You might want to take a look at Traffic IQ, there is a Pro and a Basic
version of the product and it designed to replay traffic both normal and
threat to test inline network and security devices such as firewalls, IDS &
IPS systems, evaluation software is available from our site at
www.karalon.com we also have a Traffic IQ Gateway product which can be used
to apply evasion techniques to traffic flowing through it.
Best
Tony
-----Original Message-----
From: Robert D. Holtz [mailto:robert.d.holtz@gmail.com]
Sent: 19 August 2006 19:07
To: 'Joey Peloquin'
Cc: 'miaomitiff119'; focus-ids@securityfocus.com
Subject: RE: Worm attack generation tools
Good luck on your quest.
These types of experiments are always fun learning experiences!
Great scientific discoveries aren't followed by "Eureka!" ... it's more like
"that's funny".
-----Original Message-----
From: Joey Peloquin [mailto:joeyp@cotse.net]
Sent: Saturday, August 19, 2006 9:39 AM
To: Robert D. Holtz
Cc: 'miaomitiff119'; focus-ids@securityfocus.com
Subject: Re: Worm attack generation tools
Robert D. Holtz wrote:
You would be surprised at what one infected machine can crank out.
I've seen two mediocre machines cripple a four T1 MLPPP bundle. I've
done time at a CLEC and one of our most common problems was folks
insisting
there
internet connection was down when it was actually an infected machine
on their internal LAN going nuts. I could watch the traffic once it
entered into the core and was able to see that it was trash.
What type of bandwidth are you trying to throw at these things?
I would assume that the IDS system is "mainly" watching ingress
traffic
from
the internet which for the most part won't be too high due to the cost
of this type of access.
This assumption goes out the window if you have IDS systems separating
departments, business units, etc. Then you're talking LAN speeds.
Department segregation within the LAN is exactly what I'm talking about,
though I can't speak for the OP. Ingress worm traffic does virtually
nothing to us, because it's usually the same 'ole vectors, 135, 139 or 445,
which have been blocked, filtered, or otherwise denied (perimeter routers,
before the traffic even gets to our IPS) from the Internet for many moons.
Still, I like your style, and wish I would have thought of throwing "real"
worm traffic at my boxes.
Cheers,
-jp
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
