0 valutazioniIl 0% ha trovato utile questo documento (0 voti)
1K visualizzazioni20 pagine
Ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDoS attacks.
Ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDoS attacks.
Ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDoS attacks.
Procedural SQL injection SqlBit a new blind SQL injection exploiter Application Layer DDoS Simulator Update(november 2010): ddosim v0.2 has been released. You can find it at: https://sourceforge.net/projects/ddosim/. ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server). ddosim is written in C++ and runs on Linux. Its current functionalities include: HTTP DDoS with valid requests HTTP DDoS with invalid requests (similar to a DC++ attack) SMTP DDoS TCP connection flood on random port In order to simulate such an attack in a lab environment we need to setup a network like this:
Network configuration for DDOS simulation On the victim machine ddosim creates full TCP connections which are only simulated connections on the attacker side. There are a lot of options that make the tool quite flexible: Usage: ./ddosim -d IP Target IP address -p PORT Target port [-k NET] Source IP from class C network (ex. 10.4.4.0) [-i IFNAME] Output interface name [-c COUNT] Number of connections to establish [-w DELAY] Delay (in milliseconds) between SYN packets [-r TYPE] Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO [-t NRTHREADS] Number of threads to use when sending packets (default 1) [-n] Do not spoof source address (use local address) [-v] Verbose mode (slower) [-h] Print this help message Examples: 1. Establish 10 TCP connections from random IP addresses to www server and send invalid HTTP requests (similar to a DC++ based attack): ./ddosim -d 192.168.1.2 -p 80 -c 10 -r HTTP_INVALID -i eth0 2. Establish infinite connections from source network 10.4.4.0 to SMTP server and send EHLO requests: ./ddosim -d 192.168.1.2 -p 25 -k 10.4.4.0 -c 0 -r SMTP_EHLO -i eth0 3. Establish infinite connections at higher speed to www server and make HTTP valid requests: ./ddosim -d 192.168.1.2 -p 80 -c 0 -w 0 -t 10 -r HTTP_VALID -i eth0 4. Establish infinite TCP connections (without sending a Layer 7 request) from local address to a POP3 server: ./ddosim -d 192.168.1.2 -p 110 -c 0 -i eth0
More background info: Some of the hardest to mitigate distributed denial of service attacks are the ones targeting the application layer (in TCP/IP stack). They are difficult to stop because they look legitimate to classic firewalls which let them pass freely (for an example look here). The only way to stop this kind of attacks is deep packet inspection (layer 7 inspection) which means a lot of money/resources. In general, a DDoS attack is performed by an armie of bots (zombies) that simultaneously send attack packets to a victim server. If we talk about UDP packets (ex. targeting a DNS server), the attack is easier to implement because a zombie needs to send a single UDP packet (multiple times) to contribute to the attack. But in case of a TCP based attack, the zombie needs first to establish the full TCP 3-way handshake and then send the data packets (e.g. HTTP GET request). ddosim successfully simulates this attack scenario. If you have any questions regarding ddosim, please let me know. About these ads
Like 4 bloggers like this.
This entry was posted on March 3, 2009 at 12:14 pm and is filed under DDoS, Tools (StormSecurity) with tags DDoS, ddos flood, denial of service, simulation. You can follow any responses to this entry through the RSS 2.0 feed You can leave a response, or trackback from your own site. 54 Responses to Application Layer DDoS Simulator 1. hora de bloquear endereos IP por pas? - ISTF Says: August 14, 2009 at 2:04 pm [...] [...] Reply 2. Ravi Says: August 18, 2009 at 10:51 am I am encountering this error whilst executing this tool on FC 3 ./ddosim -d 99.99.20.65 -p 80 -c 0 -w 0 -t 10 -r HTTP_VALID -i eth1 ./ddosim: error while loading shared libraries: libnet.so.0: cannot open shared object file: No such file or directory Reply o stormsecurity Says: August 18, 2009 at 7:35 pm You should do an export LD_PRELOAD=libnet.so first. Reply 3. Ghafur Says: November 10, 2009 at 6:44 am Perhaps you can elaborate more on the export LD_PRELOAD=libnet.so. Is it a command or what? Maybe you could briefly write the step by step instructions in shell? Thank you. Reply o stormsecurity Says: November 20, 2009 at 3:29 pm export LD_PRELOAD=libnet.so is kind of a hack. The best method is to install the official package libnet0-dev which will provide you the correct libnet.so library. Reply 4. InfoSec Daily Episode 251 Android Exploit, Adobe, Pwnieexpress, DDoS Sim, CIS, IR & Certs Says: November 6, 2010 at 12:07 am [...] http://stormsecurity.wordpress.com/2009/03/03/application-layer-ddos- simulator/ DDoS Simulator is a tool that can be used in a laboratory environment to simulate a distributed [...] Reply 5. Kai Says: November 6, 2010 at 2:13 pm Hello, i cannot configure ddosim: > configure: error: libnet0 (dev) is required for this program but i have libnet and its headers installed: $ rpm -qf /lib/libnet.so.0 libnet-1.1.2.1-141.1.i586 $ rpm -qf /usr/include/libnet.h libnet-1.1.2.1-141.1.i586 libnet_1.0.2a-devel-1.0.2a-1.1.i586 my system is opensuse 11.3 possibly that libnet0 has another name in it. which files exactly needed for building ddosim? or how could i make any workaround for configure to make it think libnet0 is installed? Cheers Reply o stormsecurity Says: November 6, 2010 at 9:03 pm Hi, Maybe you have libnet1. It must be libnet0. Regards, Reply
