RE: anti-ddos test solutions ?
On a similar note but slightly unrelated note, Not to thread hijack, but does anyone have any useful recipes for generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc) via any of the open source netflow collectors (Flow-Tools, nfdump)? I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data. Thanks, -Drew -Original Message- From: kowsik [mailto:kow...@gmail.com] Sent: Thursday, March 18, 2010 12:33 AM To: Stefan Fouant Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ? http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: Charles N Wyble [mailto:char...@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS. If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
Re: anti-ddos test solutions ?
I use argus, radium, and the ra clients to do this. Works very well www.qosient.com Dave Edelman +1 917 331-0112 cell On Mar 18, 2010, at 8:05 AM, Drew Weaver drew.wea...@thenap.com wrote: On a similar note but slightly unrelated note, Not to thread hijack, but does anyone have any useful recipes for generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc) via any of the open source netflow collectors (Flow-Tools, nfdump)? I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data. Thanks, -Drew -Original Message- From: kowsik [mailto:kow...@gmail.com] Sent: Thursday, March 18, 2010 12:33 AM To: Stefan Fouant Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ? http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: Charles N Wyble [mailto:char...@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS. If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
anti-ddos test solutions ?
Hello nanogers, Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? Thanks Best regards, Jul Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to maintenance mode) [1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
Re: anti-ddos test solutions ?
On Wed, 2010-03-17 at 07:45 +0100, jul dit: But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? If you have access to a large enough network in a campus-size establishment, try booting a large room (100+) full of desktop PCs with a live CD/USB and script (or clusterSSH) some hpings, blind netcats (large file as input), iperfs or nmap+nmapscripting) through a _good_ switch stack. Set a low mtu on the interfaces for maximum pps. Please remember to fully air-gap it (and the redundants) from the cloud and the rest of the campus backbone in case you have thick fingers entering the target - your upstream might be tempted to ring you on the BatFone in a hurry. That gets embarrassing, as a friend of mine found out in December last year. Other than that, I suspect it's going to cost you for real kit :( Depends how real you need it I guess. Kiddies seem to be able to do it with E1/T1-sized pipes so it should at least be better than waiting for one to come your way naturally :) regards Gord -- gurgle. gurgle-splat. splat. splat. sploo-oo-oshhh = rommon
Re: anti-ddos test solutions ?
On Wed, 2010-03-17 at 08:07 +, gordon b slater wrote: (large file as input), iperfs or nmap+nmapscripting) through a _good_ switch stack. Set a low mtu on the interfaces for maximum pps. ^ ~fail~ correcting myself: set low packet/payload sizes (fragmenting where possible). reason: lack of coffee, too early, feel ill :( G
Re: anti-ddos test solutions ?
Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Bit. On Wed, 2010-03-17 at 07:45 +0100, jul wrote: Hello nanogers, Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? Thanks Best regards, Jul Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to maintenance mode) [1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
Re: anti-ddos test solutions ?
Hire/buy what I know as a router tester. People call them different things. It's a device that generates packets, and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc. Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and viola. They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course. I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built their first test rig. First we did it with a bank of PCs with custom Linux kernel code to generate packets because we were a startup doing things on the cheap and I was a bit masochistic. Then we got a router tester and did exactly the same thing, but in a whole lot less space with a whole lot less effort. Both worked great, naturally I recommend a router tester. -- Nathan Ward
Re: anti-ddos test solutions ?
I would suggest looking at Breaking Point Systems. They have boxes that can generate lots of traffic and they can also run exploits against the systems. HD Moore was affiliated with this company at some point so Metasploit is probably used for vulnerability testing. Travis www.theIPSGuy.com On Wed, Mar 17, 2010 at 2:45 AM, jul jul_...@yahoo.fr wrote: Hello nanogers, Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? Thanks Best regards, Jul Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to maintenance mode) [1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640 -- Travis Abrams, GCIH, CISSP, etc. www.theipsguy.com
Re: anti-ddos test solutions ?
Dear jul, I would advise Breaking Point : -News : http://www.breakingpointsystems.com/news/press-releases/breakingpoint-distributed-denial-of-service-ddos-and-botnet-test-methodology-helps-networks-prepare-for-imminent-attack -Methodology http://www.breakingpointsystems.com/resources/testmethodologies/breakingpoint-ddos-botnet-testing-methodology -Documentation : http://docs.google.com/viewer?url=http://www.breakingpointsystems.com/resources/how-to-guides/simulating-distributed-denial-of-service.pdf Best Regards, Guillaume FORTAINE On 03/17/2010 07:45 AM, jul wrote: Hello nanogers, Following the multiple thread on ddos attack, I was asking myself how someone could test chosen solutions. In most cases, you can't load your Internet access in the same way attackers will (does someone have a botners with ten thousands computers or more :) ?) But a solution to test basic attack (synflood, slowloris, socktress, ...) with 10 to hundred computers would be interesting, so not a tool but more a service. Found only Parabon [1] on Google Does someone know something similar ? Thanks Best regards, Jul Note: Please, don't forget this kind of public tests have some serious legal impact and you need to have an agreement with your ISP/operators to do it in most countries. Note2: Google has a lot of answers. Most of them are about tool and methodology, so not sure for a live test. I'm not looking for a lab solution but real one with business acceptation (and a wise choice on the hours of the test so front-end can be switch to maintenance mode) [1] New grid service simulates DDoS attacks, May 2009 http://www.computerworlduk.com/technology/security-products/business-continuity/news/index.cfm?newsId=14640
RE: anti-ddos test solutions ?
