Synthetic Distributed Bandwidth Flood

Distributed bandwidth floods are among the earliest attacks on the Internet and are still active today: a network of compromised low-bandwidth hosts is used to exhaust the limited bandwidth of an endpoint. Mechanisms to prevent or reduce their effects are still being proposed and developed, yet the attacks remain common. Although inbound floods are arguably among the easiest attacks to detect using traffic volume alone, detecting outbound bandwidth floods with low participation at the source network is more difficult. Detecting this kind of behavior would allow bots inside a network to be identified and removed.

Attack Model

The attack model allows the magnitude of the bandwidth flood (the number of attack participants) to vary while the victim of the attack is held constant. Source and destination ports are random for every attack flow, and each flow's size represents a rate of 45KB/s by default, a typical rate for a bot participant on a home connection; the per-host attack rate can also be set to any user-specified value. Varying the magnitude across a single interval, or across multiple intervals averaged together, is useful for understanding at what magnitude an anomaly detection method can detect the attack with a specific traffic feature, or which traffic feature detects the bandwidth flood at the lowest magnitude.

Generating the Attack

The synthetic distributed bandwidth flood can be generated at a single magnitude by calling either of the following two methods directly:

  • insert_ib_flood(interval, num_attackers, attack_rate, victim)
    • Description: insert num_attackers inbound attack flows, each at attack_rate KB/s, against victim (a host internal to your subnet) into interval
    • Return type: none
  • insert_ob_flood(interval, num_attackers, attack_rate, victim)
    • Description: insert num_attackers outbound attack flows, each at attack_rate KB/s, against victim (a host external to your subnet) into interval
    • Return type: none

An alternative is the dp_synthetic.rb tool, which generates the flood and monitors the network as the magnitude is varied in any way you define. To read more about monitoring the network as the magnitude increases, see the generating synthetic attacks guide and its description of the user-defined user_iteration() method. That method can do more than monitor the network: it can also introduce multi-dimensional attacks or perform other flow processing.

dp_synthetic.rb command line parameters:

  • --attack-type: [ib_flood,ob_flood], the flood type
  • --magnitude: [0 - 2147483648], the number of attackers participating in the flood, each at a rate defaulting to 45KB/s
  • --end-magnitude: [1 - 2147483648], the final magnitude if you want to vary the magnitude of the attack (the number of attackers participating); REQUIRES --step
  • --step: introduce this many new attackers each round; REQUIRED FOR --end-magnitude
  • --victim: the victim of the flood; should be a host within your subnet if the flood type is inbound
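The attack model, the insert_ib_flood/insert_ob_flood methods and the --magnitude/--end-magnitude/--step sweep described above, as an added example that is not the project's own code: an in-memory flow table receives a synthetic flood and the per-feature entropy a monitor would compute is reported for each magnitude. Everything in it is constructed for the example: the background flows and addresses, the 300-second interval length, the 1000-byte packet size used to turn a KB/s rate into a packet count, the synthetic attacker addresses 900000+i, and the helper names toy_insert_flood, sweep and normalised_entropy.

```ruby
# Added example, not the dp_synthetic.rb code: an in-memory flow table that
# models the flood described above and the per-feature entropy a monitor
# would compute before and after the attack is inserted.
# Assumptions (constructed for this example): one interval is a 300-second
# bin, every packet carries 1000 bytes, attacker addresses are 900000+i,
# and the background flows below are made up.

Flow = Struct.new(:src, :dst, :sport, :dport, :bytes, :packets)

INTERVAL_SECONDS = 300    # assumed length of one interval
PACKET_BYTES     = 1000   # assumed packet size used to turn KB/s into packets
FEATURES         = [:src, :dst, :sport, :dport]  # traffic features monitored

# Constructed background traffic for one interval (addresses are arbitrary).
def constructed_background
  [
    Flow.new(133104, 189143, 44321, 80,    5_000_000, 5000),
    Flow.new(189143, 133104, 80,    44321, 1_200_000, 1200),
    Flow.new(173251, 140000, 51000, 22,    40_000,    40),
    Flow.new(140000, 173251, 22,    51000, 30_000,    30),
    Flow.new(150001, 133104, 60123, 443,   800_000,   800),
  ]
end

# Toy counterpart of insert_ib_flood / insert_ob_flood: adds num_attackers
# flows to the table, each sized for attack_rate_kb KB/s sustained over the
# interval, with random source and destination ports and a fixed victim.
# For an inbound flood the attackers are synthetic hosts 900000+i; for an
# outbound flood the victim is simply an address outside the subnet.
def toy_insert_flood(flows, num_attackers, attack_rate_kb, victim, seed: 1)
  rng     = Random.new(seed)           # seeded so runs are reproducible
  bytes   = attack_rate_kb * 1024 * INTERVAL_SECONDS
  packets = (bytes / PACKET_BYTES.to_f).ceil
  num_attackers.times do |i|
    flows << Flow.new(900_000 + i, victim,
                      rng.rand(1024..65535), rng.rand(1..65535),
                      bytes, packets)
  end
  flows
end

# Packets per destination address, largest first (cf. stats_addr_dst).
def stats_addr_dst(flows)
  flows.group_by(&:dst)
       .transform_values { |fs| fs.sum(&:packets) }
       .sort_by { |_, pkts| -pkts }
end

# Number of distinct sources per destination (cf. stats_addr_degree_in).
def stats_addr_degree_in(flows)
  flows.group_by(&:dst).transform_values { |fs| fs.map(&:src).uniq.size }
end

# Normalised Shannon entropy of a feature, weighting each value by packets:
# 0.0 when all packets share one value, 1.0 when spread uniformly.
def normalised_entropy(flows, feature)
  totals = Hash.new(0)
  flows.each { |f| totals[f[feature]] += f.packets }
  return 0.0 if totals.size <= 1
  total = totals.values.sum.to_f
  h = 0.0
  totals.each_value do |c|
    pr = c / total
    h -= pr * Math.log2(pr)
  end
  h / Math.log2(totals.size)
end

# Mirrors the --magnitude/--end-magnitude/--step sweep: for each magnitude a
# fresh copy of the background gets that many attackers, and one row of
# [magnitude, H(src), H(dst), H(sport), H(dport)] is produced.
def sweep(victim, start_mag, end_mag, step, attack_rate_kb)
  raise ArgumentError, 'step must be positive' unless step.positive?
  rows = []
  mag = start_mag
  while mag <= end_mag
    flows = toy_insert_flood(constructed_background, mag, attack_rate_kb, victim)
    rows << ([mag] + FEATURES.map { |ft| normalised_entropy(flows, ft).round(4) })
    mag += step
  end
  rows
end

if __FILE__ == $PROGRAM_NAME
  # Same shape as the dp_synthetic.rb output file: magnitude then one entropy per feature.
  sweep(140000, 0, 300, 100, 45).each { |row| puts row.join(' ') }
end
```

The destination-address entropy collapses towards 0 as the flood concentrates packets on one victim, while the source-address entropy rises because many equal-sized attacker flows spread the distribution; which feature moves first at low magnitude depends on how much background traffic the interval already carries, which is exactly what the sweep is meant to expose.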

Example Attacks

Running an inbound bandwidth flood against local host address 140000 at a rate of 45KB/s (-r). The attack starts at magnitude 0 (-m) and ends at magnitude 300 (-e), stepping by 300 (-s). A random interval is selected to place the attack in (-n). Notice that some of the entropy values change after the attack is inserted. Keep in mind that there is no attack at magnitude 0, the first iteration. The user method here is the user_iteration() example that monitors entropy, as described in the generating synthetic attacks overview page.

$ ./dp_synthetic.rb -a ib_flood -v 140000 -m 0 -e 300 -s 300 -n 1 -r 45 > ib_flood_300

Running @ 0 magnitude...
        computing entropy for interval  2005-02-17 11:15:00...

Running @ 300 magnitude...
Adding attacks...
        computing entropy for interval  2005-02-17 11:15:00...

$ cat ib_flood_300
0 0.126605802802102 0.276964848423946 0.551271119066336 0.557018496180056 0.566427047919341 0.568769517280779 0.736208464698116
300 0.126605802802102 0.276964848423946 0.570456505511628 0.575826219208981 0.580950187092449 0.552642362557091 0.731821811777201

The following example uses the irb command line and the attack-specific Ruby methods directly for synthetic attack generation. It manually inserts an inbound flood attack into the interval "2005-02-01 00:00:00" against host 131734 using the insert_ib_flood(interval, num_attackers, attack_rate, victim) method:

irb> create_attack_table("flows")  # Create the attack table, then check the top 3 hosts in terms of destination packets

irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").first(3).each {|host,dst_packets| puts "#{host} #{dst_packets}"}
133104 1700225
189143 1485686
173251 1090641

irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last  # how many packets does our victim originally have destined to him?
=> 2

irb> insert_ib_flood("2005-02-01 00:00:00", 5000, 45, 131734)              # FIRE ZEE MISSLES!

irb> stats_addr_degree_in("2005-02-01 00:00:00","all_flows").assoc(131734).last  # he has a lot of new unique friends talking to him
=> 5001

irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last  # the damage has been done...
=> 45000002

irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").first(3).each {|host,dst_packets| puts "#{host} #{dst_packets}"}
131734 45000002
133104 1700225
189143 1485686

irb> clear_attack_table()

irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last  # back to normal!
=> 2

irb> delete_attack_table()  # clean up after ourselves...