计算机科学

计算机科学 ›› 2024, Vol. 51 ›› Issue (8): 412-419.doi: 10.11896/jsjkx.230500227

• 信息安全 • 上一篇    下一篇

基于主被动结合的新型UDP反射放大协议识别方法

陈宏伟, 尹小康, 盖贤哲, 贾凡, 刘胜利, 蔡瑞杰   

  1. 信息工程大学 郑州 450001
  • 收稿日期:2023-05-30 修回日期:2023-10-16 出版日期:2024-08-15 发布日期:2024-08-13
  • 通讯作者: 蔡瑞杰(wsxcrj@163.com)
  • 作者简介:(1134673436@qq.com)

New Type of UDP Reflection Amplification Protocol Recognition Method Based on Active-Passive Combination

CHEN Hongwei, YIN Xiaokang, GAI Xianzhe, JIA Fan, LIU Shengli, CAI Ruijie   

  1. Information Engineering University,Zhengzhou 450001,China
  • Received:2023-05-30 Revised:2023-10-16 Online:2024-08-15 Published:2024-08-13
  • About author:CHEN Hongwei,born in 1995,postgra-duate.His main research interests include network device security and network attack detection.
    CAI Ruijie,born in 1990,Ph.D candidate,lecturer.His main research in-terests include network security,binary code analysis and vulnerability disco-very.

PDF (PC)

347

摘要: 反射放大攻击因具有优质的流量倍增能力和反追踪溯源能力正逐步成为主流的DDoS攻击手段。近年来不断涌现以OpenVPN等物联网协议为代表的新型UDP反射放大攻击方法,并且呈现出多协议组合反射放大的趋势。然而,当前UDP反射放大检测方法存在检测结果不准确、检测效率不足等问题。针对上述问题,为提升UDP反射放大检测能力,提出了一种基于主被动结合的新型UDP反射放大协议识别方法。首先,通过主动探测的方法获取已知的物联网反射放大协议流量,并将其作为实验数据集;其次,在流量自动化分析过程中使用双重阈值判定和多元特征匹配方法捕获未知的反射放大协议和触发方式;最后,通过重放的方式进行验证。实验结果表明,该方法可有效检测UDP反射放大流量,精度达到99.88%,并且发现了QUIC协议潜在的反射放大能力,有效提升了反射放大攻击的防护能力。

关键词: DDoS攻击, UDP反射放大, 主被动结合, 主动探测, 流量分析

Abstract: Reflection amplification attack has gradually become a mainstream DDoS attack method because of its high-quality traffic doubling ability and anti-traceability capability.In recent years,new UDP reflection amplification attack methods represented by Internet of Things protocols such as OpenVPN have emerged constantly,showing a trend of multi-protocol combination reflection amplification.However,current UDP reflection amplification detection methods have some problems,such as inaccurate detection results and insufficient detection efficiency.In order to improve the UDP reflection amplification detection capability,a new type of UDP reflection amplification protocol recognition method based on active-passive combination is proposed.Firstly,the known Internet of Things reflection amplification protocol traffic is obtained through active detection method and is used as the experimental dataset.Secondly,in the process of automatic traffic analysis,dual threshold determination and multivariate feature matching are used to capture the unknown reflection amplification protocol and trigger mode.Finally,verify the authenticity through replay.Experimental results show that this method can effectively detect the reflection amplification traffic targeting UDP protocol,with an precision of 99.88%.The potential reflection amplification ability of the QUIC protocol has been disco-vered,effectively improving the protection ability against reflection amplification attacks.

Key words: DDoS attack, UDP reflection amplification, Active-Passive combination, Active detection, Traffic analysis

中图分类号: 

  • TP393
[1]SRINIVAS P.Are You Ready to Counter UDP-Based Amplification Attacks? [EB/OL].(2018-03-27) [2023-03-22].https://blogs.infoblox.com/company/are-you-ready-to-counter-udp-based-amplification-attacks/.
[2]MATTHEW P.The DDoS That Knocked Spamhaus Offline(And How We Mitigated It) [EB/OL].(2013-03-21) [2023-03-22].https://laptrinhx.com/the-ddos-that-knocked-spamhaus-offline-and-how-we-mitigated-it-542830916/.
[3]ALEX F.CVE-2022-26143:TP240PhoneHome reflection/am-plification DDoS attack vector [EB/OL].(2022-03-08) [2023-03-22].https://blog.cloudflare.com/cve-2022-26143/.
[4]CHRISTIAN R.Amplification Hell,Revisiting Network Proto-cols for DDoS Abuse [C]//Proceedings of the 2014 Network and Distributed Systems Security Symposium(NDSS 2014).2014:23-26.
[5]LI G.Research of scanning and drdos attack detection based on netflow[D].Nanjing:Southeast University,2016.
[6]LUX T,CAI R J,LIU S L.Discovery of unknown UDP reflection amplification protocol based on traffic analysis [J].Computer Science,2022,49(S2):211000089-5.
[7]OTHMAN R.Understanding the various types of denial of ser-vice attack [J].Business Week Online,2000.
[8]PAXSON V.An analysis of using reflectors for distributed de-nial-of-service attacks [J].ACM SIGCOMM Computer Communication Review,2001,31(3):38-47.
[9]KEVIN B,ABDULRAHMAN A,YAIR F,et al.Weaponizing Middleboxes for TCP Reflected Amplification [C]//30th USENIX Security Symposium(USENIX Security 2021).2021:3345-3361.
[10]SOO-JIN M,YINY C,RAHUL A S,et al.Accurately Measu-ring Global Risk of Amplification Attacks using Amp Map [C]//30th USENIX Security Symposium(USENIX Security 2021).2021:3881-3898.
[11]JOHANNES K,ILYA G,CHRISTIAN R.AMPFUZZ:Fuzzing for Amplification DDoS Vulnerabilities [C]//31th USENIX Security Symposium(USENIX Security 2022).2022:1043-1060.
[12]IMAN S,ARASH H L,SAQIB H,et al.Developing RealisticDistributed Denial of Service(DDoS) Attack Dataset and Taxo-nomy [C]//2019 International Carnahan Conference on Secu-rity Technology(ICCST).IEEE,2019.
[13]HUSSAIN Y S.Network Intrusion Detection for DistributedDenial-of-Service(DDoS) Attacks using Machine Learning Classification Techniques [D].Toronto:University of Toronto,2011.
[14]MATHEUS P N,LUIZ F C,JAIME L,et al.Long Short-Term Memory and Fuzzy Logic for Anomaly Detection and Mitigation in Software-Defined Network Environment [C]//IEEE Access.IEEE,2020:83765-83781.
[15]SAIF R,MUBASHIR K,SYED I I,et al.DIDDOS:An approach for detection and identification of Distributed Denial of Service(DDoS) cyberattacks using Gated Recurrent Units(GRU) [J].Future Generation Computer Systems,2021,118:453-466.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发