incubator-nuttx/Documentation/guides/testingtcpip.rst

143 lines
4.2 KiB
ReStructuredText

=============================
Testing TCP/IP Network Stacks
=============================
When working on the network stack there is a need to test and verify the changes
made. While problems may be discovered by chance, it is hard to reproduce such
situations. The following sections show some methods to stress the target or
generate some specific traffic.
In the examples the target has the IP address 192.168.2.135
SYN Flood Attack
================
Flood the target with SYN packets to exhaust its resources.
It's a good way to test the network driver's buffer management.
.. code-block:: bash
sudo hping3 --flood -S -p 80 192.168.2.135
Building Packets with Scapy
===========================
A wonderful network testing tool is the Scapy lib.
It enables you to build pretty much any packet constellation you need for testing.
You have to add an iptables rule to prevent outgoing RST packets from the OS's
networking stack which does nothing know about our test connection.
To disable outgoing RST packets:
.. code-block:: bash
sudo iptables -A OUTPUT -p tcp --tcp-flags RST RST -d 192.168.2.135 -j DROP
For removing the rule:
.. code-block:: bash
sudo iptables -D OUTPUT -p tcp --tcp-flags RST RST -d 192.168.2.135 -j DROP
**Testing Re-transmission behavior**
When sending a 3-way handshake only, the target should time out and reset the
connection.
The following Python Scapy script starts a HTTP request without further responding.
The stack should start re-transmit the packets and finally time out.
.. code-block:: python
#!/usr/bin/env python
import logging
logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
from scapy.all import *
get = 'GET / HTTP/1.1\r\n\r\n'
ip = IP(dst="192.168.2.135")
port = RandNum(1024, 65535)
# Create SYN packet
SYN = ip/TCP(sport=port, dport=80, flags="S", seq=42)
# Send SYN and receive SYN,ACK
SYNACK = sr1(SYN)
# Create ACK with GET request
ACK = ip/TCP(sport=SYNACK.dport, dport=80, flags="A", seq=SYNACK.ack, ack=SYNACK.seq + 1)
# SEND our ACK
send(ACK)
reply, err = sr(ip/TCP(sport=SYNACK.dport, dport=80, flags="A", seq=SYNACK.ack, ack=SYNACK.seq + 1) / get)
Simulating Packet Loss
======================
With simulating packet loss one can test the re-transmission behavior of the
target stack.
To start packet loss:
.. code-block:: bash
# for randomly dropping 10% of incoming packets:
sudo iptables -A INPUT -m statistic --mode random --probability 0.1 -j DROP
# and for dropping 10% of outgoing packets:
sudo iptables -A OUTPUT -m statistic --mode random --probability 0.1 -j DROP
To remove the rules:
.. code-block:: bash
# for the incoming packets:
sudo iptables -D INPUT -m statistic --mode random --probability 0.1 -j DROP
# and for the outgoing packets
sudo iptables -D OUTPUT -m statistic --mode random --probability 0.1 -j DROP
Fuzz-Testing
============
For fuzz testing network applications the excellent
`SPIKE <https://www.immunitysec.com/resources-freesoftware.shtml>`_ tool can be
used. To make it compile under Ubuntu 14.04 LTS you have to add
``-fno-stack-protector`` to CFLAGS.
SPIKE complained about missing SSL libs. I simply linked the existing to the needed
filenames::
/lib/i386-linux-gnu$ sudo ln -s ./libssl.so.1.0.0 ./libssl.so.0
/lib/i386-linux-gnu$ sudo ln -s ./libcrypto.so.1.0.0 ./libcrypto.so.0
Maybe those lib versions aren't the expected by SPIKE but if you don't use SSL
it works fine.
SPIKE provides a proxy server to record requests to your web application. Based
on these requests a application specific fuzz test can be generated.
.. code-block:: bash
~/SPIKE/src$ mkdir requests && cd requests
# Record requests to the target at 192.168.2.135 on port 80
~/SPIKE/src/requests$ ../webmitm -t 192.168.2.135 -p 80
Now use your web application through localhost to record some requests. Then you
can generate your application-specific fuzz test from the recorded requests.
.. code-block:: bash
~/SPIKE/src$ ./makewebfuzz.pl ./requests/http_request-1.0 > myfuzz.c
~/SPIKE/src$ gcc ./myfuzz.c -I../include -o myfuzz -L. -ldlrpc -ldl
Now you can fuzz your target:
.. code-block:: bash
~/SPIKE/src$ LD_LIBRARY_PATH=. ./myfuzz 192.168.2.135 80