tbd: to block connection to malicious host by using “ qb ......tbd: to block connection to...
TRANSCRIPT
![Page 1: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/1.jpg)
TBD: To Block connection to malicious host by using “DQB” and "Shutdowner"
Kunio Miyamoto, Ph.D.
NTTDATA-CERT, NTT DATA Corporation
![Page 2: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/2.jpg)
Index
• Preliminary
• Decepting and Security live next door to each other
• Simple Specification/Architecture
• Simple Operation
• Jackpot!
• Conclusion
![Page 3: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/3.jpg)
Preliminary: Our infrastructure Overview
• We use large amount of computers(above 20k~30k, Windows run most of computers)• Many of them:Windows Embedded(without MS17-010 patches)
• We have deployed and been operating Security Solutions as below:• Firewall(by security vendor)• Quarantine(Patch Management and Internet Access Control) (by security vendor)• USB port control (by security vendor)• URL filter (by security vendor)• End Point Security Software like virus scanner (by security vendor)• SIEM(by ourselves)
• Too many blackbox
![Page 4: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/4.jpg)
Preliminary: Responding to malicious URL
• Find suspicious URL by our SIEM or others• Consider whether URL is malicious or not(<1h)• Send URL Filter operators the request adding malicious URL(s) to URL filter• (wait for a few hours)(>2~3h)
sometimes waits a few days(<1w)• Done
• If malicious URLs are found oftenly, URL Filter operators receive requests oftenly• Too heavy to process requests
![Page 5: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/5.jpg)
Preliminary: Before DQB and Shutdowner
URL Filter(Proxy)/FireWall/DNS etc
Our SIEM
Infected host
Detect
Log
WebWeb Web
Malicious Host
Attacker
Our SIEMEngine
Malicious host detection by various of logs
Detect
IR/Forensics
Manual operation
Works currently
Malicious URL
Problem1: URL Filter operation process( adding malicious URL) needs more time(a few hours ~ a week)
Problem 2: Operation of the isolating infected host is the task of host administrator
NTTDATA-CERT
IT manager
![Page 6: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/6.jpg)
Decepting and Security live next door to each other
We Decept a Certain kind of Responses for Keep Security
![Page 7: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/7.jpg)
Deception and Security
• Deception can make attackers to spend their time/costs for attacks more
• DQB and Shutdowner are system to decept• DQB(DNS Query Blocker): DNS response deception, don’t block DNS Query
• Shutdowner: TCP response deception
• Deploying these systems to:• DQB: same segment that the cache DNS in NTT DATA is placed to decept efficiently
• Shutdowner: same segment of the Proxy Load Balancer to stop C&C communication
![Page 8: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/8.jpg)
Simple Specification/ArchitectureComplex Specification/Architecture makes work slower
![Page 9: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/9.jpg)
Basic Idea is a very simple
• If ②’ is received by Victim faster than ②, ② from Attacker is ignored
①Request
②Responserelated to Request①
①Request
②Responserelated to Request①
Detect Request to Attacker②’Decepted Response
Similar to ②
Victim VictimAttacker
Attacker
![Page 10: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/10.jpg)
To Decept DNS Response: Easy and Simple(1/2)
The ID field identifies the query and is echoed in the response so they can be matched.
Reference: RFC6895 Domain Name System (DNS) IANA Considerations
![Page 11: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/11.jpg)
To Decept DNS Response: Easy and Simple(2/2)
References:RFC768 User Datagram ProtocolRFC791 INTERNET PROTOCOL
![Page 12: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/12.jpg)
To Decept TCP Response: Easy and Simple
Reference: RFC793 TRANSMISSION CONTROL PROTOCOL
![Page 13: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/13.jpg)
DQB architecture①Client requests IP address of evil.example.com
to DNS
②DNS responses IP address of evil.example.com to client(192.168.0.1)
DNS
①
②
Block host list(malicious FQDNlist)
②’
evil.example.com192.168.0.1
evil.example.comIN A 192.168.0.1
evil.example.comIN A 172.16.0.1
172.16.0.1
③’
While monitoring request①,If FQDN in request① exists in malicious FQDN list, response ②’ is sent to client(172.16.0.1 is included in response②’)
client
Client receives response ②’, and client accesses to 172.16.0.1(③’)
…of course, response② is ignored
Landing Host(Safe Host)
Malicious Host
This is interesting
DQB
Sorry page
![Page 14: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/14.jpg)
Shutdowner Architecture①Client sends SYN packet to Proxy load balancer
②Proxy load balancer sends SYN+ACK packet to client
ProxyLoad Balancer
①
②RealSYN+ACK
Block IP addresseslist
②’Decepted SYN+ACK③’
ACK
While SYN packet monitoring,If SYN packet source IP address is included in Block IP addresses list, Decepted SYN+ACK packet②’ is sent.Of course, sequence number in ②’ is not related to sequence number in ②(Real SYN+ACK).
client
Client receives ②’ packet and related ACK packet③’.Proxy Load Balancer don’t know the sequence number in ③’, and sends RST packet④’.When client receives ② after ②’, client sends RST packet to Proxy Load Balancer because of receiving SYN+ACK②’.
