Home Explore Help
Sign In
leon.boeck
/
ID2T-toolkit-BotnetTraffic
forked from SPIN/ID2T-toolkit
2
0
Fork 0
Files Issues 0 Wiki
Page: Supported Attack Parameters
Adding padding to the packets
Additional Plots
Calling the attack
Choosing an Interval from the Abstract Communication Input File
DB Table for Degree Statistics of each IP Address
DB Table for Extended Conversation Statistics
Ephemeral Ports assigment
Generate Random Ports
Home
Input of a CSV or XML File Containing Abstract Botnet Communication
Mapping IP Address to ASN
Mapping IPs to IDs
Mapping of PCAP Packets to Input CSV XML Messages
Supported Attack Parameters
Test for deterministic output
Timings of Messages and their Responses
botnet_comm_processor
Supported Attack Parameters
Dustin Born edited this page 6 years ago

No parameter is mandatory. If no parameters are specified, default ones are chosen. The default value for every attack parameter is listed below.

Parameters

  • attack.duration
    Specifies the duration of the attack in seconds as an integer.

  • bots.count
    Specifies number of bots that actively initiate communication by sending a HELLO or NL_REQUEST to other bots. An integer is expected as input.

  • file.csv
    Specifies the input CSV file that reflects the abstract bot communication which the packet injection is based on. Using this parameter also converts the abstract communication in CSV notation to XML notation and stores it in the same directory as the input CSV file.

  • file.xml
    Specifies the input XML file that reflects the abstract bot communication which the packet injection is based on.

  • hidden_mark
    Specifies whether all packets generated by the attack should have a security-ip-option. This ip-option is not used anymore and will not be displayed by wireshark and will most likely not be interpreted by programs operating on the pcap. For that reason this option is the best way to mark packets generated by the attack. To filter for packets with this option use "ip.opt.sec_prot_auth_nsa == 1" in wireshark.
    This value is either True or False.

  • inject.after-pkt
    Specifies after which packet the attack packets are injected. Note: a value of 1 means that the packets are injected directly at the beginning. An integer is expected as input.

  • inject.at-timestamp
    Specifies at which timestamp the attack packets are injected. Note: the timestamp is relative to the start of the packet capture. The timestamp is a float number.

  • interval.selection.strategy
    Specifies the selection strategy of a communication interval from the input CSV/XML. The three options are random, optimal and custom. For further details, look here.

  • interval.selection.start
    If interval.selection.strategy is custom, the selected interval starts with the message at this index/linenumber. Indices/linenumbers start at 1. If interval.selection.strategy is not selected, specifying interval.selection.start does not affect the selection of the interval in any way. Can be combined with interval.selection.end.

  • interval.selection.end
    If interval.selection.strategy is custom, the selected interval ends with the message at this index/linenumber. Indices/linenumbers start at 1. If interval.selection.strategy is not selected, specifying interval.selection.end does not affect the selection of the interval in any way. Can be combined with interval.selection.start.

  • ip.reuse.external
    Specifies the percentage of external (e.g. public) IPs contained in the input .pcap file that are to be reused. If additionally parameter ip.reuse.total is specified, the total percentage of external IP reuse is computed as ip.reuse.total * ip.reuse.external. A float number 0 <= x <= 1 is expected.

  • ip.reuse.local
    Specifies the percentage of local (e.g. private) IPs contained in the input .pcap file that are to be reused. If additionally parameter ip.reuse.total is specified, the total percentage of local IP reuse is computed as ip.reuse.total * ip.reuse.local. A float number 0 <= x <= 1 is expected.

  • ip.reuse.total
    Specifies the percentage of all IPs contained in the input .pcap file that are to be reused. This can be combined with ip.reuse.external or ip.reuse.local as explained above. A float number 0 <= x <= 1 is expected.

  • multiport
    Specifies the port selection strategy for destinations ports of packets. If True use the strategy for ephemeral ports, if False use port generation strategy of the sality botnet. No other values are allowed.

  • nat.present
    Specifies if the injected network-local bots are behind a Network Address Translation (NAT) system. If so, network-external bots cannot initiate communication with network-local bots. Possible values are True or False.

  • packet.padding
    Specifies the amount of additional padding that is added to the packets. The padding has to be an integer between 0 and 100.

  • ttl.from.caida
    Specifies whether the distribution for assigning TTLs is based on the input PCAP or on the CAIDA dataset. To base it on the CAIDA dataset, specify True, otherwise False.

Default Values

  • attack.duration
    The attack last as long as the input PCAP does.

  • bots.count
    One (initiator) bot.

  • file.csv
    No default.

  • file.xml
    The default XML file is resources/MembersMgmtComm_example.xml.

  • hidden_mark
    False

  • inject.after-pkt
    The packet after which the attack is injected is chosen at random, but lies within the first fifth of all packets.

  • inject.at-timestamp
    See default for inject.after-pkt.

  • interval.selection.strategy
    optimal.

  • interval.selection.start
    If interval.selection.strategy is custom, and no valid start or end index was specified, the start index is chosen at random.

  • interval.selection.end
    Does not have a default value.

  • ip.reuse.external
    0.5 (reuse half).

  • ip.reuse.local
    0.5 (reuse half).

  • ip.reuse.total
    1 (reuse all).

  • multiport
    False

  • packet.padding
    20 Bytes.

  • ttl.from.caida
    True, i.e. the TTL distribution is based on the input PCAP.

Delete Page

This will delete the page "Supported Attack Parameters". Please be certain.

No
Yes