Copyleft: this document is owned by yfydz. It may be freely copied and reprinted under the GPL provided the document is kept complete; any commercial use is strictly prohibited.
msn: [email protected]
1. Preface

There is currently no real standard for firewall testing, so many people simply rely on the testers to provide something like a standard test. The common testers are SmartBits and Ixia; domestically, SmartBits is used somewhat more. These testers mainly follow RFC2544 to measure the basic performance of network equipment, such as throughput, latency, packet loss rate and back-to-back frames. These are router-level (IP layer) performance parameters. The testers can also do some transport-layer performance testing, such as the maximum number of connections and the maximum connection establishment rate, and they can run attack tests; the attack types include land, ping of death, SYN flood, teardrop, ping flood, ping sweep and smurf. The principles of these attacks were described in a previous article.

In previous years, performance testing and functional testing were carried out separately, and the configuration used for the two could differ. The trend of the past two years is that performance testing is done with the same configuration as functional testing, so the performance test is completed under that configuration. In this case there is actually a problem.

2. Mistakes

Currently the packets these testers send for throughput testing are UDP packets to port 7 (port 7 is the echo service), and every packet has the same source and destination address. From the firewall's point of view, such a large flow of identical packets is indistinguishable from a UDP flood and should be classified as one. Imagine a real machine sending such a large number of UDP packets: if the firewall did not report an anomaly and simply let them occupy the network bandwidth, the whole network would probably be paralysed, and the network administrator would probably never use that firewall again.

A good test would send packets whose source and destination addresses change dynamically, imitating real data flows, so that the firewall can treat them as normal packets and the result is more accurate; but the tester does not seem able to generate such packets. If the purpose is to test with packets that all share the same source IP, one should first confirm that the firewall's UDP flood defence is turned off; the same traffic is otherwise really a way of examining the firewall's ability to withstand a UDP flood. For the same reason, if the packets used to test the maximum number of connections and the maximum connection establishment rate are all sent with the same address, the firewall should treat them as a DoS attack, and the test results are then not reliable; the packets the tester sends should connect to different addresses.

In the attack tests, the general view is of course that the fewer attack packets get through, the better. So in some firewall test reports one finds that none of the packets of the seven attack types got through the firewall, but this too is a little problematic.

Among those attack tests, land, ping of death, teardrop and smurf are packets with distinctive features, so blocking all of them is no problem. For SYN flood, using SYN proxy or SYN cookie technology can also block everything, because the tester does not send ACK packets; and in many cases even these techniques are not needed, because the SYN packets the tester sends basically carry no TCP options and can simply be dropped. Ping flood and ping sweep, however, consist of normal ping packets and can only be identified by statistical methods. When the sending rate drops to a certain level they become a normal use of ping. With a firewall that allows ping packets through, some of the initial packets will necessarily get through, and only after some statistics have been gathered is a ping flood or ping sweep identified. If the test results show that everything is blocked, then that firewall has a problem: it does not rely on statistical functions to identify ping flood/sweep but defends by blocking all ping packets, which restricts the normal use of the ping feature.

3. Conclusion

A firewall cannot be judged good or bad just by looking at the numbers the tester outputs; one should really understand what lies behind the various tests. Unfortunately, at present many testers only know how to run the instrument through its tests and then sort the numbers, without any analysis.