I want to rent a botnet and point it at my own website + service stack so that I can better understand how they work and protect myself against them.

I’m looking for things like automated web scraping, targeted ddos, llm generated fake comments and stuff like that. Basically, I want to test my services against my stuff before I launch.

I don’t believe this is illegal as I’m targeting myself for education.

  • zxqwas@lemmy.world
    ↑ 5 · 22 hours ago

    I’d double check that it’s legal.

    Also you’re giving money to people who usually do not do legal things.

  • hendrik@palaver.p3x.de
    ↑ 15 · 1 day ago

    I think unless you want to send some money to a shady self-proclaimed hacker, you’d just go with a regular computer security company. They can do it and they’ll have people who know what to look for. You can’t do red-teaming without any of the background knowledge, it’s a proper job and takes lots of experience to get meaningful results. And before you yourself launch a large DDoS attack on “your” rented virtual server, contact your hoster and give them a heads-up, since that’s really their servers, their datacenter and networking infrastructure which might get affected.

    If it’s a smaller website and not super critical, you might be fine hiring some single freelancer who knows what they’re doing as well…

    (And other than that… I’d just rent 10 AWS instances from Amazon, or the equivalent from Microsoft or any of the cloud providers. For all intents and purposes, that’s your proper botnet with a lot of bandwidth. But please don’t do this for nefarious purposes.)

  • abbadon420@lemm.ee
    ↑ 18 · 1 day ago

    I’d hire a cyber security firm. Most firms can test how your website handles under specific kinds of stress like ddos or malicious webscrapers. They can also advise you on the actual risks and how to mitigate them.

  • CrackedLinuxISO@lemmy.dbzer0.com
    ↑ 19 · 2 days ago

    Is this something you’re self hosting for fun, or is it some kind of business?

    If you’re running web services for a business, you should look into existing load test tooling/infrastructure. Some of it can be fully managed, or other solutions might have a degree of setup involved (e.g. spinning up worker nodes in AWS or whatever). The hard part is designing your load test to match IRL traffic patterns, but once you have that down you can confidently answer questions about service scalability.

    A load test is not a DDoS test. Load tests tell you how much legitimate traffic your services can take. DDoS consists of illegitimate traffic which may not correspond to what your web services expect.

    Usually you don’t test your systems for something like a DDoS. You would instead set up DDoS protection through a CDN (content delivery network) to shield yourself and let someone else handle the logistics of blocking unwanted load. It’s a really hard problem to solve.

    Depending on what you want to learn, running your own DDoS is unlikely to be very instructive. Most “DDoS as a service” networks are not going to tell their customers how anything works, they just take your bitcoin and send some traffic where you tell them.

    • zamithal (OP)
      ↑ 4 · 1 day ago

      This is for my personal business prelaunch. I’m particularly interested in the “illegitimate” traffic. I have a suite of telemetry infrastructure to analyze incoming traffic and want to see what it produces before I don’t have the option to “turn off the traffic” because I’m not the one causing it.

      I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.

      • CrackedLinuxISO@lemmy.dbzer0.com
        ↑ 15 · 1 day ago

        > I can outsource things like ddos protection to my cdn provider, but that would still be just kinda hoping I didn’t have any attackable surface I didn’t think of prelaunch.

        In that case, I wonder if your money would be better spent on contracting a security review. If you’re worried about unknown attack surface, I’m not sure that funding organized crime to rent a botnet would help. Botnet operators rely on you to tell them what to attack, so you’re unlikely to discover anything new here. Better to hire a professional and get a fresh opinion.

  • meyotch@slrpnk.net
    ↑ 12 · 1 day ago

    In cybersecurity, this is called red-hat or red-team work. Maybe the search terms will help you find what you need.

  • NotSteve_@lemmy.ca
    ↑ 8 · 1 day ago

    Whitehat hacking is a common service that’s offered that you might be interested in. They’ll find every security hole and weakness and then give you a report on recommendations.

  • RedditIsDeddit@lemmy.world
    ↑ 4 · 1 day ago

    If you have the skill set to run the tools you’ll need to run in order to perform this type of test, I would advise just renting a bunch of low-cost VPS systems and configuring them as needed. You can rent computers monthly for just a couple of dollars on things like DigitalOcean or OVH or something like that, and as long as you’re targeting your own stuff, I mean, you’re not going to call the cops on yourself, so nothing to worry about. You can probably even just do it with something like AWS and, you know, just scale up and down as needed, and it’ll be a lot more cost effective that way too.

  • Zwuzelmaus@feddit.org
    ↑ 9 · 2 days ago

    > I don’t believe this is illegal as I’m targeting myself for education.

    Difficult to know, and ofc depends a lot where you are. Better ask a lawyer.

  • vane@lemmy.world
    ↑ 6 ↓ 1 · 1 day ago

    If you ask this kind of question, I recommend you look up GitHub and launch any ddos software you find there; if you host it at home, your home router will 99% shut down if you don’t have a rack router with ddos protection. If you shut down a remote server’s router because you host with a shitty provider, that’s illegal. Anyway, it’s stupid.

  • SerotoninSwells@lemmy.world
    ↑ 5 · 1 day ago

    OP, you’re looking for something called “Bot as a Service”. There are more and more companies that cater to those needing a bot infrastructure. Bright Data, ScrapingBee, ZenRows, and Apify are some of the more common services I typically work against that offer what you’re looking for.

    *Edit: If you’re just looking for performance testing, you can use services like Loadster.

  • lol@discuss.tchncs.de
    ↑ 3 · 2 days ago

    Couldn’t you simply rent a single server with like twice the bandwidth of your existing server? Unless you want to test automatic banning of IP addresses or something, having it spam your website with requests should have the exact same effect as using a botnet.

    I don’t think you can rent botnets with some ready to use software to simulate web scraping or generate fake comments. You’d probably have to write that yourself anyway.
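
The distinction drawn in the comment above (a single rented server versus many source addresses, and what that means for automatic IP banning) can be checked against your own telemetry logic. The following is an added example, not part of the thread: the thresholds, function names and the documentation-range IP addresses are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 10         # sliding window in seconds (assumed value)
PER_IP_LIMIT = 20   # requests per window from one IP before it is banned (assumed)
GLOBAL_LIMIT = 150  # requests per window across all IPs before alarming (assumed)

def analyze(events):
    """events: (timestamp_seconds, ip) tuples sorted by time.
    Returns (banned_ips, global_alarm_raised)."""
    per_ip = defaultdict(deque)
    all_hits = deque()
    banned, alarm = set(), False
    for ts, ip in events:
        if ip in banned:
            continue  # already dropped at the edge, no longer counts as load
        hits = per_ip[ip]
        hits.append(ts)
        all_hits.append(ts)
        # Expire entries that fell out of the sliding window.
        while hits and hits[0] <= ts - WINDOW:
            hits.popleft()
        while all_hits and all_hits[0] <= ts - WINDOW:
            all_hits.popleft()
        if len(hits) > PER_IP_LIMIT:
            banned.add(ip)
        if len(all_hits) > GLOBAL_LIMIT:
            alarm = True
    return banned, alarm

def single_source(n=300, seconds=10):
    # Constructed sample: one test server sending 300 requests in 10 s.
    return [(i * seconds / n, "203.0.113.10") for i in range(n)]

def distributed(n=300, seconds=10, hosts=100):
    # Constructed sample: the same volume spread over 100 source addresses.
    return [(i * seconds / n, f"198.51.100.{i % hosts}") for i in range(n)]

if __name__ == "__main__":
    print("single source:", analyze(single_source()))
    print("distributed:  ", analyze(distributed()))
```

With these inputs the single-source run is stopped by the per-IP ban before the aggregate alarm is reached, while the distributed run never trips a per-IP limit and is only visible through the aggregate counter, so a single-server test exercises the first signal but not the second.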

    • Zwuzelmaus@feddit.org
      ↑ 2 · 1 day ago

      > I don’t think you can rent botnets with some ready to use software to simulate web scraping or generate fake comments

      Just look how half of the “reviews” on Amazon are fake already.

      Oh yes, someone has paid for them, and there’s a well established industry at work.