This is interesting
Shutdowner
SYN④’RST
③RST
![Page 15: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/15.jpg)
Performance?
• 0.055~0.117(msec):DQB processing time from receiving packet to sending decepted response packet• Real DNS server software processes slower than DQB
• 0.019~0.023(msec): Shutdowner processing time from receiving SYN packet to sending decepted SYN+ACK packet• Real TCP/IP stack processes slower than Shutdowner
![Page 16: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/16.jpg)
Performance in real environment
Request packet
After 0.5msec, Response packet(Decepted packet by DQB)
After 7.2msec, Response packet(True packet by BIND)
Win!
![Page 17: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/17.jpg)
DQB and Shutdowner hardware spec?
• DQB works on:• PowerEdge R230(<$2k)
• Xeon(R) CPU E3-1271 v3 @ 3.60GHz * 1
• 16GB of memory
• Intel I350 GbE NIC(4 ports)
• Shutdowner works on:• PowerEdge R230(<$2k)
• Xeon(R) CPU E3-1271 v3 @ 3.60GHz * 1
• 16GB of memory
• Intel I350 GbE NIC(4 ports)
![Page 18: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/18.jpg)
Simple OperationComplex Systems Operations make works slower
![Page 19: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/19.jpg)
Web application for DQB/Shutdowner Operation
• We developed a Web application for managing DQB and Shutdowner• Add / View / Delete malicious FQDN or IP address simply
• Malicious FQDN/IP address can be added by Web API in Web Application.
①input ②click ④click
③check
⑤click
![Page 20: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/20.jpg)
Released in 2015
• Almost no trouble for 4 years
![Page 21: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/21.jpg)
After DQB and Shutdowner
URL Filter(Proxy)/FireWall/DNS etc
Our SIEM
Infected host
Detect
Log
WebWeb Web
Malicious Host
Attacker
Our SIEMEngine
Malicious host detection by various of logs
Detect
IR/Forensics
Works currently
Malicious FQDN/IP address of Infected host
NTTDATA-CERTNTTDATA-CERT
DQB andShutdowner
![Page 22: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/22.jpg)
After DQB and Shutdowner: Responding to malicious URL got faster• Find suspicious URL by our SIEM or others
• Consider whether URL is malicious or not(<1h)• Set malicious FQDN got from malicious URL to DQB(<1min)• Send request URL filter operators set of malicious FQDN once a week• After URL filter operators work, unset malicious FQDN from DQB• Done
• Even if malicious URLs are found oftenly, URL Filter operators don’t receive requests oftenly( once a week )• Set
![Page 23: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/23.jpg)
Good point and Better point
• Good point ( we thought before deployment )• Reducing access from our company to malicious hosts by using DQB
• Reducing operations by simple Web UI
• Reducing operations of URL filter operators
• Better point ( we didn’t think before deployment )• No complaint from users
• Presentation in Annual FIRST Conference
• Malware infection detection(partly)
Our contact is shown in sorry page
![Page 24: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/24.jpg)
Limitations and our environment’s case
• Limitations• DQB cannot process DNS request via TCP and DNS over TLS
• Decepted response by DQB is ignored when DNSSEC is used
• When IP address is included in malicious URL(e.g. http://10.0.0.1/... ), DQB don’t work
• In our environment• UDP is used for DNS request, and DNSSEC is disabled, then DQB works well
• Not so much URL including malicious IP address(es) found
No Problem!
![Page 25: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/25.jpg)
Jackpot!Decepting DNS response makes malware infected hosts accessing to “our” landing host
![Page 26: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/26.jpg)
Example: Responding to Malware infection
• NTT DATA infected Ransomware in 5th, Jan. 2018…• Many nodes were crushed by Ransomware infection
• We use large amount of computers• above 20k~30k, Windows run most of computers
• Many of them:Windows Embedded(without MS17-010 patches)
• Most of them goes to bluescreened
![Page 27: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/27.jpg)
In NTT DATA’s web site:
5rh, Jan, 2018 Ransomware Infection
https://www.nttdata.com/jp/ja/news/information/2018/012201/
![Page 28: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/28.jpg)
Increased access to DQB host• When Ransomware runs on infected node
• Attempts “Killswitch” FQDN resolution(by DNS)
• DQB knows “Killswitch” FQDN and send decepted DNS response
• DQB works hard, and access to host announced by DQB( we call “Landing Host”) increases
![Page 29: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/29.jpg)
Why too many accesses were made by Ransomware?
