Suggestion

[Cosmysd]

Hi sir @Leeon123 , as a suggestion, you could add ratelimit, because many targets when they receive a lot of requests will ban the whole class of IP, etc. So ratelimit would help circumvent this protection. You could also add cloudscraper (python) or this library https://github.com/pavlodvornikov/aiocfscrape/tree/na/update-to-latest-cfscrape to bypass cloudflare String url, hiting all pages on the target (sending requests on all pages) also some like https: // target //?q=% RANDOM% your script can't send req to this page So, all these options could be added as an alternative if you want to use them, not by default. the script cant read cf content can u make headers like that, or to use custome headers

headers: {
                        'Connection': 'keep-alive',
                        'Cache-Control': 'no-cache',
                        'Pragma': 'no-cache',
                        'DNT': 1,
                        'Upgrade-Insecure-Requests': 1,
                        'User-Agent': user-agents,
                        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3',
                        'Accept-Encoding': 'gzip, deflate, br',
                        'Accept-Language': 'en-US,en;q=0.9',
                        'X-Forwarded-For': proxy-etc`
Of course, if you have time you want to do this

Slow attack is not working, dont send any req 

1.          none          | Rps: 0
                  2.          none          | Rps: 0
                  3.          none          | Rps: 0
                  4.          none          | Rps: 0
                  5.          none          | Rps: 0
                  6.          none          | Rps: 0
                  7.          none          | Rps: 0
                  8.          none          | Rps: 0
                  9.          none          | Rps: 0
                 10.          none          | Rps: 0

[Leeon123]

The problem of the output of slow attack has been fixed, also what do you mean can't atttack "https: // target //?q=% RANDOM%".

[andress134]

The problem of the output of slow attack has been fixed, also what do you mean can't atttack "https: // target //?q=% RANDOM%".

@Cosmysd him want to say like to send requests on all pages, if u attack http://mysitetest.com he to detect pages and send req on all like index.php test.php car.php, idk if u undestend Also about ratelimit, i think using ratelimit can bypass some normal waf So maybe a option ''use rate limit y/n'' default is no if u activate ratelimit, to send limited requests per proxy

and custom headers like your cc golang version to add like

'Cache-Control': 'no-cache', 'Pragma': 'no-cache', 'Upgrade-Insecure-Requests': 1,

[ruz0ne]

it would be so great if you could add these features, especially the cloudflare bypass

[andress134]

hi @Leeon123 sir, is not posible to improve script to bypass cf headers? also maybe using cloudscraper (python) ?

[jmcausing]

Hi @Leeon123 , Do you know what iptables rules can I apply for my server if an attacker will try to use this? I tried different iptables rules but I cannot seem to find the correct one. The only way I can mitigate this is to drop the port 443 and port 80

[Leeon123]

@jmcausing It could be easily stopped by limiting the connections per host. The exactly command I don't remember, but i think you should be able to find on google.

[ghost]

@jmcausing You could drop junk http packets, or any packet that does not have a valid HTTP method (So you only allow GET, HEAD, POST or that stuff). The second option is to rate-limit the attacker.

[swordapi]

The problem of the output of slow attack has been fixed, also what do you mean can't atttack "https: // target //?q=% RANDOM%".

Sir have a look at hulk.go at hulk repository, it uses random strings at the end of a url but i guess this doesnt make sense bc its written in go but to understand the basic idear lol.