Cisco dCloud

Radware DDoS v1
Last Updated: 09-NOV-2017

About This Demonstration


This guide for this preconfigured demonstration includes:

• Requirements

• About This Solution

• Topology

• Get Started

• Scenario 1: BDoS Attack

• Scenario 2: SYN Flood Attacks

• Scenario 3: DNS Attacks

• Scenario 4: Low and Slow Attack

• Scenario 5: Multi-Vector Attack

• Appendix A: Cisco Next Generation Firewall Access

Requirements
The table below outlines the requirements for this preconfigured demonstration.

Table 1. Requirements

Required | Optional
Laptop   | Cisco AnyConnect®

© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 22

About This Solution


Radware DDoS v1 is a demonstration of the capabilities of Radware virtual DefensePro (vDP). Here you can launch several of
the most common network- and application-level DDoS attacks in use today and watch vDP detect and mitigate them
automatically. An optional component lets you use FTD to analyze the same attack vectors.

First, you launch a few basic UDP and ICMP flood network attacks along with a targeted SYN flood and view the results on a
sample website; then we show you how to configure Radware's virtual DefensePro to stop these attacks. Next, we step up the
complexity with several Layer 7 attacks (HTTP GET, DNS, low and slow) and again use vDP to monitor and stop them.

Lastly, you will have the ability to launch a real-world multi-vector attack. DDoS attacks are rarely simple. In the real world, DDoS
attacks are usually a combination of 7 to 12 individual attacks in an attempt to bypass your countermeasures. In addition, the
parameters of these attacks can change over time as well. You will have access to 20+ DDoS scripts to launch one at a time, or
open another window to demonstrate the full capabilities of vDP.

In the end, the purpose of this module is to demonstrate how easily vDP blocks those types of attacks: the right tool for the
right job. This leaves FTD to focus on what it does best. After all, a DDoS attack is often part of a multi-vector attack, so while vDP
concentrates on keeping systems available, FTD can focus on the finer intrusion events. FTD + vDP = better together.

dCloud Session

This environment consists of:

• A Radware vDP instance

• Vision management for vDP

• FTDv (Next-Generation Firewall)

• FMCv (Firepower Management Center)

• An attacking machine with DoS scripts

• A legitimate client

• A legitimate server running a web page


Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.

Figure 1. dCloud Topology

Figure 2. Logical Topology


NOTE: This topology has other devices which can be used for other demonstrations. Not all VMs are used in this guide.

Table 2. Lab Devices

System                                      | Protocol | IP Address     | Destination TCP Port
DefensePro Serial Connection                | Telnet   | 198.18.133.31  | 6401
DefensePro SSH Connection                   | SSH      | 198.18.133.30  | 22
DefensePro Attacker Server                  | VNC      | 198.18.133.31  | 8101
Kali Web Attacker                           | VNC      | 198.18.133.31  | 3101
Legitimate PC                               | VNC      | 198.18.133.31  | 8201
Next-Generation Firewall Console Connection | Telnet   | 198.18.133.31  | 8401
Firepower SSH Connection                    | SSH      | 198.18.133.20  | 22
Vision Appliance                            | HTTPS    | 198.18.133.15  | 443
FMC                                         | HTTPS    | 198.18.129.100 | 443


Get Started
BEFORE PRESENTING

Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.

It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.

PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION

Follow the steps to schedule a session of the content and configure your presentation environment.

1. Initiate your dCloud session. [Show Me How]

NOTE: It may take up to 10 minutes for your session to become active.

2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]

• Workstation 1: 198.18.133.36, Username: administrator, Password: C1sco12345

NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.

3. In your browser go to https://198.18.133.15 or click the Absolute Vision bookmark. Log in using username cisco and
password C1sco12345.


4. On the left side of the screen, select Cisco-FP-vDP.

5. Choose the vDP and click on the Lock icon to manage the device.

6. Select Operations. If the option is active, click Import Configuration File to download the most current configuration.

7. Choose the From Server radio button and select CiscoLab_vDP.txt.

8. Click Update (and reset the vDP). If the option is grayed out, move to the next step.

NOTE: This can take up to 5 minutes as vDP reboots.


9. Validate the configuration by clicking on Configuration > Network Protection > Network Protection Policies and make
sure no Protection Profiles are attached.


Scenario 1. BDoS Attack


In this demo you will launch two BDoS attacks: a TCP RST flood and a UDP flood to port 80. Although stateful devices can
mitigate these floods, the goal of a flood like this is to overwhelm a system with sheer packets per second.

Steps

TCP Flood

1. On the desktop, open TightVNC Viewer. VNC to your Kali machine at 198.18.133.31:8101. Log in with the user ID admin and
password C1sco12345.

2. Select the Terminal icon in the top left and enter cd wgames at the prompt.


3. Enter sudo ./start.sh and enter the root password of C1sco12345. Select item 21 (TCP-RST Attack) by entering 21 and
Enter.

4. Using PuTTY on the workstation, Telnet to the vDP console at 198.18.133.31, port 6401.

5. At the prompt, enter:

system inf-stats reset

NOTE: If you receive a login-required message, enter the command login, then enter username admin and password
C1sco12345.

6. Then enter:

system inf-stats

You should see a large amount of traffic coming in on port 1 (the outside port) and messages that packets using TCP port 0 as
source or destination port are automatically blocked by vDP.

7. On the attack machine, stop the attack using Ctrl+C.


Defense Pro

1. In Vision, enable the BDOS Protection Profile in your session by selecting Configuration > Network Protection > Network
Protection Policies.

2. Double click on vDP-Policy policy and select Profiles and Action.

3. In the BDoS Profile select Lab-BDOS and click Submit.

4. Click Update Policies to activate the configuration changes. Start the attack again on the attacker machine.

5. On the console, you will see the BDOS drop the attack.

6. In Vision, Select Security Monitoring > Current Attack Table and you will see the attack displayed.


7. Double-click on the attack and see more details.

8. Stop the attack on the attack machine using Ctrl+C.


UDP Flood

1. Disable the current policy by selecting Configuration > Network Protection > Network Protection Policies. Double click on
your policy.

2. Uncheck the Enabled box and click Submit.

3. Click Update Policies.

4. From the attack machine, in the terminal run ./start.sh. Choose option 26, wg_UDP_flood_p80.sh.

5. Check the statistics on the vDP using system inf-stats (use system inf-stats reset to reset them first).

Defense Pro

1. Go back to the policy and turn it back on by selecting Configuration > Network Protection > Network Protection Policies.
Double click on your policy.

2. Check the Enabled box and click Submit.

3. Click Update Policies.


4. The vDP will now mitigate the attack and you can browse to the demonstration machine at http://27.1.1.100 from the legitimate
machine.

5. On the attack machine, stop the attack using Ctrl+C.

6. Before we continue to the next scenario, we remove the BDoS protection. Go to your policy and remove the BDoS profile by
selecting Configuration > Network Protection > Network Protection Policies. Double click on your policy.

7. Select Profiles and Action.

8. In BDoS Profile, click in the dropdown and select the blank profile.

9. Click Submit and Update Policies.


Scenario 2. SYN Flood Attacks


In this scenario, you will generate two attacks. The first is a simple SYN flood to port 80; it is meant to overwhelm a firewall's
state table with a massive number of SYN packets and can be mitigated by both the BDoS engine and the SYN Flood protection.

The second attack is an HTTP GET flood. This attack passes the firewall as legitimate TCP traffic and overwhelms the server.
Use the SYN Flood protection to mitigate it.

Steps

SYN Flood

1. On the desktop, open TightVNC Viewer. VNC to your Kali machine at 198.18.133.31:8101. Log in with the user ID admin and
password C1sco12345.

2. Select the Terminal icon in the top left and enter cd wgames at the prompt.


3. From the terminal, start a basic SYN attack by entering sudo ./start.sh and choosing option 22, wg_TCP-Syn.sh.

4. Notice the attack in the system inf-stats table.

Enable BDoS Protection

1. Select Configuration > Network Protection > Network Protection Policies, double click on the policy and re-enable the
BDoS profile. Press Update Policies to activate the changes.

2. Check the dp rtm-stats table and notice the packets that have come in and are getting discarded.

3. Turn off BDOS Protection from the Policy by selecting Configuration > Network Protection > Network Protection Policies.
Double click on your policy.

4. Select Profiles and Action.

5. In the BDoS Profile, click in the dropdown and select the blank profile.

6. Click Submit and Update Policies.

7. Keep the attack running.


Enable SYN Protection Profile

1. Select Configuration > Network Protection > Network Protection Policies and double click on your policy.

2. Select Profiles and Action.

3. In the SYN Flood Profile option, choose Lab-SYN-nocookie.

4. Click Submit and Update Policies.

5. The vDP will mitigate, but this time the attack will be labeled:
DefensePro#19-04-2017 23:56:27 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.31.100 80 0 Regular "Cisco-VDP" ongoing 728268 341375 N/A 0 N/A medium challenge FFFFFFFF-FFFF-FFFF-0023-000058F7DC9D

6. Check the system inf-stats.

7. The packets are sent back out the same interface they arrived on: the vDP is answering the detected SYN flood with a SYN
challenge instead of dropping the packets as BDoS does.

8. Stop the attack on the attack machine using Ctrl+C.
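The SYN challenge in step 7 is the idea behind stateless SYN protection: the device answers each SYN with a SYN-ACK whose sequence number is a keyed function of the connection, stores nothing, and only commits state when an ACK comes back that proves the client actually received that SYN-ACK. The Python below is an added example written for this guide, not Radware's implementation; the cookie layout (an 8-bit time counter plus a 24-bit truncated HMAC, mixed with the client's ISN), the fixed example key and the constructed segment list are assumptions made for illustration.

```python
import hmac
import hashlib

# Constructed key for this example only; a real device rotates its secret.
SECRET = b"constructed-example-key-not-for-production"

MASK32 = 0xFFFFFFFF


def _mac24(key, src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit truncated HMAC over the 4-tuple and the full time counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter, key=SECRET):
    """ISN for our SYN-ACK (assumed layout): top 8 bits = time counter so old
    cookies expire, low 24 bits = MAC; XOR with the client's ISN binds the
    cookie to the SYN that triggered it. Nothing is stored."""
    cookie = ((counter & 0xFF) << 24) | _mac24(key, src_ip, src_port, dst_ip, dst_port, counter)
    return (cookie ^ client_isn) & MASK32


def check_ack(src_ip, src_port, dst_ip, dst_port, seq, ack, now_counter, key=SECRET):
    """Validate the final ACK of the handshake with no stored state.
    The ACK carries seq = client_isn + 1 and ack = our_isn + 1, which is all we
    need to rebuild and verify the cookie. The current counter and the previous
    one are accepted so a cookie issued just before a tick still validates."""
    client_isn = (seq - 1) & MASK32
    server_isn = (ack - 1) & MASK32
    cookie = server_isn ^ client_isn
    counter_low = cookie >> 24
    mac = cookie & 0xFFFFFF
    for candidate in (now_counter, now_counter - 1):
        if candidate & 0xFF == counter_low:
            return _mac24(key, src_ip, src_port, dst_ip, dst_port, candidate) == mac
    return False


def legitimate_handshake(src_ip, src_port, dst_ip, dst_port, client_isn, counter, key=SECRET):
    """What a real client does: receive our SYN-ACK and echo it back.
    Returns (seq, ack) of the client's final ACK."""
    server_isn = make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, counter, key)
    return (client_isn + 1) & MASK32, (server_isn + 1) & MASK32


def protect(segments, now_counter, dst_ip="27.1.1.100", dst_port=80, key=SECRET):
    """Process constructed segments statelessly. Returns (established, syns_answered).
    Spoofed SYNs cost one SYN-ACK each but create no entry; only a verified ACK
    creates state, which is why the flood does not fill a state table."""
    established = []
    syns_answered = 0
    for s in segments:
        if s["flag"] == "SYN":
            make_cookie(s["src_ip"], s["src_port"], dst_ip, dst_port, s["seq"], now_counter, key)
            syns_answered += 1
        elif s["flag"] == "ACK" and check_ack(
            s["src_ip"], s["src_port"], dst_ip, dst_port, s["seq"], s["ack"], now_counter, key
        ):
            established.append((s["src_ip"], s["src_port"]))
    return established, syns_answered


def constructed_traffic(now_counter):
    """Five spoofed SYNs that never complete, one real client, one bogus ACK
    (source addresses are constructed documentation ranges)."""
    segments = [{"flag": "SYN", "src_ip": f"203.0.113.{i}", "src_port": 1000 + i, "seq": 7 * i}
                for i in range(1, 6)]
    seq, ack = legitimate_handshake("198.51.100.7", 40000, "27.1.1.100", 80, 123456, now_counter)
    segments.append({"flag": "SYN", "src_ip": "198.51.100.7", "src_port": 40000, "seq": 123456})
    segments.append({"flag": "ACK", "src_ip": "198.51.100.7", "src_port": 40000, "seq": seq, "ack": ack})
    segments.append({"flag": "ACK", "src_ip": "203.0.113.9", "src_port": 5555, "seq": 1, "ack": 2})
    return segments


if __name__ == "__main__":
    print(protect(constructed_traffic(100), 100))
```

Running it shows six SYNs answered and a single established connection, the real client's. This is also why the HTTP GET flood later in the scenario passes a plain SYN challenge: a tool with a real TCP stack completes the handshake like any client, so the cookie-based Lab-SYN-cookie profile has to challenge at the HTTP layer as well.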

HTTP Get Flood

1. On the attack machine, start a new attack by entering sudo ./start.sh and choosing option 11 wg_HTTPGetFlood.sh.

2. This will start an HTTP Get flood.

NOTE: The HTTP GET flood passes the SYN challenge of the basic SYN protection without difficulty and is not detected by the
firewall or the vDP.

Defense Pro

1. To mitigate, select Configuration > Network Protection > Network Protection Policies and double click on your policy.

2. Select Profiles and Action.

3. In the SYN Flood Profile option choose Lab-SYN-cookie.

4. Click Submit and Update Policies.


5. On the Attack machine, you will notice the speed drop significantly once the protection is active. You will also notice the SYN
flood protection in the Security Monitoring.

6. If you cannot see the vDP detecting the attack, change the SYN flood profile to use the HTTP_Low protection instead of
the standard HTTP protection, or change the standard HTTP protection to a lower activation threshold.

7. Stop the attack on the attack machine using Ctrl+C.
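Step 5 of the SYN Flood section shows what a DefensePro attack log line looks like. When these lines are forwarded to a SIEM it helps to have them split into fields so that, for example, targets that are only being challenged rather than dropped can be listed. The following Python is an added example, not Radware's code: it parses the line from the guide plus one constructed line in the same layout. Field names marked "assumed" are this example's labels taken from the field order; the guide does not document the format, so fields whose meaning is not evident are kept verbatim in an `unlabelled` tuple.

```python
import shlex
from collections import defaultdict
from dataclasses import dataclass

# The line shown in step 5 of the SYN Flood section (wrapped in the guide, one line here).
SAMPLE_LINE = (
    'DefensePro#19-04-2017 23:56:27 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 '
    '27.1.31.100 80 0 Regular "Cisco-VDP" ongoing 728268 341375 N/A 0 N/A medium challenge '
    'FFFFFFFF-FFFF-FFFF-0023-000058F7DC9D'
)

# A second, constructed line in the same layout (not from the guide) so grouping has work to do.
CONSTRUCTED_LINE = (
    'DefensePro#19-04-2017 23:58:02 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 '
    '27.1.31.100 443 0 Regular "Cisco-VDP" ongoing 1000 500 N/A 0 N/A medium challenge '
    'EXAMPLE-ID-0000-0000-000000000001'
)


@dataclass
class AttackEvent:
    device: str
    timestamp: str
    severity: str
    category: str        # "SynFlood"
    attack_name: str     # "SYN Flood HTTP"
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    policy: str          # assumed: the quoted name "Cisco-VDP"
    status: str          # "ongoing"
    risk: str            # assumed: the "medium" field
    action: str          # "challenge" here; the guide contrasts it with BDoS dropping
    attack_id: str       # trailing identifier
    unlabelled: tuple    # fields whose meaning the guide does not state, kept verbatim


def parse_attack_line(line: str) -> AttackEvent:
    """Tokenise with shell-style quoting so "SYN Flood HTTP" stays one field."""
    tok = shlex.split(line)
    if len(tok) != 23:
        raise ValueError(f"unexpected field count {len(tok)}: {line!r}")
    device, date = tok[0].split("#", 1)
    return AttackEvent(
        device=device,
        timestamp=f"{date} {tok[1]}",
        severity=tok[2],
        category=tok[4],
        attack_name=tok[5],
        protocol=tok[6],
        src_ip=tok[7],
        src_port=int(tok[8]),
        dst_ip=tok[9],
        dst_port=int(tok[10]),
        policy=tok[13],
        status=tok[14],
        risk=tok[20],
        action=tok[21],
        attack_id=tok[22],
        unlabelled=(tok[3], tok[11], tok[12], tok[15], tok[16], tok[17], tok[18], tok[19]),
    )


def targets_by_action(lines):
    """Group ongoing events by (dst_ip, dst_port) and record the action taken on
    each, so it is visible which targets are only being challenged, not dropped."""
    out = defaultdict(list)
    for line in lines:
        ev = parse_attack_line(line)
        if ev.status == "ongoing":
            out[(ev.dst_ip, ev.dst_port)].append(ev.action)
    return dict(out)


if __name__ == "__main__":
    for target, actions in targets_by_action([SAMPLE_LINE, CONSTRUCTED_LINE]).items():
        print(target, actions)
```

`shlex.split` is used rather than `str.split` precisely because the attack name and policy name are quoted and contain spaces or hyphens; a naive split would shift every later field by one.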


Scenario 3. DNS Attack

Steps

Mitigating an Attack

The DNS attack can also be mitigated in two ways. BDoS can block a DNS flood targeting a network with no DNS servers;
however, if the flood targets a DNS server, BDoS will create a signature that also blocks legitimate DNS requests.

1. From the Attack machine, start a DNS Query flood by entering sudo ./start.sh and choosing option 7.

2. Run the system inf-stats reset command.

3. Once the attack has started, check the system inf-stats table on the vDP console.

Defense Pro

1. Select Configuration > Network Protection > Network Protection Policies.

2. Double click on your policy and click Action.

3. Choose DNS Profile and in the drop down select Lab-DNS.

4. Click Submit and Update Policies.

5. If the DNS attack is not being detected, the problem may be that the attack tool is not generating enough queries per second.

6. Go to Configuration > Network Protection > DNS Protection Profiles and double-click on the existing profile.

a. Select the Manual Triggers tab and change the thresholds to lower values, for example:

b. Activation threshold = 40 QPS, Termination threshold = 10 QPS, and Max QPS = 50.

c. Click Submit and Update Policies.


7. You will notice quickly the attack is now mitigated in the Security Monitoring window.

8. Once done stop the attack using Ctrl+C.
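Steps 5 and 6 above make a point worth seeing in numbers: a manual-trigger profile only fires when the per-second query rate reaches the activation threshold, keeps mitigating until the rate falls below the termination threshold, and a lab tool that never reaches the activation value is simply not detected. The Python below is an added example, not Radware's algorithm: the two-threshold state machine is a simplification, the query timestamps are constructed, and treating Max QPS as a forwarding cap while mitigation is active is this example's assumption, since the guide does not define that field.

```python
from collections import Counter


def qps_from_timestamps(query_times, seconds):
    """Bucket raw query arrival times (seconds, float) into per-second counts."""
    buckets = Counter(int(t) for t in query_times)
    return [buckets.get(s, 0) for s in range(seconds)]


def run_dns_protection(qps, activation=40, termination=10, max_qps=50):
    """Simplified model of a manual-trigger DNS profile (assumption, not Radware's code):
      idle       -> mitigating  when a second's QPS reaches the activation threshold
      mitigating -> idle        when a second's QPS falls below the termination threshold
    While mitigating, at most max_qps queries per second are forwarded and the
    rest are dropped. Returns one record per second."""
    state = "idle"
    records = []
    for sec, q in enumerate(qps):
        if state == "idle" and q >= activation:
            state = "mitigating"
        elif state == "mitigating" and q < termination:
            state = "idle"
        forwarded = min(q, max_qps) if state == "mitigating" else q
        records.append({"sec": sec, "qps": q, "state": state,
                        "forwarded": forwarded, "dropped": q - forwarded})
    return records


def mitigation_summary(records):
    """(first mitigating second, last mitigating second, total dropped); (None, None, 0) if never triggered."""
    active = [r["sec"] for r in records if r["state"] == "mitigating"]
    dropped = sum(r["dropped"] for r in records)
    if not active:
        return None, None, dropped
    return active[0], active[-1], dropped


def constructed_query_times():
    """A lab-sized flood: quiet, a burst peaking around 60 QPS, then a tail.
    Per-second counts come out as [5, 8, 45, 60, 55, 30, 12, 9, 4]."""
    counts = [5, 8, 45, 60, 55, 30, 12, 9, 4]
    times = []
    for sec, n in enumerate(counts):
        times.extend(sec + i / n for i in range(n))
    return times


if __name__ == "__main__":
    qps = qps_from_timestamps(constructed_query_times(), 9)
    print("lab thresholds (40/10/50):", mitigation_summary(run_dns_protection(qps)))
    print("higher thresholds (200/50):", mitigation_summary(run_dns_protection(qps, activation=200, termination=50)))
```

With the lab values the profile activates in the third second and stays active through the tail until the rate drops under 10 QPS; with activation set to 200 it never fires, which is the "not enough queries per second" case step 5 describes. The gap between activation and termination is deliberate: it stops the protection flapping on and off when the rate hovers around one threshold.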


Scenario 4. Low and Slow Attack

Steps

Starting an Attack

A Low and Slow attack is similar to an HTTP GET flood, except that it starts slowly: it opens a few connections first and then
builds up more, each holding an incomplete GET request.

1. From the attack machine, start the low and slow attack by entering ./start.sh and choosing option 19, wg_slowloris.sh.

2. Once the attack has started, check the system inf-stats table on the vDP console.

3. Connect to the legitimate client using VNC. The server at http://27.1.1.100 either stops responding or significantly slows down
after a short while because of the attack.

Defense Pro

1. Select Configuration > Network Protection > Network Protection Policies.

2. Double click on your policy and click Action.

3. Choose Signature Protection Profile and in the drop down select DOS-All.

4. Click Submit and Update Policies.

5. You will notice quickly the attack is now mitigated in the Security Monitoring window.

6. Check the legitimate client. The server should start to respond again.

7. Once done stop the attack on the attacker machine using Ctrl+C.

NOTE: In addition to the DOS-All signature, this attack can also be mitigated with a SYN protection: if you choose the
Lab-SYN-cookie option, the tool will not be able to pass the HTTP challenge.
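The reason a low-and-slow attack slips past packet-rate defences is that it generates almost no traffic; what it consumes is connection slots, held open by requests whose headers never finish. The Python below is an added example, not Radware's or the server's code: it models a server's connection table (constructed entries, documentation IP ranges) and contrasts an idle timeout, which the trickle of header bytes defeats, with a timeout measured from when the connection opened, which is how request-read timeouts on web servers and proxies counter this class of attack. That second check is this example's assumption about a sensible mitigation, not something the guide configures.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class Conn:
    client: str
    opened_at: float        # when the TCP connection was accepted
    last_byte_at: float     # when the server last received data on it
    headers_complete: bool  # whether the blank line ending the request headers has arrived


def idle_timeout_stale(conns, now, idle_timeout=20.0):
    """Naive check: connections silent for idle_timeout seconds.
    A low-and-slow tool defeats this by sending a header fragment every few seconds."""
    return [c for c in conns if now - c.last_byte_at > idle_timeout]


def header_timeout_stale(conns, now, header_timeout=20.0):
    """Better check: time since the connection opened, not since the last byte.
    A request whose headers are still incomplete after header_timeout seconds is
    a half-open HTTP request no matter what it has been trickling."""
    return [c for c in conns if not c.headers_complete and now - c.opened_at > header_timeout]


def suspicious_sources(conns, now, header_timeout=20.0, min_conns=5):
    """Sources holding at least min_conns incomplete requests past the timeout."""
    per_src = Counter(c.client for c in header_timeout_stale(conns, now, header_timeout))
    return {src: n for src, n in per_src.items() if n >= min_conns}


def enforce_header_timeout(conns, now, header_timeout=20.0):
    """Mitigation: close the half-open requests, keep everything else.
    Returns (kept_connections, number_closed)."""
    stale = {id(c) for c in header_timeout_stale(conns, now, header_timeout)}
    kept = [c for c in conns if id(c) not in stale]
    return kept, len(conns) - len(kept)


def constructed_connection_table(now):
    """Constructed state table: one source (192.0.2.10) holding 30 slow connections
    that each sent a byte five seconds ago, three fast legitimate clients, and one
    slow but still-in-time legitimate client."""
    conns = [Conn("192.0.2.10", opened_at=i * 0.5, last_byte_at=now - 5.0, headers_complete=False)
             for i in range(30)]
    conns += [Conn(f"198.51.100.{i}", opened_at=now - 2.0, last_byte_at=now - 1.9, headers_complete=True)
              for i in range(1, 4)]
    conns.append(Conn("198.51.100.9", opened_at=now - 10.0, last_byte_at=now - 1.0, headers_complete=False))
    return conns


if __name__ == "__main__":
    now = 60.0
    table = constructed_connection_table(now)
    print("idle-timeout view  :", len(idle_timeout_stale(table, now)), "stale")
    print("header-timeout view:", suspicious_sources(table, now))
    print("after enforcement  :", enforce_header_timeout(table, now)[1], "closed")
```

The idle-timeout view reports nothing stale, because every slow connection sent a byte five seconds ago; the header-timeout view attributes all 30 half-open requests to one source and closes them while keeping the four legitimate connections, including the slow one that is still inside its window.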


Scenario 5. Multi-Vector Attack


In this section, you become the hacker. Here is a list of the scripts on the Kali box and their description. Try running a few more
scripts with all of the existing vDP policies enabled. Try running a couple of the scripts at the same time in separate cmd windows
and monitor the results in Vision.

Script name | Attack/Attack tool | Description

wg_apache_Killer.sh | Apache Killer | https://security.radware.com/ddos-knowledge-center/ddospedia/apache-killer/

wg_botnet.sh | BoNeSi | The DDoS Botnet Simulator, https://github.com/Markus-Go/bonesi

wg_dnsflood_STAS.py | DNS Flood | Sends random packets to a DNS server

wg_dns_flood.py | DNS Query Flood | Sends DNS requests for www.radware.com to the server

wg_dns_garbage_flood.sh | DNS Garbage Flood | Sends garbage (an HTML page) to a DNS server on port 53

wg_dns_query_flood.py | DNS Flood | Same as wg_dns_flood.py (redundant; should be removed)

wg_dns_recursive_flood.py | DNS Recursive Flood | Sends recursive DNS requests to a server

wg_HTTP_bruteforce.sh | HTTP Flood / Siege | Sends an HTTP flood to a page that requires authentication (/accounts.aspx)

wg_HTTP_GetFlood.sh | HTTP Flood | Sends a large number of HTTP GET requests to the start page of the server

wg_HTTP_GetFlood_pass302.sh | HTTP Flood | Similar to GetFlood.sh, but with the added ability to overcome the HTTP 302 challenge

wg_HTTP_largePDF.sh | HTTP Flood | Sends a large number of HTTP requests for a large file on the server to use all upstream bandwidth, so that legitimate clients get slow responses from the server

wg_HTTP_PostFlood.sh | HTTP Flood | Sends a large number of HTTP POST requests to the start page of the server

wg_HTTP_Search.sh | HTTP Flood | Sends a large number of HTTP GET requests to the search page of the server to create high CPU utilization

wg_LOIC.sh | LOIC | Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technologies as an open-source network stress testing tool. It allowed developers to subject their servers to heavy network traffic loads for diagnostic purposes, but it has since been modified in the public domain through various updates and been widely used by Anonymous as a DDoS tool. https://security.radware.com/ddos-knowledge-center/ddospedia/loic-low-orbit-ion-cannon/

wg_NTP_reflective_flood.sh | NTP reflective flood | https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/ntp-reflected-flood/

wg_pyloris.sh | Pyloris | Pyloris is a slow HTTP DoS tool. https://security.radware.com/ddos-knowledge-center/ddospedia/pyloris/

wg_rudy.sh | R.U.D.Y | R.U.D.Y. Attack (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool. https://security.radware.com/ddos-knowledge-center/ddospedia/rudy-r-u-dead-yet/

wg_slowloris.sh | Slow Loris | Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker "RSnake" that causes DoS by using a very slow HTTP request. https://security.radware.com/ddos-knowledge-center/ddospedia/slowloris/

wg_TCP-Ack_flood.sh | TCP Flood | Floods the server with out-of-state TCP ACK packets

wg_TCP-Push_Ack.sh | TCP Flood | Floods the server with out-of-state TCP PUSH-ACK packets

wg_TCP-RST.sh | TCP Flood | Floods the server with out-of-state TCP RST packets

wg_TCP-Syn.sh | TCP Flood | Floods the server with TCP SYN packets initiating new sessions

wg_thc-ssl-dos.sh | THC-SSL-DOS | THC-SSL-DOS was developed by a hacking group called The Hacker's Choice (THC) as a proof of concept to encourage vendors to patch a serious SSL vulnerability. https://security.radware.com/ddos-knowledge-center/ddospedia/thc-ssl-dos/

wg_torshammer.sh | TORSHAMMER | Torshammer is a slow-rate HTTP POST (Layer 7) DoS tool created by phiral.net. https://security.radware.com/ddos-knowledge-center/ddospedia/tors-hammer/

wg_UDP_Flood_DNS.sh | DNS Flood | Floods the server with random DNS packets

wg_UDP_flood_p80.sh | UDP Flood | Floods the server with random packets on port 80, assuming port 80 is open due to a misconfiguration on the firewall. This puts load on the IP stack of the server.

wg_UDP_flood_p81.sh | UDP Flood | Floods the server on port 81 with UDP packets


Appendix A. Cisco Next Generation Firewall Access


Cisco Next-Generation Firewall is placed into this environment for your extra use and is not required to showcase Radware. It is
currently in routed inline mode, but all policies are set to alert only. Some special configurations have been enabled to show some
of the attacks when they occur, but not all will be seen. You are given full access to showcase the Cisco Firepower solution
working with Radware however you wish.

1. To open the Firepower Management Console, open the Google Chrome browser from wkst1 and use the FMC shortcut in
the toolbar. The Firepower login credentials are username dcloud and password C1sco12345.

NOTE: If a health warning reports that there is no traffic on the FTD interface, this is normal, as traffic is only generated by
attacks started manually. Any such warning will clear once you begin the attack scenarios. You may also receive licensing alerts
about more hosts seen than licensed. This is expected, given the mass of DDoS attack hosts that may reach the NGFW if the
Radware solution is not set to block them.

In the real world, you could simply black hole the Kali box and be done. However, the real world is not that simple. A DDoS attack
could come from a botnet of thousands or millions of devices, or from an IP address you simply cannot turn off, such as AWS
running your apps or, if you are a university, the student dorms. Radware vDP is designed to detect and mitigate these types of
attacks automatically. Cisco FTD + vDP = better together.
