SalityBotnet.py 5.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141
  1. import logging
  2. from random import randint
  3. from scapy.utils import RawPcapReader
  4. from scapy.layers.inet import Ether
  5. from definitions import ROOT_DIR
  6. from Attack import BaseAttack
  7. from Attack.AttackParameters import Parameter as Param
  8. from Attack.AttackParameters import ParameterTypes
  9. from ID2TLib.Utility import update_timestamp, get_interval_pps, handle_most_used_outputs
  10. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  11. # noinspection PyPep8
  12. class SalityBotnet(BaseAttack.BaseAttack):
  13. template_attack_pcap_path = ROOT_DIR + "/../resources/sality_botnet.pcap"
  14. def __init__(self):
  15. """
  16. Creates a new instance of the Sality botnet.
  17. """
  18. # Initialize attack
  19. super(SalityBotnet, self).__init__("Sality Botnet", "Injects an Sality botnet'",
  20. "Botnet")
  21. # Define allowed parameters and their type
  22. self.supported_params = {
  23. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  24. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  25. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  26. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  27. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  28. }
  29. def init_params(self):
  30. """
  31. Initialize the parameters of this attack using the user supplied command line parameters.
  32. Use the provided statistics to calculate default parameters and to process user
  33. supplied queries.
  34. :param statistics: Reference to a statistics object.
  35. """
  36. # PARAMETERS: initialize with default utilsvalues
  37. # (values are overwritten if user specifies them)
  38. most_used_ip_address = self.statistics.get_most_used_ip_address()
  39. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  40. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  41. # Attack configuration
  42. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  43. self.add_param_value(Param.PACKETS_PER_SECOND,
  44. (self.statistics.get_pps_sent(most_used_ip_address) +
  45. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  46. def generate_attack_pcap(self):
  47. # Timestamp
  48. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  49. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  50. # Calculate complement packet rates of BG traffic per interval
  51. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  52. # Initialize parameters
  53. packets = []
  54. mac_source = self.get_param_value(Param.MAC_SOURCE)
  55. ip_source = self.get_param_value(Param.IP_SOURCE)
  56. # Pick a DNS server from the background traffic
  57. ip_dns_server = self.statistics.process_db_query("SELECT ipAddress FROM ip_protocols WHERE protocolName='DNS' AND protocolCount=(SELECT MAX(protocolCount) FROM ip_protocols WHERE protocolName='DNS');")
  58. ip_dns_server = handle_most_used_outputs(ip_dns_server)
  59. if not ip_dns_server or ip_source == ip_dns_server:
  60. ip_dns_server = self.statistics.get_random_ip_address()
  61. mac_dns_server = self.statistics.get_mac_address(ip_dns_server)
  62. # Bot original config in the template PCAP
  63. origin_mac_src = "08:00:27:e5:d7:b0"
  64. origin_ip_src = "10.0.2.15"
  65. origin_mac_dns_server = "52:54:00:12:35:02"
  66. origin_ip_dns_server = "10.0.2.2"
  67. ttl_map = {}
  68. ip_map = {origin_ip_src : ip_source, origin_ip_dns_server: ip_dns_server}
  69. mac_map = {origin_mac_src : mac_source, origin_mac_dns_server: mac_dns_server}
  70. path_attack_pcap = None
  71. # Inject Sality botnet
  72. # Read sality_botnet pcap file
  73. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  74. for pkt_num, pkt in enumerate(exploit_raw_packets):
  75. eth_frame = Ether(pkt[0])
  76. ip_pkt = eth_frame.payload
  77. # Ether
  78. if eth_frame.getfieldval("src") in mac_map:
  79. eth_frame.setfieldval("src", mac_map[eth_frame.getfieldval("src")])
  80. if eth_frame.getfieldval("dst") in mac_map:
  81. eth_frame.setfieldval("dst", mac_map[eth_frame.getfieldval("dst")])
  82. # IP
  83. if ip_pkt.getfieldval("src") in ip_map:
  84. ip_pkt.setfieldval("src", ip_map[ip_pkt.getfieldval("src")])
  85. if ip_pkt.getfieldval("dst") in ip_map:
  86. ip_pkt.setfieldval("dst", ip_map[ip_pkt.getfieldval("dst")])
  87. ## TTL
  88. if ip_pkt.getfieldval("ttl") not in ttl_map:
  89. source_ttl = self.statistics.get_most_used_ttl(ip_pkt.getfieldval("src"))
  90. if not source_ttl:
  91. source_ttl = self.statistics.process_db_query("SELECT ttlValue FROM ip_ttl ORDER BY RANDOM() LIMIT 1;")
  92. ttl_map[ip_pkt.getfieldval("ttl")] = source_ttl
  93. ip_pkt.setfieldval("ttl", ttl_map[ip_pkt.getfieldval("ttl")])
  94. new_pkt = (eth_frame / ip_pkt)
  95. new_pkt.time = timestamp_next_pkt
  96. pps = max(get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  97. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
  98. packets.append(new_pkt)
  99. # Store timestamp of first packet (for attack label)
  100. self.attack_start_utime = packets[0].time
  101. self.attack_end_utime = packets[-1].time
  102. if len(packets) > 0:
  103. packets = sorted(packets, key=lambda pkt: pkt.time)
  104. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  105. # return packets sorted by packet time_sec_start
  106. # pkt_num+1: because pkt_num starts at 0
  107. return pkt_num + 1, path_attack_pcap