Cyber Tomography: Find the Hidden Stress Fractures within a Cyber Infrastructure and Measure its Resiliency to Attack and High-Stress Traffic Load
May 2010
Gregory Fresnais - Director of International Business Development
Email: [email protected], Tel: +33 6 72 51 09 22
Who is BreakingPoint Systems?
• Founded September 2005
• 285% revenue growth, 2009 vs. 2008
• 12 quarters of consecutive growth
• Breakthrough, award-winning products
• Privately held and based in Austin, TX
• Sales & Support: US, Canada, UK, France, Italy, Spain, Netherlands, Belgium, Israel, Switzerland, Finland, Sweden, Germany, Norway, India, Japan, China, Korea, Taiwan, Malaysia, New Zealand, Australia, …
BreakingPoint Storm CTM (Cyber Tomography Machine)
• 130+ applications
• 4,500+ live security attacks
• 80+ evasions
• 40 Gbps blended application traffic
• 30M concurrent user sessions
• 1.5M new user sessions/second
What can BreakingPoint Systems offer?
• A new generation of high-performance test equipment covering L2, L3, L4, L7, security and fuzzing from the same test port at the same time, using the same management software and the same hardware.
• No license model: all features available by default
• Realistic traffic simulation, Layer 2-7, IPv4 and IPv6
What type of tests does BreakingPoint provide?
• Bit Blaster - generates Ethernet frames (L2 tests)
• Routing Robot - generates IP packets (L3 tests)
• Session Sender - generates TCP and UDP (L4 tests)
• AppSim - 130+ client and server application protocols (L7 tests)
• L2 and L4 Recreate - raw playback, TCP and UDP PCAP
• Security Module - 4,500+ unique attacks, 80+ evasion types
• Stack Scrambler - protocol fuzzing on the AppSim module protocols
• ClientSim - interaction with a real server (L7 tests)
• Malicious traffic simulation, Layer 2-7, IPv4 and IPv6
• No license model: all features available by default
Create Your Own Mix of Protocols
• Replicate the traffic profile of your environment
• Modify, save and re-use the BreakingPoint templates
• Import traffic profiling information from management systems
Real-Time Statistics
• Immediate understanding of device behaviour
• Summary and detailed views of key information
Example: latency starting to have an impact
Partial List of 130 Applications
Chat: AIM6 Keyserver, AIM6 Rendezvous, AIM6 Switchboard, AOL Instant Messenger, IRC, Jabber, MSN Dispatch, MSN Nexus, MSN Notification, MSN Passport, MSN Switchboard, OSCAR, OSCAR File Transfer, QQ IM, Windows Live Messenger, Yahoo! Messenger, ICQ
Authentication: DIAMETER, RADIUS Accounting, RADIUS Access
Databases: IBM DB2, Informix, Microsoft SQL, MySQL, Oracle, PostgreSQL, Sybase, TDS, TNS
Data Transfer: FTP, Gopher, HTTP, NNTP, RSync, TFTP
Data Transfer / File Sharing: IPP, NetBIOS, NETBIOS DGM, NETBIOS NS, NETBIOS SSN, NFS, RPC NFS, SMB, SMB/CIFS, SMBv2
Email: IMAP, IMAPv4 Advanced, Outlook Web Access, POP3, POP3 Advanced, SMTP
Financial: FIX, FIXT
Games: World of Warcraft
Enterprise Applications: DCE/RPC Endpoint Mapper, DCE/RPC Exchange Directory, DCE/RPC MAPI Exchange, SAP
Distributed Computing: Citrix, DCE/RPC, VMware VMotion
Custom Toolkits: Applications, Raw, Security Attacks
Webmail: AOL Web Mail, Gmail, GMX Webmail, GMX Webmail Attachment, Hotmail, Hotmail Attachment, Orange Webmail, Yahoo! Mail, Yahoo! Mail Attachment
Partial List of 130 Applications (continued)
Remote Access: RDP, RFB, RLogin, Telnet
Secure Data Transfer: HTTPS, SSH
Voice/Media: H.225.0, H.225 RAS, H.245, MMS MM1, RTCP, RTP, RTP Unidirectional Stream, RTSP, SIP, Skype, Skype UDP Helper, STUN
Telephony: SMPP, MM1, H.323
System/Network Admin: DNS, DNS (Deprecated), IDENT, Finger, LDAP, NTP, RPC Bind, RPC Mount, SNMP, SNMPv1, Sun RPC, Syslog, Time
Testing and Measurement: Chargen, Daytime, Discard, Echo, OWAMP Control, OWAMP Test, QOTD, TWAMP Control, TWAMP Test
Social Networking: Twitter, MySpace
Peer-to-Peer: AppleJuice, BitTorrent Peer, BitTorrent Tracker, BitTorrent, eDonkey, Gnutella Leaf, Gnutella Ultrapeer, PPLive, QQLive, Winny
Security Test Reporting: High Level
Security Test Reporting: Details
BreakingPoint Elite Solution
• Chassis-based solution with 2 test blade slots:
  – 1x blade of 8x Gigabit ports (SFP)
  – 1x blade of 4x 10 Gigabit ports (XFP)
  – 1x controller with management and DUT monitoring ports
• Blades can be used in any combination, operate independently, and offer multi-user support
BreakingPoint Hardware Performance

Single blade                 8x Gigabit             4x 10 Gigabit
L2/L3 packets/sec            12 million             60 million
L2/L3 bandwidth              8 Gbps (64 bytes)      40 Gbps (64 bytes)
L4/L7 new users/sec          500,000                750,000
L4/L7 concurrent users       10 million             15 million
L4/L7 bandwidth              8 Gbps                 20 Gbps

Two blades                   16x Gigabit            8x 10 Gigabit
L2/L3 packets/sec            24 million             120 million
L2/L3 bandwidth              16 Gbps (64 bytes)     80 Gbps (64 bytes)
L4/L7 new users/sec          1,000,000              1,500,000
L4/L7 concurrent users       20 million             30 million
L4/L7 bandwidth              16 Gbps                40 Gbps

Note on the two-blade rows: the slide prints "new users/sec 20 million / 30 million" and "concurrent users 10 million / 15 million", i.e. the single-blade concurrent figure repeated and the doubled figure on the wrong row. The values above are the doubled single-blade figures and match the Storm CTM summary of 30M concurrent sessions and 1.5M new sessions/second. The L2/L3 figures are line rate at 64-byte frames: with 20 bytes of preamble and inter-frame gap per frame, 8 Gbps is 8e9 / (84 x 8) ≈ 11.9 million frames/sec, the "12 million" quoted.
Case Study: IDS/IPS Performance, Stability and Security Test
Test Goal
• Validation of four different 10 GigE IPS/IDS vendors (Vendor 1 to Vendor 4)
• Test plan:
  – Performance test with good traffic
    • L3: maximum packet forwarding for different packet sizes
    • L4: maximum TCP sessions/sec, TCP open (concurrent) sessions and TCP bandwidth
    • L7: maximum HTTP transactions/sec and a mix of application protocols
  – Security test with malicious traffic
  – Performance and security test with good and malicious traffic combined
Customer Network Test Infrastructure
BreakingPoint IDS/IPS Test Infrastructure
IDS/IPS Performance Test Results for Good Traffic: Layer 3 Stateless Traffic

L3 UDP Stateless Traffic Test Results

Packet size      Vendor 1    Vendor 2    Vendor 3    Vendor 4
64 bytes         1.7 Gbps    2.8 Gbps    0.45 Gbps   1.1 Gbps
512 bytes        4.8 Gbps    9.3 Gbps    3.3 Gbps    4.2 Gbps
1518 bytes       16 Gbps     9 Gbps      10 Gbps     5.3 Gbps
4096 bytes       NA          19.8 Gbps   NA          NA
Latency          34 µs       31 µs       250 µs      150 µs

Several figures exceed 10 Gbps, so the throughput is evidently the aggregate of both directions through the 10 GigE device under test (20 Gbps line rate). NA: the device did not support 4096-byte (jumbo) frames. The 64-byte row is the one that matters for an inline inspection device, whose cost is per packet rather than per byte: 2.8 Gbps of 64-byte frames is already about 4.2 million packets/sec.
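The conversions behind the packet-size tables (the hardware performance table, the L3 vendor results above, and the lawful-intercept probe figures later in the deck) are worth having as code, because the Gbps numbers hide the packet rate an inspection engine actually has to keep up with. The following is an added example and not BreakingPoint code; the vendor figures are copied from the table above, while the link assumptions (a 10 GigE device loaded in both directions) are mine.

```python
"""Line-rate arithmetic for packet-size tests: Gbps <-> packets/sec for a frame size,
a sanity check for quoted datasheet figures, and the L3 vendor results re-expressed as
packets/sec and as a fraction of the line rate offered.  Added example, not vendor code."""

# Bytes on the wire that are not part of the Ethernet frame itself:
# 7-byte preamble + 1-byte start-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20


def frames_per_second(link_gbps: float, frame_bytes: int) -> float:
    """Maximum frame rate in one direction of a link for a given frame size (CRC included)."""
    bits_per_frame = (frame_bytes + WIRE_OVERHEAD_BYTES) * 8
    return link_gbps * 1e9 / bits_per_frame


def gbps_from_frames(frames_per_sec: float, frame_bytes: int) -> float:
    """Inverse: the line-rate bandwidth occupied by a given frame rate."""
    return frames_per_sec * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8 / 1e9


def quoted_figures_consistent(link_gbps: float, frame_bytes: int, quoted_mpps: float,
                              tolerance: float = 0.02) -> bool:
    """True if a quoted packet rate (millions/sec) matches the link's line rate at this
    frame size to within `tolerance` (relative).  Use it on any datasheet pair of
    'X Gbps at 64 bytes' and 'Y Mpps' before trusting either number."""
    expected = frames_per_second(link_gbps, frame_bytes) / 1e6
    return abs(expected - quoted_mpps) / expected <= tolerance


# L3 UDP stateless results from the IDS/IPS case study (Gbps; None = NA / not supported).
L3_RESULTS_GBPS = {
    64:   (1.7, 2.8, 0.45, 1.1),
    512:  (4.8, 9.3, 3.3, 4.2),
    1518: (16.0, 9.0, 10.0, 5.3),
    4096: (None, 19.8, None, None),
}


def line_rate_fraction(results, link_gbps: float = 10.0, directions: int = 2):
    """Each vendor's throughput as a fraction of the aggregate line rate offered to it.
    Assumption: a 10 GigE DUT loaded in both directions, since values above 10 Gbps in
    the table only make sense as a bidirectional aggregate."""
    offered = link_gbps * directions
    return {size: tuple(None if v is None else round(v / offered, 3) for v in row)
            for size, row in results.items()}


def inspected_packets_per_second(results):
    """Convert each Gbps figure back into the packet rate the IPS actually inspected;
    this is the number that decides whether a per-packet engine keeps up."""
    return {size: tuple(None if v is None
                        else round(v * 1e9 / ((size + WIRE_OVERHEAD_BYTES) * 8))
                        for v in row)
            for size, row in results.items()}


if __name__ == "__main__":
    # Hardware table: 8 Gbps of 64-byte frames ~ 12 Mpps, 40 Gbps ~ 60 Mpps.
    print(round(frames_per_second(8.0, 64) / 1e6, 2), quoted_figures_consistent(8.0, 64, 12.0))
    print(round(frames_per_second(40.0, 64) / 1e6, 2), quoted_figures_consistent(40.0, 64, 60.0))
    # Lawful-intercept probe: 10 Gbps of 1518-byte frames ~ 813k pps (slide quotes 814,000).
    print(round(frames_per_second(10.0, 1518)))
    for size, row in inspected_packets_per_second(L3_RESULTS_GBPS).items():
        print(size, "bytes ->", row, "packets/sec")
    print(line_rate_fraction(L3_RESULTS_GBPS))
```

At 64 bytes the best vendor in the table is forwarding about 14% of the offered line rate and 4.2 million packets/sec; reading the same result as "2.8 Gbps" makes it look better than it is.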
IDS/IPS Performance Test Results for Good Traffic: Layer 4 Stateful Traffic and Layer 7 HTTP Traffic

L4 and L7 - TCP Test and HTTP Test

TCP test                     Vendor 1     Vendor 2     Vendor 3     Vendor 4
TCP rate (new sessions/s)    40,000       750,000      90,000       250,000
TCP open (concurrent)        2,000,000    5,000,000    3,983,786    6,000,000
TCP bandwidth                6.5 Gbps     10 Gbps      5.5 Gbps     6 Gbps

HTTP test                    Vendor 1     Vendor 2     Vendor 3     Vendor 4
HTTP rate (transactions/s)   25,000       140,135      18,000       75,000
HTTP open (concurrent)       800,000      3,000,000    1,790,000    4,200,000
HTTP bandwidth               3.1 Gbps     10 Gbps      5.1 Gbps     6.35 Gbps
IDS/IPS Performance Test Results for Good Traffic: Layer 7 Mix of Application Protocols

L7 - Mix of Application Protocols

                          Vendor 1    Vendor 2    Vendor 3    Vendor 4
Session rate (new/s)      7,376       53,594      24,924      30,000
Sessions open             16,469      21,251      18,877      108,000
Bandwidth                 0.58 Gbps   3.8 Gbps    1.3 Gbps    2.6 Gbps
IDS/IPS Security Test Results for Malicious Traffic

Security Test: Accuracy of Attack Detection (attacks detected out of 444 sent)

                                  Vendor 1   Vendor 2   Vendor 3   Vendor 4
444 attacks, level 2, seed 1      99         225        46         309
444 attacks, level 2, seed 1000   99         228        68         311

The best vendor detects 311 of 444 (70%), the worst 46 to 68 (10-15%). Re-running the same strike list with a different seed moves three vendors by a few strikes but Vendor 3 by 22, so the seed is worth varying before reading too much into a single run.
IDS/IPS Performance and Security Test Results for Good and Malicious Traffic

L7 - Mix of Good and Malicious Traffic

                                       Vendor 1    Vendor 2    Vendor 3    Vendor 4
Session rate (new/s)                   4,300       50,000      16,500      30,000
Sessions open                          110,000     40,000      108,000     88,000
Bandwidth                              0.35 Gbps   4.1 Gbps    1.3 Gbps    2.6 Gbps
444 attacks sent, level 2, seed 1:
attacks detected                       20          208         42          192

Compared with the attacks-only run using the same seed (99, 225, 46, 309), detection under legitimate load falls for every vendor, most sharply for Vendor 1 (99 to 20) and Vendor 4 (309 to 192). An IPS that passes a signature test on an idle link can still miss most attacks at its working load, which is why the mixed test is the one to weight.
BreakingPoint Resiliency Score

Components of Resiliency Scoring: Performance, Security, Stability
• Simple method to evaluate network devices under real-world hostile conditions
• Fixed standard to evaluate multiple devices
  – Performance: frame rate, concurrent sessions, new session rate
  – Security: susceptibility to direct attack; optional strike-blocking abilities
  – Stability: resistance to fault injection
What type of device can be tested?
• Switch
• Router
• Firewall
• Load balancer
• Proxy
• Intrusion Prevention System (IPS)
• Unified Threat Management (UTM)
Real World Scenarios - Stress and Score
Application protocols:
• BlackBerry services, IMAP, Oracle, P2P, streaming media, Skype, web downloads, webmail, etc.
• SMB/CIFS, HTTP, HTTPS, FTP, SMTP, IM
• 130+ applications
Network protocols: TCP, UDP, ICMP; IPv4, IPv6; BGP and more
Physical: Ethernet, 1 GigE, 10 GigE
Final Score
Application Traffic Simulation using BreakingPoint Storm CTM to Validate a Lawful Intercept Solution
Lawful Interception Infrastructure
Lawful Interception Test Infrastructure
LI Performance for L3 Traffic Test Results

Throughput, no trigger, A to B (one direction)
64 bytes        2.5 Gbps
1518 bytes      10 Gbps
4096 bytes      Not supported

Packet rate, no trigger
64 bytes        3.75 million packets per second
1518 bytes      814,000 packets per second
4096 bytes      Not supported

Throughput, no trigger, A to B and B to A simultaneously
64 bytes        1.25 Gbps / 1.25 Gbps
1518 bytes      5 Gbps / 5 Gbps
4096 bytes      Not supported

At 64 bytes the probe is packet-rate bound at about 3.7 million packets/sec, a quarter of 10 GigE line rate; at 1518 bytes it reaches 10 Gbps. In both cases the capacity is shared between the two directions, so a bidirectional link gets half of it each way.
LI Performance for L4 TCP Test, L7 HTTP Test and L7 HTTP Content

TCP trigger                        Vendor 1
New TCP sessions per second        200,000
Concurrent TCP sessions            5 million
TCP bandwidth                      4 Gbps

HTTP trigger                       Vendor 1
New HTTP transactions per second   50,000
Concurrent HTTP transactions       1 million
HTTP bandwidth                     1 Gbps

Keyword trigger (Yahoo webmail)    Vendor 1
Sessions per second                5,000
Concurrent sessions                155,000
Bandwidth                          400 Mbps
Issues Found in the Lawful Interception Solution
• Network probe
  – Performance issue at 5 Gbps on a 10 GigE interface causing a crash and reboot
  – Loss of data capture during the reboot; critical on a 1 GigE or 10 GigE network
  – Inaccurate application protocol identification: missing data for webmail, instant messenger and social networking
• Mediation device
  – Overloaded
  – Unable to apply an HI1 request (intercept administration) for traffic capture to the network probe
  – Unable to receive the traffic captured by the network probe
  – Unable to convert the intercepted traffic to HI2 (intercept-related information) and HI3 (content of communication) format
  – Unable to send the information to the LEA (law enforcement agency)
• The information provided by the lawful interception solution may therefore be unreliable, affecting law enforcement agencies, regulatory or administrative agencies, and intelligence services.
Enterprise Mix Protocols
Service Provider Mix Protocols
Education Mix Protocols
Create Your Own Mix of L7 Protocols
Native Email Protocol Simulation
Native Peer-to-Peer Simulation
Native Voice over IP Simulation
Native Webmail Protocol Simulation
Native Instant Messenger Simulation
BreakingPoint API to Develop New Protocols
• The Custom Application Toolkit is an API for developing new versions of protocols:
  – Webmail
  – Instant messenger
  – P2P
  – Social networking
• Programming in XML and Ruby
• The Custom Application Toolkit is fully integrated with BreakingPoint Storm CTM, so a new protocol version can be simulated at high performance
Botnet Simulation using BreakingPoint Storm CTM to Validate an Anti-DDoS Solution
What do we need to simulate a botnet?
• Botmaster simulation: controls the zombies/bots via the command and control (C&C) server
• Command and control server simulation: request/response communication with the zombies
• Zombie/bot simulation: sends the DDoS attack
• Target server simulation: receives the DDoS attack
What types of botnet attack do we need to simulate?
• It is important to simulate all types of botnet attack:
• L3 DDoS attacks: ICMP flood, …
• L4 DDoS attacks: TCP flood, UDP flood, BGP flood, …
• L7 DDoS attacks: DNS flood, HTTP flood, HTTPS flood, SMTP flood, …
Botnet Simulation using BreakingPoint Storm CTM
• BreakingPoint Storm CTM can simulate a large botnet to validate an anti-DDoS solution.
• It can simulate every part of the botnet: the botmaster, the command and control server, a large number of zombies/bots, and the target server that receives the attack.
• It can simulate a real-world scenario mixing legitimate traffic with botnet traffic, to verify that the good traffic is allowed through while the DDoS traffic is blocked.
Botnet with Star C&C Server
BreakingPoint Simulation: Botnet with Star C&C Server
Botnet with Multi C&C Server
BreakingPoint Simulation: Botnet with Multi C&C Server
Botnet with Hierarchical C&C Server
BreakingPoint Simulation: Botnet with Hierarchical C&C Server
HTTP Botnet using Pull Communication (bots poll the C&C server for commands)
IRC Botnet using Push Communication (the C&C server pushes commands to bots joined to a channel)
Botnet Attack Simulation using HTTP C&C Server
Botnet Attack Simulation using IRC C&C Server
Defined Number of IPv4 Infected PCs
Defined Number of IPv6 Infected PCs
Botnet Configuration using HTTP C&C Server
Botnet Configuration using IRC C&C Server
BreakingPoint Botnet API for Advanced Simulation
• The Custom Application Toolkit is an API for simulating a complex botnet:
  – Communication between botmaster and C&C server
  – Communication between C&C server and C&C server
  – Communication between C&C server and zombie
  – DDoS attack between zombie and target server
• Programming in XML and Ruby
• The Custom Application Toolkit is fully integrated with BreakingPoint Storm CTM, so a new botnet can be simulated at high performance
Botnet Maximum Sessions per Second
Botnet Maximum Bandwidth
Botnet Ramp-Up DDoS Attack
Botnet Steady-State DDoS Attack
Botnet Ramp-Down DDoS Attack
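The scenario the botnet slides describe (a pull-style HTTP C&C handing a flood command to a defined number of infected PCs, an attack that ramps up, holds and ramps down, legitimate traffic mixed in, and the check that good traffic passes while the DDoS traffic is blocked) fits in a short model. What follows is an added example, not BreakingPoint code or the Custom Application Toolkit: the bot counts, per-bot rates, the target address and the per-source rate-limit mitigation are all constructed for illustration.

```python
"""Model of the anti-DDoS test scenario: pull-style HTTP C&C, ramp-up / steady / ramp-down
attack profile, legitimate traffic mixed in, and a scorer for the device under test.
Added example, not vendor code.  All figures below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AttackCommand:
    target: str
    flood: str        # "http", "syn", "udp", ...
    start: int        # second at which the first bots begin
    ramp_up: int      # seconds until every bot is attacking
    steady: int       # seconds at full strength
    ramp_down: int    # seconds until the last bot stops


class HttpCommandAndControl:
    """Pull model: the botmaster deposits a command on the server; each bot polls
    (think GET /cmd?id=<bot>) and receives the current command in the response body."""

    def __init__(self) -> None:
        self.command: Optional[AttackCommand] = None
        self.polls: list = []

    def botmaster_set(self, command: AttackCommand) -> None:
        self.command = command

    def bot_poll(self, bot_id: int) -> Optional[AttackCommand]:
        self.polls.append(bot_id)
        return self.command


def bots_attacking(cmd: AttackCommand, total_bots: int, t: int) -> int:
    """Bots active at second t: linear ramp-up, plateau, linear ramp-down."""
    rel = t - cmd.start
    if rel < 0:
        return 0
    if rel < cmd.ramp_up:
        return total_bots * (rel + 1) // cmd.ramp_up
    rel -= cmd.ramp_up
    if rel < cmd.steady:
        return total_bots
    rel -= cmd.steady
    if rel < cmd.ramp_down:
        return total_bots * (cmd.ramp_down - rel) // cmd.ramp_down
    return 0


def attack_profile(cmd, total_bots, sessions_per_bot, bytes_per_session, horizon):
    """Per-second (new sessions/s, Mbps) the target sees over [0, horizon): the two
    quantities the 'maximum sessions per second' and 'maximum bandwidth' slides plot."""
    profile = []
    for t in range(horizon):
        rate = bots_attacking(cmd, total_bots, t) * sessions_per_bot
        profile.append((rate, rate * bytes_per_session * 8 / 1e6))
    return profile


def per_source_rate_limit(threshold: float):
    """Hypothetical mitigation: a source is allowed only while it opens at most
    `threshold` sessions/s.  Returns a decision function (True = allowed)."""
    return lambda sessions_per_second: sessions_per_second <= threshold


def score(decide, legit_sources, legit_rate, total_bots, sessions_per_bot):
    """One steady-state second of mixed traffic through the mitigation.  Reports the two
    figures the test is about: legitimate sessions passed and attack sessions blocked."""
    good_sent = legit_sources * legit_rate
    good_passed = good_sent if decide(legit_rate) else 0
    bad_sent = total_bots * sessions_per_bot
    bad_blocked = 0 if decide(sessions_per_bot) else bad_sent
    return {
        "good_passed_pct": 100.0 * good_passed / good_sent,
        "attack_blocked_pct": 100.0 * bad_blocked / bad_sent,
        "attack_sessions_per_s": bad_sent,
    }


if __name__ == "__main__":
    cnc = HttpCommandAndControl()
    cnc.botmaster_set(AttackCommand("203.0.113.10", "http", start=5, ramp_up=10, steady=30, ramp_down=10))
    cmd = cnc.bot_poll(bot_id=1)                       # a bot fetches its orders
    print("peak (new sessions/s, Mbps):", max(attack_profile(cmd, 1000, 50, 2000, 60)))
    limiter = per_source_rate_limit(10.0)
    # 1,000 bots at 50 sessions/s each: the limiter blocks them all; users at 2/s pass.
    print(score(limiter, 20000, 2.0, 1000, 50))
    # The same 50,000 sessions/s spread over 50,000 bots at 1/s is indistinguishable from users.
    print(score(limiter, 20000, 2.0, 50000, 1))
```

The two scored runs are the reason the deck's "defined number of infected PCs" parameter matters: at the same aggregate session rate, a per-source limiter scores 100% blocked against a concentrated botnet and 0% against a widely distributed one, so an anti-DDoS evaluation has to vary the bot count and not only the total rate.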
Summary of BreakingPoint Systems Testing Products
BreakingPoint Capabilities
Thank You. Questions?
Gregory Fresnais - Director of International Business Development
[email protected] - +33 6 72 51 09 22