DDoSAttack.py 15 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304
  1. import logging
  2. from random import randint, uniform, choice
  3. from lea import Lea
  4. from scipy.stats import gamma
  5. from Attack import BaseAttack
  6. from Attack.AttackParameters import Parameter as Param
  7. from Attack.AttackParameters import ParameterTypes
  8. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  9. # noinspection PyPep8
  10. from scapy.layers.inet import IP, Ether, TCP, RandShort
  11. from collections import deque
  12. class DDoSAttack(BaseAttack.BaseAttack):
  13. def __init__(self):
  14. """
  15. Creates a new instance of the DDoS attack.
  16. """
  17. # Initialize attack
  18. super(DDoSAttack, self).__init__("DDoS Attack", "Injects a DDoS attack'",
  19. "Resource Exhaustion")
  20. # Define allowed parameters and their type
  21. self.supported_params = {
  22. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  23. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  24. Param.PORT_SOURCE: ParameterTypes.TYPE_PORT,
  25. Param.IP_DESTINATION: ParameterTypes.TYPE_IP_ADDRESS,
  26. Param.MAC_DESTINATION: ParameterTypes.TYPE_MAC_ADDRESS,
  27. Param.PORT_DESTINATION: ParameterTypes.TYPE_PORT,
  28. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  29. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  30. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT,
  31. Param.NUMBER_ATTACKERS: ParameterTypes.TYPE_INTEGER_POSITIVE,
  32. Param.ATTACK_DURATION: ParameterTypes.TYPE_INTEGER_POSITIVE,
  33. Param.VICTIM_BUFFER: ParameterTypes.TYPE_INTEGER_POSITIVE
  34. }
  35. def init_params(self):
  36. """
  37. Initialize the parameters of this attack using the user supplied command line parameters.
  38. Use the provided statistics to calculate default parameters and to process user
  39. supplied queries.
  40. :param statistics: Reference to a statistics object.
  41. """
  42. # PARAMETERS: initialize with default values
  43. # (values are overwritten if user specifies them)
  44. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  45. # attacker configuration
  46. num_attackers = randint(1, 16)
  47. # The most used IP class in background traffic
  48. most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
  49. self.add_param_value(Param.IP_SOURCE, self.generate_random_ipv4_address(most_used_ip_class, num_attackers))
  50. self.add_param_value(Param.MAC_SOURCE, self.generate_random_mac_address(num_attackers))
  51. self.add_param_value(Param.PORT_SOURCE, str(RandShort()))
  52. self.add_param_value(Param.PACKETS_PER_SECOND, 0)
  53. self.add_param_value(Param.ATTACK_DURATION, randint(5,30))
  54. # victim configuration
  55. random_ip_address = self.statistics.get_random_ip_address()
  56. self.add_param_value(Param.IP_DESTINATION, random_ip_address)
  57. destination_mac = self.statistics.get_mac_address(random_ip_address)
  58. if isinstance(destination_mac, list) and len(destination_mac) == 0:
  59. destination_mac = self.generate_random_mac_address()
  60. self.add_param_value(Param.MAC_DESTINATION, destination_mac)
  61. self.add_param_value(Param.VICTIM_BUFFER, randint(1000,10000))
  62. def generate_attack_pcap(self, context):
  63. def update_timestamp(timestamp, pps, delay=0):
  64. """
  65. Calculates the next timestamp to be used based on the packet per second rate (pps) and the maximum delay.
  66. :return: Timestamp to be used for the next packet.
  67. """
  68. if delay == 0:
  69. # Calculate the request timestamp
  70. # A distribution to imitate the bursty behavior of traffic
  71. randomdelay = Lea.fromValFreqsDict({1 / pps: 70, 2 / pps: 20, 5 / pps: 7, 10 / pps: 3})
  72. return timestamp + uniform(1 / pps, randomdelay.random())
  73. else:
  74. # Calculate the reply timestamp
  75. randomdelay = Lea.fromValFreqsDict({2 * delay: 70, 3 * delay: 20, 5 * delay: 7, 10 * delay: 3})
  76. return timestamp + uniform(1 / pps + delay, 1 / pps + randomdelay.random())
  77. def get_nth_random_element(*element_list):
  78. """
  79. Returns the n-th element of every list from an arbitrary number of given lists.
  80. For example, list1 contains IP addresses, list 2 contains MAC addresses. Use of this function ensures that
  81. the n-th IP address uses always the n-th MAC address.
  82. :param element_list: An arbitrary number of lists.
  83. :return: A tuple of the n-th element of every list.
  84. """
  85. range_max = min([len(x) for x in element_list])
  86. if range_max > 0: range_max -= 1
  87. n = randint(0, range_max)
  88. return tuple(x[n] for x in element_list)
  89. def index_increment(number: int, max: int):
  90. if number + 1 < max:
  91. return number + 1
  92. else:
  93. return 0
  94. def getIntervalPPS(complement_interval_pps, timestamp):
  95. """
  96. Gets the packet rate (pps) for a specific time interval.
  97. :param complement_interval_pps: an array of tuples (the last timestamp in the interval, the packet rate in the crresponding interval).
