Configuring attacks on out of the box examples
- Man-In-The-Middle (MIM) Attacks: A Man-In-The-Middle (MITM) attack occurs when a malicious actor intercepts and potentially alters communication between two parties without their knowledge. This breach compromises data integrity and confidentiality, allowing the attacker to steal sensitive information, inject malicious content, or manipulate communication for fraudulent purposes.
- Denial of Service (DDoS) Attacks: A Denial of Service (DoS) attack targets a network or service to make it unavailable to users by overwhelming it with excessive traffic or exploiting vulnerabilities. This results in service disruption, downtime, and potential financial loss, as legitimate users are unable to access the targeted resource.
- DDoS configuration. This is the section that the code uses to set up the attack scenario for DDoS attacks.
    - NumberOfBots: the total number of applications, which are evenly distributed across the attackers. For example, if NumberOfBots is set to 4 and there are 2 attackers, there will be 2 applications per attacker.
    - threadsPerAttacker: controls the number of attackers in the network.
    - Active: controls whether the attackers are active in the network.
    - Start: controls when the attack starts, in seconds.
    - End: controls when the attack stops, in seconds.
    - TimeOn and TimeOff: control how long the attacker floods the network and how long it stops. These parameters can be used to conduct burst DDoS attacks.
    - PacketSize: controls the size of the packets sent by the attacker to flood the network.
    - Rate: controls the rate at which the packets are sent by the attacker during the attack.
    - usePing: currently under development. Not currently used, but will be used to run a ping attack as a DDoS attack.
    - NodeType: the starting node to which the attacker is connected and through which it floods the packets.
    - NodeID: the starting index of the attack. If the value is set to 2, then starting from node 2, the next threadsPerAttacker nodes will be under attack.
    - endPoint: the type of node that is used as the target for the attack. The attack therefore impacts the paths between the NodeType and the endPoint.
"DDoS": [
    {
        "NumberOfBots": 4,
        "threadsPerAttacker": 1,
        "Active": 0,
        "Start": 10,
        "End": 35,
        "TimeOn": 25.0,
        "TimeOff": 0.0,
        "PacketSize": 1500,
        "Rate": "40480kb/s",
        "usePing": 1,
        "NodeType": [
            "UE"
        ],
        "NodeID": [
            2
        ],
        "endPoint": "CC"
    }
],
- MIM configuration. The following section controls the number of MIM attackers on the network.
    - In the first section, NumberAttackers and listMIM control the number of attackers and list their indexes.
    - After the first section, there is one section per MIM attacker. Currently there is the same number of attacker nodes as the number of Microgrids, but not all of them need to be active for the setup to work correctly.
    - Description of the MIM configuration parameters:
        - name: the name given to each of the attacker nodes.
        - attack_val: the value that the point will be set to during the attack.
        - Start and End: control when the attack starts and ends, in seconds.
        - real_val: the value that the point is set to when the attack is off. When it is set to NA, the value of the point is not set when the attack is off. When it is set to an actual value, the point is set back to that value after the attack is over.
        - node_id: the id of the node in gridlabd that is under attack. In the example below, MIM1 is attacking the inverter that is labeled trip_shad_inv1.
        - point_id: the aspect of the node that is under attack. In the case of the MIM1 attacker in the example below, the attacker is attacking the Qref value of the trip_shad_inv1 inverter.
        - scenario_id and attack_type: the inputs that control the type of attack run by the MIM attacker.
            - Scenario 4.a: A Man-In-The-Middle (MITM) attack changes the setpoint of a node to introduce issues. The attack happens at approx. Start seconds into data collection. node_id has its point_id setpoint changed from real_val (default) to attack_val (attack value).
            - Scenario 4.b: Selected nodes are attacked consistently to cause stability issues. node_id has its point_id value randomly toggled between real_val (default) and attack_val (attack value). The attack starts at approx. 2 minutes into data capture.
            - Scenario 3: A command injection attack causes islanding of microgrids. Under-Frequency-Load-Shedding (UFLS) occurs due to lack of sufficient generation on the microgrids. It flips the switches that are passed in as node_id to the attack_val.
            - Scenario 2: Changes the point values when the poll response is sent back to the control center.
            - Scenario 1: MIM acts as an end point of the traffic and does not allow traffic to pass through to the control center.
        - PointStart and PointStop: control the start and end time for each individual point_id/node_id combination. The smallest PointStart value should be greater than or equal to the Start value, and the largest PointStop value needs to be less than or equal to the End value. The benefit of using these values is that a user can simulate staggered attacks within a single microgrid. If a user does not want to use them, they need to be set to the same values as Start and End, with as many entries as there are point_id/node_id inputs, as seen in the example below.
"MIM": [
    {
        "NumberAttackers": 3,
        "listMIM": "0,1,2"
    },
    {
        "name": "MIM1",
        "attack_val": "-50000",
        "real_val": "0",
        "node_id": "trip_shad_inv1",
        "point_id": "Qref",
        "scenario_id": "a",
        "attack_type": 4,
        "Start": 30,
        "End": 60,
        "PointStart": "30",
        "PointStop": "60"
    },
    {
        "name": "MIM2",
        "attack_val": "TRIP",
        "real_val": "CLOSE",
        "node_id": "microgrid_switch4",
        "point_id": "status",
        "scenario_id": "b",
        "attack_type": 3,
        "Start": 30,
        "End": 60,
        "PointStart": "30",
        "PointStop": "60"
    },
    {
        "name": "MIM3",
        "attack_val": "TRIP,TRIP",
        "real_val": "CLOSE,CLOSE",
        "node_id": "microgrid_switch2,microgrid_switch3",
        "point_id": "status,status",
        "scenario_id": "b",
        "attack_type": 3,
        "Start": 30,
        "End": 60,
        "PointStart": "30,30",
        "PointStop": "60,60"
    },
    {
        "name": "MIM4",
        "attack_val": "TRIP",
        "real_val": "NA",
        "node_id": "microgrid_switch1",
        "point_id": "status",
        "scenario_id": "b",
        "attack_type": 3,
        "Start": 30,
        "End": 60,
        "PointStart": "30",
        "PointStop": "60"
    }
],
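A consistency check for the MIM section before a simulation run, covering the rules described above: one comma-separated entry per node_id in every per-point field, and PointStart/PointStop inside Start/End. This is an added example, not part of the project's code. The name check_mim, the MIM3b entry and the altered values in SAMPLE are constructed, and the rules that listMIM holds exactly NumberAttackers indexes and that attack_val/real_val follow the same per-point count are assumptions read off the example.

```python
# Keys holding one comma-separated entry per attacked node_id/point_id pair.
PER_POINT = ("node_id", "point_id", "attack_val", "real_val", "PointStart", "PointStop")

def check_mim(section):
    """Return the problems found in a parsed "MIM" list (empty list if none)."""
    problems = []
    header, attackers = section[0], section[1:]
    # Assumption: listMIM carries exactly NumberAttackers indexes.
    listed = [i for i in str(header["listMIM"]).split(",") if i.strip()]
    if len(listed) != header["NumberAttackers"]:
        problems.append(f"listMIM has {len(listed)} entries, "
                        f"NumberAttackers is {header['NumberAttackers']}")
    for a in attackers:
        name = a.get("name", "<unnamed>")
        missing = [k for k in PER_POINT + ("Start", "End") if k not in a]
        if missing:
            problems.append(f"{name}: missing {', '.join(missing)}")
            continue
        cols = {k: [v.strip() for v in str(a[k]).split(",")] for k in PER_POINT}
        n = len(cols["node_id"])
        bad = [k for k in PER_POINT if len(cols[k]) != n]
        if bad:
            problems.append(f"{name}: {', '.join(bad)} must have {n} entries like node_id")
            continue
        starts = [float(v) for v in cols["PointStart"]]
        stops = [float(v) for v in cols["PointStop"]]
        if min(starts) < a["Start"]:
            problems.append(f"{name}: PointStart {min(starts):g} is before Start {a['Start']}")
        if max(stops) > a["End"]:
            problems.append(f"{name}: PointStop {max(stops):g} is after End {a['End']}")
    return problems

# Constructed input: MIM1 and MIM3 as in the example above, except that MIM3's
# second PointStop is 70; MIM3b is a made-up copy with one PointStart missing.
SWITCHES = {"attack_val": "TRIP,TRIP", "real_val": "CLOSE,CLOSE",
            "node_id": "microgrid_switch2,microgrid_switch3", "point_id": "status,status",
            "scenario_id": "b", "attack_type": 3, "Start": 30, "End": 60}
SAMPLE = [
    {"NumberAttackers": 3, "listMIM": "0,1,2"},
    {"name": "MIM1", "attack_val": "-50000", "real_val": "0", "node_id": "trip_shad_inv1",
     "point_id": "Qref", "scenario_id": "a", "attack_type": 4, "Start": 30, "End": 60,
     "PointStart": "30", "PointStop": "60"},
    dict(SWITCHES, name="MIM3", PointStart="30,30", PointStop="60,70"),
    dict(SWITCHES, name="MIM3b", PointStart="30", PointStop="60,60"),
]

if __name__ == "__main__":
    print("\n".join(check_mim(SAMPLE)))
```

To check a real configuration, load grid.json with the json module and pass its "MIM" list to check_mim.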
- MIM attacks are enabled by setting includeMIM to 1 in the Simulation section of grid.json:
"Simulation": [
    {
        "SimTime": 200,
        "StartTime": 0.0,
        "PollReqFreq": 10,
        "includeMIM": 1,
        "UseDynTop": 1,
        "MonitorPerf": 0,
        "StaticSeed": 1,
        "RandomSeed": 777
    }
],
- DDoS attacks are enabled by setting Active to 1 in the DDoS section of grid.json:
"DDoS": [
    {
        "NumberOfBots": 50,
        "threadsPerAttacker": 1,
        "Active": 0,
        "usePing": 0,
        "Start": 120,
        "End": 240,
        "TimeOn": 15.0,
        "TimeOff": 0.0,
        "PacketSize": 1500,
        "Rate": "80Mb/s",
        "NodeType": [
            "subNode"
        ],
        "NodeID": [
            2
        ],
        "endPoint": "MIM"
    }
],
Ping attack: When usePing is set to 1, the attacker sends numerous ping packets to the victim node using the IPv4 protocol. With that option the attacker does not rely on a specific port being open. In this case the attacker is conducting what is called a ping attack (https://www.researchgate.net/publication/222619629_PING_attack_-_How_bad_is_it).
When usePing is set to 0, the attacker sends numerous packets filled with random data to the target node. The attacker in this case is more visible, since the target victim has a port that is used by the attacker to receive the data.
Route controller: updates route setups to reconfigure the topology in response to different events on the network.
"Controller": [
    {
        "use": 0,
        "actionFile": "AgentDecisions.txt",
        "NodesControlled": [1, 2, 3, 4]
    }
],