Kai Says: November 6, 2010 at 9:10 pm there is no such package in opensuse: http://www.google.com/search?q=site:download.opensuse.org+libnet 0&ie=utf-8&oe=utf-8 http://packages.opensuse- community.org/index.jsp?searchTerm=libnet0 that`s why i think it just has another name (libnet_1.0.2a maybe?). could you please tell me exact list of files (libs, headers, etc) needed for ddosim to work? Cheers
stormsecurity Says: November 9, 2010 at 7:16 am Hi, I developed ddosim in Backtrack (Ubuntu 8.10 basically) and I have the following libnet packages installed: root@bt:~# dpkg -l | grep libnet0 ii libnet0 1.0.2a-7 library for the construction and handling of network packets (obsolete) ii libnet0-dev 1.0.2a-7 Development files for libnet0 (obsolete) Hope this helps, Adrian 6. Que tal simular um ataque DDoS para testar o seu WebLab? | Coruja de TI Says: November 8, 2010 at 11:02 am [...] DDOSIM simula uma srie de mquinas zombies com ips randmicos (o ip do host zombie muda) criando uma [...] Reply 7. DDOSIM v0.2 Says: November 9, 2010 at 8:48 pm [...] [...] Reply 8. andriy Says: November 11, 2010 at 4:02 pm Ubuntu 10.10 configure: error: libnet0 (dev) is required for this program. I have libnet1-dev installed, installing libnet0-dev(downloaded deb) conflicts. Also I need to keep libnet1-dev on my system. How to install ddosim now? Thanks Reply o stormsecurity Says: November 12, 2010 at 10:53 am Hi, Libnet0-dev is required for ddosim to work. Maybe it would be a good approach to install it in a (Debian based) virtual machine. Regards, Adrian Reply 9. Nikesh Says: November 15, 2010 at 9:21 am Oh boy, this is great tool, I will surely going to try it out Reply o stormsecurity Says: November 15, 2010 at 6:28 pm Please share your results with us. Reply 10. aaa Says: November 16, 2010 at 2:47 pm Can I compile with another version of libnet? Reply o stormsecurity Says: November 16, 2010 at 9:55 pm Sorry, Im afraid you cannot do that with the current version of ddosim. You need libnet0. Try apt-get install libnet0-dev. Reply 11. insecure DDOSIM Layer 7 DDoS Simulator Says: November 19, 2010 at 10:55 am [...] More Info : 1) DDOSIM at Sourceforge 2) Application Layer DDoS Simulator [...] Reply 12. Break The Security Says: December 8, 2010 at 8:09 am Great tool. Is there any tools for windows? Break The security Reply o stormsecurity Says: December 8, 2010 at 9:20 pm Thanks. I do not know a (free) similar tool for Windows If anyone knows, please share. Reply 13. DDOSIMLayer 7 DDoS Simulator | Kanoor Tech Says: December 22, 2010 at 12:12 pm [...] More Info : 1) DDOSIM at Sourceforge 2) Application Layer DDoS Simulator [...] Reply 14. inckie Says: December 22, 2010 at 6:58 pm Installing in Ubuntu 10.10 Install required packages: sudo apt-get install build-essential sudo apt-get install libpcap-dev wget http://mirrors.us.kernel.org/ubuntu//pool/universe/libn/libnet0/libnet0_1.0.2a- 7_amd64.deb sudo dpkg -i libnet0_1.0.2a-7_amd64.deb wget http://mirrors.us.kernel.org/ubuntu//pool/universe/libn/libnet0/libnet0- dev_1.0.2a-7_amd64.deb sudo dpkg -i libnet0-dev_1.0.2a-7_amd64.deb wget http://downloads.sourceforge.net/project/ddosim/ddosim-0.2.tar.gz tar xfv ddosim-0.2.tar.gz cd ddosim-0.2/ ./configure make sudo make install It should be updated to use libnet1 instead. then you could just say sudo apt-get install libnet1-dev Reply o stormsecurity Says: December 23, 2010 at 2:32 pm Thanks for posting these steps. However, the libnet0 package should not conflict with a previously existing libnet1. The system that I used for building and testing the application was a 32 bit machine with Backtrack (Ubuntu 8.10) and libnet0-dev. Reply o ubiqcx-mail Says: July 26, 2011 at 10:08 am nice tutorial works well in my BT5_x86 Reply 15. Muddassar Masood Says: December 24, 2010 at 6:07 am This is really an awesome tool, wish it could run out of lab environment to test application in real time environment, anyways thanks for addition. Reply o stormsecurity Says: December 24, 2010 at 7:48 am Running DDOSIM out of lab is not really possible because it simulates distributed (multiple source IPs) attacks using a connection-orented protocol (TCP) which needs at least the 3way handshake before sending any useful data. So the communication must be bidirectional. The packets (TCP SYN-ACK) sent by the server must reach the attacker (having random IP address). I do not think the simulation of a distributed DOS on a connection oriented protocol is possible outside lab environment. If anyone has other ideas, please share. Reply 16. DDOS Says: December 27, 2010 at 7:02 am so if we put the ip address of the victim server outside the lab like 221.223.224.225 on port 80, will it work then? Reply o stormsecurity Says: December 27, 2010 at 9:20 am No, it will NOT work. Simply because the packets sent by the target server will never reach the attacker (to complete the 3way handshake). Reply
DDOS Says: December 27, 2010 at 10:07 am So do you have any alternative for that?