  98. :param timestamp: the timestamp at which the packet rate is required.
  99. :return: the corresponding packet rate (pps) .
  100. """
  101. for row in complement_interval_pps:
  102. if timestamp <= row[0]:
  103. return row[1]
  104. # In case the timestamp > capture max timestamp
  105. return complement_interval_pps[-1][1]
  106. def get_attacker_config(ipAddress: str):
  107. """
  108. Returns the attacker configuration depending on the IP address, this includes the port for the next
  109. attacking packet and the previously used (fixed) TTL value.
  110. :param ipAddress: The IP address of the attacker
  111. :return: A tuple consisting of (port, ttlValue)
  112. """
  113. # Determine port
  114. port = attacker_port_mapping.get(ipAddress)
  115. if port is not None: # use next port
  116. next_port = attacker_port_mapping.get(ipAddress) + 1
  117. if next_port > (2 ** 16 - 1):
  118. next_port = 1
  119. else: # generate starting port
  120. next_port = RandShort()
  121. attacker_port_mapping[ipAddress] = next_port
  122. # Determine TTL value
  123. ttl = attacker_ttl_mapping.get(ipAddress)
  124. if ttl is None: # determine TTL value
  125. is_invalid = True
  126. pos = ip_source_list.index(ipAddress)
  127. pos_max = len(gd)
  128. while is_invalid:
  129. ttl = int(round(gd[pos]))
  130. if 0 < ttl < 256: # validity check
  131. is_invalid = False
  132. else:
  133. pos = index_increment(pos, pos_max)
  134. attacker_ttl_mapping[ipAddress] = ttl
  135. # return port and TTL
  136. return next_port, ttl
  137. BUFFER_SIZE = 1000
  138. # Determine source IP and MAC address
  139. num_attackers = self.get_param_value(Param.NUMBER_ATTACKERS)
  140. if num_attackers is not None: # user supplied Param.NUMBER_ATTACKERS
  141. # The most used IP class in background traffic
  142. most_used_ip_class = self.statistics.process_db_query("most_used(ipClass)")
  143. # Create random attackers based on user input Param.NUMBER_ATTACKERS
  144. ip_source_list = self.generate_random_ipv4_address(most_used_ip_class, num_attackers)
  145. mac_source_list = self.generate_random_mac_address(num_attackers)
  146. else: # user did not supply Param.NUMBER_ATTACKS
  147. # use default values for IP_SOURCE/MAC_SOURCE or overwritten values
  148. # if user supplied any values for those params
  149. ip_source_list = self.get_param_value(Param.IP_SOURCE)
  150. mac_source_list = self.get_param_value(Param.MAC_SOURCE)
  151. num_attackers = len(ip_source_list)
  152. # Initialize parameters
  153. packets = deque(maxlen=BUFFER_SIZE)
  154. port_source_list = self.get_param_value(Param.PORT_SOURCE)
  155. mac_destination = self.get_param_value(Param.MAC_DESTINATION)
  156. ip_destination = self.get_param_value(Param.IP_DESTINATION)
  157. most_used_ip_address = self.statistics.get_most_used_ip_address()
  158. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  159. if pps == 0:
  160. result = self.statistics.process_db_query("SELECT MAX(maxPktRate) FROM ip_statistics WHERE ipAddress='"+ip_destination+"';")
  161. if result is not None and not 0:
  162. pps = num_attackers * result
  163. else:
  164. result = self.statistics.process_db_query("SELECT MAX(maxPktRate) FROM ip_statistics WHERE ipAddress='"+most_used_ip_address+"';")
  165. pps = num_attackers * result
  166. # Calculate complement packet rates of the background traffic for each interval
  167. attacker_pps = pps / num_attackers
  168. complement_interval_attacker_pps = self.statistics.calculate_complement_packet_rates(attacker_pps)
  169. # Check ip.src == ip.dst
  170. self.ip_src_dst_equal_check(ip_source_list, ip_destination)
  171. port_destination = self.get_param_value(Param.PORT_DESTINATION)
  172. if not port_destination: # user did not define port_dest
  173. port_destination = self.statistics.process_db_query(
  174. "SELECT portNumber FROM ip_ports WHERE portDirection='in' AND ipAddress='" + ip_destination + "' ORDER BY portCount DESC LIMIT 1;")
  175. if not port_destination: # no port was retrieved
  176. port_destination = self.statistics.process_db_query(
  177. "SELECT portNumber FROM ip_ports WHERE portDirection='in' GROUP BY portNumber ORDER BY SUM(portCount) DESC LIMIT 1;")
  178. if not port_destination:
  179. port_destination = max(1, str(RandShort()))
  180. attacker_port_mapping = {}
  181. attacker_ttl_mapping = {}
  182. # Gamma distribution parameters derived from MAWI 13.8G dataset
