
Thread: DDOS testing tools

  1. #1
    Senior Member
    Join Date
    Mar 2003
    Posts
    372

    DDOS testing tools

    Hey gang, it has been a while since I posted here... work has kept me buried and RL has been in the way of doing "fun" stuff lately too


    Anyway, here is a quick run down and background of what I am asking for. I work for a large ecommerce company, no I won't share the name right now. Anyway over the past few months they have been receiving some fairly hardcore DDoS attacks. I have been able to help them fend off this stuff but it is always a manual process. We have some beefy routers, some beefy switches and some beefy firewalls but they all will bow to the pressure of a large DDoS.

    Anyway, I talked them into buying a pretty nifty product (Cisco Guard) and we will be implementing it soon. I'm almost willing to bet that no one here is familiar with the Guard product, usually only large ISPs bother with this thing. If you are familiar with the Guard product then I'll let you know we are using the whole product in house... as I said nifty Now one of the things I'm going to have to do is show that my company has spent its money wisely, and that I don't cause harm to our application by blocking legit traffic. To that end I need to test this product. I have a test tool from Cisco for this... but that just isn't enough and quite frankly the DoS attacks it can create are not of the style we have been seeing here. We have seen ICMP fragments, SYN floods, UDP fragments, and just plain overloading port 80 with legit TCP packets. Their tool does a lot of that, but not all of that... plus I would like to get exotic in my testing at some point to show the "powers that be" that the capital expenditure here was well worth it and that we will be in good shape for the future.

    I need to hammer this thing, the harder the better. I, however, am not familiar with the tools out there to do such a thing. I usually do pen test work, forensics work, etc and not DDoS/DoS work, so I'm turning to the AO community for suggestions and ideas.

    As always if you don't wish to share information in the open then hit me up by email. Any help would be greatly appreciated.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Sorry mate, not really my area but you said:

    Anyway, I talked them in to buying a pretty nifty product (Cisco Guard) and we will be implementing it soon.
    Don't you "try before you buy?"

    I know that this will sound rather like a pathetic CYA strategy, but I actually wouldn't do what you are proposing, given that they have already purchased the product you recommended.

    Supposing it craps out?.......................... that would drop you right in the brown and smelly stuff?

    My advice would be to let it run, and point out that the pressure has been relieved to some extent. That way, when the scumbags find a way to compromise the system or overwhelm it.............. you just blame Cisco

    On the face of what you have said though, I would have thought that the best line of approach (corporate wise) is to find out which business rival is behind this? after all, if you are a big organisation it is going to involve a reasonably serious amount of cash to hire sufficient resources?

    That doesn't sound like your average p1$$ed off customer to me?

    We have a saying over here:

    "You don't kill an octopus by cutting off its tentacles"


  3. #3
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    We can't "try before buy" on this product. In order to properly eval this we would have had to buy a /lot/ of network gear that we will never use again... Catalysts, routers, FWSMs, etc along with several OC3s. This is one of those odd products that would have to go production straight away. Do /you/ have a dev infrastructure network, I know we don't? We normally eval first, just couldn't in this case.

    Trust me on this much, it wasn't an overnight decision and a lot of effort was put into finding the correct product. We had all the big players in house a lot, and we have seen a couple of live installations for a POC on it. We have spent many hundreds of man hours already on this project, just now we are at the delicate stage.

    In this case I /have/ to prove that it works in the way we need it to work, and to do that I am going to have to simulate the attacks we have seen. We have a very "odd" network and an application that is very non standard so we can't just plug it in and say "ta-da!" If this starts blocking legit traffic it is many millions of dollars that it will cost the company, not to mention the impact to brand integrity.


    As far as that "who" it is attacking us, we have a good idea. But due to international laws, and where they are located, it makes it next to impossible to pursue legally

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmm,

    In order to properly eval this we would have had to buy a /lot/ of network gear that we will never use again... Catalysts, routers, FWSMs, etc along with several OC3s. This is one of those odd products that would have to go production straight away.
    So, you buy the lottery ticket or you don't....................?

    Time to bring in your "lawyers and other reptiles"............. Cisco must agree a full refund if it doesn't work for you?

    AFAIK, the only way you could do this properly is the way it is happening IRL.......... which means you will have to employ someone with a bot army?

    I guess that would be illegal where you are?

