Tools for simulating DDoS attacks [closed]

Solution 1:

There are basically three types of DDOS attacks:

----->Application-layer DDOS attack
----->Protocol DOS attack
----->Volume-based DDOS attack

> Application layer

 DDOS attack: Application-layer DDOS attacks are attacks that target Windows,
               Apache, OpenBSD, or other software vulnerabilities 
               to perform the attack and crash the server.

> Protocol DDOS attack

DDOS attack : A protocol DDOS attacks is a DOS attack on the protocol level. 
               This category includes Synflood, Ping of Death, and more.

> Volume-based

 DDOS attack: This type of attack includes ICMP floods,
               UDP floods, and other kind of floods performed via spoofed packets.

There are many tools available for free that can be used to flood a server and test the performance of server . A few tools also support a zombie network to perform DDOS .

1. LOIC (Low Orbit Ion Canon)

2. XOIC

3. HULK (HTTP Unbearable Load King)

4. DDOSIM—Layer 7 DDOS Simulator

5. R-U-Dead-Yet

6. Tor’s Hammer

7. PyLoris

8. OWASP DOS HTTP POST

9. DAVOSET

10. GoldenEye HTTP Denial Of Service Tool

Solution 2:

First you need to define what kind of attack you're trying to simulate.
Some common options include:

• TCP connection pool exhaustion
• Bandwidth exhaustion
• CPU/Memory exhaustion

Next pick (or write)tools that can be used to simulate that type of attack (HTTP Load Testing programs are often used, but there are dedicated tools out there as well. I'm not going to list them - you can Google as well as I can.)

Finally, run the attacks against your environment.
This may require additional machines (for an internal test), or multiple external environments (to effectively simulate an external threat).

BIG IMPORTANT WARNING

You should schedule and announce your test window so users are aware of the possibility of an outage. Often simulations result in actual failures.

Under NO Circumstances should you run a DoS simulation/test attack against your environment without first notifying your hosting provider. This is especially true for external / full stack tests that will be going through your provider's network.

Solution 3:

I don't have much experience with it, but take a look at LOIC (http://sourceforge.net/projects/loic/). You'll have to setup a number of clients, but you should be able to essentially DDoS yourself.

Solution 4:

A 'strong' DDoS attack is highly relative to your environment, and would be near impossible to replicate by yourself if we're talking about a public website and not within a controlled environment. A DoS attack is one thing, in order to simulate a real Distributed denial of service attack you need a real test-bed of botnet(s) which I'm sure you don't own (<<). It's not difficult to find a free/fee-for-all botnets that you can use with certain 'off-hacker-sites' applications, but would/should you really trust these to not do more damage than you expect? The last thing you want is being in a hacker's radar, and/or associated with a vulnerable site.

IMHO, a good DDoS will always win... specially if you don't have the good disaster recovery/business continuation plan.

This is coming from someone who's lived through a DDoS (DNS amplification attack), it's no picnic and even though it's highly exciting, it's nothing you want happened to your network/website/host.