Tuesday, December 11, 2012

How to Simulate a HTTP GET BotNet DDoS Attack

Today I would like to share a cool tool called Bonesi DDoS Botnet Simulator.

web page : http://code.google.com/p/bonesi/

BoNeSi is able to simulate a TCP based HTTP-GET flood on a victim.3way handshake is completed. Its a much more advanced testing technique than Syn Http Flood, hping can only send tcp packet flags.
Since non spoofed IP connections require correct routing setup, this tool can only be used in closed testbed setups.

It can establish several thousands of HTTP connections from different IP addresses defined at iplist.txt making this tool to simulate advanced bot networks.

How does TCP Spoofing work?
BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary, that all traffic from the target webserver is routed back to the host running BoNeSi
HTTP-Flooding attacks can not be simulated in the internet, because answers from the webserver must be routed back to the host running BoNeSi.

It can be used to test firewall systems, routing hardware, DDoS Mitigation Systems or webservers directly.



my test usage was,
# bonesi -i 50k-bots.txt -p tcp -r 0 -u http://cagdastestlab.com -b useragent.txt -d eth1 -v 213.153.205.182:80



Usage: bonesi [OPTION...] <dst_ip:port>
 Options:
  -i, --ips=FILENAME               filename with ip list
  -p, --protocol=PROTO             udp (default), icmp or tcp
  -r, --send_rate=NUM              packets per second, 0 = infinite (default)
  -s, --payload_size=SIZE          size of the paylod, (default: 32)
  -o, --stats_file=FILENAME        filename for the statistics, (default: 'stats')
  -c, --max_packets=NUM            maximum number of packets (requests at tcp/http), 0 = infinite (default)
      --integer                    IPs are integers in host byte order instead of in dotted notation
  -t, --max_bots=NUM               determine max_bots in the 24bit prefix randomly (1-256)
  -u, --url=URL                    the url (default: '/') (only for tcp/http)
  -l, --url_list=FILENAME          filename with url list (only for tcp/http)
  -b, --useragent_list=FILENAME    filename with useragent list (only for tcp/http)
  -d, --device=DEVICE              network listening device (only for tcp/http)
  -m, --mtu=NUM                    set MTU, (default 1500)
  -f, --frag=NUM                   set fragmentation mode (0=IP, 1=TCP, default: 0)
  -v, --verbose                    print additional debug messages
  -h, --help                       print this message and exit