TCPOpera - PowerPoint PPT Presentation

About This Presentation
Title:

TCPOpera

Description:

Introduction - TCPreplay. TCPreplay replays traffic saved in files created by TCPdump. ... Introduction continued. What we need is a tool that can extend ... – PowerPoint PPT presentation

Slides: 34
Provided by: SFel4
Tags: tcpopera

Transcript and Presenter's Notes

Title: TCPOpera


1
TCP-Opera
  • Fiona Wong and S. Felix Wu
  • Security Laboratory
  • Computer Science Department
  • University of California, Davis

2
Outline
  • Introduction
  • What is TCPreplay?
  • What are TCPreplay's limitations?
  • TCPopera
  • What is TCPopera?
  • TCPopera Phase 1
  • TCPopera design and implementation

3
Outline Continued
  • TCPopera Phase 2
  • Evaluation
  • TCPopera evaluation
  • Future Work
  • Conclusion

4
Introduction - TCPreplay
  • TCPreplay replays traffic saved in files created
    by TCPdump.
  • Created in the hopes of improving NIDS (network
    intrusion detection systems) testing.

5
Introduction - TCPreplay
  • How does TCPreplay help test NIDS systems?
  • Performance degrades as network traffic
    increases.
  • Attacks are hidden by heavily loaded traffic.

6
Introduction - TCPreplay
  • TCPreplay advantages
  • - Allows for exact replication of real traffic
    seen on real networks.
  • TCPreplay disadvantages
  • - Limitation on the type of network traffic that
    can be replayed

7
Introduction - TCPreplay
  • TCP-Replay is too static
  • We can not replay the retransmission and
    congestion control.
  • We can not replay in a different network or
    operational environment.

8
Introduction continued
  • What we need is a tool that can extend
    TCPreplay's abilities.

The solution is...
TCPopera!
9
TCPopera
  • Given a TCP-Dump file
  • We would like to produce different variations of
    the base dump file.
  • TCPopera is a tool that extends TCPreplay by
    allowing users to define network conditions and
    play out traffic in a realistic environment where
    packets may be delayed or lost.

10
TCPopera
  • TCPopera has the potential of being a very
    complex tool.
  • Issues
  • Considering time and labor constraints, how can
    we build a useful tool?
  • Basic approach
  • A simple working prototype

11
TCPopera High-Level Model
  • [Diagram: Original TCPdump file -> TCPopera -> New TCPdump file]
12
TCPopera Phase 1 Requirements
  • TCPopera Phase 1 Prototype requirements
  • 1. Support a stop-and-wait protocol.
  • 2. Retransmission mechanism defined by the
    following parameters:
    - Timeout mechanism
    - Maximum allowable retransmissions
    - Congestion control algorithm (AIMD, etc.)
  • 3. Support a maximum of one connection.

13
TCPopera Phase 1 Requirements
  • TCPopera Phase 1 Prototype requirements
  • Given a TCPdump file as input, TCPopera will
    generate a TCPdump file based on a given TCP
    behavioral portfolio, or tcp_prof.
  • tcp_prof defines a specific network entity's TCP
    behavior.

14
TCPopera Phase 1 Requirements
  • Percentage total packet loss.
  • Percentage total packet delay
  • Percentage data packet loss.
  • Percentage ACK packet loss.
  • Percentage data packet delay.
  • Percentage ACK packet delay.
  • Amount of delay
  • Packet loss occurring on sending, receiving, or
    both sending and receiving sides.
  • Packet delay occurring on sending, receiving, or
    both sending and receiving sides.

  • [Diagram: tcp_prof for host 198.206.5.211]
15
TCPopera Phase 1 Design
  • TCPopera can be approached in two ways:
  • Using a simple heuristic to define data
    dependencies between messages in a TCPdump file.
  • Peering into the data payload to determine the
    exact dependencies between messages in a TCPdump
    file.

16
TCPopera Phase 1 Design
  • What do I mean by dependency?

17
TCPopera Phase 1 Design
  • Another example

18
TCPopera Phase 1 Design
  • For the protocol we use the first approach.
  • Dependency Heuristics
  • 1. Every packet is dependent on the most recent
    opposite-direction packet.
  • 2. If one packet is followed by two consecutive
    packets in the opposite direction, then the first
    packet of the two consecutive packets is a
    response to the first packet.

19
TCPopera Phase 1 Design
  • Dependency Heuristics continued
  • 3. The first packet in any scenario is a data
    packet.
  • 4. If packet A is dependent on packet B, and
    packet A immediately follows B, then packet A is
    an ACK.
  • 5. If packet B is dependent on packet A and
    packet B is larger than an ACK packet, we label
    packet B as an ACK/Data packet.
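Heuristics 1 to 5 applied to a constructed single-connection trace, as an added Python illustration (not TCPopera's own C code). The Packet fields, the use of payload length as the "larger than an ACK" test, and the telnet-style sample exchange are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    ts: float       # capture timestamp in seconds
    src: str        # sending host; a single connection has only two hosts
    dst: str
    payload: int    # TCP payload bytes; 0 means a pure ACK (assumption)

def label_dependencies(pkts):
    """Apply the TCPopera Phase 1 heuristics to one connection.

    Returns, per packet, (index of the packet it depends on, label),
    where label is DATA, ACK or ACK/DATA."""
    labels = []
    for i, p in enumerate(pkts):
        # Heuristic 1: depend on the most recent opposite-direction packet.
        dep = next((j for j in range(i - 1, -1, -1) if pkts[j].src != p.src), None)
        if dep is None:
            # Heuristic 3: the first packet of a scenario is a data packet.
            label = "DATA"
        elif dep == i - 1:
            # Heuristics 4 and 5: a packet immediately following the one it
            # depends on is an ACK, or ACK/DATA when it also carries payload.
            label = "ACK/DATA" if p.payload > 0 else "ACK"
        else:
            # Heuristic 2: the earlier same-direction packet was the response,
            # so this one is new data sharing the same dependency.
            label = "DATA"
        labels.append((dep, label))
    return labels

# Constructed telnet-style echo exchange between client C and server S.
SAMPLE = [
    Packet(0.000, "C", "S", 1),  # keystroke
    Packet(0.050, "S", "C", 0),  # pure ACK of the keystroke
    Packet(0.060, "S", "C", 1),  # echoed character (new data)
    Packet(0.110, "C", "S", 0),  # ACK of the echo
    Packet(0.500, "C", "S", 1),  # next keystroke
    Packet(0.550, "S", "C", 1),  # echo piggybacked on the ACK
]

if __name__ == "__main__":
    for p, (dep, label) in zip(SAMPLE, label_dependencies(SAMPLE)):
        print(f"{p.ts:.3f} {p.src}->{p.dst} {label:8s} depends on #{dep}")
```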

20
TCPopera Phase 1 Design
  • TCPopera basic algorithm
  • Given a tcpdump file and a configuration file,
    build tcp_port.
  • For each TCP packet read, determine if a tcp_port
    exists for the SOURCE entity.
  • If a tcp_port exists, based on the parameters
    (dropping rate, etc) for this entity, calculate a
    new timestamp.
  • Calculate any retransmissions of packets that
    this current packet is dependent on.

21
TCPopera Phase 1 Design
  • Example: the sender's retransmission timeout is
    1.5 seconds
  • Packet 2 is dropped

22
TCPopera Phase 1 Design
  • The new scenario generated is as follows
  • Packet 1 is retransmitted

23
TCPopera Phase 1 Design
  • Other complicated scenarios
  • Sender and receiver retransmission timeouts.

24
TCPopera Design
  • [Diagram: module layout of the TCPopera Module]
  • Packet Config Module
  • Packet Parse Module
  • Packet Connections Module
  • libpcap
  • Packet Dependency Module
  • Packet Portfolio Module
  • Test Module
  • Packet Processing Module: congestion control,
    timestamp, retransmit
25
TCPopera Implementation
  • Programmed in C
  • Libpcap
  • Headers for pcap structures
  • Portable, system-independent interface for
    user-level network packet capture
  • Used by TCPdump and TCPreplay

26
TCPopera Phase 2
  • Requirements
  • Multiple connection support
  • Support for bulk data transfer protocols (FTP)
  • May require peering into the pcap data (TCP/IP
    headers)
  • Expanded functionality
  • Support more congestion control mechanisms

27
Config file Example
  • SETDROP ALL 192.186.0.2 25
  • SETDROP DACK 192.186.0.3 25
  • SETDROP DATA 192.186.0.3 50
  • SETRETRANSMIT 192.186.0.2 3
  • SETRETRANSMIT 192.186.0.3 2
  • SETINITTIMEOUT 192.186.0.2 1.3

28
TCPopera Example
  • DROPPED
  • 10:08:01.644364 nupte.cs.ucdavis.edu.32780 > 192.186.0.3.telnet: P 56(1) ack 6 win 5840 <nop,nop,timestamp 69960 240133055> (DF) [tos 0x10]
  • 10:08:01.644474 192.186.0.3.telnet > nupte.cs.ucdavis.edu.32780: P 67(1) ack 6 win 5792 <nop,nop,timestamp 240133066 69960> (DF) [tos 0x10]
  • TCPopera generates
  • 1st transmission
  • 10:08:06.134362 nupte.cs.ucdavis.edu.32780 > 192.186.0.3.telnet: P 56(1) ack 6 win 5840 <nop,nop,timestamp 69960 240133055> (DF) [tos 0x10]
  • RETRANSMISSION
  • 10:08:07.824361 nupte.cs.ucdavis.edu.32780 > 192.186.0.3.telnet: P 56(1) ack 6 win 5840 <nop,nop,timestamp 69960 240133055> (DF) [tos 0x10]
  • 10:08:07.824471 192.186.0.3.telnet > nupte.cs.ucdavis.edu.32780: P 67(1) ack 6 win 5792 <nop,nop,timestamp 240133066 69960> (DF) [tos 0x10]
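The basic algorithm of slide 20, the config file of slide 27 and the dropped-then-retransmitted scenario of slide 28, as an added Python simulation that is not TCPopera's own C implementation. It assumes a single stop-and-wait connection, a fixed per-host timeout between retransmissions (no backoff or congestion control), that a SETDROP class names the packet kind with ALL as the fallback, and that each lost attempt shifts every later packet by one timeout; the trace and the deterministic drop schedule are constructed.

```python
from dataclasses import dataclass, field
@dataclass
class TcpProf:                                     # tcp_prof of one host
    drop_pct: dict = field(default_factory=dict)   # SETDROP: "ALL"/"DATA"/"DACK" -> percent
    max_retransmit: int = 0                        # SETRETRANSMIT
    init_timeout: float = 1.0                      # SETINITTIMEOUT (assumed default)

def build_profiles(config_text):
    """Parse the config file into per-host profiles keyed by IP address."""
    profs = {}
    for parts in (line.split() for line in config_text.splitlines()):
        if not parts:
            continue
        if parts[0] == "SETDROP":
            profs.setdefault(parts[2], TcpProf()).drop_pct[parts[1]] = int(parts[3])
        elif parts[0] == "SETRETRANSMIT":
            profs.setdefault(parts[1], TcpProf()).max_retransmit = int(parts[2])
        elif parts[0] == "SETINITTIMEOUT":
            profs.setdefault(parts[1], TcpProf()).init_timeout = float(parts[2])
    return profs

def replay(packets, profs, dropped):
    """Re-time (ts, src, dst, kind) packets; dropped(src, kind, attempt, pct) -> bool. Returns (new_ts, src, dst, kind, tag)."""
    out, shift = [], 0.0
    for ts, src, dst, kind in packets:
        prof = profs.get(src)
        if prof is None:                           # no profile: pass straight through
            out.append((ts + shift, src, dst, kind, "ORIGINAL"))
            continue
        pct = prof.drop_pct.get(kind, prof.drop_pct.get("ALL", 0))
        for attempt in range(prof.max_retransmit + 1):
            if not dropped(src, kind, attempt, pct):
                out.append((ts + shift, src, dst, kind, "RETRANSMISSION" if attempt else "ORIGINAL"))
                break
            out.append((ts + shift, src, dst, kind, "DROPPED"))
            shift += prof.init_timeout             # wait one timeout, then retransmit
        else:                                      # every attempt was lost
            out.append((ts + shift, src, dst, kind, "GIVEUP"))
            break                                  # stop-and-wait: nothing later can proceed
    return out

CONFIG = """SETDROP ALL 192.186.0.2 25
SETDROP DACK 192.186.0.3 25
SETDROP DATA 192.186.0.3 50
SETRETRANSMIT 192.186.0.2 3
SETRETRANSMIT 192.186.0.3 2
SETINITTIMEOUT 192.186.0.2 1.3"""
# Constructed stop-and-wait trace: data, its ACK, more data.
TRACE = [(0.0, "192.186.0.2", "192.186.0.3", "DATA"),
         (0.1, "192.186.0.3", "192.186.0.2", "DACK"),
         (0.2, "192.186.0.2", "192.186.0.3", "DATA")]
```

Pass a random predicate such as `lambda s, k, a, pct: random.random() * 100 < pct` to get the percentage behaviour of the config file, or a fixed schedule to reproduce one scenario exactly.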

29
TCPopera Evaluation
  • Verification
  • Manual comparison of TCPdump packets and
    TCPopera's labeling of packets to check for
    dependency correctness
  • Validation
  • Using divert sockets, compare TCPopera output to
    actual network behavior.

30
TCPopera Evaluation and Status
  • Current Status
  • Some verification success
  • Need to set up divert sockets to perform
    validation
  • 90% of the first prototype has been implemented
    and tested.

31
TCPopera Future
  • Perform validation tests
  • Implement TCPopera Phase 2

32
TCPopera Conclusions
  • TCPopera has the potential of becoming a useful
    tool for testing NIDS systems
  • TCPopera may facilitate the process of profiling.

33
Thank-you!