I need to work on fine tuning my pf.conf. I like to do such experimenting by setting up a test machine to get the pf rules right, before going live on my bare metal server. The test machine would be a FreeBSD guest running in a VirtualBox VM on a Windows host. I've worked with test machines like this quite a bit.
One of the things I want to do is imitate what the evildoers are doing. It is pretty obvious that they are using port scanners to probe my system for open ports and then hammering away on those for hours on end. The tougher part is that they are also using multiple IP addresses to do this, presumably by shepherding large botnets to do their bidding.
It looks like a bad guy is using one IP address and something like nmap to find the open ports, then feeding my IP address and the ports-to-be-hammered into the botnets, which follow orders. I have endless logs showing this activity. I may not really understand how this is being done, but the logs make it look like this.
In order to imitate these bad guys I need some way to probe my test machine from a range of IP addresses originating from my FreeBSD server box. The IP addresses do not need to be public; I was thinking that a range like 10.0.1.0/16 would likely be plenty. The actual ports being probed don't matter.
Does a utility like this exist? Can it be imitated using a sh or perl script? It would be nice if the time between IP address hits could be configured from milliseconds up, and also if some of the IP addresses repeated at semi-random times during the run. I think using ping to hit the ports would be good enough, though perhaps a way to send a SYN would be good as well.
Or perhaps I am thinking about this all wrong, in which case I'd appreciate any guidance the hive would care to offer.
TIA.
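A pf ruleset that a test setup like the one described above would be used to exercise, added here as an example and not part of the original post: per-source connection-rate limiting with an overload table, so any single address that hammers a port is cut off for a while no matter how many other addresses join in. It assumes the external interface is em0 and that SSH on 22/tcp is the hammered service; both are placeholders to adjust.

```pf
# Added example pf.conf fragment (not from the original post).
# Assumptions: external interface em0, hammered service is SSH on 22/tcp.
ext_if = "em0"

# Sources that trip the rate limit land in this table. "persist" keeps the
# table across ruleset reloads so the blocks survive a pfctl -f.
table <hammering> persist

set skip on lo0
set block-policy drop

# Drop traffic from already-listed sources before any pass rule is evaluated.
block in quick on $ext_if from <hammering>

# Default deny inbound, logged so pflog shows what the scanners are touching.
block in log on $ext_if
pass out on $ext_if keep state

# Allow SSH, but at most 10 simultaneous and 5 new connections per 30 seconds
# from any one source. A source exceeding either limit is added to <hammering>
# and all of its existing states are torn down ("flush global").
pass in on $ext_if proto tcp to ($ext_if) port 22 \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 5/30, overload <hammering> flush global)
```

After a test run, `pfctl -t hammering -T show` lists which source addresses were caught, and a periodic `pfctl -t hammering -T expire 3600` evicts entries older than an hour so the table does not grow without bound when many addresses take turns. The per-source counters do not catch a botnet where each address stays under the rate on its own, which is what the logged block rule and pflog review are for.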