Replay of Malicious Traffic in Network Testbeds

Alefiya Hussain, Yuri Pradkin, and John Heidemann

[pdf]

Abstract

In this paper we present tools and methods to integrate attack measurements from the Internet with controlled experimentation on a network testbed. We show that this approach provides greater fidelity than synthetic models. We compare the statistical properties of real-world attacks with synthetically generated constant bit rate attacks on the testbed. Our results indicate that trace replay provides fine time-scale details that may be absent in constant bit rate attacks. Additionally, we demonstrate the effectiveness of our approach to study new and emerging attacks. We replay an Internet attack captured by the LANDER system on the DETERLab testbed within two hours.

Reference

Alefiya Hussain, Yuri Pradkin, and John Heidemann. Replay of Malicious Traffic in Network Testbeds. In Proceedings of the 13th IEEE Conference on Technologies for Homeland Security (HST), p. (to appear). Waltham, Massachusetts, USA, IEEE. November 14-16, 2013.

@inproceedings{Hussain13a,
     author = "Alefiya Hussain and Yuri Pradkin and John Heidemann",
     title = "Replay of Malicious Traffic in Network Testbeds",
     booktitle = "Proceedings of the 13th IEEE Conference on Technologies for
                  Homeland Security (HST)",
     year = "2013",
     pages = "(to appear)",
     month = "November",
     address = "Waltham, Massachusetts, USA",
     publisher = "{IEEE}",
     url = "http://www.isi.edu/~hussain/publications/Hussain13a.pdf",
}

Tools and Data

This paper demonstrates the difference in fidelity between experiments that use attack traces from the Internet as compared to synthetic attacks.

The experiments were conducted using the MAGI orchestration framework on DETER. Listed below are the scripts used to generate the attacks discussed in Section 3 (Attack Traffic). To rerun an experiment, swap in its topology (the .tcl file) on DETER and orchestrate the procedure (the .aal file) using the MAGI orchestrator. We have also included the tcpdump files captured at the monitoring point (the node named moat) for each experiment.

Creating the Synthetic Attack: We developed a synthetic flooding attack agent that sends packets at a fixed rate to the specified victim IP address. The flooding attack tool and the MAGI agent are available on the DETER testbed at users.isi.deterlab.net:/share/magi/modules.

Single Attacker
Topology: singleattacker.tcl
Procedure: singleattacker.aal
Data: singleattacker.pcap.gz

Multiple Attackers
Topology: tenattackers.tcl
Procedure: tenattackers.aal
Data: tenattackers.pcap.gz

Creating the Replay Attack: We developed an attackreplay agent to replay the DoS attack contained in the Internet traffic trace. The traffic traces can be requested at the LANDER website (http://www.isi.edu/ant/lander). The trace is first processed to isolate the attack traffic. Once the experiment resources are allocated on DETER, we run the script getmacs.sh on the node named mine to rewrite the IP and MAC addresses in the attack trace file so that the replayed packets are addressed to the testbed victim. The script also displays the name of the network interface that is connected to the victim node; this interface name is used to configure the attackreplay agent in the procedure file. The experiment can then be orchestrated using the MAGI tools and the attackreplay agent.
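The address rewriting step described above, as an added example that is not the authors' getmacs.sh or attackreplay agent: a pure-Python rewriter that retargets every frame in a classic libpcap file addressed to the captured Internet victim at the testbed victim's IP and MAC address, and recomputes the IPv4 header checksum and the TCP/UDP checksum, both of which depend on the destination IP. The addresses, the victim node's MAC and the embedded two-packet capture are constructed for illustration; on DETER the real values come from the allocated nodes.

```python
"""Retarget a captured attack trace at a testbed victim (added example, see lead-in).

Rewrites the destination MAC and IP of every Ethernet/IPv4 frame addressed to the
Internet victim and recomputes the IPv4 and TCP/UDP checksums those fields feed into.
Classic libpcap only (pcapng and nanosecond captures are rejected); all addresses
and the embedded capture are constructed for illustration.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17
LINKTYPE_ETHERNET = 1

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum (odd-length input is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))

def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))

def transport_checksum(ip_hdr: bytes, seg: bytes, field: int) -> int:
    """TCP/UDP checksum of seg (its checksum field zeroed); the pseudo-header ties it to the IPs."""
    zeroed = seg[:field] + b"\x00\x00" + seg[field + 2:]
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, ip_hdr[9], len(seg))
    csum = ones_complement_sum(pseudo + zeroed)
    return 0xFFFF if (ip_hdr[9] == PROTO_UDP and csum == 0) else csum  # UDP: 0 means "no checksum"

def rewrite_frame(frame: bytes, old_ip: str, new_ip: str, new_mac: str) -> bytes:
    """Retarget one frame at new_ip/new_mac if it is IPv4 addressed to old_ip; else return it unchanged."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    if ihl < 20 or len(frame) < 14 + ihl or frame[30:34] != ip_bytes(old_ip):
        return frame
    eth = bytearray(frame[:14])
    eth[0:6] = mac_bytes(new_mac)                     # destination MAC
    ip_hdr = bytearray(frame[14:14 + ihl])
    ip_hdr[16:20] = ip_bytes(new_ip)                  # destination IP
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    seg = bytearray(frame[14 + ihl:14 + total_len])   # transport segment, without Ethernet padding
    trailer = frame[14 + total_len:]
    field = {PROTO_TCP: 16, PROTO_UDP: 6}.get(ip_hdr[9])
    # A segment cut short by snaplen cannot be re-checksummed; a UDP checksum of 0 means "none", keep it.
    complete = len(seg) == total_len - ihl and len(seg) >= (field or 0) + 2
    if field is not None and complete and not (ip_hdr[9] == PROTO_UDP and seg[6:8] == b"\x00\x00"):
        seg[field:field + 2] = struct.pack("!H", transport_checksum(bytes(ip_hdr), bytes(seg), field))
    return bytes(eth + ip_hdr + seg) + trailer

def pcap_endian(data: bytes) -> str:
    """Struct byte-order prefix from the libpcap magic number (classic microsecond format only)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond libpcap file: magic 0x%08x" % magic)
    return "<" if magic == 0xA1B2C3D4 else ">"

def iter_pcap(data: bytes):
    """Yield (ts_sec, ts_usec, orig_len, frame) for each record of an Ethernet libpcap file."""
    endian = pcap_endian(data)
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected Ethernet link type 1, got %d" % linktype)
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        yield ts_sec, ts_usec, orig_len, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def rewrite_pcap(data: bytes, old_ip: str, new_ip: str, new_mac: str) -> bytes:
    """Rewrite every record; timestamps are preserved so replay keeps the trace's timing."""
    endian = pcap_endian(data)
    out = bytearray(data[:24])
    for ts_sec, ts_usec, orig_len, frame in iter_pcap(data):
        new = rewrite_frame(frame, old_ip, new_ip, new_mac)
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, len(new), orig_len) + new
    return bytes(out)

def build_udp_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with valid checksums (sample input only)."""
    udp = bytearray(struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)
    ip_hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64,
                                   PROTO_UDP, 0, ip_bytes(src_ip), ip_bytes(dst_ip)))
    ip_hdr[10:12] = struct.pack("!H", ones_complement_sum(bytes(ip_hdr)))
    udp[6:8] = struct.pack("!H", transport_checksum(bytes(ip_hdr), bytes(udp), 6))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + bytes(ip_hdr + udp)

def sample_pcap() -> bytes:
    """Constructed two-record capture: one flood packet at the Internet victim, one unrelated packet."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    frames = [build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "198.51.100.7", "192.0.2.10", 40000, 53, b"flood"),
              build_udp_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", "198.51.100.7", "192.0.2.99", 40001, 53, b"other")]
    records = b"".join(struct.pack("<IIII", 1380000000, 1000 * i, len(f), len(f)) + f for i, f in enumerate(frames))
    return header + records

if __name__ == "__main__":
    for _, _, _, frame in iter_pcap(rewrite_pcap(sample_pcap(), "192.0.2.10", "10.1.1.2", "02:00:00:00:00:02")):
        print("dst mac", frame[0:6].hex(":"), "dst ip", ".".join(str(b) for b in frame[30:34]))
```

The checksums matter: a rewriter that only patches the address bytes produces packets the victim's IP stack drops as corrupt, which still loads the link but no longer exercises the victim's protocol processing the way the captured attack did. Timestamps are copied unchanged, since preserving the trace's packet timing is the point of replay over a constant bit rate generator; a truncated (snaplen-limited) capture is retargeted but its transport checksums are left alone because they cannot be recomputed from a partial segment.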

Replay Attack
Topology: replayattack.tcl
Procedure: replayattack.aal
Data: replayattack.pcap.gz