| | 1 | = Synthetic Horizontal Scan = |
|---|
| | 2 | |
|---|
| | 3 | When attackers attempt to find hosts which are vulnerable to a specific attack, a horizontal scan is typically used used which checks the availability of a specific service across hosts by targeting a single port associated with the service. For example, port 445 is highly vulnerable on to remote exploits in the Windows operating system and is therefore a popular port for horizontal scanning where attackers will scan subnets of the Internet looking for hosts with this port open to attack. |
|---|
| | 4 | |
|---|
| | 5 | == Attack Model == |
|---|
| | 6 | |
|---|
| | 7 | The horizontal scan attack model has a single attacker attempt connections across hosts at a user specified rate (magnitude) using a single port. The source port used is generated randomly and the destination port is fixed. The attacking hosts address is statically defined and the destination host addresses are generated as a series starting from the low magnitude value and ending at the high magnitude value. Flow size distribution is currently one packet generated by the attacker and zero packets generated by the destination. |
|---|
| | 8 | |
|---|
| | 9 | == Generating the Attack == |
|---|
| | 10 | |
|---|
| | 11 | The horizontal scans can be generated at a single magnitude (scan_rate) by directly using the following two available methods where the ''interval'' is the timestamp to insert the address, ''start_victim'' is the starting address to begin the sequential scan, ''scan_rate'' is the magnitude in hosts per second, ''scan_port'' is the port to scan, and ''scanner'' is the host address of the scanner: |
|---|
| | 12 | |
|---|
| | 13 | * ''insert_ib_hscan(interval, start_victim, scan_rate, scan_port, scanner)'' |
|---|
| | 14 | * Description: insert an inbound horizontal scan in interval from scanner on scan_port at a rate of scan_rate in hosts per second, sequentially attacking destination host addresses starting at start_victim |
|---|
| | 15 | * Return type: none |
|---|
| | 16 | |
|---|
| | 17 | * ''insert_ob_hscan(interval, start_victim, scan_rate, scan_port, scanner)'' |
|---|
| | 18 | * Description: insert an outbound horizontal scan in interval from scanner on scan_port at a rate of scan_rate in hosts per second, sequentially attacking destination host addresses starting at start_victim |
|---|
| | 19 | * Return type: none |
|---|
| | 20 | |
|---|
| | 21 | An alternative method is to use the [source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb] tool which allows you to generate the synthetic horizontal attack and monitor the network as the magnitude is varied in any way you define. To read more about how to monitor the network as the magnitude is increased, read the user [wiki:GeneratingSyntheticAttacks#GeneratingSyntheticAttacks generating synthetic attack] guide for information about the user defined ''user_iteration()'' method. This method can also do more than just monitoring the network, but can also introduce multi-dimensional attacks or other flow processing. |
|---|
| | 22 | |
|---|
| | 23 | [source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb] command line parameters: |
|---|
| | 24 | |
|---|
| | 25 | * ''--attack-type'': [ib_hscan,ob_hscan], the scan type (REQUIRED) |
|---|
| | 26 | |
|---|
| | 27 | * ''--scan_port'': [0 - 65535] the port to scan horizontally (default 80) |
|---|
| | 28 | |
|---|
| | 29 | * ''--subnet'': specify the local subnet where activity will be directed to or from (REQUIRED) |
|---|
| | 30 | |
|---|
| | 31 | * ''--atacker'': the host address of the attacker performing the horizontal scan (default is start of subnet for outbound, end of subnet+1 for inbound) |
|---|
| | 32 | |
|---|
| | 33 | * ''--victim'': the host address to start the horizontal scan at, should be within the specified local subnet (default is start of subnet for inbound, end of subnet+1 for outbound) |
|---|
| | 34 | |
|---|
| | 35 | * ''--magnitude'': [0 - 2147483648], the scan rate in hosts per second of the attacker (REQUIRED) |
|---|
| | 36 | |
|---|
| | 37 | * ''--end-magnitude'': [1 - 2147483648], the highest scan rate to reach before haulting, (REQUIRES --step) |
|---|
| | 38 | |
|---|
| | 39 | * ''--step'': the amount to increase the scan rate in hosts per second each iteration (REQUIRED FOR --end-magnitude) |
|---|
| | 40 | |
|---|
| | 41 | == Example Attacks == |
|---|
| | 42 | |
|---|
| | 43 | An inbound horizontal scan in a single random interval (-n) on port ''80'' (-p) from attacker ''1654321'' (-k) to subnet addresses sequentially between 0 and 100000 (-u) starting at victim address 5 (-v). The attack starts at scan rate of 0 hosts/sec (-m), increases at a rate of 300 hosts/sec (-s), and ends at a rate of 300 hosts/sec (-e). |
|---|
| | 44 | |
|---|
| | 45 | {{{ |
|---|
| | 46 | $ ./dp_synthetic.rb -a ib_hscan -p 80 -k 1654321 -u 0,100000 -m 0 -e 300 -s 300 -n 1 -v 5 > ib_hscan_300 |
|---|
| | 47 | |
|---|
| | 48 | Running @ 0 magnitude... |
|---|
| | 49 | computing entropy for interval 2005-02-08 19:40:00... |
|---|
| | 50 | |
|---|
| | 51 | Running @ 300 magnitude... |
|---|
| | 52 | Adding attacks... |
|---|
| | 53 | computing entropy for interval 2005-02-08 19:40:00... |
|---|
| | 54 | |
|---|
| | 55 | $ cat ib_hscan_300 |
|---|
| | 56 | 0 0.119113613283867 0.272295341734853 0.588708342296892 0.587857455575229 0.593813077949223 0.595118273505283 0.769632014108444 |
|---|
| | 57 | 300 0.0638814180281338 0.272295341734853 0.587730144440043 0.587146805679675 0.593821578726339 0.575579546301505 0.767651312605998 |
|---|
| | 58 | }}} |
|---|
| | 59 | |
|---|
| | 60 | To reproduce the same attack as above which used the [source:scripts/ruby/dp_synthetic.rb dp_synthetic.rb], but instead using the direct methods and only at a single magnitude of 300: |
|---|
| | 61 | {{{ |
|---|
| | 62 | irb> insert_ib_hscan('2005-02-01 00:00:00', 5, 300, 80, 1654321) |
|---|
| | 63 | irb> exit |
|---|
| | 64 | $ psql dp |
|---|
| | 65 | dp=> select interval,src_ip,dst_ip,src_port,dst_port,src_packets,dst_packets from attack_flows; |
|---|
| | 66 | |
|---|
| | 67 | interval | src_ip | dst_ip | src_port | dst_port | src_packets | dst_packets |
|---|
| | 68 | ---------------------+---------+--------+----------+----------+-------------+------------- |
|---|
| | 69 | 2005-02-01 00:00:00 | 1654321 | 5 | 33176 | 80 | 1 | 0 |
|---|
| | 70 | 2005-02-01 00:00:00 | 1654321 | 6 | 48244 | 80 | 1 | 0 |
|---|
| | 71 | 2005-02-01 00:00:00 | 1654321 | 7 | 13864 | 80 | 1 | 0 |
|---|
| | 72 | 2005-02-01 00:00:00 | 1654321 | 8 | 16386 | 80 | 1 | 0 |
|---|
| | 73 | 2005-02-01 00:00:00 | 1654321 | 9 | 38486 | 80 | 1 | 0 |
|---|
| | 74 | ..... |
|---|
| | 75 | }}} |
|---|
