T50 - The Fastest Packet Injector

Monday, July 11, 2016


T50 (f.k.a. F22 Raptor) is a tool designed to perform "Stress Testing". The concept started on 2001, right after release 'nb-isakmp.c', and the main goal was:
  •  Having a tool to perform TCP/IP protocol fuzzer,  covering common regular protocols, such as: ICMP, TCP and UDP.

Things  have  changed,  and the  T50 became a good unique resource capable to perform "Stress Testing". And, after checking the "/usr/include/linux",  some protocols were chosen to be part of its coverage:
  1. ICMP   - Internet Control Message Protocol
  2. IGMP   - Internet Group Management Protocol
  3. TCP    - Transmission Control Protocol
  4. UDP    - User Datagram Protocol

Why "Stress Testing"?  Well, because when people are  designing a new network infra-structure (eg. Datacenter serving to Cloud Computing) they think about:
  1. High-Availability
  2. Load Balancing
  3. Backup Sites (Cold Sites, Hot Sites, and Warm Sites)
  4. Disaster Recovery
  5. Data Redundancy
  6. Service Level Agreements
  7. Etc...

But almost nobody thinks about "Stress Testing", or even performs any test to check how the networks infra-structure behaves under stress,  under overload, and under attack.  Even during a Penetration Test,  people prefer not running any kind of Denial-of-Service testing.  Even worse,  those people are missing one of the three key concepts of security that are common to risk management:
  • Confidentiality
  • Integrity
  • AVAILABILITY

T50 was designed to perform “Stress Testing”  on a variety of infra-structure network devices (Version 2.45), using widely implemented protocols, and after some requests it was was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP,  TCP  and  UDP),  some infra-structure specific protocols (GRE,  IPSec  and  RSVP), and some routing protocols (RIP,
EIGRP and OSPF).

This new version (Version 5.3) is focused on internal infra-structure,  which allows people to test the availability of its resources, and cobering:
  1. Interior Gateway Protocols (Distance Vector Algorithm):
    1. Routing Information Protocol (RIP)
    2. Enhanced Interior Gateway Routing Protocol (EIGRP)
  2. Interior Gateway Protocols (Link State Algorithm): 
    1. Open Shortest Path First (OSPF)
  3. Quality-of-Service Protocols: 
    1. Resource ReSerVation Protocol (RSVP).
  4. Tunneling/Encapsulation Protocols:  
    1. Generic Routing Encapsulation (GRE).

T50 is a powerful and unique packet injector tool, which is capable to:
  1. Send sequentially the following fifteen (15) protocols: 
    1. ICMP   - Internet Control Message Protocol 
    2. IGMPv1 - Internet Group Management Protocol v1 
    3. IGMPv3 - Internet Group Management Protocol v3  
    4. TCP    - Transmission Control Protocol 
    5. EGP    - Exterior Gateway Protocol 
    6. UDP    - User Datagram Protocol 
    7. RIPv1  - Routing Information Protocol v1  
    8. RIPv2  - Routing Information Protocol v2 
    9. DCCP   - Datagram Congestion Control Protocol 
    10. RSVP   - Resource ReSerVation Protocol 
    11. GRE    - Generic Routing Encapsulation  
    12. IPSec  - Internet Protocol Security (AH/ESP) 
    13. EIGRP  - Enhanced Interior Gateway Routing Protocol  
    14. OSPF   - Open Shortest Path First
  2. It is the only tool capable to encapsulate the protocols  (listed above) within Generic Routing Encapsulation (GRE).
  3. Send an (quite) incredible amount of  packets per second,  making  it  a "second to none" tool:  
    • More than 1,000,000 pps of SYN Flood  (+50% of the network uplink)  in  a 1000BASE-T Network (Gigabit Ethernet). 
    • More than 120,000 pps of SYN Flood  (+60% of the network uplink)  in a  100BASE-TX Network (Fast Ethernet).
  4. Perform "Stress Testing" on a variety of network infrastructure, network devices and security solutions in place.
  5. Simulate "Distributed Denial-of-Service" & "Denial-of-Service"  attacks, validating Firewall rules,  Router ACLs,  Intrusion Detection System and Intrusion Prevention System policies.

