ccie.security lab - traffic generator Ostinato

I remember the times we were trying to develop our own traffic generator because there wasn't any kind of smart tool that could help with penetration testing, DoS attack simulation or just testing. I was trying to write some procedures in C to modify the IP header and was absolutely happy when I got my first pagent (a special Cisco IOS with a traffic generator feature). Then I heard about the Ostinato traffic generator, so I tried it ... and I think there's no better open-source traffic generator (except Kali) that could be used within UNL.

download/install

I started by downloading the QEMU-based image (qcow2) from Bernhard's website - check here. Then you can easily use it - just create a folder in /opt/unetlab/addons/qemu/ whose name begins with ostinato-. Then copy hda.qcow2 to that folder and let's start using it ...

configuring

the concept of using Ostinato is client/server communication. the client, also called the agent, is the GUI we can use for controlling the drone controller. there is also a Python API we can use to control the drone (the UNL device). just add the Ostinato drone to your UNL lab, using these parameters:


two Ethernet interfaces are there because one interface is used for management and the second is the source interface of the traffic streams. from the UNL perspective, the interfaces are eth0 and eth1; after Ostinato starts and you are able to log in (username tc, no password), you can see that the first interface is called cntl and the second is eth0. the control interface is configured as a DHCP client by default, so you can configure it statically in case the DHCP server isn't running or a static IP address is the only solution. the one-shot solution is the ifconfig command from the CLI:

sudo ifconfig cntl 10.0.0.70 netmask 255.255.255.0


or you can add this command to /opt/bootlocal.sh to keep the current settings after Ostinato is started. Let's run the GUI (Windows-based in my case) and add the Ostinato drone IP:


After the IP is entered, the agent connects to the drone via TCP/7878 and checks which interfaces are eligible to send the test traffic streams. as I'm using only one test interface, it should look like this:


generating the traffic

let's try to create some test traffic with some specific parameters. To make it easy to verify (later in this article), we will use UDP traffic destined for one router (the L2 destination MAC will be that of its eth0/0 interface); the source will be the Ostinato eth0 interface MAC. The destination IP will be the IP address of that router interface and the source will be spoofed (1.1.1.1); the L4 will be UDP/63123.

the new stream is created by clicking the left button in the stream window:


when the stream is created, we can assign the name (doubleclick in the name field) and configure the specific parameters by clicking on the settings wheel.


the first tab of the settings is about the general characteristics of the packet content - L1-L7 header and the final size of the frame.


and of course we will continue by specifying the details of the individual headers. I have checked the destination router's interface:

R4#sh int e0/0 | in , address
  Hardware is AmdP2, address is aabb.cc00.0400 (bia aabb.cc00.0400)


and of course the same thing for the drone's eth0 interface:

tc@box:~$ ifconfig eth0 | grep HWaddr
eth0      Link encap:Ethernet  HWaddr 50:00:00:0C:00:01


so the L2 (MAC) header is about the following settings:


leaving Ethernet header just with the EtherType of 0x0800 (IPv4)


IPv4 header is a little bit more complex so we can change ToS (for the QoS testing purpose), TTL value and IP addresses of course, so let's use our IPs - source is spoofed 1.1.1.1 and the destination is the R4 e0 interface:


I have forgotten to specify the UDP source port - it can be any value, so let's use 32768, and the destination port is as mentioned above - 63123. I will use this port number to verify on the destination router a little bit later


and leaving the default value for the payload, but you can specify anything you can imagine


we are very close to running this stream and checking it on R4, but we still need to specify the overall characteristics of the flow. you can specify whether it's a continuous stream or a bursty stream, then the number of packets/bursts and the final rate. I want the drone to send 100 packets at a rate of 20 pps, which means 5 seconds of slowly outgoing 100 packets. don't forget to click on the apply button, otherwise the stream is not eligible to run!


running and verifying the stream

let's run the stream on the eth0 interface. I'm using the INE topology, so the Ostinato eth0 interface is without an IP address, the SW3 switchport is in vlan 104, and the same vlan is configured on the e0/0 interface that points to R4's e0/0. the port information shows our Ostinato eth interface is up but not sending traffic. the received packets are just some configuration noise I haven't removed from the network, so please ignore it.


I have configured a simple access-list just to track the incoming stream and keep any other traffic from entering the interface:

R4#sh access-l
Extended IP access list 199
    10 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123


so when I click on the "play" button, 100 packets are sent towards the SW3 and R4, with all the characteristics we defined earlier and I should see the incoming traffic (as we used the R4 e0/0's MAC address) in the console output (the debug ip packet det is enabled). And of course I should see the "frames sent" will be increasing up to the 100 packets. let's go ...

the GUI counters look good:


then debugging looks also good:

IP: s=1.1.1.1 (Ethernet0/0), d=192.168.100.4, len 162, stop process pak for forus packet
    UDP src=32768, dst=63123


and of course the access-list looks as expected:

R4#sh ip access-l
Extended IP access list 199
    10 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 (100 matches)


other example

let's try a sequence of streams - 5 streams with the same characteristics except the ToS field. 5 packets will be sent per stream (per ToS) with the IP Precedence of 1, 2, 3, 4 and 5. The verification access-list is as follows:

R4#sh access-l
Extended IP access list 199
    10 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence priority
    20 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence immediate
    30 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash
    40 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash-override
    50 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence critical


you can use the "clone stream" option and copy the original stream four times, then set the ToS value only (be aware it's mandatory to use the ToS DEC value!) ... and the corresponding set of streams is:


and of course, as expected:

R4#sh ip access-l
Extended IP access list 199
    10 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence priority (5 matches)
    20 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence immediate (5 matches)
    30 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash (5 matches)
    40 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash-override (5 matches)
    50 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence critical (5 matches)
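
The check above, automated as an added example (not part of the original article and not Ostinato's own code): it converts each IP Precedence to the decimal ToS value the stream dialog expects and compares the ACL counters with the number of packets sent per stream. The function names and the sample output, in which two entries deliberately miss their count, are constructed for illustration.

```python
import re

# IOS keywords for IP Precedence 0-7 (list index = precedence value)
PRECEDENCE_NAMES = ["routine", "priority", "immediate", "flash",
                    "flash-override", "critical", "internet", "network"]

ENTRY_RE = re.compile(
    r"^\s*(\d+) permit udp .*? precedence (\S+)(?: \((\d+) match(?:es)?\))?\s*$")

# Constructed sample: the ACL from this article, but entry 40 is short and
# entry 50 has no counter (IOS prints none until the first match).
SAMPLE = """\
Extended IP access list 199
    10 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence priority (5 matches)
    20 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence immediate (5 matches)
    30 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash (5 matches)
    40 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence flash-override (3 matches)
    50 permit udp host 1.1.1.1 host 192.168.100.4 eq 63123 precedence critical
"""

def tos_decimal(precedence):
    """Decimal ToS byte carrying the precedence in its three high-order bits."""
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence must be 0..7")
    return precedence << 5

def parse_matches(show_output):
    """Map precedence keyword -> match counter from 'show ip access-lists' text."""
    counters = {}
    for line in show_output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            counters[m.group(2)] = int(m.group(3) or 0)
    return counters

def check_streams(show_output, precedences, packets_per_stream):
    """Return {tos_decimal: (expected, seen)} for streams that missed their count."""
    counters = parse_matches(show_output)
    failures = {}
    for p in precedences:
        seen = counters.get(PRECEDENCE_NAMES[p], 0)
        if seen != packets_per_stream:
            failures[tos_decimal(p)] = (packets_per_stream, seen)
    return failures

if __name__ == "__main__":
    for p in range(1, 6):
        print(f"precedence {p} ({PRECEDENCE_NAMES[p]}) -> ToS DEC {tos_decimal(p)}")
    print("streams that missed their count:", check_streams(SAMPLE, range(1, 6), 5))
```
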


there is a lot we can do with Ostinato, dozens of options we can adjust etc. hope you've enjoyed this article and you'll enjoy working with this great tool!

That's it! how easy ... enjoy and good luck!




Copyright © TR2016