Denial of Service (DOS) Testing Sample Test Plans - Ixia

Test Case 2: VoIP andTCP SYN Attacks Copyright © Ixia, 2005ObjectiveThis test case will observe what happens ina VoIP environment when a series of SYNattacks are directed at a host. It will showhow VoIP connections can be sabotagedwhen the DUT is not configured correctly.MethodologyA communication channel will be set upbetween two sets of Performance Endpoints,creating several VoIP conversations. A TCPSYN attack will be launched against one ofthe endpoints from a third location. The DUTwill initially allow the attack to proceed. Inthe second iteration, the DUT will be trainedto disallow any TCP connection attemptsfrom the third party location.Figure 1 will be used to model theattack. The VoIP conversations will existbetween the 172.176.25/24 and the192.168.10/24 networks. Another networkwill be superimposed on the same physicalconnection as the 172.176.25/24 network,utilizing an address from the 123.227.25/24network.Note that IxApplifier will be used to installan address range of 172.176.25.101 to172.176.25.120 on the public side of theDUT, and address range of 192.168.10.101to 192.168.10.120 on the private side. Also,the third party address of 123.127.25.100will be installed on the external port. It willtarget address 192.168.10.101 on theinternal port, using the DUT as a gateway ataddress 123.227.25.1.1. Set up VoIP pairs between internaland external clients. The VoIP traffic willtravel in both directions; that is, half of theconnections will have Endpoint 1 on theprivate side of the DUT, and half will haveEndpoint 1 on the public side. Set up a totalof 20 pairs. See the setup in Figure 5.. Ensure that the DUT rules enforcement isturned off.3. Set up the attacking port to use ahardware performance pair. Select theIPv4_Syn_Port80_74Bytes.str pattern. Makesure “Measure hardware performance pairstatistics” is left unchecked so that thevictim port (internal port) responds to theattack. Finally, override the stream line rateand set up a very low rate of attack. You mayhave to experiment a bit with this number. Agood starting point is 0.01%. The objectiveis to slowly overwhelm the victim port as thetest is underway.4. Set the run time for 1 minute, and runthe test. You should see the MOS scoresregistering an almost perfect performanceup to the point that the victim processorgets overwhelmed with TCP requests. At thatpoint, the MOS scores will cease to exist,indicating that no more data is coming infrom the victim port.5. If the target port did not crash, go back tostep 3 and adjust the stream line rate higher.You should not have to go any higher than5% to see the detrimental results of a TCPSYN attack.6. Turn on DUT rule enforcement. Thereare several things that can be done to theDUT, depending on the sophistication of thefiltering required. If the DUT terminates andproxies TCP connections, then you couldturn on TCP SYN-Cookies to stop the effectsof the SYN attack. The simplest method isto simply filter on the malicious address,123.227.25.100. This may not be practicalin the real world, but it can demonstrate theDUT’s ability to filter on undesirable sourceaddresses.7. Run the test again and ensure that theMOS scores stay at their near-perfect levelsthroughout the test.Denial of Service (DOS) Testing: Sample Test Plans