Synthetic Vertical Scan
A vertical scan is also referred to as a port scan. No specific port is targeted; the whole port range (0-65535) is scanned on hosts. This allows attackers to determine what services are running on a machine, which can then be targeted with exploits.
Attack Model
The vertical scan attack model has a single attacker attempt connections across hosts at a user-specified rate (magnitude) using the whole port range. The source port is generated randomly and the destination port is fixed. The attacking host's address is statically defined, and the destination host addresses are generated as a series starting from the low magnitude value and ending at the high magnitude value. The flow size distribution is currently one packet generated by the attacker and zero packets generated by the destination.
Generating the Attack
The vertical scans can be generated at a single magnitude (scan_rate) by directly using the following two available methods, where interval is the timestamp to insert the address, start_victim is the starting address to begin the sequential scan, scan_rate is the magnitude in hosts per second, scan_port is the port to scan, and scanner is the host address of the scanner:
- insert_ib_vscan(interval, start_victim, scan_rate, scan_port, scanner)
  - Description: insert an inbound horizontal scan in interval from scanner on scan_port at a rate of scan_rate in hosts per second, sequentially attacking destination host addresses starting at start_victim
  - Return type: none
- insert_ob_vscan(interval, start_victim, scan_rate, scan_port, scanner)
  - Description: insert an outbound horizontal scan in interval from scanner on scan_port at a rate of scan_rate in hosts per second, sequentially attacking destination host addresses starting at start_victim
  - Return type: none
An alternative method is to use the dp_synthetic.rb tool, which allows you to generate the synthetic horizontal attack and monitor the network as the magnitude is varied in any way you define. To learn how to monitor the network as the magnitude is increased, see the user guide on generating synthetic attacks for information about the user-defined user_iteration() method. This method can do more than monitor the network: it can also introduce multi-dimensional attacks or other flow processing.
dp_synthetic.rb command line parameters:
- --attack-type: [ib_hscan,ob_hscan], the scan type (REQUIRED)
- --subnet: specify the local subnet where activity will be directed to or from (REQUIRED)
- --attacker: the host address of the attacker performing the horizontal scan (default is start of subnet for outbound, end of subnet+1 for inbound)
- --victim: the host address to start the vertical scan at, should be within the specified local subnet (default is start of subnet for inbound, end of subnet+1 for outbound)
- --magnitude: [0 - 2147483648], the scan rate in ports per second of the attacker (REQUIRED)
- --end-magnitude: [1 - 2147483648], the highest scan rate to reach before halting (REQUIRES --step)
- --step: the amount to increase the scan rate in hosts per second each iteration (REQUIRED FOR --end-magnitude)
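
When the magnitude is stepped, a detector under test should start alerting once the injected rate crosses its threshold. The following is an added example, not part of dp_synthetic.rb or its library: a minimal vertical scan detector that counts distinct destination ports per source and destination host in one-second bins, using only the one-packet, zero-reply flows described in the attack model. The Flow record layout, the function names, the addresses and the threshold are all assumptions made for illustration.

```ruby
# Added example: flag vertical scans in one-second bins of flow records.
# The Flow fields and the threshold are assumptions, not the tool's schema.
Flow = Struct.new(:ts, :src, :dst, :sport, :dport, :pkts_out, :pkts_in)

# Returns one alert per (second, src, dst) whose count of distinct
# destination ports reaches min_ports. Only probe-like flows (one packet
# sent, none returned, as in the attack model) are counted.
def detect_vertical_scans(flows, min_ports: 20)
  ports = Hash.new { |h, k| h[k] = {} }
  flows.each do |f|
    next unless f.pkts_out == 1 && f.pkts_in.zero?
    ports[[f.ts.floor, f.src, f.dst]][f.dport] = true
  end
  ports.select { |_, seen| seen.size >= min_ports }
       .map { |(sec, src, dst), seen| { second: sec, src: src, dst: dst, rate: seen.size } }
       .sort_by { |a| [a[:second], a[:src], a[:dst]] }
end

# Constructed sample data (documentation addresses, not real traffic):
# - one source probing ports 1..100 on a single host within one second
# - one source probing port 22 on 30 different hosts (not vertical)
# - one ordinary two-way flow that must be ignored
def sample_flows
  rng = Random.new(1) # fixed seed so the random source ports are repeatable
  scan = (1..100).map do |p|
    Flow.new(p / 101.0, "198.51.100.7", "10.0.0.5", rng.rand(1024..65535), p, 1, 0)
  end
  sweep = (1..30).map do |h|
    Flow.new(h / 31.0, "203.0.113.9", "10.0.0.#{h}", rng.rand(1024..65535), 22, 1, 0)
  end
  normal = [Flow.new(0.2, "10.0.0.9", "10.0.0.5", 51000, 443, 12, 10)]
  scan + sweep + normal
end

if __FILE__ == $PROGRAM_NAME
  detect_vertical_scans(sample_flows).each do |a|
    puts "t=#{a[:second]}s #{a[:src]} -> #{a[:dst]}: #{a[:rate]} ports/s"
  end
end
```

The reported rate is the number of distinct ports seen in the bin, so it can be compared directly with the magnitude that was injected for that interval.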
