Worm attack generation tools
|
View:
New views
11 Messages
—
Rating Filter:
Alert me
|
 |
Worm attack generation tools
by miaomitiff119
::
Rate this Message:
Hi,:)
Does anyone know any tools which can be used to simulate attack traffic (especially traffic pattern of worm attacks)? It is for the purpose of testing IDSs. I've looked at PACKIT and Netcat, but they can't generate "simultaneous" connections which is required for generating worm spreading behaviour...(or are there any ways to use PACKIT or Netcat to generate simultaneous connections?) Many thanks!:) |
|
|
Re: Worm attack generation tools
by Joey Peloquin
::
Rate this Message:
miaomitiff119 wrote:
> Hi,:) > Does anyone know any tools which can be used to simulate attack traffic > (especially traffic pattern of worm attacks)? It is for the purpose of > testing IDSs. I've looked at PACKIT and Netcat, but they can't generate > "simultaneous" connections which is required for generating worm spreading > behaviour...(or are there any ways to use PACKIT or Netcat to generate > simultaneous connections?) > > Many thanks!:) Assuming you're wanting to test detections versus connections per second, you might try Tomahawk. We used it for testing NIPS, but I don't see why you couldn't use it for IDS as well. http://tomahawk.sourceforge.net/ It's been discussed on this list before, ad nauseam, but keep in mind, ICSALabs rewrote most of the code for their certification program (v1.1), so it shouldn't be considered a TippingPoint-leaning tool, as it has in the past. -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
Re: Worm attack generation tools
by Stefano Zanero
::
Rate this Message:
miaomitiff119 wrote:
> Hi,:) > Does anyone know any tools which can be used to simulate attack traffic > (especially traffic pattern of worm attacks)? With the usual caveats on the uselessness of running IDS evaluations without fully planning them: http://blackhat.com/presentations/bh-federal-06/BH-Fed-06-Zanero.pdf Here is the tool you probably want: http://portal.acm.org/citation.cfm?coll=GUIDE&dl=GUIDE&id=1028799 Best, Stefano Zaner ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
RE: Worm attack generation tools
by Robert D. Holtz - Lists
::
Rate this Message:
Use the worms themselves if you're testing IDS/IPS systems.
Just isolate them and setup a test system that you infect with the worms. Use this system to pound away at the IDS. If you need more systems you can always throw VMWare onto your test system and create them virtually. Nothing better to test with than the real thing! -----Original Message----- From: Joey Peloquin [mailto:joeyp@...] Sent: Friday, August 18, 2006 7:50 AM To: miaomitiff119 Cc: focus-ids@... Subject: Re: Worm attack generation tools miaomitiff119 wrote: > Hi,:) > Does anyone know any tools which can be used to simulate attack traffic > (especially traffic pattern of worm attacks)? It is for the purpose of > testing IDSs. I've looked at PACKIT and Netcat, but they can't generate > "simultaneous" connections which is required for generating worm spreading > behaviour...(or are there any ways to use PACKIT or Netcat to generate > simultaneous connections?) > > Many thanks!:) Assuming you're wanting to test detections versus connections per second, you might try Tomahawk. We used it for testing NIPS, but I don't see why you couldn't use it for IDS as well. http://tomahawk.sourceforge.net/ It's been discussed on this list before, ad nauseam, but keep in mind, ICSALabs rewrote most of the code for their certification program (v1.1), so it shouldn't be considered a TippingPoint-leaning tool, as it has in the past. -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
Re: Worm attack generation tools
by Joey Peloquin
::
Rate this Message:
Robert D. Holtz wrote:
> Use the worms themselves if you're testing IDS/IPS systems. > > Just isolate them and setup a test system that you infect with the worms. > Use this system to pound away at the IDS. > > If you need more systems you can always throw VMWare onto your test system > and create them virtually. > > Nothing better to test with than the real thing! Excellent idea, Robert! The only problem is scalability, which you already hinted at. It'd take a lot of VMs to generate the kind of traffic I'm looking for ;) -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
RE: Worm attack generation tools
by Robert D. Holtz - Lists
::
Rate this Message:
You would be surprised at what one infected machine can crank out.
I've seen two mediocre machines cripple a four T1 MLPPP bundle. I've done time at a CLEC and one of our most common problems was folks insisting there internet connection was down when it was actually an infected machine on their internal LAN going nuts. I could watch the traffic once it entered into the core and was able to see that it was trash. What type of bandwidth are you trying to throw at these things? I would assume that the IDS system is "mainly" watching ingress traffic from the internet which for the most part won't be too high due to the cost of this type of access. This assumption goes out the window if you have IDS systems separating departments, business units, etc. Then you're talking LAN speeds. -----Original Message----- From: Joey Peloquin [mailto:joeyp@...] Sent: Friday, August 18, 2006 9:20 PM To: Robert D. Holtz Cc: 'miaomitiff119'; focus-ids@... Subject: Re: Worm attack generation tools Robert D. Holtz wrote: > Use the worms themselves if you're testing IDS/IPS systems. > > Just isolate them and setup a test system that you infect with the worms. > Use this system to pound away at the IDS. > > If you need more systems you can always throw VMWare onto your test system > and create them virtually. > > Nothing better to test with than the real thing! Excellent idea, Robert! The only problem is scalability, which you already hinted at. It'd take a lot of VMs to generate the kind of traffic I'm looking for ;) -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
Re: Worm attack generation tools
by Joey Peloquin
::
Rate this Message:
Robert D. Holtz wrote:
> You would be surprised at what one infected machine can crank out. > > I've seen two mediocre machines cripple a four T1 MLPPP bundle. I've done > time at a CLEC and one of our most common problems was folks insisting there > internet connection was down when it was actually an infected machine on > their internal LAN going nuts. I could watch the traffic once it entered > into the core and was able to see that it was trash. > > What type of bandwidth are you trying to throw at these things? > > I would assume that the IDS system is "mainly" watching ingress traffic from > the internet which for the most part won't be too high due to the cost of > this type of access. > > This assumption goes out the window if you have IDS systems separating > departments, business units, etc. Then you're talking LAN speeds. Department segregation within the LAN is exactly what I'm talking about, though I can't speak for the OP. Ingress worm traffic does virtually nothing to us, because it's usually the same 'ole vectors, 135, 139 or 445, which have been blocked, filtered, or otherwise denied (perimeter routers, before the traffic even gets to our IPS) from the Internet for many moons. Still, I like your style, and wish I would have thought of throwing "real" worm traffic at my boxes. Cheers, -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
RE: Worm attack generation tools
by Robert D. Holtz - Lists
::
Rate this Message:
Good luck on your quest.
