Get the full ebook with Bonus Features for a Better Reading Experience on ebookluna.

com

Network performance and security : testing and

analyzing using open source and low-cost tools 1st
Edition Chapman - eBook PDF

https://ebookluna.com/download/network-performance-and-
security-testing-and-analyzing-using-open-source-and-low-
cost-tools-ebook-pdf/

OR CLICK HERE

DOWLOAD NOW

Download more ebook instantly today at https://ebookluna.com

 Instant digital products (PDF, ePub, MOBI) ready for you
Download now and discover formats that fit your needs...

Build Your Own Cybersecurity Testing Lab: Low-cost

Solutions for Testing in Virtual and Cloud-based
Environments 1st Edition Ric Messier - eBook PDF
https://ebookluna.com/download/build-your-own-cybersecurity-testing-
lab-low-cost-solutions-for-testing-in-virtual-and-cloud-based-
environments-ebook-pdf/
ebookluna.com

(eBook PDF) Cryptography and Network Security Principles

and Practice 7th

https://ebookluna.com/product/ebook-pdf-cryptography-and-network-
security-principles-and-practice-7th/

ebookluna.com

(eBook PDF) Computer Security and Penetration Testing 2nd

Edition

https://ebookluna.com/product/ebook-pdf-computer-security-and-
penetration-testing-2nd-edition/

ebookluna.com

Open Radio Access Network (O-RAN) Systems Architecture and

Design 1st Edition Wim Rouwet - eBook PDF

https://ebookluna.com/download/open-radio-access-network-o-ran-
systems-architecture-and-design-ebook-pdf/

ebookluna.com
(eBook PDF) Advanced Mathematical And Computational Tools
In Metrology And Testing X

https://ebookluna.com/product/ebook-pdf-advanced-mathematical-and-
computational-tools-in-metrology-and-testing-x/

ebookluna.com

Penetration Tester's Open Source Toolkit 4th edition

Edition Faircloth - eBook PDF

https://ebookluna.com/download/penetration-testers-open-source-
toolkit-ebook-pdf/

ebookluna.com

Cryptography and Network Security: Principles and

Practice, Global Edition William Stallings - eBook PDF

https://ebookluna.com/download/cryptography-and-network-security-
principles-and-practice-global-edition-ebook-pdf/

ebookluna.com

Dynamics and Stochasticity in Transportation Systems:

Tools for Transportation Network Modelling 1st Edition -
eBook PDF
https://ebookluna.com/download/dynamics-and-stochasticity-in-
transportation-systems-tools-for-transportation-network-modelling-
ebook-pdf/
ebookluna.com

(eBook PDF) Cost Management: Measuring, Monitoring, and

Motivating Performance, 3rd Canadian Edition

https://ebookluna.com/product/ebook-pdf-cost-management-measuring-
monitoring-and-motivating-performance-3rd-canadian-edition/

ebookluna.com
 Network Performance
and Security
Testing and Analyzing Using
Open Source and Low-Cost Tools

Chris Chapman

Steve Furnell, Technical Editor

AMSTERDAM • BOSTON • HEIDELBERG • LONDON

NEW YORK • OXFORD • PARIS • SAN DIEGO
SAN FRANCISCO • SINGAPORE • SYDNEY • TOKYO
Syngress is an imprint of Elsevier
Syngress is an imprint of Elsevier
50 Hampshire Street, 5th Floor, Cambridge, MA 02139, USA

Copyright © 2016 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or any information storage and
retrieval system, without permission in writing from the publisher. Details on how to seek
permission, further information about the Publisher’s permissions policies, and our arrangements
with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency
can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the
Publisher (other than as may be noted herein).

Notices
Knowledge and best practice in this field are constantly changing. As new research and experience
broaden our understanding, changes in research methods, professional practices, or medical
treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in
evaluating and using any information, methods, compounds, or experiments described herein. In
using such information or methods they should be mindful of their own safety and the safety of
others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors,
assume any liability for any injury and/or damage to persons or property as a matter of products
liability, negligence or otherwise, or from any use or operation of any methods, products,
instructions, or ideas contained in the material herein.

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

A catalog record for this book is available from the Library of Congress

ISBN: 978-0-12-803584-9

For information on all Syngress publications

visit our website at https://www.elsevier.com/

Publisher: Todd Green

Acquisition Editor: Brian Romer
Editorial Project Manager: Anna Valutkevich
Production Project Manager: Punithavathy Govindaradjane
Designer: Matthew Limbert

Typeset by Thomson Digital

This book is dedicated to Joan. Without her,
nothing would be possible.
 CHAPTER

Introduction to practical
security and performance
testing
1
This book is intended to help you practically implement real-world security and op-
timize performance in your network. Network security and performance is becoming
one of the major challenges to the modern information technology (IT) infrastruc-
ture. Practical, layered implementation of security policies is critical to the continued
function of the organization. I think not a week goes by where we do not hear about
data theft, hacking, or loss of sensitive data. If you dig deeper into what actually
happens with security breaches, what you read in the news is only a small fraction of
the true global threat of inadequate or poorly executed security. One thing that we all
hear when an article or a news item is released is excessive amounts of buzz words
around security, with little content about how it may have been prevented. The truth
is, security mitigation is still in its infant stages, following a very predictable pattern
of maturity like other network-based technologies. Performance is another critical
part of a well-performing network. Everyone knows they need it, but to test it and
measure it is not only a science, but also an art.
I assume that the reader of this book has a desire to learn about practical security
techniques, but does not have a degree in cyber security. I assume as a prerequisite
to implementing the concepts in this book, the reader has a basic understanding of IT
implementation, has a mid level experience with Windows and Active directory, and
has had some experience with Linux. Furthermore, my intent in this book is to mini-
mize theory and maximize real-world, practical examples of how you can use readily
available open source tools that are free, or relatively low cost, to help harden your
network to attacks and test your network for key performance roadblocks before and
during deployment in a production network. In fact, the major portion of theory that I
will cover is in this chapter, and the focus of that information will be on giving you a
baseline understanding in practical deployment and applications of security and per-
formance. I also assume noting, and will take you through execution of best practices.

A BASELINE UNDERSTANDING OF SECURITY CONCEPTS

What is an attack? It is an attempt to gather information about your organization or
an attempt to disrupt the normal working operations of your company (both may be
considered malicious and generally criminal). Attacks have all the aspects of regular
crime, just oriented toward digital resources, namely your network and its data. A
threat uses some inefficiency, bug, hole, or condition in the network for some ­specific
 1

2 CHAPTER 1 Introduction to practical security and performance testing

objective. The threat risk to your network is generally in proportion to the value or
impact of the data in your network, or the disruption of your services no longer func-
tioning. Let me give a few examples to clarify this point. If your company processed
a high volume of credit card transactions (say you were an e-commerce business)
then the data stored in your network (credit card numbers, customer data, etc.) is a
high target value for theft because the relative reward for the criminals is high. (For
example, credit card theft in 2014 was as high as $8.6B [source: http://www.­heritage.
org/research/reports/2014/10/cyber-attacks-on-us-companies-in-2014].) Or, if your
business handles very sensitive data, such as patient medical record (which gener-
ally have the patient-specific government issued IDs such as social security numbers
attached), you are a prime target. In either case, the value of data in your network
warrants the investment and risk of stealing it. Say, you are a key logistics ship-
ping company, the value to the attacker may be to disrupt your business, causing
wider economic impact (classic pattern for state-sponsored cyber terrorism [exam-
ple: http://securityaffairs.co/wordpress/18294/security/fireeye-nation-state-driven-
cyber-attacks.html]). On the other hand, if you host a personal information blog, it is
unlikely that cyber crime will be an issue. To put it bluntly, it is not worth the effort
for the attackers. The one variable in all of this is the people who attack network “be-
cause they can.” They tend to use open source exploit tools, and tend to be individu-
als or very small groups, but can be anywhere on the Internet. We have to be aware
of the relative value of our data, and plan security appropriately.
There are many ways of attacking a network, let us spend a few moments and
cover some of the basics of security and performance. If we divide attacks into their
classification, we can see the spread of class of attacks growing over time. What
types of attacks may you experience in the production network?

