Ping Flood Attack for NfSen
---------------------------

A low-level, simple attack that seems to work well is:

  From one physically attached box flood virtual routers 1-5.
  From another physically attached box flood virtual routers 6-9.

Adjust as needed based on class size.

If you have the MacMini and the fitPC in your lab, then these work
well as the two platforms. Otherwise, you may want to physically
connect a laptop to the classroom backbone switch to avoid having
the ping flood run over wifi.

In Linux open a screen session. In separate windows launch your flood:

  # ping -s 1472 -i .01

You need to be root to use "-i .01".
"-s 1472" will also give you a nicely-sized amount of traffic.

You can detach the screen session if you wish.

This works well if you split up the NetFlow / NfSen sessions so that
people have NfSen installed by the end of session 1, then you launch
the attack as they go on break. When they return, hopefully they have
enough ICMP history to see the sudden jump in traffic for that protocol.

Generally I tell people they are under attack. Their mission is to
figure out what protocol it is and where it is coming from, for their
group's router. I explain it is low-level on purpose, and might
represent "noise" you could see in a live network and never even have
realized it was there.

Note: there appears to be a bug in dynamips where some of the ping
      flood traffic is echoed from the group's router to all the PCs
      in the group, and these will see pings coming from 127.0.0.1...
      It is not the same amount of traffic, so clearly this needs to
      be investigated at some point.

Note: As router 5 is sending flows to Group 6, and router 6 to Group 5,
      depending on where participants are viewing NfSen they may have
      a different viewpoint of where the attack is being launched from.

-- HA
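
The exercise above asks participants to find which protocol jumped and where it is coming from. As an added example (not part of the original note), this Python script does the same over per-5-minute flow totals. The addresses, byte counts and thresholds are constructed, and loopback sources are set aside because of the 127.0.0.1 echo mentioned in the first note.

```python
from collections import defaultdict

# Constructed sample (not real lab data): 5-minute bin, protocol, src, dst, bytes.
# 45,000,000 bytes = 100 pings/s x 1500-byte IP packets x 300 s ("-s 1472 -i .01").
FLOWS = [
    ("10:00", "tcp",  "10.10.5.21",  "10.10.0.250", 2_400_000),
    ("10:00", "icmp", "10.10.5.21",  "10.10.5.254", 8_400),
    ("10:05", "tcp",  "10.10.5.22",  "10.10.0.250", 2_900_000),
    ("10:05", "icmp", "10.10.5.22",  "10.10.5.254", 8_400),
    ("10:10", "tcp",  "10.10.5.21",  "10.10.0.250", 2_600_000),
    ("10:10", "icmp", "10.10.0.241", "10.10.5.254", 45_000_000),
    ("10:10", "icmp", "127.0.0.1",   "10.10.5.21",  3_000_000),
    ("10:15", "tcp",  "10.10.5.22",  "10.10.0.250", 2_500_000),
    ("10:15", "icmp", "10.10.0.241", "10.10.5.254", 45_000_000),
]

def find_spikes(flows, factor=5.0, min_bytes=1_000_000):
    """First bin per protocol whose bytes exceed factor x the mean of earlier bins."""
    bins = sorted({f[0] for f in flows})
    totals = defaultdict(lambda: defaultdict(int))
    for ts, proto, _src, _dst, nbytes in flows:
        totals[proto][ts] += nbytes
    spikes = []
    for proto, series in totals.items():
        for i in range(1, len(bins)):
            history = [series.get(b, 0) for b in bins[:i]]
            baseline = sum(history) / len(history)
            current = series.get(bins[i], 0)
            # min_bytes keeps tiny protocols from alerting on a few extra packets
            if current >= min_bytes and current > factor * max(baseline, 1):
                spikes.append((proto, bins[i], current, baseline))
                break
    return spikes

def top_sources(flows, proto, ts, ignore=("127.0.0.1",)):
    """Rank source addresses by bytes for one protocol in one bin."""
    per_src = defaultdict(int)
    for t, p, src, _dst, nbytes in flows:
        if p == proto and t == ts and src not in ignore:
            per_src[src] += nbytes
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for proto, ts, current, baseline in find_spikes(FLOWS):
        print(f"{proto} jumped to {current} bytes at {ts} (baseline {baseline:.0f})")
        for src, nbytes in top_sources(FLOWS, proto, ts):
            print(f"  source {src}: {nbytes} bytes")
```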