
LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction


ECSA/LPT

EC-Council Module XXIV

Denial of Service Penetration Testing


Penetration Testing Roadmap

Start Here

• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Social Engineering Penetration Testing
• Application Penetration Testing

Cont’d

EC-CouncilCopyright © by EC-Council

All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont’d)

Cont’d

• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing

End Here


How Does a Denial of Service Attack Work?

Denial of service (DoS) attacks are designed to bring down an enterprise network or e-commerce site by flooding it with large amounts of traffic, similar to hundreds of people repeatedly dialing a telephone number to keep it busy and unavailable.


Distributed Denial of Service Attack

A Distributed Denial Of Service (DDOS) attack uses the same methods as a regular DOS attack, but it is launched from multiple sources.

These attacks can effectively bring down Internet access. To most businesses, this would result in inconvenience and some loss of productivity.

To web-based and ecommerce companies, this could result in substantial monetary losses from loss of sales and customer confidence issues.


Warning

Check with your client before performing Denial of Service attacks on the company.

Successful DoS attacks might render their systems unusable resulting in loss of revenues.


How to Conduct Denial of Service Attack Penetration Testing?

Step 1: Test heavy loads on server

Step 2: Check for DoS vulnerable systems

Step 3: Run SYN attack on server

Step 4: Run port flooding attacks on server

Step 5: Run IP fragmentation attack on server

Step 6: Run ping of death

Step 7: Run teardrop attack

Step 8: Run smurf (ping flooding or ICMP storm) attack

Step 9: Run email bomber on email servers

Step 10: Flood the website forms and guestbook with bogus entries


Step 11: Place huge orders on e-commerce gateways and cancel before reaching the credit card screen


Step 1: Test Heavy Loads on Server

Test the web server for load capacity.

Tools:

• Web Application Stress (WAS)
• JMeter
• TestLOAD


Step 2: Check for DoS Vulnerable Systems

Scan the network.

Tools:

• NMAP
• GFI LANGuard
• Nessus


Step 3: Run SYN Attack on Server

Bombard target with connection request packets.

Tools:

• Trin00
• Tribe Flood
• TFN2K
• Synful
• Synk4


Step 4: Run Port Flooding Attack on Server

Use port flooding attack to flood the port and increase the CPU usage by maintaining all the connection requests on the ports under blockade.

Tools:

• Mutilate
• Pepsi5


Step 5: Run IP Fragmentation Attack on Server

Use IP fragmentation attack to crash the server by sending a large number of IP packets.

Tools:

• Syndrop
• Jolt2


Step 6: Run Ping of Death

Send an IP packet larger than 65,536 bytes by fragmenting it.

It is also known as long ICMP, sPING, ICMP bug or IceNewk.

Tool:

• Utility Ping


Step 7: Run Teardrop Attack

Send a large number of overlapping IP fragments to crash the operating system.

Tools:

• WinNuke
• ssping


Step 8: Run Smurf (ping flooding or ICMP storm) Attack

Use Internet Control Message Protocol (ICMP) message to block the traffic.

Flood the target system through spoofed broadcast ping message.

Tool:

• Papasmurf


Step 9: Run Email Bomber on Email Servers

Send a large number of mails to a target mail server.

Tools:

• Mail Bomber
• Attache Bomber
• Advanced Mail Bomber


Step 10: Flood the Website Forms and Guestbook With Bogus Entries

Fill the forms with arbitrary and lengthy entries.


Step 11: Place Huge Orders on E-commerce Gateways and Cancel Before Reaching the Credit Card Screen

Check for input constraints


ISS Internet Scanner

This tool scans the host systems to determine whether they are vulnerable to a variety of DoS conditions and attacks.

Provides more background information on the attacks.


Mercury Quick Test Professional

It is an effective solution for functional test and regression test automation.

Uses the concept of Keyword-driven testing to simplify test creation and maintenance.

Useful for both technical and non-technical users.

Advantages:

• Sophisticated test suites can be created with minimal training
• Fixes defects faster and meets production deadlines through the presence of complete document, and replicates defects for developers


Flame Thrower Stress Testing Tool

Flame Thrower provides validation of network solutions to ease managing the network.

The test platform allows stress testing of possible attacks such as HTTP, SSL, FTP, email, streaming, LANs, and IPv6.

