反射放大型DDoS攻擊的預(yù)防策略研究
信息技術(shù)與網(wǎng)絡(luò)安全
郝帥,白翼銘,李致成, 包正晶
華北計(jì)算機(jī)系統(tǒng)工程研究所,北京327722
摘要: 隨著計(jì)算機(jī)和通信技術(shù)的高速發(fā)展,網(wǎng)絡(luò)空間維度與現(xiàn)實(shí)世界的對(duì)照格外清晰,因此安全管理網(wǎng)絡(luò)空間顯得意義重大。針對(duì)近年來(lái)已公布的網(wǎng)絡(luò)環(huán)境中反射放大型分布式拒絕服務(wù)攻擊(Distributed Denial of Service,DDoS)安全問(wèn)題,基于Memcached、DNS、NTP、SNMP、SSDP和CLDAP六種常見協(xié)議對(duì)所存在的漏洞進(jìn)行分析,搭建六種協(xié)議的服務(wù)器仿真環(huán)境,通過(guò)使用交互式數(shù)據(jù)包操作程序scapy編程,實(shí)現(xiàn)對(duì)仿真環(huán)境中目標(biāo)主機(jī)的IP欺騙和帶寬放大。通過(guò)ZoomEye獲取真實(shí)網(wǎng)絡(luò)環(huán)境中的可用IP資源,以仿真環(huán)境中目標(biāo)主機(jī)IP作為受害者,測(cè)試真實(shí)環(huán)境中可用IP資源產(chǎn)生的欺騙效果和帶寬放大倍數(shù),根據(jù)實(shí)驗(yàn)結(jié)果分析反射放大型DDoS的危害并從服務(wù)器和受害者兩個(gè)角度給出防范策略。
中圖分類號(hào): TP309.5
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2021.02.002
引用格式: 郝帥,白翼銘,李致成,等. 反射放大型DDoS攻擊的預(yù)防策略研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(2):7-13,23.
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2021.02.002
引用格式: 郝帥,白翼銘,李致成,等. 反射放大型DDoS攻擊的預(yù)防策略研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2021,40(2):7-13,23.
Research on prevention strategy of reflex amplification DDoS attack
Hao Shuai,Bai Yiming,Li Zhicheng,Bao Zhengjing
(National Computer System Engineering Research Institute of China,Beijing 102200,China)
Abstract: With the rapid development of computer and communication technology, the contrast between cyberspace dimensions and the real world is particularly clear, therefore the security of cyberspace is of great significance.In view of the problem of network security caused by reflection amplification DDoS(Distributed Denial of Service), this paper analyzes the vulnerability based on Memcached, DNS, NTP, SNMP, SSDP and CLDAP protocols,and builds server simulation environment of six protocols. It implements the target in the simulation environment IP spoofing and bandwidth amplification based on interactive packet crafting program. In addition, the IP resources in the real network environment are obtained by ZoomEye. The IP in the simulation environment is taken as the victim to test the spoofing effect and bandwidth magnification of IP resources in real network environment. According to the experimental results, the harm of reflection amplification DDoS is analyzed and the prevention strategies are given from the perspective of server and victim.
Key words : network security;reflex amplification;DDoS attack;IP spoofing;bandwidth amplification
0 引言
據(jù)CERNET 2014年10月的月報(bào)統(tǒng)計(jì),其38個(gè)主節(jié)點(diǎn)中有超過(guò)一半檢測(cè)到來(lái)自國(guó)內(nèi)次數(shù)超過(guò)2 200次、總流量超過(guò)16 TB的NTP反射放大攻擊[1];2016年10月美國(guó)Dyn公司的DNS服務(wù)器遭受DNS反射放大攻擊與SYN洪水攻擊,導(dǎo)致美國(guó)大范圍斷網(wǎng);2017年11月13日到2017年11月15日期間,ZoomEye網(wǎng)絡(luò)空間探測(cè)引擎探測(cè)到一個(gè)活動(dòng)頻繁的攻擊——CLDAP DDoS反射放大攻擊,隨后對(duì)DDoS反射放大攻擊進(jìn)行了第三輪的探測(cè),發(fā)布出《DDoS反射放大攻擊全球探測(cè)分析-第三版》;2018年3月CCERT公布Memcached反射放大攻擊流量占比有大幅增長(zhǎng)[2]。
本文詳細(xì)內(nèi)容請(qǐng)下載:http://m.rjjo.cn/resource/share/2000003372
作者信息:
郝 帥,白翼銘,李致成,包正晶
(華北計(jì)算機(jī)系統(tǒng)工程研究所,北京102200)
此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。