Computer Science ›› 2022, Vol. 49 ›› Issue (11A): 211000089-5. doi: 10.11896/jsjkx.211000089

• Information Security •

Discovery of Unknown UDP Reflection Amplification Protocol Based on Traffic Analysis

LU Xuan-ting, CAI Rui-jie, LIU Sheng-li

  1. State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China
     Information Engineering University, Zhengzhou 450001, China
  • Online: 2022-11-10  Published: 2022-11-21
  • Corresponding author: LIU Sheng-li (dr_liushengli@163.com)
  • About author: LU Xuan-ting (251758821@qq.com), born in 1992, postgraduate. His main research interests include network device security and network attack detection.
    LIU Sheng-li, born in 1973, Ph.D, professor. His main research interests include network device security and network attack detection.
  • Supported by:
    National Basic Research Program of China (2019QY1300) and Science & Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD-113).

Abstract: In recent years, the frequency and scale of DDoS attacks have increased, posing great challenges to network security. Among them, UDP reflection amplification attacks have become an attack method favored by hackers because of their low cost, huge attack traffic, and the difficulty of tracing them back to their source. Most current filtering and defense strategies are derived from analysis and review after an attack, so they are to some degree passive and lag behind the endless stream of new UDP reflection attacks. This paper proposes a method based on traffic analysis to discover undisclosed protocols with UDP reflection amplification potential. Starting from the two fundamental characteristics, amplification and reflection, the method selects traffic samples that exhibit reflective amplification from daily network traffic. A replay is then used to verify whether each sample is repeatable, and the qualifying samples are recorded for research on the related service protocols. Finally, a new type of undisclosed reflection amplification protocol is successfully discovered. A detection program built with this method has been tested for accuracy and processing rate in an experimental environment and on the Internet respectively; it successfully found a variety of reflection amplification protocols, making it possible to defend proactively against reflection amplification attacks that may appear.

Key words: DDoS, UDP reflection amplification attack, Cyber security, Flow detection, Active defense
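The screening stage of the method described in the abstract, as an added example that is not the authors' code: bidirectional UDP flow records are grouped by the responding service, and a service is flagged when small unsolicited datagrams receive replies that are many times larger (reflection plus amplification). The flow-record fields, the sample flows, the amplification-factor threshold and the minimum number of distinct clients are all assumptions; the replay verification step of the paper is not reproduced here.

```python
"""Passive screening of UDP flow records for reflection amplification
candidates (added example; record format and thresholds are assumptions)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpFlow:
    """One bidirectional UDP flow: request from client, reply from server."""
    client: str
    cport: int
    server: str
    sport: int
    req_bytes: int
    req_pkts: int
    rsp_bytes: int
    rsp_pkts: int


# Constructed sample flows, not real capture data.
FLOWS = [
    UdpFlow("10.0.0.5", 40001, "203.0.113.10", 123, 48, 1, 4840, 10),   # NTP-like, ~100x
    UdpFlow("10.0.0.6", 40002, "203.0.113.10", 123, 48, 1, 4900, 10),   # same service, 2nd client
    UdpFlow("10.0.0.7", 40003, "203.0.113.20", 53, 60, 1, 300, 1),      # DNS-like, 5x
    UdpFlow("10.0.0.8", 40004, "203.0.113.30", 9999, 100, 1, 3200, 4),  # unknown service, 32x
    UdpFlow("10.0.0.9", 40005, "203.0.113.40", 5000, 512, 4, 256, 2),   # reply smaller than request
    UdpFlow("10.0.0.3", 40006, "203.0.113.50", 7777, 10, 1, 0, 0),      # no reply: not reflective
]


def amplification(flow):
    """Bandwidth and packet amplification factors (reply size / request size) for one flow."""
    if flow.req_bytes == 0 or flow.req_pkts == 0 or flow.rsp_pkts == 0:
        return 0.0, 0.0
    return flow.rsp_bytes / flow.req_bytes, flow.rsp_pkts / flow.req_pkts


def screen(flows, min_baf=10.0, min_clients=1):
    """Group flows by (server, port); keep services whose mean bandwidth
    amplification reaches min_baf and that answered at least min_clients
    distinct clients. Returns {(server, port): {"baf", "paf", "clients"}}."""
    per_service = defaultdict(list)
    for f in flows:
        baf, paf = amplification(f)
        if baf > 0:  # a reply exists, so the service reflects to the sender
            per_service[(f.server, f.sport)].append((f.client, baf, paf))
    result = {}
    for svc, rows in per_service.items():
        clients = {c for c, _, _ in rows}
        mean_baf = sum(b for _, b, _ in rows) / len(rows)
        mean_paf = sum(p for _, _, p in rows) / len(rows)
        if mean_baf >= min_baf and len(clients) >= min_clients:
            result[svc] = {"baf": round(mean_baf, 2), "paf": round(mean_paf, 2), "clients": len(clients)}
    return result
```

Services that pass this screen are only candidates; the paper's next step is to confirm that a single request reproduces the large reply before the protocol is studied further.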

CLC number: TP393