The main differentiator of the T50 is that it is able to send  all protocols, sequentially,  using one single SOCKET,   besides it is capable to be used to modify network routes,  letting IT Security Professionals performing advanced "Penetration Test".

Install
sudo apt-get install build-essential
git clone https://github.com/fredericopissarra/t50
cd t50
./configure
sudo make install

Usage
$ t50 --help
T50 Experimental Mixed Packet Injector Tool 5.6.3
Originally created by Nelson Brito 
Previously maintained by Fernando Mercês 
Maintained by Frederico Lamberti Pissarra 

Usage: t50  [options]
Common Options:
    --threshold NUM           Threshold of packets to send     (default 1000)
    --flood                   This option supersedes the 'threshold'
    --encapsulated            Encapsulated protocol (GRE)      (default OFF)
 -B,--bogus-csum              Bogus checksum                   (default OFF)
    --turbo                   Extend the performance           (default OFF)
 -l,--list-protocols          List all available protocols
 -v,--version                 Print version and exit
 -h,--help                    Display this help and exit

GRE Options:
    --gre-seq-present         GRE sequence # present           (default OFF)
    --gre-key-present         GRE key present                  (default OFF)
    --gre-sum-present         GRE checksum present             (default OFF)
    --gre-key NUM             GRE key                          (default RANDOM)
    --gre-sequence NUM        GRE sequence #                   (default RANDOM)
    --gre-saddr ADDR          GRE IP source IP address         (default RANDOM)
    --gre-daddr ADDR          GRE IP destination IP address    (default RANDOM)

DCCP/TCP/UDP Options:
    --sport NUM               DCCP|TCP|UDP source port         (default RANDOM)
    --dport NUM               DCCP|TCP|UDP destination port    (default RANDOM)

TCP Options:
    --acknowledge NUM         TCP ACK sequence #               (default RANDOM)
    --sequence NUM            TCP SYN sequence #               (default RANDOM)
    --data-offset NUM         TCP data offset                  (default 5)
 -F,--fin                     TCP FIN flag                     (default OFF)
 -S,--syn                     TCP SYN flag                     (default OFF)
 -R,--rst                     TCP RST flag                     (default OFF)
 -P,--psh                     TCP PSH flag                     (default OFF)
 -A,--ack                     TCP ACK flag                     (default OFF)
 -U,--urg                     TCP URG flag                     (default OFF)
 -E,--ece                     TCP ECE flag                     (default OFF)
 -C,--cwr                     TCP CWR flag                     (default OFF)
 -W,--window NUM              TCP Window size                  (default NONE)
    --urg-pointer NUM         TCP URG pointer                  (default NONE)
    --mss NUM                 TCP Maximum Segment Size         (default NONE)
    --wscale NUM              TCP Window Scale                 (default NONE)
    --tstamp NUM:NUM          TCP Timestamp (TSval:TSecr)      (default NONE)
    --sack-ok                 TCP SACK-Permitted               (default OFF)
    --ttcp-cc NUM             T/TCP Connection Count (CC)      (default NONE)
    --ccnew NUM               T/TCP Connection Count (CC.NEW)  (default NONE)
    --ccecho NUM              T/TCP Connection Count (CC.ECHO) (default NONE)
    --sack NUM:NUM            TCP SACK Edges (Left:Right)      (default NONE)
    --md5-signature           TCP MD5 signature included       (default OFF)
    --authentication          TCP-AO authentication included   (default OFF)
    --auth-key-id NUM         TCP-AO authentication key ID     (default 1)
    --auth-next-key NUM       TCP-AO authentication next key   (default 1)
    --nop                     TCP No-Operation                 (default EOL)