Iterative and regressive testing is possible, resulting in a number of tests conducted with accuracy and validity.

The tool reports the results depending on which metrics to secure the network can be applied.


Avalanche

Avalanche eliminates expensive testing infrastructures by integrating the behavior of numerous users into a single, compact device.

Benefits:

• Interoperates with the reflector test appliances to offer precise multi-protocol responses to the requests generated.
• Provides integrated statistics in a single report, and exports them into JPEG, PDF, or HTML formats.


Reporting Tool: Avalanche Analyzer

Avalanche Analyzer analyzes the information produced by Avalanche testing tools in the form of intuitive graphs or reports.

Facilitates the analysis of multiprotocol tests by supporting protocols such as HTTP, SSL, and RTSP/RTP POP3.


Avalanche Analyzer: Summary Screen


Avalanche Analyzer: Real-time Statistics With “Tear-off” Charts


Avalanche Analyzer: Mapping Trends Over Time


Web Testing Tools


Pylot

http://www.pylot.org/

The pylot tool is used for testing performance and scalability of web services.

It runs HTTP load tests, which are useful for capacity planning, benchmarking, analysis, and system tuning.

Features:

• Multi-threaded load generator
• Supports both HTTP and HTTPS (SSL)
• Verifies responses with regular expressions
• Execution/monitoring console (wxPython GUI)
• Real-time stats


Pylot: Screenshot


JCrawler

http://jcrawler.sourceforge.net/

JCrawler is a stress-testing tool used for web applications.

Features:

• Crawling/exploratory feature
• Human pattern
• Cookies with HTTP redirects
• Platform independent
• Easy to configure


vPerformer

http://www.verisium.com/products/vPerformer/index.html

vPerformer will assess the performance and scalability of the web applications.

This tool will measure the performance characteristics of your application by generating automated test scripts.

Features:

• Does not require a programming background
• Develop customized, data-driven, reusable, and goal-oriented test scripts for a highly productive testing process
• Flexibility of distributed testing with a single point of control
• Support for multiple platforms, browsers, web servers, application servers, and database servers over a LAN or WAN


vPerformer: Screenshot


Curl-Loader

http://curl-loader.sourceforge.net/

Curl-Loader will generate application load and behavior of thousands and tens of thousands of HTTP/HTTPS and FTP/FTPS clients, each with its own IP address.

This tool is useful for performance loading of various application services, for testing web and FTP servers, and for traffic generation.


RealityLoad XF On-Demand Load Testing

http://www.gomez.com/

Gomez Reality Load XF is an on-demand load testing tool that generates a real world simulation of the actual traffic conditions produced by their end users.

Evaluate response time, availability, and consistency of performance over ISP and geographies.

Features:

• Find and troubleshoot bottlenecks in the web applications
• Provides deep diagnostics
• Web performance expertise


RealityLoad XF On-Demand Load Testing: Screenshots


StressTester

http://www.reflective.com/stresstester.html

StressTester is an enterprise load and performance testing tool for web applications.

It monitors as many of the resources of the system under test as required.

Features:

• Zero scripting
• Suitable for any web, JMS, IP, or SQL applications
• Operating system independent


StressTester: Screenshot


The Grinder

http://grinder.sourceforge.net/

A Java load-testing framework freely available under a BSD-style open-source license.

Orchestrate activities of a test script in many processes across many machines, using a graphical console application.

Test scripts make use of client code embodied in Java plug-ins. Most users do not write plug-ins themselves, instead using one of the supplied plug-ins.

It comes with a mature plug-in for testing HTTP services, as well as a tool that allows HTTP scripts to be automatically recorded.


Proxy Sniffer

http://www.proxy-sniffer.com/

Web load and stress testing tool from Ingenieurbüro David Fischer GmbH.

Capabilities include:

• HTTP/S Web Session Recorder that can be used with any web browser.
• Recordings can then be used to automatically create optimized Java-based load test programs.
• Automatic protection from "false positive" results by examining actual web page content.
• Detailed Error Analysis using saved error snapshots; real-time statistics.


Funkload

http://funkload.nuxeo.org/

Web load testing, stress testing, and functional testing tool written in Python and distributed as free software under the GNU GPL.

