Ping Flood Attack for NfSen
---------------------------

A low-level, simple attack that seems to work well is:

From one physically attached box flood virtual routers 1-5.
From another physically attached box flood virtual routers 6-9.

Adjust as needed based on class size.

If you have the MacMini and the fitPC in your lab, then these work
well as the two platforms. Otherwise, you may want to physically
connect a laptop to the classroom backbone switch to avoid having
the ping flood run over wifi.

In Linux, open a screen session.
In separate windows launch your flood:

# ping -s 1472 -i .01

You need to be root to use "-i .01".
"-s 1472" also gives you a nicely-sized amount of traffic.

You can detach the screen session if you wish.

This works well if you split up the NetFlow / NfSen sessions so
that people have NfSen installed by the end of session 1, then
you launch the attack as they go on break. When they return, hopefully
they have enough ICMP history to see the sudden jump in
traffic for that protocol.

Generally I tell people they are under attack. Their mission is to
figure out what protocol and from where it is coming for the router
for their group.

I explain it is low-level on purpose, and might represent "noise" you
could see in a live network and never even have realized it was
there.

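The participants' task (which protocol jumped, and from which source) can also be worked through in code. The following is an added example, not part of the original notes: it compares each protocol's newest 5-minute bin with the median of the earlier bins and ranks sources for any protocol that spikes. The flow records, addresses and the factor of 10 are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed 5-minute-bin records (bin, src, dst, proto, bytes); addresses are made up.
FLOWS = [
    ("10:00", "10.10.1.20", "10.10.1.254", "tcp", 410_000),
    ("10:00", "10.10.1.21", "10.10.1.254", "icmp", 1_200),
    ("10:05", "10.10.1.20", "10.10.1.254", "tcp", 395_000),
    ("10:05", "10.10.1.21", "10.10.1.254", "icmp", 900),
    ("10:10", "10.10.1.22", "10.10.1.254", "tcp", 430_000),
    ("10:10", "10.10.1.21", "10.10.1.254", "icmp", 1_500),
    ("10:15", "10.10.1.20", "10.10.1.254", "tcp", 420_000),
    ("10:15", "10.10.1.21", "10.10.1.254", "icmp", 1_100),
    ("10:15", "10.10.0.250", "10.10.1.254", "icmp", 44_000_000),
]

def bytes_per_bin(flows):
    """Sum bytes per protocol per bin: {proto: {bin: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for bin_start, _src, _dst, proto, nbytes in flows:
        totals[proto][bin_start] += nbytes
    return totals

def spiking_protocols(flows, factor=10):
    """Protocols whose newest bin exceeds factor x the median of earlier bins."""
    bins = sorted({f[0] for f in flows})
    latest, history = bins[-1], bins[:-1]
    if not history:  # no baseline yet, so nothing can be called a spike
        return latest, {}
    hits = {}
    for proto, per_bin in bytes_per_bin(flows).items():
        baseline = median(per_bin.get(b, 0) for b in history)
        current = per_bin.get(latest, 0)
        if current > factor * max(baseline, 1):
            hits[proto] = (baseline, current)
    return latest, hits

def top_sources(flows, proto, bin_start, n=3):
    """Rank source addresses by bytes for one protocol in one bin."""
    per_src = defaultdict(int)
    for b, src, _dst, p, nbytes in flows:
        if b == bin_start and p == proto:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]

if __name__ == "__main__":
    latest, hits = spiking_protocols(FLOWS)
    for proto, (baseline, current) in hits.items():
        print(latest, proto, current, "vs", baseline, top_sources(FLOWS, proto, latest))
```

The no-baseline branch matches the scheduling advice above: without ICMP history collected before the break, there is nothing to compare the jump against.
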
Note: there appears to be a bug in dynamips where some of the ping
flood traffic is echoed from the group's router to all the PCs in
the group and these will see pings coming from 127.0.0.1... It is
not the same amount of traffic, so clearly this needs to be investigated
at some point.

Note: As router 5 is sending flows to Group 6, and router 6 to Group 5,
depending on where participants are viewing NfSen they may have a
different viewpoint of where the attack is being launched from.

--
HA