    ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

    Translators: 林妙倩 (cybersecurity intern, Tsinghua University Network Research Institute), 戴亦侖 (賽寧網安). Original translation; please obtain the translators' consent before reposting.

    Data source: ATT&CK Matrices

    Original: https://attack.mitre.org/techniques/T1499

    Glossary: /attack/glossary

    Endpoint Denial of Service

    Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on, or by exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]

    An Endpoint DoS denies the availability of a service without saturating the network used to provide access to that service. Adversaries can target various layers of the application stack hosted on the system that provides the service. These layers include the operating system (OS), server applications such as web servers, DNS servers and databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks unique to the respective components. A DoS attack may be generated by a single system or by multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

    To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

    Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by source address on network defense devices.

    Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure, or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.

    In cases where traffic manipulation is used, there may be points in the global network (such as high-traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship, where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[5]

    For attacks attempting to saturate the providing network, see the Network Denial of Service technique.

    OS Exhaustion Flood

    Since operating systems (OSs) are responsible for managing the finite resources on a system, they can be a target for DoS. These attacks do not need to exhaust the actual resources on a system, since they can simply exhaust the limits that an OS imposes on itself to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.

    SYN Flood

    With SYN floods, excessive amounts of SYN packets are sent, but the three-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.

    ACK Flood

    ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets is sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS has to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.

    Service Exhaustion Flood

    Different network services provided by systems are targeted in different ways to conduct a DoS. Adversaries often target DNS and web servers, but other services have been targeted as well.[6] Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

    Simple HTTP Flood

    A large number of HTTP requests can be issued to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.

    SSL Renegotiation Attack

    SSL Renegotiation Attacks take advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes an SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.

    Application Exhaustion Flood

    Web applications that sit on top of web server stacks can be targeted for DoS. Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust resources and deny access to the application or the server itself.

    Application or System Exploitation

    Software vulnerabilities exist that, when exploited, can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.

    Procedure Examples

    Name      Description
    ZxShell   ZxShell has a feature to perform SYN flood attacks on a host. [13] [14]

    Mitigations

    Mitigation               Description
    Filter Network Traffic   Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigation to filter traffic upstream from services. Filter boundary traffic by blocking source addresses originating the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies. [12]
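To show why SYN cookies defeat the SYN-flood state exhaustion described above, here is an added example (not from the page or from any kernel) of a simplified SYN-cookie scheme: the server's initial sequence number is derived from a keyed hash of the connection 4-tuple and a time counter, so no half-open entry has to be stored, and the final ACK of the handshake is validated by recomputing the hash. The layout, counter granularity, MSS table and secret are all constructed for illustration and are not the Linux implementation.

```python
import hashlib
import hmac

# Constructed demo secret; a real host would use a random per-boot key.
SECRET = b"constructed-demo-secret"
# Small table of common MSS values so the MSS fits in 3 bits of the cookie.
MSS_TABLE = [536, 1220, 1440, 1460]

def _mac(secret, saddr, daddr, sport, dport, counter):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x00FFFFFF

def make_cookie(saddr, daddr, sport, dport, client_seq, mss, now, secret=SECRET):
    """Server ISN for the SYN-ACK, computed instead of stored.
    Layout (simplified): 5-bit counter | 3-bit MSS index | 24-bit MAC,
    added to the client's SYN sequence number so the ACK is predictable."""
    counter = (now // 64) & 0x1F                     # ticks every 64 s
    mss_idx = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
    cookie = (counter << 27) | (mss_idx << 24) | _mac(secret, saddr, daddr,
                                                      sport, dport, counter)
    return (client_seq + cookie) & 0xFFFFFFFF

def check_cookie(saddr, daddr, sport, dport, client_seq, ack, now, secret=SECRET):
    """Validate the handshake's final ACK with no state-table lookup.
    Returns the MSS encoded in the cookie, or None if forged or expired."""
    cookie = (ack - 1 - client_seq) & 0xFFFFFFFF     # undo ISN + 1
    counter, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0x00FFFFFF
    cur = (now // 64) & 0x1F
    if counter not in (cur, (cur - 1) & 0x1F):       # only recent cookies
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    if mac != _mac(secret, saddr, daddr, sport, dport, counter):
        return None
    return MSS_TABLE[mss_idx]

if __name__ == "__main__":
    now = 1_700_000_000
    isn = make_cookie("198.51.100.7", "192.0.2.10", 40000, 443, 123456, 1460, now)
    print(check_cookie("198.51.100.7", "192.0.2.10", 40000, 443, 123456,
                       (isn + 1) & 0xFFFFFFFF, now))
```

A flood of SYNs therefore costs the server one hash per packet and no memory, while the client's ACK proves it received the SYN-ACK, which a spoofed source cannot do.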

    Detection

    Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.[15] Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect an attack as it starts.

    In addition to network-level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.

    Externally monitor the availability of services that may be targeted by an Endpoint DoS.
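The "sudden surge in one type of protocol" signal described above, as an added example that is not part of the page: a detector that buckets flow records by window, destination, protocol and TCP flags, compares each bucket against the mean of earlier windows for the same key, and reports the number of distinct sources (a SYN flood from many addresses shows up as a burst of SYN-only flows with a wide source spread). The flow records and thresholds are constructed for the example; a real deployment would feed it netflow or firewall logs.

```python
from collections import defaultdict
from statistics import mean

def constructed_flows():
    """Synthetic flow records (epoch_sec, src, dst, proto, tcp_flags):
    30 s of normal handshakes, then 10 s of SYN-only flows from many sources."""
    flows = []
    for t in range(0, 40):
        for i in range(3):                          # steady legitimate traffic
            flows.append((t, f"10.0.{i}.1", "192.0.2.10", "tcp", "SA"))
    for t in range(30, 40):
        for i in range(200):                        # half-open SYNs, 2000 sources
            flows.append((t, f"198.51.{t % 256}.{i % 256}", "192.0.2.10", "tcp", "S"))
    return flows

def detect_surges(flows, window=10, factor=5.0, min_count=50):
    """Count flows per (window, dst, proto, flags) and alert when a bucket
    exceeds `factor` times the mean of all earlier windows for that key.
    `min_count` suppresses alerts on keys that are tiny in absolute terms."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for ts, src, dst, proto, flags in flows:
        key = (ts // window, dst, proto, flags)
        counts[key] += 1
        sources[key].add(src)
    alerts = []
    for (w, dst, proto, flags), n in sorted(counts.items()):
        history = [counts.get((p, dst, proto, flags), 0) for p in range(w)]
        baseline = mean(history) if history else 0.0
        if n >= min_count and n > factor * max(baseline, 1.0):
            alerts.append({"window": w, "dst": dst, "proto": proto, "flags": flags,
                           "count": n, "baseline": baseline,
                           "distinct_sources": len(sources[(w, dst, proto, flags)])})
    return alerts

if __name__ == "__main__":
    for a in detect_surges(constructed_flows()):
        print(a)
```

The distinct-source count is the cue for the botnet case in the text: when it approaches the flow count, per-source blocking alone will not help and upstream filtering or SYN cookies are the practical responses.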
