Am curious about simulating cyber attacks (e.g. DDOS) on my own little website, for my curiosity. Am a software developer but know embarrassingly little about security and exploits.<p>Should mention I have a few laptops (2020 Macbook Pros) at my disposal to act as DIY Botnets.<p>EDIT:
Thanks everyone. It seems to me the suggestions for DDOS'ing converge on hitting a expensive query/operation many times and this can be aided by various tools, such as botnets and load testing tools.<p>What about other "common" security exploits? ie, exploits that are commonly unprotected against and can cause damage to a website?<p>Also...I have websites hosted on Bluehost (wordpress) and Namecheap. Do these hosting services automatically protect me from the DDOS tactics suggested?
- pay a shady botnet to do it for you<p>- buy a bunch of VMs and curl your site's weakest point (don't wait for the http response) / use loadtesting tools<p>- change the site infra to support 1 request per second at most, and hit it with 2! :D<p>- posting the url here will get you far<p>- develop an app for your site, make it super popular and let it call home (an unidentifiable and cache breaking request -- many have fallen to this)<p>Depending on the deployment and the site's infra, this can be trivial. Or you might need to pay a botnet (or create an app with x milion downloads, whatever is easiest).
You can start by using Apache Benchmark: <a href="https://httpd.apache.org/docs/2.4/programs/ab.html" rel="nofollow">https://httpd.apache.org/docs/2.4/programs/ab.html</a>
You could try posting it on HN and asking for feedback.<p>A few laptops with a few shells with curl to download the full main page or an image would be a possible self-run stress test. A DDoS is in practice stress testing gone to far (and without permission).
Be careful with this. A DDOS will not only affect your own website but also the infrastructure around it. Your ISP’s servers and routers will be impacted, and it may cost them a lot of money to deal with your test DDOS. It will also affect other customers of that ISP and other people on the Internet. Be sure to get written permission.
Find an expensive query on your website like search or logging in and then spam requests to it from multiple machines. If you are just doing a pure flood of traffic to saturate the available bandwidth you can be accidently affecting the stability of other services hosted nearby.
As others alluded to, DDOS is basically just an unplanned load test. So you can simulate one with load testing tools.<p><a href="https://azure.microsoft.com/en-us/products/load-testing/#overview" rel="nofollow">https://azure.microsoft.com/en-us/products/load-testing/#ove...</a><p><a href="https://aws.amazon.com/solutions/implementations/distributed-load-testing-on-aws/" rel="nofollow">https://aws.amazon.com/solutions/implementations/distributed...</a><p><a href="https://loadninja.com/features/" rel="nofollow">https://loadninja.com/features/</a><p><a href="https://loadium.com/features" rel="nofollow">https://loadium.com/features</a><p>Most hosts don't protect you from DDOS automatically, CloudFlare provides some level of protection for free now. You'll have to check with BlueHost to see if they have anything. Otherwise, I think you can sign up for CloudFlare's service even if your site isn't hosted there.<p><a href="https://www.cloudflare.com/ddos-hub/#DDoS-Page-Pricing-AS" rel="nofollow">https://www.cloudflare.com/ddos-hub/#DDoS-Page-Pricing-AS</a><p>For other common security exploits as well as mitigations, you're probably looking for the OWASP Top 10: <a href="https://owasp.org/Top10/" rel="nofollow">https://owasp.org/Top10/</a><p>Testing for this sort of thing falls under the realm of vulnerability scanning tools for the languages you are using. Several OWASP projects aim to make this easy and are implemented in many common languages, especially Dependency-Check, FindSecBugs, and APICheck.<p><a href="https://owasp.org/projects/" rel="nofollow">https://owasp.org/projects/</a><p>You can dig through those projects or go looking for "<language> findbugs/findsecbugs/vulnerability scanner/etc". There are also commonly tools available for codified password detection, dead-code checks, and data-flow analysis, on top of the often used find-bugs and style guide checkers. Several widely used repositories, such as JFrog, provide scanning for stuff you upload and it's dependencies. SonarQube is also a big player in this space with integrations for many repos and CI/CD tools.<p><a href="https://jfrog.com/knowledge-base/best-practices-for-package-vulnerability-scanning/" rel="nofollow">https://jfrog.com/knowledge-base/best-practices-for-package-...</a><p><a href="https://www.sonarqube.org/" rel="nofollow">https://www.sonarqube.org/</a>