3
0

SalityBotnet.py 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
  1. import logging
  2. from random import randint
  3. from scapy.utils import RawPcapReader
  4. from scapy.layers.inet import Ether
  5. from Attack import BaseAttack
  6. from Attack.AttackParameters import Parameter as Param
  7. from Attack.AttackParameters import ParameterTypes
  8. from ID2TLib.Utility import update_timestamp, get_interval_pps
  9. logging.getLogger("scapy.runtime").setLevel(logging.ERROR)
  10. # noinspection PyPep8
  11. class SalityBotnet(BaseAttack.BaseAttack):
  12. template_attack_pcap_path = "resources/sality_botnet.pcap"
  13. def __init__(self):
  14. """
  15. Creates a new instance of the Sality botnet.
  16. """
  17. # Initialize attack
  18. super(SalityBotnet, self).__init__("Sality Botnet", "Injects an Sality botnet'",
  19. "Botnet")
  20. # Define allowed parameters and their type
  21. self.supported_params = {
  22. Param.MAC_SOURCE: ParameterTypes.TYPE_MAC_ADDRESS,
  23. Param.IP_SOURCE: ParameterTypes.TYPE_IP_ADDRESS,
  24. Param.INJECT_AT_TIMESTAMP: ParameterTypes.TYPE_FLOAT,
  25. Param.INJECT_AFTER_PACKET: ParameterTypes.TYPE_PACKET_POSITION,
  26. Param.PACKETS_PER_SECOND: ParameterTypes.TYPE_FLOAT
  27. }
  28. def init_params(self):
  29. """
  30. Initialize the parameters of this attack using the user supplied command line parameters.
  31. Use the provided statistics to calculate default parameters and to process user
  32. supplied queries.
  33. :param statistics: Reference to a statistics object.
  34. """
  35. # PARAMETERS: initialize with default utilsvalues
  36. # (values are overwritten if user specifies them)
  37. most_used_ip_address = self.statistics.get_most_used_ip_address()
  38. if isinstance(most_used_ip_address, list):
  39. most_used_ip_address = most_used_ip_address[0]
  40. self.add_param_value(Param.IP_SOURCE, most_used_ip_address)
  41. self.add_param_value(Param.MAC_SOURCE, self.statistics.get_mac_address(most_used_ip_address))
  42. # Attack configuration
  43. self.add_param_value(Param.INJECT_AFTER_PACKET, randint(0, self.statistics.get_packet_count()))
  44. self.add_param_value(Param.PACKETS_PER_SECOND,
  45. (self.statistics.get_pps_sent(most_used_ip_address) +
  46. self.statistics.get_pps_received(most_used_ip_address)) / 2)
  47. def generate_attack_pcap(self):
  48. # Timestamp
  49. timestamp_next_pkt = self.get_param_value(Param.INJECT_AT_TIMESTAMP)
  50. pps = self.get_param_value(Param.PACKETS_PER_SECOND)
  51. # Calculate complement packet rates of BG traffic per interval
  52. complement_interval_pps = self.statistics.calculate_complement_packet_rates(pps)
  53. # Initialize parameters
  54. packets = []
  55. mac_source = self.get_param_value(Param.MAC_SOURCE)
  56. ip_source = self.get_param_value(Param.IP_SOURCE)
  57. # Pick a DNS server from the background traffic
  58. ip_dns_server = self.statistics.process_db_query("SELECT ipAddress FROM ip_protocols WHERE protocolName='DNS' ORDER BY protocolCount DESC LIMIT 1;")
  59. if not ip_dns_server or ip_source == ip_dns_server:
  60. ip_dns_server = self.statistics.get_random_ip_address()
  61. mac_dns_server = self.statistics.get_mac_address(ip_dns_server)
  62. # Bot original config in the template PCAP
  63. origin_mac_src = "08:00:27:e5:d7:b0"
  64. origin_ip_src = "10.0.2.15"
  65. origin_mac_dns_server = "52:54:00:12:35:02"
  66. origin_ip_dns_server = "10.0.2.2"
  67. ttl_map = {}
  68. ip_map = {origin_ip_src : ip_source, origin_ip_dns_server: ip_dns_server}
  69. mac_map = {origin_mac_src : mac_source, origin_mac_dns_server: mac_dns_server}
  70. path_attack_pcap = None
  71. # Inject Sality botnet
  72. # Read sality_botnet pcap file
  73. exploit_raw_packets = RawPcapReader(self.template_attack_pcap_path)
  74. for pkt_num, pkt in enumerate(exploit_raw_packets):
  75. eth_frame = Ether(pkt[0])
  76. ip_pkt = eth_frame.payload
  77. # Ether
  78. if eth_frame.getfieldval("src") in mac_map:
  79. eth_frame.setfieldval("src", mac_map[eth_frame.getfieldval("src")])
  80. if eth_frame.getfieldval("dst") in mac_map:
  81. eth_frame.setfieldval("dst", mac_map[eth_frame.getfieldval("dst")])
  82. # IP
  83. if ip_pkt.getfieldval("src") in ip_map:
  84. ip_pkt.setfieldval("src", ip_map[ip_pkt.getfieldval("src")])
  85. if ip_pkt.getfieldval("dst") in ip_map:
  86. ip_pkt.setfieldval("dst", ip_map[ip_pkt.getfieldval("dst")])
  87. ## TTL
  88. if ip_pkt.getfieldval("ttl") not in ttl_map:
  89. source_ttl = self.statistics.get_most_used_ttl(ip_pkt.getfieldval("src"))
  90. if not source_ttl:
  91. source_ttl = self.statistics.process_db_query("SELECT ttlValue FROM ip_ttl ORDER BY RANDOM() LIMIT 1;")
  92. ttl_map[ip_pkt.getfieldval("ttl")] = source_ttl
  93. ip_pkt.setfieldval("ttl", ttl_map[ip_pkt.getfieldval("ttl")])
  94. new_pkt = (eth_frame / ip_pkt)
  95. new_pkt.time = timestamp_next_pkt
  96. pps = max(get_interval_pps(complement_interval_pps, timestamp_next_pkt), 10)
  97. timestamp_next_pkt = update_timestamp(timestamp_next_pkt, pps)
  98. packets.append(new_pkt)
  99. # Store timestamp of first packet (for attack label)
  100. self.attack_start_utime = packets[0].time
  101. self.attack_end_utime = packets[-1].time
  102. if len(packets) > 0:
  103. packets = sorted(packets, key=lambda pkt: pkt.time)
  104. path_attack_pcap = self.write_attack_pcap(packets, True, path_attack_pcap)
  105. # return packets sorted by packet time_sec_start
  106. # pkt_num+1: because pkt_num starts at 0
  107. return pkt_num + 1, path_attack_pcap