MQTT DoS DDoS IoT Attack
The data was collected on a Raspberry Pi 3B+ acting as the Mosquitto broker, with Mosquitto clients run from 12 Terminator sessions on Ubuntu 20 (4 publishers and 8 subscribers). The traffic was captured with Wireshark. Normal traffic was generated over 3 days and produced 142,000 data entries. The attack traffic lasted 2 to 3 minutes and produced hundreds of thousands of entries, using the most popular and useful tools, such as hping3 and LOIC. The complete dataset contains 424,716 harvested entries. The dataset fields were chosen according to the parameters most affected by a DDoS attack. The dataset can be used for research purposes, with machine learning techniques, and for implementation in an IDS or IPS.
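As an added illustration of the kind of IDS feature such a capture supports (this is not the authors' code and does not use rows from the dataset), the following sketch computes per-second SYN features for port 1883 and flags windows that look like a SYN flood from many sources. The record layout, the constructed sample traffic and the thresholds are all assumptions.

```python
from collections import defaultdict

MQTT_PORT = 1883  # MQTT broker port named on the page

def build_sample():
    """Constructed records (time_ms, src_ip, dst_port, tcp_flags); not dataset rows."""
    # Normal traffic: established sessions exchanging data (PSH+ACK) for 20 s.
    normal = [(t * 500, f"192.168.1.{10 + t % 12}", MQTT_PORT, "PA") for t in range(40)]
    # Two legitimate connection attempts.
    normal += [(1000, "192.168.1.10", MQTT_PORT, "S"), (7200, "192.168.1.11", MQTT_PORT, "S")]
    # Flood: 1500 bare SYNs in 3 s, each from a different (constructed) source address.
    flood = [(20000 + i * 2, f"10.{i % 250}.{i // 250}.{(i * 7) % 254 + 1}", MQTT_PORT, "S")
             for i in range(1500)]
    return sorted(normal + flood)

def window_features(packets, width_ms=1000, port=MQTT_PORT):
    """Per window: packet total, SYN count, distinct SYN sources, SYN share."""
    buckets = defaultdict(lambda: {"total": 0, "syn": 0, "sources": set()})
    for ts, src, dport, flags in packets:
        if dport != port:
            continue
        b = buckets[ts // width_ms]
        b["total"] += 1
        if flags == "S":  # SYN without ACK: a new connection attempt
            b["syn"] += 1
            b["sources"].add(src)
    return {w: {"total": b["total"], "syn": b["syn"], "sources": len(b["sources"]),
                "syn_ratio": b["syn"] / b["total"]}
            for w, b in sorted(buckets.items())}

def flag_windows(features, min_syn=100, min_ratio=0.9, min_sources=50):
    """Windows dominated by SYNs from many sources (assumed thresholds).

    A single-source flood would not meet min_sources and needs a per-source
    rate check instead.
    """
    return [w for w, f in features.items()
            if f["syn"] >= min_syn and f["syn_ratio"] >= min_ratio
            and f["sources"] >= min_sources]

if __name__ == "__main__":
    feats = window_features(build_sample())
    for w in flag_windows(feats):
        print(f"window {w}s: {feats[w]}")
```
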
Steps to reproduce
We used a Raspberry Pi 3B+ as the MQTT Mosquitto broker, the Terminator 2.1.1 application for publishers and subscribers, Wireshark 3.6.6 as the network information collector, GNU bash version 5.1.16 to produce the MQTT traffic, and hping3 version 3.0.0-alpha-2 and LOIC 220.127.116.11 on the attacker side. For normal data collection, the bash script randomly produced MQTT traffic for 72 hours, during which Wireshark collected information on the broker (the Raspberry Pi). The attack, on the other hand, was carried out with LOIC and hping3 for 2 to 3 minutes. The results of these different attacks were exported to CSV files, labeled, and then joined into a single CSV file of 400000 entries. With hping3 we used the command that is the most realistic for not alerting an IDS; the command is hping3 -c 1500 -d 120 -S -w 64 -p 1883 --flood --rand-source ip_address, where we tell the hping3 application to send 1500 packets of 120 bytes with a 64-bit window to port 1883, which is the MQTT port, as TCP SYN bursts with random IP addresses to produce a distributed denial of service. For the denial-of-service attack, we configured the LOIC application to send packets to the IP address of our target on port 1883. At the other end, we used the following bash code to produce normal MQTT traffic on the network.