support partition in network attack

[WangXiangUSTC]

Usage

./bin/chaosd attack network partition --help
partition

Usage:
  chaosd attack network partition [flags]

Flags:
      --accept-tcp-flags string   only the packet which match the tcp flag can be accepted, others will be dropped. only set when the protocol is tcp.
  -d, --device string             the network interface to impact
      --direction string          specifies the partition direction, values can be from, to
  -h, --help                      help for partition
  -H, --hostname string           only impact traffic to these hostnames
  -i, --ip string                 only impact egress traffic to these IP addresses
  -p, --protocol string           only impact traffic using this IP protocol, supported: tcp, udp, icmp, all

Global Flags:
      --log-level string   the log level of chaosd, the value can be 'debug', 'info', 'warn' and 'error'

Examples

sudo ./bin/chaosd attack network partition --ip 172.16.112.136 -d ens33

If you want to block only part of the packet, you can set the accept-tcp-flags(only for tcp protocol), just like:

sudo ./bin/chaosd attack network partition --ip 172.16.112.136 -d ens33 -p tcp  --accept-tcp-flags "SYN,ACK SYN,ACK" --direction to

And then you can start a simple HTTP server by python:

python3 -m http.server 9288

Send HTTP request from 172.16.112.136:

 wget 172.16.112.130:9288
--2021-05-07 03:49:56--  http://172.16.112.130:9288/
Connecting to 172.16.112.130:9288... connected.
HTTP request sent, awaiting response...

You will see it is waiting the response, and the HTTP server receive the request:

172.16.112.136 - - [07/May/2021 03:49:56] "GET / HTTP/1.1" 200 -

But the response is blocked.

[Andrewmatilde]

Example sudo ./bin/chaosd attack network partition --ip 172.16.112.136 -d ens33 -p tcp --accept-tcp-flags "SYN,ACK SYN,ACK --direction to"not work.
Return error Error: direction not supported.
I think more comment about direction is necessary for the direction option.And I think the main problem is the subject of direction is missing.

[Andrewmatilde]

I also find the config of iptables was not cleared well.

[WangXiangUSTC]

sudo ./bin/chaosd attack network partition --ip 172.16.112.136 -d ens33 -p tcp --accept-tcp-flags "SYN,ACK SYN,ACK --direction to"

I take a mistake in the description, the command should be sudo ./bin/chaosd attack network partition --ip 172.16.112.136 -d ens33 -p tcp --accept-tcp-flags "SYN,ACK SYN,ACK" --direction to

[Andrewmatilde]

Is it really unnecessary to valid action?

[WangXiangUSTC]

Yeah, require a validate, done in dcb1285

[Andrewmatilde]

Is it possible that user may drop ssh package with partition?

[WangXiangUSTC]

Yes, SSH uses TCP protocol in the transport layer.

[WangXiangUSTC]

add some description of direction in dcb1285 @Andrewmatilde

[WangXiangUSTC]

@Andrewmatilde PTAL again

[WangXiangUSTC]

just ignore the lift's warning now, because it's not the real version we used, there is a replace in the go.mod 😢

[Andrewmatilde]

I think ToChain is not a good name to explain what the func do.

[WangXiangUSTC]

Do you have any suggestions?

[Andrewmatilde]

Maybe NetworkPartitionChains?

[WangXiangUSTC]

OK，I update to PartitionChains without Network, because the object's type is NetworkCommand

[Andrewmatilde]

I think we need a verbose option and log all the iptables command inTrace log level.

[WangXiangUSTC]

I think we need a verbose option and log all the iptables command inTrace log level.

Good idea, I will do it in another pr

[Andrewmatilde]

LGTM

[WangXiangUSTC]

@fewdan PTAL

[fewdan]

LGTM