These types of experiments are always fun learning experiences! Great scientific discoveries aren't followed by "Eureka!" ... it's more like "that's funny". -----Original Message----- From: Joey Peloquin [mailto:joeyp@...] Sent: Saturday, August 19, 2006 9:39 AM To: Robert D. Holtz Cc: 'miaomitiff119'; focus-ids@... Subject: Re: Worm attack generation tools Robert D. Holtz wrote: > You would be surprised at what one infected machine can crank out. > > I've seen two mediocre machines cripple a four T1 MLPPP bundle. I've done > time at a CLEC and one of our most common problems was folks insisting there > internet connection was down when it was actually an infected machine on > their internal LAN going nuts. I could watch the traffic once it entered > into the core and was able to see that it was trash. > > What type of bandwidth are you trying to throw at these things? > > I would assume that the IDS system is "mainly" watching ingress traffic from > the internet which for the most part won't be too high due to the cost of > this type of access. > > This assumption goes out the window if you have IDS systems separating > departments, business units, etc. Then you're talking LAN speeds. Department segregation within the LAN is exactly what I'm talking about, though I can't speak for the OP. Ingress worm traffic does virtually nothing to us, because it's usually the same 'ole vectors, 135, 139 or 445, which have been blocked, filtered, or otherwise denied (perimeter routers, before the traffic even gets to our IPS) from the Internet for many moons. Still, I like your style, and wish I would have thought of throwing "real" worm traffic at my boxes. Cheers, -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
|
|
|
RE: Worm attack generation tools
by thaywood
::
Rate this Message:
You might want to take a look at Traffic IQ, there is a Pro and a Basic
version of the product and it designed to replay traffic both normal and threat to test inline network and security devices such as firewalls, IDS & IPS systems, evaluation software is available from our site at www.karalon.com we also have a Traffic IQ Gateway product which can be used to apply evasion techniques to traffic flowing through it. Best Tony -----Original Message----- From: Robert D. Holtz [mailto:robert.d.holtz@...] Sent: 19 August 2006 19:07 To: 'Joey Peloquin' Cc: 'miaomitiff119'; focus-ids@... Subject: RE: Worm attack generation tools Good luck on your quest. These types of experiments are always fun learning experiences! Great scientific discoveries aren't followed by "Eureka!" ... it's more like "that's funny". -----Original Message----- From: Joey Peloquin [mailto:joeyp@...] Sent: Saturday, August 19, 2006 9:39 AM To: Robert D. Holtz Cc: 'miaomitiff119'; focus-ids@... Subject: Re: Worm attack generation tools Robert D. Holtz wrote: > You would be surprised at what one infected machine can crank out. > > I've seen two mediocre machines cripple a four T1 MLPPP bundle. I've > done time at a CLEC and one of our most common problems was folks > insisting there > internet connection was down when it was actually an infected machine > on their internal LAN going nuts. I could watch the traffic once it > entered into the core and was able to see that it was trash. > > What type of bandwidth are you trying to throw at these things? > > I would assume that the IDS system is "mainly" watching ingress > traffic from > the internet which for the most part won't be too high due to the cost > of this type of access. > > This assumption goes out the window if you have IDS systems separating > departments, business units, etc. Then you're talking LAN speeds. Department segregation within the LAN is exactly what I'm talking about, though I can't speak for the OP. Ingress worm traffic does virtually nothing to us, because it's usually the same 'ole vectors, 135, 139 or 445, which have been blocked, filtered, or otherwise denied (perimeter routers, before the traffic even gets to our IPS) from the Internet for many moons. Still, I like your style, and wish I would have thought of throwing "real" worm traffic at my boxes. Cheers, -jp ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
|
|
Re: Worm attack generation tools
by dave-151
::
Rate this Message:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1 miaomitiff119 wrote: > Hi,:) Does anyone know any tools which can be used to simulate > attack traffic (especially traffic pattern of worm attacks)? It is > for the purpose of testing IDSs. I've looked at PACKIT and Netcat, > but they can't generate "simultaneous" connections which is > required for generating worm spreading behaviour...(or are there > any ways to use PACKIT or Netcat to generate simultaneous > connections?) > > Many thanks!:) We've been using Nematode to generate worms for us ... but we're not at the stage of releasing it as a commercial tool. What sort of features are you looking for here? - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org iD4DBQFE+D+wB8JNm+PA+iURAql2AJsH6xsL5l+NbsDRYe7OWQQT1CivkgCYuLq6 zyCW8E2qeS6EkMIctEgu/w== =oTzx -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------ |
| Free embeddable forum powered by Nabble | Forum Help |
