Submitted 3 weeks ago by zamithal@programming.dev to nostupidquestions@lemmy.world
I want to rent a botnet and point it at my own website + service stack so that I can better understand how they work and protect myself against it.
I’m looking for things like automated web scraping, targeted ddos, llm generated fake comments and stuff like that. Basically, I want to test my services against my stuff before I launch.
I don’t believe this is illegal as I’m targeting myself for education.
Is this something you’re self hosting for fun, or is it some kind of business?
If you’re running web services for a business, you should look into existing load test tooling/infrastructure. Some of it can be fully managed, or other solutions might have a degree of setup involved (eg spinning up worker nodes in AWS or whatever). The hard part is designing your load test to match IRL traffic patterns, but once you have that down you can confidently answer questions about service scalability.
A load test is not a DDoS test. Load tests tell you how much legitimate traffic your services can take. DDoS consists of illegitimate traffic which may not correspond to what your web services expect.
Usually you don’t test your systems for something like a DDoS. You would instead set up DDoS protection through a CDN (content delivery network) to shield yourself and let someone else handle the logistics of blocking unwanted load. It’s a really hard problem to solve.
Depending on what you want to learn, running your own DDoS is unlikely to be very instructive. Most “DDoS as a service” networks are not going to tell their customers how anything works, they just take your bitcoin and send some traffic where you tell them.
This is for my personal business prelaunch. I’m particularly interested in the “illegitimate” traffic. I have a suite of telemetry infrastructure to analyze incoming traffic and want to see what it produces before I don’t have the option to “turn off the traffic” because I’m not the one causing it.
I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.
I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.
In that case, I wonder if your money would be better spent on contracting a security review. If you’re worried about unknown attack surface, I’m not sure that funding organized crime to rent a botnet would help. Botnet operators rely on you to tell them what to attack, so you’re unlikely to discover anything new here. Better to hire a professional and get a fresh opinion.
I think unless you want to send some money to a shady self-proclaimed hacker, you'd just go with a regular computer security company. They can do it and they'll have people who know what to look for. And before you yourself launch a large DDoS attack on "your" rented virtual server, contact your hoster and give them a heads-up, since that's really their servers and netwoking infrastructure.
In cybersecurity, this is called red-hat or red-team work. Maybe the search terms will help you find what you need.
I don’t believe this is illegal as I’m targeting myself for education.
Difficult to know, and ofc depends a lot where you are. Better ask a lawyer.
Buying access to people’s hacked routers and such without their consent is probably illegal.
Whitehat hacking is a common service that’s offered that you might be interested in. They’ll find every security hole and weakness and then give you a report on recommendations
Probably you will find offers in the darknet.
If you ask this kind of questions I recommend you to look up github and launch any ddos software you find there, if you host it at home your home router will 99% shut down if you don’t have rack router with ddos protection. If you shut down remote server router because you host in shitty provider that’s illegal. Anyways it’s stupid.
Cloud hosting providers usually have documented how you’re allowed to do security testing there.
For example, here’s Microsoft documentation www.microsoft.com/…/pentest-rules-of-engagement
pentesting for ddos in cloud is even more stupid, if you can afford cloud you can afford ddos solutions and put your application behind one
I’d double check that it’s legal.
Also you’re giving money to people who usually does not do legal things.
if you have the skill set to run the tools you’ll need to run in order to perform this type of test I would advise just renting a bunch of low-cost VPS systems and configuring them to do a jam to do cuz you can rent computers monthly for just a couple of dollars on things like digitalocean or ovh or something like that and as long as you’re targeting your own stuff I mean you’re not going to call the cops on yourself so nothing to worry about
OP, you’re looking for something called “Bot as a Service”. There are more and more companies that cater to those needing a bot infrastructure. Bright data, ScrapingBee, ZenRows, and Apify are some of the more common services I typically work against that offer what you’re looking for.
I don’t think you can rent botnets with some ready to use software to simulate web scraping or generate fake comments
Just look how half of the “reviews” on Amazon are fake already.
Oh yes, someone has paid for them, and there’s a well established industry at work.
abbadon420@lemm.ee 3 weeks ago
I’d hire a cyber security firm. Most firms can test how your website handles under specific kinds of stress like ddos or malicious webscrapers. They can also advice you on the axtuak risks and how to mitigate them.