Unfortunately, there is limited information on the techniques and processes businesses can use to test their own servers against realistic DDoS attacks. This presentation gives techniques and a process for simulating a DDoS attack against a company's own servers, or similar systems, as part of a penetration test. We will discuss DoS attack types, setting up the bots, performing the attacks, and administering the bots themselves. This presentation is technical in nature. We will also link to tools that can be used to perform the DoS attacks (along with tools we have written), AMI instances and virtual machines built specifically for this type of testing, and a simple console we developed to administer the bot herder and bots. The techniques discussed have been tested during assessments in which the target organization asked us to perform DDoS attacks as part of a penetration test, or were reconstructed from packet captures collected during incident response engagements for real DDoS attacks.
NOTE: I share most responsible security professionals' general concern with presenting on how to perform DDoS attacks. This presentation can really be broken down into two pieces. The first is on DoS techniques. Most of the techniques in the DoS portion are discussed elsewhere; I will just be bringing them together in one talk so that the average whitehat can have a strong understanding of how they work and how to perform them. No new tools or scripts will be in this portion. The other half of the talk is on ways that companies can simulate these attacks, in particular using EC2 and other cloud vendors, which make spinning up 100 bots at once for a short period of time reasonable in cost and approximate in attacking bandwidth, etc. (IMO, I guess depending on the attacker one wants to emulate, they wouldn't be Anonymous-level attacks, but they could emulate a group of script kiddies renting a bot army). The way I look at it, I'm doubtful that this portion of the talk would be useful to script kiddies, as illegally using the cloud for a DDoS attack is a bad idea (it requires a credit card, the IPs are known, the attack can easily be cut off at the source, etc.). In this portion I will be releasing a console application which basically collects all of the scripts we used to administer our bots (e.g. spin up a bunch of bots, copy a file to all of them, keep track of what they're doing, run a command across all of them, etc.) into one script.