2008 Shaping Info Security

Creating a device that produces live attacks while simultaneously generating high speed, non-malicious traffic


SITUATION/CHALLENGE - Intrusion Prevention Systems are often the first layer of defense an organization has against malicious attacks and worms. These devices must protect against thousands of unique attacks, each of which can be modified and encoded in various ways. Testing these devices, whether as the product's developer or as its user, is difficult and error-prone because few suitable test tools exist. To adequately test an IPS (or its older cousin, the Intrusion Detection System), the user must be able to run real attack traffic through the device in a variety of configurations to ensure that attacks are correctly blocked without impacting network performance.

Existing test solutions rely on replaying traffic captures of successful attacks. These "canned" attacks are sent through the target device, and the results are correlated to determine which ones were blocked and which were not. In order to simulate real-world conditions, another test device must be used to generate background traffic and ensure that all non-malicious traffic passes through the device. The problem with these tools is that the attacks are static data—a successful defense against a canned attack does not guarantee that a real attack would not be able to slip through the device. Background traffic generation needs to be closely synchronized with the attack traffic to match real-world conditions, which can be difficult when using a separate test tool.



Name: HD Moore
Title: Director of Security Research
Company: BreakingPoint Systems


SOLUTION - When I joined BreakingPoint Systems in October 2005, the challenge was simple: build the most comprehensive and flexible attack suite in existence. I leveraged my experience developing the Metasploit Framework to build a working prototype. This prototype traced the network operations of each exploit, recorded them, and provided a template that could be regenerated at a later time. Each week a new prototype was created, eventually leading to a special XML format that defined the content and behavior of a given attack.

This XML format relied on a recursive parser, allowing arbitrary transforms and data generation routines to be applied within a structure. Every XML block generated data based on its attributes and contents, using the data produced by its child elements, so complicated protocols could be implemented quickly. The result was a clean, consistent XML format that off-loaded attack generation to a library of attack- and protocol-specific routines, tailoring the output based on user-defined options. This allowed truly dynamic attacks to be created, with the ability to extend them in the future simply by updating the backend library.
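As an added illustration of the recursive idea above (a constructed template with hypothetical element names, not BreakingPoint's actual schema, which the article does not show), each element below renders its children to bytes first and then applies its own rule, so repeats, length prefixes, encoding transforms and user options nest to any depth and one template yields different wire bytes per run:

```python
import base64
import xml.etree.ElementTree as ET

# Constructed template in the spirit of the recursive format the article
# describes; the element names are hypothetical, not BreakingPoint's schema.
TEMPLATE = """
<attack>
  <lenprefix width="2">
    <raw>GET /</raw>
    <repeat count="4"><raw>A</raw></repeat>
    <raw> HTTP/1.0</raw><crlf/>
    <raw>User-Agent: </raw><option name="user_agent" default="Mozilla/4.0"/><crlf/>
    <raw>X-Blob: </raw><b64><hex>deadbeef</hex></b64><crlf/>
    <crlf/>
  </lenprefix>
</attack>
"""

def generate(elem, options):
    """Render one element: children are rendered first, then the element's own
    rule is applied to their bytes. Indentation whitespace (tails) is ignored."""
    inner = b"".join(generate(child, options) for child in elem)
    tag = elem.tag
    if tag == "attack":
        return inner                               # plain container
    if tag == "raw":
        return (elem.text or "").encode() + inner  # literal bytes
    if tag == "crlf":
        return b"\r\n"
    if tag == "hex":
        return bytes.fromhex((elem.text or "").strip()) + inner
    if tag == "option":                            # user-defined, per test run
        return options.get(elem.get("name"), elem.get("default", "")).encode()
    if tag == "repeat":
        return inner * int(elem.get("count", "1"))
    if tag == "b64":                               # an encoding transform
        return base64.b64encode(inner)
    if tag == "lenprefix":                         # big-endian length header
        width = int(elem.get("width", "2"))
        return len(inner).to_bytes(width, "big") + inner
    raise ValueError(f"unknown element <{tag}>")

def render(template, options=None):
    """Parse the template and produce the wire bytes for one attack instance."""
    return generate(ET.fromstring(template), options or {})
```

Changing the user_agent option changes the rendered bytes and, because the length prefix is computed from its children, the header adjusts automatically.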

At the lowest level, the IP networking code provides independent fragmentation and reassembly engines. IP fragment reassembly is one of the hardest things to get right inside content-aware network devices, and our product needed to test every possible combination. The result was a solution that could fragment based on one device profile but reassemble based on another. Full control over each of the fields in the IP header was exposed to the users through options.

Next, I moved on to the TCP, UDP, ICMP, and other IP-based protocol stacks. The TCP implementation required a similar amount of effort, since we wanted to support segment reordering, repeat segments with different data and bad checksums, and a variety of other non-standard TCP behavior that can be used in real attacks. All of the TCP, UDP, and ICMP headers can be defined by the user, at run-time, on a per-attack basis.
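The fragmentation and TCP passages above turn on the same point: two stacks can reconstruct different bytes from the same packets. As an added example (constructed for this page, not BPS-1000 code; the policy names "first" and "last" are hypothetical labels), this harness reassembles one fragment set under two overlap policies and checks whether the device under test and the host behind it would see the same datagram:

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    offset: int   # byte offset of this fragment within the datagram
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the final fragment

def fragment(payload, size, overlap=0):
    """Split payload into fragments of `size` bytes; with overlap > 0 each later
    fragment also re-sends the tail of the previous one (same bytes, as a
    well-behaved sender would)."""
    frags = []
    for start in range(0, len(payload), size):
        lo = max(0, start - overlap)
        end = min(len(payload), start + size)
        frags.append(Fragment(lo, payload[lo:end], end < len(payload)))
    return frags

def reassemble(frags, policy):
    """Reassemble under one device profile (hypothetical names). 'first': the
    fragment seen first keeps overlapping bytes; 'last': a later fragment
    overwrites them. Real stacks differ in exactly this way."""
    final = [f for f in frags if not f.more]
    if len(final) != 1:
        raise ValueError("need exactly one final fragment")
    total = final[0].offset + len(final[0].data)
    buf, filled = bytearray(total), bytearray(total)
    for f in frags:
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos], filled[pos] = byte, 1
    if not all(filled):
        raise ValueError("hole in datagram: a real stack would time it out")
    return bytes(buf)

def profiles_agree(frags, dut_policy, host_policy):
    """Harness check: does the device under test reconstruct the same bytes as
    the host behind it? If not, the IPS inspected a different datagram than
    the host actually processed."""
    return reassemble(frags, dut_policy) == reassemble(frags, host_policy)

# Constructed sample: a request fragmented with a 2-byte overlap (benign), then
# the same fragments plus one repeated fragment carrying different bytes in the
# overlap, the "repeat segments with different data" case the article mentions.
PAYLOAD = b"GET /index.html HTTP/1.0"
BENIGN = fragment(PAYLOAD, 8, overlap=2)
CONFLICTING = BENIGN + [Fragment(6, b"XX", True)]
```

The benign set reassembles identically under both policies, while the conflicting set only agrees when the device under test is configured with the same profile as the host it protects.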

Once the security engine was implemented, it was time to start adding attacks. Meanwhile, I had been assembling a team of security specialists and exploit developers. These guys were tasked with identifying all of the high-risk vulnerabilities that had been found since the year 2000, prioritizing them, and writing exploits using the attack XML format.

The attacks were written as dynamically as possible and covered as many different vectors and transports as was feasible. Ultimately, we developed over 3,400 individual attacks. These attacks could be configured at every single layer, from the IP stack, to the TCP segment size, all the way up to which user-agent was sent in a given HTTP request.

The final result was a dynamic and extremely configurable attack delivery system that integrates with the rest of the BPS-1000 product (background traffic, load testing, monitoring, etc.) and provides the best possible coverage test for Intrusion Prevention Systems. My team still works on new attacks every day and shoots for 48-hour exploit turnaround on the monthly patches released by Microsoft.

Info Security Products Guide


CONCLUSION - The security engine in the BPS-1000 product generates realistic attack traffic in a way that truly tests the abilities of content-aware network devices. Prior to having the BPS-1000, our customers would go into a bake-off and miss a significant number of the attacks that were sent, even though they had some form of existing coverage for those vulnerabilities.

Since the attacks produced by the BreakingPoint product change during each test, customers using the BPS-1000 can create signatures and defensive algorithms that are much more robust than those created using static attacks. This leads to much better results in competitive bake-offs and a much higher level of protection for the end users of the tested products.

New attacks are released every week by the security team, allowing product developers and end users alike to test the effectiveness of their solutions. BreakingPoint is the only test vendor that provides immediate exploit coverage of the vulnerabilities patched by Microsoft each month.


HD Moore is Director of Security Research at BreakingPoint Systems, where he focuses on the security testing features of the BreakingPoint Systems' product line. Prior to joining BreakingPoint, HD co-founded Digital Defense, a managed security services firm, where he developed a vulnerability assessment platform and led the security research team. HD is the founder of the Metasploit Project and one of the core developers of the Metasploit Framework, the leading open-source exploit development platform. In his spare time, HD searches for new vulnerabilities, develops security tools, and contributes to open-source security projects. Moore is a frequent speaker at various tradeshows, including BlackHat, CanSecWest, Hack-in-a-Box, IDG Security Standard, and past Interop events.

In July 2006, Moore launched the Month of Browser Bugs (MOBB) project. The project aimed to release one browser vulnerability every day for a month, and succeeded. The MOBB was praised by admirers who congratulated the project for its efforts to enlighten software makers and security managers to the threats posed by data fuzzing tools. In November 2006, pseudonymous researcher "LMH" announced the Month of Kernel Bugs project. Moore submitted the first entry for this project, a flaw in Apple's AirPort wireless driver.


BreakingPoint Systems
10535 Boyer Blvd. Ste 300
Austin, TX 78758
Tel: +1-512-821-6054