27. 03. 2026
Automation, Development, DevOps, NetEye
22. 02. 2025
Simone Ragonesi
Automation, DDoS, Offensive Security, Red Team
Building a Distributed DDoS Infrastructure for Red Teaming Campaigns
⚠️ Warning: This article is intended for educational and ethical purposes only ⚠️
Red teamers don’t often engage in DDoS campaigns or stress testing against client systems, mainly for two reasons:
- Simulating a real attack in a credible manner is challenging
- If done well, these operations can have a significant impact
However, there are cases where clients explicitly request such activities. When that happens, the red team must be thoroughly prepared; both legally, to clearly define the scope and methodology, and technically, to execute the engagement effectively.
If you’re a company considering this type of assessment, ensure you have detailed discussions with your providers about their approach: If they suggest something as simplistic as sending oversized ping packets from their workstations, take it as a red flag (no pun intended).
Given the sensitivity of DDoS testing, realism is key. A meaningful assessment requires a geographically distributed infrastructure with at least a few dozen servers.
My approach to this and other red teaming tasks involves defining infrastructure as code (using IaC tools like Terraform) and leveraging various cloud providers for provisioning.
Over time, I have automated the provisioning of various red teaming infrastructures, including:
- Fully operational C2 servers
- Exfiltration endpoints
- Landing pages and malicious websites
- Hash-cracking servers powered by industrial-grade GPUs
- And more
Please note that, in the case of DDoS, not all cloud providers may allow the use of their infrastructure like this. Depending on the specifics and use case, it could violate their terms of service or result in significant costs. Thoroughly research your options before selecting a provider to avoid potential bans or unexpected expenses. Personally, I have never spent more than a few cents per hour for the necessary infrastructure, making it an extremely cost-effective approach.
Of course, simply automating the deployment of geographically distributed servers across different data centers isn’t enough: the critical component is the script that performs the actual attack. During provisioning, this script is automatically copied to the servers and executed as soon as they are ready. Its logic varies depending on the target and specific use case, but it typically involves strategies for Layer 7 (HTTP) call flooding.
Here are some tricks that can be implemented in the script:
- Randomization of HTTP verbs
- Randomization of endpoints on the target
- Randomization of user agents
For this specific type of activity, we developed and open-sourced Dossy, the engine we use for HTTP volumetric Denial of Service.
When this engine is distributed across dozens of servers (even modest ones), it can easily generate tens of millions of cumulative calls per minute.
With the customers we’ve performed these activities with, we’ve often achieved unexpected results:
in one particular instance during the attack, we managed to block VPN access and completely crash one company portal.
Interestingly, the crashed portal was protected by Cloudflare’s anti-DDoS solution, which blocked 99.99% of the packets, but one of the few thousand that got through triggered an unhandled application exception.
These Solutions are Engineered by Humans
Did you learn from this article? Perhaps you’re already familiar with some of the techniques above? If you find cybersecurity issues interesting, maybe you could start in a cybersecurity or similar position here at Würth Phoenix.
Simone Ragonesi
Offensive Security Technical Lead | Würth IT Italy
Author
Latest posts by Simone Ragonesi
22. 04. 2026
Offensive Security, Red Team, SEC4U
The Ghost in the Kernel Machine
23. 03. 2026
Offensive Security, Red Team, SEC4U
Writing High Quality Pentesting Reports
27. 01. 2026
Automation, Development, DevOps, Offensive Security, Red Team, SEC4U
Architecting a Portable Red Team Engine
11. 01. 2026
Blue Team, Offensive Security, Red Team, SEC4U
Purple Teaming is a MUST, not a PLUS
26. 09. 2025
AI, Artificial Intelligence, Offensive Security, Red Team
The Evolving Security Landscape of MCP