Following the multiple thread on ddos attack, I was asking myself how
someone could test chosen solutions.
In most cases, you can't load your Internet access in the same way
attackers will (does someone have a botners with ten thousands computers
or more ?)
But a solution to test basic attack (synflood, slowloris, socktress,
...) with 10 to hundred computers would be interesting, so not a tool
but more a service.
Found only Parabon [1] on Google
Does someone know something similar ?
Thanks
Best regards,
    Jul
Note: Please, don't forget this kind of public tests have some serious
legal impact and you need to have an agreement with your ISP/operators
to do it in most countries.
Note2: Google has a lot of answers. Most of them are about tool and
methodology, so not sure for a live test. I'm not looking for a lab
solution but real one with business acceptation (and a wise choice on
the hours of the test so front-end can be switch to "maintenance mode")
But a solution to test basic attack (synflood, slowloris, socktress,
...) with 10 to hundred computers would be interesting, so not a tool
but more a service.
Found only Parabon [1] on Google
Does someone know something similar ?
If you have access to a large enough network in a campus-size
establishment, try booting a large room (100+) full of desktop PCs with
a live CD/USB and script (or clusterSSH) some hpings, blind netcats
(large file as input), iperfs or nmap+nmapscripting) through a _good_
switch stack. Set a low mtu on the interfaces for maximum pps.
Please remember to fully air-gap it (and the redundants) from the cloud
and the rest of the campus backbone in case you have thick fingers
entering the target - your upstream might be tempted to ring you on the
BatFone in a hurry. That gets embarrassing, as a friend of mine found
out in December last year.
Other than that, I suspect it's going to cost you for "real" kit
Depends how "real" you need it I guess.
Kiddies seem to be able to do it with E1/T1-sized pipes so it should at
least be better than waiting for one to come your way naturally
Hire/buy what I know as a router tester. People call them different things.
It's a device that generates packets, and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and viola.
They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course.
I used to work for an anti-ddos vendor (Esphion, now owned by Allot) and built their first test rig. First we did it with a bank of PCs with custom Linux kernel code to generate packets because we were a startup doing things on the cheap and I was a bit masochistic. Then we got a router tester and did exactly the same thing, but in a whole lot less space with a whole lot less effort.
Both worked great, naturally I recommend a router tester.
I would suggest looking at Breaking Point Systems. They have boxes that can
generate lots of traffic and they can also run exploits against the systems.
HD Moore was affiliated with this company at some point so Metasploit is
probably used for vulnerability testing.
Hire/buy what I know as a router tester. People call them different things.
It's a device that generates packets,
Linux has a packet generator in the kernel as well.
More info readily available from your local search engine.
and can normally simulate TCP etc. all the way up to HTTP etc. or higher. BGP, OSPF, MPLS, etc. etc. etc.
Hmmm. What about a fuzzer, or something like scapy?
Tell it to generate packets that look like they come from many many hosts (you can normally simulate some kind of network topology with hosts in different places and hence different TTLs etc.), and viola.
They normally let you generate background noise traffic, or you could record 24 hours of packet headers from somewhere in your network and play it back through your test network. This needs a lot of disk of course.
If you can get your hands on a PCAP from a previous attack, you could also use something like Bit-Twist which will allow you to manipulate things like the destination IP and also the transmission rate, etc. Pretty useful tool to include in the DDoS simulation toolbox.
Not to thread hijack, but does anyone have any useful recipes for
generating any basic baseline data (top talkers, SSH brute forcing, SMTP brute forcing, 445,etc)
via any of the open source netflow collectors (Flow-Tools, nfdump)?
I've had mixed success getting these packages to produce any useful information after getting them to collect the flow data.
 Â
Thanks,
-Drew
?)
