Inspiration

According to comparitech.com, 43% of all DDoS attacks were targeted at US companies. This is almost half of all DDoS attacks throughout the world. This is bad. Very bad. There was a need to make something that is easy for any Joe Schmo to just throw at their website to see if they need to hire a security engineer or if they are at risk. In the US, DoS/DDoS attacks cost on average over $6,000 per minute of downtime. This is a huge risk that needs to be mitigated.

What it does

It puts a target website in a high-traffic environment to see if the security features that the current website owner has set up will work. It has the capability to sidestep WAFs and server-side scripts that blacklist IP addresses. This allows the target website to be in the conditions of a real-world DDoS attack.

How we built it

Python

Challenges we ran into

Ctrl+C did not stop the UDP server from running or the threads from running on the stresser. Apparently we had to tell the kernel that it needs to listen to Ctrl+C by giving it signal instructions.

Accomplishments that we're proud of

Having the ability to completely manipulate a packet using a high-level language (Python). We thought we would have to write C code to do something of this sort.

What we learned

Web firewalls are incredibly easy to sidestep. Apparently you can just go on censys.io and find the original IP of a website if you run into a Cloudflare IP address. Even if there is a firewall/load balancer, you can still do some pretty heavy damage pretty easily with some basic packet manipulation.
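The defender's side of the point above, as an added example that is not part of the Stressy project: traffic that bypasses the WAF shows up in the origin's access log as source IPs outside the provider's ranges. The ranges and log lines below are constructed placeholders, and `via_cdn` and `direct_to_origin` are hypothetical helper names.

```python
import ipaddress
import re
from collections import Counter

# Constructed placeholder ranges (RFC 5737 documentation space) standing in for
# the CDN/WAF provider's published egress ranges; replace with the real list.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed origin access-log lines in common log format.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [12/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [12/Mar/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 734
203.0.113.9 - - [12/Mar/2024:10:00:02 +0000] "GET /img/a.png HTTP/1.1" 200 9001
192.0.2.44 - - [12/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 512
not-an-ip - - [12/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 400 0
2001:db8::5 - - [12/Mar/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 512
"""

# client, ident, user, [timestamp], "request", status, size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+')


def via_cdn(addr):
    """True if the source address belongs to one of the provider ranges."""
    return any(addr in net for net in CDN_RANGES)


def direct_to_origin(log_text):
    """Count requests per source IP that reached the origin without the CDN."""
    hits, unparsed = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            addr = None  # client field is not a valid IP address
        if addr is None:
            unparsed += 1  # keep a count so malformed lines are not silently lost
        elif not via_cdn(addr):
            hits[str(addr)] += 1
    return hits, unparsed


if __name__ == "__main__":
    hits, unparsed = direct_to_origin(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"direct-to-origin: {ip} requests={n}")
    print(f"unparsed lines: {unparsed}")
```

Any hit here means the origin is reachable without the WAF; the durable fix is a firewall rule on the origin that accepts web traffic only from the provider's ranges.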

What's next for Stressy

It will have the capability to perform some test of this sort on TCP ports, as well as work on websites connected through the Tor network (.onion sites). It will also get hosted on a website with a friendly GUI so that people who don't know much about web security can easily perform a simulated cyber attack to deduce if their web server is vulnerable, and if they need to hire a security engineer. There will also be different types of DoS/DDoS attacks available other than just a simple IP sidestep.
