Track2Agenda: README-ping-flood.txt

File README-ping-flood.txt, 1.8 KB (added by trac, 6 years ago)
Ping Flood Attack for NfSen
---------------------------

A low-level, simple attack that seems to work well is:

From one physically attached box flood virtual routers 1-5.
From another physically attached box flood virtual routers 6-9.

Adjust as needed based on class size.

If you have the MacMini and the fitPC in your lab, then these work
well as the two platforms. Otherwise, you may want to physically
connect a laptop to the classroom backbone switch to avoid having
the ping flood run over wifi.

In Linux open a screen session.
In separate windows launch your flood:

# ping -s 1472 -i .01

You need to be root to use "-i .01".
"-s 1472" will also give you a nicely-sized amount of traffic.

You can detach the screen session if you wish.

This works well if you split up the NetFlow / NfSen sessions so
that people have NfSen installed by the end of session 1, then
you launch the attack as they go on break. When they return,
hopefully they have enough ICMP history to see the sudden jump in
traffic for that protocol.

Generally I tell people they are under attack. Their mission is to
figure out which protocol is involved and where the traffic is coming
from, as seen on the router for their group.

I explain it is low-level on purpose, and might represent "noise" you
could see in a live network and never even have realized it was
there.
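
Added example (not part of the original README): the check participants are asked to do by eye in NfSen, written as a small script that finds the protocol whose latest slot jumps above its own history and names the top source. The CSV layout, the 5-minute slots, the addresses and the function names are constructed for illustration; the flood row is sized from the ping options above (100 packets/s of 1500-byte IP packets for 300 s).

```python
import csv, io
from collections import defaultdict
from statistics import median

# Constructed sample: one row per flow, grouped in 5-minute slots.
# Addresses are documentation ranges, not real lab hosts.
SAMPLE = """\
slot,src,dst,proto,packets,bytes
10:00,192.0.2.10,198.51.100.1,TCP,400,320000
10:00,192.0.2.11,198.51.100.1,ICMP,5,420
10:05,192.0.2.10,198.51.100.1,TCP,380,301000
10:05,192.0.2.11,198.51.100.1,ICMP,6,504
10:10,192.0.2.10,198.51.100.1,TCP,410,330000
10:10,192.0.2.11,198.51.100.1,ICMP,4,336
10:15,192.0.2.10,198.51.100.1,TCP,395,318000
10:15,192.0.2.11,198.51.100.1,ICMP,5,420
10:15,203.0.113.7,198.51.100.1,ICMP,30000,45000000
"""

def load(text):
    # Parse the CSV and turn the byte counter into an integer.
    return [dict(r, bytes=int(r["bytes"])) for r in csv.DictReader(io.StringIO(text))]

def find_spikes(rows, factor=10):
    """Return (latest_slot, {proto: (baseline, now)}) for protocols whose
    latest slot exceeds factor x the median of their earlier slots."""
    totals = defaultdict(lambda: defaultdict(int))  # proto -> slot -> bytes
    for r in rows:
        totals[r["proto"]][r["slot"]] += r["bytes"]
    slots = sorted({r["slot"] for r in rows})  # HH:MM sorts correctly within a day
    latest, history = slots[-1], slots[:-1]
    spikes = {}
    for proto, per_slot in totals.items():
        baseline = median(per_slot.get(s, 0) for s in history) if history else 0
        now = per_slot.get(latest, 0)
        if now > factor * max(baseline, 1):  # max() avoids a zero baseline
            spikes[proto] = (baseline, now)
    return latest, spikes

def top_source(rows, proto, slot):
    """Return (src, bytes) for the heaviest sender of proto in slot, or None."""
    by_src = defaultdict(int)
    for r in rows:
        if r["proto"] == proto and r["slot"] == slot:
            by_src[r["src"]] += r["bytes"]
    return max(by_src.items(), key=lambda kv: kv[1], default=None)

if __name__ == "__main__":
    rows = load(SAMPLE)
    slot, spikes = find_spikes(rows)
    for proto, (base, now) in spikes.items():
        print(slot, proto, base, now, top_source(rows, proto, slot))
```

The median baseline is why some ICMP history matters: with no earlier slots every protocol with traffic looks like a spike.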

Note: there appears to be a bug in dynamips where some of the ping
flood traffic is echoed from the group's router to all the PCs in
the group and these will see pings coming from 127.0.0.1... It is
not the same amount of traffic, so clearly this needs to be investigated
at some point.

Note: As router 5 is sending flows to Group 6, and router 6 to Group 5,
depending on where participants are viewing NfSen they may have a
different viewpoint of where the attack is being launched from.

--
HA