Together, towards a better future

Opensource DDoS Botnet Simulator: BoNeSi

2 min read
Opensource DDoS Botnet Simulator: BoNeSi

BoNeSi is a network traffic generator for different protocol types. It is a tool to simulate DDoS in a testing environment. It is designed to study the effect of attacks. It can generate ICMP, UDP and TCP (HTTP) flooding attacks from a defined botnet size (different IP addresses).

BoNeSi is highly configurable; rates, data volume, source IP addresses, URLs and other parameters can be configured. There are plenty of other tools out there to spoof IP addresses with UDP and ICMP, but for TCP spoofing, there is no solution. It is the first tool to simulate HTTP-GET floods from large-scale bot networks.

Where can I run BoNeSi?

We highly recommend you to run BoNeSi in a closed environment. However, attacks could be run on the internet as well, but you should be very carefull.

BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary, that all traffic from the target webserver is routed back to the host running BoNeSi.

How good is the perfomance?

The developers constantly provide updates and are focused on the performance in order to simulate big botnets. On an AMD Opteron with 2Ghz they were able to generate up to 150,000 packets per second.

UDP/ ICMP attacks can easily fill the bandwidth and HTTP-Flooding attacks knock out webservers fast. A demo video of BoNeSi in action can be found here.


:~$ ./configure
:~$ make
:~$ make install


:~$ bonesi [OPTION...] <dst_ip:port>


  -i, --ips=FILENAME               filename with ip list
  -p, --protocol=PROTO             udp (default), icmp or tcp
  -r, --send_rate=NUM              packets per second, 0 = infinite (default)
  -s, --payload_size=SIZE          size of the paylod, (default: 32)
  -o, --stats_file=FILENAME        filename for the statistics, (default: 'stats')
  -c, --max_packets=NUM            maximum number of packets (requests at tcp/http), 0 = infinite (default)
      --integer                    IPs are integers in host byte order instead of in dotted notation
  -t, --max_bots=NUM               determine max_bots in the 24bit prefix randomly (1-256)
  -u, --url=URL                    the url (default: '/') (only for tcp/http)
  -l, --url_list=FILENAME          filename with url list (only for tcp/http)
  -b, --useragent_list=FILENAME    filename with useragent list (only for tcp/http)
  -d, --device=DEVICE              network listening device (only for tcp/http, e.g. eth1)
  -m, --mtu=NUM                    set MTU, (default 1500). Currently only when using TCP.
  -f, --frag=NUM                   set fragmentation mode (0=IP, 1=TCP, default: 0). Currently only when using TCP.
  -v, --verbose                    print additional debug messages
  -h, --help                       print help message and exit



  • 50,000 ip addresses generated randomly to use with –ips option


  • several browser identifications to use with –useragentlist option


  • several urls to use with –urllist option
Get all the latest posts delivered straight to your inbox!
🎉 You've successfully subscribed to Hack Hex!