PREPARE - The Probe-response attack framework https://www.tk.informatik.tu-darmstadt.de/de/research/secure-smart-infrastructures/prepare/
|Michael Stahn 8d64a3f608 update||8 years ago|
|prepare||8 years ago|
|tracing||8 years ago|
|zmap||8 years ago|
|LICENSE||8 years ago|
|README.md||8 years ago|
|setup_evironment.sh||8 years ago|
This project implements the probe-response attack (PRA) using the effective attack logic probosed by Bethencourt et al. (see Mapping Internet Sensors With Probe Response Attacks, 2005) improved by further methodologies. The first one is made of a generic encoding scheme using checksums to filter out non-probe events from attack reports. The second is a fingerprinting approach using feedback on network level to cluster monitor nodes in the following attack iteration. The attack framework is targeted against TraCINg and DShield and is extensible towards new CIDS (see Extension). Furthermore this project contains a TraCINg installation extended to mitigate the threat originated from PRAs and a simulation environment allowing to simulate attacks on TraCINg.
This project is made of the following parts:
For Ubuntu the following command installs all needed packages. Depended on the OS version some version can deviate.
: apt-get install libgmp3-dev libjson-c-dev libffi-dev npm nodejs-legacy gcc gengetopt byacc libpcap-dev libgmp3-dev mongodb flex cmake build-essential python-dev python3-dev python3-pip python-virtualenv arping
The following should be installed for 32Bit-compatibility.
: apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 libpcap0.8:i386 libcap-1*
In the case of simulations the linux kernel module dummy has to be present (default on on Ubuntu)
Configure linux to allow more memory usage for network purposes. Add the following to /etc/sysctl.conf:
: net.core.rmem_default = 268435456 : net.core.wmem_max = 2147483647 : net.core.wmem_default = 268435456 : net.core.netdev_max_backlog = 10000000 : Call: sysctl -p
Disable sending RST to minimize traffic
: iptables -A OUTPUT -p tcp -m tcp --tcp-flgas RST,RST RST,RST -j DROP : Undo of the previous command: : iptables -D OUTPUT -p tcp -m tcp --tcp-flags RST,RST RST,RST -j DROP
: virtualenv -p /usr/bin/python3.4 /root/.virtualenv : source /root/.virtualenv/bin/activate
: pip install -r prepare/requirements.txt
: cp prepare/bugfix_socketio/* /root/.virtualenv/lib/python3.4/site-packages/socketIO_client/
: cd zmap : rm CMakeCache.txt : ./build_zmap.sh : ./update_ip_blacklist.sh : See README.md for more informations.
Some side notes:
: Old modules of Node.js should be removed before installing: rm -rf node_modules : Some additional Node.js modules are used which should already be installed using the standard installation. Otherwise they can be installed using: cd tracing && npm install chance collections event-stream fs
Problems with MongoDB:
: The Latency of Mongo-DB is too large on high traffic which is why data insertion is commented out in postHandler.js (not needed)
: . ./setup_evironment.sh startinterface
: Set correkt tracing_domain in TracingReportFetcher in the attack framework (or create dedicated report fetcher)
: marker value bits=32, marker checksum bits=0 (when doing IP filtering) : use_source_ip_filter in report_fetcher.py : sleeptime in DShieldReportFetcher constructor : optional: adjust parameters in main_attack.py:
: ip_stage1 (main_attack.py) : cidr_bits_stage1: Choose only a subnet to scan (main_attack.py) : cores: amount of cores to be used (scanner_wrapper.py)
: python main_attack.py --help : python main_attack.py -i eth10 -m [mac_gateway] -r 10000 -b 32 -c 0
The attack framework can be extended for new CIDS by subclasing ReportFetcher in report_fetcher.py and implementing before_scanning() and after_scanning(). The new class has to be placed in the same module. The new report fetcher can be chosen by its class name when starting the attack framework using the parameter report_fetcher_classname.