Page 1: Presd2 04

Cyber Tomography: Find the Hidden Stress Fractures within a Cyber Infrastructure and Measure its Resiliency to Attack and High-Stress Traffic Load
May 2010

Gregory Fresnais - Director of International Business Development
Email: [email protected], Tel: +33 6 72 51 09 22

Page 2: Presd2 04

Who is BreakingPoint Systems?

• Founded September 2005
• 285% Revenue growth, 2009 vs. 2008
• 12 Quarters of Consecutive Growth
• Breakthrough, award-winning products
• Privately held and based in Austin, TX
• Sales & Support: US, Canada, UK, France, Italy, Spain, Netherlands, Belgium, Israel, Switzerland, Finland, Sweden, Germany, Norway, India, Japan, China, Korea, Taiwan, Malaysia, New Zealand, Australia, …

Page 3: Presd2 04

BreakingPoint Storm CTM (Cyber Tomography Machine)

• 130+ applications
• 4,500+ live security attacks
• 80+ evasions
• 40 Gbps blended application traffic
• 30M concurrent user sessions
• 1.5M new user sessions/second

Page 4: Presd2 04

What can BreakingPoint Systems Offer?

• BreakingPoint provides a new generation of high-performance test equipment: L2, L3, L4, L7, security and fuzzing tests are all included and run from the same test port at the same time, using the same management software and the same hardware.

• No License Model – All Features Available by Default

Page 5: Presd2 04

What type of tests does BreakingPoint provide?

• Realistic Traffic Simulation, Layer 2-7, IPv4 and IPv6
• Malicious Traffic Simulation, Layer 2-7, IPv4 and IPv6

Test modules (Layer 2 to Layer 7):
– Bit Blaster – Generates Ethernet frames (L2 tests)
– Routing Robot – Generates IP packets (L3 tests)
– Session Sender – Generates TCP and UDP (L4 tests)
– AppSim – 130+ client and server application protocols (L7 tests)
– L2 and L4 Recreate – Raw playback, TCP and UDP PCAP
– Security Module – 4,500+ unique attacks, 80+ evasion types
– Stack Scrambler – Protocol fuzzing on AppSim module protocols
– ClientSim – Interaction with a real server (L7 tests)

No License Model – All Features Available by Default

Page 6: Presd2 04

Create Your Own Mix of Protocols

• Replicate the traffic profile of your environment
• Modify, save & re-use the BreakingPoint templates
• Import traffic profiling information from management systems

Page 7: Presd2 04

Real-Time Statistics

• Immediate understanding of device behaviour
• Summary and detailed views of key information

Example (screenshot callout): latency starting to have an impact

Page 8: Presd2 04

Partial List of 130 Applications

Chat: AIM6 Keyserver, AIM6 Rendezvous, AIM6 Switchboard, AOL Instant Messenger, IRC, Jabber, MSN Dispatch, MSN Nexus, MSN Notification, MSN Passport, MSN Switchboard, OSCAR, OSCAR File Transfer, QQ IM, Windows Live Messenger, Yahoo! Messenger, ICQ

Authentication: DIAMETER, RADIUS Accounting, RADIUS Access

Databases: IBM DB2, Informix, Microsoft SQL, MySQL, Oracle, PostgreSQL, Sybase, TDS, TNS

Data Transfer: FTP, Gopher, HTTP, NNTP, RSync, TFTP

Data Transfer / File Sharing: IPP, NetBIOS, NETBIOS DGM, NETBIOS NS, NETBIOS SSN, NFS, RPC NFS, SMB, SMB/CIFS, SMBv2

Email: IMAP, IMAPv4 Advanced, Outlook Web Access, POP3, POP3 Advanced, SMTP

Financial: FIX, FIXT

Games: World of Warcraft

Enterprise Applications: DCE/RPC Endpoint Mapper, DCE/RPC Exchange Directory, DCE/RPC MAPI Exchange, SAP

Distributed Computing: Citrix, DCE/RPC, VMware VMotion

Custom Toolkits: Applications, Raw, Security Attacks

Webmail: AOL Web Mail, Gmail, GMX Webmail, GMX Webmail Attachment, Hotmail, Hotmail Attachment, Orange Webmail, Yahoo! Mail, Yahoo! Mail Attachment

Page 9: Presd2 04

Partial List of 130 Applications (continued)

Remote Access: RDP, RFB, RLogin, Telnet

Secure Data Transfer: HTTPS, SSH

Voice/Media: H.225.0, H.225 RAS, H.245, MMS MM1, RTCP, RTP, RTP Unidirectional Stream, RTSP, SIP, Skype, Skype UDP Helper, STUN

Telephony: SMPP, MM1, H.323

System/Network Admin: DNS, DNS (Deprecated), IDENT, Finger, LDAP, NTP, RPC Bind, RPC Mount, SNMP, SNMPv1, Sun RPC, Syslog, Time

Testing and Measurement: Chargen, Daytime, Discard, Echo, OWAMP Control, OWAMP Test, QOTD, TWAMP Control, TWAMP Test

Social Networking: Twitter, MySpace

Peer-to-Peer: AppleJuice, BitTorrent Peer, BitTorrent Tracker, BitTorrent, eDonkey, Gnutella Leaf, Gnutella Ultrapeer, PPLive, QQLive, Winny

Page 10: Presd2 04

Security Test Reporting: High Level


Page 11: Presd2 04

Security Test Reporting: Details


Page 12: Presd2 04

BreakingPoint Elite Solution

• Chassis-based solution with 2 test blade slots:
  – 1x blade of 8x Gigabit ports (SFP)
  – 1x blade of 4x 10 Gigabit ports (XFP)
  – 1x controller with management and DUT monitoring ports

• Blades can be used in any combination, operate independently, and offer multi-user support

Page 13: Presd2 04

BreakingPoint Hardware Performance

Single blade:

Metric                   1x Blade 8x Gigabit    1x Blade 4x 10Gigabit
L2/L3 Packet/Sec         12 Million             60 Million
L2/L3 Bandwidth          8 Gbps (64 Bytes)      40 Gbps (64 Bytes)
L4/L7 New User/Sec       500,000                750,000
L4/L7 Concurrent Users   10 Million             15 Million
L4/L7 Bandwidth          8 Gbps                 20 Gbps

Two blades:

Metric                   2x Blades 16x Gigabit  2x Blades 8x 10Gigabit
L2/L3 Packet/Sec         24 Million             120 Million
L2/L3 Bandwidth          16 Gbps (64 Bytes)     80 Gbps (64 Bytes)
L4/L7 New User/Sec       20 Million             30 Million
L4/L7 Concurrent Users   10 Million             15 Million
L4/L7 Bandwidth          16 Gbps                40 Gbps
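The Packet/Sec and Bandwidth (64 Bytes) columns above are two views of one quantity once the per-frame wire overhead is counted. As an added example that is not from the deck, this Python snippet does that conversion and checks it against the table and against the lawful-intercept probe rates reported later (slide 38); the 20-byte preamble/SFD/IFG overhead is standard Ethernet, while the 10 GigE default port size and the sample rows are my assumptions.

```python
# Added example, not from the BreakingPoint deck: the arithmetic behind the
# "L2/L3 Packet/Sec" and "L2/L3 Bandwidth (64 Bytes)" columns. On the wire a
# frame costs its own bytes (headers, payload, FCS) plus 20 bytes of preamble,
# SFD and inter-frame gap, which is why 64-byte frames are the hardest case.
ETH_OVERHEAD_BYTES = 8 + 12   # preamble + SFD (8 bytes) and minimum IFG (12 bytes)
MIN_FRAME_BYTES = 64          # smallest legal Ethernet frame, FCS included
BITS_PER_BYTE = 8


def frames_per_second(gbps: float, frame_bytes: int) -> float:
    """Frames/s that `gbps` of line rate carries when every frame is `frame_bytes` long."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError(f"frame size {frame_bytes} is below the 64-byte Ethernet minimum")
    bits_per_frame = (frame_bytes + ETH_OVERHEAD_BYTES) * BITS_PER_BYTE
    return gbps * 1e9 / bits_per_frame


def line_rate_gbps(pps: float, frame_bytes: int) -> float:
    """Inverse: line rate (Gbps) needed to carry `pps` frames of `frame_bytes` each."""
    return pps * (frame_bytes + ETH_OVERHEAD_BYTES) * BITS_PER_BYTE / 1e9


def port_utilisation(measured_gbps: float, port_gbps: float = 10.0) -> float:
    """Share of a port's line rate actually reached (default: a 10 GigE port, my assumption)."""
    return measured_gbps / port_gbps


def check_table(rows) -> dict:
    """Relative error between a claimed pps figure and the one computed from its Gbps.

    `rows` is a list of (label, gbps, frame_bytes, claimed_pps); small values mean
    the bandwidth and packet-rate columns of a table agree with each other.
    """
    return {label: abs(frames_per_second(gbps, size) - claimed) / claimed
            for label, gbps, size, claimed in rows}


if __name__ == "__main__":
    # Constructed from the deck's own figures: slide 13 blade table, slide 38 LI probe.
    rows = [
        ("8x1G blade, 64 B", 8.0, 64, 12e6),
        ("4x10G blade, 64 B", 40.0, 64, 60e6),
        ("LI probe, 64 B", 2.5, 64, 3.75e6),
        ("LI probe, 1518 B", 10.0, 1518, 814_000),
    ]
    for label, err in check_table(rows).items():
        print(f"{label:20s} claimed vs computed pps differ by {err:.2%}")
    print(f"Vendor 3 at 64 B used {port_utilisation(0.45):.1%} of a 10 GigE port")
```

All four claimed rates come out within 1% of the computed value, so the deck's pps and Gbps columns are consistent with each other.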

Page 14: Presd2 04

Case Study: IDS/IPS Performance, Stability and Security Test

Page 15: Presd2 04

Test Goal

• Validation of different 10 GigE IPS/IDS vendors:
  – Vendor 1
  – Vendor 2
  – Vendor 3
  – Vendor 4

• Test Plan:
  – Performance test for good traffic
    • L3 maximum packet forwarding for different packet sizes
    • L4 maximum TCP/sec, TCP open and TCP bandwidth
    • L7 maximum HTTP/sec and mix of application protocols
  – Security test for malicious traffic
  – Performance and security test for good and malicious traffic

Page 16: Presd2 04

Customer Network Test Infrastructure

Page 17: Presd2 04

Customer Network Test Infrastructure


Page 18: Presd2 04

BreakingPoint IDS/IPS Test Infrastructure


Page 19: Presd2 04

IDS/IPS Performance Test Results for Good Traffic: Layer 3 Stateless Traffic

Page 20: Presd2 04

L3 UDP Stateless Traffic Test Results

Test Scenario     Vendor 1    Vendor 2    Vendor 3    Vendor 4
64 Bytes          1.7 Gbps    2.8 Gbps    0.45 Gbps   1.1 Gbps
512 Bytes         4.8 Gbps    9.3 Gbps    3.3 Gbps    4.2 Gbps
1518 Bytes        16 Gbps     9 Gbps      10 Gbps     5.3 Gbps
4096 Bytes        NA          19.8 Gbps   NA          NA
Latency [uSec]    34 uSec     31 uSec     250 uSec    150 uSec

Page 21: Presd2 04

IDS/IPS Performance Test Results for Good Traffic: Layer 4 Stateful Traffic and Layer 7 HTTP Traffic

Page 22: Presd2 04

L4 and L7 – TCP Test and HTTP Test

Test Scenario     Vendor 1    Vendor 2    Vendor 3    Vendor 4
TCP RATE          40,000      750,000     90,000      250,000
TCP OPEN          2,000,000   5,000,000   3,983,786   6,000,000
TCP BANDWIDTH     6.5 Gbps    10 Gbps     5.5 Gbps    6 Gbps

Test Scenario     Vendor 1    Vendor 2    Vendor 3    Vendor 4
HTTP RATE         25,000      140,135     18,000      75,000
HTTP OPEN         800,000     3,000,000   1,790,000   4,200,000
HTTP BANDWIDTH    3.1 Gbps    10 Gbps     5.1 Gbps    6.35 Gbps

Page 23: Presd2 04

IDS/IPS Performance Test Results for Good Traffic: Layer 7 Mix of Protocols

Page 24: Presd2 04

L7 – Application Mix Protocols

Page 25: Presd2 04

L7 – Mix of Application Protocols

Test Scenario     Vendor 1    Vendor 2    Vendor 3    Vendor 4
SESSION RATE      7,376       53,594      24,924      30,000
SESSIONS OPEN     16,469      21,251      18,877      108,000
BANDWIDTH         0.58 Gbps   3.8 Gbps    1.3 Gbps    2.6 Gbps

Page 26: Presd2 04

IDS/IPS Security Test Results for Malicious Traffic

Page 27: Presd2 04

Security Test: Accuracy of Attack Detection

Test Scenario                     Vendor 1   Vendor 2   Vendor 3   Vendor 4
444 ATTACKS, LEVEL 2, SEED 1      99         225        46         309
444 ATTACKS, LEVEL 2, SEED 1000   99         228        68         311

Page 28: Presd2 04

IDS/IPS Performance and Security Test Results for Good and Malicious Traffic

Page 29: Presd2 04

L7 – Mix of Good and Malicious Traffic

Test Scenario                        Vendor 1    Vendor 2    Vendor 3    Vendor 4
SESSION RATE                         4,300       50,000      16,500      30,000
SESSIONS OPEN                        110,000     40,000      108,000     88,000
BANDWIDTH                            0.35 Gbps   4.1 Gbps    1.3 Gbps    2.6 Gbps
444 SEND ATTACKS, LEVEL 2, SEED 1    20          208         42          192
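The point of the case study is that the clean L7 mix (slide 25), the attacks-only run (slide 27) and the mixed run above only tell the story when read together. As an added example that is not from the deck, the following Python scorecard combines them; reading each table's raw attack count as the number of strikes the device caught, and the three-decimal rounding, are my assumptions.

```python
# Added example, not from the deck: combine slides 25, 27 and 29 to see how much
# detection and throughput each IPS loses once attacks arrive inside real traffic.
from dataclasses import dataclass

TOTAL_STRIKES = 444   # size of the "444 ATTACKS, LEVEL 2, SEED 1" strike set

@dataclass(frozen=True)
class VendorRun:
    name: str
    clean_session_rate: int   # slide 25: L7 mix, good traffic only
    mixed_session_rate: int   # slide 29: L7 mix with the 444 strikes added
    caught_alone: int         # slide 27: strikes caught, attacks only (seed 1)
    caught_mixed: int         # slide 29: strikes caught while carrying the L7 mix

# Constructed from the deck's tables; reading the raw counts as "strikes caught" is my assumption.
RESULTS = [
    VendorRun("Vendor 1", 7_376, 4_300, 99, 20),
    VendorRun("Vendor 2", 53_594, 50_000, 225, 208),
    VendorRun("Vendor 3", 24_924, 16_500, 46, 42),
    VendorRun("Vendor 4", 30_000, 30_000, 309, 192),
]

def detection_rate(caught: int, total: int = TOTAL_STRIKES) -> float:
    """Fraction of the strike set the device caught."""
    return caught / total

def throughput_loss(clean: int, mixed: int) -> float:
    """Fraction of the clean session rate lost once attacks are mixed in (0.0 = no loss)."""
    return 1.0 - mixed / clean

def detection_loss(run: VendorRun) -> float:
    """Fraction of the strikes caught in isolation that were missed under real load."""
    return (run.caught_alone - run.caught_mixed) / run.caught_alone

def summarize(runs=RESULTS) -> dict:
    """Per-vendor scorecard, rounded to three decimals."""
    return {r.name: {
        "detect_alone": round(detection_rate(r.caught_alone), 3),
        "detect_mixed": round(detection_rate(r.caught_mixed), 3),
        "throughput_loss": round(throughput_loss(r.clean_session_rate, r.mixed_session_rate), 3),
        "detection_loss": round(detection_loss(r), 3),
    } for r in runs}

def rank_by(metric: str, higher_is_better: bool = True, runs=RESULTS) -> list:
    """Vendor names ordered best-first on one scorecard metric."""
    card = summarize(runs)
    return sorted(card, key=lambda n: card[n][metric], reverse=higher_is_better)

if __name__ == "__main__":
    print(summarize(), rank_by("detect_mixed"), rank_by("throughput_loss", False))
```

Vendor 4 keeps its full session rate under attack but misses 38% of the strikes it caught in isolation, while Vendor 1 loses 42% of its throughput and 80% of its detections: neither weakness is visible from the single-purpose tables alone.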

Page 30: Presd2 04

BreakingPoint Resiliency Score

Page 31: Presd2 04

Components of Resiliency Scoring

Resiliency Score (diagram): Stability, Performance, Security

• Simple method to evaluate network devices under real-world hostile conditions
• Fixed standard to evaluate multiple devices
  – Performance
    • Frame rate
    • Concurrent sessions
    • New session rate
  – Security
    • Susceptibility to direct attack
    • Optional strike blocking abilities
  – Stability
    • Resistance to fault injection

Page 32: Presd2 04

What Type of Device could be tested?

• Switch
• Router
• Firewall
• Load Balancer
• Proxy
• Intrusion Prevention System (IPS)
• Universal Threat Management (UTM)

Page 33: Presd2 04

Real World Scenarios – Stress and Score

Application Protocols
• BlackBerry Services, IMAP, Oracle, P2P, Streaming Media, Skype, Web Downloads, Webmail, etc.
• SMB/CIFS, HTTP, HTTPS, FTP, SMTP, IM
• 130+ Applications

Network Protocols
• TCP, UDP, ICMP
• IPv4, IPv6
• BGP and more

Physical
• Ethernet
• 1GigE
• 10GigE

Page 34: Presd2 04

Final Score


Page 35: Presd2 04

Application Traffic Simulation using BreakingPoint Storm CTM to validate a Lawful Intercept Solution

Page 36: Presd2 04

Lawful Interception Infrastructure


Page 37: Presd2 04

Lawful Interception Test Infrastructure


Page 38: Presd2 04

LI Performance for L3 Traffic Test Results

Throughput, no trigger, one direction:
Test Scenario (no trigger)          Vendor
64 Bytes - A to B                   2.5 Gbps
1518 Bytes - A to B                 10 Gbps
4096 Bytes                          Not Supported

Packet rate, no trigger:
Test Scenario (no trigger)          Vendor
64 Bytes                            3.75 Million packets per second
1518 Bytes                          814,000 packets per second
4096 Bytes                          Not Supported

Throughput, no trigger, both directions:
Test Scenario (no trigger)          Vendor
64 Bytes - A to B <-> B to A        1.25 Gbps / 1.25 Gbps
1518 Bytes - A to B <-> B to A      5 Gbps / 5 Gbps
4096 Bytes                          Not Supported

Page 39: Presd2 04

LI Performance for L4 TCP Test, L7 HTTP Test and L7 HTTP Content

Test Scenario using TCP Trigger         Vendor 1
New TCP Sessions per Second             200,000
Concurrent TCP Sessions                 5 Million
TCP Bandwidth                           4 Gbps

Test Scenario using HTTP Trigger        Vendor 1
New HTTP Transactions per Second        50,000
Concurrent HTTP Transactions            1 Million
HTTP Bandwidth                          1 Gbps

Test Scenario Looking for Key Word      Vendor 1
Webmail Yahoo Sessions per Second       5,000
Webmail Yahoo Concurrent Sessions       155,000
Webmail Yahoo Bandwidth                 400 Mbps

Page 40: Presd2 04

Issues Found in the Lawful Interception Solution

• Network Probe
  – Performance issue at 5 Gbps on a 10 GigE interface causing crash/reboot
    • Loss of data capture during reboot – critical for a 1 GigE or 10 GigE network
  – Inaccurate application protocol identification
    • Missing data for Webmail, Instant Messenger, Social Networking

• Mediation Device
  – Overloaded
    • Impossible to apply an HI1 request for traffic capture to the Network Probe
    • Impossible to receive the traffic captured from the Network Probe
    • Impossible to convert the intercepted traffic to HI2 and HI3 format
    • Impossible to send the information to the LEA

• Information provided by the Lawful Interception solution could be unreliable, affecting Law Enforcement Agencies, Regulatory or Administrative Agencies, and Intelligence Services.

Page 41: Presd2 04

Enterprise Mix Protocols


Page 42: Presd2 04

Service Provider Mix Protocols


Page 43: Presd2 04

Education Mix Protocols


Page 44: Presd2 04

Create your own Mix of L7 Protocols


Page 45: Presd2 04

Native Email Protocol Simulation


Page 46: Presd2 04

Native Email Protocol Simulation


Page 47: Presd2 04

Native Email Protocol Simulation


Page 48: Presd2 04

Native Peer-to-Peer Simulation


Page 49: Presd2 04

Native Voice over IP Simulation


Page 50: Presd2 04

Native Voice over IP Simulation


Page 51: Presd2 04

Native Webmail Protocol Simulation


Page 52: Presd2 04

Native Webmail Protocol Simulation


Page 53: Presd2 04

Native Instant Messenger Simulation


Page 54: Presd2 04

Native Instant Messenger Simulation


Page 55: Presd2 04

BreakingPoint API to Develop New Protocols

• Custom Application Toolkit is an API to develop new versions of protocols:
  – Webmail
  – Instant Messenger
  – P2P
  – Social Networking
• Programming in XML and Ruby
• Custom Application Toolkit is fully integrated with BreakingPoint Storm CTM to simulate new versions of protocols at high performance

Page 56: Presd2 04

Botnet Simulation using BreakingPoint Storm CTM to validate an Anti-DDoS Solution

Page 57: Presd2 04

What do we need to simulate a Botnet?

• Botnet Master Simulation
  – Controls the zombies / bots via the Command and Control Server
• Command and Control Server Simulation
  – Communication with the zombies: request / response
• Zombie / Bot Simulation
  – Sends the DDoS attack
• Target Server Simulation
  – Receives the DDoS attack

Page 58: Presd2 04

What types of Botnet Attack do we need to simulate?

• It's important to simulate all types of Botnet Attack.
• L3 DDoS Attack
  – ICMP Flood, …
• L4 DDoS Attack
  – TCP Flood, UDP Flood, BGP Flood, …
• L7 DDoS Attack
  – DNS Flood, HTTP Flood, HTTPS Flood, SMTP Flood, …

Page 59: Presd2 04

Botnet using BreakingPoint Storm CTM

• BreakingPoint Storm CTM can simulate a large Botnet to validate an Anti-DDoS solution.

• BreakingPoint Storm CTM can simulate all parts of a Botnet, including the Botnet Master, the Command and Control Server, a large number of Zombies/Bots and the Target Server that will receive the Botnet attack.

• BreakingPoint Storm CTM can simulate a real-world test scenario mixing legitimate traffic with Botnet traffic, to make sure that the good traffic is allowed but the DDoS traffic is blocked.

Page 60: Presd2 04

Botnet with Star C&C Server


Page 61: Presd2 04

BreakingPoint Simulation: Botnet with Star C&C Server

Page 62: Presd2 04

Botnet with Multi C&C Server


Page 63: Presd2 04

BreakingPoint Simulation: Botnet with Multi C&C Server

Page 64: Presd2 04

Botnet with Hierarchical C&C Server


Page 65: Presd2 04

BreakingPoint Simulation: Botnet with Hierarchical C&C Server

Page 66: Presd2 04

HTTP Botnet using Pull Communication


Page 67: Presd2 04

IRC Botnet using Push Communication


Page 68: Presd2 04

Botnet Attack Simulation using HTTP C&C Server


Page 69: Presd2 04

Botnet Attack Simulation using IRC C&C Server


Page 70: Presd2 04

Defined Number of IPv4 Infected PC


Page 71: Presd2 04

Defined Number of IPv6 Infected PC


Page 72: Presd2 04

Botnet Configuration using HTTP C&C Server


Page 73: Presd2 04

Botnet Configuration using IRC C&C Server


Page 74: Presd2 04

BreakingPoint Botnet API for Advanced Simulation

• Custom Application Toolkit is an API to simulate a complex Botnet:
  – Communication between Botmaster and C&C Server
  – Communication between C&C Server and C&C Server
  – Communication between C&C Server and Zombie
  – DDoS Attack between Zombie and Target Server
• Programming in XML and Ruby
• Custom Application Toolkit is fully integrated with BreakingPoint Storm CTM to simulate new Botnets at high performance

Page 75: Presd2 04

Botnet Maximum Session per Second


Page 76: Presd2 04

Botnet Maximum Bandwidth


Page 77: Presd2 04

Botnet Ramp Up DDoS Attack


Page 78: Presd2 04

Botnet Steady State DDoS Attack

Page 79: Presd2 04

Botnet Ramp Down DDoS Attack


Page 80: Presd2 04

Summary of BreakingPoint Systems Testing Products

Page 81: Presd2 04

BreakingPoint Capabilities


Page 82: Presd2 04

Thank You. Questions?

Gregory Fresnais - Director of International Business Development
Email: [email protected], Tel: +33 6 72 51 09 22