= Synthetic Distributed Bandwidth Flood =

Distributed bandwidth floods are among the earliest attacks on the Internet and are still in active use, because a network of compromised low-bandwidth hosts can together overwhelm the limited bandwidth of a single endpoint. Mechanisms to prevent or reduce their effects are still being proposed and developed, yet the attacks remain active today. Although an inbound flood is arguably one of the easiest attacks to detect, using [wiki:TrafficFeatures#Volume traffic volume], detecting an outbound bandwidth flood in which only a few hosts of the source network participate is more difficult. Being able to detect that kind of behavior would locate the bots in a network so they can be removed.

== Attack Model ==

The attack model lets the magnitude of the bandwidth flood (the number of attack participants) vary while the victim stays constant. Source and destination ports are chosen at random for every attack flow, and each flow's size corresponds to a per-participant rate of 45KB/s by default, a typical rate for a bot on a home connection; the rate per host can be set to any value by the user. Varying the magnitude across a single interval, or across several intervals averaged together, shows at what magnitude an anomaly detection method can detect the attack with a specific [wiki:TrafficFeatures traffic feature], or which [wiki:TrafficFeatures traffic feature] detects the bandwidth flood at the smallest magnitude.
== Generating the Attack ==

The synthetic distributed bandwidth flood can be generated at a single magnitude by calling one of the following two methods directly:

 * ''insert_ib_flood(interval, num_attackers, attack_rate, victim)''
   * Description: insert ''num_attackers'' inbound attack flows, each at ''attack_rate'' KB/s, against ''victim'' (a host internal to your subnet) into ''interval''
   * Return type: none
 * ''insert_ob_flood(interval, num_attackers, attack_rate, victim)''
   * Description: insert ''num_attackers'' outbound attack flows, each at ''attack_rate'' KB/s, against ''victim'' (a host external to your subnet) into ''interval''
   * Return type: none

An alternative is the [source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb] tool, which generates the flood and monitors the network while the magnitude is varied in any way you define. To read about monitoring the network as the magnitude increases, see the [wiki:GeneratingSyntheticAttacks#GeneratingSyntheticAttacks generating synthetic attacks] guide, which describes the user-defined ''user_iteration()'' method. That method is not limited to monitoring: it can also introduce multi-dimensional attacks or do other flow processing.

[source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb] command line parameters:

 * ''--attack-type'': [ib_flood,ob_flood], the flood type
 * ''--magnitude'': [0 - 2147483648], the number of attackers participating in the flood, each at a rate that defaults to 45KB/s
 * ''--end-magnitude'': [1 - 2147483648], the final magnitude if you want to vary the number of participating attackers; ''REQUIRES --step''
 * ''--step'': introduce this many new attackers each round; ''REQUIRED FOR --end-magnitude''
 * ''--victim'': the victim of the flood; must be a host within your subnet if the flood type is inbound

== Example Attacks ==

Running an inbound bandwidth flood against local host address 140000 at a rate of 45KB/s.
The attack starts at magnitude 0 (-m) and ends at magnitude 300 (-e), stepping by 300 (-s). A random interval is selected to place the attack in (-n). Notice that some of the entropy values change after the attack is inserted: the first two columns are identical at both magnitudes, while the remaining five move. Keep in mind that there is no attack at magnitude 0, which is the first iteration. The user method is the ''user_iteration()'' example that monitors entropy, as described in the [wiki:GeneratingSyntheticAttacks generating synthetic attacks] overview page.

{{{
$ ./dp_synthetic.rb -a ib_flood -v 140000 -m 0 -e 300 -s 300 -n 1 -r 45 > ib_flood_300
Running @ 0 magnitude...
computing entropy for interval 2005-02-17 11:15:00...
Running @ 300 magnitude...
Adding attacks...
computing entropy for interval 2005-02-17 11:15:00...
$ cat ib_flood_300
0 0.126605802802102 0.276964848423946 0.551271119066336 0.557018496180056 0.566427047919341 0.568769517280779 0.736208464698116
300 0.126605802802102 0.276964848423946 0.570456505511628 0.575826219208981 0.580950187092449 0.552642362557091 0.731821811777201
}}}

The following example uses the ''irb'' command line and the [wiki:DPUserFunctions#SyntheticAttacks attack-specific Ruby methods] directly. It manually inserts an inbound flood into the interval "2005-02-01 00:00:00" against host ''131734'' with the ''insert_ib_flood(interval, num_attackers, attack_rate, victim)'' method, then checks the victim's destination-packet count and in-degree before and after, and removes the attack again:

{{{
irb> create_attack_table("flows") # Create the attack table, then check the top 3 hosts in terms of destination packets
irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").first(3).each {|host,dst_packets| puts "#{host} #{dst_packets}"}
133104 1700225
189143 1485686
173251 1090641
irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last # how many packets does our victim originally have destined to him?
=> 2
irb> insert_ib_flood("2005-02-01 00:00:00", 5000, 45, 131734) # FIRE ZEE MISSLES!
irb> stats_addr_degree_in("2005-02-01 00:00:00","all_flows").assoc(131734).last # he has a lot of new unique friends talking to him
=> 5001
irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last # the damage has been done...
=> 45000002
irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").first(3).each {|host,dst_packets| puts "#{host} #{dst_packets}"}
131734 45000002
133104 1700225
189143 1485686
irb> clear_attack_table()
irb> stats_addr_dst("2005-02-01 00:00:00","all_flows").assoc(131734).last # back to normal!
=> 2
irb> delete_attack_table() # clean up after ourselves...
}}}
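The following is an added example, not code from the project or from ''dp_synthetic.rb'': an in-memory model of what the attack model and ''insert_ib_flood'' do to one interval's flow table, together with the traffic-feature statistics (destination packets, in-degree, source- and destination-address entropy) a ''user_iteration()'' hook would watch as the magnitude is stepped from ''--magnitude'' to ''--end-magnitude'' by ''--step''. Everything about the flow representation is an assumption: a flow is a Hash of ''src'', ''dst'', ''sport'', ''dport'', ''packets'' and ''bytes''; an interval is 300 seconds long; attack packets are 1500 bytes; the host ids and baseline flows are constructed sample data. Those two constants were chosen so that 45KB/s per attacker becomes 9000 packets per attacker, which is what the irb session above shows (45000000 extra packets / 5000 attackers), but the real tool's packet model is not documented on this page.

```ruby
# Added example, not the project's code: in-memory model of insert_ib_flood plus
# the traffic features used to see the flood appear as the magnitude grows.
#
# Assumptions (not stated on the page): a flow is a Hash with :src, :dst,
# :sport, :dport, :packets, :bytes; an interval is INTERVAL_SECONDS long and
# attack packets are PACKET_BYTES long, so attack_rate KB/s per attacker turns
# into attack_rate*1000*INTERVAL_SECONDS/PACKET_BYTES packets (9000 at 45KB/s).
INTERVAL_SECONDS = 300
PACKET_BYTES     = 1500
ATTACKER_BASE    = 1_000_000   # hypothetical external address ids for attackers

# Constructed baseline traffic for one interval (hypothetical host ids; the
# victim 131734 normally receives only 2 packets, as in the irb session).
def baseline_flows
  [
    { src: 133104, dst: 131734, sport: 40001, dport: 80,    packets: 2,   bytes: 120 },
    { src: 189143, dst: 133104, sport: 40002, dport: 443,   packets: 900, bytes: 900_000 },
    { src: 173251, dst: 133104, sport: 40003, dport: 22,    packets: 800, bytes: 400_000 },
    { src: 133104, dst: 189143, sport: 443,   dport: 40002, packets: 600, bytes: 600_000 },
  ]
end

# Model of insert_ib_flood: one flow per attacker, random source and destination
# ports, a fixed per-attacker rate, all aimed at the victim. Attack flows are
# tagged so clear_attack_table can remove them again.
def insert_ib_flood(flows, num_attackers, attack_rate, victim, seed: 1)
  rng  = Random.new(seed)   # fixed seed so the random ports are reproducible
  pkts = (attack_rate * 1000 * INTERVAL_SECONDS) / PACKET_BYTES
  num_attackers.times do |i|
    flows << { src: ATTACKER_BASE + i, dst: victim,
               sport: rng.rand(1024..65535), dport: rng.rand(1..65535),
               packets: pkts, bytes: pkts * PACKET_BYTES, attack: true }
  end
  flows
end

def clear_attack_table(flows)
  flows.reject { |f| f[:attack] }
end

# Packets destined to each host, most-loaded host first, as [host, packets]
# pairs so .assoc(host) works the way it does in the irb session.
def stats_addr_dst(flows)
  flows.each_with_object(Hash.new(0)) { |f, h| h[f[:dst]] += f[:packets] }
       .sort_by { |_, pkts| -pkts }
end

# Number of distinct sources talking to each host.
def stats_addr_degree_in(flows)
  flows.group_by { |f| f[:dst] }
       .transform_values { |fs| fs.map { |f| f[:src] }.uniq.size }
end

# Shannon entropy in bits of a packet-weighted distribution. The page's entropy
# columns lie in [0,1], so the tool evidently normalises; this one does not.
def entropy(counts)
  total = counts.values.sum.to_f
  return 0.0 if total.zero?
  -counts.values.sum { |c| p = c / total; p * Math.log2(p) }
end

def src_addr_entropy(flows)
  entropy(flows.each_with_object(Hash.new(0)) { |f, h| h[f[:src]] += f[:packets] })
end

def dst_addr_entropy(flows)
  entropy(flows.each_with_object(Hash.new(0)) { |f, h| h[f[:dst]] += f[:packets] })
end

# The magnitudes dp_synthetic.rb would visit for --magnitude/--end-magnitude/--step.
def magnitude_range(start_m, end_m, step)
  (start_m..end_m).step(step).to_a
end

# Step the flood up and record the features at each magnitude, the way a
# user_iteration() hook would; magnitude 0 is the clean baseline.
def sweep(start_m, end_m, step, attack_rate, victim)
  magnitude_range(start_m, end_m, step).map do |m|
    flows = insert_ib_flood(baseline_flows, m, attack_rate, victim)
    { magnitude: m,
      src_entropy: src_addr_entropy(flows).round(3),
      dst_entropy: dst_addr_entropy(flows).round(3),
      victim_in_degree: stats_addr_degree_in(flows)[victim] || 0,
      victim_dst_packets: (stats_addr_dst(flows).assoc(victim) || [victim, 0]).last }
  end
end

if __FILE__ == $PROGRAM_NAME
  sweep(0, 300, 100, 45, 131734).each { |row| puts row.inspect }
end
```

Running the sweep shows the two address-entropy features moving in opposite directions as the magnitude rises: the destination-address entropy collapses because one host absorbs almost all packets, while the source-address entropy climbs towards log2 of the number of attackers because each bot contributes an equal share. That is why a feature that reacts at a small magnitude (here, in-degree and destination packets of the top host react at any magnitude) is worth more for early detection than one that only moves once the flood dominates the interval.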