Application Layer DDoS Simulator

Update(november 2010):  ddosim v0.2 has been released. You can find it at: https://sourceforge.net/projects/ddosim/.

ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server).

ddosim is written in C++ and runs on Linux. Its current functionalities include:

  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • SMTP DDoS
  • TCP connection flood on random port

In order to simulate such an attack in a lab environment we need to setup a network like this:

Network configuration for DDOS simulation

Network configuration for DDOS simulation

On the victim machine ddosim creates full TCP connections – which are only simulated connections on the attacker side.

There are a lot of options that make the tool  quite flexible:

Usage: ./ddosim
-d IP                   Target IP address
-p PORT            Target port
[-k NET]             Source IP from class C network (ex. 10.4.4.0)
[-i IFNAME]      Output interface name
[-c COUNT]       Number of connections to establish
[-w DELAY]       Delay (in milliseconds) between SYN packets
[-r TYPE]             Request to send after TCP 3-way handshake. TYPE can be HTTP_VALID or HTTP_INVALID or SMTP_EHLO
[-t NRTHREADS]   Number of threads to use when sending packets (default 1)
[-n]                       Do not spoof source address (use local address)
[-v]                       Verbose mode (slower)
[-h]                       Print this help message

Examples:

1. Establish 10 TCP connections from random IP addresses to www server and send invalid HTTP requests (similar to a DC++ based attack):

./ddosim   -d 192.168.1.2   -p 80   -c 10   -r HTTP_INVALID  -i eth0

2. Establish infinite connections from source network 10.4.4.0 to SMTP server and send EHLO requests:

./ddosim   -d 192.168.1.2   -p 25   -k 10.4.4.0   -c 0   -r SMTP_EHLO  -i eth0

3. Establish infinite connections at higher speed to www server and make HTTP valid requests:

./ddosim   -d 192.168.1.2   -p 80   -c 0   -w 0   -t 10   -r HTTP_VALID  -i eth0

4. Establish infinite TCP connections (without sending a Layer 7 request)  from local address to a POP3 server:

./ddosim   -d 192.168.1.2   -p 110   -c 0  -i eth0

 

More background info:

Some of the hardest to mitigate distributed denial of service attacks are the ones targeting the application layer (in TCP/IP stack). They are difficult to stop because they look legitimate to classic firewalls which let them pass freely (for an example look here). The only way to stop this kind of attacks is deep packet inspection (layer 7 inspection) which means a lot of money/resources.

In general, a DDoS attack is performed by an armie of bots (zombies) that simultaneously send attack packets to a victim server. If we talk about UDP packets (ex. targeting a DNS server), the attack is easier to implement because a zombie needs to send a single UDP packet (multiple times) to contribute to the attack. But in case of a TCP based attack, the zombie needs first to establish the full TCP 3-way handshake and then send the data packets (e.g. HTTP GET request). ddosim successfully simulates this attack scenario.

If you have any questions regarding ddosim, please let me know.

About these ads

57 Responses to “Application Layer DDoS Simulator”

  1. I am encountering this error whilst executing this tool on FC 3

    ./ddosim -d 99.99.20.65 -p 80 -c 0 -w 0 -t 10 -r HTTP_VALID -i eth1
    ./ddosim: error while loading shared libraries: libnet.so.0: cannot open shared object file: No such file or directory

  2. Perhaps you can elaborate more on the “export LD_PRELOAD=libnet.so”. Is it a command or what? Maybe you could briefly write the step by step instructions in shell? Thank you.

    • stormsecurity Says:

      ‘export LD_PRELOAD=libnet.so’ is kind of a hack. The best method is to install the ‘official’ package libnet0-dev which will provide you the correct libnet.so library.

