syn flood load test

syn flood load test

[Alex Flex]

Hello all!

Not exactly an iptables question, but iam looking to stress load such 
config.

I tried using:

hping3 -p 80 --flood --rand-source -S my-ip-here

However  i wasnt able to get more then 10k pps, i even tried running two 
instances of hping so i ca use two cores of CPU and it doesnt make a 
difference.

Anybody have a suggestion? Iam looking forward to generate 300k pps flood

Alex

Simulating router breaking idle TCP connections with IPTABLES

[Timothy Arceri]

Hi All,

It seems there are some routers floating around that break idle TCP connections after a specified amount of time. 
For example: "Sonicwall devices have that feature to close established connections when they hit a predefined timeout value
with no data passing through."

This causes some issues with Gnome's Nautilus/GVFS and sftp connections that I'm trying to handle more gracfully. The problem is I dont have a router that has this behaviour so I'm looking for a way to simulate it using iptables on my PC.
I have read the thread about this from 2011 http://www.spinics.net/lists/netfilter/msg51963.html but it looks like a solution wasnt provided as the usecase didnt call for doing what was requested.
I however DO want to break the established TCP connections. Does anyone know how I can do this? I don't mind if I need to edit code and rebuild as this is just for testing perposes so I will be reverting once I'm finished.

Thanks for your time,
Tim

Re: Simulating router breaking idle TCP connections with IPTABLES

[Timothy Arceri]

>Hi All,

>
>It seems there are some routers floating around that break idle TCP connections after a specified amount of time. 
>For example: "Sonicwall devices have that feature to close established connections when they hit a predefined timeout value
>with no data passing through."
>
>This causes some issues with Gnome's Nautilus/GVFS and sftp connections that I'm trying to handle more gracfully. The problem is I >dont have a router that has this behaviour so I'm looking for a way to simulate it using iptables on my PC.
>I have read the thread about this from 2011 http://www.spinics.net/lists/netfilter/msg51963.html but it looks like a solution wasnt provided >as the usecase didnt call for doing what was requested.
>I however DO want to break the established TCP connections. Does anyone know how I can do this? I don't mind if I need to edit code >and rebuild as this is just for testing perposes so I will be reverting once I'm finished.
>
>Thanks for your time,
>Tim

To be a little bit clearer I want to causse the behaviour described in section 2.4 here: http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/overview.html

Where the TCP connection is still thought to be active to the peers but the proxy/firewall has no knowlegde on the connection and so the connection breaks up. 

RE: Simulating router breaking idle TCP connections with IPTABLES

[Bob Reiber]

Um, what kind of router do you have? Even some of the very basic home routers have tcp timers on them. 

Bob Reiber
BK Sales and Service
3211 Longfellow Dr
Belmont, CA 94002
Tel: 650 376 1122
Fax: 650 240 4556

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Timothy Arceri
Sent: Sunday, May 5, 2013 7:13 PM
To: netfilter@vger.kernel.org
Subject: Simulating router breaking idle TCP connections with IPTABLES

Hi All,

It seems there are some routers floating around that break idle TCP connections after a specified amount of time. 
For example: "Sonicwall devices have that feature to close established connections when they hit a predefined timeout value with no data passing through."

This causes some issues with Gnome's Nautilus/GVFS and sftp connections that I'm trying to handle more gracfully. The problem is I dont have a router that has this behaviour so I'm looking for a way to simulate it using iptables on my PC.
I have read the thread about this from 2011 http://www.spinics.net/lists/netfilter/msg51963.html but it looks like a solution wasnt provided as the usecase didnt call for doing what was requested.
I however DO want to break the established TCP connections. Does anyone know how I can do this? I don't mind if I need to edit code and rebuild as this is just for testing perposes so I will be reverting once I'm finished.

Thanks for your time,
Tim

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at  http://vger.kernel.org/majordomo-info.html



The information in this electronic mail is intended for the named recipients only. It may contain privileged and confidential matter; and if you are not an intended recipient, you are hereby notified that copying, forwarding or other dissemination or distribution of thiscommunication by any means is prohibited. If you have received this electronic mail in error, please notify the sender immediately.
CONFIDENTIALITY NOTICE: This email message is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments. Thank you.

Re: Simulating router breaking idle TCP connections with IPTABLES

[Timothy Arceri]

>Why dont you tune the system tcp stack then? All of what your asking for can be done by modifying the tcp settings... Tho of course >under normal cases its not recommended 


Thanks for you reply,


To answer your question: Because I dont know which settings will cause the scenario I described. Are you able to point out which settings I need to change?
I cant see any (with my limited knowledge) that will help.

Thanks,
Tim

Re: syn flood load test

[Vishesh kumar]

For me scapy does this. You can also try scapy for this purpose. Scapy
written in python is very rich but may be a bit of python scripting.

Thanks
Vishesh Kumar
http://linuxmantra.com

On Sun, May 5, 2013 at 11:33 PM, Alex Flex <aflexzor@gmail.com> wrote:
> Hello all!
>
> Not exactly an iptables question, but iam looking to stress load such
> config.
>
> I tried using:
>
> hping3 -p 80 --flood --rand-source -S my-ip-here
>
> However  i wasnt able to get more then 10k pps, i even tried running two
> instances of hping so i ca use two cores of CPU and it doesnt make a
> difference.
>
> Anybody have a suggestion? Iam looking forward to generate 300k pps flood
>
> Alex
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
http://linuxmantra.com

Re: Simulating router breaking idle TCP connections with IPTABLES

[Timothy Arceri]

>Um, what kind of router do you have? Even some of the very basic home routers have tcp timers on them. 