  183. alpha, loc, beta = (2.3261710235, -0.188306914406, 44.4853123884)
  184. gd = gamma.rvs(alpha, loc=loc, scale=beta, size=len(ip_source_list))
  185. path_attack_pcap = None
  186. timestamp_prv_reply, timestamp_confirm = 0, 0
  187. minDelay, maxDelay = self.get_reply_delay(ip_destination)
  188. victim_buffer = self.get_param_value(Param.VICTIM_BUFFER)
  189. attack_duration = self.get_param_value(Param.ATTACK_DURATION)
  190. pkts_num = int(pps * attack_duration)
  191. source_win_sizes = self.statistics.process_db_query(
  192. "SELECT DISTINCT winSize FROM tcp_win ORDER BY RANDOM() LIMIT "+str(pkts_num)+";")
  193. destination_win_dist = self.statistics.get_win_distribution(ip_destination)
  194. if len(destination_win_dist) > 0:
  195. destination_win_prob_dict = Lea.fromValFreqsDict(destination_win_dist)
  196. destination_win_value = destination_win_prob_dict.random()
  197. else:
  198. destination_win_value = self.statistics.process_db_query("most_used(winSize)")
  199. # MSS that was used by IP destination in background traffic
  200. mss_dst = self.statistics.get_most_used_mss(ip_destination)
  201. if mss_dst is None:
  202. mss_dst = self.statistics.process_db_query("most_used(mssValue)")
  203. replies_count = 0
  204. total_pkt_num = 0
  205. # For each attacker, generate his own packets, then merge all packets
  206. for attacker in range(num_attackers):
  207. # Timestamp
  208. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  209. attack_ends_time = timestamp_next_pkt + attack_duration
  210. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, attacker_pps)
  211. attacker_pkts_num = int(pkts_num / num_attackers) + randint(0,100)
  212. for pkt_num in range(attacker_pkts_num):
  213. # Stop the attack when it exceeds the duration
  214. if timestamp_next_pkt > attack_ends_time:
  215. break
  216. # Build request package
  217. # Select one IP address and its corresponding MAC address
  218. (ip_source, mac_source) = get_nth_random_element(ip_source_list, mac_source_list)
  219. # Determine source port
  220. (port_source, ttl_value) = get_attacker_config(ip_source)
  221. request_ether = Ether(dst=mac_destination, src=mac_source)
  222. request_ip = IP(src=ip_source, dst=ip_destination, ttl=ttl_value)
  223. # Random win size for each packet
  224. source_win_size = choice(source_win_sizes)
  225. request_tcp = TCP(sport=port_source, dport=port_destination, flags='S', ack=0, window=source_win_size)
  226. request = (request_ether / request_ip / request_tcp)
  227. request.time = timestamp_next_pkt
  228. # Append request
  229. packets.append(request)
  230. total_pkt_num +=1
  231. # Build reply package
  232. if replies_count <= victim_buffer:
  233. reply_ether = Ether(src=mac_destination, dst=mac_source)
  234. reply_ip = IP(src=ip_destination, dst=ip_source, flags='DF')
  235. reply_tcp = TCP(sport=port_destination, dport=port_source, seq=0, ack=1, flags='SA', window=destination_win_value,options=[('MSS', mss_dst)])
  236. reply = (reply_ether / reply_ip / reply_tcp)
  237. timestamp_reply = update_timestamp(timestamp_next_pkt, attacker_pps, minDelay)
  238. while (timestamp_reply <= timestamp_prv_reply):
  239. timestamp_reply = update_timestamp(timestamp_prv_reply, attacker_pps, minDelay)
  240. timestamp_prv_reply = timestamp_reply
  241. reply.time = timestamp_reply
  242. packets.append(reply)
  243. replies_count+=1
  244. total_pkt_num += 1
  245. attacker_pps = max(getIntervalPPS(complement_interval_attacker_pps, timestamp_next_pkt), (pps/num_attackers)/2)
  246. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, attacker_pps)
  247. # Store timestamp of first packet (for attack label)
  248. if total_pkt_num <= 2 :
  249. self.attack_start_utime = packets[0].time
  250. elif pkt_num % BUFFER_SIZE == 0: # every 1000 packets write them to the pcap file (append)
  251. last_packet = packets[-1]
  252. packets = sorted(packets, key=lambda pkt: pkt.time)
  253. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  254. packets = []
  255. if len(packets) > 0:
  256. packets = sorted(packets, key=lambda pkt: pkt.time)
  257. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  258. # Store timestamp of last packet
  259. self.attack_end_utime = last_packet.time
  260. # Return packets sorted by packet time_sec_start
  261. # pkt_num+1: because pkt_num starts at 0
  262. return total_pkt_num , path_attack_pcap