    I haven't done this sort of thing, but I haven't heard of it being done either, which is probably more significant

    I have done a fair bit of systems stress testing though; which is a similar concept. I am of the opinion that it only gives you a "rough idea".

    Unfortunately, there are times in life when you just have to take the salesman's word for it.................. just make sure that your lawyers have a noose around his neck

    As far as that "who" it is attacking us, we have a good idea. But due to international laws, and where they are located, it makes it next to impossible to pursue legally
    Try "politically"........................ generally works out cheaper
    Last edited by nihil; March 31st, 2008 at 10:48 PM.

  5. #5
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    heh, politically we have no recourse either... pretty much they are based in the wilds of the world. Their gov't doesn't care, their police don't care, and our gov't can't do anything about it.

    We have an iron clad agreement with Cisco, but my higher ups have still requested that I "prove" it works and the only way to do that is to attack my own company.

    I thought about the bot net, but I'm not sure I wish to raise our profile any more than it already is in the "underground". I have my hands full now as it is, I don't think I could add more bad guys to my plate and still have anything remotely resembling a life

    I know there have to be tools out there, people attack us all the time. I have seen some of the tools, but I guess I'm really looking for recommendations.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  6. #6

    In house network team?

    Do you have a team there that does network analyzation from the standpoint of performance? Usually these groups will have devices that will be able to stress your infrastructure.

    At a previous job, we were having latency issues, so we hooked up some avalanche/reflectors from http://www.spirentcom.com/ to test.

    If your company is as big as you imply, your network group should have these types of tools already available.
    Tachyon

    |-----|Alcohol is my anti-drug |-----|

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Condolences mate!

    I sort of know how you feel................. I am a cheap bastard, so I was kinda looking for a cheap route?

    All I can suggest is that you would do what I have done when doing stress testing. Go to a reputable outside pen testing outfit, and get them to do it. IMO to do it properly you need to produce the real traffic of several thousand compromised PCs?

    Once again, a nice CYA strategy?

    and our gov't can't do anything about it.
    Have you tried the power of the media?.............. it is surprising what they will do for a three Martini lunch and a good story that knocks the powers that be...................


    but my higher ups have still requested that I "prove" it works and the only way to do that is to attack my own company.
    Yep, again, a not unfamiliar scenario. You must educate them that "might is right" when it comes to DoS. It is all down to resources in the end?

    Good luck with your project BTW

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Posts
    372
    stress testing isn't the same as DDoS. I can do a stress test to cover the legit traffic to port 80... but they won't do ICMP floods, SYN flood, UDP flood, etc etc. So I have only covered one of the bases. The other thing I have to do is an attack /while/ our application is running to make sure that legit traffic is not stopped... a stress test can't do that as I would be sending a lot of non legit traffic while doing the stress test.

    We are a 5 billion dollar company, so I like to think we are pretty big. In our market space we are the 800 lbs gorilla.


    Thanks Nihil, this has certainly been the most challenging job of my career. I may look into a third party doing it, but since they have already put out a small fortune for this product I'm not sure I can revisit the well for more money. While my company doesn't mind spending the cash when needed, they don't like people to keep coming back and asking for more.

    Give a man a match and he will be warm for a while, light him on fire and he will be warm for the rest of his life.

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi Lv4,

    My comments on the stress test weren't that you need to do one............. hey, that would be a bit late, given that you have your systems up and running and all?

    What I was thinking was that an outfit who did serious stress testing might be able to do a DoS test for you? OK, you would have to give them the rules, but they would hopefully have the infrastructure.

    The problem is that you need one hell of a lot of resource to do the "live" testing your guys seem to envisage? This is going to cost money whichever way you decide to do it, and you have already mentioned that you (quite rightly) don't want to spend money on redundant hardware.

    My thinking was that whilst the software for DoS attacks isn't going to be an issue, getting sufficient hardware resource for a full blown real time attack certainly will be?

    With normal stress testing I have always relied on a certain amount of physical testing, and then statistical extrapolations or modelling software.

    I guess this is the kind of approach the Cisco tools take?

    I would be inclined to dig out the original project plan, and see where this testing was included in the specifications and budget

    From what I can see, this is a classic case of project scope creep
    Last edited by nihil; April 1st, 2008 at 02:45 PM.