I have a Netgear WNR1000v3. Cant find any settings for tcp timers.

RE: Simulating router breaking idle TCP connections with IPTABLES

[Bob Reiber]

Look in port triggering. I think there is a timer setting there where you can specify when to close the tcp port

Bob Reiber
BK Sales and Service
3211 Longfellow Dr
Belmont, CA 94002
Tel: 650 376 1122
Fax: 650 240 4556

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Timothy Arceri
Sent: Monday, May 6, 2013 3:59 AM
To: netfilter@vger.kernel.org
Subject: Re: Simulating router breaking idle TCP connections with IPTABLES

>Um, what kind of router do you have? Even some of the very basic home routers have tcp timers on them. 


I have a Netgear WNR1000v3. Cant find any settings for tcp timers.
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@vger.kernel.org More majordomo info at  http://vger.kernel.org/majordomo-info.html



The information in this electronic mail is intended for the named recipients only. It may contain privileged and confidential matter; and if you are not an intended recipient, you are hereby notified that copying, forwarding or other dissemination or distribution of thiscommunication by any means is prohibited. If you have received this electronic mail in error, please notify the sender immediately.
CONFIDENTIALITY NOTICE: This email message is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments. Thank you.

Re: Simulating router breaking idle TCP connections with IPTABLES

[Timothy Arceri]

Thanks Bob, I have been attempting to use the port triggering for sftp i.e ssh connections on port 22 but they dont seem to be getting triggered. Is it likely that the ssh port would be ignored from port triggering on this router?? The router logs do not show anything to indicate that it even attempted port triggering.

Thanks for your help,
Tim



----- Original Message -----
From: Bob Reiber <bob@bkss.net>
To: Timothy Arceri <t_arceri@yahoo.com.au>; "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Cc: 
Sent: Tuesday, 7 May 2013 1:34 AM
Subject: RE: Simulating router breaking idle TCP connections with IPTABLES

Look in port triggering. I think there is a timer setting there where you can specify when to close the tcp port

Bob Reiber
BK Sales and Service
3211 Longfellow Dr
Belmont, CA 94002
Tel: 650 376 1122
Fax: 650 240 4556

-----Original Message-----
From: netfilter-owner@vger.kernel.org [mailto:netfilter-owner@vger.kernel.org] On Behalf Of Timothy Arceri
Sent: Monday, May 6, 2013 3:59 AM
To: netfilter@vger.kernel.org
Subject: Re: Simulating router breaking idle TCP connections with IPTABLES

>Um, what kind of router do you have? Even some of the very basic home routers have tcp timers on them. 


I have a Netgear WNR1000v3. Cant find any settings for tcp timers.

Re: Simulating router breaking idle TCP connections with IPTABLES

[Bob Reiber]

Tim,

Just to be clear, you are using sftp via the wan port to access a server
inside the firewall? I think the port triggering timer acts on idle
sessions. So if you connect and then don't do anything the timer should
close the session.

Bob Reiber
BK Sales and Service
tel: (650) 376 1122




On 5/9/13 12:46 AM, "Timothy Arceri" <t_arceri@yahoo.com.au> wrote:

>Thanks Bob, I have been attempting to use the port triggering for sftp
>i.e ssh connections on port 22 but they dont seem to be getting
>triggered. Is it likely that the ssh port would be ignored from port
>triggering on this router?? The router logs do not show anything to
>indicate that it even attempted port triggering.
>
>Thanks for your help,
>Tim
>
>
>
>----- Original Message -----
>From: Bob Reiber <bob@bkss.net>
>To: Timothy Arceri <t_arceri@yahoo.com.au>; "netfilter@vger.kernel.org"
><netfilter@vger.kernel.org>
>Cc: 
>Sent: Tuesday, 7 May 2013 1:34 AM
>Subject: RE: Simulating router breaking idle TCP connections with IPTABLES
>
>Look in port triggering. I think there is a timer setting there where you
>can specify when to close the tcp port
>
>Bob Reiber
>BK Sales and Service
>3211 Longfellow Dr
>Belmont, CA 94002
>Tel: 650 376 1122
>Fax: 650 240 4556
>
>-----Original Message-----
>From: netfilter-owner@vger.kernel.org
>[mailto:netfilter-owner@vger.kernel.org] On Behalf Of Timothy Arceri
>Sent: Monday, May 6, 2013 3:59 AM
>To: netfilter@vger.kernel.org
>Subject: Re: Simulating router breaking idle TCP connections with IPTABLES
>
>>Um, what kind of router do you have? Even some of the very basic home
>>routers have tcp timers on them.
>
>
>I have a Netgear WNR1000v3. Cant find any settings for tcp timers.
>--
>To unsubscribe from this list: send the line "unsubscribe netfilter" in
>the body of a message to majordomo@vger.kernel.org
>More majordomo info at  http://vger.kernel.org/majordomo-info.html



The information in this electronic mail is intended for the named recipients only. It may contain privileged and confidential matter; and if you are not an intended recipient, you are hereby notified that copying, forwarding or other dissemination or distribution of thiscommunication by any means is prohibited. If you have received this electronic mail in error, please notify the sender immediately.CONFIDENTIALITY NOTICE: This email message is for the sole use of the intended recipient and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply email and destroy all copies of the original message and any attachments. Thank you.