Cyber Attack Preparation Platform (CAPP)

History

Since DOSarrest’s first days back in 2007 we knew we had to have a system to test our assumptions about the DDoS defenses we were providing to our global client base. Some of our assumptions about stopping DDoS attacks were correct; sometimes they were not, and we had to scramble to create features on the fly that we could apply to a customer’s config to get the job done. Fast forward 11 years and DDoS attacks have at times become very complex in nature, making them difficult to mitigate in a straightforward fashion. Add to this that most attacks these days are actually made up of 3 to 7 completely different attack types, all hitting your website at the same time.

Most people, and even so-called experts, don’t understand that a well-placed attack measuring less than 5 Mb/s can bring an unprotected website to a screeching halt. By well placed we mean aimed at a specific URL on your website that is dynamic and very CPU intensive, so that each request costs the server far more than it costs the attacker to send. Real attackers know this and won’t just hit your front page; they will look for the weakest link and go after it. To make things even more difficult, they will throw in other attack types just to confuse you.

A sample scenario we have seen many times:

  1. TCP SYN attack                      1.5 Gb/sec   1.0 M PPS   # of IP source addresses = 2K
  2. UDP flood                           3.0 Gb/sec   2.2 M PPS   # of IP source addresses = 0.1K
  3. TCP FIN attack                      500 Mb/sec   500K PPS    # of IP source addresses = 0.2K
  4. PhantomJS headless browser attack   2 Mb/sec     2K PPS      # of IP source addresses = 200


In the example above the website is down. While your DDoS defenses and your technical team are focused on the volumetric attacks (1, 2 and 3), the site is in fact down because of attack type 4: at 2 Mb/s it is invisible on a bandwidth graph, yet each request is a real browser-driven page load that the server must fully process.

Why Use CAPP ?

Test your defenses:

You can run as many tests and combinations of tests as you like. If you fail, retest with the exact same attack type and strength until you successfully defend against the attack. This way you can be sure you have the right defenses in place.

Save money on AWS, Azure and Google cloud:

Many cloud providers stop DDoS attacks with pure CPU power and bandwidth. They have lots to spare and would love to help you stop attacks by simply serving every request the attacker asks for. Your site may not go down, but by the time you see your bill at the end of the month it could cost you a small fortune.

Note: we have stock attacks in our system that cause the victim/target to emit 20 times or more bandwidth than what the attack sends to it. In essence, the target is made to DDoS its own ISP (and, on a metered cloud host, its own bill).
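The check a practitioner would run on the scenario above and on the amplification note: rank URLs in the access log by their share of server time and by bytes out per byte in, rather than by request count or bandwidth. This is an added example, not DOSarrest code. It assumes a constructed log format with one request per line (nginx can emit the equivalent with $request_length, $bytes_sent and $request_time); the log lines, addresses and timings are constructed, not captured.

```python
"""Find the low-bandwidth application-layer flood hiding behind the volumetric noise.

Assumed (constructed) log format, one request per line:
    <client_ip> "<METHOD> <path>" <status> <request_bytes> <response_bytes> <server_ms>
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'(?P<req_bytes>\d+) (?P<resp_bytes>\d+) (?P<ms>\d+)$'
)


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (malformed lines are skipped, not fatal)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    # Drop the query string: flood tools randomise it to defeat caches, so group on the path.
    rec["path"] = rec["path"].split("?", 1)[0]
    for key in ("status", "req_bytes", "resp_bytes", "ms"):
        rec[key] = int(rec[key])
    return rec


def analyze(lines, top_n=3):
    """Per-URL cost report, sorted by share of total server time (most expensive first)."""
    per_url = defaultdict(lambda: {"requests": 0, "ms": 0, "in": 0, "out": 0, "ips": defaultdict(int)})
    total_ms = total_in = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        u = per_url[rec["path"]]
        u["requests"] += 1
        u["ms"] += rec["ms"]
        u["in"] += rec["req_bytes"]
        u["out"] += rec["resp_bytes"]
        u["ips"][rec["ip"]] += 1
        total_ms += rec["ms"]
        total_in += rec["req_bytes"]
    report = []
    for path, u in per_url.items():
        report.append({
            "path": path,
            "requests": u["requests"],
            "share_of_server_time": u["ms"] / total_ms if total_ms else 0.0,
            "share_of_ingress_bytes": u["in"] / total_in if total_in else 0.0,
            # Egress amplification: bytes the target emits per byte the attacker sends
            "amplification": u["out"] / u["in"] if u["in"] else 0.0,
            "distinct_ips": len(u["ips"]),
            "top_ips": sorted(u["ips"].items(), key=lambda kv: -kv[1])[:top_n],
        })
    report.sort(key=lambda r: -r["share_of_server_time"])
    return report


def sample_log():
    """Constructed sample: a healthy cached front page plus a headless-browser flood on a dynamic search URL."""
    lines = []
    # 2,000 legitimate hits on "/" from 2,000 different clients: 400 B in, 8 kB out, 3 ms each
    for i in range(2000):
        lines.append(f'10.{(i >> 8) & 255}.{i & 255}.1 "GET /" 200 400 8000 3')
    # 300 hits on an uncacheable search page from only 20 sources: 500 B in, 60 kB out, 900 ms each
    for i in range(300):
        lines.append(f'192.0.2.{i % 20 + 1} "GET /search?q=x{i}" 200 500 60000 900')
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for row in analyze(sample_log()):
        print(f'{row["path"]:<10} reqs={row["requests"]:>5} time={row["share_of_server_time"]:.1%} '
              f'bytes_in={row["share_of_ingress_bytes"]:.1%} ampl={row["amplification"]:.0f}x '
              f'ips={row["distinct_ips"]} top={row["top_ips"][:2]}')
```

On the constructed sample the search URL receives 13% of requests and 16% of ingress bytes, yet accounts for about 98% of server time and emits 120 bytes for every byte sent to it; a bandwidth graph shows nothing, a server-time breakdown per URL shows everything. The same report lists the few source addresses behind that URL, which is what a per-URL rate limit or challenge should key on.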

System Overview

The system is made up of hundreds of high-powered machines, each on its own IP address and connected to a mix of multiple 10 Gb/sec and 100 Gb/sec upstream links. The botnet is located in 5 geographic regions: Europe, US east, Canada, US west and Asia. The total strength of this private botnet is over 100 Gb/sec and 70 M PPS for certain TCP volumetric attacks. Depending on the type and scale of the attack chosen and the region, an auxiliary third-party cloud pool of machines is activated on demand to supply the required resources. This is primarily for certain sophisticated HTTP attacks and provides extra IP addresses as well as source location diversity.


Once you have chosen a target site and IP address and it has been verified by DOSarrest, an easy-to-use wizard walks you through the steps required to run a test attack. Some of the TCP tests have serious firepower, and we strongly recommend you use our bandwidth and packets-per-second calculator so you don’t risk bringing down your whole infrastructure while conducting test attacks.

CAPP Calculator

Step 1 is to choose your attack(s)

Click here to see and learn more about attack types available.

Step 2

  1. Choose your source attack regions: from 1 up to 5 simultaneous locations
  2. Choose the duration of the attack in minutes; we recommend starting at 5 minutes
  3. Depending on the attack(s) you have chosen, you can decide between HTTP and HTTPS
  4. Choose your URL; the default is the main page, but you can enter any specific URL you desire
  5. Choose your port; the default is 80, but you can choose any port, which is great for custom apps

At this stage all you have to do is choose the intensity for each bot participating in the attack(s) you have selected and the size of the botnet in each geographic region you have chosen.
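Before settling on a per-bot intensity and a botnet size per region, a practitioner wants the arithmetic behind the calculator: the aggregate packet rate and the load on the wire, checked against the upstream link and the packets-per-second limit of the first stateful device in the path. The following is an added example, not the CAPP calculator itself; the plan figures, the link size and the device limit are constructed, not measured.

```python
"""Bandwidth and packet-rate budget for a test attack, before you press start."""

ETH_OVERHEAD = 18     # 14-byte Ethernet header + 4-byte FCS
WIRE_OVERHEAD = 20    # 8-byte preamble/SFD + 12-byte inter-frame gap
MIN_FRAME = 64        # frames are padded up to the Ethernet minimum

# Constructed plan: bots per region and the per-bot rate you intend to type into the wizard
EXAMPLE_PLAN = {
    "US east": {"bots": 40, "pps_per_bot": 25_000},
    "Europe":  {"bots": 40, "pps_per_bot": 25_000},
    "Asia":    {"bots": 20, "pps_per_bot": 25_000},
}


def wire_bits_per_packet(ip_bytes):
    """Bits a single IP packet occupies on the link, including framing, padding and gap."""
    frame = max(ip_bytes + ETH_OVERHEAD, MIN_FRAME)
    return (frame + WIRE_OVERHEAD) * 8


def plan_load(plan, ip_bytes):
    """Aggregate packet rate and link load for a plan, for packets of the given IP size."""
    per_region = {region: cfg["bots"] * cfg["pps_per_bot"] for region, cfg in plan.items()}
    total_pps = sum(per_region.values())
    return {"per_region_pps": per_region, "total_pps": total_pps,
            "total_bps": total_pps * wire_bits_per_packet(ip_bytes)}


def check_budget(load, link_gbps, device_pps_limit, headroom=0.8):
    """Compare a load with the link and device limits; 'limiting' says which one you hit first."""
    bw_util = load["total_bps"] / (link_gbps * 1e9)
    pps_util = load["total_pps"] / device_pps_limit
    return {"bandwidth_utilisation": bw_util, "pps_utilisation": pps_util,
            "limiting": "pps" if pps_util > bw_util else "bandwidth",
            "safe": max(bw_util, pps_util) <= headroom}


def max_pps_per_bot(plan, ip_bytes, link_gbps, device_pps_limit, headroom=0.8):
    """Largest uniform per-bot rate that keeps the whole plan inside the headroom."""
    bots = sum(cfg["bots"] for cfg in plan.values())
    pps_cap = min(headroom * device_pps_limit,
                  headroom * link_gbps * 1e9 / wire_bits_per_packet(ip_bytes))
    return int(pps_cap // bots)


if __name__ == "__main__":
    for name, ip_bytes in (("40-byte SYN", 40), ("1460-byte HTTP", 1460)):
        load = plan_load(EXAMPLE_PLAN, ip_bytes)
        budget = check_budget(load, link_gbps=1, device_pps_limit=1_000_000)
        print(f"{name}: {load['total_pps'] / 1e6:.2f} Mpps, {load['total_bps'] / 1e9:.2f} Gb/s on the wire, "
              f"limited by {budget['limiting']}, safe={budget['safe']}, "
              f"max per-bot rate {max_pps_per_bot(EXAMPLE_PLAN, ip_bytes, 1, 1_000_000)} pps")
```

The two cases in the main block show why both numbers matter: with 40-byte SYN packets a 1 Gb/s link carries only about 1.49 million frames per second and the stateful device's packet limit is reached first, while with full-size HTTP packets the link fills long before the device runs out of packets per second. The safe per-bot rate differs by more than an order of magnitude between the two, so the figure entered in the wizard has to be recomputed whenever the attack type changes.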

Reporting :
Once a test has started you can view interactive graphical displays that auto refresh every 10 seconds.

Pricing :
This service has a convenient online pricing calculator, and as always current DOSarrest customers receive a 50% discount on the cost of this extra service.

Authorization :
DOSarrest’s private attack platform is strictly controlled and anyone wishing to use the system will require authorization from their hosting provider.

Apache Benchmark (ab) was designed to benchmark the number of concurrent requests an Apache HTTP Server can handle, but the tool is generic enough to test any HTTP/HTTPS server. It was not designed to be sympathetic to your network or hardware: this test sends an overwhelming number of HTTP/HTTPS requests in an attempt to find the maximum number of requests the application can handle.

CasperJS is a headless browser tool (a scripting layer over PhantomJS) that has been configured to execute HTTP flood attacks.

ChiHULK is an edited version of HULK. It includes the functionality of the original Http Unbearable Load King, with modifications to its random URIs and random referrers: the referrer and URI obfuscation strings have increased complexity and length (example: /?~\x9A\x9D=\x9C\x8B\x90\x9E\x9F\x8C\x8C\x80). This version was originally created by chinassie in 2016.

GoldenEye is an HTTP DDoS tool that exploits HTTP Keep-Alive and no-cache headers. This Python-based tool runs a multi-threaded HTTP/HTTPS flood, sending GET requests with randomized user agents and referrers.

GoldenEye is an HTTP DDoS tool that exploits HTTP Keep-Alive and no-cache headers. This Python-based tool runs a multi-threaded HTTP/HTTPS flood, sending POST requests with randomized user agents and referrers.

GoldenEye is an HTTP DDoS tool that exploits HTTP Keep-Alive and no-cache headers. This Python-based tool runs a multi-threaded HTTP/HTTPS flood, sending both GET and POST requests with randomized user agents and referrers.

Developed by Barry Shteiman, the Http Unbearable Load King (HULK) was designed to bring down a web server from a single source. The tool generates a small TCP flood alongside a multi-threaded HTTP GET flood. The GET flood exploits HTTP Keep-Alive and no-cache headers and randomizes URIs, referrers and user agents, so that every request looks unique and cannot be served from a cache.

PhantomJS is a headless browser tool that has been configured to execute HTTP flood attacks. Because it executes JavaScript, keeps cookies and follows redirects like a real browser, its requests pass the simple JavaScript challenges many defenses use to separate bots from browsers; this is attack type 4 in the scenario above.

Originally developed by Robert Hansen (RSnake) and released to the public in 2009, Slowloris opens as many connections to the target web server as it can and keeps them open for as long as possible by sending partial HTTP headers at a slow rate. This eventually uses up all the available connections in the server’s pool. Slowloris is also effective at exhausting the available connections on load balancers.

Tor's Hammer is a slow-POST DoS testing tool written in Python by phiral. It can also be run through the Tor network as a means of anonymization. A single instance kills most unprotected web servers running Apache or IIS: Apache 1.x and older IIS with ~128 threads, newer IIS and Apache 2.x with ~256 threads. The tool dates back to early 2011.

TCP floods are one of the most common forms of DDoS attack. Each of the following tests performs a volumetric TCP flood designed to overwhelm a network’s capacity or, in some cases, the TCP state tables of network devices such as firewalls and load balancers. Every variant is available in two forms: sent from the bots’ real source addresses, or with spoofed (randomized) source addresses.

  1. ACK+PSH flood
  2. FIN flood
  3. FIN+PSH flood
  4. Fragmented ACK flood (ACK packets split into IP fragments, which the target must reassemble before it can even inspect the TCP header)
  5. PSH flood
  6. RST flood
  7. RST+PSH flood
  8. SYN flood (spoofed random source addresses only; see below)
  9. SYN+ACK flood
  10. SYN+FIN flood
  11. SYN+PSH flood
  12. ACK flood

Utilizing spoofed IP addresses increases the resources needed to mitigate a DDoS attack. Because the source can be randomized, ACLs become harder to create and maintain and quickly lose their effectiveness. Moreover, the target’s response traffic is directed (reflected) towards the spoofed addresses rather than the attacker, so uninvolved third parties receive backscatter while the true source of the attack is hidden from the target. Only source-address validation at the provider edge (BCP 38 ingress filtering) prevents spoofing at its origin; the target itself cannot.

The SYN attack, for all its simplicity, remains an effective means of attack on an unprotected server. The SYN packet is the first step in establishing a TCP connection between two hosts, and servers treat it as a normal event: each SYN allocates a half-open connection entry while the server waits for the handshake to complete. The attacker, however, has no intention of completing the handshake. The server is left waiting for ACK packets that never arrive, and the half-open entries accumulate until the backlog is exhausted and legitimate connections can no longer be accepted.

This test floods the target with TCP SYN packets from spoofed random source addresses.
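The defense that follows from the SYN description above is to stop allocating a half-open entry per SYN: a server using SYN cookies encodes everything it would otherwise remember into its own initial sequence number and creates the connection only when a valid third packet arrives. The following is an added example, not DOSarrest code. It is a simplified form of D. J. Bernstein's SYN-cookie scheme (Linux uses the same 5/3/24-bit layout but a different hash construction); the MSS table, the secret and all addresses are constructed for the example.

```python
"""Stateless SYN cookies: answering a SYN flood without a half-open entry per SYN.

Cookie layout (simplified Bernstein scheme):
    bits 31..27  time counter modulo 32 (64-second slots)
    bits 26..24  index into a small table of encodable MSS values
    bits 23..0   keyed hash over the 4-tuple, the client's ISN and the time counter
"""
import hashlib
import hmac
import ipaddress
import random
import struct

MSS_TABLE = (536, 1300, 1440, 1460)  # assumption: four encodable MSS values, as in Linux
SLOT_SECONDS = 64
MAX_AGE_SLOTS = 1                    # accept cookies minted in this slot or the previous one


def _slot(now):
    return int(now // SLOT_SECONDS)


def _mss_index(mss):
    """Largest table entry not exceeding the client's advertised MSS (index 0 if none fits)."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def _hash24(secret, saddr, daddr, sport, dport, client_isn, count):
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(saddr).packed, ipaddress.IPv4Address(daddr).packed,
                      sport, dport, client_isn & 0xFFFFFFFF, count & 0xFFFFFFFF)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN to put in the SYN-ACK. Nothing is stored on the server."""
    count = _slot(now)
    return (((count & 0x1F) << 27) | (_mss_index(mss) << 24)
            | _hash24(secret, saddr, daddr, sport, dport, client_isn, count))


def check_cookie(secret, saddr, daddr, sport, dport, client_isn, ack, now):
    """Return the MSS encoded in a valid cookie, or None if the ACK is forged, stale or for another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    current = _slot(now)
    # Recover the full counter from its low 5 bits; anything older than MAX_AGE_SLOTS is rejected
    count = next((current - age for age in range(MAX_AGE_SLOTS + 1)
                  if (current - age) & 0x1F == cookie >> 27), None)
    if count is None:
        return None
    expected = _hash24(secret, saddr, daddr, sport, dport, client_isn, count)
    if not hmac.compare_digest(expected.to_bytes(3, "big"), (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


def simulate_flood(secret, n_spoofed, now, seed=1):
    """Server under a spoofed SYN flood: replies to every SYN with a cookie and remembers nothing,
    then a genuine client completes its handshake. Returns the resulting state-table sizes."""
    rnd = random.Random(seed)
    server = ("198.51.100.10", 443)                     # constructed
    half_open = {}      # a cookie-less server would hold n_spoofed entries here
    established = {}
    for _ in range(n_spoofed):
        src = ".".join(str(rnd.randrange(1, 224)) if i == 0 else str(rnd.randrange(256)) for i in range(4))
        sport = rnd.randrange(1024, 65536)
        make_cookie(secret, src, server[0], sport, server[1], rnd.getrandbits(32), 1460, now)
        # The SYN-ACK goes to the spoofed address (backscatter); no ACK ever comes back.
    client, client_isn = ("203.0.113.5", 40000), 0x1234  # constructed genuine client
    syn_ack_seq = make_cookie(secret, client[0], server[0], client[1], server[1], client_isn, 1460, now)
    ack = (syn_ack_seq + 1) & 0xFFFFFFFF
    mss = check_cookie(secret, client[0], server[0], client[1], server[1], client_isn, ack, now + 2)
    if mss is not None:
        established[(client, server)] = mss
    return {"half_open": len(half_open), "established": len(established), "mss": mss}


if __name__ == "__main__":
    print(simulate_flood(b"constructed-secret", 10_000, 100_000.0))
```

The cost of the scheme is visible in the layout: only a handful of MSS values can be encoded and other SYN options (window scaling, SACK) are lost unless carried elsewhere, which is why real stacks enable cookies only once the backlog overflows. The time counter bounds how long a captured cookie stays valid, and the keyed hash ties it to one 4-tuple, so an attacker cannot mint ACKs that create state either.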