Features:

• Emulates a web browser (single-threaded) using webunit
• HTTPS support
• Produces detailed reports in ReST, HTML, or PDF


Avalanche

http://www.spirentcom.com/

Load-testing appliance from Spirent Communications

Features:

• Designed to stress-test security, network, and web application infrastructures by generating large quantities of user and network traffic
• Simulates as many as two million concurrently-connected users with unique IP addresses
• Emulates multiple web browsers
• Supports web services testing
• Supports HTTP 1.0/1.1, SSL, FTP, RTSP/RTP, MS Win Media, SMTP, POP3, DNS, Telnet, and video on demand over multicast protocols


Loadea

http://www.loadea.com/

Stress testing tool runs on WinXP; free evaluation version for two virtual users

Modules:

• Capture module provides a development environment, utilizes C# scripting and XML based data

• Control module defines, schedules, and deploys tests, defines number of virtual users, etc.

• Analysis module analyzes results and provides reporting capabilities


LoadManager

http://www.alvicom.hu/

Load, stress, stability, and performance testing tool from Alvicom

Runs on all platforms supported by Eclipse and Java such as Linux, Windows, HP Unix, and others


TestLOAD

http://www.origsoft.com/

TestLOAD is an automated load testing solution for IBM iSeries from Original Software Group Ltd.

Rather than placing artificial load on the network, it runs natively on the server, simulating actual system performance, monitoring and capturing batch activity, server jobs and green-screen activity.

It is used for web and other applications.


NeoLoad

http://www.neotys.com/

Load testing tool for web applications from Neotys with clear and intuitive graphical interface, no scripting/fast learning curve, clear and comprehensive reports and test results.

A user can design complex scenarios to handle real world applications.

Features:

• Data replacement
• Data extraction
• System monitors
• SSL recording
• PDF and HTML reporting
• IP spoofing


Multi-platform: Windows, Linux, Solaris


PowerProxy

http://www.powerproxy.net/

A low cost HTTP/HTTPs proxy, from Orderly Software Ltd., has a range of basic load-testing features to test web servers and show debugging information about every request and response received or sent.

This tool is used for Windows.


webStress

http://www.moniforce.com/

Load and stress testing service from MoniForce BV

Includes recommendations on how to fix performance-related problems


HostedToolbox

http://www.hostedtoolbox.com/

Hosted load testing service from hostedLABS, LLC

Browser based test script recording, no downloads or system requirements

Works with any client or server

Executed from hostedLAB's distributed infrastructure with servers in multiple locations


Test Complete Enterprise

http://www.automatedqa.com/

Automated test tool from AutomatedQA Corp. includes web load testing capabilities


WebPartner Test and Performance Center

http://www.webpartner.com/

Test tool from WebPartner for stress tests, load performance testing, transaction diagnostics and website monitoring of HTTP/HTTPS web transactions and XML/SOAP/WSDL web services


QTest

http://www.quotium.com/

Web load testing tool from Quotium Technologies SA

Capabilities:

• Cookies managed natively
• Making the script modeling phase shorter
• HTML and XML parser
• Allowing display and retrieval of any element from a HTML page or an XML flux in test scripts
• Option of developing custom monitors using supplied APIs


LoadDriver

http://www.inforsolution.com/

Load test tool from Inforsolutions emphasizes ease of use; directly drives multiple instances of MSIE, rather than simulating browsers

Supports browser-side scripts/objects, HTTP 1.0/1.1, HTTPS, cookies, cache, Windows authentication

Tests can be scriptlessly parameterized with data from text files or custom ODBC data source for:

• Individual userID, password
• Page to start
• Data to enter
• Links to click
• Cache, initial cache state


Test Perspective Load Test

http://www.keynote.com/

Do-it-yourself load testing service from Keynote Systems for web applications

Utilizes Keynote's load-generating infrastructure on the Internet

Conduct realistic outside-the-firewall load and stress tests to validate performance of entire web application infrastructure


SiteTester1

http://www.pilotltd.com/eng/index.html

Load test tool from Pilot Software Ltd.

