K7Blog

Recall a CC attack experience

Although cc attacks are despicable, I was also forced to do so. The target webmaster is a rascal and the website itself has no content and does not affect the webmaster's profit.

There was a dispute that made me very upset and unable to understand the behavior of the webmaster. I had to vent my frustration in this way.

Directly purchasing cc attacks and ddos attacks is too expensive. I still have a few hundred dollars in balance on Vultr, so I opened a high-performance 8h16g server (160 dollars per month), but fortunately Vultr can be billed by the hour.

First, I wrote a sh script:

#!/bin/bash

WEBSITE_URL="https://123.com/"

NUM_REQUESTS=9999999

NUM_PROCESSES=1000

for ((i=1; i<=$NUM_PROCESSES; i++)); do
    echo "Starting process $i"
    (
        for ((j=1; j<=$NUM_REQUESTS; j++)); do
            echo "Sending request $j from process $i"
            curl -k -i $WEBSITE_URL
            echo "------------------------------------"
        done
    ) &
done

wait

Frequently sending requests to the target site is a stupid method, but it is effective. Since the target site has no defense, no CDN, and no basic cc defense measures, I quickly caused a 502 error.

Then I launched a traffic flooding attack. Previously, I found a simple HTML page that can send frequent requests to an image link to generate traffic. You can directly search on Google for "traffic generator" to view the source code and copy it to create an HTML page. The principle is to send requests to the image URL https://123.com/123.png and add random parameters at the end to prevent browser caching.

However, the target site has cross-origin restrictions, so I reverse proxied the target site and solved the cross-origin problem through the local Nginx configuration file. But it seems that the target site's upload bandwidth is too low and the traffic speed cannot keep up.

A few hours later, the webmaster realized what was happening and seemed to have blocked my IP with a firewall. This method naturally became ineffective, and I received an email from Vultr saying that one of my servers was under a DDoS attack. I simply deleted the server and stopped.

Then I became more and more angry and couldn't let it go so easily. I copied the target site's source IP + port 8888 and successfully accessed our national Baota. I just didn't know the specific address of the panel.

Still the same old method, sending requests to the IP + port 8888: the website can be accessed normally, but the webmaster's Baota cannot be opened. Even after stopping the attack, it could not be opened. Finally, when the recovery was successful, I continued the attack and found that they had added defense strategies, rendering the attack ineffective.

Still unsatisfied, I obtained the webmaster's social media account + a domain name. Through this social media account, I went to the all-knowing Google + Baidu and found another server and another domain name owned by the webmaster, as well as email accounts, Alipay accounts, names, phone numbers, and other information. If I import the phone number into the address book and operate on some social software that can recommend friends through the address book, I may be able to find the webmaster's other social media accounts, and maybe even find photos and family information.

I can also find someone on Telegram to spend some money to open an account, but it is unnecessary and not what I want. Even if I know what the webmaster looks like, how old they are, and where they live, it is of no use to me. I just want to vent my frustration by launching a simple cc attack.

Then a few days later, I came across a post on a global hosting forum:

[Screenshot of the forum post: Snipaste_2024-03-15_18-12-42]

Original post content: https://hostloc.com/thread-1204659-1-1.html
I also found a technical article: https://zu1k.com/posts/tutorials/http-proxy-ipv6-pool/

I thought, I can open a Vultr server and use the server's IPv6 to launch a cc attack. Even if it gets blocked, I can just open another machine in a different region and continue the cc attack.

After some tinkering, I found that the target site does not support IPv6 access. Just when I was at a loss, I suddenly came up with an idea (since the last attack was several days ago, I didn't know whether the target site's defense strategy was still active, so I didn't test the previous stupid method).

I can add a domain name through Cloudflare and then resolve the domain name to the source IP of the target site. Cloudflare's CDN supports IPv6 access, and I can use the IPv6 protocol to launch a cc attack. Even if it gets intercepted, Cloudflare can use the IPv4 protocol to send the traffic back to the source IP, and Cloudflare has so many IPv4 addresses that even if it gets blocked, it won't affect my cc attack.

At this point, someone might ask, if you resolve the domain name and enable CDN, when you visit the domain name, it shows that the domain name is not bound, and it's just an HTML page, so cc attacks won't work. This is where the national Baota comes in handy. It has a bug that if you bind a domain name and enable SSL, when you directly access other unbound domain names with HTTPS, it will use the certificate of the bound domain name and display the content of that domain name.

I resolved the domain name, set the SSL/TLS encryption mode to "Full", and I can directly access the content of the target site through HTTPS using my domain name. Then I turned off Cloudflare's defense strategy and disabled passing the source region and IP.
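A defender's-side counterpart to the setup described above, added here and not part of the original post: a small Python log analyser that flags the two signals the origin would see in this scenario, requests for a Host name that was never bound on the server (the re-proxied domain) and a single client address exceeding a per-minute request rate. The log format with a trailing $host field and every sample line are constructed assumptions, not the target site's logs.

```python
import re
from collections import Counter

# nginx "combined" format with "$host" appended as a final field (an assumed log_format).
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[(\d+/\w+/\d+:\d+:\d+):\d+ [^\]]*\] "[^"]*" (\d{3}) \S+ "[^"]*" "[^"]*" (\S+)$'
)

def parse_line(line):
    """Return (ip, minute, status, host) or None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, minute, status, host = m.groups()
    return ip, minute, int(status), host

def analyze(lines, own_hosts, per_minute_threshold):
    """Flag Host names this origin never bound and clients exceeding the per-minute
    request threshold; returns (unexpected_hosts, flooders, status_counts) as Counters."""
    per_ip_minute = Counter()
    unexpected = Counter()
    statuses = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, minute, status, host = rec
        per_ip_minute[(ip, minute)] += 1
        statuses[status] += 1
        if host not in own_hosts:
            unexpected[host] += 1
    flooders = Counter()
    for (ip, minute), n in per_ip_minute.items():
        if n >= per_minute_threshold:
            flooders[ip] = max(flooders[ip], n)  # peak per-minute count per client
    return unexpected, flooders, statuses

def _line(ip, ts, host, status):
    return f'{ip} - - [{ts} +0000] "GET / HTTP/1.1" {status} 512 "-" "curl/8.5.0" {host}'

# Constructed sample: two ordinary visits, then 180 requests in one minute via a reverse
# proxy (203.0.113.55, a documentation address) for a Host name never bound here; 502 after
# the first seconds.
SAMPLE_LINES = [
    _line("198.51.100.10", "15/Mar/2024:18:11:58", "example.com", 200),
    _line("198.51.100.23", "15/Mar/2024:18:12:01", "www.example.com", 200),
] + [
    _line("203.0.113.55", f"15/Mar/2024:18:12:{s:02d}", "other-domain.example", 502 if s > 5 else 200)
    for s in range(60) for _ in range(3)
]
```

The unbound-Host path itself is closed in nginx by a catch-all default_server that returns 444 for any server_name the site does not own, so an unrecognised domain never falls through to the first configured site's content and certificate.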

At this point, I can configure and launch the attack using the technical article shared by the expert. But when I tested it, the cc attack was effective and was not intercepted by Cloudflare. The target website also returned a 502 error. I made some improvements to the code.

#!/bin/bash

WEBSITE_URL="https://123.com"

NUM_REQUESTS=9999999

NUM_PROCESSES=1000

for ((i=1; i<=$NUM_PROCESSES; i++)); do
    echo "Starting process $i"
    (
        for ((j=1; j<=$NUM_REQUESTS; j++)); do
            echo "Sending request $j from process $i"
            curl -6 -k -s -o /dev/null -w "%{http_code}" $WEBSITE_URL
            echo "------------------------------------"
        done
    ) &
done

wait

I modified it to directly send curl requests using IPv6 and not display the website's code information, but display the request headers. In the first test, the attack was successful, but the server's downstream speed could only reach a few hundred kilobits and couldn't keep up. With this method, the server's downstream speed can reach over 5 megabits, and it can indirectly consume the target's traffic.

I remember there was a saying about a traffic alliance, which means that communication between several Internet company products does not count as traffic. I don't know if Cloudflare and Vultr count traffic.

Currently, I still have an 8h16g server attacking with cc. The target site occasionally returns a 200 response header. If I add another server to the attack, it won't happen. Although my behavior is not good, I advise everyone not to imitate it. After venting my frustration, I will stop. If there are any further developments, I will continue to edit.
