
Technical Thursday

White hat performance testing in corona times

Posted by: Eva
Category: Business, Performance testing
“White hat” and “performance testing” is a combination of words you don’t often encounter, since they are seemingly unrelated. The former refers to a type of hacking, the latter speaks for itself. So how did we get to this mix of disciplines? Let’s start off with a short exploration of the different types of hacking, followed by the connection with performance testing and the specific use case of the Belgian Coronalert app.

You can leave your hat on

When you think of hacking, the first thing that probably comes to mind is a cool Hollywood hacker like Elliot from Mr. Robot or Neo from The Matrix, frantically hammering away at a keyboard to save the world from evil. Real-life hacking is nowhere near as enticing and action-packed, although it can still be pretty exciting. Hackers can roughly be divided into three main categories:

  • Black hat: the evil hackers, who try to break into company or government networks for personal gain or to cause irreparable damage.
  • White hat: the ethical hackers, usually hired by a company to test the cybersecurity of their networks and applications. This is the type of hacking we will delve deeper into.
  • Grey hat: somewhere in between black and white, the grey hat hacker might use illegal means to break into a network, but without malicious intent. This type of hacker typically reports vulnerabilities voluntarily to companies, which consequently might hire them for cybersecurity testing.

(D)DoS attacks within ethical hacking

The most common form of ethical hacking is penetration testing: finding and reporting vulnerabilities in a network by trying to break into it using backdoors or other gaps in security. One of the most common tools used for this is the specialized Linux distribution Kali Linux, which provides a comprehensive set of applications to perform various tasks such as Wi-Fi sniffing, brute-force password attacks, vulnerability analysis, and so on.


One aspect of hacking that is missing from this tool set is performing (D)DoS attacks. DDoS stands for Distributed Denial-of-Service: an attempt to bring a website or service down (thus denying the service to users) by flooding it with a large number of simultaneous requests from multiple source machines (hence distributed). A DoS attack has the same purpose but without the distributed part, so it originates from a single source. In Kali Linux there are no specific applications for this, although there are a couple of third-party command line tools such as Torshammer (using the Tor network to simulate multiple proxies or sources), LOIC/HOIC, or Siege (mostly used for load testing).

Coronalert

It is precisely for a simulation of this type of attack that Brightest was approached: to test the robustness of the backend of the Coronalert app for contact tracing and COVID-19 exposure notifications in Belgium, an essential service amid the ongoing pandemic. It was paramount that this application could endure heavy loads if needed, both on the customer-facing CDN (Content Delivery Network) and on the backend.

The setup of the simulation was conceived as an elaborate stress or load test comparable to a DoS attack. Given our prior experience with performance testing in OctoPerf, we decided to use this tool rather than one of the command line tools mentioned above, since OctoPerf offers far more customization and visualization options, for example the possibility to write elaborate scripts to execute, and the option to use several load generators in different locations to test geographical limitations and distribute the load.


Conclusion

For a moment we could put on our white hat and make a small contribution to the fight against corona, in the form of performance testing the Coronalert application. During the analysis and research phase for this particular use case, we also got a taste of what ethical hacking looks like, and the available tools for this. It was an interesting exploration, and it inspires us to follow the white rabbit, as Neo did in The Matrix. Keep hacking!

Written by Bart Taelemans