IP Options:
 -s,--saddr ADDR              IP source IP address             (default RANDOM)
    --tos NUM                 IP type of service               (default 0x40)
    --id NUM                  IP identification                (default RANDOM)
    --frag-offset NUM         IP fragmentation offset          (default 0)
    --ttl NUM                 IP time to live                  (default 255)
    --protocol PROTO          IP protocol                      (default TCP)

ICMP Options:
    --icmp-type NUM           ICMP type                        (default 8)
    --icmp-code NUM           ICMP code                        (default 0)
    --icmp-gateway ADDR       ICMP redirect gateway            (default RANDOM)
    --icmp-id NUM             ICMP identification              (default RANDOM)
    --icmp-sequence NUM       ICMP sequence #                  (default RANDOM)

EGP Options:
    --egp-type NUM            EGP type                         (default 3)
    --egp-code NUM            EGP code                         (default 3)
    --egp-status NUM          EGP status                       (default 1)
    --egp-as NUM              EGP autonomous system            (default RANDOM)
    --egp-sequence NUM        EGP sequence #                   (default RANDOM)
    --egp-hello NUM           EGP hello interval               (default RANDOM)
    --egp-poll NUM            EGP poll interval                (default RANDOM)

RIP Options:
    --rip-command NUM         RIPv1/v2 command                 (default 2)
    --rip-family NUM          RIPv1/v2 address family          (default 2)
    --rip-address ADDR        RIPv1/v2 router address          (default RANDOM)
    --rip-metric NUM          RIPv1/v2 router metric           (default RANDOM)
    --rip-domain NUM          RIPv2 router domain              (default RANDOM)
    --rip-tag NUM             RIPv2 router tag                 (default RANDOM)
    --rip-netmask ADDR        RIPv2 router subnet mask         (default RANDOM)
    --rip-next-hop ADDR       RIPv2 router next hop            (default RANDOM)
    --rip-authentication      RIPv2 authentication included    (default OFF)
    --rip-auth-key-id NUM     RIPv2 authentication key ID      (default 1)
    --rip-auth-sequence NUM   RIPv2 authentication sequence #  (default RANDOM)

DCCP Options:
    --dccp-data-offset NUM    DCCP data offset                 (default VARY)
    --dccp-cscov NUM          DCCP checksum coverage           (default 0)
    --dccp-ccval NUM          DCCP HC-Sender CCID              (default RANDOM)
    --dccp-type NUM           DCCP type                        (default 0)
    --dccp-extended           DCCP extend for sequence #       (default OFF)
    --dccp-sequence-1 NUM     DCCP sequence #                  (default RANDOM)
    --dccp-sequence-2 NUM     DCCP extended sequence #         (default RANDOM)
    --dccp-sequence-3 NUM     DCCP sequence # low              (default RANDOM)
    --dccp-service NUM        DCCP service code                (default RANDOM)
    --dccp-acknowledge-1 NUM  DCCP acknowledgment # high       (default RANDOM)
    --dccp-acknowledge-2 NUM  DCCP acknowledgment # low        (default RANDOM)
    --dccp-reset-code NUM     DCCP reset code                  (default RANDOM)

