let’s connect and share thoughts. My contact details are available on the website.