-Original Message- From: Guillaume FORTAINE [mailto:gforta...@live.com] Sent: Wednesday, March 17, 2010 7:02 AM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? Dear jul, I would advise Breaking Point : To those advising using BreakingPoint for DDoS simulation, I have to ask have you ever actually used it? I have spent considerable time using the BreakingPoint in my DDoS lab and I can tell you that I for one would absolutely and unequivocally NOT advocate using the BreakingPoint for DDoS testing. Sure it's a good box for testing firewalls, but the FPGAs on that box are extremely limited and I would be remiss if I didn't warn you before using this box as a DDoS simulation platform. Here are some of the limitations I've encountered when using the BreakingPoint BPS Elite: - No support for ICMP or ICMP flooding attacks - There are several methods to similate UDP and TCP floods - AppSim and ClientSim only allow you to generate UDP/TCP floods using fixed ports. Another component called Routing Robot lets you use randomize source/destination ports, but is limited to only 64 hosts per interface. In my experience most DDoS attacks are far and away above 64 source hosts. - No ability to fragment packets or modify other items within the packets, such as bits in the IP Options portion of the IP header. - No ability to manipulate DSCP bits with fine grained control - No ability to parse microflows - for example, when running a test, one can look at the Applications tab and see a visible display of how much DNS traffic is received vs. HTTP traffic, however there is no ability to parse the individual microflows within the DNS traffic, for example to identify the malicious DNS traffic vs. the good DNS traffic - Large amount of issues with the Web based GUI, which will cause the end-user considerable frustration when you have to continually reopen the application due to hangs, etc. This is just a small sample of the issues I've encountered. All I'm saying is don't say I didn't warn you. This is *NOT* the box for DDoS testing. Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
RE: anti-ddos test solutions ?
I use all the testing tools out there for DDOS testing (you name it I've most likely have used or currently have in the lab). The only way I've been able to whack anti-DDOS solutions is by build a couple of racks of servers to emulate a DDOS Botnet.
RE: anti-ddos test solutions ?
Hey Barry, What program do you use to simulate the DDOS Botnet? Is it a custom program or something off the shelf? From: bgre...@senki.org To: sfou...@shortestpathfirst.net; gforta...@live.com; nanog@nanog.org Subject: RE: anti-ddos test solutions ? Date: Wed, 17 Mar 2010 09:27:20 -0700 I use all the testing tools out there for DDOS testing (you name it I've most likely have used or currently have in the lab). The only way I've been able to whack anti-DDOS solutions is by build a couple of racks of servers to emulate a DDOS Botnet.
Re: anti-ddos test solutions ?
Brandon Kim wrote: Hey Barry, What program do you use to simulate the DDOS Botnet? Is it a custom program or something off the shelf? Don't you just set up an IRC server and then say something inflammatory to the wrong person? Matthew Kaufman
Re: anti-ddos test solutions ?
On Wed, 17 Mar 2010 10:00:21 PDT, Matthew Kaufman said: Don't you just set up an IRC server and then say something inflammatory to the wrong person? For a slightly more interesting packet mix, go over to 4chan and get anon ticked at you. pgpeQnTYH2mmM.pgp Description: PGP signature
Re: anti-ddos test solutions ?
(Written on a blackberry - please don't flame me for top posting.) Depends on what kind of DoS - cause your more likely to experience a phone DoS moreso then an Internet DoS. Hope you don't need to make or receive any calls for a week or two :) -- Brielle Bruns http://www.sosdg.org / http://www.ahbl.org -Original Message- From: valdis.kletni...@vt.edu Date: Wed, 17 Mar 2010 13:20:00 To: matt...@matthew.at Cc: nanog@nanog.org Subject: Re: anti-ddos test solutions ? On Wed, 17 Mar 2010 10:00:21 PDT, Matthew Kaufman said: Don't you just set up an IRC server and then say something inflammatory to the wrong person? For a slightly more interesting packet mix, go over to 4chan and get anon ticked at you.
Re: anti-ddos test solutions ?
bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS.
RE: anti-ddos test solutions ?
-Original Message- From: Charles N Wyble [mailto:char...@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS. If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
Re: anti-ddos test solutions ?
http://labs.mudynamics.com/2009/04/10/ddos-testing-network-applications/ http://www.pcapr.net/dos YMMV, but mudos converts *any* IP packet into a DoS generator (it's free). K. --- http://www.pcapr.net http://labs.mudynamics.com http://twitter.com/pcapr On Wed, Mar 17, 2010 at 11:28 AM, Stefan Fouant sfou...@shortestpathfirst.net wrote: -Original Message- From: Charles N Wyble [mailto:char...@knownelement.com] Sent: Wednesday, March 17, 2010 12:16 PM To: nanog@nanog.org Subject: Re: anti-ddos test solutions ? bit gossip wrote: Nessus is a vulnerability scanner: http://www.nessus.org/nessus/ Ixia provides a full Nessus implementation in one of its platform. Well these days I would use http://www.openvas.org and http://www.metasploit.org for vulnerability scanning and analysis. However that wouldn't be a DDoS, but could certainly lead to DOS. If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox. http://bittwist.sourceforge.net/ Stefan Fouant, CISSP, JNCIE-M/T www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
