In-Depth

Q&A: Stress Testing Your Network Against DoS Attacks

While most companies don’t face worms designed to turn computers against them, denial-of-service attacks remain a problem. How can organizations stress test their network against such attacks? We turned to Alan Newman of Spirent Communications, which manufacturers network stress-testing appliances and simulation software, for some ideas.

• By Mathew Schwartz
• 06/09/2004

The dreaded denial-of-service attack: Though brand-name companies such as Amazon.com and eBay aren’t getting their sites knocked offline in circa-2000’s high-profile, denial-of-service attacks, such attacks remain commonplace. Worms have been coded to cause denial-of-service attacks against a specific site—most recently against Microsoft and SCO.

While most companies don’t face worms designed to turn computers against them, denial-of-service attacks remain a problem. How can organizations stress test their network against attacks, even as they add new network devices, alter firewall configurations, or see increased numbers of corporate users? To answer that question, Security Strategies spoke with Alan Newman, director of marketing for Spirent Communications’ enterprise business; Spirent manufacturers network stress-testing appliances and simulation software.

Do companies still face denial-of-service attacks?

Yes, they’re absolutely getting attacked. It happens every day, multiple times a day, but … the defenses are getting better.

What does your network stress-testing product do?

Basically, Avalanche is a high performance TCP/IP engine. We developed it ourselves. It’s running on a real-time operating system, and on top of that we put a variety of application protocols—HTTP, HTTPS, streaming protocols, Real, QuickTime, FTP, mail, SMTP, [and] POP3.

In addition to that we have a denial-of-service-attack feature, and you can run any mix of those protocols simultaneously, so … we’re able to simulate different user populations coming in—say, one coming in from Far East over a slower line with packet loss, doing e-mail at some time of the morning, while perhaps another group is reviewing streaming media of a regional sales manager’s presentation, and perhaps someone else is over at Yahoo checking their stocks and e-mails.

What’s the device’s use in testing network security?

We basically help IT managers make better purchasing decisions. For example [one client was] doing a bake-off of SSL accelerators, … testing a product from the largest network equipment manufacturer, and found that that product did not meet the [claimed] specifications. … They confronted the manufacturer, and it gave them a free upgrade. Another customer was testing and found they’d misconfigured their server load balancers, and … [was able to] change the balancers.

[With our product] they can test the equipment in the lab, they can make sure it meets needs before they deploy, and for security, they can make sure their infrastructure can resist virus, worm, and denial-of-service attacks.

How do organizations test their network security and load capabilities?

What the larger companies are doing is one of two things. One is, they take a scale model of their network, or of a section of their network, and build it verbatim in the lab. What the other customers do is testing of the live network during off hours.

To replicate their mix of traffic, what customers are generally doing is sniffing, using … some sort of analysis of their network to [take] measurements to figure out their mix of traffic. It is an approximation, but they’ll take that mix and using Avalanche, you can create 100 different scenarios [as mentioned above], based on what you’ve seen in the real world.

The other thing is we have a TCP replay—referring to the file format that Sniffer generally uses—and if you have a proprietary protocol, you can capture and replay that as well.

So organizations can simulate the load on their Web site in a variety of situations?

Exactly, and the timing. So if that propriety protocol happens at 8 in the morning, with a load of 100 users, you can do that, then it goes up to 1,000 at 10 a.m., then up to 10,000 for 10 minutes, then down to 5,000. Also, Avalanche has a companion product, Reflector. While Avalanche simulates all the users, Reflector can simulate all the wanted hardware, so if you need to test a server and firewall in line, you could do that … because it responds to HTTP requests [and] it responds to e-mail requests.

What’s the ideal testing case?

The dream case is that everyone has an exact company network—size, model, software version—in their lab. [But] that’s not possible. It’s just not cost effective. So it’s a delicate balance. People do scale-model testing, and you’d be surprised how many people do the testing in the off hours as well. But for the network-definition testing, that’s always done in the lab, because it doesn’t cost as much to get four or fire devices, with an Avalanche on one.

Ideally, you always test in the lab first?

Exactly … [especially] if you’re [worried about changes]. I was [visiting] a large investment bank in New York, and they’re extremely nervous any time they make a change to the firewall configuration, because I think they have in the range of 50 rules. … They haven’t bought a new one in some time, but when they make a configuration change, they want to make sure that change doesn’t have some unintended consequences.

What about testing against denial of service attacks? Wouldn’t that be dangerous in a production environment?

It’s very, very rare for people to do testing in live environments. It might be production equipment, but it’s [done] off hours or [after] they brought the equipment down—on a segregated part of the network. So maybe they’d say the network will be down from 12 to 3 in the morning, and that’s when they’d be doing this. They may be doing it on the production system, but it’s not live at that moment.

Are there advantages to lab-testing versus using segregated production equipment?

For device infrastructure testing, you’re generally just fine doing it in the labs. You typically have a pretty standard, cookie-cutter configuration. The thing you’re [perhaps] missing is … the confluence of many offices coming into one big … router, but in general most people are happy testing their network infrastructure in the lab.

For Web sites, people are definitely learning stuff when testing their production system off-hours when it’s not live. Companies have told me that … they’re able to extrapolate pretty well, but … they would not have found [things] if they didn’t test those devices in the off hours. For example, … [one company] curiously found that they had a power problem. Whenever they revved up the [full] site, they ended up blowing some power breaker. There are some interesting things that happen in the actual production environment that you wouldn’t see in the lab.

Do you see any particular type of company, or vertical industry, embracing network-testing technology?

Finance and online retail are the obvious guys where if the network goes down, they’re out of business. But there are other people, like [a manufacturer] with automated assembly lines where if the network goes down, [they] go down. Or a railroad company that controls the railroad tracks with their TCP/IP network … if they can’t change the railroad tracks, they’re in trouble … Or [take] companies with large intranets. You can’t order a consulting engagement on the Web, but they run their business on the intranet. If the intranet goes down, they’re losing business.

What drives a company to use technology such as this, besides being proactive?

We normally get calls in when something bad has happened or something is about to change—server consolidation, for example … Any change is the precipitator of phone calls to us. It could be a management change too, a new CIO … nervous about [the] network … [Or] it could be a negative, external event, or about job security. You’d be surprised. I was talking to a CTO in New York, and he was saying Avalanche gives him job security.

So being able to stress-test the network provides job security for those in charge of security and site uptime?

Exactly. This large online company just had a major business event that led to … one of their biggest days online, and they used our product for testing, and the guy was so happy afterwards that they found these problems and fixed them, he was a hero instead of a goat.