On Sunday, May 10, 2020, we will DDoS our own website, intelx.io. We will live tweet and update this blog post with any developments and the outcome. The attack will be executed in the same fashion as an actual attack: we’ll do some research, then pay a shady DDoS provider in Bitcoin (and hope they don’t scam us) and launch an actual DDoS attack against our own website.
Note: We own 100% of our infrastructure including the servers, network equipment, and even our own BGP router. We are our own ISP and operate our own Autonomous System and IP addresses. We do not recommend anyone to launch DDoS attacks.
The first step is to find an actual DDoS provider. They are often advertised on hacking forums and can be found via search engines.
There is a recent blog post here discussing law enforcement actions against DDoS providers.
Accessible via http://synstresser.to/ and https://synstresser.com/, it claims to support “Layer 3, Layer 4, and Layer 7 DDos methods”. It claims to bypass multiple DDoS-protection providers, including “Cloudflare on all its modes, Blazingfast, CyberDDOS, Sucuri WAF, and almost all other DDOS protections”.
The Telegram account, “jeffspender”, is linked in the footer as the contact person. There is a YouTube channel https://www.youtube.com/watch?v=6naFV90FaU8 which joined in October 31, 2018.
The pricing starts at €50 for 10 minutes. 3 hours cost €135. There are multiple upgrades, including the option to launch “concurrent attacks” (which does not make much sense since DDoS attacks are already distributed by nature; i.e., concurrent attacks from many machines) as well as “Premium +€150” and “Enterprise +€300” “attack network” options.
Here is a GIF ad:
According to our whois data at https://intelx.io/?did=95636af6-f7b0-4240-9615-10aa031747b4, the domain synstresser.com was registered on 2019-12-04 via the Chinese registrar todaynic.com.
Another one is torstress.com. It lists the Telegram contacts “torstress” and “xCrucial”.
There is a free tier, but it does not mention how strong the free attack is. The paid packages start at $15 per month for “1200 seconds per attack” and go up to $500 per month for “10800 seconds per attack”.
torstress.com was registered on 2020-03-22 via the Chinese registrar todaynic.com.
The website https://slayer.st/ lists a bunch of others. Note that no DDoS service here was vetted and they may or may not be scams. Most of them offer a free trial (like launching the attack for 60 seconds), which is good enough for the use case here.
Signup is easy as the DDoS services often don’t even require an email address.
We have first tested targeting our network equipment with ddos services that offer free attacks.
Test 1: “databooter.to”. This resulted in a very small attack in Kbit traffic (which is not even worth mentioning) and single digit source IPs.
Test 2: stressthem.to. The attack (free tier) reaches 1 Gbit. Our switch remained operational though, only 15% CPU spike and no practical impact.
Test 3: torstress.com. The user interface is a but biggy, but the service does the job. We measured more than 150,000 packets per second which is decent, especially as it’s free.
Live attack: We are using synstresser.com for the actual live attack. We launched a bunch of different attacks over the course of 2 hours.
A first initial one using HTTP for 60 seconds was not successful. Only 730 requests arrived at our server – the full log is here https://pastebin.com/GS2nE2U1. A later attack with HTTP resulted in more than 10,000 requests which still had not significant impact.
We tested other DDOS modes including “TCP-SSYN” which launches a TCP-SYN attack. It was able to slow down incoming connections, but did not result in a complete denial of service.
This attack resulted in over 2.5 million unique IPs sending 7 million packets in 1 minute. The IP addresses are potentially spoofed.
The impact can be measured in numerous ways. The most obvious one: is the site accessible? Does the attack have a lasting impact?
On a technical level, there are many questions that boil down to “how big is the attack?”:
Since we are our own attacker, some of them (like the type of attack) can be obviously influenced by ourselves. Still, it makes sense to record the attack and verify.
No attack had any permanent effect.
May 2020: New dorks website, Tor, DDoS test and a Europol takedown Our dataset continues to grow significantly: 17,660,962,195 selectors In the past few months, we have invested in 200+ TB of enterprise storage which allows us to scale up data collection even more. As for the public web, we are currently crawling these TLDs:
Tor .onion domains are the hashes of public keys. Generally, they look random, but it is possible for am Tor hidden service operator to generate onion domains that start with a human readable part such as “silkroad7rn2puhj.onion”. Those are called “vanity onion addresses” and there are tools like Shallot and Eschalot that will create the
Certain actors spam Tor by creating many duplicate websites under different .onion domains and then linking them to each other. The cost of doing that is pretty low, considering that all you need is creating a new public key pair (the onion domain is the hash of the public key). In theory anyone can create