SalityBotnet.py 6.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161
  1. import logging
  2. from random import randint, uniform
  3. from lea import Lea
  4. from Attack import BaseAttack
  5. from Attack.AttackParameters import Parameter as Param
  6. from Attack.AttackParameters import ParameterTypes
  7. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  8. # noinspection PyPep8
  9. from scapy.utils import RawPcapReader
  10. from scapy.layers.inet import IP, Ether, TCP, RandShort
  11. class SalityBotnet(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = "resources/sality_botnet.pcap"
  13. def __init__(self):
  14. """
  15. Creates a new instance of the Sality botnet.
  16. """
  17. # Initialize attack
  18. super(SalityBotnet, self).__init__("Sality Botnet", "Injects an Sality botnet'",
  19. "Botnet")
  20. # Define allowed parameters and their type
  21. self.supported_params = {
  22. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  23. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  24. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  25. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  26. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  27. }
  28. def init_params(self):
  29. """
  30. Initialize the parameters of this attack using the user supplied command line parameters.
  31. Use the provided statistics to calculate default parameters and to process user
  32. supplied queries.
  33. :param statistics: Reference to a statistics object.
  34. """
  35. # PARAMETERS: initialize with default utilsvalues
  36. # (values are overwritten if user specifies them)
  37. most_used_ip_address = self.statistics.get_most_used_ip_address()
  38. if isinstance(most_used_ip_address, list):
  39. most_used_ip_address = most_used_ip_address[0]
  40. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  41. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  42. # Attack configuration
  43. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  44. self.add_param_value(Param.PACKETS_PER_SECOND,
  45. (self.statistics.get_pps_sent(most_used_ip_address) +
  46. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  47. def generate_attack_pcap(self, context):
  48. def update_timestamp(timestamp, pps):
  49. """
  50. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  51. :return: Timestamp to be used for the next packet.
  52. """
  53. # Calculate the request timestamp
  54. # A distribution to imitate the bursty behavior of traffic
  55. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
  56. return timestamp + uniform(1 / pps, randomdelay.random())
  57. def getIntervalPPS(complement_interval_pps, timestamp):
  58. """
  59. Gets the packet rate (pps) in specific time interval.
  60. :return: the corresponding packet rate for packet rate (pps) .
  61. """
  62. for row in complement_interval_pps:
  63. if timestamp <= row[0]:
  64. return row[1]
  65. return complement_interval_pps[-1][1] # in case the timstamp > capture max timestamp
  66. # Timestamp
  67. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  68. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  69. # Calculate complement packet rates of BG traffic per interval
  70. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  71. # Initialize parameters
  72. packets = []
  73. mac_source = self.get_param_value(Param.MAC_SOURCE)
  74. ip_source = self.get_param_value(Param.IP_SOURCE)
  75. # Pick a DNS server from the background traffic
  76. ip_dns_server = self.statistics.process_db_query("SELECT ipAddress FROM ip_protocols WHERE protocolName='DNS' ORDER BY protocolCount DESC LIMIT 1;")
  77. if not ip_dns_server or ip_source == ip_dns_server:
  78. ip_dns_server = self.statistics.get_random_ip_address()
  79. mac_dns_server = self.statistics.get_mac_address(ip_dns_server)
  80. # Bot original config in the template PCAP
  81. origin_mac_src = "08:00:27:e5:d7:b0"
  82. origin_ip_src = "10.0.2.15"
  83. origin_mac_dns_server = "52:54:00:12:35:02"
  84. origin_ip_dns_server = "10.0.2.2"
  85. ttl_map = {}
  86. ip_map = {origin_ip_src : ip_source, origin_ip_dns_server: ip_dns_server}
  87. mac_map = {origin_mac_src : mac_source, origin_mac_dns_server: mac_dns_server}
  88. path_attack_pcap = None
  89. # Inject Sality botnet
  90. # Read sality_botnet pcap file
  91. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  92. for pkt_num, pkt in enumerate(exploit_raw_packets):
  93. eth_frame = Ether(pkt[0])
  94. ip_pkt = eth_frame.payload
  95. # Ether
  96. if eth_frame.getfieldval("src") in mac_map:
  97. eth_frame.setfieldval("src", mac_map[eth_frame.getfieldval("src")])
  98. if eth_frame.getfieldval("dst") in mac_map:
  99. eth_frame.setfieldval("dst", mac_map[eth_frame.getfieldval("dst")])
  100. # IP
  101. if ip_pkt.getfieldval("src") in ip_map:
  102. ip_pkt.setfieldval("src", ip_map[ip_pkt.getfieldval("src")])
  103. if ip_pkt.getfieldval("dst") in ip_map:
  104. ip_pkt.setfieldval("dst", ip_map[ip_pkt.getfieldval("dst")])
  105. ## TTL
  106. if ip_pkt.getfieldval("ttl") not in ttl_map:
  107. source_ttl = self.statistics.get_most_used_ttl(ip_pkt.getfieldval("src"))
  108. if not source_ttl:
  109. source_ttl = self.statistics.process_db_query("SELECT ttlValue FROM ip_ttl ORDER BY RANDOM() LIMIT 1;")
  110. ttl_map[ip_pkt.getfieldval("ttl")] = source_ttl
  111. ip_pkt.setfieldval("ttl", ttl_map[ip_pkt.getfieldval("ttl")])
  112. new_pkt = (eth_frame / ip_pkt)
  113. new_pkt.time = timestamp_next_pkt
  114. pps = max(getIntervalPPS(complement_interval_pps, timestamp_next_pkt), 10)
  115. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
  116. packets.append(new_pkt)
  117. # Store timestamp of first packet (for attack label)
  118. self.attack_start_utime = packets[0].time
  119. self.attack_end_utime = packets[-1].time
  120. if len(packets) > 0:
  121. packets = sorted(packets, key=lambda pkt: pkt.time)
  122. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  123. # return packets sorted by packet time_sec_start
  124. # pkt_num+1: because pkt_num starts at 0
  125. return pkt_num + 1, path_attack_pcap