  3. Hello,

    i cannot configure ddosim:

    > configure: error: libnet0 (dev) is required for this program

    but i have libnet and its headers installed:

    $ rpm -qf /lib/libnet.so.0
    libnet-1.1.2.1-141.1.i586
    $ rpm -qf /usr/include/libnet.h
    libnet-1.1.2.1-141.1.i586
    libnet_1.0.2a-devel-1.0.2a-1.1.i586

    my system is opensuse 11.3 – possibly that “libnet0″ has another name in it. which files exactly needed for building ddosim?
    or how could i make any workaround for configure to make it think libnet0 is installed?

    Cheers

  4. [...] DDOSIM simula uma série de máquinas zombies com ips randômicos (o ip do host zombie muda) criando uma [...]

  5. Ubuntu 10.10
    configure: error: libnet0 (dev) is required for this program.

    I have libnet1-dev installed, installing libnet0-dev(downloaded deb) conflicts. Also I need to keep libnet1-dev on my system. How to install ddosim now?
    Thanks

    • stormsecurity Says:

      Hi,

      Libnet0-dev is required for ddosim to work. Maybe it would be a good approach to install it in a (Debian based) virtual machine.

      Regards,
      Adrian

  6. Oh boy, this is great tool, I will surely going to try it out :)

  7. Can I compile with another version of libnet?

    • stormsecurity Says:

      Sorry, I’m afraid you cannot do that with the current version of ddosim. You need libnet0.
      Try apt-get install libnet0-dev.

  8. [...] More Info : 1) DDOSIM at Sourceforge 2) Application Layer DDoS Simulator [...]

  9. Break The Security Says:

    Great tool. Is there any tools for windows?

    Break The security

  10. [...] More Info : 1) DDOSIM at Sourceforge 2) Application Layer DDoS Simulator [...]

  11. Installing in Ubuntu 10.10

    Install required packages:
    sudo apt-get install build-essential
    sudo apt-get install libpcap-dev
    wget http://mirrors.us.kernel.org/ubuntu//pool/universe/libn/libnet0/libnet0_1.0.2a-7_amd64.deb
    sudo dpkg -i libnet0_1.0.2a-7_amd64.deb
    wget http://mirrors.us.kernel.org/ubuntu//pool/universe/libn/libnet0/libnet0-dev_1.0.2a-7_amd64.deb
    sudo dpkg -i libnet0-dev_1.0.2a-7_amd64.deb

    wget http://downloads.sourceforge.net/project/ddosim/ddosim-0.2.tar.gz
    tar xfv ddosim-0.2.tar.gz
    cd ddosim-0.2/
    ./configure
    make
    sudo make install

    It should be updated to use libnet1 instead. then you could just say
    sudo apt-get install libnet1-dev

    • stormsecurity Says:

      Thanks for posting these steps.
      However, the libnet0 package should not conflict with a previously existing libnet1.
      The system that I used for building and testing the application was a 32 bit machine with Backtrack (Ubuntu 8.10) and libnet0-dev.

    • ubiqcx-mail Says:

      nice tutorial
      works well in my BT5_x86

  12. Muddassar Masood Says:

    This is really an awesome tool, wish it could run out of lab environment to test application in real time environment, anyways thanks for addition.

    • stormsecurity Says:

      Running DDOSIM out of lab is not really possible because it simulates distributed (multiple source IPs) attacks using a connection-orented protocol (TCP) which needs at least the 3way handshake before sending any useful data.

      So the communication must be bidirectional. The packets (TCP SYN-ACK) sent by the server must reach the attacker (having random IP address).

      I do not think the simulation of a distributed DOS on a connection oriented protocol is possible outside lab environment.

      If anyone has other ideas, please share.

  13. so if we put the ip address of the victim server outside the lab like 221.223.224.225 on port 80, will it work then?

  14. P.Vaishnavi Says:

    How to include application level attacks in payload? I tried editing ddosim.cpp and compiling it, but it says
    In file included from ddosim.h:9,
    from ddosim.cpp:7:
    /usr/include/libnet.h:87:2: error: #error “byte order has not been specified, you’ll”
    In file included from ddosim.h:9,
    from ddosim.cpp:7:
    /usr/include/libnet.h:88: error: expected unqualified-id before string constant

    How to change the code to include payload?

