Abstract
A new type of virus that uses DNS encryption technology poses a new threat to the security of honeypots. To address this problem, this paper proposes a scheme for detecting and blocking encrypted malicious traffic based on SNI information. First, the unencrypted Server Name Indication (SNI) field in the HTTPS handshake packet is used as the key for a domain-blacklist lookup, which decides whether an outbound connection from the honeypot is malicious. Once a malicious SNI is found, an iptables blocking module is invoked to cut off communication with the corresponding IP address, terminating that connection. Experimental results show that the method achieves a higher blocking rate than RST-based blocking and also performs well against concurrent connections.
Authors
MAO Wei-jie; LI Yong-zhong (School of Computer Science, Jiangsu University of Science and Technology, Zhenjiang 212003, Jiangsu Province, China)
Source
Information Technology (《信息技术》), 2021, No. 8, pp. 97-101 (5 pages)