Tools
This page collects tools that are helpful in developing, running and
controlling experiments. They are either developed by DETER/EMIST
participants or third-party tools we link to. If you find any of these
tools particularly helpful or problematic, please let us know. Also, if
you have developed tools that you would like to share, email us.
Legend:
- Tool developed and maintained by DETER/EMIST participants
- Tool developed but no longer maintained by DETER/EMIST participants
- A third-party tool, which may or may not be maintained
The Security Experimentation EnviRonment (SEER), developed by SPARTA, Inc.,
is an experimenter's workbench that provides an integrated environment
for network security experiment design and control. It includes agents
for traffic generation, attack generation, and traffic collection and
analysis, plus a GUI to run the experiment from your desktop and
visualize traffic on the nodes. SEER is fairly easy to learn. The GUI is
a good entry point for novice users: experiments can be set up, run and
their effect visualized through a point-and-click interface. SEER's
scripting language, based on Perl, supports repetitive, large-scale and
flexible experimentation. SEER's traffic generators currently support
various legitimate traffic types and a variety of DoS attacks; SPARTA is
in the process of adding controls for other types of security
experiments (e.g., worms, DNS attacks, routing attacks) to SEER.
Runs on: all platforms, written in Java
Best for: legitimate traffic generation, DoS traffic generation, visualization of traffic levels in topology
For questions contact: Brett Willson at SPARTA
ESVT (Experiment Specification and Visualization Tools), developed by
Penn State University, is an experimenter's workbench that provides an
integrated environment to interact with the DETER or Emulab testbeds
and to conduct network security emulation/simulation experiments. ESVT
provides a modular, component-based topology editor, a TCL script
generator, a worm experiment designer, and a visualization tool for
experimental results. The GUI offers a topology editor toolbar to draw
network topologies and then generate a TCL script from the designed
topology in several formats. ESVT 2.0 adds an offline tcpdump-to-NetFlow
converter, support for the output of the GT-ITM topology generator,
and more advanced visualization and data mining features for processing
(tcpdump) experimental output. ESVT is well suited for worm experiments.
Runs on: Windows XP and Windows 2000, written in C++
Best for: worm experiment generation and visualization
For questions contact: Lunquan Li at PSU
The Purdue Tool Suite includes a Scriptable Event System (SES),
measurement utilities, and a collection of scripts that can be used to
process and visualize the measured data. SES lets experimenters control
all test machines from a central location so that large-scale
experiments can be orchestrated, synchronized and executed in a
repeatable manner. The measurement tool tmeas records a number of
system-level statistics: packets, bytes and TCP connections seen on
host interfaces, and CPU and memory usage. The tool cwnd_track tracks
the congestion window of TCP connections. The data analysis scripts
help process BGP log files and tmeas output, preparing them for plotting
programs.
Runs on: UNIX
Best for: experiment scripting, TCP/CPU/memory statistics collection
For questions contact: Roman Chertov at Purdue University
SEER, see
above, generates legitimate traffic using Harpoon
or custom-made Web, DNS, Ping, IRC, FTP and VoIP agents.
Tcpreplay is a suite of BSD-licensed tools for injecting previously
captured traffic in libpcap format to test a variety of network
devices. It allows you to classify traffic as client or server, rewrite
Layer 2, 3 and 4 headers, and finally replay the traffic back onto the
network and through other devices such as switches, routers, firewalls,
NIDS and IPSs. Tcpreplay supports both single- and dual-NIC modes, for
testing sniffing and inline devices respectively.
Runs on: UNIX-flavored OSes and Win32 with Cygwin
Best for: replaying traces to regenerate the same or similar traffic
For questions contact: Tcpreplay support
Performance testing tools (ttcp, nttcp, nuttcp and iperf) generate a
volume of traffic with given characteristics to test network
performance. This traffic is generally not "well-formed" in the
application sense, but it follows transport protocol semantics.
Runs on: UNIX-flavored OSes
Best for: bulk volume traffic generation
Webstone, a benchmark owned by Mindcraft Inc., measures the performance
of web server software and hardware products. Webstone consists of a
program called the webmaster, which can be installed on a client in the
network or on a separate computer. The webmaster distributes the web
client software and the test configuration files to the client
computers, which then contact the web server to retrieve web pages or
files in order to measure web server performance. Webstone also
exercises operating system software, CPU and network speed. Although it
was developed to measure web server performance, it can be used to
generate background traffic in a network: the multiple clients keep
contacting the server over a period of time, thereby simulating web
traffic.
Runs on: UNIX-flavored OSes and Windows NT
Best for: Web traffic generation
NTGC - Network Traffic Compiler Generator, developed at UC Davis, can
generate a traffic stream that statistically represents real network
traffic. It was designed for DDoS and worm defense experiments. It
extracts traffic attributes from pre-captured traffic traces in tcpdump
(pcap) format and converts these attributes into configuration files
that drive low-level traffic generators such as ttcp or D-ITG.
Runs on: UNIX-flavored OSes
Best for: generating traffic similar to a collected trace
For questions contact: Allen Ting at UC Davis
TCPopera - Interactive Internet Traffic Replay, developed at UC Davis,
is an interactive Internet traffic replay tool. Its primary goals are
(1) replaying TCP connections in a stateful manner and (2) supporting
traffic models for trace manipulation. TCPopera emulates the TCP
protocol stack to replay traces interactively, taking TCP-level
connection parameters and IP-level flow parameters into account to
decide dynamically when to play each packet.
Runs on: UNIX-flavored OSes
Best for: generating traffic similar to a collected trace
Harpoon, developed at the University of Wisconsin, is a flow-level
traffic generator. It uses a set of distributional parameters that can
be automatically extracted from NetFlow traces to generate flows that
exhibit the same statistical qualities present in measured Internet
traces, including temporal and spatial characteristics. Harpoon can be
used to generate representative background traffic for application or
protocol testing, or for testing network switching hardware. Note,
however, that while the traffic dynamics will resemble those found in
the traces, Harpoon traffic runs over HTTP and the application behavior
may differ from the real one.
Runs on: UNIX-flavored OSes
Best for: generating traffic from traces or from high-level specifications.
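As an added illustration of the trace-driven approach that NTGC and Harpoon take (example code written for this page, not code from either tool), the Python below extracts the empirical flow-size and inter-arrival distributions from a constructed set of flow records, samples a synthetic flow schedule by inverse-CDF sampling so that the schedule shares those distributions, and writes one line per flow in a hypothetical driver format of the kind a low-level generator could be fed. The record layout, the config line format and the sample trace are all assumptions.

```python
"""Trace-driven flow generation in the style described for NTGC and Harpoon.

Added example (not NTGC's or Harpoon's own code).  Flow records (a constructed
stand-in for a NetFlow or tcpdump-derived trace) yield the empirical
distributions of flow size and inter-arrival time; a synthetic schedule is then
drawn from those distributions by inverse-CDF sampling.  The record format, the
statistics kept and the driver-config output are all assumptions.
"""
import bisect
import random

# Constructed trace: (flow start time in seconds, flow size in bytes).
TRACE = [
    (0.0, 400), (0.5, 1200), (0.7, 60000), (1.2, 800), (1.3, 1500),
    (2.0, 250000), (2.1, 900), (2.9, 1200), (3.0, 3000), (4.0, 700),
]


def extract_attributes(trace):
    """Return sorted samples of flow size and of flow inter-arrival time."""
    records = sorted(trace)
    sizes = sorted(size for _, size in records)
    gaps = sorted(b[0] - a[0] for a, b in zip(records, records[1:]))
    return sizes, gaps


def quantile(samples, q):
    """Empirical quantile: the sample at position floor(q * n) of the sorted list.
    Feeding a uniform u in [0, 1) into this is inverse-CDF sampling."""
    if not samples:
        raise ValueError("no samples")
    idx = min(len(samples) - 1, int(q * len(samples)))
    return samples[idx]


def cdf(samples, x):
    """Empirical CDF P(X <= x) over the sorted samples."""
    return bisect.bisect_right(samples, x) / len(samples)


def generate_schedule(trace, n_flows, seed=1):
    """Draw n_flows synthetic (start_time, size) pairs whose sizes and
    inter-arrivals follow the trace's empirical distributions."""
    sizes, gaps = extract_attributes(trace)
    rng = random.Random(seed)          # seeded so runs are repeatable
    schedule, t = [], 0.0
    for _ in range(n_flows):
        t += quantile(gaps, rng.random())
        schedule.append((t, quantile(sizes, rng.random())))
    return schedule


def to_generator_config(schedule, src="10.0.0.1", dst="10.0.0.2", port=5001):
    """Emit one line per flow in a hypothetical driver format for a bulk sender:
    start_seconds src dst port bytes.  Addresses and port are placeholders."""
    return "\n".join(f"{t:.3f} {src} {dst} {port} {size}" for t, size in schedule)


if __name__ == "__main__":
    print(to_generator_config(generate_schedule(TRACE, 20)))
```

The sampled schedule reproduces the measured marginal distributions only; like Harpoon, it says nothing about the application-level content of each flow.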
SEER, see above, generates attack traffic using the Flooder tool,
developed by SPARTA, and the Cleo tool, developed by UCLA. See SEER's
Web page for a more detailed description of these tools. For security
reasons we are not releasing their source code, but the tools are very
versatile and we are open to adding new features, should you need them.
The following collection of real DDoS tools has little new to offer
with regard to attack traffic generation when compared to SEER's
capabilities. In general, SEER can generate the same traffic variations
as these tools, and more, and is easier to control and customize. If,
however, you are testing a defense that looks at the control traffic of
DoS networks, these tools may be useful to you. They are all
downloadable from third-party Web sites and are not maintained.
Trinoo uses a master/slave architecture, where an attacker sends
commands to the master via TCP and masters and slaves communicate via
UDP. Both master and slaves are password protected to prevent them from
being taken over by another attacker. Trinoo generates UDP packets of a
given size to random ports on one or multiple target addresses, during
a specified attack interval.
TFN2K is an improved version of the TFN attack tool. It includes
several features designed specifically to make TFN2K traffic difficult
to recognize and filter, to remotely execute commands, to obfuscate the
true source of the traffic, to transport TFN2K traffic over multiple
transport protocols (UDP, TCP and ICMP), and to confuse attempts to
locate other nodes in a TFN2K network by sending decoy packets. TFN2K
obfuscates the true traffic source by spoofing source addresses.
Attackers can choose between random spoofing and spoofing within a
specified range of addresses (to defeat ingress filtering). In addition
to flooding, TFN2K can also perform some vulnerability attacks by
sending malformed or invalid packets.
Stacheldraht combines features of the Trinoo and TFN tools and adds
encrypted communication between the attacker and the masters.
Stacheldraht uses TCP for the encrypted communication between the
attacker and the masters, and TCP or ICMP for communication between
masters and agents. Another added feature is the ability to perform
automatic updates of the agent code. Available attacks are UDP flood,
TCP SYN flood, ICMP ECHO flood and Smurf attacks.
Mstream generates a flood of TCP packets with the ACK bit set. Masters
can be controlled remotely by one or more attackers using a
password-protected interactive login. The communications between
attacker and masters, and between a master and agents, are configurable
at compile time and have varied significantly from incident to
incident. Source addresses in attack packets are spoofed at random. The
TCP ACK attack exhausts network resources and will likely cause a TCP
RST to be sent to the spoofed source address (potentially also creating
outgoing bandwidth consumption at the victim).
Packit (Packet
Toolkit)
is a network auditing tool. Its value is derived from its ability to
customize, inject, monitor, and manipulate IP traffic. By allowing you
to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and
Ethernet header options, Packit can be useful in testing firewalls,
intrusion detection/prevention systems, port scanning, simulating
network traffic, and general TCP/IP auditing. Packit is also an
excellent tool for learning TCP/IP.
KMSim, developed by Penn State University, is a simulation code
consisting of coupled Kermack-McKendrick epidemic equations that model
the spread of a bandwidth-limited, randomly scanning Internet worm.
Runs on: UNIX
Best for: simulating simple worms
For questions contact: Lunquan Li at Penn State University.
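The Kermack-McKendrick model behind this kind of simulator, carried through as an added example (written for this page, not KMSim's code): the pairwise contact rate beta = s / 2^32 follows from a worm that scans the IPv4 space uniformly at random at s scans per second per infected host, and the bandwidth limit is modelled, as an assumption, by capping s at uplink capacity divided by scan-packet size. The host counts, scan rates and packet size used are illustrative values, not measurements.

```python
"""Kermack-McKendrick style model of a randomly scanning Internet worm.

Added example illustrating the kind of model KMSim is described as
implementing; it is not KMSim's code.  S, I and R are the susceptible,
infected (actively scanning) and removed (patched or quarantined) vulnerable
hosts.  A random-scanning worm hits a given vulnerable host with probability
1/2^32 per scan, so the pairwise contact rate is beta = s / 2^32 where s is the
per-host scan rate.  "Bandwidth-limited" is modelled (an assumption) by capping
s at what the host uplink can carry in scan packets per second.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ADDRESS_SPACE = 2 ** 32


@dataclass
class WormParams:
    vulnerable: int                      # N, vulnerable hosts in the address space
    initial_infected: int                # I(0)
    scan_rate: float                     # s, scans/s an unconstrained host sends
    removal_rate: float = 0.0            # gamma, fraction of infected removed per second
    uplink_bps: Optional[float] = None   # per-host uplink capacity; None = no cap
    scan_bits: int = 8 * 404             # bits per scan packet (assumed value)


def effective_scan_rate(p: WormParams) -> float:
    """Scan rate after the bandwidth cap: min(s, uplink / packet size)."""
    if p.uplink_bps is None:
        return p.scan_rate
    return min(p.scan_rate, p.uplink_bps / p.scan_bits)


def contact_rate(p: WormParams) -> float:
    """beta: rate at which one infected host infects one specific susceptible."""
    return effective_scan_rate(p) / ADDRESS_SPACE


def basic_reproduction_number(p: WormParams) -> float:
    """R0 = beta * N / gamma; the worm dies out if R0 < 1 (infinite when gamma == 0)."""
    if p.removal_rate == 0:
        return float("inf")
    return contact_rate(p) * p.vulnerable / p.removal_rate


def simulate(p: WormParams, t_end: float, dt: float = 0.1) -> List[Tuple[float, float, float, float]]:
    """Forward-Euler integration of
         dS/dt = -beta S I,   dI/dt = beta S I - gamma I,   dR/dt = gamma I
       returning (t, S, I, R) samples every dt seconds."""
    beta, gamma = contact_rate(p), p.removal_rate
    S = float(p.vulnerable - p.initial_infected)
    I, R = float(p.initial_infected), 0.0
    traj = [(0.0, S, I, R)]
    for k in range(1, int(round(t_end / dt)) + 1):
        new_inf = min(beta * S * I * dt, S)   # cannot infect more than remain
        removed = min(gamma * I * dt, I)
        S -= new_inf
        I += new_inf - removed
        R += removed
        traj.append((k * dt, S, I, R))
    return traj


def time_to_fraction(traj, n_vulnerable: int, fraction: float) -> Optional[float]:
    """First time at which I + R reaches the given fraction of N, or None."""
    for t, _, I, R in traj:
        if I + R >= fraction * n_vulnerable:
            return t
    return None


if __name__ == "__main__":
    fast = WormParams(vulnerable=75_000, initial_infected=1, scan_rate=4000.0)
    slow = WormParams(vulnerable=75_000, initial_infected=1, scan_rate=4000.0, uplink_bps=1e6)
    for name, p in (("unlimited", fast), ("1 Mb/s uplink", slow)):
        traj = simulate(p, t_end=3000.0)
        print(f"{name}: 90% infected after {time_to_fraction(traj, p.vulnerable, 0.9)} s")
```

With gamma = 0 the model reduces to the logistic curve familiar from random-scanning worm analyses, and the 90% point scales inversely with beta * N, which is why the bandwidth cap stretches the outbreak by the same factor it reduces the scan rate.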
PAWS, developed by the University of Delaware, is a discrete-time
packet-level simulator. Compared with other worm models and
simulations, PAWS replicates more details of the Internet environment
and makes fewer simplifying assumptions about worm characteristics and
the behavior of vulnerable hosts. PAWS simulates a realistic Internet
model and the background traffic load, enabling investigation of
possible congestion effects and of the degradation suffered by
legitimate traffic during worm spread. PAWS further supports various
user-customizable parameters that enable testing of different worm
characteristics and host and network diversity models.
Runs on: UNIX
Best for: simulating various worms, replicating details of the Internet environment
For questions contact: Songjie Wei at University of Delaware
Network Traffic Digesting (NTD) Tool, developed by Penn State
University, is an off-line network traffic analysis tool capable of
analyzing both TCPDUMP and Cisco NetFlow export format traces in
Windows. The NTD tool can detect the significant clusters, i.e.,
clusters whose traffic exceeds a user-specified threshold (in either
packets or bytes). The thresholds can be specified in a unidimensional
fashion (for source IP, destination IP, source port, destination port
or protocol) and also in a multidimensional fashion for the
five-tuple.
Runs on: UNIX
Best for: traffic analysis to detect large clusters of similar packets
For questions contact: Jishen Wang at Penn State University
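The significant-cluster check described above, as an added example written for this page (not NTD's code): flow records are summed along each single dimension and along the full five-tuple, and every cluster whose packet or byte total exceeds the threshold is reported, largest first. The record layout and the sample flows (a spray of small TCP flows from many sources to one web server, one UDP five-tuple seen repeatedly, and a little background) are constructed, so the flood-like shape of the data is deliberate.

```python
"""Significant-cluster detection over flow records, as described for NTD.

Added example, not NTD's code.  Flow records are aggregated along one
dimension (source IP, destination IP, source port, destination port or
protocol) or along the five-tuple, and any cluster whose packet or byte total
exceeds a user-specified threshold is reported.  The record format and the
sample flows below are constructed for this example.
"""
from collections import defaultdict

FIVE_TUPLE = ("src", "dst", "sport", "dport", "proto")


def make_flows():
    """Constructed sample: 200 distinct sources sending 3 packets each to one
    web server, one UDP five-tuple seen ten times, and a little background."""
    flows = []
    for i in range(200):
        flows.append({"src": f"10.3.{i // 256}.{i % 256}", "dst": "10.2.2.80",
                      "sport": 40000 + i, "dport": 80, "proto": "tcp",
                      "packets": 3, "bytes": 180})
    for _ in range(10):
        flows.append({"src": "10.1.1.9", "dst": "10.2.2.53", "sport": 5353,
                      "dport": 53, "proto": "udp", "packets": 50, "bytes": 4000})
    flows.append({"src": "10.1.1.5", "dst": "10.2.2.80", "sport": 40001,
                  "dport": 80, "proto": "tcp", "packets": 12, "bytes": 9000})
    return flows


def aggregate(flows, keys):
    """Sum packets and bytes per distinct value of the chosen key(s)."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for f in flows:
        k = tuple(f[x] for x in keys)
        totals[k]["packets"] += f["packets"]
        totals[k]["bytes"] += f["bytes"]
    return totals


def significant_clusters(flows, keys, threshold, measure="packets"):
    """Clusters along `keys` whose `measure` total exceeds `threshold`,
    largest first.  `keys` is a single dimension or the five-tuple."""
    if measure not in ("packets", "bytes"):
        raise ValueError("measure must be 'packets' or 'bytes'")
    totals = aggregate(flows, keys)
    hits = [(k, v[measure]) for k, v in totals.items() if v[measure] > threshold]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))


def report(flows, threshold, measure="packets"):
    """Run the unidimensional checks and the five-tuple check in one pass."""
    out = {dim: significant_clusters(flows, (dim,), threshold, measure)
           for dim in FIVE_TUPLE}
    out["five_tuple"] = significant_clusters(flows, FIVE_TUPLE, threshold, measure)
    return out


if __name__ == "__main__":
    for dim, hits in report(make_flows(), threshold=400).items():
        print(dim, hits)
```

Note how the two kinds of check complement each other on this data: the distributed spray to 10.2.2.80 is visible only in the unidimensional destination, destination-port and protocol views (every five-tuple in it is tiny), while the repeated UDP flow shows up in every view including the five-tuple.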
Rocketfuel-to-ns, developed by Purdue University, is a utility to
convert Rocketfuel-format data files into a set of configuration files
runnable on an emulation testbed like the DETER testbed. Experiment
configurations generated with this tool have the advantage of not being
totally synthetic representations of the Internet; they provide a
router-level topology based on real measurement data. The distribution
also contains many sample NS files that represent real AS topologies.
Runs on: UNIX
Best for: collecting real AS topologies and importing them into DETER.
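An added example of the last step such a converter performs, writing a measured topology out in the ns syntax that DETER and Emulab accept (node creation, duplex-link, rtproto, run). This is example code written for this page, not the Rocketfuel-to-ns utility, and it does not read Rocketfuel's own file format: the input is an assumed plain edge list, one link per line with optional bandwidth and delay, and the sample topology is constructed rather than measured.

```python
"""Convert a router-level topology (edge list) into a DETER/Emulab-style ns file.

Added example; not the Rocketfuel-to-ns utility, and it does not parse
Rocketfuel's file format.  Assumed input: one undirected link per line,
"<node-a> <node-b> [bandwidth] [delay]", with '#' comments.  Output uses the
ns-2 / tb_compat.tcl syntax the DETER and Emulab testbeds accept.
"""
import re

# Constructed sample topology (not measurement data): a ring of three routers
# with one stub host.
SAMPLE_EDGES = """\
# a b bandwidth delay
r1 r2 100Mb 5ms
r2 r3 100Mb 8ms
r3 r1 100Mb 12ms
r3 h1 10Mb 1ms
"""

NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")   # usable as a Tcl variable name


def parse_edge_list(text, default_bw="100Mb", default_delay="10ms"):
    """Return (nodes, edges) in first-seen order; rejects malformed node
    names, self-loops and duplicate links, which the testbed would refuse."""
    nodes, edges, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) not in (2, 3, 4):
            raise ValueError(f"line {lineno}: expected 2-4 fields")
        a, b = parts[0], parts[1]
        bw = parts[2] if len(parts) > 2 else default_bw
        delay = parts[3] if len(parts) > 3 else default_delay
        for n in (a, b):
            if not NAME_RE.match(n):
                raise ValueError(f"line {lineno}: bad node name {n!r}")
            if n not in nodes:
                nodes.append(n)
        if a == b:
            raise ValueError(f"line {lineno}: self-loop on {a}")
        key = frozenset((a, b))
        if key in seen:
            raise ValueError(f"line {lineno}: duplicate link {a}-{b}")
        seen.add(key)
        edges.append((a, b, bw, delay))
    return nodes, edges


def to_ns(nodes, edges, os_image=None):
    """Render the ns script.  os_image, if given, is applied to every node with
    tb-set-node-os; the image name must be one the testbed actually provides."""
    out = ["set ns [new Simulator]", "source tb_compat.tcl", ""]
    for n in nodes:
        out.append(f"set {n} [$ns node]")
        if os_image:
            out.append(f"tb-set-node-os ${n} {os_image}")
    out.append("")
    for i, (a, b, bw, delay) in enumerate(edges):
        out.append(f"set link{i} [$ns duplex-link ${a} ${b} {bw} {delay} DropTail]")
    out += ["", "$ns rtproto Static", "$ns run", ""]
    return "\n".join(out)


def convert(text, **kw):
    nodes, edges = parse_edge_list(text)
    return to_ns(nodes, edges, **kw)


if __name__ == "__main__":
    print(convert(SAMPLE_EDGES))
```

The validation in parse_edge_list matters more than it looks: a measured topology with a duplicated or self-referencing link produces an ns file that the testbed parser rejects only after the experiment is submitted, so catching it at conversion time saves a swap-in cycle.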
Inet, developed by the University of Michigan, is a generator of
representative Autonomous System (AS) level Internet topologies.
Runs on: FreeBSD, Linux, Mac OS and Solaris
Best for: synthetic topology generation, following a power law.
Brite, developed by Boston University, is a generator of flat AS, flat
router and hierarchical topologies, interoperable with various topology
generators and simulators.
Best for: synthetic topology generation using different models and a GUI.
GT-ITM: Georgia Tech Internetwork Topology Models, developed by Georgia
Tech, generates graphs that model the topological structure of
internetworks.
Runs on: SunOS and Linux
Best for: synthetic topology generation for small-size topologies.
DDoS Defense Benchmarks, developed by University of Delaware, contain:
- A benchmark suite with a set of scenarios to be used for defense evaluation, integrated with SEER,
- A set of performance metrics that characterize an attack's impact and a defense's performance, and
- A set of tools used for benchmark development, integration of benchmarks with the DETER testbed and calculation of performance metrics from tcpdump traces collected during DDoS experimentation.
Runs on: any platform
Best for: testing DDoS defenses
For questions contact: Jelena Mirkovic at ISI