BreakingPoint Labs

BreakingPoint & VMware Networking

Today, I'll show you how you can use a VMware server to quickly switch between different test devices without ever leaving your desk. Then I'll fire up some sample tests against a virtual Linux host.

Why VMware

Working for BreakingPoint Labs, we are faced with rapid release cycles and a broad range of tasks. Sometimes it is working to provide timely Microsoft Patch Tuesday Strike coverage, other times it is reverse engineering a protocol and implementing it with Application Simulator. Frequently we have to quickly pick up strange new aspects of the computer world and just run with it.

Since we switch gears a lot, we make heavy use of VMware Workstation™ on our personal development machines. This works perfectly right up until we need to use BreakingPoint to target our environment. Our development BreakingPoint test products are located in a rack in a lab, but we are living in cubicle land.

VMware Server 2™ is a nice solution. It has a remote web console where all of the BreakingPoint Labs developers can add/configure new virtual servers without affecting each other's setup. With a dedicated server in our rack for VMware, we can configure what kind of target our BreakingPoint product is connected to without ever leaving our cubes.

The Setup

You can grab a copy of VMware Server 2 here. You'll need a server with adequate RAM and disk space, as well as at least 3 physical network interfaces. That is one for a regular LAN connection and at least two that connect directly to the ports on your BreakingPoint product.


After getting VMware up and running, you'll need to add two new virtual interfaces in bridged mode. This can be very simply done by the "vmware-config.pl" wizard. I like to name these VMLAN1 and VMLAN2. If you like, you can also add new vmnet interfaces for the other two test ports. These will take the traffic your BreakingPoint product is generating and pipe it into your virtual environment.

When you create a new virtual machine, you should be able to see and add the custom bridged network interfaces via the "add new hardware" wizard. After your virtual machine is booted, you will want to make sure the virtual machine's network settings match up with a configured BreakingPoint "Network Neighborhood".

Blasting Linux with a Packet Cannon

As an example, I'll run a test against a Linux VM that I have set up. I would say the typical use case for Linux networking is a home NAT router/firewall. So, I've set up a standard Ubuntu Server in VMware and configured it to perform NAT for all LAN hosts with a simple iptables script. BreakingPoint is also configured to use a NAT Network Neighborhood so that it will recognize packets with the source address rewritten.

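# eth2 is the LAN side, eth1 is the WAN side
# Turn on IPv4 forwarding so the VM routes between the two interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush existing filter rules and drop forwarded packets by default
/sbin/iptables -F
/sbin/iptables -P FORWARD DROP
# Rewrite the source address of everything leaving the WAN side
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/sbin/iptables -A FORWARD -i eth2 -j ACCEPT # Let LAN traffic through
/sbin/iptables -A FORWARD -o eth2 -j ACCEPT # Let traffic back in to the LAN
# Accept replies to connections the router itself opened
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT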

This firewall script will enable NAT with connection tracking for the traffic that passes through the Linux device. The tracking of every session should be putting quite a load on the virtual CPU. I will also be running ntop on the VM to get some graphs of what traffic it sees from its perspective.
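The script above accepts any forwarded packet leaving on eth2, whether or not it belongs to a session a LAN host started, which is fine for a lab target but worth knowing before reusing the rules. The check below is an added example, not part of the original post: it reads rules in the form printed by `iptables -S FORWARD` or `iptables-save` and flags ACCEPT rules toward the LAN that carry no state match. The function names and both sample rulesets are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag FORWARD ACCEPT rules that let traffic reach the LAN
# without any connection-state match. Input is `iptables -S FORWARD` text.

# Constructed sample: the FORWARD chain as the script above leaves it.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -i eth2 -j ACCEPT
-A FORWARD -o eth2 -j ACCEPT'

# Constructed sample: a stateful variant (only return traffic toward the LAN).
STATEFUL_RULES='-P FORWARD DROP
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# audit_forward LAN_IF  (rules on stdin)
# Prints each ACCEPT rule that outputs to LAN_IF with no state/conntrack match.
audit_forward() {
    awk -v lan="$1" '
        $1 == "-A" && $2 == "FORWARD" {
            to_lan = 0; stateful = 0; accept = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-o" && $(i + 1) == lan) to_lan = 1
                if ($i == "-m" && ($(i + 1) == "state" || $(i + 1) == "conntrack")) stateful = 1
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (to_lan && accept && !stateful) print
        }'
}

# count_findings LAN_IF RULES -> number of stateless rules toward the LAN
count_findings() {
    printf '%s\n' "$2" | audit_forward "$1" | wc -l | tr -d ' '
}

echo "page ruleset:     $(count_findings eth2 "$SAMPLE_RULES") stateless rule(s) toward eth2"
echo "stateful variant: $(count_findings eth2 "$STATEFUL_RULES") stateless rule(s) toward eth2"
```

On the VM itself, feed it live rules with `iptables -S FORWARD | audit_forward eth2`.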

Application Simulator: Small to Medium Business Apps

I'll start off by running the Application Simulator preset for SOHO routers for 10 minutes. This will send a reasonable amount of traffic considering that it is virtual networking on commodity hardware. This test is about right for such a router. Note the CPU usage for the ntop daemon.

Ntop Stats from the Linux VM

Ntop CPU Usage

BreakingPoint Traffic (RX and TX rates match up)

Application Simulator: Max Bandwidth

This Application Simulator preset runs as many of the highest bandwidth applications as fast as it can. Considering just how much that can be, this will simply DoS the Linux VM. The data rate is fast enough that even though the traffic is realistic, it's effectively just a SYN flood. The gathered data shows effectively the same thing.

NTop Stats (Not much is getting through)

BreakingPoint Traffic (RX rate nowhere near TX rate)
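Because the NAT rules track every session, a run like Max Bandwidth is a good moment to look at the connection-tracking table on the VM as well as ntop. The script below is an added example, not part of the original post: it reports how full the table is and counts the kernel's "table full" drop messages in log text. The 80% warning threshold, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: watch connection-tracking pressure on the NAT VM during a run.

# /proc paths on kernels with nf_conntrack loaded; override for other layouts.
CT_COUNT=${CT_COUNT:-/proc/sys/net/netfilter/nf_conntrack_count}
CT_MAX=${CT_MAX:-/proc/sys/net/netfilter/nf_conntrack_max}

# ct_percent COUNT MAX -> integer percent of the table in use
ct_percent() {
    echo $(( $1 * 100 / $2 ))
}

# ct_state PERCENT -> ok | warn | full  (thresholds are assumptions)
ct_state() {
    if [ "$1" -ge 100 ]; then echo full
    elif [ "$1" -ge 80 ]; then echo warn
    else echo ok
    fi
}

# count_table_full: count kernel "table full" drop messages in log text on stdin
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Constructed kernel log lines for the demonstration (not captured output).
SAMPLE_LOG='[ 812.104] nf_conntrack: table full, dropping packet
[ 812.311] eth1: link up
[ 813.007] nf_conntrack: table full, dropping packet'

# ct_report COUNT MAX -> one summary line
ct_report() {
    pct=$(ct_percent "$1" "$2")
    echo "conntrack $1/$2 (${pct}%) state=$(ct_state "$pct")"
}

if [ -r "$CT_COUNT" ] && [ -r "$CT_MAX" ]; then
    ct_report "$(cat "$CT_COUNT")" "$(cat "$CT_MAX")"   # live values
else
    ct_report 65536 65536                                # constructed values
fi
echo "table-full drops in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_table_full)"
```

On the VM, pipe `dmesg` into `count_table_full` after the test to see whether the kernel dropped packets because the table filled.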

Switching Gears

The real awesomeness of using VMware comes when you finish with one task and need to do something completely different. I started off with a Linux bandwidth test and now I need to run some Strikes against a Windows Vista machine. All I have to do is boot the Vista virtual machine and double check my network settings.

Strike Level 5 Running Against Windows Vista

Have it your way

There is no reason to limit yourself to just one or two test ports either. With VMware, you can configure any number of hosts connected by any number of LAN segments. You could daisy-chain a few software IPS machines and see how far malicious traffic can go within your network. Or you could run a one-armed test against a web server that is behind a firewall all while flooding the router with P2P traffic. The options are nearly limitless.
