Denial of Service (DOS) Testing Sample Test Plans - Ixia

More documents

Recommendations

Info

A brief outline of theDoS attack typessupported in IxChariotIxChariot has the ability to produce severalcommon types of DoS attacks, as explainedbelow. Keep in mind that such attacksare created within Ixia-specific hardware,generated directly using Field ProgrammableGate Arrays (FPGA), and as such, thismalicious traffic can be generated in speedsranging from zero to the full wire speed ofthe interface.SYN AttackEvery TCP connection begins with asingle TCP SYN flag being sent from theclient host to a server. In response toreceiving such a flag, the server typicallyallocates resources and then sendsa TCP SYN-ACK packet back towardthe client host station. A SYN attackoverwhelms the victim computer witha rapid succession of SYN packets,causing it to over allocate resources andeither crash or wait for the allocatedresources to time out.Teardrop AttackFragmented packets that continuouslyoverlapping offsets are sent from aclient to a server. The server cannotreconstruct the original payload fromthe fragmented overlapping packets andeventually crashes.Ping AttackAn ICMP Ping Request is sent to aserver at a high rate, causing bandwidthproblems on the server’s network.Ping of Death (POD) AttackICMP Ping Requests are sent froma client to a server; however, eachpacket is a fragment of a complete PingRequest of extremely large size. Thismay cause the server to over allocateresources and crash.Unreachable Host AttackAn “ICMP Host Unreachable” messagemay be sent to a server that is already incommunication with another host. Thiswill likely cause the server to drop thatconnection. Test case examplesThree test cases are observed in thefollowing sections. These simple test casesshow how to set up IxChariot for testingthe performance of networks and specificdevices when being loaded with both DoSand standard application traffic.Figure 1 shows the setup that will beused for the test cases outlined below. Alladdresses used in the course of testingappear in this Figure, including both IPv4 andIPv6 addresses. Only two physical Ixia portsare used in this scenario. Copyright © Ixia, 2005Denial of Service (DOS) Testing: Sample Test Plans
Test Case 1: Ping Attackon Oracle TrafficObjectiveIn this test case, you will create a typicaltraffic pattern of Oracle traffic, operating overa known port. After measuring throughput,response time and transaction rates, youwill start a DoS Ping attack and compare theresults.Methodology1. Create an Oracle transaction as per thefollowing criteria:• Endpoint 1 and Endpoint 2 networkaddresses assigned as per your setup• Set up the “How does the Consoleknow Endpoint 1” address using the Ixiamanagement address, e.g.; 10.0.3.1.Similarly, set up a management addressfor the “How does Endpoint 1 knowEndpoint 2?” address, e.g.; 10.0.3.2• Use a sample script such as Oracle_AP_Tier2_Invoice_Mult_Dist.scr” scriptfor this pair.• Edit the script so that it usesTCP port 2321. Also, use minimumtransaction delays and unlimited senddata rate.• Replicate pairs n times according toyour traffic volume. In this case, the pairwas replicated 19 times so that thereare a total of 20 Oracle traffic flows inthis test.• Set the run time for 1 minute. Besure to choose the ‘Batch mode’ runoption.• In the resulting charts, you may wantto display a total rather than the resultsof each individual script.. Ensure that the DUT allows all traffic(rules not enforced) to pass through togenerate a set of baseline test results.3. Run the transaction and record resultsin the “No DoS/No DUT” column in table1 below. See Figure 2 for a typical resultsscreen.4. Now instruct the DUT to enforce its rules,and then re-run the transaction. Record theresults in the “No DoS/DUT” column in table1 below. This should tell you whether or notthe DUT is affecting traffic rates. Note thatthe DUT should be set up to defend againstthe DoS Ping attack, which will be used in asubsequent step.5. Now instruct the DUT to NOT enforce itsrules and insert a DoS attack. This particularattack should emanate from Endpoint 1 andtarget Endpoint 2.6. Depending on the capabilities of your DUTand the available network bandwidth, youmay want to override the stream line rate(e.g. 15%). Also, ensure that the “Measurehardware performance pair statistics”checkbox is in the UNCHECKED position.This will ensure that the target CPU (in thiscase, the Ixia CPU) handles the details of theincoming ICMP Ping requests. See Figure 3for a description of what this should look like.Run and record the results in the “DoS NoDUT” column of table 1. For a comparativelook at results with DoS and no DUT, seeFigure 4.7. Now enable the DUT and re-run thetransaction. Record the results in the “DoS /DUT” column in table 1 below.8. The completed table should give you agood comparative analysis of how well yourDUT can protect internal hosts from DoS Pingattacks. Copyright © Ixia, 2005Denial of Service (DOS) Testing: Sample Test Plans
Page 1 and 2: Denial of Service (DOS) TestingSamp
Page 3: Denial of Service (DOS) Testing: Sa
Page 7 and 8: Figure 3: Setting up for DoS Ping a
Page 9: Figure 5: VoIP setup Copyright © I

Denial of Service (DOS) Testing Sample Test Plans - Ixia

Create successful ePaper yourself

Delete template?

Save as template?