Monday, March 21, 2011

Tomahawk: Stress Testing Network-based Intrusion Prevention Systems!

Testing IDS solutions has always been a nightmare. Just flooding the box with tons of packets is not the best solution. Today, many firewalls jumped into the “Next Generation” train and propose also deep inspection of the packets up to layer 7 (the application layer). The goal of Tomahawk is to test your security devices using real traffic or attacks replayed from a pcap file. You can replay your own captures but they are on-line repositories of pcap files like pcapr or evilfingers where you can find interesting traces of attacks.

Tomahawk is designed to test the traffic from end-to-end (See the topology below). Tomahawk runs on a Linux machine with three NICs. Two are used to send (eth0) and receive (eth1) traffic. The third one is used to manage the box.
Tomahawk Topology
(Click to enlarge)
Tomahawk reads sessions from pcap files. First client’s packet is sent via eth0. If the packet reached eth1, it sends the first server’s packets to eth1, etc. There is a good tutorial on the website. Example of usage:
# ./tomahawk -l 3 -a -f http.pcap   Completed 1 loop of trace http.pcap   Completed 1 loop of trace http.pcap   Completed 1 loop of trace http.pcap   Finished 3 loops of trace http.pcap Completed: 3, Timed out: 0 Retrans: 0 Sent: 12035 Recv: 12035   # ./tomahawk -l 1 -a -f bad-http.pcap   Timeout 1 loop of trace bad-http.pcal   Finished 1 loops of trace http.pcap Completed: 0, Timed out: 1 Retrans: 0 Sent: 546 Recv: 546
The flag “-a” allows you to rewrite IP addresses present in the original pcap file to your own addresses. Useful to map traffic to your DMZ or to a specific server. In parallel to security tests, Tomahawk can also be used to perform performance tests. There are useful flags which allows to control how the traffic is generated:
-n maxActive    Max number of handlers for a file   -l loops        Number of times to replay file   -R rate         playback rate in Mbps (unlimited by default)