I want to rent a botnet and point it at my own website + service stack so that I can better understand how they work and protect myself against it.
I’m looking for things like automated web scraping, targeted ddos, llm generated fake comments and stuff like that. Basically, I want to test my services against my stuff before I launch.
I don’t believe this is illegal as I’m targeting myself for education.
CrackedLinuxISO@lemmy.dbzer0.com 2 days ago
Is this something you’re self hosting for fun, or is it some kind of business?
If you’re running web services for a business, you should look into existing load test tooling/infrastructure. Some of it can be fully managed, or other solutions might have a degree of setup involved (eg spinning up worker nodes in AWS or whatever). The hard part is designing your load test to match IRL traffic patterns, but once you have that down you can confidently answer questions about service scalability.
A load test is not a DDoS test. Load tests tell you how much legitimate traffic your services can take. DDoS consists of illegitimate traffic which may not correspond to what your web services expect.
Usually you don’t test your systems for something like a DDoS. You would instead set up DDoS protection through a CDN (content delivery network) to shield yourself and let someone else handle the logistics of blocking unwanted load. It’s a really hard problem to solve.
Depending on what you want to learn, running your own DDoS is unlikely to be very instructive. Most “DDoS as a service” networks are not going to tell their customers how anything works, they just take your bitcoin and send some traffic where you tell them.
zamithal@programming.dev 2 days ago
This is for my personal business prelaunch. I’m particularly interested in the “illegitimate” traffic. I have a suite of telemetry infrastructure to analyze incoming traffic and want to see what it produces before I don’t have the option to “turn off the traffic” because I’m not the one causing it.
I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.
CrackedLinuxISO@lemmy.dbzer0.com 2 days ago
In that case, I wonder if your money would be better spent on contracting a security review. If you’re worried about unknown attack surface, I’m not sure that funding organized crime to rent a botnet would help. Botnet operators rely on you to tell them what to attack, so you’re unlikely to discover anything new here. Better to hire a professional and get a fresh opinion.