Ping Flood Attack for NfSen
--------------------------

A low-level, simple attack that seems to work well is:

From one physically attached box flood virtual routers 1-5.
From another physically attached box flood virtual routers 6-9.

Adjust as needed based on class size.

If you have the MacMini and the fitPC in your lab, then these work
well as the two platforms. Otherwise, you may want to physically
connect a laptop to the classroom backbone switch to avoid having
the ping flood run over wifi.

In Linux open a screen session.
In separate windows launch your flood:

# ping -s 1472 -i .01

You need to be root to use "-i .01".
"-s 1472" will also give you a nicely-sized amount of traffic.

You can detach the screen session if you wish.

This works well if you split up the NetFlow / NfSen sessions so
that people have NfSen installed by the end of session 1, then
you launch the attack as they go on break. When they return,
hopefully they have enough ICMP history to see the sudden jump in
traffic for that protocol.

Generally I tell people they are under attack. Their mission is to
figure out what protocol and from where it is coming for the router
for their group.

I explain it is low-level on purpose, and might represent "noise" you
could see in a live network and never even have realized it was
there.

Note: there appears to be a bug in dynamips where some of the ping
flood traffic is echoed from the group's router to all the PCs in
the group and these will see pings coming from 127.0.0.1... It is
not the same amount of traffic, so clearly this needs to be investigated
at some point.

Note: as router 5 is sending flows to Group 6, and router 6 to Group 5,
depending on where participants are viewing NfSen they may have a
different viewpoint of where the attack is being launched from.

--
HA