I'd double check that it's legal.
Also you're giving money to people who usually do not do legal things.
I think unless you want to send some money to a shady self-proclaimed hacker, you'd just go with a regular computer security company. They can do it and they'll have people who know what to look for. You can't do red-teaming without any of the background knowledge, it's a proper job and takes lots of experience to get meaningful results. And before you yourself launch a large DDoS attack on "your" rented virtual server, contact your hoster and give them a heads-up, since that's really their servers, their datacenter and networking infrastructure which might get affected.
If it's a smaller website and not super critical, you might be fine hiring some single freelancer who knows what they're doing as well...
(And other than that... I'd just rent 10 AWS instances from Amazon, or the equivalent from Microsoft or any of the cloud providers. For all intents and purposes, that's your proper botnet with a lot of bandwidth. But please don't do this for nefarious purposes.)
I'd hire a cyber security firm. Most firms can test how your website handles under specific kinds of stress like DDoS or malicious webscrapers. They can also advise you on the actual risks and how to mitigate them.
Is this something you're self hosting for fun, or is it some kind of business?
If you're running web services for a business, you should look into existing load test tooling/infrastructure. Some of it can be fully managed, or other solutions might have a degree of setup involved (eg spinning up worker nodes in AWS or whatever). The hard part is designing your load test to match IRL traffic patterns, but once you have that down you can confidently answer questions about service scalability.
A load test is not a DDoS test. Load tests tell you how much legitimate traffic your services can take. DDoS consists of illegitimate traffic which may not correspond to what your web services expect.
Usually you don't test your systems for something like a DDoS. You would instead set up DDoS protection through a CDN (content delivery network) to shield yourself and let someone else handle the logistics of blocking unwanted load. It's a really hard problem to solve.
Depending on what you want to learn, running your own DDoS is unlikely to be very instructive. Most "DDoS as a service" networks are not going to tell their customers how anything works, they just take your bitcoin and send some traffic where you tell them.
This is for my personal business prelaunch. I'm particularly interested in the "illegitimate" traffic. I have a suite of telemetry infrastructure to analyze incoming traffic and want to see what it produces before I don't have the option to "turn off the traffic" because I'm not the one causing it.
I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn't have any attackable surface I didn't think of prelaunch.
I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.
In that case, I wonder if your money would be better spent on contracting a security review. If you're worried about unknown attack surface, I'm not sure that funding organized crime to rent a botnet would help. Botnet operators rely on you to tell them what to attack, so you're unlikely to discover anything new here. Better to hire a professional and get a fresh opinion.
In cybersecurity, this is called red-hat or red-team work. Maybe the search terms will help you find what you need.
Whitehat hacking is a common service that's offered that you might be interested in. They'll find every security hole and weakness and then give you a report on recommendations.
If you have the skill set to run the tools you'll need to run in order to perform this type of test, I would advise just renting a bunch of low-cost VPS systems and configuring them as needed. You can rent computers monthly for just a couple of dollars on things like DigitalOcean or OVH or something like that, and as long as you're targeting your own stuff, I mean, you're not going to call the cops on yourself, so nothing to worry about. You can probably even just do it with something like AWS and, you know, just scale up and down as needed, and it'll be a lot more cost effective that way too.
I don't believe this is illegal as I'm targeting myself for education.
Difficult to know, and ofc depends a lot where you are. Better ask a lawyer.
Buying access to people's hacked routers and such without their consent is probably very illegal.
Edit:
Probably you will find offers in the darknet.
If you ask this kind of question, I recommend you look up GitHub and launch any DDoS software you find there. If you host it at home, your home router will 99% shut down if you don't have a rack router with DDoS protection. If you shut down a remote server router because you host with a shitty provider, that's illegal. Anyways, it's stupid.
Cloud hosting providers usually have documented how you're allowed to do penetration testing there without affecting other customers.
For example, here's Microsoft documentation https://www.microsoft.com/en-us/msrc/pentest-rules-of-engagement
Pentesting for DDoS in the cloud is even more stupid. If you can afford cloud, you can afford DDoS solutions and put your application behind one.
OP, you're looking for something called "Bot as a Service". There are more and more companies that cater to those needing a bot infrastructure. Bright data, ScrapingBee, ZenRows, and Apify are some of the more common services I typically work against that offer what you're looking for.
*Edit: If you're just looking for performance testing, you can use services like Loadster.
Couldn't you simply rent a single server with like twice the bandwidth of your existing server? Unless you want to test automatic banning of IP addresses or something, having it spam your website with requests should have the exact same effect as using a botnet.
I don't think you can rent botnets with some ready to use software to simulate web scraping or generate fake comments. You'd probably have to write that yourself anyway.
I don't think you can rent botnets with some ready to use software to simulate web scraping or generate fake comments
Just look how half of the "reviews" on Amazon are fake already.
Oh yes, someone has paid for them, and there's a well established industry at work.