What is Inundator?

Inundator is a multi-threaded, queue-driven, anonymous intrusion detection false positives generator with support for multiple targets.

When would I use Inundator?

Whenever you feel like it. Seriously. It's anonymous, so why not watch the world burn?

Example Scenarios:
  • Before, during, and after a real attack to bury any potential alerts among a flood of false positives.
  • Seriously mess with an IDS analyst and keep an InfoSec department busy for days investigating false positives.
  • Test the effectiveness of an intrusion detection or prevention system. Fewer alerts means a better product; more alerts means a horrible product.

How does Inundator work?

At a high level, Inundator builds an attack queue, organized by destination port, by parsing the content: and uricontent: fields from Snort's poorly written pattern-matching rules. Inundator then builds a target queue by performing a port scan to identify open TCP ports on each target provided by the user. Once the queues have been built, Inundator will launch the requested number of worker threads. Each worker thread will select a random target from the target queue, as well as a random open port on the selected target. A random attack for the selected port will then be selected from the attack queue, and this information is used to build a completely innocent packet or request that contains patterns matching typical intrusion detection rules. The crafted attack will then be sent to the target via a SOCKS proxy (we default to Tor's local proxy). This procedure is repeated in an infinite loop by each worker thread until the user aborts.

Quite obviously, the actual ruleset used by the target intrusion detection system will play a very large part in whether our crafted attacks trigger a false positive. Inundator will generate an overwhelming number of false positives on systems which use extremely poor pattern-matching rules, and few to no false positives on systems which use well-written rules, heuristic-based detection, or anomaly-based detection mechanisms.
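A ruleset audit from the defender's side, as an added example that is not part of Inundator or of the original page: it counts, per destination port, the Snort TCP alert rules that fire on content:/uricontent: matches alone. The sample rules, the EXTRA_CHECKS and RATE_LIMITS lists, and the verdict names are assumptions made for illustration.

```python
import re
from collections import Counter

# Options that demand more than static content:/uricontent: bytes (assumed list).
# flow: is omitted on purpose: proxied traffic arrives over a completed TCP session.
EXTRA_CHECKS = {"pcre", "byte_test", "byte_jump", "flowbits", "dsize", "isdataat"}
RATE_LIMITS = {"threshold", "detection_filter"}

# Header of a TCP alert rule: captures the destination port and the option body.
RULE_RE = re.compile(r"^\s*alert\s+tcp\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+(?P<dport>\S+)"
                     r"\s+\((?P<opts>.*)\)\s*$")
# One "keyword[:value];" option; quoted values may contain ';' and backslash escapes.
OPT_RE = re.compile(r'\s*([A-Za-z_.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def audit_rule(line):
    """Return (sid, dport, verdict) for one 'alert tcp' rule, or None for other lines."""
    m = RULE_RE.match(line)
    if not m:
        return None
    opts = [(k.lower(), v.strip()) for k, v in OPT_RE.findall(m.group("opts"))]
    names = {k for k, _ in opts}
    sid = next((v for k, v in opts if k == "sid"), "?")
    if not names & {"content", "uricontent"}:
        verdict = "no-content"
    elif names & EXTRA_CHECKS:
        verdict = "constrained"
    elif names & RATE_LIMITS:
        verdict = "content-only, rate-limited"
    else:
        verdict = "content-only"
    return sid, m.group("dport"), verdict

def audit(rules_text):
    """Count verdicts per destination port over a whole rules file."""
    results = filter(None, map(audit_rule, rules_text.splitlines()))
    return Counter((dport, verdict) for _, dport, verdict in results)

# Constructed sample ruleset (local-range SIDs, not real signatures).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE static uri"; flow:to_server,established; uricontent:"/example.cgi"; nocase; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE uri plus regex"; flow:to_server,established; uricontent:"/example.cgi"; pcre:"/id=\d{40,}/U"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"EXAMPLE static command"; content:"SITE EXAMPLE"; detection_filter:track by_src, count 5, seconds 60; sid:1000003; rev:1;)
# alert tcp any any -> any 25 (msg:"EXAMPLE disabled rule"; content:"x"; sid:1000004;)
'''

if __name__ == "__main__":
    for (port, verdict), n in sorted(audit(SAMPLE_RULES).items()):
        print(f"port {port:>5}  {verdict:<27} {n}")
```

Ports with a high share of "content-only" rules are where the ruleset is most exposed to the false-positive flood described above, so those rules are the first candidates for tightening or rate limiting.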

Downloading and Installing Inundator.

BackTrack Linux:

Inundator is now part of BackTrack Linux! Inundator is in the default installation of BackTrack 4 R1, so if you're an R1 user, you don't need to install it :) If you're using BackTrack 4 Final, you can simply install Inundator via BackTrack's software repository as you would any other software package. If you're using BackTrack 3 or prior, you really should just upgrade to R1; else follow the instructions for "All Other Operating Systems" below.

Debian and Other Debian-Based Distributions:

The preferred method of installation for all other .deb-based distributions is via our software repository. This is by far the best and simplest way of installing Inundator and its dependencies.

Add our repository to /etc/apt/sources.list:
deb http://inundator.sourceforge.net/repo/ all/

Next, download and install our GPG key:
wget http://inundator.sourceforge.net/inundator.asc
apt-key add inundator.asc

Then you can automatically pull in Inundator and all its dependencies:
aptitude update
aptitude install inundator

All Other Operating Systems:

Please download the source tarball here. Please note that Inundator has only been tested on a small number of platforms, but it is presumed to work without issue on any POSIX operating system. Installation should be as simple as running 'make install'; however, you will need to manually install Inundator's dependencies in order for it to run:

- Nmap
- Perl (>= 5.10)
- Net::SOCKS (>= 0.03)
- Net::CIDR (>= 0.11)
- Snort's rules files
- Oinkmaster (for keeping Snort rules up to date)
- Tor (If you don't have a remote SOCKS proxy to exploit.)


If you need assistance with Inundator, have found a bug, or would like to submit a feature request or patch, please visit our tracker.

Copyright (C) 2010, bindshell.nl. All rights reserved.
Inundator is licensed under the three-clause BSD license.
