
ATT&CK-CN V1.01 Last Update: 2019-11

Translators: Lin Miaoqian (林妙倩, cyberspace security intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦侖, 賽寧網安). This is an original translation; please obtain the translators' consent before reposting.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1498

Glossary: /attack/glossary

Network Denial of Service

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]

A Network DoS occurs when the bandwidth capacity of the network connection to a system is exhausted by the volume of malicious traffic directed at the resource, or at the network connections and network devices the resource relies on. For example, an adversary may send 10 Gbps of traffic to a server hosted on a network with a 1 Gbps connection to the internet. This traffic can be generated by a single system or by multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS). Many different methods of achieving such network saturation have been observed, but most fall into two main categories: Direct Network Floods and Reflection Amplification.

Several aspects of performing Network DoS attacks apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic harder to trace back to the attacking system or to enable reflection. This can make the attack harder to defend against by reducing or eliminating the effectiveness of source-address filtering on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure, or may rent time on an existing botnet to conduct an attack. In the worst cases of DDoS, so many systems are used to generate the flood that each one only needs to send a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.[4] For DoS attacks targeting the hosting system directly, see Endpoint Denial of Service.

Direct Network Flood

A Direct Network Flood is when one or more systems are used to send a high volume of network packets towards the targeted service's network. Almost any network protocol may be used for Direct Network Floods. Stateless protocols such as UDP or ICMP are commonly used, but stateful protocols such as TCP can be used as well.

Reflection Amplification

Adversaries may amplify the volume of their attack traffic by using reflection. This type of Network DoS takes advantage of a third-party server intermediary that hosts a service and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed source address of the victim. As with Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflectors may be used to focus traffic on the target.[5]

Reflection attacks often take advantage of protocols whose responses are larger than their requests in order to amplify the traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in the volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase depends on many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS[6] and NTP[7], though the use of several others in the wild has been documented.[8] In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.[9]
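The amplification factor described above, and the reflector-side control that bounds it, can be made concrete with a small in-memory model. The following is an added example written for this page, not code from MITRE ATT&CK or the translators: Datagram, Wire, OpenReflector, RateLimitedReflector and amplification_factor are hypothetical names, nothing touches a real network, and the addresses come from the RFC 5737 documentation ranges. It measures the byte ratio an open UDP service hands to a spoofed "source", then shows the same service with per-source response rate limiting (RRL), the class of control that DNS servers implement to stop being useful as amplifiers.

```python
"""In-memory model of a UDP reflector and a reflector-side response rate limit.

Added illustration, not code from MITRE ATT&CK or the translators. Nothing here
touches a network: the classes below only count bytes. Addresses are RFC 5737
documentation ranges chosen for the example.
"""
from collections import Counter
from dataclasses import dataclass

REFLECTOR = "203.0.113.53"   # the abused third-party service (constructed)
VICTIM = "198.51.100.10"     # address written into the forged source field (constructed)


@dataclass(frozen=True)
class Datagram:
    src: str    # claimed source; UDP has no handshake, so it is never verified
    dst: str
    size: int   # bytes on the wire


class Wire:
    """Stands in for the network: records how many bytes each address receives."""
    def __init__(self):
        self.rx_bytes = Counter()

    def deliver(self, d):
        self.rx_bytes[d.dst] += d.size


class OpenReflector:
    """Service that answers every request with a fixed, larger response addressed
    to whatever the request's source field claims."""
    def __init__(self, wire, response_size):
        self.wire, self.response_size = wire, response_size

    def handle(self, req):
        self.wire.deliver(Datagram(REFLECTOR, req.src, self.response_size))


class RateLimitedReflector(OpenReflector):
    """Same service with response rate limiting (RRL) per claimed source: once a
    source has used its budget for the window, further responses are dropped, so
    a forged source can pull at most `limit` responses onto the victim.
    (Single window only; a real RRL implementation resets per interval.)"""
    def __init__(self, wire, response_size, limit):
        super().__init__(wire, response_size)
        self.limit = limit
        self.answered = Counter()
        self.dropped = Counter()

    def handle(self, req):
        if self.answered[req.src] >= self.limit:
            self.dropped[req.src] += 1   # over budget: silently dropped
            return
        self.answered[req.src] += 1
        super().handle(req)


def amplification_factor(make_reflector, n_requests, request_size=60):
    """Pass n requests carrying the victim's address through a reflector and
    return (bytes the victim received, bytes the sender spent, their ratio)."""
    wire = Wire()
    reflector = make_reflector(wire)
    spent = 0
    for _ in range(n_requests):
        req = Datagram(src=VICTIM, dst=REFLECTOR, size=request_size)
        spent += req.size
        reflector.handle(req)
    received = wire.rx_bytes[VICTIM]
    return received, spent, received / spent


if __name__ == "__main__":
    # Open service: 100 x 60-byte requests become 100 x 3000-byte responses (50x).
    print(amplification_factor(lambda w: OpenReflector(w, 3000), 100))
    # With a budget of 5 responses per source the victim sees 5 responses (2.5x).
    print(amplification_factor(lambda w: RateLimitedReflector(w, 3000, 5), 100))
```

The ratio returned by amplification_factor is the quantity the page quotes for memcache (51,200x); the response_size argument is what varies by protocol. RRL does not stop the reflector from answering legitimate clients, it only caps how much any single claimed source can draw, which is why it is the standard operator-side answer to being abused as an amplifier.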

Tags

ID: T1498

Tactic: Impact

Platforms: Linux, macOS, Windows

Data Sources: Sensor health and status, Network protocol analysis, Netflow/Enclave netflow, Network intrusion detection system, Network device logs

Impact Type: Availability

Mitigations

Mitigation: Filter Network Traffic

Description: When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter the attack traffic out of the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a third party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigation. Depending on flood volume, on-premises filtering may be possible by blocking the source addresses originating the attack, blocking the ports that are being targeted, or blocking the protocols being used for transport. As immediate response may require rapid engagement of third parties, analyze the risk associated with critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.[10]

Detection

Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to impact the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness, or services provided by an upstream network service provider. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in network or service utilization. Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect a Network DoS event as it starts. Often the lead time is small, and the indicator of an event is that the availability of the network or service drops. The analysis tools mentioned can then be used to determine the type of DoS causing the outage and help with remediation.
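The detection and mitigation sections together describe one workflow: watch per-protocol volume for a sudden surge, work out which kind of DoS is behind it, then choose between on-premises filtering (by source address, port or protocol) and engaging an upstream provider once the link itself is saturated. The following added Python example (not code from MITRE ATT&CK or the translators) runs that workflow over a constructed, NetFlow-like sample. The record layout ("ts proto src sport dst dport bytes"), the thresholds SURGE_FACTOR and MAX_SOURCES_TO_BLOCK, the function names and the sample traffic are all assumptions made for the example; the reflector service ports are the ones the page names (DNS, NTP, memcache).

```python
"""Detect a network DoS from flow records, classify it, and pick a mitigation.

Added example, not from MITRE ATT&CK or the translators. Flow records, thresholds
and function names are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean

# Source ports of the services the page names as reflection amplifiers.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 11211: "memcached"}
WINDOW = 10                 # seconds per aggregation window (assumed)
SURGE_FACTOR = 5.0          # a protocol must exceed 5x its baseline mean (assumed)
MAX_SOURCES_TO_BLOCK = 16   # above this, per-address blocking is impractical (assumed)

# Constructed sample, not real telemetry. Layout: "ts proto src sport dst dport bytes".
# Windows 0-29 carry normal HTTPS plus a little DNS; window 30-39 adds 40 large UDP
# flows arriving from source port 123 (NTP) at 40 different addresses.
_BASELINE = """\
0 tcp 192.0.2.10 51000 198.51.100.10 443 600000
5 tcp 192.0.2.11 51001 198.51.100.10 443 400000
7 udp 192.0.2.53 53 198.51.100.10 40000 50000
10 tcp 192.0.2.12 51002 198.51.100.10 443 700000
15 tcp 192.0.2.13 51003 198.51.100.10 443 300000
18 udp 192.0.2.53 53 198.51.100.10 40001 50000
20 tcp 192.0.2.14 51004 198.51.100.10 443 500000
25 tcp 192.0.2.15 51005 198.51.100.10 443 500000
27 udp 192.0.2.53 53 198.51.100.10 40002 50000
30 tcp 192.0.2.16 51006 198.51.100.10 443 1000000
"""
_SURGE = "\n".join(
    f"{30 + i % 10} udp 203.0.113.{i} 123 198.51.100.10 {40000 + i} 150000"
    for i in range(1, 41))
SAMPLE_FLOWS = _BASELINE + _SURGE


def parse_flows(text):
    """Parse the simplified flow export into one dict per record."""
    fields = ("ts", "proto", "src", "sport", "dst", "dport", "bytes")
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(fields, line.split()))
        for k in ("ts", "sport", "dport", "bytes"):
            rec[k] = int(rec[k])
        flows.append(rec)
    return flows


def bytes_per_window(flows, window=WINDOW):
    """window_start -> Counter(proto -> bytes). Per-protocol, not just a total,
    because the page's indicator is a surge in one type of protocol."""
    per = defaultdict(Counter)
    for f in flows:
        per[(f["ts"] // window) * window][f["proto"]] += f["bytes"]
    return per


def detect_surges(per_window, baseline_windows, factor=SURGE_FACTOR):
    """Return (window, proto, ratio) wherever a protocol's volume jumps to at
    least `factor` times its mean over the baseline windows."""
    protos = {p for w in per_window.values() for p in w}
    base = {p: mean(per_window[w][p] for w in baseline_windows) for p in protos}
    surges = []
    for w in sorted(per_window):
        if w in baseline_windows:
            continue
        for p in sorted(protos):
            vol = per_window[w][p]
            ratio = vol / base[p] if base[p] else float("inf")
            if vol and ratio >= factor:
                surges.append((w, p, ratio))
    return surges


def classify_surge(flows, window_start, proto, window=WINDOW):
    """Direct flood vs reflection amplification, plus the facts a filter needs:
    how many sources, the dominant source port, and the offered load in bit/s."""
    surge = [f for f in flows
             if window_start <= f["ts"] < window_start + window and f["proto"] == proto]
    total = sum(f["bytes"] for f in surge)
    by_sport = Counter()
    for f in surge:
        by_sport[f["sport"]] += f["bytes"]
    reflector_share = sum(b for p, b in by_sport.items() if p in REFLECTOR_PORTS) / total
    top_sport = by_sport.most_common(1)[0][0]
    return {
        "proto": proto,
        "kind": "reflection amplification" if reflector_share >= 0.8 else "direct network flood",
        "sources": len({f["src"] for f in surge}),
        "top_sport": top_sport,
        "service": REFLECTOR_PORTS.get(top_sport),
        "bps": total * 8 / window,
    }


def recommend(report, link_capacity_bps):
    """Map the report onto the page's mitigation options."""
    if report["bps"] >= link_capacity_bps:
        return "link saturated: engage upstream ISP / CDN / DoS-mitigation provider"
    if report["sources"] <= MAX_SOURCES_TO_BLOCK:
        return "on-premises: block the attacking source addresses"
    if report["kind"] == "reflection amplification":
        return (f"on-premises: drop inbound {report['proto']} from source port "
                f"{report['top_sport']} ({report['service']}) at the edge")
    return f"on-premises: rate-limit or block the {report['proto']} protocol at the edge"


def analyze(text, baseline_windows, link_capacity_bps):
    """Full pass: parse, find surges, classify each, pick a mitigation."""
    flows = parse_flows(text)
    per = bytes_per_window(flows)
    results = []
    for w, proto, ratio in detect_surges(per, baseline_windows):
        report = classify_surge(flows, w, proto)
        report["window"], report["ratio"] = w, ratio
        results.append((report, recommend(report, link_capacity_bps)))
    return results


if __name__ == "__main__":
    for report, action in analyze(SAMPLE_FLOWS, [0, 10, 20], 100_000_000):
        print(report, "->", action)
```

On the sample, the UDP volume in window 30 is 120 times its baseline while TCP stays flat, the surge arrives almost entirely from source port 123 across 40 addresses, and at 4.8 Mbit/s it is well inside a 100 Mbit/s link, so the recommendation is a source-port filter at the edge rather than address blocks; rerun with a 1 Mbit/s link and the same report yields the upstream-engagement answer, the point the mitigation section makes about planning that engagement in advance.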
