
    ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

    Translators: Lin Miaoqian (林妙倩, cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University) and Dai Yilun (戴亦侖, Cyberpeace / 賽寧網安). This is an original translation; obtain the translators' consent before reposting.

    Data source: ATT&CK Matrices

    Original: https://attack.mitre.org/techniques/T1498

    Glossary: /attack/glossary

    Network Denial of Service


    Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]

    A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). Many different methods to accomplish such network saturation have been observed, but most fall into two main categories: Direct Network Floods and Reflection Amplification.

    To perform Network DoS attacks, several aspects apply to multiple methods, including IP address spoofing and botnets.

    Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

    Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[4] For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.

    Direct Network Flood


    Direct Network Floods are when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for Direct Network Floods. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well.

    Reflection Amplification


    Adversaries may amplify the volume of their attack traffic by using Reflection. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.[5]

    Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depend upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS[6] and NTP[7], though the use of several others in the wild has been documented.[8] In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.[9]

    Tags

    ID: T1498

    Tactic: Impact

    Platforms: Linux, macOS, Windows

    Data sources: Sensor health and status, Network protocol analysis, Netflow/Enclave netflow, Network intrusion detection system, Network device logs

    Impact type: Availability

    Mitigations

    Mitigation: Filter Network Traffic

    Description: When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations. Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents. [10]

    Detection


    Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect a Network DoS event as it starts. Often, the lead time may be small and the indicator of an event is the availability of the network or service dropping. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.
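    As an added illustration of the netflow-based detection described above and of the reflection amplification pattern from the earlier section (example code, not from the ATT&CK page or its translators), the script below sums constructed inbound flow records per protocol and time window, flags a protocol whose volume jumps far above its baseline, and separately flags large UDP datagrams arriving from the DNS, NTP and memcache service ports, the shape a reflection amplification flood has when it reaches the spoofed victim. The record layout, the port-to-service table and the thresholds are assumptions.

```python
from collections import defaultdict

# Well-known UDP service ports of the reflection protocols the technique names
# (assumed mapping for this example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcache"}

# Constructed inbound flow records as an edge netflow collector might export them:
# (window, proto, src_port, dst_port, bytes, packets). Windows 0-3 are normal
# traffic; window 4 carries a burst of large UDP datagrams sourced from port 11211.
FLOWS = [
    (0, "tcp", 443, 51000, 120_000, 200), (0, "udp", 53, 40000, 6_000, 30),
    (1, "tcp", 443, 51001, 130_000, 210), (1, "udp", 53, 40001, 5_500, 28),
    (2, "tcp", 443, 51002, 125_000, 205), (2, "udp", 53, 40002, 6_200, 31),
    (3, "tcp", 443, 51003, 128_000, 208), (3, "udp", 53, 40003, 5_900, 29),
    (4, "tcp", 443, 51004, 126_000, 206),
    (4, "udp", 11211, 40004, 9_000_000, 6_400),
    (4, "udp", 11211, 40005, 8_500_000, 6_100),
]

def bytes_by_window(flows):
    """Sum inbound bytes per (window, proto): the utilisation series a monitor watches."""
    totals = defaultdict(int)
    for window, proto, _sp, _dp, nbytes, _pk in flows:
        totals[(window, proto)] += nbytes
    return totals

def protocol_surges(flows, current_window, baseline_windows, factor=5.0):
    """Return {proto: ratio} for protocols whose inbound bytes in current_window exceed
    factor times their mean over baseline_windows: the sudden surge in one protocol."""
    totals = bytes_by_window(flows)
    surges = {}
    for proto in {p for (_w, p) in totals}:
        mean = sum(totals.get((w, proto), 0) for w in baseline_windows) / len(baseline_windows)
        now = totals.get((current_window, proto), 0)
        if now > factor * max(mean, 1.0):
            surges[proto] = round(now / max(mean, 1.0), 1)
    return surges

def reflection_candidates(flows, window, min_bytes_per_pkt=1000):
    """Return {service: bytes} for UDP flows in window sourced from a known amplifier
    port with large datagrams: the shape of amplified responses reaching a spoofed victim.
    Big legitimate transfers from those ports look the same, so treat hits as leads."""
    hits = defaultdict(int)
    for w, proto, sp, _dp, nbytes, pk in flows:
        if w == window and proto == "udp" and sp in REFLECTOR_PORTS and pk > 0:
            if nbytes / pk >= min_bytes_per_pkt:
                hits[REFLECTOR_PORTS[sp]] += nbytes
    return dict(hits)
```

    On the constructed data, `protocol_surges(FLOWS, 4, [0, 1, 2, 3])` reports UDP at roughly 2966 times its baseline while TCP stays flat, and `reflection_candidates(FLOWS, 4)` attributes the whole burst to the memcache port.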
