090602_BreakingPoint_Simulating_Distributed_Denial

SimulatingDistributedDenialofServicewithBreakingPointApril30,2009DustinD.Trammelldtrammell@breakingpoint.comToddManningtmanning@breakingpoint.comBreakingPointLabs(tcl.lib)26CTCLScript:3.3.127DTCLScript:TCP-129ETCLScript:DNS-231ListofFigures2.1ImportTestMenu......................................53.1NetworkNeighborhood...................................83.2NetworkNeighborhood:NewDomain...........................93.3NetworkNeighborhood:SourceAddresses.........................93.4NetworkNeighborhood:TargetAddress..........................103.5HostConfiguration:Target.................................103.6HostConfiguration:Server.................................113.7Test:Interfaces.......................................113.8RateSettings........................................123.9SameDestinationBlendedTrafficAppProfile.......................133.10TestApplicationProfileSetting...............................143.11AppSimComponentInterfaces...............................143.12DataRateParameters....................................153Chapter1ForewordThispaperandtheaccompanyingtestcasesareintendedtoillustratehowtheBreakingPointproductscanbeusedtosimulateDistributedDenial-of-Service1(DDoS)attacksusingsomeoftheproduct’svariouscomponents.Thetestcasesprovidedforthescenariosdescribedhereinaremeanttobeprovidedasexamplematerialandfurthertailoredtosuittheuser’sspecificneeds.Notethattheaccompanyingtestcasesweredevel-opedfortheBreakingPointEliteproduct.Assuch,importanduseofthesetestswiththeBreakingPointApplianceproducts(BPS1KandBPS10k)isnotlikelytobecompatible.ItisalsoimportanttonotethatwhenmodelingDDoSattacks,largenumbersofindividualhostsareinvolvedaswellaslargenumbersofrepetitivenetworkpacketsorprotocolsequences.WhiletheAppSimcomponent’sUserInterfaceiswell-suitedforcreationofnormaltrafficscenarios,duetothetimeinvolvedinmanuallyconfiguringDDoSscenarioswiththeselargenumbersofhostsandAppSimactionsfromwithintheAppSimcomponentUserInterface,manyofthetestcasesprovidedwerecreatedbyutilizingTCLscriptingwithintheBreakingPointTCLcommandinterface.Individualtestcasesthathavebeencreatedthiswaywillbeaccompaniedbythescriptthatcreatedthem,andageneralintroductiontoBreakingPointTCLscriptingcanbefoundinAppendixA.1ADistributedDenial-of-Serviceattackoccurswhenalargecollectionofmultiplenetworkedsystemsfloodthebandwidthorresourcesofatargetedsystemwithindividuallysmallorinsignificantpacketsornetworksessions.[1]Whenaggregated,theresultanttrafficoverwhelmsthetarget.4Chapter2BreakingPointSystemPreparationAccompanyingthisdocumentareanumberofadditionalfiles.Allofthefilesfoundwithinthe“test-cases”sub-directoryendingwiththe“.bpt”extensionareBreakingPointTestfilessuitableforimportintoyourBreakingPointElitesystem.Thesefilesshouldbeimportedviathe“ImportTest”menuoption(Figure2.1).ImportingthesefileswillsetupthevariousNetworkNeighborhoods,SuperFlows,AppProfiles,andTestswhichaccompanytheattackscenariospresentedthroughoutthisdocument.ItisexpectedthatthereaderinspecteachtestcaseintheBreakingPointproductwhilereadingtherelatedsectionaboutitsassociatedattackscenariotoachievefullcomprehensionofthescenariodiscussedandhowthetestcaseaccomplishessimulationofsuch.Figure2.1:ImportTestMenuAlsoaccompanyingthisdocumentarefilesinthe“bps-user-files”sub-directory.ThesefilesshouldbeuploadedtoyourBreakingPointElitesystemforusebythevariousAppSimSuperFlows.ThiscanbeaccomplishedbybrowsingtothefollowingURLonyourBreakingPointSystem’swebinterface:“bps”intheURLabovewithyoursystem’shostnameornetworkaddress.Chapter3ConfiguringtheNetworkNeighborhoodUnlikenormalnetworktraffic,DDoStraffichassomeuniqueandsignificantproperties.ThegeneraltrafficprofileofaDDoSconsistsofanarbitrarilylargenumb