
Research Of Scanning And DRDoS Attack Detection Based On Netflow

Posted on: 2017-11-27
Degree: Master
Type: Thesis
Country: China
Candidate: G Li
GTID: 2348330491964319
Subject: Computer Science and Technology

Abstract/Summary:
Distributed reflective denial-of-service (DRDoS) has become more common in recent years. As a form of DDoS, it seriously harms the Internet's daily operation. On the other hand, scanning, a commonly used probing technique, is widely performed on the Internet before a large number of attacks happen. This thesis studies DRDoS attacks and scanning, and designs algorithms to detect the hosts participating in DRDoS attacks and scanning in CERNET. Those algorithms are deployed on NBOS (Network Behavior Observation System), an IP-flow-based system.

In the study of DRDoS, this thesis analyzes the attack scenario of UDP-based DRDoS and defines DRDoS from the perspective of flow characteristics. On this basis, DRDoS protocols are classified by how ports are used during the attack: (1) a single reflective port; (2) random reflective ports; (3) a port belonging to a TCP service. Five common UDP-based protocols that can be used to launch DRDoS are analyzed and chosen as the research object for further in-depth study. An algorithm for detecting attacking hosts is proposed based on this definition of DRDoS. While deploying the algorithm, defects in the IP flows used for detection are found and their causes are analyzed, and two solutions are proposed to improve the detection effectiveness of the algorithm: (1) a "port-address list"; (2) role-based NBOS functions. Finally, the algorithm is deployed on NBOS to detect hosts participating in DRDoS attacks in CERNET, and an experiment based on the attack's principle verifies the correctness of the results by crafting attack packets.

Building on this research, the thesis studies the bandwidth amplification factor (BAF), which describes how strongly a host (amplifier) amplifies the attack traffic. The rationality of the BAF calculation method used in previous studies is discussed, and the method is redefined. Experiments are designed to obtain data and calculate the BAFs of amplifiers; their input is chosen from the hosts detected in the earlier part of this thesis. After the experiments, the statistical features, stability, and clustering of BAF are studied, which shows that the amplifiers on port 161 and port 1900 are more stable but have a small overall BAF, while the BAF on port 123 and port 19 is smaller but their stability is lower.

In the study of scanning, this thesis focuses on horizontal scanning. It discusses the feasibility of detecting scanning from IP flows, and proposes a definition of scanning together with the flow characteristics of scanning. Based on these characteristics and port matching, a scanning detection algorithm is designed and deployed in the detection network. Finally, TCP SYN and UDP horizontal scanning behaviors are observed after the algorithm is deployed on NBOS. This result indicates that it is feasible to detect scanning from sampled IP flows, and that scanning is widely performed on the Internet.
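The flow-level signatures the abstract describes (a DRDoS victim receiving responses from many amplifiers on one UDP service port, a horizontal scanner touching many destinations on one port with tiny flows, and BAF as response bytes over request bytes), sketched in Python as an added example. This is not the thesis's NBOS code; the record layout, the thresholds and the sample flows are assumptions constructed here.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP services the abstract names as DRDoS reflectors: chargen/19, NTP/123, SNMP/161, SSDP/1900.
REFLECTOR_PORTS = {19, 123, 161, 1900}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record (assumed layout: 5-tuple plus packet and byte counts)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    bytes: int


def bandwidth_amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """BAF: bytes the amplifier sends back per byte of the spoofed request."""
    return response_bytes / request_bytes


def detect_drdos_victims(flows, min_amplifiers=3):
    """Victim-side signature: many distinct sources, all sending from the same reflector
    service port, converge on one destination. Returns {(victim, port): [amplifiers]}."""
    amplifiers = defaultdict(set)
    for f in flows:
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            amplifiers[(f.dst, f.sport)].add(f.src)
    return {k: sorted(v) for k, v in amplifiers.items() if len(v) >= min_amplifiers}


def detect_horizontal_scans(flows, min_targets=5, max_pkts=2):
    """Horizontal scan: one source touches many destinations on the same port with tiny
    flows (a lone SYN or a single UDP probe). Returns {(scanner, port, proto): targets}."""
    targets = defaultdict(set)
    for f in flows:
        if f.pkts <= max_pkts:
            targets[(f.src, f.dport, f.proto)].add(f.dst)
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


# Constructed sample flows (not real traffic): four NTP amplifiers answering toward one victim,
# one host probing tcp/22 on eight neighbours with a single packet each, then benign traffic
# (a long SSH session and one ordinary NTP query) that must not trigger either detector.
SAMPLE_FLOWS = (
    [Flow(f"198.51.100.{i}", 123, "10.0.0.5", 40000 + i, "udp", 90, 44000) for i in range(1, 5)]
    + [Flow("192.0.2.9", 51000 + i, f"10.0.1.{i}", 22, "tcp", 1, 60) for i in range(1, 9)]
    + [Flow("10.0.0.7", 52222, "10.0.1.3", 22, "tcp", 300, 48000),
       Flow("10.0.0.7", 40123, "198.51.100.1", 123, "udp", 1, 90)]
)
```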
Keywords/Search Tags: IP flows, DRDoS, BAF, Detection of Attack, Scanning