New Type of UDP Reflection Amplification Protocol Recognition Method Based on Active-Passive Combination


Authors: CHEN Hongwei [1]; YIN Xiaokang; GAI Xianzhe; JIA Fan; LIU Shengli [1]; CAI Ruijie (Information Engineering University, Zhengzhou 450001, China)

Affiliation: [1] Information Engineering University, Zhengzhou 450001

Source: Computer Science (《计算机科学》), 2024, No. 8, pp. 412-419 (8 pages)

Abstract: Reflection amplification attacks are gradually becoming a mainstream DDoS attack method because of their strong traffic amplification capability and their resistance to tracing and attribution. In recent years, new UDP reflection amplification attack methods, represented by Internet of Things protocols such as OpenVPN, have emerged constantly, showing a trend toward multi-protocol combined reflection amplification. However, current UDP reflection amplification detection methods suffer from problems such as inaccurate detection results and insufficient detection efficiency. To address these problems and improve UDP reflection amplification detection capability, a new type of UDP reflection amplification protocol recognition method based on active-passive combination is proposed. First, traffic of known Internet of Things reflection amplification protocols is obtained through active detection and used as the experimental dataset. Second, during automated traffic analysis, dual threshold determination and multivariate feature matching are used to capture unknown reflection amplification protocols and trigger modes. Finally, the results are verified through replay. Experimental results show that this method can effectively detect UDP reflection amplification traffic, with a precision of 99.88%. The potential reflection amplification ability of the QUIC protocol has also been discovered, effectively improving the protection capability against reflection amplification attacks.

Keywords: DDoS attack; UDP reflection amplification; active-passive combination; active detection; traffic analysis

Classification number: TP393 [Automation and Computer Technology - Computer Application Technology]

 
