DoS / DDoS Training Platform — Authorized Use Only

DOS ARENA

Flood. Prove. Score. Learn.

The first DoS/DDoS training platform with a live proof-of-impact scoring system. Flags are only issued when the judge confirms your service is actually down. No file hunting. No guessing. Real impact or no points.

19 Vulnerable targets
8 Scenarios
~650x Max amplification
1050 Total points
Live Score Feed
14:32:01 franckferman solved SYN Flood +100
14:31:44 Gilraen DNS amp confirmed +100
14:30:12 mafiaboy MySQL starvation +150
14:29:58 franckferman hint 02 lvl 2 -25
14:28:33 Gilraen SNMP GetBulk confirmed +150
14:27:01 Anna-senpai Slow POST solved +200
14:26:18 mafiaboy NTP monlist proven +100
SYN Flood · Slowloris · NTP ~550x · SNMP ~650x · ACK Bypass · TCP Starvation · DNS ~60x · Slow POST · IP Fragmentation · ICMP Flood · Live Proof System · Progressive Hints · Full Writeups · Docker + Terraform
Methodology

Not a CTF.
Proof of impact.

01 / Recon
Read the Scenario

Each scenario targets one specific vulnerability class. Understand the mechanism. No hand-holding — the hint system is there if you need it.

02 / Attack
Launch Your Attack

Use Floodles, hping3, Scapy, or any tool. The arena does not care how you get there. Only whether the service degrades.

03 / Proof
Judge Confirms

The judge polls every target every 5 seconds. When it detects proven degradation matching the scenario criteria, a time-windowed flag is generated.

04 / Learn
Submit and Read

Submit your flag for points. Full technical writeup unlocks immediately — vulnerability mechanics, real-world context, detection, mitigation.

Classic CTF
Find a file.
Get a string.
Submit.

You can copy a flag without understanding what you did. The platform has no way to verify actual exploitation.

DOSArena
Break a service.
Keep it broken.
Prove it.

Flags expire every 5 minutes. Your attack must still be running when you submit. The judge is the ground truth.

Scenarios

8 challenges.
One goal: downtime.

Total available: 1050 points
01
SYN Flood
10.0.2.20:80 — apache-vuln

Exhaust the TCP SYN queue. SYN cookies disabled — backlog fills in seconds. Prove the server stops accepting connections.

02
Slowloris
10.0.2.20:80 — apache-vuln

Hold all 150 Apache workers with incomplete HTTP requests. Zero bandwidth. mod_reqtimeout not loaded on this target.

03
ACK Bypass
10.0.2.50:80 — fw-stateless

Prove ACK packets reach the server behind the stateless firewall. No conntrack, no session check — ACK floods pass through.

04
DNS Amp
10.0.2.30:53 — dns-open

Verify the BIND9 server is an open resolver responding to ANY queries from any source. Measure the amplification factor.

05
NTP Monlist
10.0.2.31:123 — ntp-vuln

Prove NTPd responds to mode 7 monlist. 8-byte request → 43,200 bytes response. ~550x amplification factor.

06
SNMP GetBulk
10.0.2.32:161 — snmp-vuln

Highest amplification in the arena. Community=public, full MIB-II. max-repetitions=255 dumps the entire device tree. ~650x.

07
TCP Starvation
10.0.2.40:3306 — mysql-vuln

Fill MySQL's connection table (max=50) with idle TCP connections. No auth needed. Prove the database refuses new connections.

08
Slow POST
10.0.2.20:80 — apache-vuln

RUDY attack. Declare 10MB Content-Length, send 1 byte/10s. Bypasses header timeouts. Fills workers via body channel.

Lab Targets

15 containers.
8 vulnerable by design.

IP Address | Hostname | Service | Vulnerable To | Tag
10.0.2.20 | apache-vuln | HTTP :80 | Slowloris, SYN flood, Slow POST, NUKE | L7
10.0.2.30 | dns-open | UDP :53 | DNS amplification (~60x) | AMP
10.0.2.31 | ntp-vuln | UDP :123 | NTP monlist (~550x) | AMP
10.0.2.32 | snmp-vuln | UDP :161 | SNMP GetBulk (~650x) | AMP
10.0.2.40 | mysql-vuln | TCP :3306 | TCP starvation (max_connections=50) | L4
10.0.2.50 | fw-stateless | HTTP :80 | ACK flood, XMAS flood (no conntrack) | L4
10.0.3.20 | apache-protected | HTTP :80 | mod_reqtimeout + SYN cookies + iptables rate limit | Protected
10.0.3.21 | nginx-protected | HTTP :80 | Event-driven + client_header_timeout + limit_req | Protected

+ postgres-vuln, fw-stateful, monitor, prometheus, grafana, judge, attacker (infrastructure)

Flag System

Flags prove
real downtime.

judge — polling loop
[14:31:02] probe 10.0.2.20:80... 200 OK (92ms)
[14:31:07] probe 10.0.2.20:80... 200 OK (88ms)
[14:31:12] probe 10.0.2.20:80... TIMEOUT (3040ms)
[14:31:17] probe 10.0.2.20:80... CONNECTION REFUSED
[14:31:17] ✓ DEGRADED — scenario 01 confirmed
[14:31:17] FLAG: DOSARENA{01_a3f9c2d18e4b}
 
$ python3 cli.py submit 01
Flag: DOSARENA{01_a3f9c2d18e4b}
✓ CORRECT +100 pts Total: 200
Writeup unlocked for scenario 01
 
01
Your attack must be active

Flags are time-windowed (5-minute validity). The judge must have confirmed degradation within the current window. Keep the attack running, then submit.

02
No guessing, no copying

Flags are HMAC-SHA256 tokens tied to scenario ID + time window. The judge also verifies it recently confirmed degradation. A valid token without active proof = rejected.

03
Writeup unlocks on submit

Full technical writeup — vulnerability mechanics, real-world CVEs, server-side detection commands, and remediation config — available immediately after a correct submission.

04
Progressive hints cost points

3 hint levels per scenario. Level 1: directional nudge (-10pts). Level 2: vulnerability class revealed (-25pts). Level 3: near-explicit with commands (-50pts).
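
The flag check described under "No guessing, no copying", sketched in Python as an added example (not DOSArena's own code). The key, the message layout and the 12-hex-character truncation are assumptions; only HMAC-SHA256, the 5-minute window and the recent-degradation requirement come from the page.

```python
import hashlib
import hmac

WINDOW_SECONDS = 300              # page: flags are valid for a 5-minute window
SECRET = b"constructed-demo-key"  # assumption: judge-side secret, never sent to players


def window_index(now: float) -> int:
    """Number of the 5-minute window that contains `now` (Unix seconds)."""
    return int(now) // WINDOW_SECONDS


def make_flag(scenario_id: str, now: float, key: bytes = SECRET) -> str:
    """Derive the flag for one scenario in one time window."""
    msg = f"{scenario_id}:{window_index(now)}".encode()   # assumed message layout
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]  # assumed truncation
    return f"DOSARENA{{{scenario_id}_{tag}}}"


class Judge:
    """Remembers when degradation was last confirmed and validates submissions."""

    def __init__(self, key: bytes = SECRET):
        self.key = key
        self.last_confirmed = {}  # scenario_id -> Unix time of last confirmation

    def confirm_degradation(self, scenario_id: str, now: float) -> str:
        """Called by the polling loop when a probe matches the scenario criteria."""
        self.last_confirmed[scenario_id] = now
        return make_flag(scenario_id, now, self.key)

    def submit(self, scenario_id: str, flag: str, now: float) -> str:
        # Check 1: the token must match the HMAC for the *current* window.
        expected = make_flag(scenario_id, now, self.key)
        if not hmac.compare_digest(flag.encode(), expected.encode()):
            return "rejected: bad or expired token"
        # Check 2: a correct token still needs degradation confirmed in this window.
        seen = self.last_confirmed.get(scenario_id)
        if seen is None or window_index(seen) != window_index(now):
            return "rejected: no degradation confirmed in this window"
        return "accepted"
```

The second check is what makes a copied or precomputed token useless: the judge's own observation, not the string, is the source of truth.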

Amplification Factors

Send 1 Mbps.
Deliver 650 Mbps.

650x SNMP: v2c GetBulk // UDP:161
550x NTP: monlist // UDP:123
254x Smurf: ICMP broadcast
60x DNS: ANY/DNSKEY // UDP:53
MULTI SPRAY: Combined vectors

Amplification scenarios in DOSArena are recon and proof exercises — verify that equipment in the lab scope can serve as reflectors. Same methodology used in real-world network audits.

Learning System

Break it first.
Understand it after.

Progressive Hints
3 Levels — Costs Points

Level 1 gives direction without revealing technique. Level 2 names the vulnerability class. Level 3 gives near-explicit commands. Each level deducts points — think before asking.

Full Writeups
Unlocks Post-Solve

Research-grade explanations covering: why the vulnerability exists at the kernel level, attack mechanics step-by-step, historical CVEs and incidents, detection commands, and remediation configs.

Protected Counterparts
Compare & Learn

Every vulnerable target has a hardened equivalent. After exploiting apache-vuln, try the same attack on apache-protected. See exactly which config change stops it. Theory into practice.

Deployment

Up in
two commands.

Docker
Terraform AWS
Docker 20.10+ · Docker Compose v2 · Linux host recommended · 4 GB RAM · 8 GB disk
bash
# clone and start — builds all images on first run
git clone https://github.com/franckferman/DOSArena.git
cd DOSArena
make up

bash — without make
docker compose -f docker/docker-compose.yml up -d --build

Attacker shell: make shell
Judge API: http://localhost:8888
Grafana: http://localhost:3000
Prometheus: http://localhost:9090
Stop: make down

Enter the Arena.
Break something real.

Docker Compose or Terraform AWS — deploy in minutes