RSVP Options:
    --rsvp-flags NUM          RSVP flags                       (default 1)
    --rsvp-type NUM           RSVP message type                (default 1)
    --rsvp-ttl NUM            RSVP time to live                (default 254)
    --rsvp-session-addr ADDR  RSVP SESSION destination address (default RANDOM)
    --rsvp-session-proto NUM  RSVP SESSION protocol ID         (default 1)
    --rsvp-session-flags NUM  RSVP SESSION flags               (default 1)
    --rsvp-session-port NUM   RSVP SESSION destination port    (default RANDOM)
    --rsvp-hop-addr ADDR      RSVP HOP neighbor address        (default RANDOM)
    --rsvp-hop-iface NUM      RSVP HOP logical interface       (default RANDOM)
    --rsvp-time-refresh NUM   RSVP TIME refresh interval       (default 360)
    --rsvp-error-addr ADDR    RSVP ERROR node address          (default RANDOM)
    --rsvp-error-flags NUM    RSVP ERROR flags                 (default 2)
    --rsvp-error-code NUM     RSVP ERROR code                  (default 2)
    --rsvp-error-value NUM    RSVP ERROR value                 (default 8)
    --rsvp-scope NUM          RSVP SCOPE # of address(es)      (default 1)
    --rsvp-address ADDR,...   RSVP SCOPE address(es)           (default RANDOM)
    --rsvp-style-option NUM   RSVP STYLE option vector         (default 18)
    --rsvp-sender-addr ADDR   RSVP SENDER TEMPLATE address     (default RANDOM)
    --rsvp-sender-port NUM    RSVP SENDER TEMPLATE port        (default RANDOM)
    --rsvp-tspec-traffic      RSVP TSPEC service traffic       (default OFF)
    --rsvp-tspec-guaranteed   RSVP TSPEC service guaranteed    (default OFF)
    --rsvp-tspec-r NUM        RSVP TSPEC token bucket rate     (default RANDOM)
    --rsvp-tspec-b NUM        RSVP TSPEC token bucket size     (default RANDOM)
    --rsvp-tspec-p NUM        RSVP TSPEC peak data rate        (default RANDOM)
    --rsvp-tspec-m NUM        RSVP TSPEC minimum policed unit  (default RANDOM)
    --rsvp-tspec-M NUM        RSVP TSPEC maximum packet size   (default RANDOM)
    --rsvp-adspec-ishop NUM   RSVP ADSPEC IS HOP count         (default RANDOM)
    --rsvp-adspec-path NUM    RSVP ADSPEC path b/w estimate    (default RANDOM)
    --rsvp-adspec-m NUM       RSVP ADSPEC minimum path latency (default RANDOM)
    --rsvp-adspec-mtu NUM     RSVP ADSPEC composed MTU         (default RANDOM)
    --rsvp-adspec-guaranteed  RSVP ADSPEC service guaranteed   (default OFF)
    --rsvp-adspec-Ctot NUM    RSVP ADSPEC ETE composed value C (default RANDOM)
    --rsvp-adspec-Dtot NUM    RSVP ADSPEC ETE composed value D (default RANDOM)
    --rsvp-adspec-Csum NUM    RSVP ADSPEC SLR point composed C (default RANDOM)
    --rsvp-adspec-Dsum NUM    RSVP ADSPEC SLR point composed D (default RANDOM)
    --rsvp-adspec-controlled  RSVP ADSPEC service controlled   (default OFF)
    --rsvp-confirm-addr ADDR  RSVP CONFIRM receiver address    (default RANDOM)

IPSEC Options:
    --ipsec-ah-length NUM     IPSec AH header length           (default NONE)
    --ipsec-ah-spi NUM        IPSec AH SPI                     (default RANDOM)
    --ipsec-ah-sequence NUM   IPSec AH sequence #              (default RANDOM)
    --ipsec-esp-spi NUM       IPSec ESP SPI                    (default RANDOM)
    --ipsec-esp-sequence NUM  IPSec ESP sequence #             (default RANDOM)

