Mapping IPs to IDs
To give every bot its own IP, IPs have to be mapped to IDs. Here, we distinguish between initiator and responder bots. The two classes are assigned different types of IPs.
Initiator bots are the bots that send at least one request to another bot. For this tool, every initiator bot is assigned a network local IP. We call all IPs that are in the same subnet as the router (i.e. that have, or would have, the router as gateway) network local IPs. This can be a subnet behind NAT, part of an Autonomous System or something else.
Responder bots are the bots that do not send any requests to another bot. For this tool, every responder bot is assigned a network external IP. We call every IP that is not network local network external. As an example, if the local network has private IP addresses, every public IP address is considered network external.
If new local IPs have to be generated, the following algorithm applies. The input PCAP serves as the source of information about existing IPs and data flows. First, the minimum and maximum IP that have the router as destination are found. New local IPs are then selected at random from the unassigned IPs between the minimum and maximum IP. Once this space has been exhausted, new local IPs are created that lie above the maximum IP. To make them seem more realistic, IPs that are relatively close to the latest maximum IP are chosen.
New external IPs are generated randomly. It is ensured that no "special" IPs are chosen. Special IPs are IPs that fall into the private, link-local, localhost, multicast or reserved ranges.
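The two generation rules above, sketched as an added example (not the tool's own code). The function names, the `max_step` bound used for "relatively close", and passing the observed local IPs as a list instead of reading them from the PCAP are assumptions.

```python
import ipaddress
import random

def new_local_ips(observed, count, rng, max_step=5):
    """Pick unused local IPs: gaps between the observed min and max first,
    then addresses just above the (growing) maximum."""
    used = {int(ipaddress.IPv4Address(ip)) for ip in observed}
    lo, hi = min(used), max(used)
    gaps = [i for i in range(lo + 1, hi) if i not in used]
    rng.shuffle(gaps)                      # random choice inside [min, max]
    picked = gaps[:count]
    while len(picked) < count:             # gap space drained
        hi += rng.randint(1, max_step)     # assumed step: stay near latest max
        picked.append(hi)
    return [str(ipaddress.IPv4Address(i)) for i in picked]

def is_special(ip):
    """True for the ranges the text excludes from external IPs."""
    a = ipaddress.IPv4Address(ip)
    return (a.is_private or a.is_link_local or a.is_loopback
            or a.is_multicast or a.is_reserved)

def new_external_ips(taken, count, rng):
    """Draw random IPv4 addresses, rejecting special or already used ones."""
    taken, out = set(taken), []
    while len(out) < count:
        ip = str(ipaddress.IPv4Address(rng.getrandbits(32)))
        if ip not in taken and not is_special(ip):
            taken.add(ip)
            out.append(ip)
    return out

if __name__ == "__main__":
    rng = random.Random(7)
    observed = ["192.168.1.2", "192.168.1.5", "192.168.1.9"]  # constructed sample
    print(new_local_ips(observed, 7, rng))
    print(new_external_ips([], 3, rng))
```

The sketch does not check that addresses created above the maximum still lie inside the local subnet, because the text does not state how the tool bounds them.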
The router is identified by finding the most frequently used MAC address, since every outgoing packet's destination MAC address is the router's. In normal situations, where network-local hosts do not communicate excessively with each other, this reliably finds the router's MAC address. The router's IP can only be found if the local network has private IPs, since otherwise we cannot distinguish which public IP is actually external and which one is the router's.