
Discovery of Unknown UDP Reflection Amplification Protocol Based on Traffic Analysis

Cited by: 1
Abstract: In recent years, the frequency and scale of DDoS attacks have grown, posing great challenges to network security. Among them, UDP reflection amplification attacks have become a method favored by hackers because of their low attack cost, huge attack traffic, and the difficulty of tracing them to their source. Most current filtering and defense strategies are derived from analysis and review after an attack, so they are passive and lag behind the steady stream of new UDP reflection attacks. This paper proposes a method based on traffic analysis to discover undisclosed protocols with the potential for UDP reflection amplification. Starting from the two fundamental characteristics of amplification and reflection, the method selects traffic samples that exhibit reflection amplification characteristics from everyday network traffic. A replay attack is then used to verify whether the samples are repeatable, and the qualifying samples are recorded for research on the related service protocols, which ultimately led to the discovery of new undisclosed reflection amplification protocols. A detection program built with the proposed method was tested for accuracy and processing rate in an experimental environment and on the Internet respectively, and it found a variety of reflection amplification protocols, making it possible to defend proactively against reflection amplification attacks that may appear.

Authors: LU Xuan-ting; CAI Rui-jie; LIU Sheng-li (State Key Laboratory of Mathematical Engineering and Advanced Computing, Zhengzhou 450001, China; Information Engineering University, Zhengzhou 450001, China)

Source: Computer Science (《计算机科学》), CSCD, Peking University Core Journal, 2022, Issue S02, pp. 701-705 (5 pages)

Funding: National Key Research and Development Program (2019QY1300); Science and Technology Commission Foundation Strengthening Project (2019-JCJQ-ZD-113)

Keywords: DDoS; UDP reflection amplification attack; Cyber security; Flow detection; Active defense