EIGRP Options:
    --eigrp-opcode NUM        EIGRP opcode                     (default 1)
    --eigrp-flags NUM         EIGRP flags                      (default RANDOM)
    --eigrp-sequence NUM      EIGRP sequence #                 (default RANDOM)
    --eigrp-acknowledge NUM   EIGRP acknowledgment #           (default RANDOM)
    --eigrp-as NUM            EIGRP autonomous system          (default RANDOM)
    --eigrp-type NUM          EIGRP type                       (default 258)
    --eigrp-length NUM        EIGRP length                     (default NONE)
    --eigrp-k1 NUM            EIGRP parameter K1 value         (default 1)
    --eigrp-k2 NUM            EIGRP parameter K2 value         (default 0)
    --eigrp-k3 NUM            EIGRP parameter K3 value         (default 1)
    --eigrp-k4 NUM            EIGRP parameter K4 value         (default 0)
    --eigrp-k5 NUM            EIGRP parameter K5 value         (default 0)
    --eigrp-hold NUM          EIGRP parameter hold time        (default 360)
    --eigrp-ios-ver NUM.NUM   EIGRP IOS release version        (default 12.4)
    --eigrp-rel-ver NUM.NUM   EIGRP PROTO release version      (default 1.2)
    --eigrp-next-hop ADDR     EIGRP [in|ex]ternal next-hop     (default RANDOM)
    --eigrp-delay NUM         EIGRP [in|ex]ternal delay        (default RANDOM)
    --eigrp-bandwidth NUM     EIGRP [in|ex]ternal bandwidth    (default RANDOM)
    --eigrp-mtu NUM           EIGRP [in|ex]ternal MTU          (default 1500)
    --eigrp-hop-count NUM     EIGRP [in|ex]ternal hop count    (default RANDOM)
    --eigrp-load NUM          EIGRP [in|ex]ternal load         (default RANDOM)
    --eigrp-reliability NUM   EIGRP [in|ex]ternal reliability  (default RANDOM)
    --eigrp-daddr ADDR/CIDR   EIGRP [in|ex]ternal address(es)  (default RANDOM)
    --eigrp-src-router ADDR   EIGRP external source router     (default RANDOM)
    --eigrp-src-as NUM        EIGRP external autonomous system (default RANDOM)
    --eigrp-tag NUM           EIGRP external arbitrary tag     (default RANDOM)
    --eigrp-proto-metric NUM  EIGRP external protocol metric   (default RANDOM)
    --eigrp-proto-id NUM      EIGRP external protocol ID       (default 2)
    --eigrp-ext-flags NUM     EIGRP external flags             (default RANDOM)
    --eigrp-address ADDR      EIGRP multicast sequence address (default RANDOM)
    --eigrp-multicast NUM     EIGRP multicast sequence #       (default RANDOM)
    --eigrp-authentication    EIGRP authentication included    (default OFF)
    --eigrp-auth-key-id NUM   EIGRP authentication key ID      (default 1)

