Inundator. – IDS/IPS/WAF Evasion & Flooding Tool

Posted: 8 July, 2010 in english, new, security
Tags: , , , , , , , , ,

What is Inundator?

Inundator is a multi-threaded, queue-driven, anonymous intrusion detection false positives generator with support for multiple targets.

When would I use Inundator?

Whenever you feel like it. Seriously. It’s anonymous, so why not watch the world burn?

Example Scenarios:

  • Before, during, and after a real attack to bury any potential alerts among a flood of false positives.
  • Seriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.
  • Test the effectiveness of an intrusion detection or prevention system. Less alerts means a better product; more alerts means a horrible product.

How does Inundator work?

At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort’s poorly written pattern-matching rules. Inundator then builds a target queue by peforming a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator will launch the requested number of worker threads. Each worker thread will select a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port will then be selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack will then be sent to the target via a SOCKS proxy (we default to Tor’s local proxy.) This procedure is repeated in an infinite loop by each worker thread until the user aborts.

Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern matching rules, and little to no false positives on systems which use well written rules, heuristic-based detection, or anomaly-based detection mechanisms.

more info & download


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s