02-18-2010 02:05 AM
My customer requested a demo of how the ServerIron can protect real servers when a DoS attack happens, as this is one of the strong selling points of the ServerIron. I have something in mind to prove it and would like more advice.
client PC ------------web request------------------------->
PC with DoS attack ------------generate DoS attack----------->ServerIron 1000 -------------------------> real server (hosted web service)
(ServerIron drops the DoS packets)
1. Is this a proper way to test the DoS functionality of the ServerIron 1000?
2. Any recommended software that can generate DoS attacks?
Thanks in advance to those who advise me.
02-26-2010 06:08 PM
In the absence of a more formal denial of service (DoS) test tool (i.e. Avalanche, etc.), the best way to test prevention of DoS attacks is to have multiple hosts running various attacks, but also several hosts running legitimate traffic – note that VMware (ESXi) or Xen works very well for this type of setup. It is always best to use a combination of attacks as well as different types of ‘real’ traffic, as this will give you a more accurate test than just firing a single attack at the ServerIron.
There are a number of open source tools available to simulate DoS attacks and I’d recommend a couple of the following:
- Various attacks available at Packet Storm Security (http://packetstormsecurity.org/DoS/); this site offers a number of different types, from SYN attacks (juno.c is a particularly nasty one) to buffer overflows against specific OSs, to ICMP attacks. Typically these will need to be compiled on the OS you are using, but this enables you to tweak things such as source/dest ports, TCP sequence numbers, etc.
- Nessus (http://www.nessus.org/nessus/); a nice all-around tool that is fairly easy to install and get up and running quickly.
I’d also recommend several traffic-generating tools to send legitimate traffic while you are running DoS attacks. Here are two that I use frequently:
- Microsoft Web Application Stress Tool
- Apache JMeter test tool
So for example, you might take the following steps:
1) Configure the ServerIron with several real servers and multiple VIPs
2) Set up a server with several VMs running Apache JMeter against the VIPs and record the sampling rates
3) Set up a separate server with several more VMs running a different DoS attack on each one and blast them at the ServerIron – you should see the connection table fill up and your legitimate traffic start to be affected (when running the SYN attacks)
4) Enable SYN protection and you should see your legitimate traffic return to normal
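The measurement side of steps 2 to 4 is the part that actually proves the point to a customer: a fixed-rate legitimate client that records success rate and latency, run once as a baseline, once while the attack hosts are active, and once more after SYN protection is enabled. The script below is an added example written for this thread, not code from the poster or from Brocade; it stands in for the JMeter samplers and assumes only a placeholder VIP URL (replace `VIP_URL` with the lab VIP). `degraded()` applies two constructed thresholds (a 5-point drop in success rate, or a p95 latency more than twice the baseline) to decide whether a run shows the protected service being affected.

```python
"""Legitimate-traffic sampler for a load-balancer DoS-protection demo.

Added example: not code from the post's author or from Brocade/ServerIron.
It plays the role of the JMeter probes in step 2: it polls a VIP at a steady
rate, records success rate and latency, and compares a baseline run with a
run taken while attacks are in progress (and again after SYN protection is on).
The VIP URL below is an assumed placeholder.
"""
import math
import sys
import time
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

VIP_URL = "http://vip.example.invalid/"  # placeholder (assumption): replace with the lab VIP


@dataclass
class Sample:
    ok: bool           # True if the request completed with a 2xx/3xx status
    latency_ms: float  # wall-clock time for the attempt (timeouts count the full wait)


def http_probe(url: str, timeout_s: float = 2.0) -> Sample:
    """One GET against the VIP. Any error or timeout is a failed sample."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout_s) as resp:
            ok = 200 <= resp.status < 400
    except Exception:  # DNS failure, refused, reset, timeout: all count as failures
        ok = False
    return Sample(ok, (time.perf_counter() - start) * 1000.0)


def run_sampler(probe: Callable[[], Sample], duration_s: float, interval_s: float) -> List[Sample]:
    """Call probe() every interval_s for duration_s seconds (a steady, fixed-rate client)."""
    samples: List[Sample] = []
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        t0 = time.monotonic()
        samples.append(probe())
        time.sleep(max(0.0, interval_s - (time.monotonic() - t0)))
    return samples


def percentile(values: List[float], p: float) -> float:
    """Nearest-rank percentile (p in 0..1) over a non-empty list."""
    s = sorted(values)
    k = max(0, math.ceil(p * len(s)) - 1)
    return s[k]


def summarize(samples: List[Sample]) -> Dict[str, Optional[float]]:
    """Success rate over all samples; latency percentiles over successful ones only."""
    if not samples:
        return {"count": 0, "success_rate": 0.0, "p50_ms": None, "p95_ms": None}
    ok_lat = [s.latency_ms for s in samples if s.ok]
    return {
        "count": len(samples),
        "success_rate": len(ok_lat) / len(samples),
        "p50_ms": percentile(ok_lat, 0.50) if ok_lat else None,
        "p95_ms": percentile(ok_lat, 0.95) if ok_lat else None,
    }


def degraded(baseline: Dict, current: Dict,
             max_success_drop: float = 0.05, max_latency_factor: float = 2.0) -> bool:
    """True when the current run lost more than max_success_drop of its success rate,
    or its p95 latency grew by more than max_latency_factor versus the baseline.
    Thresholds are constructed for this example; tune them to the lab's SLA."""
    if current["success_rate"] < baseline["success_rate"] - max_success_drop:
        return True
    if baseline["p95_ms"] is None:
        return False  # no healthy baseline to compare latency against
    if current["p95_ms"] is None:
        return True   # nothing succeeded in the current run
    return current["p95_ms"] > baseline["p95_ms"] * max_latency_factor


if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else VIP_URL
    # Run once per phase: baseline, during the attack, after enabling SYN protection,
    # then feed the saved summaries to degraded() to show the before/after difference.
    print(summarize(run_sampler(lambda: http_probe(url), duration_s=10.0, interval_s=0.5)))
```

Latency percentiles are taken over successful requests only, so a run where half the requests time out still reports the latency of the half that got through; the success-rate check is what catches the connection-table exhaustion the post describes, and the p95 check catches the softer case where requests still complete but slowly.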
Other options might be to try several types of ACLs while running attacks or attempt specific exploits against the ServerIron (ssh, telnet, web, snmp, etc) with these services enabled, then disabled or protected via ACLs and record the results.
ADP System Engineer (New England & Canada Regions)