When you think of hacking, the first thing that probably comes to mind is a cool Hollywood hacker like Elliot from Mr. Robot or Neo from The Matrix, frantically hammering away at a keyboard to save the world from evil. Real-life hacking is nowhere near as enticing and action-packed, although it can still be pretty exciting. Hackers can roughly be divided into three main categories:
The most common form of ethical hacking is penetration testing: finding and reporting vulnerabilities in a network by trying to break into it using backdoors or other gaps in security. One of the most common tools used for this is the specialized Linux distribution Kali Linux, which provides a comprehensive set of applications to perform various tasks such as Wi-Fi sniffing, brute-force password attacks, vulnerability analysis, and so on.
One aspect of hacking that is missing from this tool set is performing (D)DoS attacks. DDoS stands for Distributed Denial-of-Service, and aims to bring a website or service down (thus denying the service to users) by flooding it with a large number of simultaneous requests from multiple source machines (hence distributed). A DoS attack has the same purpose, but without the distributed part, so it originates from one source. In Kali Linux there are no specific applications for this, although there are a couple of third-party command-line tools such as Torshammer (using the Tor network to simulate multiple proxies or sources), LOIC/HOIC, or Siege (mostly used for load testing).
It is precisely for a simulation of this type of attack that Brightest was approached, to test the robustness of the backend part of the Coronalert app for contact tracing and COVID-19 exposure notifications in Belgium, an essential service amid the ongoing pandemic. It was paramount that this application could endure heavy loads if needed, both on the customer-facing CDN (Content Delivery Network) and on the backend.
The setup of the simulation was conceived as an elaborate stress or load test comparable to a DoS attack. Given prior experience with performance testing in Octoperf, we decided to use this tool rather than one of the command-line tools mentioned above, since Octoperf provides many more customizable options and visualizations, for example the possibility to write elaborate scripts to execute, and the option to use several load generators from different locations to test geographical limitations and distribute the load.
Conclusion
For a moment we could put on our white hat and make a small contribution to the fight against corona, in the form of performance testing the Coronalert application. During the analysis and research phase for this particular use case, we also got a taste of what ethical hacking looks like, and of the tools available for it. It was an interesting exploration, and it inspires us to follow the white rabbit, as Neo did in The Matrix. Keep hacking!
Written by Bart Taelemans