Jul 252010

From linuxpoison.blogspot.com

Inundator – IDS/IPS/WAF Evasion & Flooding Tool

Inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.

The general idea is one would launch inundator prior to starting an attack, allow it to run during the attack, and continue to run it a while longer after you’ve accomplished the attack. The goal, of course, is to generate an overwhelming number of false positives so that your real attack is essentially buried within the other alerts, minimizing the chance of your attack being detected. It could also be used to ruin an IDS analyst’s day, or keep an organization’s infosec department busy for a while.

Other Example Scenarios:
* Before, during, and after a real attack to bury any potential alerts among a flood of false positives.
* Seriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.
* Test the effectiveness of an intrusion detection or prevention system. Less alerts means a better product; more alerts means a horrible product.


Downloading and installing Inundator:

The preferred method of installation for all other .deb-based distributions is via software repository. This is by far the best and simplest way of installing Inundator and its dependencies.

Add repository to /etc/apt/sources.list:
deb http://inundator.sourceforge.net/repo/ all/
Next, download and install our GPG key:
wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc

Then you can automatically pull in Inundator and all its dependencies:
aptitude update
aptitude install inundator

 Posted by at 2:54 am

Sorry, the comment form is closed at this time.