Inundator: A Multi-threaded, Queue-driven, IDS evasion tool!

8 07 2010

What is inundator?

inundator is a multi-threaded, queue-driven, IDS evasion tool. Its purpose is to anonymously flood intrusion detection systems (specifically Snort) with traffic designed to trigger false positives via a SOCKS proxy in order to obfuscate a real attack.

When would I use inundator?

inundator would be used whenever you feel there is a significant chance the attack you’re about to perform may be detected by the target’s intrusion detection system. You would launch inundator prior to starting the attack, and continue running it well after you have finished the attack. The hope is that if your attack is detected by the IDS, the alert will be buried among several thousand false positives, thus minimizing the chance of an IDS analyst detecting the real attack.

How does inundator work?

At a high level, inundator parses enough data from Snort’s vague and poorly-written rules files to generate completely harmless traffic containing the right keywords to trigger a false positive. The actual ruleset used by the target IDS will play a very large part in whether our false attacks trigger a false positive, but we make a strong attempt to parse Snort’s rules in a manner which maximizes the chance of our false attacks being detected.

After the rules are parsed, the necessary information for matching each rule is queued up by destination port in the attack queue. An nmap scan is then performed against each specified target to determine which ports are open on each target, and this information is added to the targets queue. inundator then spawns the requested number of threads, and each worker thread selects a random target and a random attack from the queues, generates a false attack from the information in the attack queue, and sends the false attack to the target via a SOCKS proxy (inundator attempts to use Tor’s local SOCKS proxy by default). The worker threads repeat this process in an infinite loop until you decide to abort the application.
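From the defender's side, the flood described above is visible in Snort's own alert output: one source (the proxy or Tor exit) produces a burst of many distinct signatures against the same target in a short window, while the alert worth reading comes from somewhere else or at a different rate. The following added example, which is not part of the original post and not code from inundator, parses Snort fast-format alert lines and separates such bursts from the remaining alerts. The log lines, SIDs, messages and addresses are constructed for the example, and the window and threshold values are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort "fast" alert format (alert_fast output), one alert per line:
#   MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: ...]
#   [Priority: n] {PROTO} src:sport -> dst:dport
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Fast alerts carry no year; an assumed year is prepended so timestamps can be
# turned into seconds for windowing (the example only needs relative order).
ASSUMED_YEAR = "2010"
EPOCH = datetime(2010, 1, 1)


def parse_fast_alert(line):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line)
    if not m:
        return None
    alert = m.groupdict()
    alert["time"] = datetime.strptime(ASSUMED_YEAR + " " + alert["ts"], "%Y %m/%d-%H:%M:%S.%f")
    alert["seconds"] = (alert["time"] - EPOCH).total_seconds()
    alert["sid"] = int(alert["sid"])
    return alert


def find_flood_sources(alerts, window=60, min_alerts=20, min_distinct_sids=5):
    """Sources that fire many alerts across many different signatures within one window.

    A single noisy scanner usually trips one or two signatures repeatedly; a
    decoy flood built from the ruleset trips many unrelated signatures at once.
    Thresholds are assumptions for this example, not recommended values.
    """
    buckets = defaultdict(list)  # (source IP, window index) -> alerts in that window
    for a in alerts:
        buckets[(a["src"], int(a["seconds"] // window))].append(a)
    flooders = set()
    for (src, _), group in buckets.items():
        if len(group) >= min_alerts and len({a["sid"] for a in group}) >= min_distinct_sids:
            flooders.add(src)
    return flooders


def triage(lines, **thresholds):
    """Split parsed alerts into (flood sources, alerts that are not part of a flood)."""
    alerts = [a for a in map(parse_fast_alert, lines) if a is not None]
    flooders = find_flood_sources(alerts, **thresholds)
    kept = [a for a in alerts if a["src"] not in flooders]
    return flooders, kept


# --- constructed sample log: 30 decoy alerts from one source in 30 seconds,
# --- spread over six hypothetical SIDs, plus two alerts from another source.
def _alert(ts, sid, msg, src, sport, dst, dport):
    return (f"{ts}  [**] [1:{sid}:1] {msg} [**] [Classification: Attempted Information Leak] "
            f"[Priority: 2] {{TCP}} {src}:{sport} -> {dst}:{dport}")


DECOY_SIDS = [1000, 1001, 1002, 1003, 1004, 1005]  # hypothetical SID values
SAMPLE_LOG = [
    _alert(f"08/07-12:00:{i:02d}.000000", DECOY_SIDS[i % len(DECOY_SIDS)],
           "CONSTRUCTED decoy signature", "10.0.0.5", 40000 + i, "192.168.1.10", 80)
    for i in range(30)
] + [
    _alert("08/07-12:00:15.500000", 2001, "CONSTRUCTED probe", "10.0.0.9", 51000, "192.168.1.10", 80),
    _alert("08/07-12:00:40.250000", 2002, "CONSTRUCTED probe", "10.0.0.9", 51001, "192.168.1.10", 22),
]

if __name__ == "__main__":
    flooders, kept = triage(SAMPLE_LOG)
    print("flood sources:", sorted(flooders))
    for a in kept:
        print(a["ts"], a["sid"], a["src"], "->", a["dst"] + ":" + a["dport"], a["msg"])
```

Rather than discarding alerts from a flood source, a queue that routes them to a lower-priority view keeps them available for later correlation: the real activity may well arrive through the same proxy, so source-and-window grouping is a first cut that restores the analyst's ability to read the rest of the alert stream, not a complete filter.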

via inundator.