DDoS ATTACK
DDoS, or distributed denial of service, attacks are an attack class with the intent to
disrupt some element of your network by utilizing some flaw in a protocols stack (eg,
on a firewall), or a poorly written security policy. The distributivenes comes into play
because these attacks can first affect devices such as personal computer (PC) or mobile
device on the Internet, and then at a coordinated time, can attack the intended target.
An example would be a TCP SYN flood, where many attempted, but partial, TCP con-
nections are opened with the attempt to crash a service on the target. DDoS attacks may
also be blended with other exploits in multistage attacks for some multistage purpose.

BOTNET/WORM/VIRUS ATTACK
A botnet is a code that first attempts to install its self within the trusted portion of your
network, though combined and blended attacks may spread to other resources across
your network. A botnet has two possible objectives. First, spread as far and as fast as
it can within the target domain and then at a specified time, bring down elements in the
network (like PCs). Second, a botnet can quietly sit in the network, collect data, and
 A baseline understanding of security concepts 3

“phone home” back to a predefined collection site over well-known protocols. This
is considered a scrapping attack because data are collected from behind your firewall
and sent over known-good protocols such as HTTP/HTTP(S) back home.

TROJAN HORSE
A trojan horse is a type of attack that embeds the malicious code in some other
software that seems harmless. The intent is to get the user to download, install, and
run the innocent software, which then will case the code to infect the local resource.
Another great example of this is infected content that is downloaded off of P2P net-
works such as Bittorent; the user runs the content and the malicious code is installed.

ZERO-DAY ATTACK
A zero-day attack is a traffic pattern of interest that in general has no matching patterns
in malware or attack detection elements in the network. All new attacks are characterized
initially as zero-day attacks.

KEYLOGGERS
A keylogger is a code that is installed by malware and sets on a device that has
keyboard input (like a PC) and records keystrokes. The hope of the keylogger is that
it will capture user login credentials, credit card number, government ID numbers,
which can later be sold or used. Keylogger can be deployed by botnets, or themselves
be deployed. Variants of keyloggers will look at other inputs and records. For ex-
ample, variant code may listen to your built-in microphone or record video from the
integrated camera (or just take periodic snapshots).

SQL INJECTION ATTACK

Chances are you have an SQL database somewhere in your network. Attackers know
this and know by its very nature that the database holds valuable data, or at the least
is a choke point in the workflow of your business. An SQL injection attack uses
malformed SQL queries to perform one of two possible functions. First, the simplest
attack is to crash some or part of the database server. This has the obvious effect
of stopping business workflows. Second, an SQL attack may be used to selectively
knock down part of the SQL server, exposing the tables of data for illicit data mining.

CROSS-SITE SCRIPTING ATTACK (XSS ATTACK)

The modern platform for application is the web. What this means is that the sophis-
tication of what is served and processed has greatly increased. The web has moved
from a simple text-based system to a full application API. A cross-site scripting at-
tack takes advantage of this sophistication by attempting to modify the middle ware
of the web application. For example, it may insert JavaScript inside of code to bypass
4 CHAPTER 1 Introduction to practical security and performance testing

a login, capture data, and phone home or become purely malicious. This class of at-
tack is a good example of how attackers desire malicious code to be undetected for as
long as possible, especially when the exploit is attempting to collect data.

PHISHING ATTACK
A phishing attack can come in many forms, but generally focus on web content modifi-
cation and emails. The idea behind a phishing attack is to look legitimate, attempt the tar-
get to give sensitive data, and capture/sell the data for profit or use it for malicious means.

ROOTKIT
A rootkit is a special type of worm that can embed its self deeply into the operating
system (thus the “Root”) such that it can take over the system involuntarily. Rootkits
can be very difficult to remove and detect.

FIRMWARE VIRUS
A firmware virus will attempt to reflash elements that have firmware, such as your
hard drive or PC EFI. This is related to the rootkit family of attacks and in some
cases can physically destroy equipment. For example, a virus inserted in a hard drive
firmware can destroy the lower layer formatting of the drive, or corrupt TRIM setting
to accessibly use SSD memory cells to failure. On a server, EFI virus could increase
CPU core voltage and turn off fans to cause death by heat.

HIJACK ATTACK/RANSOMWARE
This class of attack attempts to take a legitimate active session and insert or redirect
data to a collector. For example, imagine an e-commerce session, where users ship-
ping and credit card information is captured. This class of attack is sometimes called
a “Man in the Middle” attack. In the case of Ransomware, the attack will shut down
the device functions and make the user pay, sometimes even a small amount, to “un-
lock” their PC. Attackers know that if a user pays, say $5, to “recover” their gear, it
may not be worth reporting. This, multiplied by millions, can be big business.

SPOOF/EVASION ATTACK
In this class of attack, the attacker intentionally rewrites Ipv4, UDP, and TCP fields
to try to hide from firewall rules. For example, if I take an attack and use IPv4 frag-
mentation, I might be able to hide the attack from the firewall policy rules, because as
the attacker, I hope the firewall pattern matching code does not cover this condition.

BUFFER OVERFLOW ATTACK

Typically, network application, protocol stacks, buffers, and queues expect data re-
quest in a structured format. A buffer overflow attack will attempt to intentionally
 Volumetric attacks and attack frequency across the internet 5

send malformed or excessive data to “crash” some or part of the application, firewall,
or any network element in between. Sometimes, this is called a knockdown attack.

PASSWORD ATTACK
This kind of attack uses automation to break a password by many iterations. There
are three types of approaches: Brute-force, dictionary, and hybrid attempts. This is
always a roll of the dice, but in some cases, especially with a dictionary technique,
attackers know users have poor password selection habits, and will try clusters of
known combinations first.

PENETRATION ATTACKS
A penetration attack is more complicated than other types of attacks, because it tends
to be multistage, distributed, and orchestrated. These types of attacks can be the most
damaging, because generally they require a level of sophistication and resources to
achieve their target. Many security breaches you might hear about in the news are
sophisticated penetration attacks, especially if there is a large volume of data theft.
Penetration attacks are like high stakes poker. It requires skills, patience, strategy,
and stages, but has very large payouts if successful.

