RE: Firewall Load Testing

From: Brass, Phil (ISS Atlanta) (PBrassat_private)
Date: Tue Dec 10 2002 - 10:42:10 PST

    One of the problems I have found in this arena is that many hosts
    (windows particularly) cannot hold open more than about 5000
    simultaneous TCP connections.  I know some unices have similar problems,
    though my understanding is that it is possible to frob the BSD kernel at
    least to get at least 40,000 simultaneous connections.  That is all very
    well and good, but unless there are enough target machines behind the
    firewall to handle that many connections, or you get to run your own
    listener on another frobbed box on the inside, you aren't going to be
    able to hold open that many connections.
    
    One possibility in terms of solution is to take something like Dan
    Kaminsky's excellent Paketto Keiretsu toolkit (http://www.doxpara.com/),
    in particular the scanrand stateless SYN scanner, add a SYN+ACK and have
    it connect to the same port instead of scanning...  Anyhow, the point of
    using scanrand stuff is that it's basically stateless.  The reason many
    kernels won't handle more than a few thousand sockets (as I understand
    it) is that typically kernels allocate some non-paged pool for each
    connection, and non-paged pool is a limited resource.  At least I think
    that's how it works on MS.
    
    Phil
    
    > -----Original Message-----
    > From: Jason Dixon [mailto:jasondixonat_private] 
    > Sent: Saturday, December 07, 2002 8:34 PM
    > To: pen-testat_private
    > Subject: Firewall Load Testing
    > 
    > 
    > My apologies if this isn't the right forum for this question; 
    >  I'm running into great difficulty finding the right tool for 
    > this job short of writing my own.  All of the other lists 
    > I've tried have come up blank.
    > 
    > Basically, I'm looking to test a firewall's capabilities.  At 
    > the very least, I'd like to have endpoint-to-endpoint 
    > creation and analyzation of thousands of concurrent, possibly 
    > varying in protocol type, connections through the firewall.  
    > At the very most, I'd like something to pen/load test the 
    > firewall in order to determine maximum states, connections 
    > (vpn and otherwise), etc.
    > 
    > Is anyone familiar with a good toolkit or collection of *nix 
    > utilities that will do what I'm looking for?
    > 
    > TIA,
    > J.
    > 
    > 
    > 
    > 
    > --------------------------------------------------------------
    > --------------
    > This list is provided by the SecurityFocus Security 
    > Intelligence Alert (SIA) Service. For more information on 
    > SecurityFocus' SIA service which automatically alerts you to 
    > the latest security vulnerabilities please see: 
    > https://alerts.securityfocus.com/
    
    
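    The thread's practical problem is measuring how many simultaneous TCP
    connections a host can actually hold open before the kernel or the process
    limit gets in the way. The program below is an added example for this
    archive page, not code from Phil, Jason or the Paketto Keiretsu toolkit.
    It runs a loopback listener that keeps every accepted connection open (the
    "inside listener" Phil mentions) and a dialer that opens N connections,
    holds them, and stops at the first failure so the operator can see both
    the count reached and the error that marked the limit. All names
    (startSink, holdConnections, fdLimit, HoldResult) and the loopback
    addressing are this example's own assumptions; on loopback it measures the
    local host's own ceiling, and to exercise a firewall the sink would run on
    a host behind it with the dialer outside.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// HoldResult summarises one connection-hold run.
type HoldResult struct {
	Requested int   // connections asked for
	Held      int   // connections actually open at the same time
	FirstErr  error // error that stopped the run, nil if all succeeded
}

// startSink listens on an ephemeral loopback port (hypothetical test sink,
// not a real tool) and keeps every accepted connection open until stop() is
// called, so the dialer's connections stay ESTABLISHED instead of closing.
func startSink() (addr string, stop func(), err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	var held []net.Conn
	done := make(chan struct{})
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil { // listener closed by stop()
				close(done)
				return
			}
			held = append(held, c)
		}
	}()
	stop = func() {
		ln.Close()
		<-done // accept loop has exited; safe to read held
		for _, c := range held {
			c.Close()
		}
	}
	return ln.Addr().String(), stop, nil
}

// holdConnections dials addr n times and keeps each connection open. It stops
// at the first failure (typically "too many open files" once the per-process
// descriptor limit is hit, or a resource error from the kernel) and reports
// how many connections were open at that point. release() closes them all.
func holdConnections(addr string, n int, timeout time.Duration) (HoldResult, func()) {
	res := HoldResult{Requested: n}
	conns := make([]net.Conn, 0, n)
	for i := 0; i < n; i++ {
		c, err := net.DialTimeout("tcp", addr, timeout)
		if err != nil {
			res.FirstErr = err
			break
		}
		conns = append(conns, c)
	}
	res.Held = len(conns)
	release := func() {
		for _, c := range conns {
			c.Close()
		}
	}
	return res, release
}

// fdLimit returns the soft open-file limit of this process. Every socket is a
// descriptor, so this caps a single test process below whatever the kernel
// itself could track; on loopback each connection costs two descriptors here
// (dialer side and sink side live in the same process).
func fdLimit() (uint64, error) {
	var rl syscall.Rlimit
	if err := syscall.Getrlimit(syscall.RLIMIT_NOFILE, &rl); err != nil {
		return 0, err
	}
	return uint64(rl.Cur), nil
}

func main() {
	n := 500 // default target; override with a command-line argument
	if len(os.Args) > 1 {
		fmt.Sscan(os.Args[1], &n)
	}
	if lim, err := fdLimit(); err == nil {
		fmt.Printf("open-file limit for this process: %d\n", lim)
	}
	addr, stop, err := startSink()
	if err != nil {
		fmt.Println("listen:", err)
		os.Exit(1)
	}
	defer stop()
	res, release := holdConnections(addr, n, 2*time.Second)
	defer release()
	fmt.Printf("requested %d, held %d simultaneously", res.Requested, res.Held)
	if res.FirstErr != nil {
		fmt.Printf(", stopped at: %v", res.FirstErr)
	}
	fmt.Println()
}
```

    Run it with a target larger than the printed descriptor limit and the
    reported FirstErr shows which limit was reached first; raising the
    process limit (ulimit -n) then separates the per-process ceiling from the
    kernel's per-connection memory limits that Phil describes.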
    
    This archive was generated by hypermail 2b30 : Tue Dec 10 2002 - 13:28:00 PST