    • stormsecurity Says:

      What you can easily do right now is to modify the current payloads in senderThread.cpp and recompile ddosim.

      Custom payloads is a feature planned for the next release.

      • P.Vaishnavi Says:

        The payload is declared as u_char *… it takes only 4 bytes…i changed the type to char * in tcputils.cpp , tcputils.h , senderthread.cpp….it throws an error…how to include payload of greater size ?

  15. Hi,

    I’m doing a research on DoS and I wonder if this tool could help establish DoS case. I have the following questions:

    1) can I run it on a single machine not connected to LAN (in other words, Does the machine that runs the DDosim has to be connected physically to other machine?)

    2) suppose I run the tool, can I collect the results in order to graph them??

    3) Can I modify the code to get a specific scenario?

    Your response through this is highly appreciated

    Best Regards,
    Moe

    • stormsecurity Says:

      Hi Moe,

      1. Yes, if your target server is on a virtual machine hosted on the same physical machine. Running ddosim against yourself (on localhost) I do not think is possible.

      2. No, in this version of ddosim you cannot collect the results. You have just the statistics displayed periodically (number of connections established, reset, finished). Maybe in a future version I will implement the collection feature, thanks for suggestion.

      3. Yes, you can modify the code to do whatever you want it to do.

      Cheers,
      Adrian

  16. Old man Says:

    With help from the previous comments I was able to compile on CentOS 5. Make gives me an error:
    ddosim.cpp: In function ‘int main(int, char**)’:
    ddosim.cpp:58: error: ‘libnet_host_lookup’ was not declared in this scope
    ddosim.cpp:184: error: ‘libnet_host_lookup’ was not declared in this scope
    ddosim.cpp: In function ‘u_long getLocalIp(const std::string&, std::string&)’:
    ddosim.cpp:292: error: ‘libnet_open_link_interface’ was not declared in this scope
    ddosim.cpp:296: error: ‘libnet_get_ipaddr’ was not declared in this scope
    ddosim.cpp: In function ‘u_long resolveNameToIp(char*, std::string&)’:
    ddosim.cpp:316: error: ‘libnet_name_resolve’ was not declared in this scope
    ddosim.cpp:317: error: ‘LIBNET_ERR_FATAL’ was not declared in this scope
    ddosim.cpp:317: error: ‘libnet_error’ was not declared in this scope
    make: *** [ddosim.o] Error 1

    Anybody can help me?
    Thank you.

  17. Hi, thanks for writing a tool like this. However, I was wondering if you can use it against a host over the internet with the -n option (no spoofing). I tested it (against a machine under my control), but no ack is sent after synack is received and therefore the tool ends up performing a syn flood. Could you please comment on this? Many thanks.

    • stormsecurity Says:

      Hi, I tested this scenario and it works. Make sure you have connectivity / correct routing set.
      To create 10 connections to the target host without spoofing the source address you should use the following command:
      ./ddosim -d http://www.your_host.com -p 80 -i eth0 -c 10 -r HTTP_VALID -n -v

      You should receive a final status like this:
      Final results:
      TCP connections: 10 SYN_SENT, 10 ESTABLISHED, 0 RST, 0 FIN_WAIT_1

      Cheers,

  18. please help me to configur and run ddosim on centos 5

    Thank you

    • stormsecurity Says:

      Hi,

      I did not test ddosim on other Linux distributions. If you have the necessary libraries, it should compile and work smoothly.

      Cheers,

  19. I have a network environment that’s pretty much similar to what’s described here above except that the packets ddosim goes thro’ a switch to the server. All I’m seeing is SYNs

    TCP connections: 180300 SYN_SENT, 0 ESTABLISHED, 0 RST, 0 FIN_WAIT_1. 6040

    and wireshark says:

    Acknowledgement Number: Broken TCP. The acknowledgement field is nonzero while the ACK flag is not set.

