22

The idea behind security tests is easy. You want to know what a hacker can do - you hire a security expert who acts like a hacker to see how far he can get. You want to know what an evil admin can do - your security expert gets admin privileges and does his job that way.

I am aware that there are other and maybe better ways to perform an audit, but these are common approaches that work. Unfortunately, it gets difficult when the threat is not a single person or a team of hackers, but a distributed bot-network that spams you with more or less intelligent requests. How can you test such a scenario? Let's say I have my infrastructure ready and I am confident that my systems can withstand a certain amount of pressure from a DDoS attack. Now I want to verify my expectations and perform a DDoS test from the Internet.

Where can I legally get a DDoS simulator? I do not want to buy resources from an illegal bot-net and I only want to work with experts in this field. Are there companies who perform such tests for you, or can you at least rent systems that are powerful enough to simulate a DDoS attack? I am aware of the legal issues, like informing all involved parties such as providers and the like - this question is focused on how such a test can be performed. I am also not looking for a list of companies that can do that; I am interested in what is state of the art in this field and which services are available on the market.

AviD
Demento
  • How come no one mentioned [LOIC](http://sourceforge.net/projects/loic/)? – zogby Mar 27 '14 at 10:52
  • You can also try comsec and their comsimulator: they can generate a DDoS with the sizing you like ;) – Reg May 02 '14 at 12:05
  • I've used two different applications to stress test web applications that I've built: [Apache Bench](https://httpd.apache.org/docs/2.0/programs/ab.html) and [Siege](http://www.joedog.org/index/siege-home). They may or may not be enough to test your network pipe against a large DDoS, but running these on a few different outside boxes could get you in the ballpark. – Peter Anselmo Oct 12 '11 at 19:37
  • [blitz.io](http://blitz.io/) are one of the companies to offer this service, though it seems to be mostly web based load testing. I believe they use [Amazon Web Services](http://aws.amazon.com/) to achieve the high load they require. – Andy Smith Oct 12 '11 at 15:22
  • You could try something like [Bees with machine guns](https://github.com/newsapps/beeswithmachineguns "Bees with machine guns") which spins up lots of EC2 instances to attack / load test a target. Obviously only use this against sites you own or have permission to target, otherwise Amazon will likely lock you out of your account. – rjmackay Oct 12 '11 at 20:09
  • If you're looking for a professional service who can do this for you, take a look at RedWolf Security - http://www.redwolfsecurity.com/#!ddos_testing/cqd6 I've heard good things about their service, although I haven't used it, and I don't work for them. – monkeymagic Apr 23 '14 at 21:22
  • In my experience I've come across the [Low Orbit Ion Cannon](http://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon). It is a common tool for DDoS attacks. It is open source now, I believe. – Jake B Apr 23 '14 at 17:01

5 Answers

17

I think you seek the use of a packet generator and a corresponding number of systems generating packets to match the load you seek. Use random valid IP addresses for the packet source addresses and you should find yourself quite annoyed when it comes time to filter.

You can do all of that without ever sending a bit across your ISP's link. If you get DDOS'd in such a way that bandwidth is maxed out rather than services, then your ISP will need to choke off the traffic prior to it reaching your link.

Jeff Ferland
  • Just to remember: in case the ISP chokes the traffic, the (D)DoS attack is successful in the sense that it rendered your server unreachable, even if it WOULD HAVE handled the additional traffic. – Marcel Mar 27 '14 at 12:02
3

You are not looking for companies that can do it, but are interested in which services are available? Can you clarify?

What you are really asking for is load testing in this particular case. How many users (accessing as much as possible) can the servers withstand? At what threshold does it all crap out? Basically you start at a small number of "users" and increment until the site gives up.

Whenever we run tests like this we use Visual Studio load testing agents hosted in Amazon, which gives us a pretty good idea of how the systems will respond. There are of course many alternatives to Visual Studio -- it's just what we use.

Steve
  • +1: Thanks for the term load testing, that describes it pretty well. Concerning your question - I am asking for answers like "companies offer load tests that can generate enough requests to stress your firewall out" and not "ask company XYZ, they can make you an offer". I want to avoid answers that are only written to promote a company, to keep the quality high. – Demento Oct 12 '11 at 15:39
  • I think it's called *stress testing* not *load testing*. As far as I've read, *load testing* is testing under fairly normal load, but stress testing is when you max out your machines. – KajMagnus May 01 '12 at 22:39
2

I've done load testing on VoIP apps, including simulating DDoS, without ever passing any traffic outside the test lab.

Another answer mentions packet generators. You can buy or rent equipment to do this (e.g. SmartBits), or you can write code to generate the traffic you need. A poor man's web load tester is as simple as a Linux box (or a handful of them) with a bunch of different network interfaces configured (to simulate multiple traffic sources) and several curl (or other) scripts to hit your web app. You can get as sophisticated as you want -- your packet generator could be a multithreaded app emitting raw packets (see libnet) to vary the sources and types of packets. Add load by adding boxes (or, if your boxes are bandwidth-bound instead of CPU-bound, add a NIC).

bstpierre
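Steve's answer describes stepping the number of simulated users upward until the site gives up, and bstpierre's describes a poor man's load tester built from a few scripts. What follows is an added example, not code from either answer or from anyone in the thread: a small Python harness that performs that stepped ramp against a throwaway HTTP server it starts itself on loopback, so it runs offline. The step sizes, requests per step, and the pass/fail thresholds (assumed SLO: at most 5% errors and p95 latency under one second) are all assumptions; to exercise a real deployment, point `run_ramp()` at a staging host you own and raise the step sizes.

```python
"""Stepped load test: ramp the number of concurrent users until the target's
error rate or tail latency crosses a threshold.

Added example, not code from the original thread.  It starts a throwaway HTTP
server on loopback so the whole thing runs offline; to exercise a real system,
pass run_ramp() the URL of a staging host you own and raise the step sizes.
"""
import threading
import time
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class _OkHandler(BaseHTTPRequestHandler):
    """Stand-in for the application under test: always answers 200 'ok'."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the run quiet
        pass


def start_local_server():
    """Bind the stand-in server to a free loopback port; return (server, url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), _OkHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def one_request(url, timeout=2.0):
    """Issue a single GET; return (succeeded, elapsed_seconds)."""
    start = time.perf_counter()
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            ok = resp.status == 200 and resp.read() is not None
    except Exception:  # timeouts, refused connections and 5xx all count as failures
        ok = False
    return ok, time.perf_counter() - start


def run_step(url, users, requests_per_user):
    """Run one load step with `users` concurrent workers; summarise the outcome."""
    with ThreadPoolExecutor(max_workers=users) as pool:
        results = list(pool.map(lambda _: one_request(url),
                                range(users * requests_per_user)))
    latencies = sorted(lat for ok, lat in results if ok)
    errors = sum(1 for ok, _ in results if not ok)
    # p95 over successful requests; if nothing succeeded the step has failed.
    p95 = latencies[int(0.95 * (len(latencies) - 1))] if latencies else float("inf")
    return {"users": users, "requests": len(results),
            "error_rate": errors / len(results), "p95_s": p95}


def run_ramp(url, steps=(1, 2, 4, 8), requests_per_user=5,
             max_error_rate=0.05, max_p95_s=1.0):
    """Increase concurrency step by step; stop at the first step that breaks the SLO.

    Returns the per-step reports; the last one carries verdict 'gave up' when the
    assumed thresholds (<= 5% errors, p95 under 1 s) were exceeded.
    """
    report = []
    for users in steps:
        step = run_step(url, users, requests_per_user)
        step["verdict"] = ("gave up" if step["error_rate"] > max_error_rate
                           or step["p95_s"] > max_p95_s else "ok")
        report.append(step)
        if step["verdict"] == "gave up":
            break
    return report


if __name__ == "__main__":
    server, url = start_local_server()
    try:
        for step in run_ramp(url):
            print(f"{step['users']:>3} users  errors={step['error_rate']:.1%}  "
                  f"p95={step['p95_s'] * 1000:.1f} ms  {step['verdict']}")
    finally:
        server.shutdown()
```

Against the built-in stand-in server every step passes, which is the point of the dry run: it validates the harness before you spend money on agents. Against a real staging host the report tells you at which step errors or tail latency first exceed the thresholds, and that step is the capacity figure the question wants to verify.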
1

There are two different types of DDoS protection strategies, and each responds differently to different types of loads. So you need to make your test realistic for the type of traffic you wish to guard against.

**Overwhelming capacity**
One defense mechanism is to simply have more capacity than your attacker. This is very simple and very robust, but also very expensive. To test this type of system, you can just use any old load generator since you're just testing the ability of your servers to withstand heavy traffic loads.

**Identify and drop**
Another popular mechanism is to identify DDoS traffic and prevent it from reaching your servers. This is easier, cheaper, and significantly more fragile than the above. Testing in this case means testing both the amount of traffic that can be examined and dropped, and also the quality of the examination techniques. To test this, you need to find some real DDoS software to test against (Google "Gootkit ddos system", for example, to find some code). Then rent a few dozen virtual servers for a while from various cloud providers and run your attack. The more DDoS systems you test against, the better you can trust your prevention measures.

tylerl
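tylerl's "identify and drop" case says the test has to measure the quality of the examination technique, and Jeff Ferland's answer warns that a flood using random valid source addresses is what makes filtering annoying. The following is an added example, not code from either answer or from the thread, that puts those two points together: a per-source token-bucket limiter is replayed over constructed traffic (a legitimate background load plus a flood of the same total rate, once concentrated on a few sources and once spread thinly over many), and the harness reports how much of the flood was dropped, how much legitimate traffic was dropped by mistake, and the peak aggregate request rate. The traffic mix, the rate/burst policy and the two flood shapes are assumptions, and the harness is the part to keep; swap in your own filter logic for `TokenBucketFilter`.

```python
"""Test harness for an 'identify and drop' filter: constructed legitimate traffic
plus a constructed flood are pushed through a per-source token-bucket limiter,
and the harness reports how much of the flood was dropped, how much legitimate
traffic was dropped by mistake, and the peak aggregate request rate.

Added example, not code from the original thread.  The traffic mix, the
rate/burst policy and the two flood shapes are all assumptions.
"""
import random
from collections import Counter, defaultdict

RATE_PER_SEC = 5.0   # assumed policy: tokens refilled per second, per source
BURST = 10           # assumed policy: bucket capacity, per source


class TokenBucketFilter:
    """Per-source token bucket: a request passes if its source still has a token."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = defaultdict(lambda: burst)
        self.last_seen = {}

    def allow(self, src, ts):
        # Refill in proportion to elapsed time, capped at the bucket size.
        elapsed = ts - self.last_seen.get(src, ts)
        self.tokens[src] = min(self.burst, self.tokens[src] + elapsed * self.rate)
        self.last_seen[src] = ts
        if self.tokens[src] >= 1.0:
            self.tokens[src] -= 1.0
            return True
        return False


def legit_traffic(n_clients, seconds, rps_each, rng):
    """Constructed background load: n_clients, each a Poisson stream of rps_each."""
    events = []
    for c in range(n_clients):
        src, t = f"client-{c}", 0.0
        while True:
            t += rng.expovariate(rps_each)
            if t >= seconds:
                break
            events.append((t, src, "legit"))
    return events


def flood_traffic(n_sources, seconds, total_rps, rng):
    """Constructed flood: total_rps requests/sec spread uniformly over n_sources.

    Few sources models a concentrated flood; many sources models the 'random
    valid source addresses' case where each address sends only a few requests.
    """
    events, t = [], 0.0
    while True:
        t += rng.expovariate(total_rps)
        if t >= seconds:
            break
        events.append((t, f"flood-{rng.randrange(n_sources)}", "flood"))
    return events


def evaluate(events, flt):
    """Replay events in time order; return drop shares per class and peak rps."""
    dropped, total = Counter(), Counter()
    for ts, src, kind in sorted(events):
        total[kind] += 1
        if not flt.allow(src, ts):
            dropped[kind] += 1
    per_second = Counter(int(ts) for ts, _, _ in events)
    return {"flood_dropped": dropped["flood"] / total["flood"],
            "legit_dropped": dropped["legit"] / total["legit"],
            "peak_rps": max(per_second.values())}


def run_scenario(flood_sources, seconds=30, seed=1):
    """200 legitimate clients at 1 rps each plus a 2000 rps flood from flood_sources."""
    rng = random.Random(seed)
    events = (legit_traffic(200, seconds, 1.0, rng)
              + flood_traffic(flood_sources, seconds, 2000.0, rng))
    return evaluate(events, TokenBucketFilter(RATE_PER_SEC, BURST))


if __name__ == "__main__":
    for label, sources in (("concentrated (20 sources)", 20),
                           ("spread (60000 sources)", 60000)):
        r = run_scenario(sources)
        print(f"{label:28} flood dropped={r['flood_dropped']:.0%}  "
              f"legit dropped={r['legit_dropped']:.1%}  peak={r['peak_rps']} rps")
```

Running both scenarios shows the fragility tylerl mentions: the concentrated flood is almost entirely dropped with no collateral damage, while the spread flood at the same total rate sails through a per-source limiter because no single source ever exhausts its bucket. The aggregate figure is what still reveals it, which is why the test has to include that traffic shape and why, as Jeff Ferland's answer says, a bandwidth-saturating flood has to be choked upstream rather than at your own filter.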
1

Quite a few of the ISPs offer this as part of their load testing capability. The DDoS protection companies also tend to provide load testing as a service.

Rory Alsop