Finally some progress in the concealment attack. The cip parser does not work as intended, but for now we can use the approach of checking packet length to get tag value and sesison ID.

afmurillo · afmurillo · commit dedd6c045a4e · 2022-05-27T15:03:09.000+08:00
diff --git a/dhalsim/network_attacks/mitm_attack.py b/dhalsim/network_attacks/mitm_attack.py
@@ -33,14 +33,6 @@ def __init__(self, intermediate_yaml_path: Path, yaml_index: int):
         # Process object to handle nfqueue
         self.nfqueue_process = None
 
-    def clear_ip_tables(self):
-
-        os.system(f'iptables -t mangle -D INPUT -p tcp -j NFQUEUE --queue-num 1')
-        os.system(f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
-
-        os.system('iptables -D FORWARD -p icmp -j DROP')
-        os.system('iptables -D INPUT -p icmp -j DROP')
-        os.system('iptables -D OUTPUT -p icmp -j DROP')
 
     def setup(self):
         """
@@ -55,26 +47,7 @@ def setup(self):
 
         Finally, it launches the thread that will examine all captured packets.
         """
-
-        """"
-        if self.direction == 'source':
-            os.system(f'iptables -t mangle -A PREROUTING -p tcp --sport 44818 -s {self.target_plc_ip} -j NFQUEUE '
-                      f'--queue-num 1')
-        elif self.direction == 'destination':
-            os.system(f'iptables -t mangle -A PREROUTING -p tcp --sport 44818 -d {self.target_plc_ip} -j NFQUEUE '
-                      f'--queue-num 1 ')
-        else:
-            self.logger.error('Wrong direction configured, direction must be source or destination')
-            raise DirectionError('Wrong direction configured')
-        """
-
-        self.clear_ip_tables()
-
-        os.system(f'iptables -t mangle -A PREROUTING -p tcp -j NFQUEUE --queue-num 1')
-
-        os.system('iptables -A FORWARD -p icmp -j DROP')
-        os.system('iptables -A INPUT -p icmp -j DROP')
-        os.system('iptables -A OUTPUT -p icmp -j DROP')
+        self.modify_ip_tables(True)
 
         # Launch the ARP poison by sending the required ARP network packets
         launch_arp_poison(self.target_plc_ip, self.intermediate_attack['gateway_ip'])
@@ -116,7 +89,7 @@ def teardown(self):
         self.logger.debug(f"MITM Attack ARP Restore between {self.target_plc_ip} and "
                           f"{self.intermediate_attack['gateway_ip']}")
 
-        self.clear_ip_tables()
+        self.modify_ip_tables(False)
         self.logger.debug(f"Restored ARP")
 
         self.logger.debug("Stopping nfqueue subprocess...")
@@ -132,6 +105,24 @@ def attack_step(self):
         pass
 
 
+    @staticmethod
+    def modify_ip_tables(append=True):
+
+        if append:
+            os.system(f'iptables -t mangle -A PREROUTING -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -A FORWARD -p icmp -j DROP')
+            os.system('iptables -A INPUT -p icmp -j DROP')
+            os.system('iptables -A OUTPUT -p icmp -j DROP')
+        else:
+
+            os.system(f'iptables -t mangle -D INPUT -p tcp -j NFQUEUE --queue-num 1')
+            os.system(f'iptables -t mangle -D FORWARD -p tcp -j NFQUEUE --queue-num 1')
+
+            os.system('iptables -D FORWARD -p icmp -j DROP')
+            os.system('iptables -D INPUT -p icmp -j DROP')
+            os.system('iptables -D OUTPUT -p icmp -j DROP')
+
 def is_valid_file(parser_instance, arg):
     """Verifies whether the intermediate yaml path is valid."""
     if not os.path.exists(arg):
diff --git a/dhalsim/network_attacks/naive_netfilter_queue.py b/dhalsim/network_attacks/naive_netfilter_queue.py
@@ -27,7 +27,6 @@ def capture(self, pkt):
         self.logger.debug('capture method')
         try:
             p = IP(pkt.get_payload())
-            #self.logger.debug('packet')
             if len(p) == 102:
                 self.logger.debug('modifying')
                 if 'value' in self.intermediate_attack.keys():
diff --git a/dhalsim/parser/config_parser.py b/dhalsim/parser/config_parser.py
@@ -181,12 +181,6 @@ class SchemaParser:
                     str,
                     string_pattern
                 ),
-                Optional('direction', default='source'): And(
-                    str,
-                    Use(str.lower),
-                    Or('source', 'destination'), error="'direction' should be one of the following:"
-                                                       " 'source' or 'destination'."
-                ),
                 'tag': And(
                     str,
                     string_pattern,
diff --git a/dhalsim/python2/generic_plc.py b/dhalsim/python2/generic_plc.py
@@ -280,7 +280,7 @@ def get_tag_for_cache(self, tag, plc_ip, cache_update_time):
             try:
                 received = Decimal(self.receive((tag, 1), plc_ip))
                 self.cache[tag] = received
-                self.logger.debug('Received value {value}, from IP {ip}'.format(value=received, ip=plc_ip))
+                #self.logger.debug('Received value {value}, from IP {ip}'.format(value=received, ip=plc_ip))
                 return True
             except Exception as e:
                 self.logger.info(
diff --git a/dhalsim/python2/generic_scada.py b/dhalsim/python2/generic_scada.py
@@ -297,10 +297,10 @@ def update_cache(self, lock, cache_update_time):
                             ip=plc_ip, e=str(e)))
                     time.sleep(cache_update_time)
                     continue
-                self.logger.debug(
-                    "SCADA cache updated for {tags}, with value {values}, from {ip}".format(tags=self.plc_data[plc_ip],
-                                                                                             values=values,
-                                                                                             ip=plc_ip))
+                #self.logger.debug(
+                #    "SCADA cache updated for {tags}, with value {values}, from {ip}".format(tags=self.plc_data[plc_ip],
+                #                                                                             values=values,
+                #                                                                             ip=plc_ip))
 
             time.sleep(cache_update_time)
 
diff --git a/examples/ctown_topology/ctown_config.yaml b/examples/ctown_topology/ctown_config.yaml
@@ -1,5 +1,5 @@
 inp_file: ctown_map.inp
-iterations: 25
+iterations: 2880
 network_topology_type: complex
 plcs: !include ctown_plcs.yaml
 
diff --git a/examples/ctown_topology/ctown_mitm.yaml b/examples/ctown_topology/ctown_mitm.yaml
@@ -6,6 +6,6 @@ network_attacks:
   tag: T3
   direction: destination
   trigger:
-    start: 5
-    end: 20
+    start: 648
+    end: 936
     type: time
