DEV Community

Dhanalakshmi V
Dhanalakshmi V

Posted on

CrushIt: Testing Server Limits with BEAM's Million-Worker Army

  ██████╗██████╗ ████████╗
 ██╔════╝██╔══██╗╚══██╔══╝
 ██║     ██████╔╝   ██║
 ██║     ██╔══██╗   ██║
 ╚██████╗██║  ██║   ██║
  ╚═════╝╚═╝  ╚═╝   ╚═╝
Enter fullscreen mode Exit fullscreen mode

Why This Exists

Most load testing tools are glorified curl loops. They spawn threads, fire requests, and call it a day. But the BEAM VM — the battle-tested runtime behind WhatsApp, Discord, and RabbitMQ — can do something no other VM can: spawn millions of lightweight processes that actually perform.

CrushIt exploits this. Not as a toy. As a weapon.

What It Does

CrushIt is a penetration testing framework that turns your machine into a stress-testing powerhouse. One binary. One command. Up to 1,000,000 concurrent workers hammering a target.

./crush_it --url http://target.com --concurrency 100000 --forever --allow-remote
Enter fullscreen mode Exit fullscreen mode

That's it. That's the attack.

The Numbers

On a standard laptop against a Python HTTP server:

Workers Requests Throughput Avg Latency
50 6,856 1,382 req/s 7ms
200 6,234 1,020 req/s 147ms

Against a real web application with database queries, auth middleware, and template rendering? Those numbers drop to zero fast. That's the point.

How It Works

┌─────────────────────────────────────┐
│          Supervisor (one_for_one)    │
│  ┌─────┐ ┌─────┐ ┌─────┐ ┌─────┐  │
│  │ W1  │ │ W2  │ │ W3  │ │ ... │  │
│  └──┬──┘ └──┬──┘ └──┬──┘ └──┬──┘  │
│     │       │       │       │      │
│     └───────┴───────┴───────┘      │
│              ↓                      │
│         Collector                   │
│    (atomics-based counting)         │
└─────────────────────────────────────┘
Enter fullscreen mode Exit fullscreen mode

Each worker is a GenServer that:

  1. Checks cancellation/deadline/request cap
  2. Fires an HTTP request via :httpc
  3. Reports result to collector
  4. Loops immediately — no idle time

The collector uses :atomics for lock-free counting. No mutexes. No bottlenecks. Pure BEAM.

The TUI (Ink + React)

Three screens:

Configure — Set URL, workers, duration, method, headers. Toggle DOS mode.

Running — Live metrics with sparklines:

1810 req · 1810 ok · 0 fail · 187 req/s · 263ms avg · 9.65s
Latency p50=246ms · p95=256ms · p99=259ms
███████████████████████████████████████████████████████
Status 200:1810
Enter fullscreen mode Exit fullscreen mode

Report — Pass/fail verdict based on success rate.

DOS Mode

./crush_it --url http://target.com --forever --concurrency 500
Enter fullscreen mode Exit fullscreen mode

Runs indefinitely. Workers loop continuously. No pause between requests. The target either handles it or dies. Ctrl+C to stop.

Features

  • 1M workers — BEAM handles it. Your target might not.
  • 6 HTTP methods — GET, POST, PUT, DELETE, PATCH, HEAD
  • Custom headers & body — Auth tokens, content types, whatever
  • Ramp-up — Stagger worker startup to simulate gradual load
  • Request cap — Stop after N total requests
  • Latency percentiles — p50, p95, p99 computed from rolling buffer
  • JSON streaming — Pipe to jq, dashboards, custom tools
  • Live TUI — No 300-line config files. Point, configure, crush.

Install

git clone https://codeberg.org/PandaternOSS/Crush_it.git
cd Crush_it
./build.sh
Enter fullscreen mode Exit fullscreen mode

Requires Elixir 1.14+ and Node.js 18+.

The Philosophy

Security tools should be:

  1. Simple — One binary, one command
  2. Honest — Show real metrics, not inflated marketing numbers
  3. Powerful — Exploit the platform's strengths (BEAM = processes)

CrushIt doesn't pretend to be a sophisticated APT framework. It's a hammer. Sometimes you need a hammer.

Built With

  • Elixir — BEAM VM, supervision trees, OTP
  • Ink — React for CLIs
  • esbuild — Fast JS bundling
  • :httpc — Erlang's built-in HTTP client

by valt


This tool is for authorized security testing only. Get permission before hammering anything you don't own.

Top comments (0)