CN118713841A - A method and device for monitoring distributed denial of service attacks - Google Patents
Publication number: CN118713841A (application CN202310258119.8A). Authority: CN (China). Legal status: pending.
Prior art keywords: information, attack, central control, ddos, control server
Classifications:
- H04L63/1458 Countermeasures against malicious traffic: Denial of Service
- H04L63/145 Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L67/10 Protocols in which an application is distributed across nodes in the network
- H04L67/141 Setup of application sessions
- H04L2463/144 Detection or countermeasures against botnets
Abstract
The present application provides a method for monitoring distributed denial of service (DDoS) attacks. The method includes: obtaining multiple kinds of DDoS bot Trojan samples and analysing each kind of sample to obtain the address information and communication protocol information of the central control server of the corresponding botnet; establishing a communication connection with the central control server based on that address information and communication protocol information; receiving the DDoS attack instructions sent by the central control server; and analysing the DDoS attack instructions to obtain DDoS attack information. The DDoS monitoring method provided by the present application emulates a zombie host's communication with the central control server, obtains the DDoS attack instructions the server issues, derives the DDoS attack information by analysing those instructions, and so learns of the attack before the DDoS attack traffic arrives, improving the accuracy of DDoS attack monitoring.
Description
Technical Field
The present application relates to the field of communication technology, and in particular to a method and device for monitoring distributed denial of service attacks.
Background Art
A distributed denial of service (DDoS) attack is a malicious act that floods a target server or its surrounding infrastructure with large volumes of Internet traffic in order to disrupt the normal traffic of the target server, service or network.
A DDoS attack uses multiple compromised computer systems as the sources of its attack traffic. The machines used may be computers or other networked resources, such as IoT devices.
Broadly speaking, a DDoS attack is like a traffic jam on a highway that prevents regular vehicles from reaching their destinations.
DDoS attacks are carried out through networks of Internet-connected computers. These networks consist of computers and other devices (for example IoT devices) that have been infected with malware and can therefore be remotely controlled by an attacker. Each such device is called a zombie host (or bot), and a group of zombie hosts forms a botnet.
Once a botnet has been established, the attacker can launch an attack by sending remote instructions to each zombie host. When the botnet targets a victim's server or network, each zombie host sends requests to the target's IP address, which can overwhelm the server or network and cause a denial of service for legitimate traffic.
Because each zombie host is a legitimate Internet device, attack traffic can be difficult to distinguish from normal traffic.
Summary of the Invention
Embodiments of the present application provide a method and device for monitoring distributed denial of service attacks that reduce the false alarm rate of DDoS attack detection and improve the accuracy of DDoS attack monitoring.
In a first aspect, an embodiment of the present application provides a method for monitoring a distributed denial of service attack, comprising: obtaining multiple kinds of DDoS bot Trojan samples, analysing each kind of sample, and obtaining the address information and communication protocol information of the central control server of the corresponding botnet; establishing a communication connection with the central control server based on that address information and communication protocol information; receiving DDoS attack instructions sent by the central control server; analysing the DDoS attack instructions to obtain DDoS attack information; and monitoring DDoS attacks in the network based on the DDoS attack information.
DDoS bot Trojan samples can be obtained in many ways, for example in bulk by means of crawlers, purchased threat intelligence, and so on.
In the DDoS monitoring method provided by the present application, analysing a DDoS bot Trojan sample yields the central control server address and communication protocol of the botnet the sample belongs to; a zombie host is emulated according to that protocol to communicate with the central control server and obtain the DDoS attack instructions it issues; the instructions are analysed to obtain DDoS attack information; and DDoS attacks in the network are monitored on the basis of that information, improving the accuracy of DDoS attack monitoring.
In one possible implementation, establishing a communication connection with the central control server based on its address information and communication protocol information is specifically: determining a zombie host emulation program based on the address information and communication protocol information of the central control server; and loading and running the zombie host emulation program to establish a communication connection with the central control server.
The zombie host emulation program is determined from the botnet's communication protocol information and the central control server address obtained by analysing the DDoS bot Trojan, and the emulated zombie host establishes a communication connection with the central control server so that attack instructions can be obtained.
In one possible implementation, loading and running the zombie host emulation program and establishing a communication connection with the central control server is specifically: packaging the zombie host emulation program as a plug-in to obtain a zombie host emulation plug-in; building a first container image that includes an agent program, where the agent program loads the zombie host emulation plug-in; and running the first container image to establish a communication connection with the central control server.
In this possible implementation, packaging the zombie host emulation program as a plug-in makes it convenient to load into a process dynamically, and containerising the emulation program uses fewer physical resources and starts faster.
In another possible implementation, the central control server address information includes the domain name and communication port of the central control server, or the IP address and communication port of the central control server.
In another possible implementation, the communication protocol information includes one or more of handshake information, heartbeat information, attack instruction information and attack payload information.
In another possible implementation, the attack information includes one or more of attack target information, attack payload information, attack event information and attack duration information.
In one example, the distributed denial of service attack monitoring method provided by the present application further includes determining the attack target node based on the attack target information and sending a DDoS early warning to the attack target node. That is, before the DDoS attack arrives, an attack warning is sent to the target so that the target can deal with the attack, improving the efficiency of DDoS attack response and handling.
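The two steps above (turning a received attack instruction into attack information, then warning the target's owner) as an added example that is not part of the patent: the `ATK` wire format, payload codes and owner directory are all constructed for illustration, standing in for what sample analysis of a real family would recover.

```python
import ipaddress
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

# Constructed: payload codes the C2 uses, mapped to the attack types the
# patent names (SYN flood, UDP flood) plus an HTTP flood.
PAYLOAD_CODES = {"1": "syn_flood", "2": "udp_flood", "3": "http_flood"}

# Constructed wire format, assumed to have been recovered from sample analysis:
#   ATK <target_ip>:<port> <payload_code> <duration_seconds>
CMD_RE = re.compile(
    r"^ATK (?P<ip>[0-9.]+):(?P<port>\d{1,5}) (?P<code>\d+) (?P<dur>\d+)$"
)

# Constructed owner directory: whom to warn for which address range.
OWNER_DIRECTORY: Dict[str, str] = {
    "203.0.113.0/24": "example-hosting-noc",
    "198.51.100.0/24": "example-isp-soc",
}


@dataclass
class AttackInfo:
    target_ip: str
    target_port: int
    payload: str
    duration_s: int
    event: str  # the raw instruction, kept as the attack event record


def parse_attack_instruction(raw: str) -> Optional[AttackInfo]:
    """Turn one captured C2 instruction into structured attack information.

    Returns None for anything that does not match the recovered format, so a
    malformed or unknown instruction never produces a warning."""
    m = CMD_RE.match(raw.strip())
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:
        return None
    port = int(m["port"])
    if port > 65535:
        return None
    payload = PAYLOAD_CODES.get(m["code"])
    if payload is None:
        return None  # unknown payload code: protocol knowledge is incomplete
    return AttackInfo(str(ip), port, payload, int(m["dur"]), raw.strip())


def find_owner(ip: str) -> Optional[str]:
    """Map a target address to its owner through the (constructed) directory."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in OWNER_DIRECTORY.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


def build_warning(info: AttackInfo, issued_at: float) -> Optional[dict]:
    """Produce the early-warning record for the target's owner.

    Returns None when no owner is known; the attack info is still recorded by
    the caller, only the notification step is skipped."""
    owner = find_owner(info.target_ip)
    if owner is None:
        return None
    return {
        "owner": owner,
        "target": f"{info.target_ip}:{info.target_port}",
        "payload": info.payload,
        "expected_end": issued_at + info.duration_s,
        "source": "c2-instruction",
    }


def process_instructions(raw_lines: List[str], issued_at: float) -> dict:
    """Batch helper: parsed attack infos plus the warnings to dispatch."""
    infos = [i for i in (parse_attack_instruction(l) for l in raw_lines) if i]
    warnings = [w for w in (build_warning(i, issued_at) for i in infos) if w]
    return {"attacks": [asdict(i) for i in infos], "warnings": warnings}
```

The parser rejects rather than guesses on any field it cannot validate, which keeps a garbled or hostile instruction from the C2 from turning into a false warning.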
In another possible implementation, the distributed denial of service attack monitoring method provided by the present application further includes: broadcasting a connection request based on the communication protocol information; and determining a network node whose response to the connection request conforms to the communication protocol to be a central control server of the botnet.
For example, the communication protocol between the botnet and the central control server, such as its specific handshake and heartbeat exchanges, is used to attempt connections to public IP addresses and communication ports on the Internet. If a response conforming to the protocol is received, the responding server is determined to be a new central control server. In other words, the Internet address space is probed using the communication protocol, so that more central control servers are discovered and the DDoS attack discovery rate improves.
In another possible implementation, the distributed denial of service attack monitoring method provided by the present application further includes: monitoring traffic in the network based on the communication protocol information; and determining the network node corresponding to traffic that matches the communication protocol information to be a zombie host.
In this possible implementation, a traffic monitoring model is generated from the discovered communication protocol between the botnet and the central control server, and traffic at the network boundary is monitored with it to discover zombie hosts present in the system.
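The boundary traffic monitoring just described, as an added example that is not part of the patent: a protocol signature (handshake prefix, heartbeat message and period, known C2 endpoints) is matched against per-flow observations, and a host scores as a zombie when enough independent indicators agree. The family name, signature bytes, addresses and flow records are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ProtocolSignature:
    family: str
    handshake_prefix: bytes             # first bytes a bot sends after connecting
    heartbeat: bytes                    # fixed keep-alive message
    heartbeat_period_s: float           # nominal interval between keep-alives
    c2_endpoints: Set[Tuple[str, int]]  # (ip, port) pairs learned from samples


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    times: List[float]     # timestamps of payload-bearing packets from src
    payloads: List[bytes]  # the corresponding payloads, same order


def _periodic(times: List[float], period: float,
              tol: float = 0.25, min_beats: int = 3) -> bool:
    """True if at least min_beats gaps lie within tol of the nominal period."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    lo, hi = period * (1 - tol), period * (1 + tol)
    return sum(lo <= g <= hi for g in gaps) >= min_beats


def score_flow(flow: Flow, sig: ProtocolSignature) -> Tuple[int, List[str]]:
    """Score one flow against one family's signature; returns (score, reasons)."""
    score, reasons = 0, []
    if (flow.dst, flow.dport) in sig.c2_endpoints:
        score += 2
        reasons.append("known_c2_endpoint")
    if flow.payloads and flow.payloads[0].startswith(sig.handshake_prefix):
        score += 2
        reasons.append("handshake_match")
    beats = [t for t, p in zip(flow.times, flow.payloads) if p == sig.heartbeat]
    if _periodic(beats, sig.heartbeat_period_s):
        score += 1
        reasons.append("periodic_heartbeat")
    return score, reasons


def find_bots(flows: List[Flow],
              sigs: List[ProtocolSignature]) -> Dict[str, List[dict]]:
    """Suspected zombie hosts keyed by source address, with the evidence."""
    found: Dict[str, List[dict]] = defaultdict(list)
    for flow in flows:
        for sig in sigs:
            score, reasons = score_flow(flow, sig)
            if score < 2:  # a lone heartbeat lookalike is not enough on its own
                continue
            found[flow.src].append({
                "family": sig.family,
                "c2": f"{flow.dst}:{flow.dport}",
                "confidence": "high" if score >= 4 else "medium",
                "reasons": reasons,
            })
    return dict(found)


# Constructed signature for a hypothetical family.
SIGNATURES = [
    ProtocolSignature(
        family="constructed-family-A",
        handshake_prefix=b"JOIN:",
        heartbeat=b"PING\n",
        heartbeat_period_s=60.0,
        c2_endpoints={("198.51.100.7", 5555)},
    )
]

# Constructed flow records as a boundary sensor might summarise them.
FLOWS = [
    # an infected host: known C2, handshake, keep-alives roughly every 60 s
    Flow("10.0.0.5", "198.51.100.7", 5555,
         [0.0, 60.0, 121.0, 179.0, 240.0],
         [b"JOIN:dev42", b"PING\n", b"PING\n", b"PING\n", b"PING\n"]),
    # an ordinary TLS client hello to a web server: no match at all
    Flow("10.0.0.8", "198.51.100.20", 443, [0.0], [b"\x16\x03\x01\x02\x00"]),
    # same handshake towards an address not yet on the C2 list: a candidate new C2
    Flow("10.0.0.9", "203.0.113.44", 5555, [0.0, 61.0], [b"JOIN:dev7", b"PING\n"]),
]
```

A medium-confidence hit against an unlisted destination is also how the C2 list itself grows: the destination becomes a candidate for the protocol-conformance check described above.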
In another possible implementation, the distributed denial of service attack monitoring method provided by the present application further includes displaying the monitoring results. The monitoring results include one or more of: the geographic distribution of central control servers, the number of DDoS attacks, botnet host information, DDoS attack times, the geographic distribution of attacked targets, the owners of attacked targets, the number of times each target was attacked, and the times at which each target was attacked. Displaying this DDoS attack information lets the user understand the DDoS attacks that have been detected.
Optionally, the distributed denial of service attack monitoring method provided by the present application can be implemented with one or more container instances, so as to occupy as few physical resources as possible and start more quickly.
Of course, in other examples the method can also be implemented with one or more physical machines, one or more virtual machines, or a combination of containers, physical machines and virtual machines.
In a second aspect, an embodiment of the present application provides a device for monitoring distributed denial of service attacks, comprising an acquisition module, a first analysis module, a communication module and a second analysis module. The acquisition module obtains multiple kinds of DDoS bot Trojan samples; the first analysis module analyses the DDoS bot Trojan samples to obtain the address information and communication protocol information of the central control server of the corresponding botnet; the communication module establishes a communication connection with the central control server based on that address information and communication protocol information, and receives the DDoS attack instructions sent by the central control server; and the second analysis module analyses the DDoS attack instructions to obtain DDoS attack information.
In one possible implementation, the communication module is specifically configured to: determine a zombie host emulation program based on the address information and communication protocol information of the central control server; and load and run the zombie host emulation program to establish a communication connection with the central control server.
In another possible implementation, loading and running the zombie host emulation program and establishing a communication connection with the central control server includes: packaging the zombie host emulation program as a plug-in to obtain a zombie host emulation plug-in; building a first container image that includes an agent program, where the agent program loads the zombie host emulation plug-in; and running the first container image to establish a communication connection with the central control server.
In another possible implementation, the central control server address information includes the domain name and communication port of the central control server, or the IP address and communication port of the central control server.
In another possible implementation, the communication protocol information includes one or more of handshake information, heartbeat information, attack instruction information and attack payload information.
In another possible implementation, the attack information includes one or more of attacked target information, attack payload information, attack event information and attack duration information.
In another possible implementation, the distributed denial of service attack monitoring device provided by the present application further includes a determination module and an early warning module. The determination module determines the owner of the attacked target based on the attacked target information, and the early warning module sends a DDoS early warning to the owner of the attacked target.
In another possible implementation, the distributed denial of service attack monitoring device provided by the present application further includes a broadcast module. The broadcast module broadcasts a connection request based on the communication protocol information, and the determination module determines a network node whose response to the connection request conforms to the communication protocol to be a central control server of the botnet.
In another possible implementation, the distributed denial of service attack monitoring device provided by the present application further includes a monitoring module. The monitoring module monitors traffic in the network based on the communication protocol information, and the determination module further determines the network node corresponding to traffic that matches the communication protocol information to be a zombie host.
In another possible implementation, the distributed denial of service attack monitoring device provided by the present application further includes a display module that displays the monitoring results. The monitoring results include one or more of: the geographic distribution of central control servers, the number of DDoS attacks, botnet host information, DDoS attack times, the geographic distribution of attacked targets, the owners of attacked targets, the number of times each target was attacked, and the times at which each target was attacked.
In one example, the distributed denial of service attack monitoring method is implemented with one or more container instances, one or more physical hosts, or one or more virtual machines.
In a third aspect, an embodiment of the present application provides a computing device comprising a memory and a processor, the memory storing instructions which, when executed by the processor, cause the method of the first aspect to be implemented.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, causes the method of the first aspect to be implemented.
In a fifth aspect, an embodiment of the present application further provides a computer program or computer program product comprising instructions which, when executed, cause a computer to perform the method of the first aspect.
In a sixth aspect, an embodiment of the present application further provides a chip comprising at least one processor and a communication interface, the processor being configured to perform the method of the first aspect.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic diagram of a DDoS attack scenario;
FIG. 2 is a schematic diagram of how a DDoS attack monitoring device provided in an embodiment of the present application performs DDoS attack monitoring;
FIG. 3 is a flow chart of a DDoS attack monitoring method provided in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of a DDoS attack monitoring device provided in an embodiment of the present application;
FIG. 5 is a schematic structural diagram of a computing device provided in an embodiment of the present application;
FIG. 6 is a schematic diagram of a computing device cluster provided in an embodiment of the present application;
FIG. 7 is a schematic diagram of an application scenario of the computing device cluster of FIG. 6.
DETAILED DESCRIPTION
To better introduce the embodiments of the present application, the relevant concepts are first explained below.
Botnet: a hacker uses a self-written distributed denial of service attack program to organise tens of thousands of compromised machines, commonly called puppet machines (also called zombie hosts) or "zombies", under command and control nodes, and uses them to send forged or junk packets so that the chosen target is paralysed and "denies service".
Zombie host: commonly called a "zombie" or "puppet machine", an Internet-connected computer that has been infected with malware and is controlled by a hacker. It can at any time launch a denial of service (DoS) attack or send spam according to instructions issued by the hacker's control node.
DDoS attack: distributed denial of service attack. When a hacker uses two or more compromised computers on the network as "zombies" to launch a "denial of service" attack against a specific target, the attack is called a distributed denial of service attack.
Central control server: a server controlled by the hacker that issues control commands of various types to the zombie hosts.
Attack payload: the meaning of "attack payload" differs slightly between contexts. In a DDoS botnet, the attack payload is the attack method to be used against the target, as carried in the attack instruction issued by the central control server, for example a SYN flood (a flood of SYN packets) or a UDP flood (a flood of UDP packets).
Container: a lightweight virtualisation technology used to share server resources. Container technology provides a virtual execution environment for a process; one container provides one virtual execution environment, which can be bound to specific central processing unit (CPU) and memory nodes, be allocated a specific share of CPU time and input/output (IO) time, have its usable memory limited, and be given device access control. Compared with virtual machines, containers are lighter, easier to distribute, higher-performing and incur less overhead.
Container image: a special read-only file that provides the programs, libraries, resources and configuration a container needs at run time and contains no dynamic data. A container image includes one or more of the following: user information, applications and drivers. It has a layered structure of multiple read-only layers, including one or more of a base image layer, an application layer and user-defined layers. A union file system (UFS) combines the read-only layers into a single container image.
A container is an instance created from a container image; the instance is an object that includes the user configuration and run-time configuration needed to realise the functions of the image. Provisioning a container from an image may add a read-write layer on top of the image's read-only layers, and the read-only layers and the read-write layer can be combined into one container by union mount (UM) technology.
Related art commonly uses statistical detection schemes: the data entering the network is analysed statistically, an acceptable threshold range is set for each data type, and data outside the threshold range may be judged to be a DDoS attack.
For example, packets entering the network are intercepted and analysed to obtain the packet type, IP address, port and other information; the obtained information is then aggregated to compute the proportion of the total data volume per unit of time that each data type accounts for, and an acceptable threshold range is set for each type. When the data exceeds the threshold range, it is passed to an attack analysis module and, possibly, a DDoS attack warning is issued.
However, statistical detection methods need long learning periods, it is hard to guarantee that the learning data contains attack data, and the resulting thresholds may be inaccurate. Secondly, traffic types are strongly correlated with the specific business, so it is hard to form a general-purpose detection method. Thirdly, statistical DDoS attack detection has a relatively high error rate.
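The per-type proportion scheme of the related art, as an added example that is not part of the patent: thresholds are learned from training windows as mean share plus or minus k standard deviations, and a window is flagged when any type's share leaves its range. The constructed counts also reproduce the first weakness named above: a learning period that happens to contain attack traffic stretches the learned range until the same attack is no longer flagged.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Window = Dict[str, int]  # packet counts per traffic type in one unit of time


def proportions(window: Window) -> Dict[str, float]:
    """Share of the window's total volume taken by each traffic type."""
    total = sum(window.values())
    return {t: c / total for t, c in window.items()} if total else {}


def learn_thresholds(training: List[Window],
                     k: float = 3.0) -> Dict[str, Tuple[float, float]]:
    """Per traffic type, an acceptable share range of mean +/- k std devs,
    clipped to [0, 1] because a share cannot leave that interval."""
    types = set().union(*(w.keys() for w in training))
    thresholds = {}
    for t in sorted(types):
        shares = [proportions(w).get(t, 0.0) for w in training]
        mu, sd = mean(shares), pstdev(shares)
        thresholds[t] = (max(0.0, mu - k * sd), min(1.0, mu + k * sd))
    return thresholds


def detect(window: Window,
           thresholds: Dict[str, Tuple[float, float]]) -> List[str]:
    """Traffic types whose share in this window falls outside the learned range."""
    p = proportions(window)
    return sorted(t for t, (lo, hi) in thresholds.items()
                  if not lo <= p.get(t, 0.0) <= hi)


# Constructed counts: five clean training windows for one business profile,
# then the same profile under a SYN flood.
CLEAN_TRAINING: List[Window] = [
    {"tcp_syn": 50, "udp": 200, "http": 750},
    {"tcp_syn": 60, "udp": 190, "http": 750},
    {"tcp_syn": 45, "udp": 210, "http": 745},
    {"tcp_syn": 55, "udp": 205, "http": 740},
    {"tcp_syn": 50, "udp": 195, "http": 755},
]
ATTACK_WINDOW: Window = {"tcp_syn": 4000, "udp": 200, "http": 750}

# Constructed: the learning period included two windows of flood traffic,
# so the learned SYN range widens to cover it.
POISONED_TRAINING: List[Window] = CLEAN_TRAINING + [
    {"tcp_syn": 3800, "udp": 200, "http": 750},
    {"tcp_syn": 4200, "udp": 210, "http": 740},
]
```

With the clean baseline the flood window is flagged on every type (the SYN share jumps to roughly 0.81 while the other shares collapse); with the poisoned baseline the same window passes, which is the inaccuracy of learned thresholds the text describes.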
In view of the above problems, an embodiment of the present application provides a method for monitoring distributed denial of service attacks. DDoS bot Trojan samples are analysed to obtain the address information and communication protocol information of the central control server of the corresponding botnet; using that address information and communication protocol information, a zombie host's communication with the central control server is emulated so as to obtain the DDoS attack instructions the server issues; the instructions are analysed to obtain DDoS attack information; and DDoS attacks in the network are monitored on the basis of that information, improving the accuracy of DDoS attack monitoring.
The technical solution of the present application is described in further detail below with reference to the drawings and embodiments.
FIG. 1 is a schematic diagram of a DDoS attack scenario. As shown in FIG. 1, an attacker (for example a hacker) uses a self-written DDoS attack program to infect multiple computing devices in the network, including but not limited to computers, smartphones and smart wearables on the Internet, turning them into zombie hosts (also called "zombies" or "puppet machines"). The infected zombie hosts together form a botnet. The attacker uses the central control server to issue attack instructions to the zombie hosts, and the zombie hosts send attack traffic to the attack target (the attacked device in the figure) according to those instructions, paralysing the attacked device and achieving a "denial of service".
The DDoS attack monitoring method and device provided in the embodiments of the present application are used to monitor attack traffic in a network, so that DDoS attacks can be monitored in real time and even anticipated minutes in advance, and the DDoS attacks detected are highly accurate, for example with an accuracy rate of 100%.
FIG. 2 is a schematic diagram of how a DDoS attack monitoring device provided in an embodiment of the present application performs DDoS attack monitoring. As shown in FIG. 2, the DDoS attack monitoring device first collects bot samples (short for bot Trojan samples) to obtain samples of multiple kinds (that is, samples of multiple bot families), then reverse-engineers each sample to obtain the central control server address information and communication protocol information of the botnet that sample belongs to. Based on that address information and communication protocol information, a corresponding zombie host emulation program is developed for each sample, and the different emulation programs communicate with their respective central control servers while posing as zombie hosts. When a botnet's central control server issues a DDoS attack instruction, DDoS attack intelligence is obtained; DDoS attacks in the network are then monitored on the basis of that intelligence, improving the accuracy of DDoS attack monitoring and yielding DDoS attack intelligence in real time or before the DDoS traffic arrives.
图3为本申请实施例提供的一种DDoS攻击的监测方法的流程图。该方法可以在图2所示的DDoS攻击的监测装置中执行,DDoS攻击的监测装置可以是任何具有计算能力的装置、设备、平台或设备集群。本申请对DDoS攻击的监测装置的具体实现设备不做具体限定,可根据需要选择合适的计算设备实现。如图3所示,本申请实施例提供的DDoS攻击的监测方法包括步骤S301至步骤S305。FIG3 is a flow chart of a method for monitoring a DDoS attack provided in an embodiment of the present application. The method can be executed in the monitoring device for a DDoS attack shown in FIG2 , and the monitoring device for a DDoS attack can be any device, equipment, platform or device cluster with computing capabilities. The present application does not specifically limit the specific implementation device of the monitoring device for a DDoS attack, and a suitable computing device can be selected as needed. As shown in FIG3 , the method for monitoring a DDoS attack provided in an embodiment of the present application includes steps S301 to S305.
In step S301, multiple kinds of DDoS bot Trojan samples are obtained.
In one example, multiple kinds of DDoS bot Trojan samples are obtained; the multiple kinds may also be referred to as multiple botnet families. Each kind of DDoS bot Trojan sample uses a specific communication protocol to communicate with a specific central control server.
There are many ways to obtain DDoS bot Trojan samples. For example, samples may be crawled from the Internet using web crawler technology, such as periodically crawling DDoS bot Trojan samples from open sample repositories or commercial sites such as VirusShare, Bazaar or VirusTotal; or they may be obtained by purchasing a service; or by exchange with friendly vendors; or samples from the live network may be obtained through a cloud service. The embodiments of the present application do not limit the specific way in which the samples are obtained.
In step S302, the DDoS bot Trojan samples are analyzed to obtain the address information and communication protocol information of the central control server of the corresponding botnet.
Each kind of DDoS bot Trojan sample is analyzed to obtain the address information and communication protocol information of the central control server of the corresponding botnet.
For example, the address of the botnet's central control server and the communication protocol between the botnet and the central control server (i.e. between the bot hosts in the botnet and the central control server) are obtained by reverse engineering.
Alternatively, the address and protocol information may be obtained by automated analysis. For example, there are many kinds of botnets; samples from some different families share the same communication protocol but may use different central control servers, and the addresses of those servers are stored at the same location in the sample and encrypted in the same way. The data segment holding the central control server address can then be extracted and decrypted automatically, so the address information can be obtained by writing an automated analysis script.
Optionally, the central control server address information obtained for a DDoS bot Trojan sample includes the domain name and communication port of the central control server, or its IP address and communication port.
It should be noted that the central control server address information described in the embodiments of the present application is only a specific example. In practice it may include further information, for example the physical location of the IP address (i.e. the geographic location, such as a machine room at a certain number on a certain street in a certain city) or the institution or organization to which the IP address belongs (for example Huawei Cloud, Alibaba Cloud, or an individual's IP address).
The communication protocol information between the botnet and the central control server includes the protocol type and the protocol details. The protocol type includes, for example, transmission control protocol (TCP), user datagram protocol (UDP) and internet control message protocol (ICMP). For TCP, the protocol details include one or more of the meaning of the different fields, the handshake information, the heartbeat information, the attack instruction information and the attack payload information.
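The automated extraction described for step S302, as an added example that is not part of the application. The config layout below (a "CFG1" marker, a one-byte XOR key, a two-byte length, then the XOR-encoded `proto:host:port` string) is an assumption invented for the example, not any real family's format, and the sample bytes are constructed by `embed_config`. The check a practitioner wants is in `extract_c2`: a marker can also occur by chance in code or data, so every occurrence is tried and only a candidate that decrypts to a well-formed address is accepted.

```python
import re
import struct
from typing import Optional

# Hypothetical config layout (an assumption for this example, not any real family's):
#   magic "CFG1" | 1-byte XOR key | 2-byte big-endian length | XOR-encoded ASCII "proto:host:port"
MAGIC = b"CFG1"
HDR_FMT = "!4sBH"
HDR_LEN = struct.calcsize(HDR_FMT)  # 7
C2_RE = re.compile(r"^(tcp|udp):([A-Za-z0-9.\-]+):(\d{1,5})$")


def _xor(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def embed_config(proto: str, host: str, port: int, key: int,
                 pad_before: int = 64, pad_after: int = 32) -> bytes:
    """Build a constructed 'sample': filler bytes around one encrypted config block."""
    plain = f"{proto}:{host}:{port}".encode("ascii")
    return (bytes([0x90]) * pad_before
            + struct.pack(HDR_FMT, MAGIC, key, len(plain)) + _xor(plain, key)
            + bytes([0xCC]) * pad_after)


def extract_c2(sample: bytes) -> Optional[dict]:
    """Locate the config block, decrypt it and validate the result.

    Every occurrence of the magic is tried, because the marker can appear by chance
    elsewhere in the binary; only a candidate that decrypts to a well-formed
    proto:host:port with a valid port is accepted.
    """
    pos = sample.find(MAGIC)
    while pos != -1:
        if pos + HDR_LEN <= len(sample):
            _, key, length = struct.unpack_from(HDR_FMT, sample, pos)
            enc = sample[pos + HDR_LEN: pos + HDR_LEN + length]
            if len(enc) == length:
                try:
                    text = _xor(enc, key).decode("ascii")
                except UnicodeDecodeError:
                    text = ""
                m = C2_RE.match(text)
                if m and 0 < int(m.group(3)) < 65536:
                    return {"proto": m.group(1), "host": m.group(2),
                            "port": int(m.group(3)), "key": key}
        pos = sample.find(MAGIC, pos + 1)
    return None


if __name__ == "__main__":
    sample = embed_config("tcp", "c2.example.net", 6667, 0x5A)
    print(extract_c2(sample))
```

The same extractor is applied unchanged to every sample of the families that share this layout; a sample that yields no valid candidate is queued for manual reverse engineering rather than silently producing an address.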
In step S303, a communication connection is established with the central control server based on its address information and communication protocol information.
Step S302 yields the address information and communication protocol information of the botnet's central control server; a communication connection is then established with the central control server based on that information.
For example, a bot host emulator is developed from the central control server's address and protocol information, loaded and run, and used to emulate a bot host establishing a communication connection with the central control server. The computing device running the emulator mimics the behaviour of a bot host and actively contacts the central control server using the specific protocol between the botnet and the central control server: for example, it sends the specific handshake packet so that the central control server concludes that one of the bot hosts under its control has checked in, and it sends a heartbeat packet at the specific interval so that the central control server concludes that the bot host is still "alive", so that the DDoS attack instructions the central control server sends to its bot hosts can subsequently be elicited.
The bot host emulator can be implemented in many ways. For example, in a containerized implementation, a container image containing the emulator is built and run to create a container instance of the emulator, which mimics bot host behaviour, establishes a communication connection with the central control server and elicits DDoS attack instructions. As another example, the emulator is deployed on a virtual machine or physical machine, loaded and run, mimics bot host behaviour, connects to the central control server and elicits DDoS attack instructions.
In another example, the bot host emulator can be packaged as a plug-in, so that the emulator plug-in can conveniently be loaded into a program in order to mimic bot host behaviour, connect to the central control server and elicit DDoS attack instructions. For example, a container image containing an agent program is built; the agent loads the bot host emulator plug-in, and running the image creates a container instance of the emulator that mimics bot host behaviour and connects to the central control server.
In step S304, a DDoS attack instruction sent by the central control server is received.
After the computing device or virtual instance running the bot host emulator has established a connection with the central control server in the guise of a bot host, the central control server treats it as a bot host and sends DDoS attack instructions to it; the instructions sent by the central control server are received and thereby obtained. A DDoS attack instruction directs the bot host to launch an attack on the attack target with a specific attack payload, attack event and attack time.
In step S305, the DDoS attack instruction is analyzed to obtain DDoS attack information.
The received DDoS attack instruction is analyzed to obtain DDoS attack information, which includes, but is not limited to, one or more of attacked-target information, attack payload information, attack event information and attack duration information.
The attacked-target information includes one or more of the target's domain name and communication port, its IP address and communication port, the physical location of the IP address (i.e. the geographic location, such as a machine room at a certain number on a certain street in a certain city) and the institution or organization to which the IP address belongs (for example Huawei Cloud, Alibaba Cloud, or an individual's IP address).
The attack payload information indicates the type of attack to be launched against the target, for example a TCP flood, UDP flood, DNS flood, HTTP flood, ICMP flood, HTTPS flood or SIP flood.
The attack event information indicates the number of attacks launched against the target, and the time at which each attack starts and ends.
The attack duration information indicates how long the attack on the target continues.
The DDoS attack information obtained in the embodiments of the present application can be sent to subscribers as attack intelligence so that they can respond accordingly. For example, the analysis yields the DDoS attack target, say a communication port of an IP address in a Huawei Cloud machine room on a certain street in a certain city; the attack payload is a TCP flood; the attack event is N attacks on the target, each starting at time ** and ending at time **; and the attack duration is ** hours ** minutes ** seconds. This information can be sent to subscribers (for example an organization or individual) as attack intelligence, so that they learn of the DDoS attack before it arrives and respond accordingly.
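Steps S303 to S305 as one exchange between an emulated bot and a central control server, as an added example that is not part of the application. The wire format (a 4-byte handshake, a 2-byte heartbeat, a 12-byte attack command) and the loopback `MockC2` are assumptions constructed for the example; a real emulator speaks whatever protocol step S302 recovered and repeats the heartbeat on a timer until a command arrives.

```python
import socket
import struct
import threading
from dataclasses import dataclass

# Hypothetical bot protocol used for this example (an assumption, not any real family's format):
#   bot -> C2 : 4-byte handshake 00 00 00 01;  C2 -> bot : the same 4 bytes as acknowledgement
#   bot -> C2 : 2-byte heartbeat 00 00, repeated at a fixed interval
#   C2  -> bot: 12-byte attack command, big-endian:
#               opcode(1)=0x01 | target IPv4(4) | target port(2) | attack type(1) | duration s(4)
HANDSHAKE = b"\x00\x00\x00\x01"
HEARTBEAT = b"\x00\x00"
OP_ATTACK = 0x01
ATTACK_TYPES = {0: "tcp_flood", 1: "udp_flood", 2: "http_flood"}
CMD_FMT = "!B4sHBI"
CMD_LEN = struct.calcsize(CMD_FMT)  # 12


@dataclass
class AttackInfo:
    target_ip: str
    target_port: int
    attack_type: str
    duration_s: int


def parse_attack_command(buf: bytes) -> AttackInfo:
    """Step S305: turn a raw attack command into structured attack information."""
    if len(buf) != CMD_LEN:
        raise ValueError(f"expected {CMD_LEN}-byte command, got {len(buf)}")
    opcode, ip_raw, port, atype, duration = struct.unpack(CMD_FMT, buf)
    if opcode != OP_ATTACK:
        raise ValueError(f"unexpected opcode 0x{opcode:02x}")
    return AttackInfo(socket.inet_ntoa(ip_raw), port,
                      ATTACK_TYPES.get(atype, f"unknown({atype})"), duration)


def build_attack_command(ip: str, port: int, atype: int, duration: int) -> bytes:
    return struct.pack(CMD_FMT, OP_ATTACK, socket.inet_aton(ip), port, atype, duration)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def emulate_bot(host: str, port: int, timeout: float = 5.0) -> AttackInfo:
    """Steps S303/S304: pose as a bot, keep the session alive, wait for an attack command."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        if _recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
            raise ConnectionError("central control server did not acknowledge the handshake")
        s.sendall(HEARTBEAT)  # a real emulator repeats this on a timer until a command arrives
        return parse_attack_command(_recv_exact(s, CMD_LEN))


class MockC2:
    """Constructed stand-in for a central control server on loopback, so the example runs offline."""

    def __init__(self, command: bytes):
        self.command = command
        self.srv = socket.socket()
        self.srv.bind(("127.0.0.1", 0))
        self.srv.listen(1)
        self.port = self.srv.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        conn, _ = self.srv.accept()
        with conn:
            conn.settimeout(5.0)
            if _recv_exact(conn, len(HANDSHAKE)) != HANDSHAKE:
                return  # not one of "its" bots; a real C2 would drop the connection as well
            conn.sendall(HANDSHAKE)
            _recv_exact(conn, len(HEARTBEAT))
            conn.sendall(self.command)

    def close(self) -> None:
        self.srv.close()


def demo() -> AttackInfo:
    c2 = MockC2(build_attack_command("192.0.2.10", 443, 0, 600))
    try:
        return emulate_bot("127.0.0.1", c2.port)
    finally:
        c2.close()


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner would add before pointing this at a live central control server: the emulator must only record the instruction and must never carry out the attack it is told about, and a tracker that checks in from a fixed address or answers with perfectly regular timing is easy for the botnet operator to identify and feed with decoy instructions.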
By emulating a bot host that establishes a communication connection with the botnet's central control server and eliciting the DDoS attack instructions it sends, the embodiments of the present application obtain accurate DDoS attack information, and can obtain it before the attack arrives. That attack information is then used to monitor the traffic of the attack target, so that DDoS attack packets are identified precisely and a DDoS attack detection accuracy of 100% can be reached. This figure concerns traffic matched against attack instructions that were actually obtained; attacks ordered by central control servers that have not been discovered are outside it, a limitation addressed further below. Obtaining the attack information in advance also makes it possible to respond to the DDoS attack ahead of time or in real time, which solves the problem in the related art that post-hoc analysis permits neither real-time detection nor an advance or real-time response, limits the harm of DDoS attacks to network security, and makes network communication more secure.
In another example, the DDoS attack monitoring method provided in the embodiments of the present application further includes determining the owner of the attacked target from the attacked-target information and sending a DDoS warning to that owner. An attack warning is thus issued to the owner of the target before the DDoS attack arrives, so that the owner learns of the DDoS attack intelligence in advance and prepares a plan for handling the attack ahead of time, which improves the efficiency of responding to and handling DDoS attacks.
For example, the attacked-target information includes the target's IP address and communication port, from which the attacked server can be determined. The owner of the attacked target is found by looking up a pre-stored mapping table that records the mapping between subscribers and server assets, and an attack warning is sent to that owner, so that the owner learns in advance that its server will be subjected to a DDoS attack and can make preparations to avoid losses.
For instance, if the attacked-target information shows that the target is a server asset belonging to company **, a DDoS attack warning is sent to that company.
When the botnet's central control servers are discovered by analyzing bot Trojan samples, the number of servers discovered is limited by the number of samples obtained (it is practically impossible to obtain every bot Trojan sample that exists across the whole network). Protocol sniffing, that is, active probing of addresses in the open network space using the botnet communication protocols obtained from sample analysis, can be used to discover more central control servers.
That is, connection requests are broadcast based on the communication protocol information, and the network nodes that respond to those connection requests are determined to be botnet central control servers.
For example, by analyzing multiple kinds of bot Trojan samples, the communication protocols of multiple botnets are obtained. Connection requests are then broadcast using those protocols, that is, connections to publicly reachable IP addresses and ports on the Internet are attempted with the different handshake and heartbeat protocols. If the expected response is received, the responding node is determined to be a new central control server and its address information is recorded; a node that merely accepts the TCP connection without completing the family's handshake is not recorded. In this way, the central control servers of potential botnets in the network are discovered, more central control servers are covered, more DDoS attack instructions are discovered, and the detection rate of DDoS attack monitoring is improved.
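The probing described above, as an added example that is not part of the application. The family signatures are assumptions, and the candidate endpoints are constructed loopback responders (one per family, one web server, one closed port) so that it runs offline; against the Internet, `candidates` would be a list of public addresses and ports, and only a node that returns the family's exact acknowledgement is recorded as a central control server.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Per-family handshake signatures from sample analysis. These byte strings are assumptions
# for this example, not any real family's protocol.
FAMILIES = {
    "family_a": {"hello": b"\x00\x00\x00\x01", "ack": b"\x00\x00\x00\x01"},
    "family_b": {"hello": b"PING\n", "ack": b"PONG\n"},
}


def _recv_upto(sock: socket.socket, n: int) -> bytes:
    """Read up to n bytes, stopping early if the peer closes or goes quiet."""
    buf = b""
    try:
        while len(buf) < n:
            chunk = sock.recv(n - len(buf))
            if not chunk:
                break
            buf += chunk
    except OSError:
        pass
    return buf


def probe(host: str, port: int, timeout: float = 2.0):
    """Try each family's handshake in turn on a fresh connection. Returns the family whose
    exact acknowledgement came back, else None. A TCP accept alone proves nothing: web
    servers, honeypots and sinkholes accept connections too, so only a protocol-level
    acknowledgement marks a candidate as a central control server."""
    for name, sig in FAMILIES.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                s.sendall(sig["hello"])
                if _recv_upto(s, len(sig["ack"])) == sig["ack"]:
                    return name
        except OSError:
            continue  # refused, timed out or reset: try the next family, then give up
    return None


def discover(candidates, workers: int = 16) -> dict:
    """Probe (host, port) candidates concurrently; returns {(host, port): family} for hits."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = pool.map(lambda c: probe(*c), candidates)
        return {c: fam for c, fam in zip(candidates, results) if fam is not None}


# --- constructed loopback responders so the example runs offline ------------------------
def canned_responder(reply: bytes) -> int:
    """Listen on an ephemeral loopback port; answer every connection with a fixed reply."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(64)
                    conn.sendall(reply)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    candidates = [
        ("127.0.0.1", canned_responder(FAMILIES["family_a"]["ack"])),       # family_a C2
        ("127.0.0.1", canned_responder(b"HTTP/1.1 400 Bad Request\r\n")),  # a web server
        ("127.0.0.1", canned_responder(FAMILIES["family_b"]["ack"])),       # family_b C2
        ("127.0.0.1", closed_port()),                                       # nothing listening
    ]
    return candidates, discover(candidates)


if __name__ == "__main__":
    print(demo()[1])
```

Probing the open Internet is active scanning of other people's hosts: rate-limit it, publish an abuse contact for the scanning addresses, and treat a positive as a candidate to be confirmed by a full emulator session rather than as proof, since another tracker's sinkhole can answer the same handshake.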
The central control servers discovered by analyzing bot Trojan samples or by protocol sniffing also prepare the ground for attack attribution: the source from which the DDoS attack is launched becomes known, and from it information about the initiator of the DDoS attack.
In another example, the DDoS attack monitoring method provided in the embodiments of the present application further includes monitoring traffic in the network based on the communication protocol information, and determining the network nodes whose traffic matches the communication protocol information to be bot hosts.
That is, the embodiments of the present application can also discover bot hosts in the network through the botnet's communication protocol, and from them obtain the topology of the botnet.
For example, if the botnet's communication protocol is TCP with specific handshake and heartbeat messages exchanged with the central control server, then the hosts in the network that send those specific handshake and heartbeat messages to the central control server can be observed and determined to be bot hosts.
Bot hosts can also be discovered in cooperation with other devices, for example by sending the communication protocols of the individual botnets to an intrusion prevention system (IPS) or intrusion detection system (IDS), which then discovers bot hosts using those protocols.
In one example, the IP addresses of bot hosts can also be used as a parameter of the DDoS attack information to further improve monitoring efficiency: for example, the source IP address of the traffic is analyzed, and traffic whose source IP address matches a bot host IP address and whose other parameters also match is determined to be DDoS attack traffic.
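Passive bot discovery (handshake or heartbeat bytes sent toward a known central control server) and the attack-traffic match of the preceding paragraph, as an added example that is not part of the application. The flow records, the family signature and the central control server address are constructed; `classify_attack_flows` shows the effect of the bot-IP parameter by running the same match with and without the bot list.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Signatures and central control servers as obtained from sample analysis.
# The values are assumptions for this example, not any real family's.
FAMILY_SIGS = {"family_a": {"handshake": b"\x00\x00\x00\x01", "heartbeat": b"\x00\x00"}}
KNOWN_C2 = {("198.51.100.5", 6667): "family_a"}


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: bytes  # first bytes of the client's payload in this flow


@dataclass
class AttackInfo:
    target_ip: str
    target_port: int
    attack_type: str
    start: datetime
    duration_s: int


def find_bots(flows) -> dict:
    """Hosts whose traffic to a known central control server carries that family's
    handshake or heartbeat bytes are bot hosts; returns {src_ip: family}."""
    bots = {}
    for f in flows:
        fam = KNOWN_C2.get((f.dst, f.dport))
        if fam is None or f.proto != "tcp":
            continue
        sig = FAMILY_SIGS[fam]
        if f.payload.startswith(sig["handshake"]) or f.payload == sig["heartbeat"]:
            bots.setdefault(f.src, fam)
    return bots


def classify_attack_flows(flows, info: AttackInfo, bots: Optional[dict] = None) -> list:
    """Flows matching the ordered target, port, attack type and time window are attack
    traffic; when a bot list is supplied the source must also be a known bot, which keeps
    legitimate clients of the same service from being flagged."""
    end = info.start + timedelta(seconds=info.duration_s)
    want_proto = {"tcp_flood": "tcp", "udp_flood": "udp", "http_flood": "tcp"}.get(info.attack_type)
    hits = []
    for f in flows:
        if (f.dst, f.dport) != (info.target_ip, info.target_port):
            continue
        if want_proto is not None and f.proto != want_proto:
            continue
        if not (info.start <= f.ts <= end):
            continue
        if bots is not None and f.src not in bots:
            continue
        hits.append(f)
    return hits


# Constructed flow records (not captured data): two bots check in with the C2, then the
# ordered flood begins; one legitimate client and one out-of-window flow are included.
T0 = datetime(2023, 3, 1, 10, 0, 0)
SAMPLE_FLOWS = [
    Flow(T0 - timedelta(minutes=5), "203.0.113.20", 40001, "198.51.100.5", 6667, "tcp", b"\x00\x00\x00\x01"),
    Flow(T0 - timedelta(minutes=4), "203.0.113.20", 40001, "198.51.100.5", 6667, "tcp", b"\x00\x00"),
    Flow(T0 - timedelta(minutes=3), "203.0.113.21", 40002, "198.51.100.5", 6667, "tcp", b"\x00\x00\x00\x01"),
    Flow(T0 - timedelta(minutes=2), "203.0.113.99", 40003, "198.51.100.5", 6667, "tcp", b"GET / HTTP/1.1\r\n"),
    Flow(T0 - timedelta(minutes=1), "203.0.113.20", 50001, "192.0.2.10", 443, "tcp", b"\x16\x03\x01"),
    Flow(T0 + timedelta(seconds=1), "203.0.113.20", 50002, "192.0.2.10", 443, "tcp", b"\x16\x03\x01"),
    Flow(T0 + timedelta(seconds=2), "203.0.113.21", 50003, "192.0.2.10", 443, "tcp", b"\x16\x03\x01"),
    Flow(T0 + timedelta(seconds=3), "203.0.113.99", 50004, "192.0.2.10", 443, "tcp", b"\x16\x03\x01"),
    Flow(T0 + timedelta(seconds=4), "203.0.113.20", 50005, "192.0.2.10", 53, "udp", b"\x00"),
]
SAMPLE_INFO = AttackInfo("192.0.2.10", 443, "tcp_flood", T0, 600)


def demo():
    bots = find_bots(SAMPLE_FLOWS)
    with_bots = classify_attack_flows(SAMPLE_FLOWS, SAMPLE_INFO, bots)
    without_bots = classify_attack_flows(SAMPLE_FLOWS, SAMPLE_INFO)
    return bots, with_bots, without_bots


if __name__ == "__main__":
    bots, a, b = demo()
    print(bots, len(a), len(b))
```

The host that merely connected to the central control server's port with an HTTP request is not classified as a bot, and the legitimate TLS client of the target is flagged only when the bot list is omitted; that difference is the efficiency gain the paragraph describes.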
In another example, after a DDoS attack is detected, the method further includes subsequent handling of the DDoS attack, for example attack countermeasures, or sending the detected DDoS attack information to a protection device so that the protection device handles the attack.
Protection devices include, but are not limited to, firewalls, security gateways (such as routers or switches), IDS-type devices, IPS-type devices, unified threat management (UTM) devices, anti-virus (AV) devices, anti-DDoS devices and next generation firewalls (NGFW), or an integration of one or more of these.
The DDoS attack monitoring method provided in the embodiments of the present application further includes displaying the monitoring results, which include one or more of: the location distribution of central control servers, the number of DDoS attacks, botnet host information, DDoS attack time information, the location distribution of attacked targets, the owners of attacked targets, the number of times each target was attacked, and the times at which each target was attacked.
The central control server location distribution is the geographic distribution of the central control servers from which the monitored DDoS attacks were launched, for example N in Beijing, M in Guangzhou, K in Xiamen, and so on.
The DDoS attack count information includes the number of DDoS attacks monitored, for example the total number monitored, the cumulative number against a particular target, and the number on the current day.
The botnet host information includes the bot host topology of the monitored botnets.
The DDoS attack time information includes the DDoS attacks monitored in each time period.
The attacked-target location distribution is the distribution of the devices observed to be under DDoS attack; for example, if n servers in North China, m in South China and k in East China are observed under attack, the monitoring results show n targets in North China, m in South China and k in East China.
The attacked-target owner information indicates who the target belongs to; for example, if a server of company X is observed under DDoS attack, the results show company X as the owner.
The attack count of an attacked target indicates how many times it has been subjected to DDoS attacks.
The attack time information of an attacked target indicates how long it was under DDoS attack; for example, if a server is observed under attack from 9:00 to 17:00, the results show an attack time of 8 h.
The DDoS attack monitoring method provided in the embodiments of the present application can be implemented by means of virtual instances, for example containerization: one or more container images are built, and loading and running them implements the monitoring method described above.
For example, DDoS bot Trojan samples are periodically crawled from open sample repositories or commercial sites such as VirusShare, Bazaar or VirusTotal. The samples are reverse-engineered to extract the communication protocol and the botnet's central control server. A DDoS bot host emulator is developed from the central control server and protocol: for example, a base class for a DDoS bot sample defines the behaviours a sample exhibits, such as connecting, handshaking, sending heartbeats, and receiving and parsing data; for each DDoS bot family a specific class is derived from that base class and implements those behaviours according to the family's protocol. These derived classes (i.e. the DDoS bot host emulators) are packaged as plug-ins so that they can be loaded into the program dynamically.
One container image contains an agent program, which is scheduled by a task scheduling module and, according to its assignment, uses a specific bot Trojan plug-in to connect to a specific central control server. One container image contains the task scheduler, which distributes the central control servers held in the database across the agents for load balancing. One container image contains the database, which stores the central control server addresses of the DDoS botnets, the family information of the DDoS bot Trojan samples, attacked IP addresses, the physical locations of IP addresses, and so on. One container image contains an IP address and domain name analysis program, which obtains the physical location and ownership information of central control servers and attacked IP addresses. One container image contains an attack instruction handling program, which polls the database for the latest DDoS instructions and sends them to subscribers. One container image contains the communication protocol sniffing program, which loads the DDoS bot host emulator plug-ins and probes the open Internet to discover unknown central control servers. Depending on the available resources, the agent and protocol sniffing instances are scaled out to multiple instances through containerized deployment.
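The base-class/plug-in design and the scheduler of the two preceding paragraphs, as an added example that is not part of the application. The two families (`TextFamily`, `TlvFamily`) and their protocols are invented for the example, `ScriptedTransport` replays canned central control server replies in place of a socket, and `schedule` assigns C2 records to agents least-loaded first, which is one way to do the load balancing the paragraph mentions.

```python
import heapq
import struct
from abc import ABC, abstractmethod
from dataclasses import dataclass
from typing import Optional


class ScriptedTransport:
    """In-memory stand-in for a C2 connection: records what the plug-in sends and replays
    a scripted list of replies, so the plug-in lifecycle can be exercised offline."""
    def __init__(self, replies):
        self.replies, self.sent = list(replies), []

    def send(self, data: bytes) -> None:
        self.sent.append(data)

    def recv(self) -> bytes:
        return self.replies.pop(0) if self.replies else b""


class BotPlugin(ABC):
    """Base class: the common lifecycle (handshake, heartbeat, receive, parse).
    Each family overrides only the protocol-specific parts."""
    family = "base"

    def __init__(self, transport):
        self.t = transport

    @abstractmethod
    def handshake(self) -> bytes: ...

    @abstractmethod
    def heartbeat(self) -> bytes: ...

    @abstractmethod
    def parse_command(self, data: bytes) -> Optional[dict]: ...

    def run(self, max_rounds: int = 8) -> Optional[dict]:
        self.t.send(self.handshake())
        for _ in range(max_rounds):
            self.t.send(self.heartbeat())
            data = self.t.recv()
            if not data:
                return None  # C2 went silent or closed the session
            cmd = self.parse_command(data)
            if cmd is not None:
                cmd["family"] = self.family
                return cmd
        return None


class TextFamily(BotPlugin):
    """Hypothetical IRC-style family: newline-terminated text commands."""
    family = "text_family"

    def handshake(self) -> bytes:
        return b"NICK bot-0001\n"

    def heartbeat(self) -> bytes:
        return b"PING\n"

    def parse_command(self, data: bytes) -> Optional[dict]:
        parts = data.decode("ascii", "replace").strip().split()
        if len(parts) == 5 and parts[0] == "!attack" and parts[3].isdigit() and parts[4].isdigit():
            return {"attack_type": parts[1], "target_ip": parts[2],
                    "target_port": int(parts[3]), "duration_s": int(parts[4])}
        return None  # e.g. "PONG": not a command


class TlvFamily(BotPlugin):
    """Hypothetical binary family: opcode 0x10 followed by type-length-value records."""
    family = "tlv_family"
    T_HOST, T_PORT, T_TYPE, T_DURATION = 1, 2, 3, 4

    def handshake(self) -> bytes:
        return b"\x01\x00"

    def heartbeat(self) -> bytes:
        return b"\x02\x00"

    def parse_command(self, data: bytes) -> Optional[dict]:
        if not data or data[0] != 0x10:
            return None
        fields, i = {}, 1
        while i + 2 <= len(data):
            t, n = data[i], data[i + 1]
            value = data[i + 2:i + 2 + n]
            if len(value) != n:
                return None  # truncated record: never act on a partial command
            fields[t] = value
            i += 2 + n
        try:
            return {"target_ip": fields[self.T_HOST].decode("ascii"),
                    "target_port": struct.unpack("!H", fields[self.T_PORT])[0],
                    "attack_type": fields[self.T_TYPE].decode("ascii"),
                    "duration_s": struct.unpack("!I", fields[self.T_DURATION])[0]}
        except (KeyError, struct.error, UnicodeDecodeError):
            return None


# Plug-in registry: the agent looks the family up here instead of knowing any protocol.
REGISTRY = {cls.family: cls for cls in (TextFamily, TlvFamily)}


@dataclass(frozen=True)
class C2Record:
    host: str
    port: int
    family: str


def schedule(c2s, agent_ids) -> dict:
    """Task scheduler: least-loaded assignment of C2 records to agents."""
    heap = [(0, a) for a in agent_ids]
    heapq.heapify(heap)
    assignment = {a: [] for a in agent_ids}
    for rec in c2s:
        load, agent = heapq.heappop(heap)
        assignment[agent].append(rec)
        heapq.heappush(heap, (load + 1, agent))
    return assignment


def agent_run(rec: C2Record, transport) -> Optional[dict]:
    """Agent: instantiate the plug-in for the assigned C2's family and run it."""
    return REGISTRY[rec.family](transport).run()
```

In a deployment the registry is filled by dynamic loading (for example `importlib` over a plug-in directory or package entry points) and the transport is a real socket, while `run`, the registry lookup and the scheduler stay as they are.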
通过本申请实施例提供的DDoS攻击的监测方法,可以提供威胁情报服务,可以实时获取DDoS攻击情报,服务云平台、租户、企业门户等。或者,提供网络空间测绘服务,发现互联网中潜在的僵尸网络的中控服务器。The DDoS attack monitoring method provided by the embodiment of the present application can provide threat intelligence services, obtain DDoS attack intelligence in real time, and serve cloud platforms, tenants, enterprise portals, etc. Alternatively, it can provide network space mapping services to discover the central control servers of potential botnets on the Internet.
为了实现本申请实施例提供的DDoS攻击的监测方法,本申请实施例还提供一种DDoS攻击的监测装置,该DDoS攻击的监测装置可以部署服务器,服务器可以是硬件服务器,也可以植入虚拟化环境中,例如,本方案中涉及的服务器可以是在包括一个或多个其他虚拟机的硬件服务器上执行的虚拟机。DDoS攻击的监测装置也可以集成部署于网络防护设备中。In order to implement the DDoS attack monitoring method provided in the embodiment of the present application, the embodiment of the present application also provides a DDoS attack monitoring device, which can deploy a server, which can be a hardware server or embedded in a virtualized environment. For example, the server involved in this solution can be a virtual machine executed on a hardware server including one or more other virtual machines. The DDoS attack monitoring device can also be integrated and deployed in a network protection device.
图4为本申请实施例提供的一种DDoS攻击的监测装置的结构示意图。如图4所示,DDoS攻击的监测装置400包括获取模块401、第一分析模块402、通信模块403和第二分析模块404,其中,获取模块401用于获取多个种类的DDoS僵尸木马样本;第一分析模块402用于对每个类型的DDoS僵尸木马样本进行分析,得到僵尸网络对应的中控服务器的地址信息和通信协议信息;通信模块403用于基于中控服务器的地址信息和通信协议信息与中控服务器建立通信连接;以及接收中控服务器发送的DDoS攻击指令;第二分析模块404用于对DDoS攻击指令进行分析,得到DDoS攻击信息。Figure 4 is a schematic diagram of the structure of a DDoS attack monitoring device provided by an embodiment of the present application. As shown in Figure 4, the DDoS attack monitoring device 400 includes an acquisition module 401, a first analysis module 402, a communication module 403, and a second analysis module 404, wherein the acquisition module 401 is used to acquire multiple types of DDoS zombie Trojan samples; the first analysis module 402 is used to analyze each type of DDoS zombie Trojan sample to obtain the address information and communication protocol information of the central control server corresponding to the botnet; the communication module 403 is used to establish a communication connection with the central control server based on the address information and communication protocol information of the central control server; and receive the DDoS attack instruction sent by the central control server; the second analysis module 404 is used to analyze the DDoS attack instruction to obtain DDoS attack information.
The acquisition module 401, the first analysis module 402, the communication module 403 and the second analysis module 404 may each be implemented in software or in hardware. The implementation of the acquisition module 401 is described below as an example; the first analysis module 402, the communication module 403 and the second analysis module 404 may be implemented in the same way.
As an example of a software functional unit, the acquisition module 401 may comprise code running on a computing instance, where a computing instance is at least one of a physical host (computing device), a virtual machine or a container, and one or more such instances may be used. For example, the acquisition module 401 may comprise code running on several hosts, virtual machines or containers. These hosts, virtual machines or containers may be located in the same region or in different regions, and in the same availability zone (AZ) or in different AZs, where an AZ comprises one data center or several geographically close data centers; a region usually comprises multiple AZs.
Likewise, the hosts, virtual machines or containers running the code may belong to a single virtual private cloud (VPC) or be spread across several VPCs. A VPC is normally confined to one region. For two VPCs in the same region, or VPCs in different regions, to communicate across their boundaries, a communication gateway is set up in each VPC and the VPCs are interconnected through these gateways.
As an example of a hardware functional unit, the acquisition module 401 may comprise at least one computing device, such as a server, or it may be a device implemented with an application-specific integrated circuit (ASIC) or a programmable logic device (PLD). The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination of these.
The computing devices that make up the acquisition module 401 may be located in the same region or in different regions, in the same AZ or in different AZs, and in the same VPC or in several VPCs. They may be any combination of servers, ASICs, PLDs, CPLDs, FPGAs, GALs and similar computing devices.
In other embodiments, each of the acquisition module 401, the first analysis module 402, the communication module 403 and the second analysis module 404 may be used to perform any step of the DDoS attack monitoring method. The steps assigned to each module can be chosen as required, and the four modules together provide the full functionality of the DDoS attack monitoring device by implementing different steps of the method.
The present application also provides a computing device 500. As shown in Figure 5, the computing device 500 comprises a bus 502, a processor 504, a memory 506 and a communication interface 508, which communicate with one another over the bus 502. The computing device 500 may be a server or a terminal device. The number of processors and memories in the computing device 500 is not limited.
The bus 502 may be a peripheral component interconnect (PCI) bus, an extended industry standard architecture (EISA) bus or the like, and may be subdivided into an address bus, a data bus, a control bus and so on. For simplicity it is drawn as a single line in Figure 5, which does not imply that there is only one bus or one type of bus. The bus 502 provides the path over which information is transferred between the components of the computing device 500 (for example the memory 506, the processor 504 and the communication interface 508).
The processor 504 may comprise any one or more of a central processing unit (CPU), a graphics processing unit (GPU), a microprocessor (MP), a digital signal processor (DSP) or other processors.
The memory 506 may comprise volatile memory, such as random access memory (RAM), and may also comprise non-volatile memory, such as read-only memory (ROM), flash memory, a hard disk drive (HDD) or a solid state drive (SSD).
The memory 506 stores executable program code, and the processor 504 executes that code to realise the functions of the acquisition module 401, the first analysis module 402, the communication module 403 and the second analysis module 404 respectively, thereby carrying out the DDoS attack monitoring method. In other words, the memory 506 holds the instructions for performing the DDoS attack monitoring method.
The communication interface 508 uses a transceiver module such as, but not limited to, a network interface card or a transceiver to provide communication between the computing device 500 and other devices or a communication network.
The embodiments also provide a computing device cluster comprising at least one computing device. The computing device may be a server, for example a central server, an edge server or a local server in a local data center; in some embodiments it may also be a terminal device such as a desktop computer, a laptop or a smartphone.
As shown in Figure 6, the computing device cluster comprises at least one computing device 500. The memories 506 of one or more computing devices 500 in the cluster may each store the same instructions for performing the DDoS attack monitoring method.
In some possible implementations, the memory 506 of each of one or more computing devices 500 in the cluster may instead store only part of the instructions for performing the DDoS attack monitoring method; in other words, a combination of one or more computing devices 500 may jointly execute those instructions.
The memories 506 of different computing devices 500 in the cluster may store different instructions, each set implementing part of the functionality of the DDoS attack monitoring device. That is, the instructions stored in the memory 506 of a given computing device 500 may implement the functions of one or more of the acquisition module 401, the first analysis module 402, the communication module 403 and the second analysis module 404.
In some possible implementations, the computing devices in the cluster are connected over a network, which may be a wide area network, a local area network or the like. Figure 7 shows one such implementation: two computing devices 500A and 500B are connected over a network, each through its own communication interface. In this implementation the memory 506 of computing device 500A stores the instructions that implement the acquisition module 401 and the first analysis module 402, while the memory 506 of computing device 500B stores the instructions that implement the communication module 403 and the second analysis module 404.
The functions of computing device 500A in Figure 7 may equally be carried out by several computing devices 500, and likewise the functions of computing device 500B.
The embodiments also provide a computer program product containing instructions. The computer program product may be software or a program product that contains instructions and can run on a computing device or be stored in any usable medium. When the computer program product runs on at least one computing device, it causes that computing device to perform the DDoS attack monitoring method.
The embodiments also provide a computer-readable storage medium, which may be any usable medium that a computing device can store, or a data storage device such as a data center containing one or more usable media. The usable medium may be a magnetic medium (for example a floppy disk, hard disk or magnetic tape), an optical medium (for example a DVD) or a semiconductor medium (for example a solid state drive). The computer-readable storage medium contains instructions that direct a computing device to perform the DDoS attack monitoring method.
Each of the above embodiments has its own emphasis; for details not described in one embodiment, refer to the relevant description of the other embodiments.
The basic principles of the present application have been described above with reference to specific embodiments. The advantages, benefits and effects mentioned in the application are examples only and not limitations, and should not be taken as required of every embodiment of the disclosure. Likewise, the specific details disclosed above serve only as illustration and to aid understanding; they are not limitations, and the disclosure is not restricted to implementations that adopt them.
The block diagrams of the apparatus, devices and systems in this disclosure are illustrative examples only and do not require or imply that they must be connected, arranged or configured in the manner shown. As those skilled in the art will recognise, these components, apparatus, devices and systems may be connected, arranged and configured in any manner. Words such as "including", "comprising" and "having" are open-ended, meaning "including but not limited to", and may be used interchangeably. The words "or" and "and" as used here mean "and/or" and may be used interchangeably with it unless the context clearly indicates otherwise. The phrase "such as" means "such as but not limited to" and may be used interchangeably with it.
It should also be noted that in the apparatus, devices and methods of this disclosure, the components or steps may be decomposed and/or recombined, and such decompositions and/or recombinations are to be regarded as equivalent solutions of the disclosure.
The above description has been given for the purposes of illustration and description and is not intended to limit the embodiments of the disclosure to the forms disclosed herein. Although several example aspects and embodiments have been discussed, those skilled in the art will recognise certain variations, modifications, changes, additions and sub-combinations of them.
The various numerals used in the embodiments of the present application serve only to distinguish items for convenience of description and do not limit the scope of the embodiments.
The specific embodiments described above further explain in detail the purpose, technical solutions and beneficial effects of the present application. It should be understood that they are specific embodiments only and do not limit the scope of protection of the application; any modification, equivalent substitution or improvement made within the spirit and principles of the application falls within its scope of protection.
Claims (24)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310258119.8A CN118713841A (en) | 2023-03-16 | 2023-03-16 | A method and device for monitoring distributed denial of service attacks |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118713841A true CN118713841A (en) | 2024-09-27 |
Family
ID=92806012
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |