DDoS attacks are nasty stuff.
Even a simple tool such as autobench (it automates the benchmarking of web servers using httperf) can choke a web server: each request it fires makes the server spawn PHP workers and MySQL connections, and with hundreds or thousands of them in flight the server runs out of RAM, CPU or file descriptors and its services get slow or even unavailable. (Strictly speaking a single client doing this is a DoS; a DDoS is the same load arriving from many hosts at once.)
Some recommend complicated iptables rules to decrease the severity of such an attack.
But editing iptables directly is not supported when firewalld is in use (the default on RHEL7/CentOS7): firewalld rebuilds the netfilter ruleset on every reload, so hand-added iptables rules are lost. Use firewalld's --direct interface instead, as below.
# check what ports are active/open in your firewall (probably for a reason)
/bin/firewall-cmd --list-ports

# the rate limiting is done by the xt_recent netfilter module
modinfo xt_recent
filename:       /lib/modules/4.18.19/kernel/net/netfilter/xt_recent.ko
alias:          ip6t_recent
alias:          ipt_recent
license:        GPL
description:    Xtables: "recently-seen" host matching
author:         Jan Engelhardt <@medozas.de>
author:         Patrick McHardy <@trash.net>
modprobe xt_recent

# for each open port go:
# 80/tcp
# rule 0: every NEW connection to port 80 adds the source IP (with a timestamp) to the recent list
/bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 0 -p tcp --dport 80 -m state --state NEW -m recent --set
# rule 1: from the 30th NEW connection within 60 seconds on, the same source gets a TCP reset
/bin/firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT_direct 1 -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 30 -j REJECT --reject-with tcp-reset
/bin/firewall-cmd --reload

# verify: the rules are active, and the list fills up while a test runs
/bin/firewall-cmd --direct --get-all-rules
cat /proc/net/xt_recent/DEFAULT

things to keep in mind with this kind of rule:
- it is per source IP, so many users behind one NAT gateway or corporate proxy share one counter and can be locked out together; if a reverse proxy or CDN sits in front of the server, all traffic arrives from the proxy's IP and the rule would block the proxy, so apply it on the proxy instead
- it counts TCP connections, not requests: with keep-alive one page view is one NEW connection, without keep-alive every image and script is one, so pick the hitcount after looking at real traffic
- the rules above only cover IPv4; a dual-stack host needs the same two rules with "ipv6" instead of "ipv4"
- if the rule fails to load with a complaint about the hitcount, the module parameter ip_pkt_list_tot (default 20, the number of timestamps kept per address) is lower than --hitcount on that kernel; load the module with a larger value (modprobe xt_recent ip_pkt_list_tot=64)
- this protects the web stack from connection floods; a volumetric attack that saturates the uplink has to be filtered upstream, no host firewall rule helps against that
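As an added example (this is not code from certdepot.net or from the original post), the per-port rules above turned into a small generator: it takes the port list in the format that firewall-cmd --list-ports prints, emits the two xt_recent rules for every TCP port for both IPv4 and IPv6, and prints them as a dry run so they can be reviewed before being piped into sh. The list names ratelimit_<port> are my choice; the rules above use xt_recent's DEFAULT list for all ports. The port list at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: generate firewalld --direct
# rate-limit rules for every open TCP port, IPv4 and IPv6, as a dry run.
# Assumptions: PORTS looks like "80/tcp 443/tcp" (the --list-ports format);
# list names ratelimit_<port> are chosen here (the page uses DEFAULT).

# gen_ratelimit_rules "PORTS" [WINDOW_SECONDS] [HITCOUNT]
# prints one firewall-cmd invocation per line, ending with the reload
gen_ratelimit_rules() {
    ports=$1
    window=${2:-60}
    hits=${3:-30}
    prio=0
    for entry in $ports; do
        port=${entry%/*}
        proto=${entry#*/}
        # only TCP: "NEW" and tcp-reset make no sense for UDP flows
        [ "$proto" = "tcp" ] || continue
        for fam in ipv4 ipv6; do
            # rule A: record the source of every NEW connection to this port
            printf 'firewall-cmd --permanent --direct --add-rule %s filter INPUT_direct %d -p tcp --dport %s -m state --state NEW -m recent --name ratelimit_%s --set\n' \
                "$fam" "$prio" "$port" "$port"
            prio=$((prio + 1))
            # rule B: a source with >= HITCOUNT NEW connections inside WINDOW gets a TCP reset
            printf 'firewall-cmd --permanent --direct --add-rule %s filter INPUT_direct %d -p tcp --dport %s -m state --state NEW -m recent --name ratelimit_%s --update --seconds %d --hitcount %d -j REJECT --reject-with tcp-reset\n' \
                "$fam" "$prio" "$port" "$port" "$window" "$hits"
            prio=$((prio + 1))
        done
    done
    echo "firewall-cmd --reload"
}

# count_rules "PORTS": number of --add-rule lines generated (4 per TCP port)
count_rules() {
    gen_ratelimit_rules "$1" | grep -c -- '--add-rule'
}

# dry run on a constructed port list; on the real host:
#   gen_ratelimit_rules "$(firewall-cmd --list-ports)" | sh
gen_ratelimit_rules "80/tcp 443/tcp 53/udp"
```

Separate list names per port mean a client hammering port 80 does not also lose port 443; with one shared list (the DEFAULT list the rules above use) the counter covers all ports together, which is stricter but also easier to trip by accident.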
src: https://www.certdepot.net/rhel7-mitigate-http-attacks/
"autobench is used to automate web server benchmarking. It runs httperf against the specified host or hosts, ramping up the number of requested connections, and logging the results in TSV or CSV format files." (from the Debian package description)
thanks for that cool tool.
This is a basic yet very powerful way to stress-test your site.
WordPress, Blogspot, but also TYPO3 without HipHop (HHVM) or PHP7 (check out this benchmark) seem to be quite good targets for this kind of attack.
I basically managed to bring down my own blog (MySQL gave up 😀), slowed down Blogspot sites and rendered a TYPO3-powered site basically defunct. Shocking. Just imagine what an attacker could do running httperf on, say, 10 hacked servers. argh.
“Autobench is a Perl script designed to assist in the automation of benchmarking with httperf. It runs httperf a number of times against the target server, increasing the requested request rate each time, and produces output in the form of a CSV or TSV file which can be imported directly into a spreadsheet for further analysis or graphing.
Autobench also enables the easy comparison of two different web servers – it can test two servers and amalgamate the results in the same table, enabling comparative graphs to be drawn quickly and easily.
Obtaining autobench
Autobench can be obtained from http://www.xenoclast.org/autobench/
Download the autobench tarball to your client machine, untar it, and run
make; make install
to install the autobench script."
src: http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/node6.html
the target: Apache 2.4.27 compiled from source, running on this test VM:
hostnamectl; # tested with
   Static hostname: debian9
           Chassis: vm
  Operating System: Debian GNU/Linux 9 (stretch)
            Kernel: Linux 4.11.8cuztom
      Architecture: x86-64

/usr/local/apache2/bin/httpd -v
Server version: Apache/2.4.27 (Unix)
Server built:   Jul 27 2017 07:13:53

/usr/local/apache2/bin/httpd -V
Server version: Apache/2.4.27 (Unix)
Server built:   Jul 27 2017 07:13:53
Server's Module Magic Number: 20120211:68
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     worker
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/usr/local/apache2"
 -D SUEXEC_BIN="/usr/local/apache2/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
hey:
hey – HTTP load generator, formerly known as rakyll/boom (written in Go)
# possible example: 5000 requests in total, spread over 2000 concurrent workers
hey -n 5000 -c 2000 -m GET http://website.com/
# 2000 workers means 2000 open sockets on the client; raise the open-file limit first (ulimit -n 4096) or hey fails with "too many open files". And as with httperf below: only against hosts you own or are allowed to test.
Usage: hey [options...]
Options:
-n Number of requests to run. Default is 200.
-c Number of workers to run concurrently. Total number of requests cannot
be smaller than the concurrency level. Default is 50.
-q Rate limit, in queries per second (QPS) per worker. Default is no rate limit.
-z Duration of application to send requests. When duration is reached,
application stops and exits. If duration is specified, n is ignored.
Examples: -z 10s -z 3m.
-o Output type. If none provided, a summary is printed.
"csv" is the only supported alternative. Dumps the response
metrics in comma-separated values format.
-m HTTP method, one of GET, POST, PUT, DELETE, HEAD, OPTIONS.
-H Custom HTTP header. You can specify as many as needed by repeating the flag.
For example, -H "Accept: text/html" -H "Content-Type: application/xml" .
-t Timeout for each request in seconds. Default is 20, use 0 for infinite.
-A HTTP Accept header.
-d HTTP request body.
-D HTTP request body from file. For example, /home/user/file.txt or ./file.txt.
-T Content-type, defaults to "text/html".
-a Basic authentication, username:password.
-x HTTP Proxy address as host:port.
-h2 Enable HTTP/2.
-host HTTP Host header.
-disable-compression Disable compression.
-disable-keepalive Disable keep-alive, prevents re-use of TCP
connections between different HTTP requests.
-disable-redirects Disable following of HTTP redirects
-cpus Number of used cpu cores.
(default for current machine is 4 cores)
autobench:
is a Perl script on top of httperf. Unfortunately it is not actively developed anymore, and the only pre-built Debian package is i386 (32-bit); since it is Perl it still runs on 64-bit systems when installed from the source tarball (see below).
httperf can (of course) also be used directly like this:
(WARNING! DO NOT DO THIS AGAINST PUBLICLY AVAILABLE WEBSITES! IT MIGHT BE SEEN AS AN ATTACK AND THE USER’S IP MIGHT GET BLOCKED BECAUSE OF THIS! ALSO IT JUST WASTES ENERGY!)
httperf --server=website.com --uri=/ --num-conns=5000 --num-calls=50

# trying to install autobench
# prepare a software repository directory
mkdir /software; cd /software;
# build from src
apt-get update; apt-get install make;
# you might also need dirmngr, otherwise gpg --recv-keys fails with:
gpg: failed to start the dirmngr '/usr/bin/dirmngr': No such file or directory
gpg: connecting dirmngr at '/run/user/1000/gnupg/S.dirmngr' failed: No such file or directory
gpg: keyserver receive failed: No dirmngr
apt install dirmngr
# download src
wget http://www.xenoclast.org/autobench/downloads/autobench-2.1.2.tar.gz
wget http://www.xenoclast.org/autobench/downloads/autobench-2.1.2.tar.gz.asc
# mirror alternative (--no-check-certificate skips TLS verification, so the PGP check below is the only thing vouching for this download):
wget --no-check-certificate https://dwaves.de/software/bench/autobench-2.1.2.tar.gz
# the detached signature as pasted on the original page
echo "-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQBAth7tMCcvLrzHhj8RAlKnAKCGkPuD2EwmFU83ARReloajFv+4YQCglexA
rISpqnFPIRjiag3bA6vmKxc=
=qAsG
-----END PGP SIGNATURE-----
" >> autobench-2.1.2.tar.gz.asc;
# verify what we just downloaded: fetch the author's public pgp key
gpg --keyserver pool.sks-keyservers.net --recv-keys BCC7863F;
gpg: requesting key BCC7863F from hkp server pool.sks-keyservers.net
gpg: key BCC7863F: public key "Julian T. J. Midgley <jtjm@xenoclast.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg --verify autobench-2.1.2.tar.gz.asc autobench-2.1.2.tar.gz
gpg: Signature made Thu 27 May 2004 07:01:33 PM CEST using DSA key ID BCC7863F
gpg: Good signature from "Julian T. J. Midgley <jtjm@xenoclast.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 52D9 1750 5721 7E58 C9E1 A7D5 3027 2F2E BCC7 863F
# notes on the verification:
# - the sks-keyservers pool has been shut down since 2021; fetch the key from keys.openpgp.org or another source instead
# - BCC7863F is a 32-bit short key ID and can be spoofed; compare the full fingerprint printed above, not the short ID
# - "Good signature" only proves the tarball matches this key; the WARNING says nobody you trust has certified that the key belongs to the author, which is the remaining gap

# the pre-compiled .deb (next section) only works on 32-bit systems, for 64-bit you have to build from source as shown here
apt-get update; apt-get install httperf; # autobench depends on this
tar fxvz autobench-2.1.2.tar.gz
cd autobench-2.1.2
make
make install
install the pre-compiled binary package (i386 only):
wget http://www.xenoclast.org/autobench/downloads/debian/autobench_2.1.2_i386.deb;
# alternative mirror:
wget --no-check-certificate https://dwaves.de/software/bench/autobench_2.1.2_i386.deb
sha512sum autobench_2.1.2_i386.deb; # your checksum should be the same as mine...
ece6efc7b92038d9160faac95ddfaac4b11aff90c0a8a94d6b2f4987d9c6b0aa7781bf0a6c2c1458edc87dd4fe3c43a6d6aa554d39a3547829f5751337cc8e51  autobench_2.1.2_i386.deb
dpkg -i autobench_2.1.2_i386.deb; # install autobench
note: a checksum published next to the download catches corruption, not substitution; the PGP signature on the source tarball above is the check that actually binds the file to its author.
how to use it/examples:
autobench --single_host --host1 domain.com --uri1 /10K --low_rate 20 --high_rate 200 --rate_step 20 --num_call 10 --num_conn 5000 --timeout 5 --file results.tsv.txt; # run your webserver benchmark / DDoS stresstest
# httperf is run once per rate from 20 up to 200 connections per second in steps of 20; each run opens 5000 connections with 10 requests each, and a reply that takes longer than 5 s counts as failed; --uri1 is the path to request (use one that exists on your server)
you will have to re-run the command because it generates a default config file on the first run.
if your website is down after that... I guess it is not DDoS battle proof...
run htop on your webserver and check whether it is hitting RAM, CPU or other limits...
on the server you can monitor the number of connections per remote IP with this script/command (netstat -ntu prints two header lines, which are skipped, and IPv6 peers contain colons inside the address, so only the trailing :port is stripped instead of cutting at the first colon):
cat /scripts/monitor_concurrent_connections.sh
#!/bin/sh
while true; do
    clear
    echo "================ show amount of connections per ip =================="
    # column 5 = foreign address; tail -n +3 skips the netstat header lines
    netstat -ntu | tail -n +3 | awk '{ a=$5; sub(/:[0-9]+$/, "", a); print a }' | sort | uniq -c | sort -n
    sleep 1
done
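The same per-IP count as a scriptable check, added here as an example (not code from the original post): it reads netstat -ntu style output, counts connections per remote address for IPv4 and IPv6, and prints the addresses above a threshold, which is what you would feed into a blocklist or an alert instead of watching the loop above by eye. The SAMPLE input is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original post: connections per remote IP from
# netstat -ntu output, plus a threshold check. Handles IPv4 and IPv6 peers.
# SAMPLE below is constructed test data (documentation addresses only).

# per_ip_counts < NETSTAT_OUTPUT : prints "COUNT IP", highest count first
per_ip_counts() {
    awk '$1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            addr = $5                 # foreign address, e.g. 203.0.113.7:51234 or 2001:db8::5:40000
            sub(/:[0-9]+$/, "", addr) # strip the port; works for IPv4 and for IPv6 (last colon group)
            gsub(/\[|\]/, "", addr)   # tolerate [addr]:port style IPv6 peers
            n[addr]++
        }
        END { for (a in n) print n[a], a }' | sort -rn
}

# flag_over THRESHOLD < NETSTAT_OUTPUT : remote IPs with more than THRESHOLD connections
flag_over() {
    per_ip_counts | awk -v t="$1" '$1 > t { print $2 }'
}

SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           203.0.113.7:51234       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51235       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51236       SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.7:51237       ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.7:51238       TIME_WAIT
tcp        0      0 192.0.2.10:443          198.51.100.4:40001      ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:40000       ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8::5:40001       ESTABLISHED
udp        0      0 192.0.2.10:53           198.51.100.9:5353       ESTABLISHED'

# on a real host: netstat -ntu | flag_over 30
printf '%s\n' "$SAMPLE" | per_ip_counts
printf '%s\n' "$SAMPLE" | flag_over 3
```

The column layout is netstat's; ss -ntu puts the peer address in a different column, so adjust $5 if you switch tools. Half-open (SYN_RECV) and TIME_WAIT sockets are counted on purpose: during a flood they are exactly the ones piling up.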
example results:
this was done VM-to-VM (both on the same physical machine) against the self-compiled Apache 2.4.27, where the server VM had only one core.
in file: autobench_example_results.tsv.txt
on screen: autobench-212_against_apache2_example_output.txt
about the package:
apt-cache show autobench
Package: autobench
Status: install ok installed
Priority: optional
Section: utils
Installed-Size: 105
Maintainer: Julian T. J. Midgley <jtjm@xenoclast.org>
Architecture: i386
Version: 2.1.2
Depends: httperf, libc6 (>= 2.3.2.ds1-4)
Recommends: gnuplot
Conffiles:
 /etc/autobench.conf 29053ba202bd8eefdcecc5413152a5b2
 /etc/autobench.conf newconffile
Description: Automates the benchmarking of web servers using httperf
 autobench is used to automate web server benchmarking. It runs httperf
 against the specified host or hosts, ramping up the number of requested
 connections, and logging the results in TSV or CSV format files. Graphs
 can be automatically generated using gnuplot.
Description-md5: 7346186f1d4a3cbbf1a4b3fe16376d5b

apt-cache show httperf
Package: httperf
Source: httperf (0.9.0-2)
Version: 0.9.0-2+b1
Installed-Size: 164
Maintainer: Alexander Reichle-Schmehl <tolimar@debian.org>
Architecture: i386
Depends: libc6 (>= 2.7), libssl1.0.0 (>= 1.0.0)
Description-en: An HTTP server performance tester
 httperf is a tool to measure web server performance. It speaks the HTTP
 protocol both in its HTTP/1.0 and HTTP/1.1 flavors and offers a variety of
 workload generators. While running, it keeps track of a number of
 performance metrics that are summarized in the form of statistics that are
 printed at the end of a test run.
Description-md5: 2173cd93a1631220e1cebf53b9e2f4d4
Homepage: http://www.hpl.hp.com/research/linux/httperf/
Tag: admin::benchmarking, implemented-in::c, interface::commandline, protocol::http, role::program, use::monitor
Section: web
Priority: optional
Filename: pool/main/h/httperf/httperf_0.9.0-2+b1_i386.deb
Size: 68126
MD5sum: b2d259412855b4610ee084740b0ccd3d
SHA1: 90d8965210b72ba8723f5c4afa4aafacec6e5380
SHA256: bba547282d07892953c275e5c4763ddbce16a60cfcb1460dbc4f3a73db87e01b
manpages:
links:
https://www.linux.com/news/using-free-software-http-load-testing/
http://curl-loader.sourceforge.net/
@github: https://github.com/menavaur/Autobench
author documentation: http://www.xenoclast.org/doc/benchmark/HTTP-benchmarking-HOWTO/
http://www.xenoclast.org/autobench/
https://dwaves.de/2016/09/08/ddos-as-a-service-vdos-poodlestresser-and-israel-fbi-arrests/
https://www.percona.com/blog/2007/11/13/10-ways-to-crash-or-overload-mysql/
https://www.rivalhost.com/ddos-protection-ways-protect-ddos-attacks/