Amplification vulnerability mining method based on state guidance (基于状态引导的放大漏洞挖掘方法)


Authors: JIANG Sikang (蒋思康), CAI Ruijie (蔡瑞杰), YIN Xiaokang (尹小康), CHEN Hongyu (陈鸿羽), LIU Shengli (刘胜利) [1] (Information Engineering University, Zhengzhou 450001, China)

Affiliation: [1] Information Engineering University, Zhengzhou 450001, Henan, China

Source: Chinese Journal of Network and Information Security (《网络与信息安全学报》), 2025, No. 1, pp. 165-177 (13 pages)

Abstract: Amplification-based distributed denial of service (ADDoS) attacks have posed a persistent and severe threat to the Internet. Recent incidents revealed that these attacks not only generated substantial traffic but also exploited a diverse range of protocol types, with amplification vulnerabilities being identified as a primary cause. Traditionally, known amplification vulnerabilities were discovered either through empirical knowledge or by analyzing traffic from amplification attack incidents, highlighting a lack of proactive methods for identifying such vulnerabilities. Existing approaches, such as AmpFuzz, were limited to focusing solely on amplification patterns for individual requests and were restricted to the UDP protocol, which constrained their applicability. To address these limitations, a state-guided method for mining amplification vulnerabilities, referred to as AFLAMP, was proposed. This method leveraged protocol state to guide fuzz testing and employed session-based bandwidth amplification coefficients for seed selection, thereby enhancing the effectiveness of vulnerability discovery. Experimental results demonstrate that AFLAMP successfully identifies amplification vulnerabilities, uncovering 11 vulnerabilities in five services known to be susceptible (OpenTFTP, OpenSLP, NTP, Memcached, and Dnsmasq), including six previously unknown vulnerabilities. Compared to AmpFuzz, AFLAMP achieves a 37.5% increase in the detection rate of vulnerabilities. Additionally, AFLAMP identifies 12 amplification vulnerabilities in a TCP-based service program (LightFTP).

Keywords: DDoS attack; traffic amplification; fuzzing; protocol state; vulnerability mining

Classification: TP393 (Automation and Computer Technology: Computer Application Technology)
