README
ΒΆ
π’ Turtle is a toolkit for simulating and validating application layer denial-of-service attacks in both live and unit testing environments.
π¨ Disclaimer
Important: The use of this program for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to comply with all applicable local, state, and federal laws. The developers assume no liability and are not responsible for any misuse or damage caused by this program.
π― Why Use Turtle?
Exposing an application to the public internet is fraught with risks due to various types of denial-of-service attacks, such as:
- slowloris
- low and slow attack
- R.U.D.Y
- ... and many more
While some applications may have well-configured settings that render them invulnerable to these attacks, others, such as those built with popular languages like Golang, might be vulnerable by default. Turtle provides an easy way to validate your application against these common threats to identify risks.
Furthermore, an application that is secure today may become vulnerable due to future changes. Therefore, integrating these attack simulations into your regular validation process is crucial.
π Features
Turtle provides:
- A Command-Line Interface (CLI) for validating real endpoints
- A Golang library for easy integration into unit/integration tests
Supported Scenarios
Turtle current supports the following scenarios:
π Getting Started
Turtle CLI
You can install the CLI tool via:
go install github.com/b4fun/turtle/cmd/turtle@latest
Or download a release binary from the GitHub Release page.
Using Turtle CLI
The turtle CLI embeds supported scenarios as sub-commands. A common way to invoke a scenario test:
$ turtle <scenario-name> <target-url>
Further details can be obtained by viewing the command's help message:
$ turtle -h
# Scenario specified help
$ turtle slowloris -h
Turtle Golang Library
For the Golang library, documentation can be found on GoDoc.
π LICENSE
Turtle is distributed under the [MIT license][/LICENSE]
Documentation
ΒΆ
Index ΒΆ
Examples ΒΆ
Constants ΒΆ
const ( EventTCPDial = "tcp/dial" EventTCPClosed = "tcp/closed" EventWorkerError = "worker/error" EventWorkerPanic = "worker/panic" )
Variables ΒΆ
This section is empty.
Functions ΒΆ
func ErrorFromEvent ΒΆ added in v0.0.2
func WorkerIdFromEvent ΒΆ added in v0.0.2
Types ΒΆ
type AsyncEventHandler ΒΆ added in v0.0.2
type AsyncEventHandler struct {
// contains filtered or unexported fields
}
func NewAsyncEventHandler ΒΆ added in v0.0.2
func NewAsyncEventHandler(h EventHandler, cap int) *AsyncEventHandler
func (*AsyncEventHandler) Close ΒΆ added in v0.0.2
func (f *AsyncEventHandler) Close() error
func (*AsyncEventHandler) HandleEvent ΒΆ added in v0.0.2
func (f *AsyncEventHandler) HandleEvent(event Event)
type Event ΒΆ added in v0.0.2
type Event struct {
// Name - event name
Name string
// At - event time
At time.Time
// Attrs - optional event attributes
Attrs map[string]any
}
Event represents an event.
func NewEvent ΒΆ added in v0.0.2
func NewEvent(eventName string, settings ...EventSettings) Event
NewEvent creates a new event.
type EventHandleFunc ΒΆ added in v0.0.2
type EventHandleFunc func(event Event)
func (EventHandleFunc) HandleEvent ΒΆ added in v0.0.2
func (f EventHandleFunc) HandleEvent(event Event)
type EventHandler ΒΆ added in v0.0.2
type EventHandler interface {
HandleEvent(event Event)
}
EventHandler handles events.
var NilEventHandler EventHandler = EventHandleFunc(func(event Event) {})
NilEventHandler is an event handler that does nothing.
type EventSettings ΒΆ added in v0.0.2
type EventSettings func(e *Event)
EventSettings configures an event.
func WithEventError ΒΆ added in v0.0.2
func WithEventError(err error) EventSettings
WithEventError binds the error of the event attrs.
func WithEventWorkerId ΒΆ added in v0.0.2
func WithEventWorkerId(workerId int) EventSettings
WithEventWorkerId binds the worker id of the event attrs.
type SlowBodyReadRequest ΒΆ
type SlowBodyReadRequest struct {
Target Target `embed:""`
// Method - the HTTP method to use, one of POST / PUT. Defaults to POST.
Method string `name:"http-method" help:"the HTTP method to use, one of POST / PUT. Defaults to POST."`
// BodyReadTimeout - the timeout for reading the request body. Defaults to hang forever.
BodyReadTimeout time.Duration `name:"http-read-timeout" help:"the timeout for reading the request body. Defaults to hang forever."`
// contains filtered or unexported fields
}
SlowBodyReadRequest provides the configurations for simulating slow request body reading attack.
Example ΒΆ
u, err := url.Parse("http://127.0.0.1:8080")
if err != nil {
panic(err)
}
s := SlowBodyReadRequest{
Target: Target{
Url: *u,
},
Method: http.MethodPost,
BodyReadTimeout: 180 * time.Second,
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
_ = s.Run(ctx)
Output:
func (*SlowBodyReadRequest) AfterApply ΒΆ added in v0.0.2
func (s *SlowBodyReadRequest) AfterApply() error
type Slowloris ΒΆ
type Slowloris struct {
Target Target `embed:""`
// Method - the HTTP method to use. Defaults to GET
Method string `name:"http-method" help:"the HTTP method to use. Defaults to GET"`
// UserAgents - list of user agents to use.
// If more than one is provided, a random one will be selected.
// If none is provided, a default one will be used.
UserAgents []string `` /* 167-byte string literal not displayed */
// SendGibberish - whether to send gibberish data in the request header.
SendGibberish bool `name:"http-send-gibberish" help:"whether to send gibberish data in the request header"`
// GibberishInterval - the random interval to send gibberish data in the request header. Defaults to 3s.
GibberishInterval time.Duration `name:"http-gibberish-interval" help:"the random interval to send gibberish data in the request header"`
// WriteTimeout - the timeout for writing the request header. Defaults to 10s.
WriteTimeout time.Duration `name:"http-write-timeout" help:"the timeout for writing the request header. Defaults to 10s."`
// contains filtered or unexported fields
}
Slowloris provides the configurations for running slowloris attack.
Example ΒΆ
u, err := url.Parse("http://127.0.0.1:8080")
if err != nil {
panic(err)
}
s := Slowloris{
Target: Target{
Url: *u,
},
SendGibberish: true,
GibberishInterval: 5 * time.Millisecond,
UserAgents: []string{
"turtle/0.0.1",
"turtle/0.0.1 - slowloris",
},
}
ctx, cancel := context.WithCancel(context.Background())
defer cancel()
_ = s.Run(ctx)
Output:
func (*Slowloris) AfterApply ΒΆ added in v0.0.2
type Target ΒΆ
type Target struct {
// Url - the url of the target.
Url url.URL `arg:"" name:"target-url" help:"the url of the target"`
// Duration - the duration of the attack. Defaults to 30s.
Duration time.Duration `name:"target-duration" help:"the duration of the attack. Defaults to 30s"`
// Connections - the number of connections to be made. Defaults to 100.
Connections int `name:"target-connections" help:"the number of connections to be made. Defaults to 100"`
// EventHandler - optional event handler to use.
EventHandler EventHandler `kong:"-"`
}
Target provides target configuration.
Source Files
Directories