OSPF Options:
    --ospf-type NUM           OSPF type                        (default 1)
    --ospf-length NUM         OSPF length                      (default NONE)
    --ospf-router-id ADDR     OSPF router ID                   (default RANDOM)
    --ospf-area-id ADDR       OSPF area ID                     (default 0.0.0.0)
 -1,--ospf-option-MT          OSPF multi-topology / TOS-based  (default RANDOM)
 -2,--ospf-option-E           OSPF external routing capability (default RANDOM)
 -3,--ospf-option-MC          OSPF multicast capable           (default RANDOM)
 -4,--ospf-option-NP          OSPF NSSA supported              (default RANDOM)
 -5,--ospf-option-L           OSPF LLS data block contained    (default RANDOM)
 -6,--ospf-option-DC          OSPF demand circuits supported   (default RANDOM)
 -7,--ospf-option-O           OSPF Opaque-LSA                  (default RANDOM)
 -8,--ospf-option-DN          OSPF DOWN bit                    (default RANDOM)
    --ospf-netmask ADDR       OSPF router subnet mask          (default RANDOM)
    --ospf-hello-interval NUM OSPF HELLO interval              (default RANDOM)
    --ospf-hello-priority NUM OSPF HELLO router priority       (default 1)
    --ospf-hello-dead NUM     OSPF HELLO router dead interval  (default 360)
    --ospf-hello-design ADDR  OSPF HELLO designated router     (default RANDOM)
    --ospf-hello-backup ADDR  OSPF HELLO backup designated     (default RANDOM)
    --ospf-neighbor NUM       OSPF HELLO # of neighbor(s)      (default NONE)
    --ospf-address ADDR,...   OSPF HELLO neighbor address(es)  (default RANDOM)
    --ospf-dd-mtu NUM         OSPF DD MTU                      (default 1500)
    --ospf-dd-dbdesc-MS       OSPF DD master/slave bit option  (default RANDOM)
    --ospf-dd-dbdesc-M        OSPF DD more bit option          (default RANDOM)
    --ospf-dd-dbdesc-I        OSPF DD init bit option          (default RANDOM)
    --ospf-dd-dbdesc-R        OSPF DD out-of-band resync       (default RANDOM)
    --ospf-dd-sequence NUM    OSPF DD sequence #               (default RANDOM)
    --ospf-dd-include-lsa     OSPF DD include LSA header       (default OFF)
    --ospf-lsa-age NUM        OSPF LSA age                     (default 360)
    --ospf-lsa-do-not-age     OSPF LSA do not age              (default OFF)
    --ospf-lsa-type NUM       OSPF LSA type                    (default 1)
    --ospf-lsa-id ADDR        OSPF LSA ID address              (default RANDOM)
    --ospf-lsa-router ADDR    OSPF LSA advertising router      (default RANDOM)
    --ospf-lsa-sequence NUM   OSPF LSA sequence #              (default RANDOM)
    --ospf-lsa-metric NUM     OSPF LSA metric                  (default RANDOM)
    --ospf-lsa-flag-B         OSPF Router-LSA border router    (default RANDOM)
    --ospf-lsa-flag-E         OSPF Router-LSA external router  (default RANDOM)
    --ospf-lsa-flag-V         OSPF Router-LSA virtual router   (default RANDOM)
    --ospf-lsa-flag-W         OSPF Router-LSA wild router      (default RANDOM)
    --ospf-lsa-flag-NT        OSPF Router-LSA NSSA translation (default RANDOM)
    --ospf-lsa-link-id ADDR   OSPF Router-LSA link ID          (default RANDOM)
    --ospf-lsa-link-data ADDR OSPF Router-LSA link data        (default RANDOM)
    --ospf-lsa-link-type NUM  OSPF Router-LSA link type        (default 1)
    --ospf-lsa-attached ADDR  OSPF Network-LSA attached router (default RANDOM)
    --ospf-lsa-larger         OSPF ASBR/NSSA-LSA ext. larger   (default OFF)
    --ospf-lsa-forward ADDR   OSPF ASBR/NSSA-LSA forward       (default RANDOM)
    --ospf-lsa-external ADDR  OSPF ASBR/NSSA-LSA external      (default RANDOM)
    --ospf-vertex-router      OSPF Group-LSA type router       (default RANDOM)
    --ospf-vertex-network     OSPF Group-LSA type network      (default RANDOM)
    --ospf-vertex-id ADDR     OSPF Group-LSA vertex ID         (default RANDOM)
    --ospf-lls-extended-LR    OSPF LLS Extended option LR      (default OFF)
    --ospf-lls-extended-RS    OSPF LLS Extended option RS      (default OFF)
    --ospf-authentication     OSPF authentication included     (default OFF)
    --ospf-auth-key-id NUM    OSPF authentication key ID       (default 1)
    --ospf-auth-sequence NUM  OSPF authentication sequence #   (default RANDOM)

Some considerations while running this program:
 1. There is no limitation of using as many options as possible.
 2. Report t50 bugs at https://github.com/fredericopissarra/t50.git.
 3. Some header fields with default values MUST be set to '0' for RANDOM.
 4. Mandatory arguments to long options are mandatory for short options too.
 5. Be nice when using t50, the author DENIES its use for DoS/DDoS purposes.
 6. Running t50 with '--protocol T50' option sends ALL protocols sequentially.





Subscribe via e-mail for updates!