Radware DDoS v1
Last Updated: 09-NOV-2017
• Requirements
• Topology
• Get Started
Requirements
The table below outlines the requirements for this preconfigured demonstration.
Table 1. Requirements
Required Optional
© 2017 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 22
Cisco dCloud
You start by launching a few basic network-layer attacks (UDP and ICMP floods along with a targeted SYN flood) and viewing the
results on a sample website; we then show you how to configure Radware's virtual DefensePro (vDP) to stop these attacks. Next,
we step up the complexity with several Layer 7 attacks (HTTP GET, DNS, and low-and-slow) and again use vDP to monitor and
stop them.
Lastly, you will have the ability to launch a real-world multi-vector attack. DDoS attacks are rarely simple. In the real world, DDoS
attacks are usually a combination of 7 to 12 individual attacks in an attempt to bypass your countermeasures. In addition, the
parameters of these attacks can change over time as well. You will have access to 20+ DDoS scripts to launch one at a time, or
open another window to demonstrate the full capabilities of vDP.
In the end, the purpose of this module is to demonstrate how easily vDP blocks these types of attacks – the right tool for the
right job. This leaves FTD free to focus on what it does best. After all, a DDoS attack is often part of a multi-vector attack, so while
vDP concentrates on keeping systems available, FTD can focus on the finer intrusion events. FTD + vDP = better together.
dCloud Session
• A Legitimate client
Topology
This content includes preconfigured users and components to illustrate the scripted scenarios and features of the solution. Most
components are fully configurable with predefined administrative user accounts. You can see the IP address and user account
credentials to use to access a component by clicking the component icon in the Topology menu of your active session and in the
scenario steps that require their use.
NOTE: This topology has other devices which can be used for other demonstrations. Not all VMs are used in this guide.
Get Started
BEFORE PRESENTING
Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of
a live audience. This will allow you to become familiar with the structure of the document and content.
It may be necessary to schedule a new session after following this guide in order to reset the environment to its original
configuration.
Follow the steps to schedule a session of the content and configure your presentation environment.
2. For best performance, connect to the workstation with Cisco AnyConnect VPN [Show Me How] and the local RDP client on
your laptop [Show Me How]
NOTE: You can also connect to the workstation using the Cisco dCloud Remote Desktop client [Show Me How]. The dCloud
Remote Desktop client works best for accessing an active session with minimal interaction. However, many users experience
connection and performance issues with this method.
3. In your browser go to https://198.18.133.15 or click the Absolute Vision bookmark. Log in using username cisco and
password C1sco12345.
5. Choose the vDP and click on the Lock icon to manage the device.
6. Select Operations. If the option is active, click Import Configuration File to download the most current configuration.
8. Click Update (and reset the vDP). If the option is grayed out, move to the next step.
9. Validate the configuration by clicking on Configuration > Network Protection > Network Protection Policies and make
sure no Protection Profiles are attached.
Steps
TCP Flood
1. On the desktop, open TightVNC Viewer. VNC to your Kali Machine at 198.18.133.31:8101. Log in with the userid admin and
password C1sco12345.
2. Select the Terminal icon in the top left and enter cd wgames at the prompt.
3. Enter sudo ./start.sh and enter the root password of C1sco12345. Select item 21 (TCP-RST Attack) by entering 21 and
Enter.
4. Using PuTTY on the workstation, Telnet to the console of the vDP at 198.18.133.31, port 6401.
NOTE: If you receive a log in required message, enter the command login, and enter username admin and password
C1sco12345.
6. Then enter
system inf-stats
You should see a large amount of traffic coming in on port 1 (the outside port) and messages that packets using TCP port 0 as
source or destination port are automatically blocked by the vDP.
Defense Pro
1. In Vision, enable the BDOS Protection Profile in your session by selecting Configuration > Network Protection > Network
Protection Policies.
4. Click Update Policies to activate the configuration changes. Start the attack again on the attacker machine.
5. On the console, you will see the BDOS drop the attack.
6. In Vision, Select Security Monitoring > Current Attack Table and you will see the attack displayed.
UDP Flood
1. Disable the current policy by selecting Configuration > Network Protection > Network Protection Policies. Double click on
your policy.
4. From the attack machine, in the terminal run ./start.sh. Choose option 26 wg_UDP_flood_p80.sh.
5. Check the statistics on the vDP using system inf-stats (use system inf-stats reset to reset them first).
Defense Pro
1. Go back to the policy and turn it back on by selecting Configuration > Network Protection > Network Protection Policies.
Double click on your policy.
4. The vDP will now mitigate the attack and you can browse to the demonstration machine at http://27.1.1.100 from the legitimate
machine.
6. Before we continue to the next scenario, we remove the BDoS protection. Go to your policy and remove the BDoS profile by
selecting Configuration > Network Protection > Network Protection Policies. Double click on your policy.
8. In BDoS Profile, click in the dropdown and select the blank profile.
The second attack is an HTTP GET flood. This attack bypasses the firewall as legitimate TCP traffic and overwhelms the server.
Use the SYN Flood protection to mitigate the attack.
Steps
SYN Flood
1. On the desktop, open TightVNC Viewer. VNC to your Kali Machine at 198.18.133.31:8101. Log in with the userid admin and
password C1sco12345.
10. Select the Terminal icon in the top left and enter cd wgames at the prompt.
11. From the terminal start a basic SYN attack by entering sudo ./start.sh and choosing option 22 wg_TCP-Syn.sh.
1. Select Configuration > Network Protection > Network Protection Policies, double click on the policy and re-enable the
BDoS profile. Press Update Policies to activate the changes.
2. Check the dp rtm-stats table and notice the packets that have come in and are getting discarded.
3. Turn off BDOS Protection from the Policy by selecting Configuration > Network Protection > Network Protection Policies.
Double click on your policy.
5. In the BDoS Profile, click in the dropdown and select the blank profile.
1. Select Configuration > Network Protection > Network Protection Policies and double click on your policy.
5. The vDP will mitigate but this time the attack will be labeled:
DefensePro#19-04-2017 23:56:27 WARNING 200000 SynFlood "SYN Flood HTTP" TCP 0.0.0.0 0 27.1.31.100 80 0 Regular "Cisco-VDP" ongoing 728268 341375 N/A 0 N/A medium challenge FFFFFFFF-FFFF-FFFF-0023-000058F7DC9D
7. The packets are bounced back out the same interface they came in on: instead of dropping the packets as BDoS does, the vDP
answers the detected SYN flood with a SYN challenge.
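The console line above is the record a monitoring pipeline would consume. The following Python is an added example written for this guide, not Radware code: it tokenizes such a line and maps the positions to named fields so that ongoing events and the action taken (challenge versus drop, which is how the text distinguishes SYN protection from BDoS) can be filtered programmatically. The field positions are inferred from the single sample line in the guide and are an assumption, not Radware's documented format; the second, "terminated" line is constructed for the example.

```python
"""Parse the DefensePro attack-table line shown in this guide (added example, not Radware code).

Field positions are inferred from the one sample line in the guide; they are an assumption,
not Radware's documented syslog format.
"""
import shlex
from dataclasses import dataclass

# Sample line copied from the guide (the "SYN Flood HTTP" event the vDP prints on its console).
SAMPLE_LINE = (
    'DefensePro#19-04-2017 23:56:27 WARNING 200000 SynFlood "SYN Flood HTTP" TCP '
    '0.0.0.0 0 27.1.31.100 80 0 Regular "Cisco-VDP" ongoing 728268 341375 N/A 0 N/A '
    'medium challenge FFFFFFFF-FFFF-FFFF-0023-000058F7DC9D'
)
# Constructed variant for the example only: the same attack after it ended and was dropped.
CONSTRUCTED_LINE = SAMPLE_LINE.replace("ongoing", "terminated").replace("challenge", "drop")


@dataclass
class AttackEvent:
    date: str
    time: str
    severity: str
    category: str      # e.g. SynFlood
    name: str          # e.g. "SYN Flood HTTP"
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    policy: str        # e.g. Cisco-VDP (assumed to be the policy name)
    status: str        # ongoing / terminated
    risk: str          # e.g. medium
    action: str        # "challenge" (SYN protection) vs "drop" (BDoS)
    attack_id: str


def parse_event(line: str) -> AttackEvent:
    """Tokenize one console line, honouring the quoted fields, and map positions to names."""
    body = line.split("#", 1)[1] if line.startswith("DefensePro#") else line
    tok = shlex.split(body)
    if len(tok) < 23:
        raise ValueError(f"unexpected field count {len(tok)}: {line!r}")
    # Positions below are an assumption inferred from the sample line.
    return AttackEvent(
        date=tok[0], time=tok[1], severity=tok[2], category=tok[4], name=tok[5],
        protocol=tok[6], src_ip=tok[7], src_port=int(tok[8]), dst_ip=tok[9],
        dst_port=int(tok[10]), policy=tok[13], status=tok[14],
        risk=tok[20], action=tok[21], attack_id=tok[22],
    )


def ongoing_attacks(lines):
    """Keep only the events still in progress, e.g. for a live dashboard or an alert."""
    return [ev for ev in map(parse_event, lines) if ev.status == "ongoing"]


def challenged_targets(lines):
    """Destination ip:port pairs being answered with a SYN challenge rather than dropped."""
    return sorted({f"{ev.dst_ip}:{ev.dst_port}"
                   for ev in map(parse_event, lines) if ev.action == "challenge"})


if __name__ == "__main__":
    for ev in ongoing_attacks([SAMPLE_LINE, CONSTRUCTED_LINE]):
        print(f"{ev.time} {ev.name} -> {ev.dst_ip}:{ev.dst_port} action={ev.action} risk={ev.risk}")
```

shlex.split is used rather than str.split so that the quoted attack and policy names ("SYN Flood HTTP", "Cisco-VDP") stay single fields.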
1. On the attack machine, start a new attack by entering sudo ./start.sh and choosing option 11 wg_HTTPGetFlood.sh.
NOTE: With only basic SYN protection in place, the HTTP GET flood passes the SYN challenge without difficulty and is not detected
by either the firewall or the vDP.
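The SYN challenge described in the steps above works because the device answers every SYN without keeping state: the reply carries a cookie that only a source which really receives the SYN-ACK can echo back. The Python below is an added example written for this guide, not Radware's or Cisco's implementation, showing one stateless SYN-cookie scheme (8-bit time-slice counter followed by a 24-bit HMAC over the connection 4-tuple). The layout, the 64-second slice and the secret key are assumptions made for the example; a spoofed-source flood never completes the third packet, so no connection is created, while a legitimate client completes the handshake normally.

```python
"""Stateless SYN cookie: a minimal model of a SYN challenge (added example for this guide).

Illustrative code, not Radware's or Cisco's implementation. The 24-bit MAC layout, the
64-second time slice and the constructed secret are assumptions.
"""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed for the example; a real device uses a random key
SLICE_SECONDS = 64                    # cookies stay valid for the current and the previous slice


def _mac24(src_ip, src_port, dst_ip, dst_port, counter):
    """24-bit HMAC over the connection 4-tuple and the time-slice counter."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}@{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, now):
    """Initial sequence number for the SYN-ACK: 8-bit slice counter || 24-bit MAC.

    No per-connection state is stored, so a flood of spoofed SYNs costs one reply each
    and nothing else."""
    counter = (now // SLICE_SECONDS) & 0xFF
    return (counter << 24) | _mac24(src_ip, src_port, dst_ip, dst_port, counter)


def check_cookie(cookie, src_ip, src_port, dst_ip, dst_port, now):
    """True only if we minted this cookie for this 4-tuple within the last two slices."""
    counter = cookie >> 24
    current = (now // SLICE_SECONDS) & 0xFF
    if (current - counter) & 0xFF > 1:
        return False  # stale, or a forged counter
    expected = _mac24(src_ip, src_port, dst_ip, dst_port, counter)
    return hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big"))


def handshake_completes(ack_number, src_ip, src_port, dst_ip, dst_port, now):
    """The third handshake packet acknowledges ISN + 1; only then is a connection created."""
    return check_cookie((ack_number - 1) & 0xFFFFFFFF, src_ip, src_port, dst_ip, dst_port, now)


if __name__ == "__main__":
    # Constructed addresses: a client on the legitimate side talking to the demo web server.
    isn = make_cookie("27.1.1.50", 40000, "27.1.31.100", 80, now=1000)
    print("legitimate client completes handshake:",
          handshake_completes(isn + 1, "27.1.1.50", 40000, "27.1.31.100", 80, now=1001))
    print("spoofed source guessing an ACK:",
          handshake_completes(12345, "10.9.9.9", 40000, "27.1.31.100", 80, now=1001))
```

Because the check is bound to the source address, a spoofed SYN flood produces no completed handshakes and therefore no server load beyond the SYN-ACK replies, which is the behaviour the guide describes as "bounced out the same interface".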
Defense Pro
1. To mitigate, select Configuration > Network Protection > Network Protection Policies and double click on your policy.
5. On the Attack machine, you will notice the speed drop significantly once the protection is active. You will also notice the SYN
flood protection in the Security Monitoring.
6. If you cannot see the vDP detecting the attack, change the SYN flood profile to use the HTTP_Low protection instead of the
standard HTTP protection, or lower the Activation threshold of the standard HTTP protection.
Steps
Mitigating an Attack
The DNS attack can also be mitigated in two ways. BDoS can block a DNS flood aimed at a network that has no DNS servers. If the
flood targets a DNS server, however, BDoS will create a signature that also blocks legitimate DNS requests.
1. From the Attack machine, start a DNS Query flood by entering sudo ./start.sh and choosing option 7.
3. Once the attack started, check on the vDP console the system inf-stats table.
Defense Pro
5. If the DNS attack is not being detected, the problem may be that the attack tool is not generating enough queries per second.
6. Go to Configuration > Network Protection > DNS Protection Profiles and double-click on the existing profile.
a. Select the Manual Triggers tab and change the thresholds to lower values, for example:
b. Activation threshold = 40 QPS, Termination threshold = 10 QPS and Max QPS = 50.
7. You will notice quickly the attack is now mitigated in the Security Monitoring window.
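The three manual-trigger values just set form a two-threshold detector: mitigation starts when the query rate reaches the activation threshold, stays on while the rate sits anywhere between the two thresholds, and ends only when the rate falls to the termination threshold. The Python below is an added example written for this guide, not Radware's implementation, that replays constructed per-second query counts through such a state machine using the guide's values (40 / 10 / 50 QPS). Treating Max QPS as a per-second cap on forwarded queries while mitigation is active is an assumption of this model; it also makes visible the trade-off the text warns about, since the cap applies to every query whether legitimate or not.

```python
"""Rate-based DNS flood detection with activation/termination hysteresis (added example).

Simplified model of the manual triggers set in the guide (Activation 40 QPS, Termination
10 QPS, Max QPS 50). Not Radware's implementation; modelling Max QPS as a per-second cap
while mitigating is an assumption.
"""
from dataclasses import dataclass

ACTIVATION_QPS = 40   # mitigation starts once the observed rate reaches this
TERMINATION_QPS = 10  # mitigation stops once the rate falls back to this or below
MAX_QPS = 50          # queries per second forwarded while mitigating (assumption)

# Constructed per-second query counts: quiet period, a flood, then a ramp-down.
SAMPLE_QPS = [5, 8, 12, 45, 120, 300, 80, 25, 15, 9, 6]


@dataclass
class SecondResult:
    second: int
    observed: int
    mitigating: bool
    forwarded: int
    dropped: int


def run_detector(qps_per_second, activation=ACTIVATION_QPS,
                 termination=TERMINATION_QPS, max_qps=MAX_QPS):
    """Walk the per-second counts through the two-threshold state machine.

    Rates between the two thresholds keep the current state, so a flood that dips
    briefly does not flap mitigation on and off."""
    results = []
    mitigating = False
    for sec, observed in enumerate(qps_per_second):
        if not mitigating and observed >= activation:
            mitigating = True
        elif mitigating and observed <= termination:
            mitigating = False
        forwarded = min(observed, max_qps) if mitigating else observed
        results.append(SecondResult(sec, observed, mitigating, forwarded, observed - forwarded))
    return results


def mitigation_windows(results):
    """Return (first_second, last_second) for every contiguous mitigation period."""
    windows, start = [], None
    for r in results:
        if r.mitigating and start is None:
            start = r.second
        elif not r.mitigating and start is not None:
            windows.append((start, r.second - 1))
            start = None
    if start is not None:
        windows.append((start, results[-1].second))
    return windows


if __name__ == "__main__":
    results = run_detector(SAMPLE_QPS)
    for r in results:
        print(f"t={r.second:2d} observed={r.observed:4d} mitigating={r.mitigating!s:5} "
              f"forwarded={r.forwarded:3d} dropped={r.dropped:4d}")
    print("mitigation windows:", mitigation_windows(results))
```

With the constructed input, mitigation switches on at the 45 QPS second and stays on through the 25 and 15 QPS seconds even though both are below the activation threshold; it only releases when the rate reaches 9 QPS. That is why the guide lowers both thresholds together: a termination value too close to activation would make the protection flap during a real flood.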
Steps
Starting an Attack
A Low and Slow Attack is similar to a HTTP GET flood, except that it starts with slow connections, first sending a few connections
and then building up connections using incomplete GET requests.
1. From the Attack machine, start the Low and Slow attack by entering ./start.sh and choosing option 19 wg_slowloris.sh.
2. Once the attack is started, check the system inf-stats table on the vDP console.
3. Connect to the legitimate client using VNC. The server at http://27.1.1.100 either stops responding or significantly slows down
after a short while because of the attack.
Defense Pro
3. Choose Signature Protection Profile and in the drop down select DOS-All.
5. You will notice quickly the attack is now mitigated in the Security Monitoring window.
6. Check the legitimate client. The server should start to respond again.
7. Once done stop the attack on the attacker machine using Ctrl+C.
NOTE: In addition to the DOS-All signature, this attack can also be mitigated with a SYN Protection: if you want, choose the
LAB-SYN-Cookie option and the tool will not be able to pass the HTTP challenge.
Script | Attack type | Description
wg_dns_flood.py | DNS Query Flood | Sends DNS requests for www.radware.com to the server
wg_dns_garbage_flood.sh | DNS Garbage Flood | Sends garbage (HTML page) to a DNS server on port 53
wg_HTTP_bruteforce.sh | HTTP Flood / Siege | Sends an HTTP flood to a page which needs authentication (/accounts.aspx)
wg_HTTP_GetFlood.sh | HTTP Flood | Sends a lot of HTTP GET requests to the start page of the server
wg_HTTP_GetFlood_pass302.sh | HTTP Flood | Similar to GetFlood.sh but with the added ability to overcome the HTTP-302 challenge
wg_HTTP_largePDF.sh | HTTP Flood | Sends a lot of HTTP requests to a large file on the server to use all upstream bandwidth, so legitimate clients get a slow response from the server
wg_HTTP_PostFlood.sh | HTTP Flood | Sends a lot of HTTP POST requests to the start page of the server
wg_HTTP_Search.sh | HTTP Flood | Sends a lot of HTTP GET requests to the search page of the server to create high CPU utilization
wg_LOIC.sh | LOIC | Low Orbit Ion Cannon (LOIC) was originally developed by Praetox Technologies as an open-source network stress testing tool. It allowed developers to subject their servers to heavy network traffic loads for diagnostic purposes, but it has since been modified in the public domain through various updates and been widely used by Anonymous as a DDoS tool. https://security.radware.com/ddos-knowledge-center/ddospedia/loic-low-orbit-ion-cannon/
wg_NTP_reflective_flood.sh | NTP reflective flood | https://security.radware.com/ddos-threats-attacks/threat-advisories-attack-reports/ntp-reflected-flood/
wg_pyloris.sh | Pyloris | Pyloris is a slow HTTP DoS tool. https://security.radware.com/ddos-knowledge-center/ddospedia/pyloris/
wg_rudy.sh | R.U.D.Y | R.U.D.Y. Attack (R-U-Dead-Yet?) is a slow-rate HTTP POST (Layer 7) denial-of-service tool. https://security.radware.com/ddos-knowledge-center/ddospedia/rudy-r-u-dead-yet/
wg_slowloris.sh | Slow Loris | Slowloris is a denial-of-service (DoS) tool developed by the grey hat hacker “RSnake” that causes DoS by using a very slow HTTP request. https://security.radware.com/ddos-knowledge-center/ddospedia/slowloris/
wg_TCP-Ack_flood.sh | TCP Flood | Floods the server with TCP-ACK out-of-state packets
wg_TCP-Push_Ack.sh | TCP Flood | Floods the server with TCP-Push-ACK out-of-state packets
wg_TCP-RST.sh | TCP Flood | Floods the server with TCP-RST out-of-state packets
wg_TCP-Syn.sh | TCP Flood | Floods the server with TCP-SYN packets initiating new sessions
wg_thc-ssl-dos.sh | THC-SSL-DOS | THC-SSL DOS was developed by a hacking group called The Hacker’s Choice (THC), as a proof-of-concept to encourage vendors to patch a serious SSL vulnerability. https://security.radware.com/ddos-knowledge-center/ddospedia/thc-ssl-dos/
wg_torshammer.sh | TORSHAMMER | Torshammer is a slow-rate HTTP POST (Layer 7) DoS tool created by phiral.net. https://security.radware.com/ddos-knowledge-center/ddospedia/tors-hammer/
wg_UDP_Flood_DNS.sh | DNS Flood | Floods the server with random DNS packets
wg_UDP_flood_p80.sh | UDP Flood | Floods the server with random packets on port 80, assuming port 80 is open due to misconfiguration on the firewall. This puts load on the IP stack of the server
wg_UDP_flood_p81.sh | UDP Flood | Floods the server on port 81 with UDP packets
1. To open the Firepower Management Console, open the Google Chrome browser from wkst1 and browse to the FMC shortcut in
the toolbar. Firepower login credentials are username dcloud and password C1sco12345.
NOTE: If a health warning exists declaring there is no traffic on the FTD interface, this is normal, as traffic only occurs from attacks
started manually. Any warning will clear once you begin the attack scenarios. You may also receive licensing alerts of more hosts
seen than licensed. This is expected due to the mass number of DDoS attack hosts that may reach the NGFW if the Radware
solution is not set to block them.
In the real world, you could simply black hole the Kali box and be done. However, the real world is not that simple. A DDoS attack
could come from a botnet of thousands or millions of devices, or from an IP address you simply cannot turn off, such as AWS
running your apps or, if you are a university, the student dorms. Radware vDP is designed to automatically detect and mitigate
these types of attacks. Cisco FTD + vDP = better together.