    Not sure what’s going on.. Has anyone seen this behavior?

  20. One thing I missed noting at ‘February 28, 2012 at 11:29 am':

    I tested with HTTP_VALID, HTTP_INVALID and the plain TCP connection flood (as shown in the example in the article above). They all appear to show the same behavior.
    Any clues appreciated.

  21. (continuation from February 28, 2012 at 11:34 am):
    Upon further investigation, I saw ddosim indeed sends non-zero ACKs when TCP ACK flag is not set. However, the TCP connections complete when the host running ddosim and the victim server are connected directly (as suggested by the author).
    It’s the device standing in between the hosts in my setup, that’s dropping the requests because of invalid ACK number.
    It would be nice to nice to see the problem fixed, if it’s easy.

    • stormsecurity Says:

      Since the TCP connections complete when the host running ddosim and the victim server are connected directly, it means that the network device that is standing between attacker and victim is modifying the packets somehow.
      You can make a simple test – try to establish a single connection using ddosim – and check that all the packets sent from attacker reach the victim and vice versa.

  22. Geeks,

    I am still not able to figure out how to recover from the set back of libnet0-dev on centos. Any help would be greatly appreciated.

    Regards

    • stormsecurity Says:

      As I already said, I did not test ddosim on CentOS. DDosim was built and tested on a Backtrack machine (Debian based) having the package libnet0-dev installed.

  23. Hi ,
    My tool works. Now I have question if I use application DDoS attack could You tell me how often and how many http reguest are send to victim? Can we manage number of request or type of request?
    For example we can setup how many connection TCP we can setup and how many user we can simulate but for example when we do application DDOS then we do not need many connection and many users but many request. Can we setup this parameter?

    best regards,
    Sebastian

    • stormsecurity Says:

      Hi Sebastian,

      I’m glad you made it work :)
      The current version of ddosim does not report the number of requests/second sent to victim server. However, the parameter -w specifies the delay between packets. You can adjust it in order to obtain an efficient packet rate.

      I’m afraid that multiple requests per user are not possible in the current architecture of ddosim. Right now you have a distinct user making a single HTTP request. I’ll think about this for the next release.

      Cheers,
      Adrian

      • Hi Adrian,
        When will You think release new version Your software?
        I am very interesting this tool. Do You know mabe other tool which I can use?

        BR,
        Sebastian

  24. Anupam Gohain Says:

    Sir I have a question regarding the HTTP GET flood creation. Does DDOSIM creates HTTP GET flood or does it create SYN flood since when i simulated DDOSIM in my computer, there was no complete 3-way handshake because i could see only SYN and SYN+ACK but no ACK. Please reply. Thanks in advance.

    • stormsecurity Says:

      DDOSIM can do HTTP GET flood. In order for this to happen, the SYN-ACK packet must reach back the attacker machine. This happens if: (1) option -n is used or (2) the victim machine must be configured such that it send ALL packets to the attacker machine (ex. attacker is victim’s default gateway).

      • Anupam Gohain Says:

        I have used -n option but it shows the ip address of the attacker. I wanted a HTTP GET flood using random ip addresses and to create a complete 3-wau handshake.

  25. stormsecurity Says:

    It works only in a lab environment because you MUST set the default gateway of the victim as described in my post.

    Adrian

  26. yeah I am using it in a lab enviroment, but I want to simulate for example 10 different ips to send request to the same server, but if the server requested to set cookie, the redirecct will be sent to the false ip address or to the address that generated the false ips? hope my question is clear, and thanks for your reply! :)

  27. stormsecurity Says:

    If you configured your network topology and network settings as described in the article, you should receive the redirect packet to the false IP address.
    However, the ddosim does not know how to handle cookies (in this current version.)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: