The Russians are Coming: How to Launch a DDoS Defense

Russian tanks are rolling on Kyiv and fellow Ukrainian developers are swapping laptops for Kalashnikovs, so I felt a timely topic would be more appropriate than my usual development drivel.

“A desperate disease requires a dangerous remedy.”

In the United States, the reaction to Russia’s aggression has been mixed. Republicans have declared the party’s “solidarity” with Ukraine as well as its “outrage” against Russian President Vladimir Putin’s tyranny. But in their response to the Biden’s State of the Union, there was no attempt whatsoever to square this hollow declaration with the fact that the former Republican President repeatedly aligned himself with Putin and withheld military aid to Ukraine in a narcissistic ploy to bully them into lending credence to his lies about a stolen election. The former President, Fox television personalities, and Republican members of Congress, are still spouting Russian propaganda talking points, and some of them are attending “white nationalist conferences” where attendees chant “Putin! Putin!” This is the fractured state of our union, and I worry that it may come apart at the seams without the threat of Russian tanks.

But as long as we are able, we will heed the call of Mykhailo Fedorov, the Vice Prime Minister of Ukraine, to join the Ukraine’s volunteer “IT Army”. To that end, I will provide brief instructions for how anyone with scripting knowledge can launch a Distributed Denial of Service Attack (DDoS).

Technically, what I will demonstrate is a Denial of Service attack: the “Distributed” comes from having it repeated from multiple locations. Although one person can initiate a distributed attack, gaining access to multiple machines requires a lot more work.

A list of targets was published on Twitter, spanning Russian businesses (many petroleum based), banks, and state services. At the time of writing, many of the sites are down, including http://www.gazprom.ru/ and http://lukoil.ru/ (probably due to cyber attacks). Our sincere hope is that a proxy attack on these targets will damage Russia’s economy and deter their desire to wage war and thereby spare the lives of innocent civilians. That is why I’m billing this a “DDoS Defense” instead of a DDoS attack.

How do you attack a website? Although there are many vulnerabilities that might be exploited, one of the simplest ways to bring it down is to overwhelm it with a “Superbowl” amount of web traffic. Eventually it will fail to keep up with the handling of requests. You don’t necessarily need any “hacker-tech” to make this happen: you could just get enough people clicking refresh on their browser, but let’s up our game and do this programmatically.

Although there are listicles out there that list the 10 “best” DDoS tools available, I’ve found the lists to be woefully out of date and the tools themselves abandoned or horribly documented. So I’ll limit this discussion to single working tool used in ethical hacking courses, HULK, available on Github: https://github.com/grafov/hulk

You can download the project locally (or you can use git clone), then move into its directory.

To launch the tool using Python, the syntax looks like this:

❯ python hulk.py http://www.gazprom.ru/

Using Python is easier since it may already be installed on your computer.

The Go version of the script is more powerful, owing to Go’s concurrency capabilities. You would need to download and install Go, then build the executable and run it:

❯ go build
❯ ./hulk -site http://lukoil.ru/

One powerful variation of this, which is beyond the scope of this article, would be to house this tool inside of an AWS Lambda function: this would give it the ability to run concurrently in the cloud leveraging multiple IP addresses, making it much harder to block and effectively achieving “distributed” status.

If you actually run one of these commands against one of the listed targets, congratulations comrade, you are participating in gumming up the gears of Russian cyberspace. I must point out that doing this is probably illegal, and if you instead pointed such tools at domains inside the United States or Europe, you could be tracked down and arrested like the OG members of Anonymous and LulzSec when they targeted sites run by the CIA. Use these tools at your own risk.

The attacks have improved even more: you can open this website http://notwar.ho.ua/ and it will launch the attacks on the list of targets automatically. The IT Army of Ukraine channel in Telegram says that there are some targets that were initially missed:

• https://scr.online.sberbank.ru/api/fl/idgib-w-3ds
• https://3dsec.sberbank.ru/mportal3/auth/login
• https://acs1.sbrf.ru
• https://acs2.sbrf.ru
• https://acs3.sbrf.ru
• https://acs4.sbrf.ru
• https://acs5.sbrf.ru
• https://acs6.sbrf.ru
• https://acs7.sbrf.ru
• https://acs8.sbrf.ru

We do this for our brothers and sisters in Ukraine; they may one day need to return the favor. Solidarity.