stormsecurity Says: December 29, 2010 at 9:56 pm Nope. Dont think there is one 17. P.Vaishnavi Says: February 17, 2011 at 4:06 am How to include application level attacks in payload? I tried editing ddosim.cpp and compiling it, but it says In file included from ddosim.h:9, from ddosim.cpp:7: /usr/include/libnet.h:87:2: error: #error byte order has not been specified, youll In file included from ddosim.h:9, from ddosim.cpp:7: /usr/include/libnet.h:88: error: expected unqualified-id before string constant How to change the code to include payload? Reply o stormsecurity Says: February 18, 2011 at 12:42 pm What you can easily do right now is to modify the current payloads in senderThread.cpp and recompile ddosim. Custom payloads is a feature planned for the next release. Reply
P.Vaishnavi Says: March 17, 2011 at 4:22 am The payload is declared as u_char * it takes only 4 bytesi changed the type to char * in tcputils.cpp , tcputils.h , senderthread.cpp.it throws an errorhow to include payload of greater size ? 18. Moe Says: March 12, 2011 at 6:25 am Hi, Im doing a research on DoS and I wonder if this tool could help establish DoS case. I have the following questions: 1) can I run it on a single machine not connected to LAN (in other words, Does the machine that runs the DDosim has to be connected physically to other machine?) 2) suppose I run the tool, can I collect the results in order to graph them?? 3) Can I modify the code to get a specific scenario? Your response through this is highly appreciated Best Regards, Moe Reply o stormsecurity Says: March 12, 2011 at 11:15 am Hi Moe, 1. Yes, if your target server is on a virtual machine hosted on the same physical machine. Running ddosim against yourself (on localhost) I do not think is possible. 2. No, in this version of ddosim you cannot collect the results. You have just the statistics displayed periodically (number of connections established, reset, finished). Maybe in a future version I will implement the collection feature, thanks for suggestion. 3. Yes, you can modify the code to do whatever you want it to do. Cheers, Adrian Reply 19. Old man Says: May 17, 2011 at 5:47 pm With help from the previous comments I was able to compile on CentOS 5. Make gives me an error: ddosim.cpp: In function int main(int, char**): ddosim.cpp:58: error: libnet_host_lookup was not declared in this scope ddosim.cpp:184: error: libnet_host_lookup was not declared in this scope ddosim.cpp: In function u_long getLocalIp(const std::string&, std::string&): ddosim.cpp:292: error: libnet_open_link_interface was not declared in this scope ddosim.cpp:296: error: libnet_get_ipaddr was not declared in this scope ddosim.cpp: In function u_long resolveNameToIp(char*, std::string&): ddosim.cpp:316: error: libnet_name_resolve was not declared in this scope ddosim.cpp:317: error: LIBNET_ERR_FATAL was not declared in this scope ddosim.cpp:317: error: libnet_error was not declared in this scope make: *** [ddosim.o] Error 1 Anybody can help me? Thank you. Reply o stormsecurity Says: May 18, 2011 at 6:38 am You most probably do not have the development package for libnet0 installed. Reply 20. gatnjef Says: August 16, 2011 at 9:34 am Hi, thanks for writing a tool like this. However, I was wondering if you can use it against a host over the internet with the -n option (no spoofing). I tested it (against a machine under my control), but no ack is sent after synack is received and therefore the tool ends up performing a syn flood. Could you please comment on this? Many thanks. Reply o stormsecurity Says: August 19, 2011 at 7:43 am Hi, I tested this scenario and it works. Make sure you have connectivity / correct routing set. To create 10 connections to the target host without spoofing the source address you should use the following command: ./ddosim -d http://www.your_host.com -p 80 -i eth0 -c 10 -r HTTP_VALID -n -v You should receive a final status like this: Final results: TCP connections: 10 SYN_SENT, 10 ESTABLISHED, 0 RST, 0 FIN_WAIT_1 Cheers, Reply 21. sergey Says: December 24, 2011 at 4:54 pm please help me to configur and run ddosim on centos 5 Thank you Reply o stormsecurity Says: December 26, 2011 at 9:21 am Hi, I did not test ddosim on other Linux distributions. If you have the necessary libraries, it should compile and work smoothly. Cheers, Reply 22. Keshav Says: February 28, 2012 at 11:29 am I have a network environment thats pretty much similar to whats described here above except that the packets ddosim goes thro a switch to the server. All Im seeing is SYNs TCP connections: 180300 SYN_SENT, 0 ESTABLISHED, 0 RST, 0 FIN_WAIT_1. 