Synthetic Worm Activity

Worm activity is very similar to horizontal scanning activity, except that it takes place across multiple attackers (infected hosts) rather than a single attacker scanning a set of hosts. Another difference between the two attacks is that each infected host in worm activity can scan at a much lower rate and still keep spreading, since many attackers are now scanning the Internet at once. Whereas the scan rate was the magnitude varied for horizontal scans, for synthetic worm activity the scan rate is fixed and the control of the experiment is the number of infected hosts participating at that fixed scan rate.

Attack Model

The attack model for synthetic worm activity uses the number of infected hosts as the control, with the rate at which they scan specified by the user. Each infected host scans either a random host on the Internet (outbound) or a random host within the user-specified local subnet (inbound). Each flow is a single packet generated by the infected host and zero packets generated by the scan victim. Source ports are random and the destination port is a single user-specified port.

Generating the Attack

The synthetic worm attacks can be generated at a single magnitude (infected_hosts) by directly calling one of the following two methods. The interval in which to insert the attack, the scan_port to scan, the scan_rate for each infected host, and the start and end addresses of the local intranet subnet must all be specified:

  • insert_ib_worm(interval, infected_hosts, subnet_start, subnet_end, scan_rate, scan_port)
    • Description: insert worm activity on scan_port in interval sourced from infected_hosts random Internet addresses to random intranet addresses between subnet_start and subnet_end where each infected scanning host scans at a rate of scan_rate in hosts per second
    • Return type: none
  • insert_ob_worm(interval, infected_hosts, subnet_start, subnet_end, scan_rate, scan_port)
    • Description: insert worm activity on scan_port in interval sourced from infected_hosts random intranet addresses between subnet_start and subnet_end to random Internet addresses where each infected scanning host scans at a rate of scan_rate in hosts per second
    • Return type: none

An alternative method is to use the dp_synthetic.rb tool, which generates the synthetic worm attacks and monitors the network as the magnitude is varied in any way you define. To read more about how to monitor the network as the magnitude is increased, read the guide on generating synthetic attacks for information about the user-defined user_iteration() method. This method can do more than monitor the network: it can also introduce multi-dimensional attacks or other flow processing.

dp_synthetic.rb command line parameters:

  • --attack-type: [ib_hscan,ob_hscan], the scan type
  • --magnitude: [0 - 2147483648], the number of infected hosts scanning randomly
  • --end-magnitude: [1 - 2147483648], the maximum number of infected hosts to introduce before halting, REQUIRES --step
  • --step: the number of new infected hosts to introduce each iteration, REQUIRED FOR --end-magnitude
  • --scan_port: the port the infected hosts will scan
  • --rate: the rate at which each worm will scan in hosts per second

Example Attacks

Example inbound worm activity generated using the direct methods with a fixed magnitude of 2 infected hosts, scanning at a rate of 1 host per second on port 80, with a local subnet specified as addresses 0 through 100:

irb> insert_ib_worm('2005-02-01 00:00:00', 2, 0, 100, 1, 80)
irb> exit
$ psql dp
dp=> select interval,src_ip,dst_ip,src_port,dst_port,src_packets,dst_packets from attack_flows;

      interval       |   src_ip   | dst_ip | src_port | dst_port | src_packets | dst_packets 
---------------------+------------+--------+----------+----------+-------------+-------------
 2005-02-01 00:00:00 | 1043065618 |     41 |    33649 |       80 |           1 |           0
 2005-02-01 00:00:00 | 1043065618 |     92 |    23134 |       80 |           1 |           0
 2005-02-01 00:00:00 | 1043065618 |     57 |     9418 |       80 |           1 |           0
....
(600 rows)
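The attack model above and the session just shown, as an added stand-alone Ruby example (not the dp tool's own code): it builds the flows insert_ib_worm and insert_ob_worm would insert, then summarises them the way a detector would see them (many distinct sources, a low per-source rate, and single-packet flows that draw no reply). It assumes the interval is given as a length in seconds (300 seconds reproduces the 600 rows above for 2 hosts at 1 host per second), flows are plain structs mirroring the attack_flows columns, and addresses are 32-bit integers; a seeded Random makes runs repeatable.

```ruby
require 'set'

# One generated flow, mirroring the attack_flows columns shown above.
Flow = Struct.new(:interval, :src_ip, :dst_ip, :src_port, :dst_port,
                  :src_packets, :dst_packets)

# Draw `count` distinct addresses from `pool` (a Range of integers).
def distinct_addresses(count, pool, rng)
  raise ArgumentError, 'more hosts than addresses' if count > pool.size
  picked = Set.new
  picked << rng.rand(pool) until picked.size == count
  picked.to_a
end

# Core of the model: every infected host emits scan_rate one-packet flows per
# second of the interval, each to a random victim on scan_port, with a random
# source port and no reply (dst_packets = 0).
def worm_flows(interval, seconds, attackers, victims, scan_rate, scan_port, rng)
  attackers.flat_map do |src|
    Array.new(seconds * scan_rate) do
      Flow.new(interval, src, rng.rand(victims), rng.rand(1..65535),
               scan_port, 1, 0)
    end
  end
end

# Inbound: random Internet sources scanning the local subnet (assumed model of insert_ib_worm).
def insert_ib_worm_model(interval, seconds, infected_hosts, subnet_start,
                         subnet_end, scan_rate, scan_port, rng = Random.new(1))
  attackers = distinct_addresses(infected_hosts, 0...2**32, rng)
  worm_flows(interval, seconds, attackers, subnet_start..subnet_end,
             scan_rate, scan_port, rng)
end

# Outbound: infected local hosts scanning random Internet addresses (assumed model of insert_ob_worm).
def insert_ob_worm_model(interval, seconds, infected_hosts, subnet_start,
                         subnet_end, scan_rate, scan_port, rng = Random.new(1))
  attackers = distinct_addresses(infected_hosts, subnet_start..subnet_end, rng)
  worm_flows(interval, seconds, attackers, 0...2**32, scan_rate, scan_port, rng)
end

# Defender's view of the same flows: per destination port, how many distinct
# sources, how fast each source scans, and how many flows drew no reply.
def worm_summary(flows, seconds)
  flows.group_by(&:dst_port).transform_values do |fs|
    sources = fs.map(&:src_ip).uniq.size
    { sources: sources,
      per_source_rate: fs.size.to_f / sources / seconds,
      unanswered: fs.count { |f| f.dst_packets.zero? } }
  end
end
```

Raising infected_hosts while holding scan_rate fixed, as dp_synthetic.rb does with --step, increases only the sources count in the summary, which is why per-source rate thresholds alone miss this activity.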