DDoS is not Dead: Building a Scalable DDoS Framework
- 7 mins
Abstract
I’m releasing my latest project, Stressful.io, an advanced DDoS framework for testing DDoS defenses at scale. I also provide a free simulation to non-profit organizations and startups focused on privacy and digital rights.
I have always been fascinated by DDoS attacks. You may have the most sophisticated defenses, yet your organization can be directly affected by a DDoS attack that takes down your payment gateway for 3 hours. DDoS attacks are a genuine concern that must be put on the organization’s radar, not on a postmortem after an attack.
Time is Money, Especially on Downtime
The cost of downtime is high and expensive for businesses, and it varies from industry to industry. A payment gateway processor downtime can affect many customers who rely solely on the payment gateway. An hour’s downtime costs millions of dollars in losses.
The same goes for an E-Commerce website. Some E-commerce have more than 30% of their revenue from Black Friday each year. A DDoS attack that disrupts users from making purchases on Black Friday can cause significant losses for the E-commerce business.
Furthermore, when a DDoS attack hits a SAAS platform and causes an outage, it will indirectly disrupt thousands (if not millions) of businesses and people’s lives worldwide. Please think of this as your day-to-day email provider, a CDN that delivers JavaScript for your websites, or even Google Docs I’m using to write this blog post.
ProtonMail DDoS Attack Changed My Perspective
Back when I was working at ProtonMail, I had the opportunity to witness one of the most significant attacks that happened in Europe in 2015 1 and 2018 2. These devastating attacks changed my perspective on DDoS attacks and their effectiveness.
ProtonMail Security has some of the most talented people that I have had the chance to work with. I can’t imagine how this attack could have been handled without the work of the amazing ProtonMail team.
We built up awesome technologies to prevent attacks that could breach the data of ProtonMail. Yet, a massive DDoS attack allowed attackers to disrupt the availability of ProtonMail to users. A DDoS attack cannot risk the security or privacy of ProtonMail. Still, it effectively put us in a stressful situation to fight back and return the services to normal.
If there is a primary lesson I learned from this experience, it is DDoS simulations matter. If we simulate a DDoS attack with similar capabilities and TTPs (tactics, techniques, and procedures), we would be prepared and more ready to handle an attack of this size. Putting DDoS and availability risks on the map became essential when building a security program of any size.
Building the Dream Product: Stressful Framework
I explored the current market and haven’t found a professional service that satisfies my vision of what should be available to companies. My idea is clear: as a customer, I want to have a trusted platform where I can consult to verify the existing DDoS defenses, show me what’s wrong based on research and proven tests, and how to patch weaknesses.
Trusting a security vendor blindly is always a bad idea. Companies in the market can easily sell snake oil, promising 100% protection. Without verification testing, I do not trust a security product to prevent attacks.
When I didn’t find a solution, I started building Stressful.io.
Researching TTPs
The research was the most challenging part of having this project come to reality. I started collecting repositories and historical archives for attacks witnessed in the past 15 years. I also monitored darknet sources for new trends and techniques. Every new research that involves DDoS attacks has been passionately reviewed and analyzed, and I built up a lab in the cloud to replicate attacks and rate research and techniques I have been seeing.
I also reverse-engineered tools published in the black market that are being used to conduct active attacks. I studied TTPs of different groups and built up my internal knowledge base for everything related to DDoS attacks.
This was majorly a side project that I had been imagining over the years, and in 2020, I took serious focus to complete the product.
Quality vs. Quantity Attacks
One factor that the market is entirely relies on in measuring the complexity of DDoS attacks is the total quantity the threat group was able to generate against the target. The thing is, generating traffic today is much easier than before. Today, a 50 GBPS DDoS attack is much easier to generate than ten years ago when the cloud era wasn’t as huge as before. Infrastructure deployment ten years ago wasn’t as accessible as today. Infrastructure-as-code has become the de facto for deploying a fully scalable infrastructure within minutes. The same goes for defense. Mitigating quantity DDoS attacks became much better over the years with cloud and CDN providers.
On the other side, DDoS attacks that focus on Application-layer exploitation were dismissed by most deployments I reviewed over the years. Additionally, DoS vectors that exploit and abuse a security vulnerability of a given product or application are patterns that I have been seeing.
Application-layer DDoS attacks are harder to defend and much more difficult to understand, and most security vendors do not protect against them. If a security vendor claims to protect against Application-layer DoS attacks, I would be happy to provide a demo to showcase all their weaknesses using the Stressful.io framework.
Stressful.io Architecture
I’m planning to release technical documentation in the future about the architecture I built for Stressful.io that fully relies on being cloud-native to scale.
After building the app on Stressful.io, I integrated the CD pipeline with Terraform to deploy the infrastructure used in simulations. I have built the integration with Microsoft Azure, Amazon AWS, and there will be an integration with Google Cloud soon.
Engine
Language of Choice?
I wrote the framework in Golang as I have seen great potential for DDoS in Golang. The networking API in Golang is much more reliable, and the concurrency and state management in projects are much more promising. Golang is the future for scalable and resource-extensive applications. I have been doing benchmarks on the Stressful, and I’m impressed by the various features Golang allows and provides.
Modules
I have built modules to support attacks for different vectors.
This is an example of modules I have been building in the framework:
- HTTP SlowPost Attack
- HTTP Slowloris attack (GET)
- HTTP Web Cache-Poisoning Attack
- HTTP SlowLoris (Infinite Headers)
- Amazon AWS Denial of Wallet Attacks
- Microsoft Azure Denial of Wallet Attacks
- HTTP/2 DoS Attacks
- HTTP DoS via Headless Browsers
- WordPress Resource Exhaustion
- HTTP Hash Collision Attack
- HTTP Memory Exhaustion
- Xerxes Attack
- SOAP XML Quadratic Blowup Attack
- SOAP XML Billion Laughs Attack
- HTTP Keep-Alive Flood Attack
- HTTP Unlimited Downloads
- HTTP GET Flood
- HTTP SlowPost (Infinite Uploads)
- HTTP HULK Attack
- MySQL Resource Exhaustion
This is just part of the modules I have developed. I also develop modules based on specific use cases and scenarios. Lastly, I will keep an up-to-date arsenal for DoS attacks and modules on the framework.
What’s next?
Contact me at info@Stressful.io for a free consultation demo for your organization. I also provide a free simulation to non-profit organizations and startups focused on privacy and digital rights.
Are you interested in DDoS capabilities for your company? Let’s have a chat and see how I can help!
Are you a researcher interested in the DDoS market and DDoS defenses?
Let’s connect and share thoughts. My contact details are available on the website.
- https://www.techrepublic.com/article/exclusive-inside-the-protonmail-siege-how-two-small-companies-fought-off-one-of-europes-largest-ddos/
- https://techcrunch.com/2018/06/27/protonmail-suffers-ddos-attack-that-takes-its-email-service-down-for-minutes/
Mazin Ahmed
Thoughts of a hacker