6040 and wireshark says: Acknowledgement Number: Broken TCP. The acknowledgement field is nonzero while the ACK flag is not set. Not sure whats going on.. Has anyone seen this behavior? Reply 23. Keshav Says: February 28, 2012 at 11:34 am One thing I missed noting at February 28, 2012 at 11:29 am: I tested with HTTP_VALID, HTTP_INVALID and the plain TCP connection flood (as shown in the example in the article above). They all appear to show the same behavior. Any clues appreciated. Reply 24. Keshav Says: February 28, 2012 at 2:32 pm (continuation from February 28, 2012 at 11:34 am): Upon further investigation, I saw ddosim indeed sends non-zero ACKs when TCP ACK flag is not set. However, the TCP connections complete when the host running ddosim and the victim server are connected directly (as suggested by the author). Its the device standing in between the hosts in my setup, thats dropping the requests because of invalid ACK number. It would be nice to nice to see the problem fixed, if its easy. Reply o stormsecurity Says: February 28, 2012 at 6:54 pm Since the TCP connections complete when the host running ddosim and the victim server are connected directly, it means that the network device that is standing between attacker and victim is modifying the packets somehow. You can make a simple test try to establish a single connection using ddosim and check that all the packets sent from attacker reach the victim and vice versa. Reply 25. Nasir Mehmood Malik Says: March 9, 2012 at 1:50 pm Geeks, I am still not able to figure out how to recover from the set back of libnet0-dev on centos. Any help would be greatly appreciated. Regards Reply o stormsecurity Says: March 9, 2012 at 2:41 pm As I already said, I did not test ddosim on CentOS. DDosim was built and tested on a Backtrack machine (Debian based) having the package libnet0- dev installed. Reply 26. Seb Says: April 2, 2012 at 3:15 pm Hi , My tool works. Now I have question if I use application DDoS attack could You tell me how often and how many http reguest are send to victim? Can we manage number of request or type of request? For example we can setup how many connection TCP we can setup and how many user we can simulate but for example when we do application DDOS then we do not need many connection and many users but many request. Can we setup this parameter? best regards, Sebastian Reply o stormsecurity Says: April 4, 2012 at 10:27 am Hi Sebastian, Im glad you made it work The current version of ddosim does not report the number of requests/second sent to victim server. However, the parameter -w specifies the delay between packets. You can adjust it in order to obtain an efficient packet rate. Im afraid that multiple requests per user are not possible in the current architecture of ddosim. Right now you have a distinct user making a single HTTP request. Ill think about this for the next release. Cheers, Adrian Reply
Seb Says: April 4, 2012 at 2:18 pm Hi Adrian, When will You think release new version Your software? I am very interesting this tool. Do You know mabe other tool which I can use? BR, Sebastian 27. stormsecurity Says: November 9, 2010 at 7:17 am It works only in a lab environment because you MUST set the default gateway of the victim as described in my post. Adrian Reply 28. Guest Says: November 11, 2011 at 3:17 pm yeah I am using it in a lab enviroment, but I want to simulate for example 10 different ips to send request to the same server, but if the server requested to set cookie, the redirecct will be sent to the false ip address or to the address that generated the false ips? hope my question is clear, and thanks for your reply! Reply 29. stormsecurity Says: November 14, 2011 at 8:40 am If you configured your network topology and network settings as described in the article, you should receive the redirect packet to the false IP address. However, the ddosim does not know how to handle cookies (in this current version.) Reply Leave a Reply
Blog at WordPress.com. Theme: Black-LetterHead by Ulysses Ronquillo. Follow Follow StormSecurity Get every new post delivered to your Inbox. Powered by WordPress.com