Allows definition of requests, jobs, procedures and tests, HTTP1.0/1.1 compatible requests, POST/GET methods, and cookies

Running in multi-threaded or single-threaded mode

Generates various reports in HTML format

Keeps and reads XML formatted files for test definitions and test logs


Requires JDK1.2 or higher


httperf

http://www.hpl.hp.com/research/linux/httperf/

Web server performance/benchmarking tool from HP Research Labs

Provides a flexible facility for generating various HTTP workloads and measuring server performance

Focus is not on implementing one particular benchmark but on providing a robust, high-performance, extensible tool

Available free as source code


NetworkTester

http://advanced.comms.agilent.com/networktester/

Tool (formerly called 'NetPressure') from Agilent Technologies uses real user traffic, including DNS, HTTP, FTP, NNTP, streaming media, POP3, SMTP, NFS, CIFS, IM, etc. through access authentication systems such as PPPOE, DHCP, 802.1X, IPsec, as necessary

Features:

• Unlimited scalability
• GUI-driven management station
• No scripting
• Open API
• Errors isolated and identified in real-time
• Traffic monitored at every step in a protocol exchange (such as time of DNS lookup, time to logon to server, etc.)
• All transactions logged, and detailed reporting available


WAPT

http://www.loadtestingtool.com/

Web load and stress testing tool from SoftLogica LLC

Features:

• Handles dynamic content and HTTPS/SSL
• Easy to use
• Support for redirects and all types of proxies
• Clear reports and graphs


Microsoft Application Center Test

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/act/htm/actml_main.asp

Tool for stressing web servers and analyzing performance and scalability problems with web applications, including ASP, and the components they use

Supports several authentication schemes and SSL protocol for use in testing personalized and secure sites

The programmable dynamic tests can also be used for functional testing

Visual Studio .NET Edition


ANTS

http://www.red-gate.com/products/ants_bundle/index.htm

Advanced .NET Testing System from Red Gate Software

A load and stress testing tool focused on .NET web applications, including XML web services

ANTS generates multiple concurrent users via recordable Visual Basic .NET scripts and records the user experiences; at the same time, performance counter information from the Windows system is integrated into the results


Apache JMeter

http://jakarta.apache.org/jmeter/

Java desktop application from the Apache Software Foundation designed to load test functional behavior and measure performance.

Originally designed for testing Web Applications but has since expanded to other test functions; may be used to test performance both on static and dynamic resources (files, Servlets, Perl scripts, Java Objects, Data Bases and Queries, FTP Servers and more).

Features:

• Can be used to simulate a heavy load on a server, network or object:
  • To test its strength
  • To analyze overall performance under different load types
• Can make a graphical analysis of performance or test server/script/object behavior under heavy concurrent load


TestMaker

http://www.pushtotest.com/

Free open source utility maintained by PushToTest.com and Frank Cohen, for performance, scalability, and functional testing of web applications.

A framework and utility to build and run intelligent test agents that implement user behaviors and drive the system as users would.

Features:

• XML-based scripting language
• Library of test objects to create test agents
• Includes capability to check and monitor email systems using SMTP, POP3, IMAP protocols
• Java-based tool - runs on any platform


Webhammer

http://www.genusa.com/iis/webhamr2.html

Low-cost utility by Stephen Genusa designed to test web applications and servers

Configurable 1-16 connections per system CPU


SiteStress

http://www.webmetrics.com/loadtesting.html

Remote, consultative load testing service by Webmetrics

Features:

• Simulates end-user activity against designated websites for performance and infrastructure reliability testing
• Can generate an infinitely scalable user load from the GlobalWatch Network
• Provides:
  • Performance reporting
  • Analysis
  • Optimization recommendations

Page 64: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Siege

http://joedog.org/siege/

Open source stress/regression test and benchmark utility

Developed by Jeffrey Fulmer, modeled in part after Lincoln Stein's torture.pl, but allows stressing many URLs simultaneously

Features:

• Supports basic authentication, cookies, HTTP and HTTPS protocols
• Enables testing a web server with a configurable number of concurrent simulated users
• Stress a single URL with a specified number of simulated users or stress multiple URLs simultaneously
• Reports total number of transactions, elapsed time, bytes transferred, response time, transaction rate, concurrency, and server response

Distributed under terms of the GPL; written in C; for UNIX and related platforms

Page 65: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Jblitz

http://www.clanproductions.com/jblitz/index.html

Affordable load testing tool from Clan Productions aimed at small website developers

Each part of a site's functionality can be tested apart or together with up to 500 threads to simulate many users

Can request anything normally addressable through browser, including:

• Regular web pages.
• ASP scripts.
• JSP scripts.
• Servlets.
• CGI scripts.

