DDoS’ing for beginners: DDoS Russia in 4 easy steps

Support πŸ‡ΊπŸ‡¦ πŸ‡ΊπŸ‡¦ Ukraine πŸ‡ΊπŸ‡¦ πŸ‡ΊπŸ‡¦ by joining in the DDoS effort! Here’s how, in 4 steps.


I started with the code that’s been floating around on Reddit, and then:

System Requirements

I’m running this on a 2011 Mac Mini with 4GB RAM.
You can tell you’re running out of memory if the console shows “insufficient resources” errors.
Open up an issue if that’s the case. We could make the memory usage configurable.

1. Set up a VPN.

Protect yourself by make your connections come from a different location than your own. I use Express VPN, but there are many alternatives. Here’s what that looks like when it’s up and running. I’ve got mine set to have all my Internet come and go through Phoenix, USA:

Screen Shot 2022-03-01 at 7 42 41 AM

2. Disable CORS in a new Chrome browser profile.

These instructions use Chrome because it’s secure and not hard to configure.

This is essential: it allows the code to make the network connections. Follow these instructions to create a new, a separate profile in Chrome for this.

⚠️ Do not simply disable CORS in your current browser profile. ⚠️

Continue following the instructions to keep yourself safe. To create the new profile, first click your current profile avatar in the upper right corner. Then click + Add to add a new profile:

Screen Shot 2022-03-01 at 11 13 23 AM

In the next screen, click Continue without an account:

Screen Shot 2022-03-01 at 11 08 27 AM

Now you can give the new profile a name:

Screen Shot 2022-03-01 at 11 08 47 AM

Finally, you’ll a new profile just for doing the DDoS’ing:

Screen Shot 2022-03-01 at 11 12 10 AM

Now install Allow CORS into your new profile. If you use Allow CORS (it’s the easiest way I’ve found), just change Option 4 to *:

Screen Shot 2022-03-01 at 7 40 35 AM

Then, be sure to actually turn on the extension itself. The “C” logo will appear orange:

Screen Shot 2022-03-01 at 7 41 42 AM

3. Browse to russia-must-be-stopped.html.

Here’s the source code, if you want to examine it. It’s pretty simple, IMO.

4. Enable mixed content.

At this point, the script is running, but can only connect to the sites that use https.
But some of these Russian sites are still on http. In order to hit those as well, we need
to enable “mixed content” (a mix of https and http).

First, click the lock to the left of the URL, then click Site settings:

Screen Shot 2022-03-01 at 7 54 30 AM

Then, on the Site settings page, scroll down to the Insecure content setting:

Screen Shot 2022-03-01 at 7 54 48 AM

Change it to Allow:

Screen Shot 2022-03-01 at 7 54 58 AM

You’ll probably have to reload the page to pick up the new setting. Chrome gives a helpful button for that:

Screen Shot 2022-03-01 at 7 59 26 AM

And you’re done. Your browser will load all the URLs, even the ones over http.

5. Verify it’s working.

Welcome to step #5 out of 4. You should probably make sure this is actually working correctly. It took me several tries to get it right. To do this, open up the Javascript Console. On the Mac, it’s alt-cmd-j. You can also right-click on the page, choose Inspect, and then switch to the Console. It should look like this:

Screen Shot 2022-03-01 at 7 59 56 AM

Uncheck Group similar messages in console. Now it should look like this:

Screen Shot 2022-03-01 at 7 59 52 AM

Notice how the browser is complaining about the mixed content, but it’s going ahead and loading it anyway. Because I enabled it in Step 4.

But if your console looks like this, then you didn’t properly enable mixed content. Go back and try again:

Screen Shot 2022-03-01 at 8 33 49 AM

Any questions? Ask them in the discussion forum.

Other similar projects and forks


View Github