(Please note that I have no affiliation with the leak of this tool, nor do I endorse DoS attacks and I did not write the information below. All I did was to organize it nice and short, in a way very easy to read in short time.)
* Leaked - th3j35ter's XerXeS Attack Platform
* Uses TORHAMMER with Keep-Alive DDOS on hacked PHP servers
* Method of attack: HEAD keep/alive + range
What was it tested against?
Here is what I then did. I set up a HoneyPot (hardened Apache with DDOS protection turn on). The site was "http://www.rjfront.info". On 28 August, 2011. I logged onto IRC.2600.NET channel #jester and requested that the "ANTI-JIHAD" site would be taken down. With-in 45 minutes, the server was hit with HTTP HEAD partial fragmentation attacks. The server was completly down in 3 minutes for up to 5 hours.
How the attack looks like in the logs:
The Apache logs revealed the following headers:
126.96.36.199 - - [28/Aug/2011:14:05:34 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
188.8.131.52 - - [28/Aug/2011:14:07:39 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
184.108.40.206 - - [28/Aug/2011:14:10:50 +0330] "HEAD / HTTP/1.0" 200 4011 "-" "XerXes - 0wn3d bitch. TANGO DOWN"
Quote from the story behind:
What was interesting was the the sequence of IP's that were rotated. They were TOR exit relays. After doing a bit of research on the type of attack agaist te HoneyPot was an attacked called "Keep-Alive DoS Script": http://www.esrun.co.uk/blog/keep-alive-dos-script/. The CPU utilization on the Apache server was 95% throughout the attack.
Disclaimer by the original poster:
Remember it is illegal to perform denial of service attacks agaist websites. The individual known as th3j35t3r needs to be held responsible for his actions. If you cannot do the crime, do not do the crime.