Page 66: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

WebServer Stress Tool

http://www.paessler.com/

Web stress test tool from Paessler GmbH handles proxies, passwords, user agents, cookies and ASP-session IDs

Shareware

For Windows

Standard, Professional, and Enterprise versions


Page 67: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Web Polygraph

http://www.web-polygraph.org/

Freely available benchmarking tool for caching proxies, origin server accelerators, L4/7 switches, and other web intermediaries

Other features:

• For high-performance HTTP clients and servers
• Realistic traffic generation and content simulation
• Ready-to-use standard workloads
• Powerful domain-specific configuration language
• Portable open-source implementation

C++ source available; binaries available for Windows

Page 68: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

OpenSTA

http://www.opensta.org/

'Open System Testing Architecture' is a free, open source web load/stress testing application, licensed under the GNU GPL

Utilizes a distributed software architecture based on CORBA

OpenSTA binaries available for Windows


Page 69: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

PureLoad

http://www.minq.se/

Java-based multi-platform performance testing and analysis tool from Minq Software

Features:

• 'Comparer' and 'Recorder' capabilities
• Dynamic input data
• Scenario editor/debugger
• Load generation for single or distributed sources

Page 70: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

ApacheBench

http://www.cpan.org/modules/by-module/HTTPD/

Perl API for Apache benchmarking and regression testing

Intended as foundation for a complete benchmarking and regression testing suite for transaction-based mod_perl sites

For stress-testing server while verifying correct HTTP responses

Based on the Apache 1.3.12 ab code

Available via CPAN as .tar.gz file

Page 71: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Torture

http://stein.cshl.org/~lstein/torture/torture.html

Bare-bones Perl script by Lincoln Stein for testing:

• Web server speed and responsiveness
• Test stability and reliability of a particular web server

Can send large amounts of random data to a server to measure speed and response time of servers, CGI scripts, etc.


Page 72: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

WebSpray

http://www.redhillnetworks.com/

Low-cost load testing tool from CAI Networks

Features:

• Link testing capabilities
• Can simulate up to 1,000 clients from a single IP address
• Supports multiple IP addresses with or without aliases


Page 73: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

eValid

http://www.soft.com/

Web test tool from Software Research, Inc. that uses a 'Test Enabled Web Browser' test engine that provides:

• Browser based 100% client side quality checking.
• Dynamic testing.
• Content validation.
• Page performance tuning.
• Web server loading.
• Capacity analysis.

Page 74: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

WebPerformance Trainer

http://webperformance.com/

Load test tool emphasizing ease-of-use, from WebPerformance, Inc.

Features:

• Supports all browsers and web servers
• Records and allows viewing of exact bytes flowing between browser and server
• No scripting required
• Modem simulation allows each virtual user to be bandwidth limited
• Can automatically handle variations in session-specific items such as cookies, usernames, passwords, IP addresses, and any other parameter to simulate multiple virtual users

For Windows, Linux, Solaris, and most UNIX variants

Page 75: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

WebSuite

http://www.technovations.com/

A collection of load testing, capture/playback, and related tools from Technovations for performance testing of websites

Modules include:

• WebCorder.
• Load Director.
• Report Generator.
• Batch Manager and others.

WebSizr load testing tool supports authentication, SSL, cookies, and redirects

Recorded scripts can be modified manually

For Windows

Page 76: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

FORECAST

http://www.facilita.co.uk/

Load testing tool from Facilita Software for web, client-server, network, and database systems

Capabilities:

• Proprietary, Java, or C++ scripting
• Windows browser or network recording/playback
• Network traces can also be taken from over 15 third-party tracing tools
• Virtual user data can be parameterized
• Works with a wide variety of platforms

Page 77: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

e-Load

http://www.empirix.com/

Load test tool from Empirix Software; for use in conjunction with test scripts from their e-Tester functional test tool

Features:

• Allows on-the-fly changes
• It has real-time reporting capabilities
• Includes script editor with advanced debugging and maintenance capabilities
• Works with a wide variety of platforms

