NDNperf is a tool developed by Xavier Marchal, PhD student in the team, for NDN server-side performance evaluation and sizing purposes, in order to have an idea of the throughput a content-provider can achieve when it has to generate and transmit NDN Data packets. It is very similar to iPerf as it uses both a client and a server instance to perform the measurements while minimizing the number of instructions between Interest reception and Data emission. NDNperf is distributed under a GPL3 Open Source license and can be downloaded here.



Escape is a Firefox web browser addon designed and developed by the team to bypass HTTPS filtering. The extension was built in the context of evaluating HTTPS traffic filtering techniques based on the Server Name Indication (SNI) extension of TLS and which has been recently used by many firewalls. It offers the ability to bypass such firewalls and access blocked HTTPS websites. In addition, it can be used to bypass legacy filtering of DNS requests. The extension is implemented in JavaScript and is based on another security addon named Convergence. Escape is distributed under a GPL3 Open Source license and can be downloaded here.

KiF: an advanced protocol fuzzing framework


 KIF is an advance protocol fuzzer developed by the team. The tool builds on novel algorithms to make stateful, in depth fuzzing of remote devices. In its current version, it offers stateful fuzzing for Voice Over IP systems using the SIP signaling protocol. It offers smart fuzzing using either on the fly data generation or using pre-generated test suites to enable efficient fuzzed messages issuance. The environment also enables easy specification, addition and execution of new fuzzing scenarios.The framework is entirely developed in Python. The current distribution is provided as a fully pre-installed and running framework packaged in a VMware image. As of today, more than 20 companies and universities signed the NDA and are actively using the KiF framework. More details on KIF can be found on the environment's web site.



SECSIP is developed by the team to defend SIP-based (The Session Initiation Protocol) services from known vulnerabilities. It presents a proactive point of defense between a SIP-based network of devices (servers, proxies, user agents) and the open Internet. Therefore, all SIP traffic is inspected and analyzed against authored Veto specification before it is forwarded to these devices. When initializing, the SecSIP runtime starts loading and parsing authored VeTo blocks to identify different variables, event patterns, operations and actions from each rule. It implements an input and output layer, to capture, inject, send and receive SIP packets from and to the network. Intercepted packets are moved to the SIP Packet parser module. The main function of this module is to extract different fields within a SIP message and trigger events specified within the definition blocks. During each execution cycle when a SIP message arrives, the SecSIP runtime uses a data flow acyclic graph network to find definition matching rules and triggers defined events. The paired events in each operator node are propagated over the graph until a pattern is satisfied. When the pattern is satisfied, the respective rule is fired and the set of actions is executed.



The Neighbor Discovery Protocol Monitor ( NDPMon ) is an IPv6 implemention of the well-known ArpWatch tool. NDPMon monitors the pairing between IPv6 and Ethernet addresses (NDP activities: new station, changed Ethernet address, flip flop...). NDPMon also detects attacks on the NDP protocol, as defined in RFC 3756 (bogon, fake Router Advertisements...). New attacks based on the Neighbor Discovery Protocol and Address Auto-configuration (RFC 2461 and RFC 2462) have been identified and integrated in the tool. An XML file describes the default behavior of the network, with the authorized routers and prefixes, and a second XML document containing the neighbors database is used. This second file can be filled during a learning phase. All NDP activities are logged in the syslog utility, and so the attacks, but these ones are also reported by mail to the administrator. Finally, NDPMon can detect stack vulnerabilities, like the assignment of an Ethernet broadcast address on an interface.

NDPMon comes along with a WEB interface acting as a GUI to display the informations gathered by the tool, and give an overview of all alerts and reports. Thanks to color codes, the WEB interface makes possible for the administrator to have an history of what happened on his network and identify quickly problems. All the XML files used or produced by the daemon (neighbor cache, configuration file and alerts list) are translated in HTML via XSL for better readability. A statistic module is also integrated and gives informations about the discovery of the nodes and their type (MAC manufacturer distribution).

The software package and its source code is freely distributed under an opensource license (LGPL). It is implemented in C, and is available through a SourceForge project at http://ndpmon.sf.net. An open source community is now established for the tool which has distributions for several Operating Systems (Linux, FreeBSD, OpenBSD, NetBSD and Mac OS X). It is also integrated in FreeBSD ports at http://www.freebsd.org/cgi/cvsweb.cgi/ports/net-mgmt/ndpmon/. Binary distributions are also available for .deb and .rpm based Linux flavors.



6Tea is a transition engine designed to help administrators of business networks to transition their network for IPv4 to IPv6. The tool implements the transition algorithms defined in our team, takes as input a network topology and network devices information (like firewall configurations, device types, access protocols for their configuration) and generates a safe Ipv6 configuration for that network. The tool is able to propagate the configuration to the networked devices under the condition of availability of specific plugins. 6tea provides plugins for CISCO routers and firewalls as well as plugins for all major Open Source routers and firewalls. An online version of the tool is also available for third party users interested in generating configurations and addressing plans for their network.

VoIP bots


VoIPbot is a VoIP security tool created as a demonstrator of how attacks can be launched against VoIP/SIP services and users in a remotely and distributed manner. The environment contains bots that can be remotely managed over an Internet Relay Chat (IRC) channel from a cental manager. Our bots are currently able to perform the following tasks :

  • send SPAM over IP Telephony (SPIT),
  • distributed denial of service through intensive generation of invite messages to a target device,
  • active scanning of users through incremental options messages issuance to servers and response analysis,
  • cracking through brute-force testing of passwords against an identified user account,
  • simple device scanning and fingerprinting,
  • target aware device fuzzing.

The tool is developed using the Java programming language. It uses the JAIN-SIP, JMF and PIRCBOT libraries. The tool is distributed under a GPL2 Open Source license. Reports show its use mainly in the testing business so far.


AA4MM (Agents and Artefacts for Multi-modeling and Multi-simulation) is a framework for coupling existing and heterogeneous models and simulators in order to model and simulate complex systems. This is the first implementation of the AA4MM meta-model proposed in Julien Siebert's PhD. AA4M is written in Java and relies upon Java Messaging Services (JMS).AA4MM can be downloaded  here.