Tor abuse distributed testing

Chris Monteiro
pirate dot london
Jan 16, 2011

So with a colleague, we’re building a test platform capable of simulating large amounts of load against a website in order to gauge its capabilities following an outage last year.

This involves a series of load engines and centrally controlled scripts that simulate user behaviour on the site, with the idea that we spawn more and more until the site service degrades, whereupon we declare that to be the capacity of the site with its current infrastructure and code base.

A concern I had was that the load engine traffic, since it would be coming from a single source, would not have the variable bandwidth and quirks that real user visits would have, but mostly to be contrary.

I then considered this as a challenge: how can you truly simulate hundreds of geographically disparate users visiting a website?

#1 Hire hundreds of people around the world to give up their PCs for load testing, à la folding@home and other distributed computing projects. Problem is, AFAIK this infrastructure does not exist for hire. :(

#2 Make a botnet. Whilst this might be ‘to do’ on my ‘list of things to do en route to taking over world’ it’s not something I’ll have soon enough. Oh please evil botnet masters, lend us your botnets so I can produce more valid load test data! :(

#3 Abuse the Tor network. Hmmm. There are a couple of challenges here, but certainly none listed in the abuse FAQ because apparently “So in general, attackers who control enough bandwidth to launch an effective DDoS attack can do it just fine without Tor.”

How naive of them; I have bandwidth aplenty. So one could presumably launch sandboxed instances of Tor with different identities, and either via command line script or through click automation, access a site via scores of different locations.

What would happen if I were to do this?

a) Very valid test data!

b) Tor would kick me off their network pretty fast — but not necessarily before the data is captured

c) The source IP would be banned from Tor forever.

What’s interesting is that the consequences are really quite mild. Given this plan is valid, anyone with enough bandwidth and the willingness to abuse Tor could DDoS someone to the extent of their bandwidth.

If one factored multiple VPNs into this mix to mitigate IP bans, this could be a highly robust DDoSing machine, without the need for a botnet.

PPUK Forums link
