BoNeSi - The DDoS Botnet Simulator


BoNeSi, the DDoS Botnet Simulator, is a tool to simulate botnet traffic in a testbed environment on the wire. It is designed to study the effect of DDoS attacks.

What traffic can be generated?

BoNeSi generates ICMP, UDP and TCP (HTTP) flooding attacks from a defined botnet size (different IP addresses). BoNeSi is highly configurable: rates, data volume, source IP addresses, URLs and other parameters can be configured.



What makes it different from other tools?
There are plenty of other tools out there to spoof IP addresses with UDP and ICMP, but for TCP spoofing, there is no solution. BoNeSi is the first tool to simulate HTTP-GET floods from large-scale bot networks. BoNeSi also tries to avoid generating packets with easily identifiable patterns (which can be filtered out easily).

Where can I run BoNeSi?
We highly recommend running BoNeSi in a closed testbed environment. However, UDP and ICMP attacks could be run in the internet as well, but you should be careful. HTTP-Flooding attacks cannot be simulated in the internet, because answers from the webserver must be routed back to the host running BoNeSi.

How does TCP Spoofing work?

BoNeSi sniffs for TCP packets on the network interface and responds to all packets in order to establish TCP connections. For this feature, it is necessary that all traffic from the target webserver is routed back to the host running BoNeSi.



How good is the performance of BoNeSi?
We focused very much on performance in order to simulate big botnets. On an AMD Opteron with 2 GHz we were able to generate up to 150,000 packets per second. On a more recent AMD Phenom II X6 1100T with 3.3 GHz you can generate 300,000 pps (running on 2 cores).

Are BoNeSi attacks successful?
Yes, they are very successful. UDP/ICMP attacks can easily fill the bandwidth and HTTP-Flooding attacks knock out webservers fast. We also tested BoNeSi against state-of-the-art commercial DDoS mitigation systems and were able to either crash them or hide the attack from being detected.

A demo video of BoNeSi in action can be found here.

Detailed Information
BoNeSi is a network traffic generator for different protocol types. The attributes of the created packets and connections can be controlled by several parameters like send rate or payload size, or they are determined by chance. It spoofs the source IP addresses even when generating TCP traffic. Therefore it includes a simple TCP stack to handle TCP connections in promiscuous mode. For correct operation, one has to ensure that the response packets are routed to the host on which BoNeSi is running. Therefore BoNeSi cannot be used in arbitrary network infrastructures. The most advanced kind of traffic that can be generated is HTTP requests.

TCP/HTTP
In order to make the HTTP requests more realistic, several things are determined by chance:
  • source port
  • ttl: 3..255
  • tcp options: out of seven different real-life options with different lengths and probabilities
  • user agent for http header: out of a list given by file (an example file is included, see below)

Copyright 2006-2007 Deutsches Forschungszentrum fuer Kuenstliche Intelligenz. This is free software. Licensed under the Apache License, Version 2.0. There is NO WARRANTY, to the extent permitted by law.

Installation
  $ ./configure
  $ make
  $ make install

Usage
  $ bonesi [OPTION...]

  Options:
    -i, --ips=FILENAME               filename with ip list
    -p, --protocol=PROTO             udp (default), icmp or tcp
    -r, --send_rate=NUM              packets per second, 0 = infinite (default)
    -s, --payload_size=SIZE          size of the payload, (default: 32)
    -o, --stats_file=FILENAME        filename for the statistics, (default: 'stats')
    -c, --max_packets=NUM            maximum number of packets (requests at tcp/http), 0 = infinite (default)
        --integer                    IPs are integers in host byte order instead of in dotted notation
    -t, --max_bots=NUM               determine max_bots in the 24bit prefix randomly (1-256)
    -u, --url=URL                    the url (default: '/') (only for tcp/http)
    -l, --url_list=FILENAME          filename with url list (only for tcp/http)
    -b, --useragent_list=FILENAME    filename with useragent list (only for tcp/http)
    -d, --device=DEVICE              network listening device (only for tcp/http, e.g. eth1)
    -m, --mtu=NUM                    set MTU, (default 1500). Currently only when using TCP.
    -f, --frag=NUM                   set fragmentation mode (0=IP, 1=TCP, default: 0). Currently only when using TCP.
    -v, --verbose                    print additional debug messages
    -h, --help                       print help message and exit

Additionally Included Example Files
50k-bots
  • 50,000 ip addresses generated randomly to use with --ips option
browserlist.txt
  • several browser identifications to use with --useragent_list option
urllist.txt
  • several urls to use with --url_list option
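
A pre-flight check for the closed-testbed recommendation above, added here as an example and not part of BoNeSi: it parses an --ips style list (dotted, or integer as with --integer), reports addresses outside the ranges a lab allows, and lists the /24 prefixes the list touches. LAB_RANGES, the function names, the sample list and the reading of an integer entry as the address's plain numeric value are assumptions.

```python
import ipaddress

# Assumed lab policy: private, documentation and benchmarking ranges
# (RFC 1918, RFC 5737, RFC 2544). Adjust to the testbed's address plan.
LAB_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15",
)]


def parse_ip_line(line, integer_mode=False):
    """Parse one line of an IP list; return None for blank lines."""
    text = line.strip()
    if not text:
        return None
    if integer_mode:
        # Assumption: the integer is the plain numeric value of the address.
        return ipaddress.IPv4Address(int(text))
    return ipaddress.IPv4Address(text)


def audit_ip_list(lines, integer_mode=False):
    """Return (outside, invalid, prefixes) for the given list lines.

    outside  -- addresses not covered by LAB_RANGES
    invalid  -- (line_number, text) pairs that failed to parse
    prefixes -- sorted /24 networks the list touches
    """
    outside, invalid, prefixes = [], [], set()
    for lineno, line in enumerate(lines, start=1):
        try:
            addr = parse_ip_line(line, integer_mode)
        except ValueError:  # AddressValueError is a ValueError subclass
            invalid.append((lineno, line.strip()))
            continue
        if addr is None:
            continue
        prefixes.add(ipaddress.ip_network(f"{addr}/24", strict=False))
        if not any(addr in net for net in LAB_RANGES):
            outside.append(addr)
    return outside, invalid, sorted(prefixes)


# Constructed sample input, not taken from the 50k-bots file.
SAMPLE = ["10.1.2.3", "198.18.0.7", "8.8.8.8", "", "300.1.1.1", "10.1.2.9"]

if __name__ == "__main__":
    outside, invalid, prefixes = audit_ip_list(SAMPLE)
    print("outside lab ranges:", [str(a) for a in outside])
    print("unparseable lines:", invalid)
    print("/24 prefixes in list:", [str(p) for p in prefixes])
```

A list of randomly generated addresses will mostly fall outside these ranges, which is why replies to them only come back to the generating host inside a closed testbed.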