A8DOG


Just writing casually, recording my tinkering!

Record a CC attack experience

Although CC attacks are despicable, I was forced into it. The target's webmaster is a scoundrel, and the site itself has little content and does not affect the webmaster's income.

There was a dispute that made me very upset; I could not understand the matter or the webmaster's behaviour, so I had to vent my frustration this way.

Directly purchasing CC or DDoS attacks is too expensive. I still had a few hundred dollars of balance on Vultr, so I opened a high-performance 8-core/16 GB server ($160 per month). Fortunately, Vultr bills by the hour.

First, I wrote a sh script:

#!/bin/bash

WEBSITE_URL="https://123.com/"

NUM_REQUESTS=9999999

NUM_PROCESSES=1000

for ((i=1; i<=$NUM_PROCESSES; i++)); do
    echo "Starting process $i"
    (
        for ((j=1; j<=$NUM_REQUESTS; j++)); do
            echo "Sending request $j from process $i"
            curl -k -i $WEBSITE_URL
            echo "------------------------------------"
        done
    ) &
done

wait

Sending requests to the target site at a high rate is a stupid method, but it is effective. Since the target site had no defenses, no CDN, and no basic CC protection, I quickly caused a 502 error.

After that, I launched a traffic attack. I had previously found a simple HTML page that sends frequent requests to an image link to generate traffic. You can search Google for "traffic generator", view the source, and copy it into an HTML file. The principle is to send requests to the image URL "https://123.com/123.png" with a random parameter appended to avoid browser caching.
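From the defender's side, the two patterns described above (a single client hammering the front page at a high rate, and a traffic generator hitting one image with a fresh random query string on every request) are easy to spot in ordinary access logs. The following Python script is an added example, not code from the original post; it parses nginx "combined" log lines and flags both patterns. The log lines, IP addresses, paths and thresholds are constructed for illustration.

```python
"""Flag HTTP-flood patterns in nginx 'combined' access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# nginx "combined" format: ip - user [time] "METHOD path PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return entry


def flood_sources(entries, per_second_threshold=50):
    """Return {ip: peak requests in one second} for clients at or above the threshold."""
    per_second = Counter((e["ip"], e["ts"]) for e in entries)  # timestamps have 1 s resolution
    peaks = defaultdict(int)
    for (ip, _second), count in per_second.items():
        peaks[ip] = max(peaks[ip], count)
    return {ip: n for ip, n in peaks.items() if n >= per_second_threshold}


def cache_busted_paths(entries, min_variants=20):
    """Return {path: number of distinct query strings} for static images requested
    with many different query strings, the cache-busting pattern of a traffic generator."""
    variants = defaultdict(set)
    for e in entries:
        parts = urlsplit(e["path"])
        if parts.query and parts.path.lower().endswith((".png", ".jpg", ".jpeg", ".gif")):
            variants[parts.path].add(parts.query)
    return {path: len(qs) for path, qs in variants.items() if len(qs) >= min_variants}


def analyze(lines, per_second_threshold=50, min_variants=20):
    """Run both detectors over raw log lines; unparseable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e]
    return (flood_sources(entries, per_second_threshold),
            cache_busted_paths(entries, min_variants))


def build_sample_log():
    """Constructed sample log (not real traffic): one crude flood, one cache-busting
    burst, and one ordinary visitor, all within the same second."""
    ts = "15/Mar/2024:18:12:42 +0000"
    lines = []
    # 60 hits on "/" in one second from a single client with curl's default User-Agent.
    for _ in range(60):
        lines.append(f'203.0.113.7 - - [{ts}] "GET / HTTP/1.1" 502 150 "-" "curl/8.5.0"')
    # 25 requests for the same image, each with a different random-looking query string.
    for i in range(25):
        lines.append(f'198.51.100.9 - - [{ts}] "GET /123.png?r=0.{i:05d} HTTP/1.1" '
                     f'200 4096 "-" "Mozilla/5.0"')
    # A normal visitor, far below either threshold.
    lines.append(f'192.0.2.4 - - [{ts}] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    floods, busted = analyze(build_sample_log())
    print("flood sources (peak req/s):", floods)     # {'203.0.113.7': 60}
    print("cache-busted image paths:", busted)      # {'/123.png': 25}
```

Per-IP rate counting only works while requests reach the origin directly. Once a flood arrives through a CDN that the origin never configured, the source column shows the CDN's egress addresses instead, and the useful control sits in the web server itself: a default_server block that returns 444 for unknown Host headers (and ssl_reject_handshake for unknown SNI), so the origin never serves the bound site's content for arbitrary hostnames.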

But the target site has cross-origin restrictions, so I reverse-proxied the target site and solved the cross-origin problem through the local Nginx configuration file. However, the target site's upstream bandwidth seems too low, and the traffic speed could not keep up.

A few hours later, the webmaster realized what was happening and seemed to have blocked my IP with a firewall. This method naturally stopped working; then I received an email from Vultr saying that one of my servers was under a DDoS attack. I simply deleted the server and stopped.

Then I grew angrier and could not let him off so easily. I took the target site's origin IP, added port 8888, and successfully opened the domestic Baota (BT) panel; I just did not know the panel's specific entry path.

Same old method: sending requests to the IP + port 8888. The website could still be accessed normally, but the webmaster's Baota panel could not be opened, and it stayed down even after I stopped the attack. Eventually I waited for it to recover and resumed the attack, but I found that they had added defense strategies and the attack was no longer effective.

Still not satisfied, I got hold of the webmaster's social media account and a domain name. Through the social media account, I went to the all-knowing Google and Baidu and found another server and another domain name owned by the webmaster, as well as email accounts, an Alipay account, name, phone number, and other information. If I imported the phone number into an address book and used social apps that recommend friends from contacts, I might be able to find the webmaster's other social media accounts, and maybe even photos and family information.

I could also find someone on Telegram and spend some money to have an account opened, but it is unnecessary and not what I want. Even if I found out what the webmaster looks like, how old they are, and where they live, it would be of no use to me. I just want to vent my frustration by simply launching a CC attack.

Then a few days later, I came across a post on a global hosting forum:

[Screenshot: Snipaste_2024-03-15_18-12-42]

Original post content: https://hostloc.com/thread-1204659-1-1.html
I also found a technical article: https://zu1k.com/posts/tutorials/http-proxy-ipv6-pool/

I thought, I can open a Vultr server and use the server's IPv6 to launch a cc attack. Even if it gets blocked, I can just open another machine in a different region.

After some tinkering, it turned out the target site does not support IPv6 access. Just when I was at a loss, I suddenly had an idea (since the last attack was several days earlier, I did not know whether the target site's defense strategy was still enabled, so I did not retest the previous stupid method).

I can add a domain name on Cloudflare and resolve it to the site's origin IP. Cloudflare's CDN supports IPv6 access, so I can launch the CC attack over IPv6. Even if it gets intercepted, Cloudflare fetches from the origin over IPv4, and Cloudflare has so many IPv4 addresses for fetching that even if some get blocked, it won't affect my CC attack.

At this point, someone might ask: if you resolve the domain name and enable the CDN, accessing the domain will just show a "not bound to a domain name" HTML page, so the CC attack will not be effective. Here the domestic Baota panel made another contribution. It has a bug: if you bind a domain name and enable SSL, then when another, unbound domain name is accessed directly over HTTPS, the certificate served is the one bound to that domain, and the content displayed is also that domain's content.

I resolved the domain name, set the SSL/TLS encryption mode to "Full", and could directly access the target site's content over HTTPS using my own domain name. Then I turned off Cloudflare's defense strategy and disabled passing the source region and IP.

At this point I could configure the attack according to the technical article shared by the expert. When I tested it, the CC attack was effective and was not intercepted by Cloudflare; the target website returned a 502 error. I made some improvements to the code.

#!/bin/bash

WEBSITE_URL="https://123.com"

NUM_REQUESTS=9999999

NUM_PROCESSES=1000

for ((i=1; i<=$NUM_PROCESSES; i++)); do
    echo "Starting process $i"
    (
        for ((j=1; j<=$NUM_REQUESTS; j++)); do
            echo "Sending request $j from process $i"
            curl -6 -k -s -o /dev/null -w "%{http_code}" $WEBSITE_URL
            echo "------------------------------------"
        done
    ) &
done

wait

I modified it to send curl requests directly over IPv6 and not display the website's page content, only the request headers. In the first test the attack was successful, but the server's downstream speed could only reach a few hundred kilobits and could not keep up. With this method, the server's downstream speed reaches over 5 megabits, which indirectly consumes the target's traffic.

I remember a saying about a "traffic alliance", meaning that traffic between the products of several Internet companies is not counted. I don't know whether Cloudflare and Vultr count that traffic.

Currently, I am still running the CC attack from one 8-core/16 GB server. Occasionally the target site returns a 200 response; if I add another server to the attack, that stops happening. Although my behaviour is not good, and I advise everyone not to imitate it, I will stop after venting my frustration. If there are any further developments, I will keep editing.
