0

We need to know what to expect if a rogue actor DDOSes one of our production sites, so I'm looking to spin up a few VPSes with web apps on so that I can simulate a DDOS against them with an online stress testing service.

We have a dedicated server but I received this response from the hosting company when I asked if I could DDOS it:

Response from the first hosting company

I asked a well-known VPS provider if I could spin up a VPS and then DDOS it but they replied with this:

Reply from the second hosting company

I'm currently waiting on a response from AWS support, but my hopes aren't very high that they'll allow it at the moment.

How can I test our DDOS response strategy if no hosting company will let me DDOS a server on their network?

glcheetham
  • 103
  • 4
  • 5
    Christ, don't go to a VPS provider and say "DDOS". Say "load test". AWS will permit it generally, as you pay them for bandwidth usage. Apply at https://aws.amazon.com/security/penetration-testing/ – ceejayoz Apr 06 '16 at 13:16
  • @ceejayoz haha! Good point! Anyway, that's exactly what I was looking for. Thank you very much - if that was an answer I would accept it. – glcheetham Apr 06 '16 at 13:25
  • Not really sure what you are trying to test? A DDOS can take down practically any site leaving you with no options to mitigate it at VPS level other than paying for it to be dealt with upstream. What extra info does carrying it out give you? – JamesRyan Apr 09 '16 at 19:03
  • @JamesRyan Of course we know that the site would break under a real DDOS scenario. `We need to know what to expect ` - we're foremost looking to put together disaster recovery plans. And our apps/servers have never been put under that much stress before - so we don't even actually know what will happen to them. – glcheetham Apr 09 '16 at 19:31
  • @glcheetham if anyone vaguely competent DDOSs you, you simply won't have network connectivity at all. Load testing your apps is a bit of a different kettle of fish. – JamesRyan Apr 09 '16 at 20:42

2 Answers2

2

You could use some personal/private/office computers instead, maybe not optimal, but at least you can get started.

user2713516
  • 155
  • 1
  • 1
  • 12
  • 1
    If we were to DDoS a server on our LAN, that would bring *our* network down aswell - which isn't something we'd like to do. – glcheetham Apr 06 '16 at 13:08
2

Because you pay for the bandwidth, AWS will generally permit this if you deem it a "load test" instead of a "DDOS". They ask that you clear it with them and you may not perform it on smaller instance types (so you don't clobber your neighbors).

ceejayoz
  • 32,910
  • 7
  • 82
  • 106