Benefits of stress testing

Stress testing is the process of validating the ability of a software or web application to maintain a certain level of effectiveness, functionality and behavior under unfavorable or extreme conditions. It provides insight into how software or web applications will behave with maximum load. Some of the benefits of stress testing include:

It can be used to determine the robustness of a software or web application with maximum load under extreme conditions. It helps to determine the maximum limit or threshold software or web applications can manage before failing. It can be used to identify how the software or web application handles errors. It can be used to identify bugs such as synchronization and timing bugs, resource loss bugs and more. It can be used to identify interlock and priority problems, memory leaks, data loss and corruption. It can be used to identify triggers and warning signs. It can be used to determine security vulnerabilities when a software or web application is under extreme conditions. It helps to evaluate how the software or web applications recover from extreme conditions or when unexpected behaviors occur. It helps to ensure that system failures from extreme conditions or unexpected behaviors do not result in a security breach, data leak or corruption.

Top 5 tools on Kali Linux for stress testing

1. SlowHTTPtest

SlowHTTPtest is a configurable tool used to simulate low-bandwidth application-layer denial of service attacks by prolonging HTTP connections in various ways. It connects to a web server via HTTP and hogs critical resources such as the CPU and the RAM resulting in a denial of service (DoS). Some of its features include:

Can be used on many Linux distributions, OSX and Windows. Can be used to test the web server for DoS vulnerabilities. Can be used to test how many concurrent connections the web server can handle. Can be used to carry out various application layer DoS attacks such as slowloris, Slow HTTP Post, Slow Read Attacks and Apache Range Header attacks. It exploits the HTTP protocol by sending partial HTTP requests, using a very low transfer rate or by slowly reading responses to legitimate HTTP requests. Customizable data output from simple status information auto-generated every five seconds (level one) to full traffic dump (level four).

SlowHttpTest.

2. THC-SSL-DOS

THC-SSL-DOS was developed by The Hacker’s Collective as a proof of concept for the SSL/TLS renegotiation vulnerability (CVE-2009-3555). It is used to verify the performance of SSL by performing a resource exhaustion attack on the SSL protocol. It works by initiating a regular SSL handshake and immediately requesting for the renegotiation of the encryption key constantly until the server runs out of resources resulting in a crash. Some of its features include:

Can be used on UNIX and Windows. Exploits the SSL secure renegotiation feature whereas many negotiations as possible are triggered via a single TCP connection. Can be used to exploit the SSL key renegotiation feature enabled on servers. The point of exhaustion used here is that establishing an SSL connection requires 15 times more processing power on the server than on the client.

THC-SSL-DOS.

3. FunkLoad

FunkLoad is an open-source python-based tool used for functional and load testing of web applications by emulating a single-threaded web browser. It can also be used to compile web agents by scripting web repetitive tasks. Some of its features include:

Can be used for various types of testing including functional, regression, load, performance and stress testing. Easy to install and compile. Can be used to test different web servers like PHP, Python, Java and more. Provides a detailed report about the performance of the web application tested. Provides trend reports to view the performance evolution with multiple reports to give an overview of the load changes. Easily customizable tests using a config file or command-line options. Can turn a functional test into a load test. Provides detailed bench reports in various formats such as ReST, HTML, Org-Mode and PDF. Provides basic services such as Linux monitoring, credential server and random data generator. Test scenarios imported from tcpwatch recorder.

4. DHCPig

DHCPig is a python-based tool that can be used to attack the DHCP server with an advanced exhaustion or consumption attack. The exhaustion or consumption attacks work by exhausting the IP address pool configured in the DHCP server. This results in new users/clients/workstations not getting IP addresses and this leads to IP address starvation. It also sends gratuitous ARP requests to all windows hosts knocking them offline. Some of its features include:

Can be used on Linux and Windows. Requires root privileges. Can be used to simulate DHCP clients with random MAC addresses. The script will execute until the IP address pool is exhausted and thus prevents new clients from obtaining IP addresses. Can attempt to unregister live neighbors by forging DHCP RELEASE messages sending them to the DHCP server. This prevents hosts with a currently assigned IP address from renewing it. Can disconnect Windows machines by simulating IP address conflicts resulting in the Windows machine releasing their current address to fetch a new one from the DHCP server.

DHCPig.

5. InviteFlood

InviteFlood is a tool used to perform SIP/SDP INVITE message flooding over UDP/IP on VOIP networks. It can be utilized to perform DoS attacks (including preventing users from initiating calls) against SIP devices (like PBX and IP telephones) by flooding them with INVITE Request messages. Some of its features include:

Can be used on several Linux distributions. Targets SIP gateways/proxies and SIP phones. Can be used to carry out SIP proxy attacks. Focuses on SIP devices such as SIP phones, media gateways, PBX and more. Most SIP networks use UDP which allows a malicious individual to leverage in flooding a SIP proxy or phone using the InviteFlood tool. It is a transmit-only tool. It cannot be used to respond to authentication challenges or call dialog handshaking. It keeps flooding the SIP gateway with several requests resulting in users unable to initiate phone calls.

InviteFlood,

Utilizing Kali Linus tools in stress testing

There are many benefits to carrying out stress testing on web applications, software and the network. Kali Linux provides many specialized tools for stress testing.  

Sources:

    Kali Linux Tools Listing, Kali     FunkLoad, Github     SlowHTTPTest, GitHub     Vulnerability Analysis: Stress Testing Tools, Medium     DHCP Exploitation Guide, White Winter Wolf     DHCP Pool Exhaustion Attack, Networklibrary     SIP Proxy Attacks, Flylib     The THC SSL DoS Threat, InfoSec Institute