According to My Competitors I'm No Longer An Idiot
BreakingPoint is growing by leaps and bounds, as evidenced by the news release we put out a few weeks ago. We are really excited about our growth and that people are now demanding our approach to testing. Sales numbers aren't the only way to measure growth; the reaction of your competitors is another way. This isn't our first rodeo, and one thing remains constant in business: you know you are growing faster than the competition when they stop calling your ideas dumb and start adopting them. I thought it would be fun to point out a few examples.
Layer 2-7 Testing
BreakingPoint was founded because of our frustration, as equipment manufacturers, with the testing industry. We knew the only way to test is by testing Layer 2-7 completely. Unfortunately, at the time and to this day, test vendors such as Ixia and Spirent have different solutions for Layer 2/3 and Layer 4-7 testing, meaning additional hardware, additional licenses, disparate reporting and, of course, Windows-only management software to run them.
At the latest round of trade shows, it was great to see our competitors (Ixia and Spirent) talking more and more about comprehensive Layer 2-7 testing. It means they are listening to the community now, and hopefully in the future they will provide comprehensive solutions. The first step is always to market it, and the second step is to build it. They just got to the first step but hopefully will advance to the second step. Granted, the second step is a bit bigger than just updating a website.
Application Protocols
Each application protocol brings its own challenge to your network and the gear that runs your network. It comes down to a simple fact: if you aren't testing network equipment and servers with the same application protocols that they will be hit with in the real world, they will fail. Today we have more than 70 stateful applications for use in testing, and we were the first to allow for testing with applications such as VMware VMotion, AIM, CIFS/SMB, BitTorrent and many others.
I beat the drum around application protocols as a customer of test equipment for 10 years and I guess I didn’t bang loud enough. Now, I see that Ixia supports 10 application protocols as of today, but please leave me a comment if you know of more. I know 10 doesn’t sound like a lot compared to 70, and it’s not. But it’s a huge increase from pure BitBlasting that they mostly focused on.
Security
Many of us who started BreakingPoint have backgrounds in security and security equipment. Not only have we discovered multiple security vulnerabilities, we also have deep knowledge about how security affects performance. Any equipment can perform admirably with no security policies on and zero strikes hitting it, but show me performance when all the policies are on and the box is getting hammered. Much like our focus on application protocols, this is the reason we supply 4,000+ security strikes, 80+ evasion techniques, application layer fuzzing and complete Microsoft Tuesday coverage.
In the realm of security we are now seeing our competitors incorporate a dose of security into their solutions. An example is Ixia's partnership with Codenomicon (they were sharing a booth at RSA Conference), and Spirent's ThreatEx product. It is good to see folks moving in this direction since it is so important. I would just stress to testers to make sure you test security and performance at the same time; otherwise you aren't doing any testing. In the real world, security attacks happen at the same time as legitimate traffic, so testing them separately provides almost no value.
Simplifying Licensing
In my past as an equipment manufacturer and testing tools customer, the complex pricing and service models presented by test vendors constantly frustrated me. I can remember too many times when I was sold test equipment and then had to buy additional licenses and modules to actually make it work properly…don’t even get me started on the multi-page proposals.
This not only stalls development, it leaves a bad taste in the mouths of engineers about testing. Our goal was to provide a complete service and support package for each user that gives them everything they need, from the latest firmware upgrades to all the application protocols and security strikes at a single price…eliminating the need for licenses. Our competitors’ current architectures make this technologically difficult, but their embracing of other elements tells me that perhaps the time is coming when we will see a more simplified pricing model throughout the industry.
Network Processors
Earlier this year we doubled the performance ability of our 3-slot BreakingPoint Elite chassis from 20 to 40 Gbps of Layer 4-7 app traffic through a firmware upgrade for all of our users. Our use of network processor technology allows us this flexibility and enormous benefit for users. The key, of course, is in how you program the NP and for nearly ten years we have been actively working at this skill.
Spirent did not seem to share this sentiment in a discussion on this LinkedIn message board (you need to join the LinkedIn group to read it), but Ixia announced at Toolapoolza that they are coming out with a network processor powered blade: beta is May 11th and release is scheduled for June 11th. I am so excited about this; I'm a big fan of network processors no matter who uses them. I can't wait to see what they get out of it. It was getting lonely being the only one able to do high performance application protocols (7.5 million concurrent connections at 20 Gbps per card as of release 1.3.1, and the number continues to increase).
Stalling
Our fellow test vendors have been convinced we are on the right path and are starting to follow along. Heck, from our website traffic analysis, folks from Ixia and Spirent are spending an average of 2.5 hours per day on our website. That would be fine, except they spend so much time downloading my picture I may file a stalker petition with the courts. Do they even have courts in Romania, home of the Ixia Development Center? ;)
The stage they are currently in is called the "Stalling stage": tell the customers you have the same thing and it's cheaper and faster and available next quarter. And they say that every quarter. The truth is that this annoys customers and causes more problems than it solves. It also sends more business my way when they fail to deliver.
Goliath vs. Daniel
My favorite thing about writing this post was that during proofreading it struck me how Spirent (LSE: SPT.L) has 1,500 employees and Ixia (NASDAQ: XXIA) has 850 employees. We are, of course, significantly smaller, but this allows us to develop faster, quicker and smarter than these guys, well at least according to them. It's not always the guy with the slingshot; sometimes all it takes is vision :)
Denial of Service Attacks
Recently there was a Dark Reading article on a new type of TCP DOS attack. Of course, the authors have learned their PR lessons and it's all hush-hush until the next big conference or product launch, which leaves us all guessing as to what the attack could be. So I thought I would cover some basics about Denial of Service attacks for people interested.
Normal TCP Connection
Client Server
SYN ->
<- SYN-ACK
ACK ->
DATA ->
<- ACK
FIN ->
<- FIN-ACK
SYN Flood
SYN Floods are one of the most basic Denial of Service attacks. The basic way they work is that the attacker sends a large number of TCP connection requests to the victim (a server or network device). This ties up all of the victim's connection entries and it can no longer process incoming requests. To jump down to an even more basic level -
To make a connection to a server a number of things have to happen, and one of them is generally a TCP connection. The connection involves a three-way handshake. The first step is the SYN, which the client sends; then the server replies SYN-ACK, meaning "I read you loud and clear". The next stage (the third step in the three-way handshake) is the client saying "okay, we have a connection", which is the ACK. Now we are in the established state. So if my device supports 5,000 connections and you send 5,000 SYNs, I can't accept any more connections. So I have denied service. Make sense?
SYN Flood
Client Server
SYN ->
<- SYN-ACK
SYN ->
<- SYN-ACK
repeat
This technique has had a solution since 1996 (I know, I have the first patent on it). There are so many ways to solve this problem. One is to keep two lists, connecting and established connections. When the connecting list is full you throw away the oldest of those in the connecting state, or favor something already in the established list. Hence, clients that you have already spoken to are more trusted than those talking to you for the first time. Again, there are dozens of solutions to the SYN Flood problem.
Connection Attack
A connection attack is basically the same idea as the SYN flood, except in this case I complete the three-way handshake. Now I've gotten onto your established list and eaten up your entries. You can also do this (but it's painful) by focusing on a single IP address and eating up every possible port number (a 16-bit value), but that requires a lot of connections (~65k), and generally speaking big sites use load balancers and dozens of IP addresses, so it's not useful.
Connection Attack
Client Server
SYN ->
<- SYN-ACK
ACK ->
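To make the two-list defense above concrete, and to show why a connection attack that finishes the handshake is harder to shed, here is an added simulation of a server-side connection table (this is illustration code, not BreakingPoint's or the post's; the ConnectionTable class, the 5,000-slot capacity and the RFC 5737 addresses are assumptions). Half-open entries are evicted oldest-first when the table is full, while established entries are never displaced by a new SYN.

```python
from collections import OrderedDict


class ConnectionTable:
    """Server-side model of the 'connecting' and 'established' lists.

    SYN_RECEIVED entries live in `connecting`; a completed handshake moves
    the peer to `established`. Both lists share one pool of `capacity` slots.
    """

    def __init__(self, capacity):
        self.capacity = capacity
        self.connecting = OrderedDict()    # insertion order doubles as age
        self.established = OrderedDict()

    def used(self):
        return len(self.connecting) + len(self.established)

    def on_syn(self, peer):
        """Admit a SYN. Returns True if the peer holds a half-open slot."""
        if peer in self.connecting or peer in self.established:
            return True                     # retransmitted SYN, nothing new
        if self.used() >= self.capacity:
            if not self.connecting:
                return False                # only completed connections remain
            self.connecting.popitem(last=False)   # evict the oldest half-open
        self.connecting[peer] = "SYN_RECEIVED"
        return True

    def on_ack(self, peer):
        """Third handshake step: promote to established if still tracked."""
        if self.connecting.pop(peer, None) is None:
            return False                    # evicted or unknown: handshake fails
        self.established[peer] = "ESTABLISHED"
        return True


def legit_after_syn_flood(capacity=5000, flood=20000):
    """Half-open flood from constructed spoofed sources that never ACK."""
    table = ConnectionTable(capacity)
    for i in range(flood):
        table.on_syn(("198.51.100.%d" % (i % 254), 40000 + i))
    legit = ("203.0.113.7", 51234)
    return table.on_syn(legit) and table.on_ack(legit)   # legit client still connects


def legit_after_connection_attack(capacity=5000, bots=5000):
    """Attacker completes every handshake, filling the trusted list instead."""
    table = ConnectionTable(capacity)
    for i in range(bots):
        peer = ("198.51.100.%d" % (i % 254), 40000 + i)
        table.on_syn(peer)
        table.on_ack(peer)
    return table.on_syn(("203.0.113.7", 51234))          # no slot left to evict
```

The second scenario is the one the eviction policy cannot fix on its own, which is why completed-handshake attacks need per-source limits or idle timeouts on the established list as well.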
Other forms of Denial of Service
You can play with TCP stacks to create other types of Denial of Service issues. Sending resets can interrupt connections, or you can play with the window size. I could make the victim think that I'm on a really slow link and it will leave the connection open forever. This works great on network devices in particular because they tend to shortcut the TCP fields to save on memory and to speed up their data searching (hashing, lists, trees, etc.).
I did a recent test the other day on making the victim think I am on a slow link. I found that devices with specific field sizes for the TCP header were susceptible to this type of attack more often. For example, a Windows 2003 Server took 10 packets per connection, while a popular network firewall took 4 packets per connection. This type of attack is intensive in the number of packets (not large ones, mind you, but still enough), and it fools even the best load balancers and firewalls. It definitely can bypass SYN-Cookies without a problem.
A good example on TCP Window Size is:
"In theory the TCP window size should be set to the product of the available bandwidth of the network and the round trip time of data going over the network. For example if a network had a bandwidth of 100 Mbits/s and the round trip time was 5 msec, the TCP window should be 100x10^6 times 5x10^-3 or 500x10^3 bits (65 kilobytes)" - so if I want to go slower?
This type of attack is really interesting because an article in Dark Reading recently talks about some folks who think they found the next DOS attack. No details have surfaced, so who knows, but my guess is it's this type of attack.
Application Denial of Service
Another Denial of Service is to run a CPU intensive program/script/query on the device you are after. For example, if I run a highly complex select query on a database, I may be denying service to users who want to query as well. Run enough of these and you can starve people out. You could also send malformed data to the program; if the program crashes or runs really slowly, you deny service. A recent favorite we saw was VoIP related: some compression algorithms are more CPU intensive than others. By selecting a horribly slow one and creating a dozen calls, all voice calls start to suffer in quality, or worse, can't happen at all. So you can see Denial of Service isn't just TCP related, and there are dozens of ways to make it happen.
Network Device Denial of Service
Network equipment also suffers from Denial of Service problems. How many ARP entries can a device handle? How big is the connection table? Does it have a control path for routing protocols? If I send routing protocol packets, like RIP updates, does it slow down packet processing? What if I send a flood of them? If I create a worst-case packet for an IDS that leverages regular expressions, does it miss traffic? If so, I can sneak my attack by unnoticed.
So it seems that the Denial of Service that will end the Internet is the new craze. To be honest, Denial of Service attacks aren't rocket science; to find one you just need to look, it really is that easy. It all comes back to testing: if you test the worst case scenarios in your product, you will come up with simple solutions to protect from these and minimize the possibility of a Denial of Service attack.
BreakingPoint LiveLook: Talking Customer Support
Caught up with Greg Griffith here at BreakingPoint and chatted with him about his role in support and what that entails. If you are a BreakingPoint user you may have already worked with Greg to help you with our testing solutions. Greg also chatted with us about his interests outside of providing support, including lending his film making skills to help us produce our test methodologies and his latest hobby...model rocketry.
BreakingPoint LiveLook: Engaging the Community
Today I decided to talk to Kyle, our Director of Marketing at BreakingPoint. Kyle just joined the company a few months back and I really enjoy giving him a hard time for some unknown reason. We knew when we were starting BreakingPoint that we wanted to market via the 'net and not traditional sources like magazines and tradeshows. That's not to say we won't do those sorts of things; it was just that we wanted to be more about being online.
The online test methodologies, the screencasts, the large amount of product data available online, even this blog are examples of us focusing our communication on the 'net rather than traditional channels.
BreakingPoint LiveLook: Enter the Heat Chamber
This is where you can come to see what is going on inside of BreakingPoint. We have our handy cameras and we are sitting down with some of the folks to talk about what they are currently working on, the network testing market and much more.
August 4, 2008: Hardware Engineer Greg Singleton discusses "The Heat Chamber":
