Home Explore Help
Sign In
leon.boeck
/
ID2T-toolkit-BotnetTraffic
forked from SPIN/ID2T-toolkit
2
0
Fork 0
Files Issues 0 Wiki
Page: Mapping IPs to IDs
Adding padding to the packets
Additional Plots
Calling the attack
Choosing an Interval from the Abstract Communication Input File
DB Table for Degree Statistics of each IP Address
DB Table for Extended Conversation Statistics
Ephemeral Ports assigment
Generate Random Ports
Home
Input of a CSV or XML File Containing Abstract Botnet Communication
Mapping IP Address to ASN
Mapping IPs to IDs
Mapping of PCAP Packets to Input CSV XML Messages
Supported Attack Parameters
Test for deterministic output
Timings of Messages and their Responses
botnet_comm_processor
Mapping IPs to IDs
Dustin Born edited this page 6 years ago

Introduction

To give every bot its own IP, a mapping of IPs to IDs has to be done. Here, we differ between initator and responder bots. Both classes get assigned different types of IPs.

Mapping for Initiator Bots

Initator bots are the bots that send at least one request to another bot. For this tool, every initiator bot is assigned a network local IP. We call all IPs that are in the same subnet as the router (i.e. (would) have the router as gateway) network local IPs. This can be a subnet behind NAT, part of an Autonomous System or something else.

Mapping for Responder Bots

Responder bots are the bots that do not send any requests to another bot. For this tool, every responder bot is assigned a network external IP. We call every IP that is not network local network external. As an example, if the local network has private IP addresses, every public IP address is considered network external.

Generating New Local IPs

If new local IPs have to be generated, the following algorithm applies: For information about existing IPs and data flows, the input PCAP is used. First, the minimum and maximum IP that have the router as destination are found. Now, if new local IPs need to be generated, not assigned IPs between the minimum and maximum IP are randomly selected and returned. Once this space has been drained, new local IPs are created that lie above the maximum IP. To make it seem more realistic, IPs that are relatively close to the latest maximum IP are chosen for this.

Generating New External IPs

New external IPs are generated randomly. It is ensured that no "special" IPs are chosen. Special IPs mean IPs that fall into the range of private, link-local, localhost, multicast or reserved IPs.

Finding the Router

The router is found by finding the MAC address that is most frequently used, as every outgoing packet's destination MAC address is the router's. So in normal situations where network-local hosts do not excessively communicate with each other, this algorithm reliably works to find the router's MAC address. The router's IP can only be found, if the local network has private IPs, since otherwise we cannot differ which public IP is actually external and which one is the router's.

Delete Page

This will delete the page "Mapping IPs to IDs". Please be certain.

No
Yes