ATT&CK-CN V1.01 Last Update: 2019-11 [Back to index]

Translators: Lin Miaoqian (林妙倩, cybersecurity intern, Institute for Network Sciences and Cyberspace, Tsinghua University), Dai Yilun (戴亦仑, 赛宁网安 / Cyberpeace). Original translation; obtain the translators' consent before republishing.

Data source: ATT&CK Matrices

Original: https://attack.mitre.org/techniques/T1499

Glossary: /attack/glossary

Endpoint Denial of Service

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or by exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes[1] and to support other malicious activities, including distraction[2], hacktivism, and extortion.[3]

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack hosted on the system used to provide the service. These layers include the operating system (OS); server applications such as web servers, DNS servers, and databases; and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks unique to the respective components. A DoS attack may be generated by a single system or by multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by source address on network defense devices.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure, or may rent time on an existing botnet to conduct an attack. In some of the worst cases of DDoS, so many systems are used to generate requests that each one only needs to send a small amount of traffic to produce enough volume to exhaust the target's resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.

In cases where traffic manipulation is used, there may be points in the global network (such as high-traffic gateway routers) where packets can be altered, causing legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship, where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.[5]

For attacks attempting to saturate the providing network, see the Network Denial of Service technique.

OS Exhaustion Flood

Since operating systems (OSs) are responsible for managing the finite resources on a system, they can be a target for DoS. These attacks do not need to exhaust the actual resources on a system, since they can simply exhaust the limits that an OS imposes on itself to prevent the entire system from being overwhelmed by excessive demands on its capacity. Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.

SYN Flood

With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Each half-open connection occupies a slot in the listening socket's backlog until the handshake completes or the entry times out. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.

ACK Flood

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets is sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS has to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.

Service Exhaustion Flood

Different network services provided by systems are targeted in different ways to conduct a DoS. Adversaries often target DNS and web servers, but other services have been targeted as well.[6] Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

Simple HTTP Flood

A large number of HTTP requests can be issued to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.

SSL Renegotiation Attack

SSL Renegotiation Attacks take advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made to renegotiate the cryptographic parameters. In a renegotiation attack, the adversary establishes an SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because each cryptographic renegotiation has a meaningful cost in computation cycles, and that cost is asymmetric (a full handshake is typically more expensive for the server, which performs the private-key operation, than for the client), a single client can impose disproportionate load, and when done in volume this can cause an impact to the availability of the service. TLS 1.3 removes renegotiation entirely; on earlier versions, disabling client-initiated renegotiation closes this vector.

Application Exhaustion Flood

Web applications that sit on top of web server stacks can be targeted for DoS. Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust resources and deny access to the application or the server itself.

Application or System Exploitation

Software vulnerabilities exist that, when exploited, can cause an application or system to crash and deny availability to users. Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.

Procedure Examples

Name Description
ZxShell ZxShell has a feature to perform a SYN flood attack on a host. [13] [14]

Mitigations

Mitigation Description
Filter Network Traffic Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigation to filter traffic upstream of the services. Filter boundary traffic by blocking the source addresses originating the attack, blocking the ports being targeted, or blocking the protocols being used for transport. Source-address filtering loses effectiveness when the sources are spoofed or when the attack is spread across a large botnet. To defend against SYN floods, enable SYN cookies. [12]

Detection

Detection of Endpoint DoS can sometimes be achieved before the effect is sufficient to cause significant impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness. Typical network throughput monitoring tools such as netflow, SNMP, and custom scripts can be used to detect sudden increases in circuit utilization.[15] Real-time, automated, and qualitative study of the network traffic can identify a sudden surge in one type of protocol, which can be used to detect an attack as it starts.

In addition to network-level detections, endpoint logging and instrumentation can be useful for detection. Attacks targeting web applications may generate logs in the web server, application server, and/or database server that can be used to identify the type of attack, possibly before the impact is felt.

Externally monitor the availability of services that may be targeted by an Endpoint DoS.
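As an added example (not part of the ATT&CK page), the following Python sketches the two detection angles above: a netflow-style check for a sudden surge of SYN-only flows relative to the previous window, which is the protocol-level signature of the SYN flood described earlier, and a web-server access-log check for a single client hammering one path, which is what an application exhaustion flood leaves behind on the endpoint. The flow records and log lines are constructed inline; the window size and thresholds are arbitrary starting points, not recommended values.

```python
import re
from collections import Counter, defaultdict

# --- Network level: surge of SYN-only TCP flows in netflow-style records ---

def syn_only(flow):
    """A single-packet flow carrying only the SYN flag never completed its handshake."""
    return flow["proto"] == "tcp" and flow["flags"] == "S" and flow["packets"] == 1


def syn_surge(flows, window=10, ratio=5.0, min_count=50):
    """Bucket flows into fixed windows of `window` seconds and alert when the
    SYN-only count is at least `ratio` times the previous window's and at least
    `min_count`. Returns (window_start, previous_count, current_count) per alert."""
    if not flows:
        return []
    per_window = defaultdict(int)
    for flow in flows:
        if syn_only(flow):
            per_window[flow["ts"] // window] += 1
    first = min(f["ts"] for f in flows) // window
    last = max(f["ts"] for f in flows) // window
    alerts, prev = [], None
    for b in range(first, last + 1):            # walk every window, including empty ones
        cur = per_window.get(b, 0)
        if prev is not None and cur >= min_count and cur >= ratio * max(prev, 1):
            alerts.append((b * window, prev, cur))
        prev = cur
    return alerts


# --- Endpoint level: one client hammering an expensive path, from web server logs ---

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)


def app_flood_offenders(lines, threshold=20):
    """Count requests per (client, path without query string) and return the
    (ip, path, count) triples at or above `threshold`, most active first."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m:                                   # skip lines that are not in Common Log Format
            counts[(m["ip"], m["path"].split("?", 1)[0])] += 1
    return [(ip, path, n) for (ip, path), n in counts.most_common() if n >= threshold]


def constructed_flows():
    """Constructed netflow-like records: 30 s of normal traffic, then a 10 s SYN flood."""
    flows = []
    for ts in range(30):
        for k in range(4):                      # completed connections from real clients
            flows.append({"ts": ts, "src": f"192.0.2.{k + 1}", "dport": 443,
                          "proto": "tcp", "flags": "SPA", "packets": 12})
        if ts % 5 == 0:                         # an occasional lone SYN is normal background
            flows.append({"ts": ts, "src": "192.0.2.99", "dport": 443,
                          "proto": "tcp", "flags": "S", "packets": 1})
    for i in range(400):                        # spoofed sources, 40 SYN-only flows per second
        flows.append({"ts": 30 + i % 10, "src": f"198.51.100.{i % 254 + 1}", "dport": 443,
                      "proto": "tcp", "flags": "S", "packets": 1})
    return flows


def constructed_access_log():
    """Constructed Common Log Format lines: three normal clients and one client
    issuing 60 requests to a search endpoint within the same minute."""
    fmt = '{ip} - - [10/Nov/2019:12:00:{s:02d} +0000] "GET {path} HTTP/1.1" 200 {n}'
    lines = [fmt.format(ip=f"192.0.2.{k}", s=k, path=p, n=512)
             for k in (1, 2, 3) for p in ("/", "/about", "/search?q=cats")]
    lines += [fmt.format(ip="203.0.113.77", s=i % 60, path=f"/search?q=term{i}", n=20480)
              for i in range(60)]
    return lines


if __name__ == "__main__":
    print(syn_surge(constructed_flows()))                  # [(30, 2, 400)]
    print(app_flood_offenders(constructed_access_log()))   # [('203.0.113.77', '/search', 60)]
```

Both checks compare against the traffic's own recent history rather than a fixed number, which matters for the botnet case above: when each bot sends only a little, per-source counts stay low and the surge is visible only in the aggregate, so the flow check should also be run without grouping by source.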