MALWARE
Malware is a generic class of attack that may refer to distributed as trojans, worms,
botnets via applications, websites, or emails. Malware is the most prodigious form of
attacks, with Q4 millions of variants flowing through the Internet annually. It should
be noted that attacks can form hierarchies. For example, malware may be used to
insert rootkits or keyloggers. Malware may also insert other malware as a cascading
infection through your network.

VOLUMETRIC ATTACKS AND ATTACK FREQUENCY ACROSS

THE INTERNET
With over 82,000 new malware attacks daily [source: http://www.pcworld.com/
article/2109210/report-average-of-82-000-new-malware-threats-per-day-in-2013.
html], it should be assumed that you will be attacked hourly. It is projected that
by 2020, this rate will increase to over 100 GBps per day, every day, 365 days a
year [source: https://www.neustar.biz/resources/whitepapers/ddos-protection/2014-­
annual-ddos-attacks-and-impact-report.pdf]. So form the perspective of your net-
work; it is a safe bet that each and every day you will be either directly targeted or
indirectly experience attacks on your public Internet peering points. Understanding
this point is very important, because it is no longer “when” but “how and where”
you will be targeted. Knowing that you will be perpetually attacked, and still having
6 CHAPTER 1 Introduction to practical security and performance testing

the requirement of transacting business over the Internet is a critical mindset toward
security and performance of the modern network.
There are two really good websites that will show live attacks based on a world
map.
NorseIP (http://map.ipviking.com/) and Digital Attack Map (http://www.
digitalattackmap.com/#anim=1&color=0&country=ALL&list=0&time=16843&view
=map) will show live attacks based on country.
Both of these sites should be used to see patterns of attacks across the Internet.
The intent is to demonstrate scope and scale of attacks that happen daily.

SECURITY NETWORK ELEMENTS

So, what are the devices and subsystems in the network that can help manage securi-
ty? These devices should always allow with minimal impact for valid user workflows
while catching and mitigating attacks.
Here are some of the devices.

DISTRIBUTED FIREWALL
Original firewalls were a single appliance with a trusted, untrusted, and DMZ net-
work connections. They would have a policy that would allow or drop conversations.
This model has evolved into a distributed firewall, which will allow you to write an
enterprise-wide policy and distribute it across key peering points in the network as
well as firewall nodes sharing threat information network wide. So what are some of
the functions of the modern firewall.

Traffic access policy

Access policies are the rules that you decide you wish to allow between zones. Im-
plicit in these policies is a “Deny All” which is implied at the end of your policy.
Therefore, traffic you explicitly do not allow should be denied. The concept of creat-
ing the smallest number of “Pinholes” in the policy is considered a best practice. Old-
er firewall technology was based on ACCPT/DENY/IGNORE rules on the basis of
destination TCP or UDP port numbers. This class of firewall is considered obsolete
and should not be used. The reason is simple, destination port numbers are far easy to
spoof. The modern policy will not only know the transport protocols like HTTP, but
it should also understand services such as specific web applications and SIP.

Access control
Access control is a Go/No-Go policy that looks at source, destination, and traffic and
makes a decision to allow or deny a conversation. It is considered “mild” security, but
is useful to deploy in a layered security model.

Location management
Where is the user geographically sourced. Are they from an approved location or not?
 Security network elements 7

User management
Who specifically is using the application, and are they authorized?

Access times
Is this user allowed this workflow at this time, or not?

Workflow intelligence
Is this person allowed access to this par of the application or not?

Logging
Logging, or documentation of event to a central logging server, will keep a histori-
cal record of events. Logging can be very CPU intensive, so what and how you log
is critical. Best practice is to log negative events. In some jurisdictions, logging is
becoming a legal requirement.

Remote access/VPN
Remote access, generally subdivided into site-to-site (remote branch) and remote
access (point-to-point ) virtual private network (VPN), is a technology that creates a
tunnel through the Internet that is secure and encrypted. The main flavors are IPSec
(older) and SSL-VPN (newer).

IPS/IDS
The purpose of this element is to detect or prevent intrusion and perform some ac-
tion. Typically, this element will either be passively inline with traffic (IPS) to allow
it to block attack, or hang off of a network tap (IDS) such that the element will detect
and perform some action. For example, the IPS/IDS service contains a database of
patterns that predict an attack. If a traffic flowing through the appliance triggers three
patterns, and IDS will log the event, IPS will attempt to block the traffic.

PROXY SERVER
A proxy server is a device that will terminate TCP connections and regenerate them
on the outbound side. Typically, the user must configure the proxy server and port
number in the local application, such as the web browser. Proxy servers can be a
layer of protection, because they isolate traffic above TCP/UDP from the original
connections. This has the benefit of potentially blocking TCP-based attacks. Proxy
server should be considered a layer of security, but should never be deployed as the
exclusive element of security.

TOR NETWORK
“The Onion Router” (ToR) is an anonymity routing technology that hides the identity
of users through random path routing. A ToR shim is useful to evade specific pathways
(where people may be spying) since it picks paths randomly. ToR is not absolutely
secure, and must always be combined with other encryption to improve security.
8 CHAPTER 1 Introduction to practical security and performance testing

PERSONAL FIREWALL/ANTI-VIRUS/ANTI-MALWARE
This class of security object is typically installed on the desktop. They tend to per-
form “Leaf” analysis, inspecting the local file system and memory for infections.
They can use significant local resources, and generally require “syncing” to keep the
local database up to date. The implication of the personal firewall is two fold. First,
the firewall is only as good as the underlying technology used to scan traffic. It is
possible for a firewall to miss an attack because the scanning engine was not engi-
neered to detect the attack. Second, a firewall is only as good as its last database sync.
The implication is that periodic work is required for all nodes to keep up to date.

A BASELINE UNDERSTANDING OF NETWORK

PERFORMANCE CONCEPTS
Network performance is one of those topics that everyone knows they need,
but is hard to quantify and qualify. I would like to spend a moment and discuss
network performance, what it is, what effects performance, and how it is measured.
Network performance is related to security in the sense that both attack mitigation,
attack effect and quality of experience must be measured together. All three vectors
of performance are considered entangled.

WHAT IS NETWORK PERFORMANCE?

First, network performance is not one thing; it is many things working together for
a user experience. As more services are placed on the network such as voice, video,
data workflows within the company, a decrease in user experience is not only annoy-
ing to the users but can sharply reduce productivity in the network. So, performance
testing is really the study of user experience over time in the network from different
populations, under different conditions.

PSYCHOLOGY OF USER EXPERIENCE

The modern user relies upon the network being available, always on, predictable,
and reliable. For example, if a user browses to an internal CRM system, and gets a
“404 ­Error,” the event breaks availability and predictability requirements of the user,
and perceptual experience goes down because they simply cannot do their job. In many
ways, the old POTS (Plain Old Telephone System, or pre Internet voice networks)
dial tone concept of 99.999% uptime at fiber optic quality (remember the old add
of hearing a pin drop) has set a benchmark and is transformed into a form of a Web
Dial tone expectation. This is simply a reflection of the reliance of the user upon the
network for even fundamental day-to-day operations. The first attribute of how users
perceive user experience is that they do not recognize when workflows perform well;
they simply expect this day in and day out. This is an important attribute to recognize,
 A baseline understanding of network performance concepts 9

because the network can have a great experience factor for a full year, and users will
tend to not take that fact into consideration. When a user in the network perceives a
negative event such as a slow loading page, or disrupted voice quality on SIP, then
they place a very strong weight on the times the network did not work vs. the times
it did work. In general, users just expect the network and its services to just work all
the time. Furthermore, users frame their experience on the basis of the service, not the
protocol. What I mean by this is they will see the “CRM” is good or bad, not HTTP
and user experience is a measure perceived impairment for workflow within the ser-
vice. So what can go wrong in a service? These are divided into hard and soft errors.

HARD ERRORS
When a user cannot login (authentication problem) or receives a “404 page not
found” error a hard error occurs. These events can occur randomly, periodically, or
one shot. They are very measurable and discrete because the condition either exists
or does not exist. Hard errors have a lot of perceived weight by the user because it
directly prevents them from completing their task, increasing frustration. In addition,
a hard error can be weighed on the basis of when and where it occurs. For example,
if a user cannot log in to the CRM, the hard error impact on user experience can
range from annoying (low impact coefficient) to panic (high impact coefficient) on
the basis of the specific user condition and criticality of the desired user action. The
bottom line on hard errors is that they are never good, they contribute the greatest to a
negative user experience, they can be perceptually multiplied based on the user situa-
tion, and they take a very long time to balance out with well-performing workflows.

SOFT ERRORS
If a hard error is black and white, a soft error is a shade of gray. They tend to be
expressed as slowdown of a service which can occur randomly, periodic, or per-
sistently. The tendency of the user to notice a soft error is directly proportional to
critical nature of the service and where the user is within the workflow. Soft errors
impact the perception of quality in a meaningful but different way than more direct
hard errors. Whereas a hard error such as a page not found is perceived as a definite
failure, soft errors like slow loading pages, or high variability in page time loading
will cumulatively degrade the perception of quality over time. Users will assign more
negative impact to soft errors on the basis of frequency, cluster events, or if there is
a perceived pattern of slowdowns. For example, if a user between 8 and 9 am each
day sees the CRM system to be “slow” they will place much more negative influence,
such as a hard error coefficient, than if it happened “last Tuesday, one time,” which
tend to be more easily dismissed by the user. Users recognize patterns, and give extra
weight to those patterns.
Hard errors are remembered for long durations of time, especially if there is a
high coefficient of effect. This is then followed by pattern or clusters of soft er-
rors, followed by nonreoccurring soft errors. These experience events do also get
10 CHAPTER 1 Introduction to practical security and performance testing

e­ xamined by the users as a set. So seeing periodic hard errors and clusters of soft
errors dramatically lowers user experience.

QUALITY OF EXPERIENCE FOR WEB-BASED SERVICES

So much of our crucial work is done by web applications. The trend is for the web
to take over desktop applications, and effectively become a programmable interface.
Web-based services, such as CRM, order processing/logistics, or even a replacement
for office applications, go straight to the core faction of the company. Understanding
how to measure web services is crucial to understanding not only good user experi-
ence, but also the impact of security events on user experience. So what are the at-
tributes of a web-based service, and how do users perceive quality.
The web service may use web technologies, but is by no means a classic static web
page. A service is a fully stateful application, spilt between the web browser and the
back end. As such, the applications differentiate users through some form of authenti-
cation. Several hard error events may occur. If the user browses to the login page and
receives a 4xx error or they type in valid credentials and the web application freezes,
the user will defiantly perceive this as a hard error. Authentication may also experi-
ence soft errors. In general, an application is considered to have excellent authentica-
tion performance if the user can be authenticated and logged in within 1 second or
less, 2–3 seconds is considered acceptable and >4 seconds is considered to be “slow.”
Web-based application tends to have screens and workflows through screens to
perform actions. At the individual screen level, if the page does not load or if an ob-
ject on the page is missing, then the screen is experiencing a hard error. As a rule of
thumb, if the page renders in <1 second, the perception is excellent, >2 seconds, and
the page begins to be perceived as slow. At >7 seconds, most users will simply abort,
and consider the page to have experienced a hard error. Many pages also require the
user to post data to the server; the same timeframes for page load time are reflected
to a post response page from the server.
So a test workflow would have a user authenticating and walking through work-
flows that are considered typical and critical to the organization. The test is looking
out for hard error events and measuring authentication, page render time, and data
post times for the application.

QUALITY OF EXPERIENCE FOR VOICE

Voice on the network is a critical service that most people rely on day after day. The
measurement of quality of experience is more defined for voice using an MOS algo-
rithm based on ITU P.861 and P.862. This score is a range from 1 (unacceptable) to
5 (excellent). In general, you want a score of 4.2 or higher.
Why does MOS (Mean Opinion Score) matter? MOS scoring was derived by gath-
ering a statically significant number of callers, and having them rate the call
quality across numerous sample (Source: http://voip.about.com/od/voipbasics/a/
MOS.htm). It was assumed that person would use the pre-Internet fiber optic
 Network events that can effect hard and soft errors for flows 11

l­andline phone network as a benchmark. MOS scoring was derived from this
study. It is assumed that MOS scoring is a factual and meaningful measure model
that predicts how users will judge voice quality. Given that we use the phone daily,
it should be considered a core service in the network.
We have to differentiate what we are measuring, an MOS score will measure an
impact of the network on voice, but that does not translate into excellent call quality.
Say, for example, the handsets have a bug or simple do not decode voice well, no
amount of network tuning will get you acceptable quality. It is strongly recommended
that you ask the handset and IP phone vendor to specifically test and demonstrate SIP
through their device. In addition, hard errors can also occur in specific SIP functions
such as bridging, call transfer, voicemail, etc. We will not cover these specific types
of hard error events, but you should be aware of them.

QUALITY OF EXPERIENCE IN VIDEO

Video in the network is going through a rapid transition from older format (Flash/
RTMP) to a more modern ABR HTML5-based video. The big difference is how video
is encoded and transported. This book will exclusively deal with ABR HTML5 video
around the DASH standard, which is the most relevant in the network. ABR video
is video transported over HTTP protocol. We must also make the same declaration
about understanding what domain is tested as voice. We will focus on the impact of
the network on video, but we will not cover encoder/decoder quality. It is mentioned
here because the encoder and decoder can make a well-transported video stream look
good or bad. HTML5 video performance is measured in HTTP goodput as a ratio of
offered versus received bandwidth. HTTP goodput is the data rate between the HTTP
stack and the video decoder, so it takes into consideration TCP events, network condi-
tions, etc. In addition, as a ratio normalized as a percent, the user can easily measure
even the most modern technologies such as 4k video streams. For an excellent video,
the user wants a goodput ratio of 98%+, consistently through the video stream.

NETWORK EVENTS THAT CAN EFFECT HARD AND SOFT

ERRORS FOR FLOWS
A flow is a pathway across the network connecting a client and a server, whereby
data flow through the path. That pathway can become impaired, and it is important to
understand how different types of impairments effect user experience. Here is a list
of some common network situations that can reduce user experience.

BANDWIDTH CONSTRICTION
Typically, there are many hops in the network between the client and the server. Band-
width constriction can happen anywhere in this chain, and tends to be a ­“weakest
12 CHAPTER 1 Introduction to practical security and performance testing

link” event. Constriction of a flows bandwidth may either be based on a policy or a

limit of a network element or elements. When the bandwidth pathway is restricted,
TCP window size may never grow to MSS, and you will see artificially slower per-
formance in such things as total page render time.

NETWORK LATENCY
Latency can play a big part in performance. Latency in a datacenter should be very
small (100’s of uSeconds). Across a WAN, on a point-to-point link, the natural “in
the ground” latency is approximately 1 mSec per 100 km of distance. The effect of
latency is that it can slow bandwidth and if latency is too high, TCP may time out,
reduce the window size, and try to recover, which is expensive to performance. Too
much latency can also effect audio quality, forcing a lower quality coded to be ne-
gotiated.

JITTER
This impairment is dynamic variation in latency across time. SIP stacks especially
do not like jitter. This impairment is impossible to eliminate, but should be managed
and capped at less than ±0.5% of the average latency, maximum.

CONVERSATION SEQUENCING ERRORS

The order of packets in a flow can make a big difference on the quality of experience
(QoE); sequencing errors are a single or compound set of incorrect alignment of
packet order. The impact of the sequencing errors depends upon the layer 4 (TCP or
UDP) of the upper layer service. For TCP, there is generally a local buffer whereby
if the packet sequencing error event resolves itself within the buffer, TCP can locally
rearrange the packets to minimize the event. If the sequencing event is outside the
buffer, it is treated like a lost packet event, and TCP will attempt to recover, eating up
performance cycles. UDP-based services in the presence of sequence numbers have
no local Layer 4 buffer, and rely on the upper layer service to recover. Thus, TCP is
better than UDP in performance if the sequence event can resolve its self in the local
buffer. The first kind of sequencing error is a lost packet. In this event the packet is
simply dropped in the network. This will always force a recovery mechanism in ei-
ther TCP or UDP’s upper layer service. This is a very hard error, and never beneficial
to the flow. The next kind of error is a reorder event, such as packets being swapped.
As long as the event occurs within a short set of packets, this event is annoying but
recoverable. Duplicate packets can have more of an impact, because for TCP-based
services, the TCP stack has to recognize that it received something it previously
received and discard it, which takes time and resources. Late packets look like lost
packets, but eventually make it to the stack. Again, as long as this is within the local
window, TCP can compensate (UDP cannot). Sequencing errors are never beneficial,
and frankly you should not see them in a modern device.
Other documents randomly have
different content
 Fig. 1090.—Algonquian petroglyphs. Cunningham’s island, Lake Erie.

Fig. 1090 is reproduced from Schoolcraft (p), and is a copy taken in

1851 of an inscription sculptured on a rock on the south side of
Cunningham’s island, Lake Erie. Mr. Schoolcraft’s explanation, given
in great detail, is fanciful. It is perhaps only necessary to explain that
the dotted lines are intended to divide the partially obliterated from
the more distinct portions of the glyph. The central part is the most
obscure.
It is to be remarked that this petroglyph is in some respects similar
in general style to those before given as belonging to the eastern
Algonquian type, but is still more like some of the representations of
the Dighton rock inscription, one of them being Fig. 49, supra, and
others, which it still more closely resembles in the mode of drawing
human figures, are in the copies of Dighton rock on Pl. liv, Chap.
xxii. In some respects this Cunningham’s island glyph occupies a
typical position intermediate between the eastern and western
Algonquian.
A good type of western Algonquian petroglyphs was discovered by
the party of Capt. William A. Jones (b), in 1873, with an illustration
here reproduced as Fig. 1091, in which the greater number of the
characters are shown, about one-fifth real size.

Fig. 1091.—Algonquian petroglyphs. Wyoming.

An abstract of his description is as follows:

* * * Upon a nearly vertical wall of the yellow sandstones,
just back of Murphy’s ranch, a number of rude figures had
been chiseled, apparently at a period not very recent, as
they had become much worn. * * * No certain clue to the
connected meaning of this record was obtained, although
Pínatsi attempted to explain it when the sketch was shown
to him some days later by Mr. F. W. Bond, who copied the
inscriptions from the rocks. The figure on the left, in the
upper row, somewhat resembles the design commonly
used to represent a shield, with the greater part of the
ornamental fringe omitted, perhaps worn away in the
inscription. We shall possibly be justified in regarding the
whole as an attempt to record the particulars of a fight or
battle which once occurred in this neighborhood. Pínatsi’s
remarks conveyed the idea to Mr. Bond that he
understood the figure [the second in the upper line] to
signify cavalry, and the six figures [three in the middle of
the upper line, as also the three to the left of the lower
line] to mean infantry, but he did not appear to recognize
the hieroglyphs as the copy of any record with which he
was familiar.
Throughout the Wind river country of Wyoming many petroglyphs
have been found and others reported by the Shoshoni Indians, who
say that they are the work of the “Pawkees,” as they call the
Blackfeet, or, more properly, Satsika, an Algonquian tribe which
formerly occupied that region, and their general style bears strong
resemblance to similar carvings found in the eastern portion of the
United States, in regions known to have been occupied by other
tribes of the Algonquian linguistic stock.
The four specimens of Algonquian petroglyphs presented here in
Figs. 1088-91 and those referred to, show gradations in type. In
connection with them reference may be made to the numerous
Ojibwa bark records in this work; the Ottawa pipestem, Fig. 738;
and they may be contrasted with the many Dakota, Shoshoni, and
Innuit drawings also presented.
The petroglyphs found scattered throughout the states and
territories embraced within the area bounded by the Rocky
mountains on the east and the Sierra Nevada on the west, and
generally south of the forty-eighth degree of latitude, are markedly
similar in the class of objects represented and the general style of
their delineation, without reference to their division into pecked or
painted characters; also in many instances the sites selected for
petroglyphic display are of substantially the same character. This
type has been generally designated as the Shoshonean, though
many localities abounding in petroglyphs of the type are now
inhabited by tribes of other linguistic stocks.
Mr. G. K. Gilbert, of the U. S. Geological Survey, has furnished a
small collection of drawings of Shoshonean petroglyphs from Oneida,
Idaho, shown in Fig. 39, supra.
Five miles northwest from this locality and one-half mile east from
Marsh creek is another group of characters on basalt bowlders,
apparently totemic, and drawn by Shoshoni. A copy of these, also
contributed by Mr. Gilbert, is given in Fig. 1092.
 Fig. 1092.—Shoshonean petroglyphs. Idaho.

All of these drawings resemble the petroglyphs found at Partridge

creek, northern Arizona, and in Temple creek canyon, southeastern
Utah, mentioned supra, pages 50 and 116, respectively.
 Fig. 1093.—Shoshonean petroglyphs. Utah.

Mr. I. C. Russell, of the U. S. Geological Survey, has furnished

drawings of rude pictographs at Black Rock spring, Utah,
represented in Fig. 1093. Some of the other characters not
represented in the figure consist of several horizontal lines, placed
one above another, above which are a number of spots, the whole
appearing like a numerical record having reference to the figure
alongside, which resembles, to a slight extent, a melon with tortuous
vines and stems. The left-hand upper figure suggests the masks
shown in Fig. 713.
 Fig. 1094.—Shoshonean rock-painting. Utah.

Mr. Gilbert Thompson, of the U. S. Geological Survey, has discovered

pictographs at Fool creek canyon, Utah, shown in Fig. 1094, which
strongly resemble those still made by the Moki of Arizona. Several
characters are identical with those last mentioned, and represent
human figures, one of which is drawn to represent a man, shown by
a cross, the upper arm of which is attached to the perinæum. These
are all drawn in red color and were executed at three different
periods. Other neighboring pictographs are pecked and unpainted,
while others are both pecked and painted.
Both of these pictographs from Utah may be compared with the
Moki pictographs from Oakley springs, Arizona, copied in Fig. 1261.
Dr. G. W. Barnes, of San Diego, California, has kindly furnished
sketches of pictographs prepared for him by Mrs. F. A. Kimball, of
National city, California, which were copied from records 25 miles
northeast of the former city. Many of them found upon the faces of
large rocks are almost obliterated, though sufficient remains to
permit tracing. The only color used appears to be red ocher. Many of
the characters, as noticed upon the drawings, closely resemble those
in New Mexico, at Ojo de Benado, south of Zuñi, and in the canyon
leading from the canyon at Stewart’s ranch, to the Kanab creek
canyon, Utah. This is an indication of the habitat of the Shoshonean
stock apart from the linguistic evidence with which it agrees.
From the numerous illustrations furnished of petroglyphs found in
Owens valley, California, reference is here made to Pl. ii a, Pl. iii h,
and Pl. vii a as presenting suggestive similarity to the Shoshonean
forms above noted, and apparently connecting them with others in
New Mexico, Arizona, Sonora, and Central and South America.

Fig. 1095.—Arizona petroglyph.

Mr. F. H. Cushing (a) figured three petroglyphs, now reproduced in

Figs. 1095 and 1096, from Arizona, and referred to them in
connection with figurines found in the ruined city of Los Muertos, in
the Salado valley, as follows:
Beneath the floor of the
first one of these huts
which we excavated,
near the ranch of Mr.
George Kay Miller, were
discovered, disposed
precisely as would be a
modern sacrifice of the
kind in Zuñi, the
paraphernalia of a Fig. 1096.—Arizona petroglyph.
Herder’s sacrifice,
namely, the paint line,
encircled, perforated medicine cup, the Herder’s amulet
stone of chalcedony, and a group of at least fifteen
remarkable figurines. The figurines alone, of the articles
constituting this sacrifice, differed materially from those
which would occur in a modern Zuñi “New Year Sacrifice”
of the kind designed to propitiate the increase and
prosperity of its herds. While in Zuñi these figurines
invariably represent sheep (the young of sheep mainly;
mostly also females), the figurines in the hut at “Los
Guanacos,” as I named the place, represented with rare
fidelity * * * some variety, I should suppose, of the
auchenia or llama of South America.
Summing up the evidence presented by the occurrence of
numerous “bola stones” in these huts and within the
cities; by the remarkably characteristic forms of these
figurines; by the traditional statement of modern Zuñis
regarding “small hairy animals” possessed by their
ancestors, no less than by the statements of Marcus
Nizza, Bernal Diaz, and other Spanish writers to the same
effect, and adding to this sum the facts presented in
sundry ritualistic pictographs, I concluded, very boldly, * *
* that the ancient Pueblos-Shiwians, or Aridians, * * *
must have had domesticated a North American variety of
 the auchenia more nearly resembling, it would seem, the
guanaco of South America than the llama.
It is ascertained that the petroglyphs copied by Mr. Cushing as above
are pecked upon basaltic rock in the northern face of Maricopa
mountains, near Telegraph pass, south of Phœnix, Arizona.
The following information is obtained from Dr. H. Ten Kate (a):
In several localities in the sierra in the peninsula of
California and Sonora are rocks painted red. These
paintings are quite rude and are inferior to many of the
pictographs of the North American Indians. Figs. 1097 and
1098 were found at Rincon de S. Antonio. The right-hand
division of Fig. 1097 is a complete representation, and the
figures copied appear on the stone in the order in which
they are here given. The left-hand division of the same
figure represents only the most distinct objects, selected
from among a large number of others, very similar, which
cover a block of marble several meters in height. The
object in the upper left-hand corner of Fig. 1097 measures
20 to 21 centimeters; the others are represented in
proportion.

Fig. 1097.—Petroglyphs, Lower California.

 Fig. 1098.—Petroglyphs in Lower California.

These two figures resemble petroglyphs reported from the Santa

Inez range, west of Santa Barbara, Lower California.
The same author, op. cit., p. 324, says:
Fig. 1098 represents symbols which were the most easily
distinguished among the great number of those which
cover two immense granite blocks at Boca San Pedro. The
rows of dots (or points) which are seen at the left of this
figure measure 1.50 meters, the parallel lines traced at
the right are about 1 meter.
This figure is like another found farther east (see Fig. 31) from
Azuza canyon, California.
A number of Haida pictographs are reproduced in other parts of this
work. In immediate connection with the present topic Fig. 1099 is
presented. It shows the carved columns in front of the chief’s house
at Massett, Queen Charlotte island.
 Fig. 1099.—Haida Totem Post.

The following illustrations from New Zealand are introduced here for
comparison.
 Fig. 1100.—New Zealand house posts.

Dr. F. von Hochstetter (b) writing of New Zealand, says:

The dwellings of the chiefs at Ohinemutu are surrounded
with inclosures of pole fences, and the Whares and
Wharepunis, some of them exhibiting very fine specimens
of the Maori order of architecture, are ornamented with
grotesque wood carvings. Fig. 1100 is an illustration of
some of them. The gable figure with the lizard having six
feet and two heads is very remarkable. The human figures
are not idols, but are intended to represent departed sires
of the present generation.
Niblack (c) gives a description of the illustration reproduced as Fig.
1101.
 Tiki. At Raroera Pah, New Zealand.
From Wood’s Natural History, page
180. Of this he says: “This gigantic
tiki stands, together with several
others, near the tomb of the
daughter of Te Whero-Whero, and,
like the monument which it seems
to guard, is one of the finest
examples of native carving to be
found in New Zealand. The precise
object of the tiki is uncertain, but
the protruding tongue of the upper
figure seems to show that it is one
of the numerous defiant statues
which abound in the islands. The
natives say that the lower figure
represents Maui the Auti who,
according to Maori tradition, fished
up the islands from the bottom of
the sea.”
Dr. Bransford (b) gives an illustration,
copied here as the left-hand character
of Fig. 1102, with the description of the
site, viz: “On a hillside on the southern Fig. 1101.—New Zealand tiki.
end of the island of Ometepec,
Nicaragua, about a mile and a half east
of Point San Ramon.” On a rough, irregular stone of basalt,
projecting 3 feet above ground, was the following figure on the
south side:
 Fig. 1102.—Nicaraguan petroglyphs.

This suggests comparison with some of the Moki and British Guiana
figures.
The same authority gives on page 66, from the same island and
neighborhood, the illustration copied as the right-hand character of
the same figure.
By comparing some of the New Mexican, Zuñi, and Pueblo drawings
with the above figure the resemblance is obvious. This is most
notable in the outline of the square abdomen and the widespread
legs.
 Fig. 1103.—Nicaraguan petroglyphs.

Fig. 1103, also mentioned and figured by Dr. Bransford as found with
the preceding in Nicaragua, resembles some of the petroglyphs
presented in the collection from Owens valley, California.
The carvings in Fig. 1104 are from British Guiana, and are
reproduced from im Thurn (i):
 Fig. 1104.—Deep carvings in Guiana.

Most of these figures so strongly resemble some from New Mexico,

and perhaps Arizona, as to appear as if they were made by the same
people. This is specially noticeable in the lowermost characters, and
more particularly so in the last two, resembling the usual
Shoshonean type for toad or frog.
The petroglyph of Boca del Infierno, a copy of which is furnished by
Marcano (f), reproduced as Fig. 1105, is thus described:
 Fig. 1105.—Venezuelan petroglyphs.

In the strange combination that surmounts it, a, there are

seen at the lower part two figures resembling the eyes of
jaguars, but asymmetric. Still the difference is apparent
rather than real. These eyes are always formed of three
circumferences, the central one being at times replaced by
a point, as in the eye at the left; the one at the right
shows its three circumferences, but the outermost is
continuous with the rest of the drawing. The two eyes are
joined together by superposed arches, the smallest of
 which touches only the left eye, while the larger one,
which is not in contact with the left eye, forms the
circumference of the right eye. The whole is surrounded
by 34 rays, pretty nearly of the same size, except one,
which is larger. Is there question of a jaguar’s head seen
from in front with its bristling mane, or is it a sunrise? All
conjecture is superfluous, and it is useless to search for
the interpretation of these figures, whose value, entirely
conventional, is known only by those who invented them.
In b of the same pictograph, alongside of a tangle of
various figures, always formed of geometric lines, we
distinguished, at the left, three points; in the middle a
collection of lines representing a fish. Let us note, finally,
the dots which, as in the preceding case, run out from
certain lines.
The design of c, while quite as complex, has quite another
arrangement. At the left we see again the figure of the
circumferences surrounding a dot, and these are
surmounted by a series of triangles; at the bottom there
are two little curves terminated by dots. At d two
analogous objects are represented; they may be what
Humboldt took to be arms or household implements.
In the above figure, the uppermost character, a, is similar to various
representations of the “sky,” as depicted upon the birch-bark midē'
records of the Ojibwa. The lower characters are similar to several
examples presented under the Shoshonean types, particularly to
those in Owens valley, California.
Dr. A. Ernst in Verhandl. der Berliner, Anthrop. Gesell. (c) gives a
description of Fig. 1106, translated and condensed as follows:
 Fig. 1106.—Venezuelan petroglyphs.

The rock on which the petroglyph is carved is 41

kilometers WSW. of Caracas, and 27 kilometers almost
due north of La Victoria, in the coast mountains of
Venezuela. The petroglyph is found on two large stones
lying side by side and leaning against other blocks of
leptinite, though resembling sandstone. The length of the
two stones is 3.5 m., their height 2 m. The stones lie
beside the road from the colony of Tovar to La Maya, on
the border of a clearing somewhat inclined southward not
far from the woods. The surface is turned south.
Concerning the meaning of the very fragmentary figures I
can not even express a conjecture.
Araripe (c) furnishes the following description of Fig. 1107:
 Fig. 1107.—Brazilian petroglyphs.

In the district of Inhamun, on the road from Carrapateira

to Cracará, at a distance of half a league, following a
footpath which branches off to the left, is a small lake
called Arneiros, near which is a heap of round and long
stones; on one of the round ones is an inscription, here
given in the order in which the figures appear, on the face
toward the north, engraved with a pointed instrument, the
characters being covered with red paint.
The same authority, p. 231, gives the following description of the
lower group in Fig. 1108. It is called Indian writing in Vorá, in
Faxina, province of São Paulo.
 Fig. 1108.—Spanish and Brazilian petroglyphs.

From a rock which is more than 40 meters in height, a

large mass has been detached leaving a greater inclination
of 10 meters. This incline, together with the wall formed
by the detached portion, constitutes a sheltered place
which was used by the Indians as a resting place for their
dead.
On the walls of this grotto are figures engraved in the
stone and painted with “indelible” colors in red and black.
It would seem that the Indians had engraved in these
figures the history of the tribe. The designs are as follows:
A human figure with ornaments of feathers on the head
and neck; a palm tree rudely engraved and painted; a
number of circular holes, 24 or more or less, in a straight
line; a circle with a diameter of 15 inches, having dentated
 lines on the edge; two concentric circles resembling a
clock face, with 60 divisions; immediately following this
the figure of an idol, and various marks all painted in a
very firm black; a figure of the sun with a +; a T; six more
circles; a human hand and foot well carved, etc. In the
wall are fragments of bones.
The two upper groups are copies of petroglyphs in Fuencaliente,
Andalusia, Spain, which are described in Chap. iv, sec. 3, and are
introduced here for convenient comparison with characters in the
lower group of this figure, and also with others in Figs. 1097 and
1107.

Fig. 1109.—Brazilian petroglyphs.

Dr. Ladisláu Netto (c) gives an account of characters copied from the
inscriptions of Cachoeira Savarete, in the valley of the Rio Negro,
here reproduced as Fig. 1109. They represent men and animals,
concentric circles, double spirals, and other figures of indefinite
form. The design in the left hand of the middle line evidently
represents a group of men gathered and drawn up like soldiers in a
platoon.
The same authority, p. 552, furnishes characters copied from rocks
near the villa of Moura in the valley of the Rio Negro, here
reproduced as Fig. 1110. They represent a series of figures on which
Dr. Netto remarks as follows:

Fig. 1110.—Brazilian petroglyphs.

It is singular how frequent are these figures of circles two

by two, one of which seems to simulate one of the
meanders that in a measure represent the form of the
Buddhic cross. This character, represented by the double
cross, is very common in many American inscriptions. It
probably signifies some idea which has nothing to do with
that of nandyavarta.

Fig. 1111.—Brazilian petroglyphs.

The same authority, p. 522, gives carvings copied from the rocks of
the banks of the Rio Negro, from Moura to the city of Mañaus, some
of which are reproduced as Fig. 1111. The group on the left Dr.
Netto believes to represent a crowned chief, having by his side a
figure which may represent either the sun or the moon in motion,
but which, were it carved by civilized men, would suggest nothing
more remarkable than a large compass.
The same authority, p.
553, presents characters
copied from stones on the
banks of the Rio Negro,
Brazil, here reproduced as
Fig. 1112.
They are rather sketches Fig. 1112.—Brazilian pictograph.
or vague tracings and
attempts at drawing than
definite characters. The human heads found in most of the figures
observed at this locality resemble the heads carved in the
inscriptions of Central America and on the banks of the Colorado
river. The left-hand character, which here appears to be simply a
rude drawing of a nose and the eyes belonging to a human face,
may be compared with the so-called Thunderbird from Washington,
contributed by Rev. Dr. Eels (see Fig. 679).
Dr. E. R. Heath (b), in his Exploration of the River Beni, introducing
Fig. 1113, says:
 Fig. 1113.—Brazilian petroglyphs.

