An overview of the toolset, in brief. ISIC includes five tools for the more well know protocols:
If you have access to the console on the device that you're testing, you can easily measure the effectiveness of the attack on resources. Although, on proprietary low end routers, we do not have that ability, so the best course of action is to observe latency of TCP and IP.
Normal latency:
Under Load:
Measuring SYN/ACK response times with Hping:
Using NMap, we do a full port scan of TCP and UDP. Ports with active services are more likely to be susceptible to attack. Note: depending upon the way the vendor has decided to implement the UDP standard, the scan may be completely unreliable.
When first starting out, it's a good move to simply flood lawful packets. This means, no fragmentation, no bogus header lengths, no invalid IP versions, etc. This is a baseline test to determine stability under heavy traffic.
The break down:
wrapper.sh is the custom script built for continuous stress testing. It's basically a frontend to all five ISIC tools. The -s rand tells isic to send packets from random source IP addresses and -d 10.1.1.1 is our target. Finally, we come to the random seed, -r 605. ISIC uses a value to seed the pseudo random number generator (PRNG), this is a necessity for reproducing results.
If the target held its ground on the initial flooding, we can move on to more sophisticated techniques. These involve fragmentation, bogus header lengths and an assortment of other percentage options which Mike Frantzen has included in ISIC's utilities. These are as follows:
By default, these are set to a semi-arbitrary amount and can be disabled by setting to zero. Using these percentage switches and directing traffic towards the ports that were discovered through NMap's probes, we can glean better results.
When searching for flaws it's important to remember that you may not find a problem until a few million packets in. Also, creativity goes a long way. For instance, try sending from really strange source address, like 127.0.0.1, 0.0.0.0, 255.255.255.255 and even from the target's IP. Or try sending packets through port 0. This is technically illegal, going by the standard, but sometimes you can elicit interesting results.
Finally, after finding a flaw, if you believe that a single packet has crashed your target, you can use the (-k) switch to skip ahead 'X' number of packets. Remember though, ISIC has to recreate all of them using the same random seed, so this still will take some time.
Contact the vendor then BUGTRAQ, BUGTRAQ, BUGTRAQ...
No comments:
Post a Comment