Ask HN: How can I DDOoS attack my personal website (for curiosity)?
Am curious about simulating cyber attacks (e.g. DDOS) on my own little website, for my curiosity. Am a software developer but know embarrassingly little about security and exploits.
Should mention I have a few laptops (2020 Macbook Pros) at my disposal to act as DIY Botnets.
EDIT: Thanks everyone. It seems to me the suggestions for DDOS'ing converge on hitting a expensive query/operation many times and this can be aided by various tools, such as botnets and load testing tools.
What about other "common" security exploits? ie, exploits that are commonly unprotected against and can cause damage to a website?
Also...I have websites hosted on Bluehost (wordpress) and Namecheap. Do these hosting services automatically protect me from the DDOS tactics suggested?
9 comments
[ 3.4 ms ] story [ 37.6 ms ] threadA few laptops with a few shells with curl to download the full main page or an image would be a possible self-run stress test. A DDoS is in practice stress testing gone to far (and without permission).
- buy a bunch of VMs and curl your site's weakest point (don't wait for the http response) / use loadtesting tools
- change the site infra to support 1 request per second at most, and hit it with 2! :D
- posting the url here will get you far
- develop an app for your site, make it super popular and let it call home (an unidentifiable and cache breaking request -- many have fallen to this)
Depending on the deployment and the site's infra, this can be trivial. Or you might need to pay a botnet (or create an app with x milion downloads, whatever is easiest).
https://azure.microsoft.com/en-us/products/load-testing/#ove...
https://aws.amazon.com/solutions/implementations/distributed...
https://loadninja.com/features/
https://loadium.com/features
Most hosts don't protect you from DDOS automatically, CloudFlare provides some level of protection for free now. You'll have to check with BlueHost to see if they have anything. Otherwise, I think you can sign up for CloudFlare's service even if your site isn't hosted there.
https://www.cloudflare.com/ddos-hub/#DDoS-Page-Pricing-AS
For other common security exploits as well as mitigations, you're probably looking for the OWASP Top 10: https://owasp.org/Top10/
Testing for this sort of thing falls under the realm of vulnerability scanning tools for the languages you are using. Several OWASP projects aim to make this easy and are implemented in many common languages, especially Dependency-Check, FindSecBugs, and APICheck.
https://owasp.org/projects/
You can dig through those projects or go looking for "<language> findbugs/findsecbugs/vulnerability scanner/etc". There are also commonly tools available for codified password detection, dead-code checks, and data-flow analysis, on top of the often used find-bugs and style guide checkers. Several widely used repositories, such as JFrog, provide scanning for stuff you upload and it's dependencies. SonarQube is also a big player in this space with integrations for many repos and CI/CD tools.
https://jfrog.com/knowledge-base/best-practices-for-package-...
https://www.sonarqube.org/