This attack utilizes the attack script from bennettaur's http2-ddos! Huge shout to Michael Bennett for his great work and presentation at HackFest.

docker pull robinhung/http2-express-server

docker run -p 9876:3000 --name=http-express-server -d robinhung/http2-express-server

Now go to https://localhost:9876 to connect to HTTP/2 express.js server.

NOTICE: use https instead of http! Normally the browser will indicates that the connection is insecure. This is becasue we're utilizing the self-signed certificate ,which is not trusted by the browser. Just add the exception to view the page :)

Head over to attack-script directory. After you can utilize the .py script to launch the attack, you need to setup the virtualenv and install all the required packages!

virtualenv --python python2 env2

# activate the virtual environment
source env2/bin/activate

# test if the virtualenv has been successfully setup
pip list

pip install -r requirements.txt

Now, let's launch the attack!

# use the `http_req_limit_tests.pt` to spam the server with `/` requests
python http2_req_limit_tests.py -r 200 -c 10 -t localhost -p 9876 -f ./assets.txt -v 2

Click Control + C to stop the attack script.

During the attack, you can use docker stats to view the CPU usage has been increased dramatically!

docker stats $(docker ps | awk '{if(NR>1) print $NF}')

cd http2-express-rate-limit

docker build -t robinhung/http2-express-rate-limit .

docker run -p 1234:3000 --name=rate-limit -d robinhung/http2-express-rate-limit

Defense is NOT effective. Because the server is still taking all of the coming requests, but just instead return the status code 429 (Too many requests).