Periquitos rapids connects so closely with the tail of

“Riberáo” that it is difficult to say where one begins and
the other ends. Our stop at the Periquitos rapids was short
yet productive of a few figures, one rock having
apparently a sun and moon on it, the first seen of that
character.
He further says:
 Fig. 1114.—Brazilian petroglyphs.

On some solid water-worn rocks, at the edge of the fall,

are the following figures [Fig. 1114]. There were many
fractional parts of figures which we did not consider of
sufficient value to copy.

SECTION 2.
HOMOMORPHS AND SYMMORPHS.

It has already been mentioned that characters substantially the

same, or homomorphs, made by one set of people, have a different
signification among others. The class of homomorphs may also
embrace the cases common in gesture signs, and in picture writing,
similar to the homophones in oral language, where the same sound
has several meanings among the same people.
It would be very remarkable if precisely the same character were not
used by different or even the same persons or bodies of people with
wholly distinct significations. The graphic forms for objects and ideas
are much more likely to be coincident than sound is for similar
expressions, yet in all oral languages the same precise sound,
sometimes but not always distinguished by different literation, is
used for utterly diverse meanings. The first conception of different
objects could not have been the same. It has been found, indeed,
that the homophony of words and the homomorphy of ideographic
pictures is noticeable in opposite significations, the conceptions
arising from the opposition itself. The same sign and the same sound
may be made to convey different ideas by varying the expression,
whether facial or vocal, and by the manner accompanying their
delivery. Pictographs likewise may be differentiated by modes and
mutations of drawing. The differentiation in picturing or in accent is
a subsequent and remedial step not taken until after the confusion
had been observed and had become inconvenient. Such confusion
and contradiction would only be eliminated from pictography if it
were far more perfect than is any spoken language.
This heading, for convenience, though not consistently with its
definition, may also include those pictographs which convey different
ideas and are really different in form of execution as well as in
conception, yet in which the difference in form is so slight as
practically to require attention and discrimination. Examples are
given below in this section, and others may be taken from the
closely related sign-language, one group of which may now be
mentioned.
The sign used by the Dakota, Hidatsa, and several other tribes for
“tree” is made by holding the right hand before the body, back
forward, fingers and thumb separated; then pushing it slightly
upward, Fig. 1115; that for “grass” is the same, made near the
ground; that for “grow” is made like “grass,” though, instead of
holding the back of the hand near the ground, the hand is pushed
upward in an interrupted manner, Fig. 1116. For “smoke” the hand
(with the back down, fingers pointing upward as in grow) is then
thrown upward several times from the same place instead of
continuing the whole motion upward. Frequently the fingers are
thrown forward from under the thumb with each successive upward
motion. For “fire” the hand is
employed as in the gesture for
smoke, but the motion is frequently
more waving, and in other cases
made higher from the ground.
Symmorphs, a term suggested by
the familiar “synonym,” are designs
not of the same form, but which
are used with the same significance
or so nearly the same as to have
only a slight shade of distinction
and which sometimes are
practically interchangeable. The
Fig. 1115.—Tree.
comprehensive and metaphorical
character of pictographs renders
more of them interchangeable than is the case with words; still, like
words, some pictographs with essential resemblance of meaning
have partial and subordinate differences made by etymology or
usage. Doubtless the designs are purposely selected to delineate the
most striking outlines of an object or the most characteristic features
of an action; but different individuals and likewise different bodies of
people would often disagree in the selection of those outlines and
features. In an attempt to invent an ideographic, not an
iconographic, design for “bird,” any one of a dozen devices might
have been agreed upon with equal appropriateness, and, in fact, a
number have been so selected by several individuals and tribes,
each one, therefore, being a symmorph of the other. Gesture
language gives another example in the signs for “deer,” designated
by various modes of expressing fleetness, also by his gait when not
in rapid motion, by the shape of his horns, by the color of his tail,
and sometimes by combinations of those characteristics. Each of
these signs and of the pictured characters corresponding with them
may be indefinitely abbreviated and therefore create indefinite
diversity. Some examples appropriate to this line of comparison are
now presented.
 Fig. 1116.—Grow.

SKY.

Fig. 1117.—Sky.

The Indian gesture sign for sky, heaven, is generally made by

passing the index from east to west across the zenith. This curve is
apparent in the Ojibwa pictograph, the left-hand character of Fig.
1117, reported in Schoolcraft (q), and is abbreviated in the Egyptian
character with the same meaning, the middle character of the same
figure, from Champollion (e). A simpler form of the Ojibwa picture
sign for sky is the right-hand character of the same figure, from
Copway (h).

SUN AND LIGHT.

Fig. 1118.—Sun. Oakley springs.

Fig. 1118 shows various representations of the sun taken from a

petroglyph at Oakley springs.
The common Indian gesture sign for sun is: Right hand
closed, the index and thumb curved, with tips
touching, thus approximating a circle, and held toward
the sky, the position of the fingers of the hand forming
a circle as is shown in Fig. 1119. Two of the Egyptian
characters for sun, the left-hand upper characters of
Fig. 1120 are the common conception of the disk. The
rays emanating from the whole disk appear in the two
Fig. 1119.—
adjoining characters on the same figure, taken from Sun. Gesture
the rock etchings of the Moki pueblos in Arizona. From sign.
the same locality are the two remaining characters in
the same figure, which may be distinguished from several similar
etchings for “star,” Fig. 1129, infra, by their showing some indication
of a face, the latter being absent in the characters denoting “star.”

Fig. 1120.—Devices for sun.

With the above characters for sun compare the left-hand character
of Fig. 1121, found at Cuxco, Peru, and taken from Wiener (h).

Fig. 1121.—Sun and light.

In the pictorial notation of the Laplanders the sun bears its usual
figure of a man’s head, rayed. See drawings in Scheffer’s History of
Lapland, London, 1704.
The Ojibwa pictograph for sun is seen in the second character of Fig.
1121, taken from Schoolcraft (r). The sun’s disk, together with
indications of rays, as shown in the third character of the same
figure, and in its linear form, the fourth character of that figure, from
Champollion, Dict., constitutes the Egyptian character for light.
Fig. 1122.—Light. Red-Cloud’s Census. This is to be compared with
the rays of the sun as above shown, but still more closely resembles
the old Chinese character for light, or more specifically “light above
man,” in the left-hand character of Fig. 1123, reported by Dr. Edkins.
 Fig. 1122.—
Light.

Fig. 1123.—Light and sun.

The other characters of the same figure are given by Schoolcraft (s)
as Ojibwa symbols of the sun.
The left-hand character of Fig. 1124, from Proc. U. S. Nat. Museum
(a), shows the top of an heraldic column of the Sentlae (Sun) gens
of the Kwakiutl Indians in Alert bay, British Columbia, which
represents the sun surrounded by wooden rays. A simpler form is
seen in the right character of the same figure where the face of the
sun is also fastened to the top of a pole. The author, Dr. Boas, states
that Fig. 1125 is the sun mask used by the same gens in their
dance. This presents another mode in which the common symbolic