Hello nanogers, Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? Thanks Best regards, Jul Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to "maintenance mode") [1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continu...
On Wed, 2010-03-17 at 07:45 +0100, jul dit:
But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service.
Found only Parabon [1] on Google
Does someone know something similar ?
If you have access to a large enough network in a campus-size establishment, try booting a large room (100+) full of desktop PCs with a live CD/USB and script (or clusterSSH) some hpings, blind netcats (large file as input), iperfs or nmap+nmapscripting) through a _good_ switch stack. Set a low mtu on the interfaces for maximum pps. Please remember to fully air-gap it (and the redundants) from the cloud and the rest of the campus backbone in case you have thick fingers entering the target - your upstream might be tempted to ring you on the BatFone in a hurry. That gets embarrassing, as a friend of mine found out in December last year. Other than that, I suspect it's going to cost you for "real" kit :( Depends how "real" you need it I guess. Kiddies seem to be able to do it with E1/T1-sized pipes so it should at least be better than waiting for one to come your way naturally :) regards Gord -- gurgle. gurgle-splat. splat. splat. sploo-oo-oshhh = rommon
On Wed, 2010-03-17 at 08:07 +0000, gordon b slater wrote: (large file as input), iperfs or nmap+nmapscripting) through a _good_
switch stack. Set a low mtu on the interfaces for maximum pps. ^^^^^^^^^^^^^ ~fail~
correcting myself: set low packet/payload sizes (fragmenting where possible). reason: lack of coffee, too early, feel ill :( G
Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Bit. On Wed, 2010-03-17 at 07:45 +0100, jul wrote:
Hello nanogers,
Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service.
Found only Parabon [1] on Google
Does someone know something similar ?
Thanks Best regards,
Jul
Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to "maintenance mode")
[1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continu...
Hire/buy what I know as a router tester. People call them different things. It's a device that generates packets, and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc. Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and viola. They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course. I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built their first test rig. First we did it with a bank of PCs with custom Linux kernel code to generate packets because we were a startup doing things on the cheap and I was a bit masochistic. Then we got a router tester and did exactly the same thing, but in a whole lot less space with a whole lot less effort. Both worked great, naturally I recommend a router tester. -- Nathan Ward
Nathan Ward wrote:
Hire/buy what I know as a router tester. People call them different things. It's a device that generates packets,
Linux has a packet generator in the kernel as well. More info readily available from your local search engine.
and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Hmmm. What about a fuzzer, or something like scapy?
Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and viola. They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course.
tcpreplay is great for that.
bit gossip wrote:
Nessus is a vulnerability scanner:
Ixia provides a full Nessus implementation in one of its platform.
Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS.
-----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ?
bit gossip wrote:
Nessus is a vulnerability scanner:
Ixia provides a full Nessus implementation in one of its platform.
Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis.
However that wouldn't be a DDoS, but could certainly lead to DOS.
If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant <sfouant@shortestpathfirst.net> wrote:
-----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ?
bit gossip wrote:
Nessus is a vulnerability scanner:
Ixia provides a full Nessus implementation in one of its platform.
Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis.
However that wouldn't be a DDoS, but could certainly lead to DOS.
If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox.
http://bittwist.sourceforge.net/
Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
On a similar note but slightly unrelated note, Not to thread hijack, but does anyone have any useful recipes for generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc) via any of the open source netflow collectors (Flow-Tools, nfdump)? I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data. Thanks, -Drew -----Original Message----- From: kowsik [mailto:kowsik@gmail.com] Sent: Thursday, March 18, 2010 12:33 AM To: Stefan Fouant Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ? http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant <sfouant@shortestpathfirst.net> wrote:
-----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ?
bit gossip wrote:
Nessus is a vulnerability scanner:
Ixia provides a full Nessus implementation in one of its platform.
Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis.
However that wouldn't be a DDoS, but could certainly lead to DOS.
If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox.
http://bittwist.sourceforge.net/
Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
I use argus, radium, and the ra clients to do this. Works very well www.qosient.com Dave Edelman +1 917 331-0112 cell On Mar 18, 2010, at 8:05 AM, Drew Weaver <drew.weaver@thenap.com> wrote:
On a similar note but slightly unrelated note,
Not to thread hijack, but does anyone have any useful recipes for generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc) via any of the open source netflow collectors (Flow-Tools, nfdump)?
I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data.
Thanks, -Drew
-----Original Message----- From: kowsik [mailto:kowsik@gmail.com] Sent: Thursday, March 18, 2010 12:33 AM To: Stefan Fouant Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ?
http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos
YMMV, but mudos converts *any* IP packet into a DoS generator (it's free).
K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr
On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant <sfouant@shortestpathfirst.net> wrote:
-----Original Message----- From: Charles N Wyble [mailto:charles@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ?
bit gossip wrote:
Nessus is a vulnerability scanner:
Ixia provides a full Nessus implementation in one of its platform.
Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis.
However that wouldn't be a DDoS, but could certainly lead to DOS.
If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox.
http://bittwist.sourceforge.net/
Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
I would suggest looking at Breaking Point Systems. They have boxes that can generate lots of traffic and they can also run exploits against the systems. HD Moore was affiliated with this company at some point so Metasploit is probably used for vulnerability testing. Travis www.theIPSGuy.com On Wed, Mar 17, 2010 at 2:45 AM, jul <jul_bsd@yahoo.fr> wrote:
Hello nanogers,
Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service.
Found only Parabon [1] on Google
Does someone know something similar ?
Thanks Best regards,
Jul
Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to "maintenance mode")
[1] New grid service simulates DDoS attacks, May 2009
http://www.computerworlduk.com/technology/security-products/business-continu...
-- Travis Abrams, GCIH, CISSP, etc. www.theipsguy.com
participants (10)
-
bit gossip
-
Charles N Wyble
-
Dave Edelman
-
Drew Weaver
-
gordon b slater
-
jul
-
kowsik
-
Nathan Ward
-
Stefan Fouant
-
travis abrams