„autobench – Automates the benchmarking of web servers using httperf.

autobench is used to automate web server benchmarking. It runs httperf against the specified host or hosts, ramping up the number of requested connections, and logging the results in TSV or CSV format files.“

thanks for that cool tool.

This is a basic yet very powerful way to stress-test your site.

WordPress, Blogspot but also TYPO3 without HipHop and PHP7 (check out this benchmark) seem to be quite good targets for this attack.

I basically managed to bring down my own blog with MySQL giving up 😀 and also slowed down Blogspot sites and managed to render a TYPO3-powered site basically defect. Shocking. Just imagine what an attacker could do running httperf like on 10x hacked servers. argh.

„Autobench is a Perl script designed to assist in the automation of benchmarking with httperf. It runs httperf a number of times against the target server, increasing the requested request rate each time, and produces output in the form of a CSV or TSV file which can be imported directly into a spreadsheet for further analysis or graphing.

Autobench also enables the easy comparison of two different web servers – it can test two servers and amalgamate the results in the same table, enabling comparative graphs to be drawn quickly and easily.

Obtaining autobench

Autobench can be obtained from http://www.xenoclast.org/autobench/.

Download the autobench tarball to your client machine, untar it, and run

make; make install

to install the autobench script.“

src: http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/node6.html

compile from source:

hostnamectl; # tested with
 Static hostname: debian9
 Chassis: vm
 Operating System: Debian GNU/Linux 9 (stretch)
 Kernel: Linux 4.11.8cuztom
 Architecture: x86-64

/usr/local/apache2/bin/httpd -v
Server version: Apache/2.4.27 (Unix)
Server built: Jul 27 2017 07:13:53

/usr/local/apache2/bin/httpd -V
Server version: Apache/2.4.27 (Unix)
Server built: Jul 27 2017 07:13:53
Server's Module Magic Number: 20120211:68
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit
Server MPM: worker
 threaded: yes (fixed thread count)
 forked: yes (variable process count)
Server compiled with....
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# prepare a software repository directory
mkdir /software;
cd /software;

# build from src
apt-get update;
apt-get install make;

# download src
wget http://www.xenoclast.org/autobench/downloads/autobench-2.1.2.tar.gz
wget http://www.xenoclast.org/autobench/downloads/autobench-2.1.2.tar.gz.asc
# mirror alternative:
wget http://dwaves.de/wp-content/uploads/2017/02/autobench-2.1.2.tar.gz
echo "-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

" >> autobench-2.1.2.tar.gz.asc;

# verify what we just downloaded
gpg --keyserver pool.sks-keyservers.net --recv-keys BCC7863F; # download author's public pgp key

gpg: requesting key BCC7863F from hkp server pool.sks-keyservers.net
gpg: key BCC7863F: public key "Julian T. J. Midgley <jtjm@xenoclast.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)

gpg --verify autobench-2.1.2.tar.gz.asc autobench-2.1.2.tar.gz
gpg: Signature made Thu 27 May 2004 07:01:33 PM CEST using DSA key ID BCC7863F
gpg: Good signature from "Julian T. J. Midgley <jtjm@xenoclast.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52D9 1750 5721 7E58 C9E1 A7D5 3027 2F2E BCC7 863F
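
The "not certified with a trusted signature" warning above means gpg checked the math but not who owns the key. As an added example (not part of the original post or of autobench), this sketch accepts the tarball only when the signature is valid and the key's full fingerprint equals a pinned value, because a short ID such as BCC7863F does not identify a key uniquely. The function names and sample status lines are constructed for illustration; the pinned fingerprint is the one printed in the output above and should be confirmed through a second channel before it is trusted.

```shell
#!/bin/sh
# Added example: accept a detached signature only if it is valid AND was made
# by the pinned key. PINNED_FPR is the fingerprint from the gpg output above.
PINNED_FPR="52D9175057217E58C9E1A7D530272F2EBCC7863F"

# Read `gpg --status-fd` lines on stdin and print the primary-key fingerprint
# of the first VALIDSIG record (last field; older gpg omits it, so fall back
# to the signing-key fingerprint in field 3). Prints nothing without VALIDSIG.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
             print toupper(NF >= 12 ? $NF : $3); exit
         }'
}

# Succeed only when stdin carries a VALIDSIG record from the pinned key.
status_matches_pin() {
    fpr=$(validsig_fpr)
    [ -n "$fpr" ] && [ "$fpr" = "$PINNED_FPR" ]
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the check above.
verify_pinned() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_matches_pin
}

# Constructed sample status streams (not captured from a real gpg run).
SAMPLE_GOOD='[GNUPG:] GOODSIG 30272F2EBCC7863F Julian T. J. Midgley <jtjm@xenoclast.org>
[GNUPG:] VALIDSIG 52D9175057217E58C9E1A7D530272F2EBCC7863F 2004-05-27 1085677293 0 3 0 17 2 00 52D9175057217E58C9E1A7D530272F2EBCC7863F'
# Valid signature from a different key that shares the short ID BCC7863F.
SAMPLE_LOOKALIKE='[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCC7863F 2004-05-27 1085677293 0 3 0 17 2 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABCC7863F'
# Tampered file: gpg reports BADSIG and never emits VALIDSIG.
SAMPLE_BAD='[GNUPG:] BADSIG 30272F2EBCC7863F Julian T. J. Midgley <jtjm@xenoclast.org>'

for name in GOOD LOOKALIKE BAD; do
    eval "sample=\$SAMPLE_$name"
    if printf '%s\n' "$sample" | status_matches_pin; then
        echo "$name: accepted"
    else
        echo "$name: rejected"
    fi
done

# Real use, after downloading both files:
#   verify_pinned autobench-2.1.2.tar.gz.asc autobench-2.1.2.tar.gz || exit 1
```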

# the precompiled .deb package below only works for 32-bit systems; for 64-bit you will have to compile from source:

apt-get update;
apt-get install httperf; # autobench depends on this
tar fxvz autobench-2.1.2.tar.gz
cd autobench-2.1.2
make install

install pre compiled binary package:

wget http://www.xenoclast.org/autobench/downloads/debian/autobench_2.1.2_i386.deb;
# alternative mirror:
wget http://dwaves.de/wp-content/uploads/2017/02/autobench_2.1.2_i386.deb_.gz

sha512sum autobench_2.1.2_i386.deb; # your checksum should be the same as mine...

dpkg -i autobench_2.1.2_i386.deb; # install autobench

how to use it/examples:

autobench --single_host --host1 domain.com --uri1 /10K --low_rate 20 --high_rate 200 --rate_step 20 --num_call 10 --num_conn 5000 --timeout 5 --file results.tsv.txt; # run your webserver benchmark / DDoS stresstest

you will have to re-run the command because it generates some config on the first run.

if your website is down after that… i guess it is not DDoS battle proof…

run htop on your webserver and check whether it’s hitting any RAM or other limits…

example results:

this was done from vm<->vm (same machine) with self-compiled version of apache2, where the server had only one core.

in file: autobench_example_results.tsv.txt

on screen: autobench-212_against_apache2_example_output.txt

about the package:

apt-cache show autobench
Package: autobench
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 105
Maintainer: Julian T. J. Midgley <jtjm@xenoclast.org>
Architecture: i386
Version: 2.1.2
Depends: httperf, libc6 (>= 2.3.2.ds1-4)
Recommends: gnuplot
/etc/autobench.conf 29053ba202bd8eefdcecc5413152a5b2
/etc/autobench.conf newconffile
Description: Automates the benchmarking of web servers using httperf
autobench is used to to automate web server benchmarking. It runs
httperf against the specified host or hosts, ramping up the number of
requested connections, and logging the results in TSV or CSV format
files. Graphs can be automatically generated using gnuplot.
Description-md5: 7346186f1d4a3cbbf1a4b3fe16376d5b

apt-cache show httperf
Package: httperf
Source: httperf (0.9.0-2)
Version: 0.9.0-2+b1
Installed-Size: 164
Maintainer: Alexander Reichle-Schmehl <tolimar@debian.org>
Architecture: i386
Depends: libc6 (>= 2.7), libssl1.0.0 (>= 1.0.0)
Description-en: An HTTP server performance tester
httperf is a tool to measure web server performance. It speaks the HTTP
protocol both in its HTTP/1.0 and HTTP/1.1 flavors and offers a variety of
workload generators. While running, it keeps track of a number of performance
metrics that are summarized in the form of statistics that are printed at
the end of a test run.
Description-md5: 2173cd93a1631220e1cebf53b9e2f4d4
Homepage: http://www.hpl.hp.com/research/linux/httperf/
Tag: admin::benchmarking, implemented-in::c, interface::commandline,
protocol::http, role::program, use::monitor
Section: web
Priority: optional
Filename: pool/main/h/httperf/httperf_0.9.0-2+b1_i386.deb
Size: 68126
MD5sum: b2d259412855b4610ee084740b0ccd3d
SHA1: 90d8965210b72ba8723f5c4afa4aafacec6e5380
SHA256: bba547282d07892953c275e5c4763ddbce16a60cfcb1460dbc4f3a73db87e01b



@github: https://github.com/menavaur/Autobench

author documentation: http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/