Page 78: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

http-Load

http://www.acme.com/software/http_load/

Free load test application from ACME Labs to generate web server loads, from ACME Software

Handles HTTP and HTTPS; for Unix

Page 79: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

QALoad

http://www.compuware.com/products/qacenter/

Compuware's QALoad for load/stress testing of web, database, and char-based systems

Integration with other Compuware tools

Provides an in-depth view by monitoring its operating system, database and network components, as well as the application itself

Works with a variety of databases, middleware, and ERP


Page 80: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Portent Web Load test tool

http://www.loadtesting.com/

Loadtesting.com's low-priced web load testing tool

Has minimal hardware requirements

Page validation via matching string in page

Written in Java; multi-platform

Page 81: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

SilkPerformer

http://www.segue.com/

Enterprise-class load-testing tool from Segue

Can simulate thousands of users working with multiple protocols and computing environments

Allows prediction of behavior of e-business environment before it is deployed, regardless of size and complexity

SilkPerformer Lite version also available for up to 100 simulated users


Page 82: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Radview's WebLoad

http://www.radview.com/

Load testing tool from Radview Software, also available as part of their TestView web testing suite

Features:

• Over 75 Performance Metrics
• Can view global or detailed account of transaction successes/failures on individual Virtual Client level
• Assisting in capturing intermittent errors
• Allows comparing of running test vs. past test metrics
• Test scripting via visual tool or Javascript
• Wizard for automating non-GUI-based services testing; DoS security testing

Page 83: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Loadrunner

http://www.mercury.com/

Mercury's load/stress testing tool for web and other applications

Supports a wide variety of application environments, platforms, and databases

Large suite of network/app/server monitors to enable performance measurement of each tier/server/component and tracing of bottlenecks

Integrates with other Mercury testing and monitoring products


Page 84: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Java Test Tools

Javacov

• A J2SE/J2EE Coverage testing tool from Alvicom; specializes in testing to MC/DC (Modified Condition/Decision Coverage) depth.

Jameleon

• Open source automated testing harness for acceptance-level and integration testing, written in Java.

Agitator

• Automated Java unit testing tool from Agitar Software.

PMD

• Open source tool scans Java code for potential bugs, dead code, duplicate code, etc.

JLint

• Open source static analysis tool will check Java code and find bugs, inconsistencies and synchronization problems by doing data flow analysis and building the lock graph.

Lint4j

• A static Java source and byte code analyzer that detects locking and threading issues, performance and scalability problems, and checks complex contracts such as Java serialization by performing type, data flow, and lock graph analysis.

Page 85: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Java Test Tools (cont’d)

FindBugs

• Open source static analysis tool to inspect Java bytecode for occurrences of bug patterns, such as difficult language features, misunderstood API methods, misunderstood invariants when code is modified during maintenance, garden variety mistakes such as typos, use of the wrong boolean, etc.

CheckStyle

• Open source tool for checking code layout issues, class design problems, duplicate code, or bug patterns.

Java Development Tools

• Java coverage, metrics, profiler, and clone detection tools from Semantic Designs.

AppPerfect Test Studio

• Suite of testing, tuning, and monitoring products for Java development from AppPerfect Corp. Includes: Unit Tester, Code Analyzer, Java/J2EE Profiler and other modules.

Page 86: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

WebInspect

http://www.spidynamics.com/

WebInspect - automated security assessment tool for web applications and services, from SPI Dynamics

Features:

• Identifies known and unknown vulnerabilities
• Includes checks that validate proper web server configuration
• Discovery of all XML input parameters
• Parameter manipulation on each XML field looking for vulnerabilities within the service itself

Requires Windows and MSIE

Page 87: LPTv4 Module 24 Denial of Service Penetration Testing_NoRestriction

Summary

The purpose of performing a DoS attack is to test the performance of a website.

The DoS attack and DDoS are similar attacks. The difference is that DDoS is a distributed attack, wherein the attack is launched from various unsuspected sources.

Launching a DoS attack can have a negative impact on the business of the organization.

In denial-of-service attacks, the attackers may make explicit attempts to prevent the legitimate users of a service from using it.

Attackers may try to flood a network, thereby preventing legitimate network traffic.
