At Galois, we’ve been investigating new ways to defend against very large distributed denial of service (DDoS) attacks. Under the DHS-funded DDoS Defense program, we’re developing 3DCoP: software that creates a “community of peers” that can detect and mitigate attacks together.
We’re interested in attacks that can exceed 1 Tbps (terabits per second) of total traffic, such as the DNS-based attacks from October 2016. To develop solutions for these giant attacks, we need to study this kind of traffic and run experiments with it.
This is where we run into some problems. Traffic captures of real DDoS attacks – especially at magnitudes anywhere near 1 Tbps – are hard to come by. Even with captures of smaller DDoS attacks, we can only see the traffic as viewed from one network, such as a victim or a recipient of backscatter from the attack.
For our work, we need the whole picture of a DDoS attack: views of the traffic from all networks involved, with many thousands of end points. Unfortunately, this is very difficult to simulate with standard network simulation software like ns-3 and OMNeT++, especially when you add in realistic non-attack traffic.
To tackle this problem we created ddosflowgen: a tool that models a DDoS attack and generates synthetic traffic datasets from multiple views. You can define the number of attacking networks and adjust parameters such as the attack vectors present, the amplification factor, and the number of attack sources per network. Our tool includes non-attack traffic in the output by rewriting IP addresses from a reference noise dataset.
Unlike packet-based simulations, which are not feasible at terabit scales, ddosflowgen simulates traffic using a “flow” representation. This format (implemented with SiLK) uses summaries of IP headers to describe traffic in a compact form. Flow representation makes it possible to simulate extremely high packet and bit rates, and we’re currently experimenting with 1.2 Tbps attack scenarios.
ddosflowgen simulates a variety of threats:
- amplifiers/reflectors, such as DNS and NTP servers
- flooders within a botnet, like Mirai in attack mode
- probes from a botnet, like Mirai scanning for IoT
ddosflowgen is open source, and is available on Github. We are releasing this primarily as an aid to other researchers, and to start a discussion about how best to generate repeatable test cases for defenses against massive attacks. Please enjoy, and we’re happy to consider updates, but understand that we intend this tool largely as reference material rather than as a long-running software project.
This project is the result of funding provided by the Science and Technology Directorate of the United States Department of Homeland Security under contract number D15PC00186. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Department of Homeland Security, or the U.S. Government.