Re: anti-ddos test solutions ?

2010-03-18 Thread Dave Edelman

I use argus, radium, and the ra clients to do this. Works very well 
www.qosient.com



Dave Edelman
+1 917 331-0112 cell

On Mar 18, 2010, at 8:05 AM, Drew Weaver  wrote:


> On a similar but slightly unrelated note,
>
> Not to thread hijack, but does anyone have any useful recipes for
> generating any basic baseline data (top talkers, SSH brute forcing,
> SMTP brute forcing, 445, etc.)
> via any of the open source netflow collectors (Flow-Tools, nfdump)?
>
> I've had mixed success getting these packages to produce any useful
> information after getting them to collect the flow data.
>
> Thanks,
> -Drew
>
> -Original Message-
> From: kowsik [mailto:kow...@gmail.com]
> Sent: Thursday, March 18, 2010 12:33 AM
> To: Stefan Fouant
> Cc: nanog@nanog.org
> Subject: Re: anti-ddos test solutions ?
>
> http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/
> http://www.pcapr.net/dos
>
> YMMV, but mudos converts *any* IP packet into a DoS generator (it's
> free).
>
> K.
> ---
> http://www.pcapr.net
> http://labs.mudynamics.com
> http://twitter.com/pcapr
>
> On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant
>  wrote:
> >> -Original Message-
> >> From: Charles N Wyble [mailto:char...@knownelement.com]
> >> Sent: Wednesday, March 17, 2010 12:16 PM
> >> To: nanog@nanog.org
> >> Subject: Re: anti-ddos test solutions ?
> >>
> >> bit gossip wrote:
> >> > Nessus is a vulnerability scanner:
> >> >
> >> > http://www.nessus.org/nessus/
> >> >
> >> > Ixia provides a full Nessus implementation in one of its platforms.
> >>
> >> Well these days I would use http://www.openvas.org and
> >> http://www.metasploit.org
> >> for vulnerability scanning and analysis.
> >>
> >> However that wouldn't be a DDoS, but could certainly lead to DOS.
> >
> > If you can get your hands on a PCAP from a previous attack, you
> > could also use something like Bit-Twist which will allow you to
> > manipulate things like the destination IP and also the transmission
> > rate, etc.  Pretty useful tool to include in the DDoS simulation
> > toolbox.
> >
> > http://bittwist.sourceforge.net/
> >
> > Stefan Fouant, CISSP, JNCIE-M/T
> > www.shortestpathfirst.net
> > GPG Key ID: 0xB5E3803D








RE: anti-ddos test solutions ?

2010-03-18 Thread Drew Weaver
On a similar but slightly unrelated note,

Not to thread hijack, but does anyone have any useful recipes for 
generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute 
forcing, 445, etc.) 
via any of the open source netflow collectors (Flow-Tools, nfdump)?

I've had mixed success getting these packages to produce any useful information 
after getting them to collect the flow data.
  
Thanks,
-Drew


-Original Message-
From: kowsik [mailto:kow...@gmail.com] 
Sent: Thursday, March 18, 2010 12:33 AM
To: Stefan Fouant
Cc: nanog@nanog.org
Subject: Re: anti-ddos test solutions ?

http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/
http://www.pcapr.net/dos

YMMV, but mudos converts *any* IP packet into a DoS generator (it's free).

K.
---
http://www.pcapr.net
http://labs.mudynamics.com
http://twitter.com/pcapr

On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant
 wrote:
>> -Original Message-
>> From: Charles N Wyble [mailto:char...@knownelement.com]
>> Sent: Wednesday, March 17, 2010 12:16 PM
>> To: nanog@nanog.org
>> Subject: Re: anti-ddos test solutions ?
>>
>> bit gossip wrote:
>> > Nessus is a vulnerability scanner:
>> >
>> > http://www.nessus.org/nessus/
>> >
>> > Ixia provides a full Nessus implementation in one of its platforms.
>> >
>>
>> Well these days I would use http://www.openvas.org and
>> http://www.metasploit.org
>> for vulnerability scanning and analysis.
>>
>> However that wouldn't be a DDoS, but could certainly lead to DOS.
>
> If you can get your hands on a PCAP from a previous attack, you could also 
> use something like Bit-Twist which will allow you to manipulate things like 
> the destination IP and also the transmission rate, etc.  Pretty useful tool 
> to include in the DDoS simulation toolbox.
>
> http://bittwist.sourceforge.net/
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>
>
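One way to pull the baseline data Drew asks for out of exported flow records, as an added example that is not part of this thread: it assumes a simplified, constructed CSV column layout (not nfdump's or Flow-Tools' real export format, so adjust FIELDS to your collector), ranks sources by bytes sent, and flags sources that open many tiny TCP flows to SSH, SMTP or 445, which is the shape a password-guessing run leaves in flow data. The packet ceiling and attempt threshold are assumed starting points.

```python
"""Baseline stats from flow records: top talkers and brute-force candidates.

Added example, not code from the thread. The CSV layout below is a
constructed, simplified one; real nfdump / flow-tools exports carry more
fields in a different order.
"""
import csv
import io
from collections import Counter, defaultdict

FIELDS = ["ts", "sa", "da", "sp", "dp", "pr", "ipkt", "ibyt"]

# Constructed sample: one bulk transfer, one real SSH session, one source
# hammering port 22 on five hosts with failed-login-sized flows, and noise.
SAMPLE = """\
2010-03-18 08:00:01,10.0.0.5,192.0.2.10,51000,80,TCP,1200,1600000
2010-03-18 08:00:02,10.0.0.6,192.0.2.11,51001,443,TCP,30,4100
""" + "".join(
    f"2010-03-18 08:00:{i % 60:02d},198.51.100.7,192.0.2.{20 + i % 5},"
    f"{40000 + i},22,TCP,6,820\n"
    for i in range(40)
) + "2010-03-18 08:01:10,10.0.0.8,192.0.2.12,52000,22,TCP,900,120000\n"

# Service ports the thread mentions. A flow with at most this many packets
# is the size of a failed login, not a working session (assumed threshold).
WATCHED_PORTS = {22: "SSH", 25: "SMTP", 445: "SMB"}
MAX_PKTS_PER_ATTEMPT = 20
MIN_ATTEMPTS = 25


def parse_flows(text):
    """Yield one dict per flow record, with the numeric fields converted."""
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["dp"] = int(row["dp"])
        row["ipkt"] = int(row["ipkt"])
        row["ibyt"] = int(row["ibyt"])
        yield row


def top_talkers(flows, n=3):
    """Source addresses ranked by total bytes sent, as (src, bytes) pairs."""
    by_src = Counter()
    for f in flows:
        by_src[f["sa"]] += f["ibyt"]
    return by_src.most_common(n)


def brute_force_candidates(flows):
    """Sources with many tiny TCP flows to a watched port.

    Returns {(src, service): (attempt_count, distinct_targets)} for sources
    at or above MIN_ATTEMPTS; a long-lived real session is not counted.
    """
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for f in flows:
        svc = WATCHED_PORTS.get(f["dp"])
        if svc and f["pr"] == "TCP" and f["ipkt"] <= MAX_PKTS_PER_ATTEMPT:
            key = (f["sa"], svc)
            attempts[key] += 1
            targets[key].add(f["da"])
    return {k: (c, len(targets[k])) for k, c in attempts.items() if c >= MIN_ATTEMPTS}


if __name__ == "__main__":
    records = list(parse_flows(SAMPLE))
    print("top talkers:", top_talkers(records))
    print("brute-force candidates:", brute_force_candidates(records))
```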



Re: anti-ddos test solutions ?

2010-03-17 Thread kowsik
http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/
http://www.pcapr.net/dos

YMMV, but mudos converts *any* IP packet into a DoS generator (it's free).

K.
---
http://www.pcapr.net
http://labs.mudynamics.com
http://twitter.com/pcapr

On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant
 wrote:
>> -Original Message-
>> From: Charles N Wyble [mailto:char...@knownelement.com]
>> Sent: Wednesday, March 17, 2010 12:16 PM
>> To: nanog@nanog.org
>> Subject: Re: anti-ddos test solutions ?
>>
>> bit gossip wrote:
>> > Nessus is a vulnerability scanner:
>> >
>> > http://www.nessus.org/nessus/
>> >
>> > Ixia provides a full Nessus implementation in one of its platforms.
>> >
>>
>> Well these days I would use http://www.openvas.org and
>> http://www.metasploit.org
>> for vulnerability scanning and analysis.
>>
>> However that wouldn't be a DDoS, but could certainly lead to DOS.
>
> If you can get your hands on a PCAP from a previous attack, you could also 
> use something like Bit-Twist which will allow you to manipulate things like 
> the destination IP and also the transmission rate, etc.  Pretty useful tool 
> to include in the DDoS simulation toolbox.
>
> http://bittwist.sourceforge.net/
>
> Stefan Fouant, CISSP, JNCIE-M/T
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>
>



RE: anti-ddos test solutions ?

2010-03-17 Thread Stefan Fouant
> -Original Message-
> From: Charles N Wyble [mailto:char...@knownelement.com]
> Sent: Wednesday, March 17, 2010 12:16 PM
> To: nanog@nanog.org
> Subject: Re: anti-ddos test solutions ?
> 
> bit gossip wrote:
> > Nessus is a vulnerability scanner:
> >
> > http://www.nessus.org/nessus/
> >
> > Ixia provides a full Nessus implementation in one of its platforms.
> >
> 
> Well these days I would use http://www.openvas.org and
> http://www.metasploit.org
> for vulnerability scanning and analysis.
> 
> However that wouldn't be a DDoS, but could certainly lead to DOS.

If you can get your hands on a PCAP from a previous attack, you could also use 
something like Bit-Twist which will allow you to manipulate things like the 
destination IP and also the transmission rate, etc.  Pretty useful tool to 
include in the DDoS simulation toolbox.

http://bittwist.sourceforge.net/

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




RE: anti-ddos test solutions ?

2010-03-17 Thread Stefan Fouant
> -Original Message-
> From: Matthew Kaufman [mailto:matt...@matthew.at]
> Sent: Wednesday, March 17, 2010 11:00 AM
> 
> Don't you just set up an IRC server and then say something inflammatory
> to the wrong person?

You can always get DNS hosting from Ultra.  You're apt to experience some
noise in that scenario too ;)

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: anti-ddos test solutions ?

2010-03-17 Thread Charles N Wyble


Nathan Ward wrote:
> Hire/buy what I know as a router tester. People call them different things.
> It's a device that generates packets,

Linux has a packet generator in the kernel as well.

More info readily available from your local search engine.

>  and can normally simulate TCP etc. all the way up to HTTP etc. or higher. 
> BGP, OSPF, MPLS, etc. etc. etc.
>   

Hmmm. What about a fuzzer, or something like scapy?
> Tell it to generate packets that look like they come from many many hosts 
> (you can normally simulate some kind of network topology with hosts in 
> different places and hence different TTLs etc.), and voilà.
> They normally let you generate background noise traffic, or you could record 
> 24 hours of packet headers from somewhere in your network and play it back 
> through your test network. This needs a lot of disk of course.
>   
tcpreplay is great for that.





Re: anti-ddos test solutions ?

2010-03-17 Thread Charles N Wyble
bit gossip wrote:
> Nessus is a vulnerability scanner:
>
> http://www.nessus.org/nessus/
>
> Ixia provides a full Nessus implementation in one of its platforms.
>   

Well these days I would use http://www.openvas.org and
http://www.metasploit.org
for vulnerability scanning and analysis.

However that wouldn't be a DDoS, but could certainly lead to DOS.




Re: anti-ddos test solutions ?

2010-03-17 Thread Brielle Bruns
(Written on a blackberry - please don't flame me for top posting.)


Depends on what kind of DoS - 'cause you're more likely to experience a phone DoS 
more so than an Internet DoS.  Hope you don't need to make or receive any calls 
for a week or two :)

-- 
Brielle Bruns
http://www.sosdg.org  /  http://www.ahbl.org

-Original Message-
From: valdis.kletni...@vt.edu
Date: Wed, 17 Mar 2010 13:20:00 
To: 
Cc: 
Subject: Re: anti-ddos test solutions ?

On Wed, 17 Mar 2010 10:00:21 PDT, Matthew Kaufman said:

> Don't you just set up an IRC server and then say something inflammatory 
> to the wrong person?

For a slightly more interesting packet mix, go over to 4chan and get anon
ticked at you.





Re: anti-ddos test solutions ?

2010-03-17 Thread Valdis . Kletnieks
On Wed, 17 Mar 2010 10:00:21 PDT, Matthew Kaufman said:

> Don't you just set up an IRC server and then say something inflammatory 
> to the wrong person?

For a slightly more interesting packet mix, go over to 4chan and get anon
ticked at you.




RE: anti-ddos test solutions ?

2010-03-17 Thread Drew Weaver
Or let your users post something on their blog that person x y z might not like 
=)

-Original Message-
From: Matthew Kaufman [mailto:matt...@matthew.at] 
Sent: Wednesday, March 17, 2010 1:00 PM
To: Brandon Kim
Cc: nanog@nanog.org
Subject: Re: anti-ddos test solutions ?

Brandon Kim wrote:
> Hey Barry,
>
> What program do you use to simulate the DDOS Botnet? Is it a custom program 
> or something off the shelf?
>
>   
> 

Don't you just set up an IRC server and then say something inflammatory 
to the wrong person?

Matthew Kaufman




Re: anti-ddos test solutions ?

2010-03-17 Thread Matthew Kaufman

Brandon Kim wrote:
> Hey Barry,
>
> What program do you use to simulate the DDOS Botnet? Is it a custom program 
> or something off the shelf?


Don't you just set up an IRC server and then say something inflammatory 
to the wrong person?


Matthew Kaufman



RE: anti-ddos test solutions ?

2010-03-17 Thread Brandon Kim

Hey Barry,

What program do you use to simulate the DDOS Botnet? Is it a custom program or 
something off the shelf?



> From: bgre...@senki.org
> To: sfou...@shortestpathfirst.net; gforta...@live.com; nanog@nanog.org
> Subject: RE: anti-ddos test solutions ?
> Date: Wed, 17 Mar 2010 09:27:20 -0700
> 
> I use all the testing tools out there for DDOS testing (you name it, I've
> most likely used it or currently have it in the lab). The only way I've been
> able to whack anti-DDOS solutions is by building a couple of racks of servers
> to emulate a DDOS Botnet. 
> 
> 
> 
> 
  

RE: anti-ddos test solutions ?

2010-03-17 Thread Barry Raveendran Greene
I use all the testing tools out there for DDOS testing (you name it, I've
most likely used it or currently have it in the lab). The only way I've been
able to whack anti-DDOS solutions is by building a couple of racks of servers
to emulate a DDOS Botnet. 






RE: anti-ddos test solutions ?

2010-03-17 Thread Stefan Fouant
> -Original Message-
> From: Guillaume FORTAINE [mailto:gforta...@live.com]
> Sent: Wednesday, March 17, 2010 7:02 AM
> To: nanog@nanog.org
> Subject: Re: anti-ddos test solutions ?
> 
> Dear jul,
> 
> I would advise Breaking Point:

To those advising using BreakingPoint for DDoS simulation, I have to ask
have you ever actually used it?  I have spent considerable time using the
BreakingPoint in my DDoS lab and I can tell you that I for one would
absolutely and unequivocally NOT advocate using the BreakingPoint for DDoS
testing.  Sure it's a good box for testing firewalls, but the FPGAs on that
box are extremely limited and I would be remiss if I didn't warn you before
using this box as a DDoS simulation platform.

Here are some of the limitations I've encountered when using the
BreakingPoint BPS Elite:

- No support for ICMP or ICMP flooding attacks
- There are several methods to simulate UDP and TCP floods - AppSim and
ClientSim only allow you to generate UDP/TCP floods using fixed ports.
Another component called Routing Robot lets you randomize
source/destination ports, but is limited to only 64 hosts per interface.  In
my experience most DDoS attacks are far and away above 64 source hosts.
- No ability to fragment packets or modify other items within the packets,
such as bits in the IP Options portion of the IP header.
- No ability to manipulate DSCP bits with fine grained control
- No ability to parse microflows - for example, when running a test, one can
look at the Applications tab and see a visible display of how much DNS
traffic is received vs. HTTP traffic, however there is no ability to parse
the individual microflows within the DNS traffic, for example to identify
the malicious DNS traffic vs. the good DNS traffic
- Large number of issues with the Web based GUI, which will cause the
end-user considerable frustration when you have to continually reopen the
application due to hangs, etc.

This is just a small sample of the issues I've encountered.  All I'm saying
is don't say I didn't warn you.  This is *NOT* the box for DDoS testing.

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: anti-ddos test solutions ?

2010-03-17 Thread Guillaume FORTAINE

Dear jul,

I would advise Breaking Point:

-News:

http://www.breakingpointsystems.com/news/press-releases/breakingpoint-distributed-denial-of-service-ddos-and-botnet-test-methodology-helps-networks-prepare-for-imminent-attack


-Methodology:

http://www.breakingpointsystems.com/resources/testmethodologies/breakingpoint-ddos-botnet-testing-methodology


-Documentation:

http://docs.google.com/viewer?url=http://www.breakingpointsystems.com/resources/how-to-guides/simulating-distributed-denial-of-service.pdf



Best Regards,

Guillaume FORTAINE

On 03/17/2010 07:45 AM, jul wrote:
> Hello nanogers,
>
> Following the multiple threads on DDoS attacks, I was asking myself how
> someone could test chosen solutions.
> In most cases, you can't load your Internet access in the same way
> attackers will (does someone have a botnet with ten thousand computers
> or more :) ?)
> But a solution to test basic attacks (synflood, slowloris, sockstress,
> ...) with 10 to a hundred computers would be interesting, so not a tool
> but more a service.
>
> Found only Parabon [1] on Google
>
> Does someone know something similar ?
>
> Thanks
> Best regards,
>
> Jul
>
> Note: Please, don't forget this kind of public test has some serious
> legal impact and you need to have an agreement with your ISP/operators
> to do it in most countries.
> Note2: Google has a lot of answers. Most of them are about tools and
> methodology, so not sure for a live test. I'm not looking for a lab
> solution but a real one with business acceptance (and a wise choice on
> the hours of the test so the front-end can be switched to "maintenance mode")
>
> [1] New grid service simulates DDoS attacks, May 2009
> http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640










Re: anti-ddos test solutions ?

2010-03-17 Thread travis abrams
I would suggest looking at Breaking Point Systems. They have boxes that can
generate lots of traffic and they can also run exploits against the systems.
HD Moore was affiliated with this company at some point so Metasploit is
probably used for vulnerability testing.

Travis

www.theIPSGuy.com



On Wed, Mar 17, 2010 at 2:45 AM, jul  wrote:

> Hello nanogers,
>
> Following the multiple threads on DDoS attacks, I was asking myself how
> someone could test chosen solutions.
> In most cases, you can't load your Internet access in the same way
> attackers will (does someone have a botnet with ten thousand computers
> or more :) ?)
> But a solution to test basic attacks (synflood, slowloris, sockstress,
> ...) with 10 to a hundred computers would be interesting, so not a tool
> but more a service.
>
> Found only Parabon [1] on Google
>
> Does someone know something similar ?
>
> Thanks
> Best regards,
>
>Jul
>
> Note: Please, don't forget this kind of public test has some serious
> legal impact and you need to have an agreement with your ISP/operators
> to do it in most countries.
> Note2: Google has a lot of answers. Most of them are about tools and
> methodology, so not sure for a live test. I'm not looking for a lab
> solution but a real one with business acceptance (and a wise choice on
> the hours of the test so the front-end can be switched to "maintenance mode")
>
> [1] New grid service simulates DDoS attacks, May 2009
>
> http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
>
>


-- 
Travis Abrams, GCIH, CISSP, etc.
www.theipsguy.com


Re: anti-ddos test solutions ?

2010-03-17 Thread Nathan Ward
Hire/buy what I know as a router tester. People call them different things.
It's a device that generates packets, and can normally simulate TCP etc. all 
the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Tell it to generate packets that look like they come from many many hosts (you 
can normally simulate some kind of network topology with hosts in different 
places and hence different TTLs etc.), and voilà.
They normally let you generate background noise traffic, or you could record 24 
hours of packet headers from somewhere in your network and play it back through 
your test network. This needs a lot of disk of course.

I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built 
their first test rig. First we did it with a bank of PCs with custom Linux 
kernel code to generate packets because we were a startup doing things on the 
cheap and I was a bit masochistic. Then we got a router tester and did exactly 
the same thing, but in a whole lot less space with a whole lot less effort.

Both worked great, naturally I recommend a router tester.

--
Nathan Ward


Re: anti-ddos test solutions ?

2010-03-17 Thread bit gossip
Nessus is a vulnerability scanner:

http://www.nessus.org/nessus/

Ixia provides a full Nessus implementation in one of its platforms.

Bit.

On Wed, 2010-03-17 at 07:45 +0100, jul wrote:
> Hello nanogers,
> 
> Following the multiple threads on DDoS attacks, I was asking myself how
> someone could test chosen solutions.
> In most cases, you can't load your Internet access in the same way
> attackers will (does someone have a botnet with ten thousand computers
> or more :) ?)
> But a solution to test basic attacks (synflood, slowloris, sockstress,
> ...) with 10 to a hundred computers would be interesting, so not a tool
> but more a service.
> 
> Found only Parabon [1] on Google
> 
> Does someone know something similar ?
> 
> Thanks
> Best regards,
> 
>   Jul
> 
> Note: Please, don't forget this kind of public test has some serious
> legal impact and you need to have an agreement with your ISP/operators
> to do it in most countries.
> Note2: Google has a lot of answers. Most of them are about tools and
> methodology, so not sure for a live test. I'm not looking for a lab
> solution but a real one with business acceptance (and a wise choice on
> the hours of the test so the front-end can be switched to "maintenance mode")
> 
> [1] New grid service simulates DDoS attacks, May 2009
> http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
> 





Re: anti-ddos test solutions ?

2010-03-17 Thread gordon b slater
On Wed, 2010-03-17 at 08:07 +, gordon b slater wrote:
> (large file as input), iperfs or nmap+nmap scripting through a _good_
> switch stack. Set a low mtu on the interfaces for maximum pps.
^   
~fail~

correcting myself: set low packet/payload sizes (fragmenting where
possible).

reason: lack of coffee, too early, feel ill :(

G





Re: anti-ddos test solutions ?

2010-03-17 Thread gordon b slater
On Wed, 2010-03-17 at 07:45 +0100, jul dit:
> But a solution to test basic attacks (synflood, slowloris, sockstress,
> ...) with 10 to a hundred computers would be interesting, so not a tool
> but more a service.
> 
> Found only Parabon [1] on Google
> 
> Does someone know something similar ?

If you have access to a large enough network in a campus-size
establishment, try booting a large room (100+) full of desktop PCs with
a live CD/USB and script (or clusterSSH) some hpings, blind netcats
(large file as input), iperfs or nmap+nmap scripting through a _good_
switch stack. Set a low mtu on the interfaces for maximum pps.

Please remember to fully air-gap it (and the redundants) from the cloud
and the rest of the campus backbone in case you have thick fingers
entering the target - your upstream might be tempted to ring you on the
BatFone in a hurry. That gets embarrassing, as a friend of mine found
out in December last year.

Other than that, I suspect it's going to cost you for "real" kit :(
Depends how "real" you need it I guess.

Kiddies seem to be able to do it with E1/T1-sized pipes so it should at
least be better than waiting for one to come your way naturally :)

regards
Gord

--
gurgle. gurgle-splat. splat. splat. sploo-oo-oshhh = rommon