As I’m researching different DDoS tools and looking for ways to make our hosting platform more secure, I’ve noticed that there are plenty of tools hosted on github.com which claim to be easy-to-use attack tools. So I’ve decided to examine them for fun in this little series!
The #1 result for the search term “DDoS” on GitHub is hammer, with 927 stars and no fewer than 969 forks! Pretty impressive, so let’s have a look at it!
What the tool does is build an HTTP request with one of eight user agents, such as:
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14
The rest of the header block is included statically from headers.txt:
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
The script’s idea is to open 135 threads that perform simultaneous HTTP requests against a server and overload the HTTP server process. However, due to a bug in line 47, the line break between the Host and User-Agent headers is missing, and the packet sent to the host looks like this:
GET / HTTP/1.1
Host: 192.168.0.16User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Additionally, requests.txt uses \n rather than \r\n as line breaks. Please also note the extra space in front of “User-Agent”, which is another issue on line 47. All of this makes the request invalid HTTP (the Host header value now contains the whole User-Agent line), and the server will simply answer:
HTTP/1.1 400 Bad Request
Date: Sun, 19 Sep 2021 21:17:02 GMT
Server: Apache/2.4.38 (Debian)
Content-Length: 302
Connection: close
Content-Type: text/html; charset=iso-8859-1
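To make that 400 reproducible without a target, here is an added Python example (my own code, not from the hammer repository). It rebuilds the request the way the tool frames it, as described above (no line break after the Host value, a stray space before User-Agent, bare LF terminators), builds the same request with correct RFC 7230 framing, and runs both through a small strict linter that reports what is wrong. The header lines and user agent are the ones quoted above; the exact string concatenation on line 47 of hammer.py is assumed from the description, not copied from the script, and the `status_line` helper is only for checking against a server you control.

```python
"""
Added example, not code from the hammer repository: reproduce the malformed
request the post describes, build the correct one, and lint both so the
400 Bad Request can be explained offline. The way line 47 concatenates the
Host and User-Agent headers is assumed from the description, not copied.
"""
import re
import socket
import sys

# Header lines quoted above from headers.txt (copied here as test data).
HEADERS_TXT = [
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language: en-us,en;q=0.5",
    "Accept-Encoding: gzip,deflate",
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7",
    "Keep-Alive: 115",
    "Connection: keep-alive",
]
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0) Opera 12.14"


def build_request_buggy(host, user_agent):
    """Framing as the tool sends it (assumed from the description): no line
    break after the Host value, a stray space before User-Agent, and bare LF
    instead of CRLF throughout."""
    head = "GET / HTTP/1.1\n"
    head += "Host: " + host + " User-Agent: " + user_agent + "\n"
    head += "\n".join(HEADERS_TXT) + "\n\n"
    return head.encode("latin-1")


def build_request_fixed(host, user_agent):
    """The same headers framed per RFC 7230: one header per line, CRLF
    terminators, and an empty line closing the header block."""
    lines = ["GET / HTTP/1.1", "Host: " + host, "User-Agent: " + user_agent]
    lines += HEADERS_TXT
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


# RFC 7230 token characters; a header name must be a token, so it cannot
# contain spaces or colons.
_TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_REQ_LINE = re.compile(r"^(" + _TOKEN + r") (\S+) HTTP/1\.[01]$")
_HEADER = re.compile(r"^(" + _TOKEN + r"):[ \t]*(.*?)[ \t]*$")
# Simplified uri-host[:port]: hostname/IPv4 or bracketed IPv6, no whitespace.
_HOST = re.compile(r"[A-Za-z0-9.\-]+(:[0-9]+)?|\[[0-9A-Fa-f:.]+\](:[0-9]+)?")


def lint_request(raw):
    """Parse an HTTP/1.1 request head strictly. Returns (problems, headers):
    problems is a list of human-readable violations, headers maps the
    lower-cased header name to its list of values. Bare LF is tolerated as
    a terminator (many servers accept it) but still reported."""
    problems = []
    text = raw.decode("latin-1")
    head, sep, _body = text.partition("\r\n\r\n")
    if not sep:
        problems.append("header block not terminated by CRLF CRLF")
        head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    if any(not ln.endswith("\r") for ln in lines[:-1]):
        problems.append("bare LF used as line terminator instead of CRLF")
    lines = [ln.rstrip("\r") for ln in lines]
    if not _REQ_LINE.match(lines[0]):
        problems.append("bad request line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        if ln[:1] in (" ", "\t"):
            problems.append("leading whitespace on header line: %r" % ln)
            continue
        m = _HEADER.match(ln)
        if not m:
            problems.append("malformed header line: %r" % ln)
            continue
        headers.setdefault(m.group(1).lower(), []).append(m.group(2))
    hosts = headers.get("host", [])
    if len(hosts) != 1:
        problems.append("HTTP/1.1 requires exactly one Host header")
    elif not _HOST.fullmatch(hosts[0]):
        # This is what the buggy framing produces: the whole User-Agent
        # line becomes part of the Host value, spaces and all.
        problems.append("invalid Host value: %r" % hosts[0])
    return problems, headers


def status_line(host, port, raw, timeout=5.0):
    """Send a raw request to a server you control and return the first
    response line (e.g. 'HTTP/1.1 400 Bad Request'). Uses the network and is
    not exercised by the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(raw)
        return s.recv(4096).split(b"\r\n", 1)[0].decode("latin-1", "replace")


if __name__ == "__main__":
    for label, build in (("buggy", build_request_buggy), ("fixed", build_request_fixed)):
        problems, headers = lint_request(build("192.168.0.16", USER_AGENT))
        print(label, "->", problems or "no problems", "| headers:", sorted(headers))
    if len(sys.argv) == 3:  # python3 hammer_lint.py <host> <port>: ask a real server
        host, port = sys.argv[1], int(sys.argv[2])
        for build in (build_request_buggy, build_request_fixed):
            print(status_line(host, port, build(host, USER_AGENT)))
```

Running it without arguments shows why the tool gets nowhere: the buggy framing is flagged for bare LF terminators and for a Host value that is really “192.168.0.16 User-Agent: Mozilla/5.0 …”, and no User-Agent header is parsed at all, while the CRLF version passes cleanly. Given a host and port of your own test server, it also sends both variants and prints the status line each one gets back.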
The tool only opens 135 threads by default, which isn’t an issue for any server software; even going up to 1024 doesn’t change anything for Apache (which is known for its low default limits), because the server closes each connection immediately after answering with the 400.
Rating: 1/5 stars:
This tool is broken, has absolutely no effect on any web server, contains unused code and has probably never been tested. I have no idea why it is so popular on GitHub and why so many kids are opening GitHub issues and PRs for it.