• After Infection, access to kill switch occurs
• Multiple Infections, Multiple Accesses
…
![Page 30: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/30.jpg)
DQB work when ransomware is infected
DNS
①
②②’
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.coma.b.c.d
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com evil.example.comIN A a.b.c.d www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
IN A 10.x.x.x10.x.x.x
③’
clientLanding Host(Safe Host)
DQB
Name resolution for killswitch access:DNS request to resolve IP address of www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
killswitch access
killswitch access logIs stored
![Page 31: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/31.jpg)
Amount of KillswitchAccess:
• About 500k accesses• 6 – 7 accesses to “landing host”
0
200000
400000
600000
04 January2018
05 January2018
06 January2018
07 January2018
08 January2018
09 January2018
Access to DQB landing host
Access to DQB host Weekend and holiday
![Page 32: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/32.jpg)
Responding to Ransomware infection
• Isolate network segment that includes infected hosts
• Harden terminal(s) to prevent infection
• Few terminals cannot be responded→use DQB log to exploit by using MS17-010(and place the target to bluescreened state) 10.x.x.x - - [18/Jan/2018:02:31:39 +0900] "GET / HTTP/1.1" 200 670 "-" "-" www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com• We developed the auto response tool in a few hours and got effective operation tool
(and we got rest time)• If we have PoC code for exploitation, crushing system is easier than getting shell access
![Page 33: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/33.jpg)
Conclusion
• We don’t need so expensive solution(s), but we need(and developed) our requested tool
• Solution like “DQB” and “Shutdowner” can be developed if you understand network protocol and architecture basis and you can develop some tools by using C and Python
• We may be able to develop tools not only detection, but also response by ourselves
• if you know your enemy and know yourself, in a hundred battles you will never be defeated; know your enemy ( from “The Art of War” by Sun Tzu )
![Page 35: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/35.jpg)
ReferencesThis section is not talked but useful to understand DQB and Shutdowner architecture
![Page 36: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/36.jpg)
For example: FQDN matching and frame building strategy
• Matching www.example.comwww.example.com is described “¥3www¥7example¥3com¥0” in DNS request packet→DQB use FQDN “¥3www¥7example¥3com¥0”, and don’t parse “¥3www¥7example¥3com¥0” to “www.example.com”.
• Prebuilt DNS response except IP addresses, Port numbers and IDDon’t build packet fully and dynamically
![Page 37: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/37.jpg)
Design for Performance
• Programming Language: C
• On-memory processing and intend CPU cachemain loop: smaller, no library call (of course, systemcalls are not library call)
• Logging to shared memory(and write file by logger process)
• Don’t use malloc() timely, use malloc() for entire use at first.To prevent bugs caused by memory management mistaken
• Lock free(for delay prevention caused by scheduler)use flags instead of (any kind of) lock
• Read packet header +α only
![Page 38: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/38.jpg)
Design for Performance
• Don’t use async processing for socket() to assure the time systemcall finished is the time decepted packet is sent
int asyn_flag = 0;// (snip)
fd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));(void)ioctl(fd, FIOASYNC, &asyn_flag);
• If you can, DPDK is suitable for DQB and Shutdowner
• Shutdowner: use bloom filter, use pointer array(use syntax like “if” or switch … case in IP address matching)void *func[IP address space];func[] is valiable that contains function to send decepted syn+ack packet or do nothingwhen packet is received, call func[srcIP]
• DQB: Don’t process dynamically like FQDN parse, and preprocess to build response packet framework
![Page 39: TBD: To Block connection to malicious host by using “ QB ......TBD: To Block connection to malicious host by using “DQB” and "Shutdowner" Kunio Miyamoto, Ph.D. NTTDATA-CERT,](https://reader033.vdocuments.net/reader033/viewer/2022050516/5fa0492efa50d97af77d109f/html5/thumbnails/39.jpg)
Traffic Generator by using Linux pktgen
#!/bin/sh
modprobe pktgen
echo "rem_device_all" > /proc/net/pktgen/kpktgend_0echo "add_device eth2" > /proc/net/pktgen/kpktgend_0echo "count 100000" > /proc/net/pktgen/eth2echo "clone_skb 1" > /proc/net/pktgen/eth2echo "pkt_size 60" > /proc/net/pktgen/eth2# delay specified value (nanosec order)echo "delay 20000" > /proc/net/pktgen/eth2echo "src_min 172.16.0.2" > /proc/net/pktgen/eth2echo "src_max 172.16.0.2" > /proc/net/pktgen/eth2echo "src_mac a0:36:9f:a8:8a:3c" > /proc/net/pktgen/eth2echo "dst 172.16.0.3" > /proc/net/pktgen/eth2echo "dst_mac a0:36:9f:a8:86:b8" > /proc/net/pktgen/eth2echo "start" > /proc/net/pktgen/pgctrl
cat /proc/net/pktgen/eth2