Monday, January 11, 2010

Stress testing pf versus iptables

We wanted to know whether pf or iptables was faster at implementing a whitelist or blacklist of IP addresses. How can you generate packets on one computer pretending to come from a wide range of IP addresses (i.e. spoofed source addresses) and then detect and count their arrival on another computer? A third machine running pf or iptables would need to sit in the middle as the router/firewall.

Generating spoofed packets can be done with a number of tools. We chose hping3, since it does this but also has a listen mode that watches for packets carrying a given signature and prints out the packet contents following that signature. So if we send 10,000 spoofed packets as fast as possible from machine A to machine C via machine B (running pf/iptables), every one of them should be dropped if its spoofed source address is on the blacklist. Each such lookup in the blacklist on machine B costs some CPU time, and the efficiency of that lookup in pf versus iptables is what we were hoping to measure.

The only remaining problem was how to generate a mixture of blacklisted/whitelisted addresses and others that were definitely not on the list. The lists can be generated by a simple Perl script, and by adjusting it we also generated a shell script containing a long series of hping3 commands. We then started hping3 in listen mode on machine C and piped its output to a file. Counting the number of words in the file tells us how many packets made it through the firewall. If the flood of packets overwhelmed the router as we hoped, then the less efficient firewall would drop more of them.
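The generator described above, written out as an added Python example rather than the original Perl script. It builds a blacklist from one reserved benchmark range and the "definitely not listed" sources from a disjoint one, emits the matching pf table and iptables rules, the hping3 command list, and the number of packets the listener on machine C should see; the signature, target address, pf macro `$int_if` and the hping3 flags used are assumptions, not values from the post.

```python
"""Build firewall lists, spoofed traffic and the expected pass-through count for a pf/iptables run."""
import ipaddress
import random

SIGNATURE = "PFTEST"                                   # constructed marker: sender -e, listener -9
TARGET = "192.0.2.10"                                  # machine C, placeholder documentation address
BLOCKED_NET = ipaddress.ip_network("198.18.0.0/16")    # RFC 2544 benchmark range, sources to list
CLEAN_NET = ipaddress.ip_network("198.19.0.0/16")      # disjoint range, sources never listed

def sample_hosts(net, count, rng):
    """Pick `count` distinct host addresses from `net` (constructed sample, no network/broadcast)."""
    hosts = set()
    while len(hosts) < count:
        hosts.add(str(net[rng.randrange(1, net.num_addresses - 1)]))
    return sorted(hosts)

def pf_conf(blocked):
    """pf.conf fragment: one table lookup per forwarded packet ($int_if is an assumed macro)."""
    return (f"table <blacklist> persist {{ {', '.join(blocked)} }}\n"
            "block in quick on $int_if from <blacklist> to any\n")

def iptables_rules(blocked):
    """iptables equivalent: a linear FORWARD chain with one DROP rule per listed host."""
    return [f"iptables -A FORWARD -s {h} -j DROP" for h in blocked]

def traffic_mix(blocked, clean, packets, rng):
    """Alternate listed and unlisted sources so the lookup both hits and misses."""
    return [rng.choice(blocked if i % 2 else clean) for i in range(packets)]

def hping_script(sources):
    """One hping3 line per spoofed packet (assumed flags: -a spoof, -c count, -d size, -e signature)."""
    return [f"hping3 -a {s} -c 1 -d {len(SIGNATURE)} -e {SIGNATURE} {TARGET}" for s in sources]

def expected_delivered(sources, blocked):
    """Packets the firewall should forward: those whose spoofed source is not listed."""
    listed = set(blocked)
    return sum(1 for s in sources if s not in listed)

def received(listener_output):
    """Mirror `wc -w` on the hping3 -9 capture file; compare with expected_delivered()."""
    return len(listener_output.split())

def build_run(seed=1, n_hosts=100, packets=10_000):
    """Assemble one deterministic run: lists, firewall rules, sender script and expected count."""
    rng = random.Random(seed)
    blocked = sample_hosts(BLOCKED_NET, n_hosts, rng)
    clean = sample_hosts(CLEAN_NET, n_hosts, rng)
    mix = traffic_mix(blocked, clean, packets, rng)
    return {"blocked": blocked, "pf": pf_conf(blocked), "iptables": iptables_rules(blocked),
            "script": hping_script(mix), "expected": expected_delivered(mix, blocked)}
```

Write `run["script"]` to a file and execute it on machine A; a listener count well below `run["expected"]` means the firewall under test was dropping unlisted packets too, i.e. it was overwhelmed.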

1 comment:

  1. Hi, I have only the rules below on my iptables. Can anyone guide me? I am not able to send 25 requests in one second; what am I doing wrong? Or how can I perform a LOAD TEST against these iptables rules? Is there any way to test these rules?
    /sbin/iptables -I INPUT -p tcp --syn --dport $Port_No -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
    /sbin/iptables -I INPUT -p tcp --syn --dport $Port_No -m state --state NEW -m recent --rcheck --seconds 1 --hitcount 25 -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p tcp --syn --dport 9080 -m connlimit --connlimit-above 250 -j REJECT --reject-with tcp-reset
    /sbin/service iptables save