CN109302390A - Vulnerability detection method and device - Google Patents

Publication number
CN109302390A
Authority
CN
China
Prior art keywords
address
ntp server
ntp
server
response packet
Legal status
Pending
Application number
CN201811108276.6A
Other languages
Chinese (zh)
Inventor
陈栋
Current Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Original Assignee
Zhengzhou Yunhai Information Technology Co Ltd
Application filed by Zhengzhou Yunhai Information Technology Co Ltd
Priority to CN201811108276.6A
Publication of CN109302390A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1433 Vulnerability analysis
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

The embodiments of the present application disclose a vulnerability detection method and device. The IP address of a Network Time Protocol (NTP) server is obtained first, and an attack payload containing a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: according to the attack payload, it generated a response packet occupying at least the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or did not filter the attack payload, and it can be concluded that the NTP server has a vulnerability. The embodiments of the present application can therefore detect NTP server vulnerabilities automatically, without manual detection, improving the efficiency and accuracy of vulnerability detection.

Description

Vulnerability detection method and device
Technical field
The present invention relates to the field of computer technology, and in particular to a vulnerability detection method and device.
Background
Network Time Protocol (NTP) is one of the standards for time synchronization on the Internet. An NTP server can send an NTP message containing the current time to a client, so that the device adjusts its time after receiving the NTP message, synchronizing the client with the NTP server.
The standard NTP service provides a monlist query function, also known as MON_GETLIST, which can be used to monitor the service status of an NTP server. When a client sends a monlist query to an NTP server, the server returns its recent service status to the client. Specifically, after receiving a monlist query request, the NTP server obtains the Internet Protocol (IP) addresses of the last 600 clients that synchronized time with it, splits these IP addresses into multiple response packets, and returns the response packets to the client. For example, there may be 100 response packets, each containing 6 IP addresses.
The NTP service is based on the User Datagram Protocol (UDP), a connectionless transport-layer protocol that provides a simple, unreliable, transaction-oriented message delivery service. An attacker can therefore forge the source IP address of an NTP request with relative ease and send a monlist query request to the NTP server from the forged source IP address.
However, when an NTP server has the vulnerability, it cannot filter or screen these forged source IP addresses. It therefore sends a large number of response packets to the forged source IP address, for example 100 UDP packets. In this way, by sending a small request packet, the attacker causes the NTP server to send a large number of response packets to a real source IP address, occupying the bandwidth of that address and, in serious cases, causing network congestion. This is an NTP amplification attack against the real source IP address.
To avoid this situation, NTP servers can be checked for the vulnerability manually. If an NTP server does not have the vulnerability, there is no risk of it being attacked; if it does, there is such a risk. However, manual detection is inefficient and error-prone.
Summary of the invention
To solve the above technical problem, the embodiments of the present application provide a vulnerability detection method and device that improve vulnerability detection efficiency when a Web application returns no echo.
An embodiment of the present application provides a vulnerability detection method, the method comprising:
Obtaining the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
Sending an attack payload to the NTP server according to the IP address;
If a destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, determining that the NTP server has a vulnerability, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, obtaining the IP address of the NTP server comprises:
Reading a target file and obtaining the IP address of the NTP server from the target file; or,
Finding NTP servers by scanning with a scanning tool and obtaining the IP addresses of the NTP servers found; or,
Finding NTP servers by searching with a search engine and obtaining the IP addresses of the NTP servers found.
Optionally, there are multiple NTP servers, in which case determining that the NTP server has a vulnerability if the destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to the preset number of bytes comprises:
If the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determining, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
Optionally, the attack payload comprises a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
An embodiment of the present application provides a vulnerability detection device, the device comprising:
An information acquisition unit, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
An attack payload sending unit, configured to send an attack payload to the NTP server according to the IP address;
A judging unit, configured to determine that the NTP server has a vulnerability if a destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, the information acquisition unit comprises:
A first acquisition unit, configured to read a target file and obtain the IP address of the NTP server from the target file; or,
A second acquisition unit, configured to find NTP servers by scanning with a port scanning tool and obtain the IP addresses of the NTP servers found; or,
A third acquisition unit, configured to find NTP servers by searching with a port search engine and obtain the IP addresses of the NTP servers found.
Optionally, there are multiple NTP servers, in which case the judging unit is specifically configured to:
If the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
Optionally, the attack payload comprises a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
The embodiments of the present application provide a vulnerability detection method and device. The IP address of a Network Time Protocol (NTP) server is obtained first, and an attack payload containing a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: according to the attack payload, it generated a response packet occupying at least the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or did not filter the attack payload, and it can be concluded that the NTP server has a vulnerability. The embodiments of the present application can therefore detect NTP server vulnerabilities automatically, without manual detection, improving the efficiency and accuracy of vulnerability detection.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings needed in the description of the embodiments are briefly introduced below. The drawings described below show only some of the embodiments of the present application; those of ordinary skill in the art can obtain other drawings based on them.
Fig. 1 is a flowchart of a vulnerability detection method provided by an embodiment of the present application;
Fig. 2 is a structural block diagram of a vulnerability detection device provided by an embodiment of the present application.
Detailed description of the embodiments
The inventor has found that the standard NTP service provides a monlist query function. Specifically, after receiving a monlist query request, the NTP server obtains the IP addresses of the last 600 clients that synchronized time with it, splits these IP addresses into multiple response packets, and returns the response packets to the client. For example, there may be 100 response packets, each containing 6 IP addresses.
An attacker can forge the source IP address of an NTP request and send a monlist query request to the NTP server from the forged source IP address. When the NTP server has the vulnerability, it cannot filter or screen these forged source IP addresses, so it sends a large number of response packets to the real source IP address according to the source IP address, for example 100 UDP packets. In this way, by sending a small request packet, the attacker causes the NTP server to send a large number of response packets to a real source IP address, occupying the bandwidth of that address and, in serious cases, causing network congestion. This is an NTP amplification attack against the real source IP address.
To avoid this situation, NTP servers can be checked for the vulnerability manually. If an NTP server does not have the vulnerability, there is no risk of it being attacked; if it does, there is such a risk. However, manual detection is inefficient and error-prone.
On this basis, the embodiments of the present application provide a vulnerability detection method and device that perform vulnerability detection with a penetration testing tool. Penetration testing is a mechanism for demonstrating that network defenses operate as planned; in plain terms, it assesses the security of a computer network system by simulating the attack methods of malicious hackers.
Specifically, the IP address of a Network Time Protocol (NTP) server is obtained first, and an attack payload containing a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: according to the attack payload, it generated a response packet occupying at least the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or did not filter the attack payload, and it can be concluded that the NTP server has a vulnerability. The embodiments of the present application can therefore detect NTP server vulnerabilities automatically, without manual detection, improving the efficiency and accuracy of vulnerability detection.
The specific implementation of the vulnerability detection method and device provided by the embodiments of the present application is described in detail below through embodiments, with reference to the drawings.
Fig. 1 shows a flowchart of a vulnerability detection method provided by an embodiment of the present application. The method may be executed by a user terminal and may include the following steps.
S101: obtain the IP address of a Network Time Protocol (NTP) server.
Network Time Protocol (NTP) is one of the standards for time synchronization on the Internet. During time synchronization, the NTP server can send an NTP message containing the sending time to a client, so that after receiving the NTP message the device adjusts the client's time according to the receiving time and the sending time in the NTP message, synchronizing the client with the NTP server.
The IP address of the NTP server is the logical address that the IP protocol provides for the NTP server.
In one possible implementation, obtaining the IP address of the NTP server may specifically be reading a target file and obtaining the IP address of the NTP server from it. The target file may be imported by the user, and its format may be text (txt); for example, the target file server.txt may contain the IP addresses of NTP servers. In this implementation the user defines the NTP server IP addresses, so the NTP servers to be tested can be chosen flexibly. It can be understood that the target file may also contain the IP protocol port of the NTP server.
In another possible implementation, obtaining the IP address of the NTP server may specifically be finding NTP servers by scanning with a scanning tool and obtaining the IP addresses of the NTP servers found. In a specific implementation, the scanning tool scans the ports of network devices, NTP servers are identified from the port types found by the scan, and the IP addresses of the NTP servers found are then obtained. The scanning tool may be, for example, Masscan. Specifically, an IP address range and/or a port range can be preset, so that the scanning tool obtains the IP addresses of the NTP servers within that range. In this implementation the IP addresses of multiple NTP servers can be obtained quickly, and the user-defined IP address range and/or port range allows the NTP servers that need to be tested to be determined quickly and accurately.
In yet another possible implementation, obtaining the IP address and port of the NTP server may specifically be finding NTP servers by searching with a search engine and obtaining the IP addresses of the NTP servers found. In a specific implementation, the search engine searches the ports of online network devices, NTP servers are identified from the port types found by the search, and the IP addresses of the NTP servers found are then obtained. The search engine may be, for example, the Shodan search engine. Specifically, the Shodan search engine provides a web application programming interface for obtaining all the data of the Shodan website. In this implementation, the desired data can be searched for automatically through preset search conditions; for example, the type of search can be preset so that the IP addresses of NTP servers are obtained automatically.
In the embodiments of the present application, the IP addresses of multiple NTP servers can be obtained, so that multiple NTP servers can be tested in a batch.
S102: send an attack payload to the NTP server according to the IP address of the NTP server.
An attack payload corresponds to the operation a system performs after it has been compromised. An attack payload may be delivered together with other requests or sent on its own, so that the system performs the corresponding operation according to the attack payload. The attack payload may exist in text form, for example payloads.txt.
Because the NTP service provides a monlist query function, also known as MON_GETLIST, which can be used to monitor the service status of an NTP server, the attack payload may be, for example, a monlist query request that queries the recent service status of the NTP server, such as the IP addresses of the last 600 clients that synchronized time with the NTP server. The attack payload may contain a destination address, which instructs the NTP server to send the response packets for the monlist query request to the destination address.
According to the IP address of the NTP server, the attack payload can be sent to the NTP server in order to test it for the vulnerability. The attack payload can of course also be sent to the NTP server according to the IP address and port of the NTP server.
After the NTP server receives a monlist query containing the destination address, it can return its recent service status to the destination address. Specifically, the NTP server obtains the IP addresses of the last 600 clients that synchronized time with it, splits these IP addresses into multiple response packets, and returns the response packets to the destination address. For example, there may be 100 response packets, each containing 6 IP addresses.
S103: if the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, determine that the NTP server has a vulnerability.
After the attack payload has been sent to the NTP server according to its IP address, or according to its IP address and port, an NTP server that does not have the vulnerability can detect and filter the attack payload, and therefore does not perform the operation in the attack payload. Specifically, when the attack payload is a monlist query request, the NTP server either generates no response packet, or generates a response packet that occupies little storage space and sends it to the destination address. For example, if the NTP server generates and sends to the destination address a response packet occupying 60 to 90 bytes, the NTP server has handled the attack payload appropriately, and it can be concluded that the NTP server does not have the NTP amplification attack vulnerability.
Conversely, if the NTP server has the vulnerability, it cannot detect or filter the attack payload, and therefore performs the operation corresponding to the attack payload. Specifically, when the attack payload is a monlist query request, the NTP server forms multiple response packets that occupy a large amount of storage space according to the monlist query request and sends them to the destination address. The NTP server obtains the IP addresses of the last clients that synchronized time with it, for example the addresses of 600 clients, and splits and packs them into 100 response packets. Each response packet occupies a large amount of storage space, for example 480 bytes, and these 100 response packets of 480 bytes each are sent to the destination address. Therefore, if the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to the preset number of bytes, the NTP server has the vulnerability and is at risk of being attacked; when it is attacked, resources are easily consumed and network congestion may even result.
Because the response packets that the NTP server generates and sends in response to a monlist query request are large, it is possible to check whether the storage space occupied by a response packet received at the destination address is greater than or equal to the preset number of bytes, and thereby judge whether the response packet was generated according to the monlist query request. If so, the NTP server is determined to have the vulnerability. The preset number of bytes may be 200 bytes.
In a specific implementation, the attack payload can be sent to multiple NTP servers at the same time according to their IP addresses, so the destination address may receive response packets from multiple NTP servers. In this case, it is first judged whether a response packet is greater than or equal to the preset number of bytes; if so, the NTP server corresponding to the server IP address in the response packet is determined to have the vulnerability. In a specific implementation, the IP addresses of the NTP servers that have the vulnerability can also be stored in a text file for subsequent maintenance of those NTP servers.
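The judging step S103 for the multi-server case, as an added example that is not code from the patent: it applies the 200-byte rule to packets already received at the destination address and groups the verdicts by server IP. Going beyond the page's size-only rule, it also parses the NTP mode 7 header to confirm that a large packet really is a monlist response; the function names, sample packets and IP addresses are constructed, and packet size is assumed to mean UDP payload length.

```python
import struct

THRESHOLD_BYTES = 200         # the "preset byte" value given on the page
MODE_PRIVATE = 7              # NTP mode 7 (private mode used by ntpdc queries)
MONLIST_CODES = {20, 42}      # MON_GETLIST and MON_GETLIST_1 request codes


def parse_mode7(payload):
    """Decode the 8-byte NTP mode 7 header; return None for anything else."""
    if len(payload) < 8:
        return None
    b0, b1, _impl, req, w1, w2 = struct.unpack("!BBBBHH", payload[:8])
    if (b0 & 0x07) != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),   # R bit: set on responses
        "more": bool(b0 & 0x40),       # M bit: more packets follow
        "sequence": b1 & 0x7F,
        "request_code": req,
        "err": w1 >> 12,               # 4-bit error code, 0 means success
        "n_items": w1 & 0x0FFF,        # data items carried in this packet
        "item_size": w2 & 0x0FFF,      # size of one data item in bytes
    }


def judge(packets, probed, threshold=THRESHOLD_BYTES):
    """Apply S103 to (src_ip, udp_payload) pairs seen at the destination address.

    size_rule is the page's rule (any packet >= threshold bytes).
    monlist_confirmed is the added header check (assumption, not in the patent).
    """
    results = {ip: {"packets": 0, "bytes": 0,
                    "size_rule": False, "monlist_confirmed": False}
               for ip in probed}
    for src_ip, payload in packets:
        rec = results.get(src_ip)
        if rec is None:                # not a server under test: ignore
            continue
        rec["packets"] += 1
        rec["bytes"] += len(payload)
        if len(payload) < threshold:
            continue
        rec["size_rule"] = True
        hdr = parse_mode7(payload)
        if (hdr and hdr["response"] and hdr["err"] == 0
                and hdr["request_code"] in MONLIST_CODES
                and 8 + hdr["n_items"] * hdr["item_size"] <= len(payload)):
            rec["monlist_confirmed"] = True
    return results


def flagged(results, key="size_rule"):
    """Server IPs whose record has the given verdict flag set."""
    return sorted(ip for ip, rec in results.items() if rec[key])


def build_sample_response(n_items, item_size=72, more=False, seq=0):
    """Constructed mode 7 response with zeroed data items (test data only)."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", b0, seq & 0x7F, 3, 42, n_items, item_size)
    return header + bytes(n_items * item_size)


# Constructed sample: documentation-range addresses, not real servers.
PROBED = {"192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"}
SAMPLE_PACKETS = [
    ("192.0.2.10", build_sample_response(6, more=True, seq=0)),
    ("192.0.2.10", build_sample_response(6, more=True, seq=1)),
    ("192.0.2.10", build_sample_response(6, more=False, seq=2)),
    ("192.0.2.20", bytes([0x24]) + bytes(47)),    # 48-byte ordinary time reply
    ("192.0.2.30", bytes([0x1E]) + bytes(299)),   # large, but not mode 7
    ("198.51.100.99", build_sample_response(6)),  # never probed
]


def run_sample():
    return judge(SAMPLE_PACKETS, PROBED)


if __name__ == "__main__":
    res = run_sample()
    for ip in sorted(res):
        print(ip, res[ip])
    print("size rule:", flagged(res))
    print("monlist confirmed:", flagged(res, "monlist_confirmed"))
```

The gap between the two lists is the case a size-only threshold cannot separate: a large reply from a tested server that is not a monlist response.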
The embodiments of the present application provide a vulnerability detection method. The IP address of a Network Time Protocol (NTP) server is obtained first, and an attack payload containing a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: according to the attack payload, it generated a response packet occupying at least the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or did not filter the attack payload, and it can be concluded that the NTP server has a vulnerability. The embodiments of the present application can therefore detect NTP server vulnerabilities automatically, without manual detection, improving the efficiency and accuracy of vulnerability detection.
Based on the above vulnerability detection method, an embodiment of the present application also provides a vulnerability detection device. Fig. 2 shows a structural block diagram of the device, which includes:
An information acquisition unit 110, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
An attack payload sending unit 120, configured to send an attack payload to the NTP server according to the IP address;
A judging unit 130, configured to determine that the NTP server has a vulnerability if a destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, the information acquisition unit comprises:
A first acquisition unit, configured to read a target file and obtain the IP address of the NTP server from the target file; or,
A second acquisition unit, configured to find NTP servers by scanning with a port scanning tool and obtain the IP addresses of the NTP servers found; or,
A third acquisition unit, configured to find NTP servers by searching with a port search engine and obtain the IP addresses of the NTP servers found.
Optionally, there are multiple NTP servers, in which case the judging unit is specifically configured to:
If the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
Optionally, the attack payload comprises a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
The embodiments of the present application provide a vulnerability detection device. The IP address of a Network Time Protocol (NTP) server is obtained first, and an attack payload containing a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: according to the attack payload, it generated a response packet occupying at least the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or did not filter the attack payload, and it can be concluded that the NTP server has a vulnerability. The embodiments of the present application can therefore detect NTP server vulnerabilities automatically, without manual detection, improving the efficiency and accuracy of vulnerability detection.
The word "first" in names such as "first ..." mentioned in the embodiments of the present application is used only as a name identifier and does not denote first in order. The same rule applies to "second" and so on.
From the above description of the embodiments, those skilled in the art can clearly understand that all or some of the steps of the methods in the above embodiments can be implemented by software plus a general-purpose hardware platform. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as read-only memory (ROM)/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the methods described in the embodiments of the present application or in certain parts of the embodiments.
The embodiments in this specification are described in a progressive manner; identical and similar parts of the embodiments may be referred to across embodiments, and each embodiment focuses on its differences from the others. In particular, because the method embodiments and device embodiments are substantially similar to the system embodiments, they are described relatively briefly, and the relevant parts can be found in the description of the system embodiments. The device and system embodiments described above are only illustrative: modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of an embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only a preferred embodiment of the present application and is not intended to limit its scope of protection. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the present application, and these improvements and refinements shall also be regarded as falling within the scope of protection of the present application.

Claims (10)

1. A vulnerability detection method, characterized in that the method comprises:
Obtaining the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
Sending an attack payload to the NTP server according to the IP address, the attack payload including a destination address;
If the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, judging that the NTP server has a vulnerability, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
2. The method according to claim 1, characterized in that obtaining the IP address of the Network Time Protocol (NTP) server comprises:
Reading a target file and obtaining the IP address of the NTP server in the target file; or,
Scanning with a scanning tool to find NTP servers, and obtaining the IP address of the NTP server found by the scan; or,
Searching with a search engine to find NTP servers, and obtaining the IP address of the NTP server found by the search.
3. The method according to claim 1, characterized in that there are multiple NTP servers, and judging that the NTP server has a vulnerability if the destination address receives the response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to the preset number of bytes comprises:
If the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determining, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
4. The method according to any one of claims 1 to 3, characterized in that the attack payload includes a monlist query request.
5. The method according to any one of claims 1 to 3, characterized in that the preset number of bytes is 200 bytes.
6. A vulnerability detection device, characterized in that the device comprises:
An information acquisition unit, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
An attack payload sending unit, configured to send an attack payload to the NTP server according to the IP address;
A judging unit, configured to judge that the NTP server has a vulnerability if a destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
7. The device according to claim 6, characterized in that the information acquisition unit comprises:
A first acquisition unit, configured to read a target file and obtain the IP address of the NTP server in the target file; or,
A second acquisition unit, configured to find NTP servers by scanning with a port scanning tool and obtain the IP address of the NTP server found by the scan; or,
A third acquisition unit, configured to find NTP servers by searching with a port search engine and obtain the IP address of the NTP server found by the search.
8. The device according to claim 6, characterized in that there are multiple NTP servers, and the judging unit is specifically configured to:
If the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
9. The device according to any one of claims 6 to 8, characterized in that the attack payload includes a monlist query request.
10. The device according to any one of claims 6 to 8, characterized in that the preset number of bytes is 200 bytes.
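The judging rule of claims 1, 3 and 5, applied to packets already captured at the destination address, as an added example that is not part of the patent text. The mode 7 header check, the 72-byte entry size of the constructed samples and all function names are assumptions of this example; the claims themselves test only the response size.

```python
import struct

PRESET_BYTES = 200       # threshold from claims 5 and 10
MODE_PRIVATE = 7         # NTP mode 7 (private), the mode that carries monlist
REQ_MON_GETLIST_1 = 42   # mode 7 request code echoed in a monlist response
ITEM_SIZE = 72           # entry size used for the constructed samples below


def is_monlist_response(payload: bytes) -> bool:
    """True if a UDP payload is an NTP mode 7 response to a monlist query."""
    if len(payload) < 8:                      # shorter than the mode 7 header
        return False
    flags, _seq, _impl, req_code = struct.unpack_from("!BBBB", payload)
    is_response = bool(flags & 0x80)          # top bit is set on responses
    return (is_response and (flags & 0x07) == MODE_PRIVATE
            and req_code == REQ_MON_GETLIST_1)


def judge_servers(responses, preset=PRESET_BYTES):
    """responses: (server_ip, udp_payload) pairs captured at the destination.

    Returns {server_ip: largest qualifying response size} for every server
    judged vulnerable, attributed by source IP as in claim 3.
    """
    vulnerable = {}
    for server_ip, payload in responses:
        if is_monlist_response(payload) and len(payload) >= preset:
            vulnerable[server_ip] = max(vulnerable.get(server_ip, 0), len(payload))
    return vulnerable


def sample_response(n_items: int) -> bytes:
    """Constructed mode 7 response carrying n_items zero-filled entries."""
    header = struct.pack("!BBBBHH", 0x97, 0, 3, REQ_MON_GETLIST_1, n_items, ITEM_SIZE)
    return header + bytes(n_items * ITEM_SIZE)


# Constructed capture; the addresses come from the documentation ranges.
CAPTURE = [
    ("192.0.2.10", sample_response(6)),       # 440 bytes
    ("192.0.2.10", sample_response(3)),       # 224 bytes
    ("192.0.2.20", sample_response(2)),       # 152 bytes, under the threshold
    ("198.51.100.5", b"\x24" + bytes(47)),    # ordinary 48-byte time reply
    ("198.51.100.7", bytes(300)),             # large, but not a mode 7 reply
]

if __name__ == "__main__":
    print(judge_servers(CAPTURE))
```

With the per-packet 200-byte threshold, the constructed server at 192.0.2.20 answers the query but is not flagged because its reply carries only two entries, which is worth keeping in mind when reading a clean result.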

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811108276.6A CN109302390A (en) 2018-09-21 2018-09-21 A kind of leak detection method and device

Publications (1)

Publication Number Publication Date
CN109302390A true CN109302390A (en) 2019-02-01

Family

ID=65163723

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104735075A (en) * 2015-04-01 2015-06-24 河海大学 Bandwidth amplification vulnerability detection method based on Web server
CN105141647A (en) * 2014-06-04 2015-12-09 中国银联股份有限公司 Method and system for detecting Web application
CN105681133A (en) * 2016-03-14 2016-06-15 中国科学院计算技术研究所 Method for detecting whether DNS server can prevent network attack
CN107404465A (en) * 2016-05-20 2017-11-28 阿里巴巴集团控股有限公司 Network data analysis method and server
CN107786521A (en) * 2016-08-30 2018-03-09 中兴通讯股份有限公司 The method, apparatus and interchanger of defending distributed reflection denial service attack

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
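Anonymous: "(Repost) How to Discover NTP Amplification Attack Vulnerabilities", 《HTTP://WWW.JINGLINGSHU.ORG/?P=10795》 *
Anonymous: "How to Discover NTP Amplification Attack Vulnerabilities", 《HTTP://WWW.VOIDCN.COM/ARTICLE/P-FVJCADJC-BEA.HTML》 *
Anonymous: "How to Discover NTP Amplification Vulnerabilities - 心伤的胖子", 《HTTP://WWW.VULN.CN/6831》 *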

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110995676A (en) * 2019-11-22 2020-04-10 苏州浪潮智能科技有限公司 Semantic attack type denial of service vulnerability detection method
CN114124531A (en) * 2021-11-19 2022-03-01 北京灰度科技有限公司 Network defense system risk assessment method based on bypass attack simulation
CN114124531B (en) * 2021-11-19 2023-03-10 北京灰度科技有限公司 Network defense system risk assessment method based on bypass attack simulation, electronic equipment and storage medium


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190201
