CN109302390A - Vulnerability detection method and device - Google Patents
Publication number: CN109302390A
Application number: CN201811108276.6A
Authority: CN (China)
Prior art keywords: address, NTP server, NTP, server, response packet
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L63/1433: Vulnerability analysis
- G06F21/577: Assessing vulnerabilities and evaluating computer system security
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Abstract
The embodiments of the present application disclose a vulnerability detection method and device. The IP address of a Network Time Protocol (NTP) server is first obtained, and an attack payload that includes a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: it generated, according to the attack payload, a response packet whose size is greater than or equal to the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or filter the attack payload, and can therefore be considered vulnerable. The embodiments can thus detect vulnerabilities in NTP servers automatically, without manual detection, which improves the efficiency and accuracy of vulnerability detection.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to a vulnerability detection method and device.
Background art
Network Time Protocol (NTP) is one of the standards for time synchronization on the Internet. An NTP server can send an NTP message containing the current time to a client, so that the device adjusts its time after receiving the NTP message, achieving time synchronization between the client and the NTP server.
The standard NTP service provides the monlist query function, also known as MON_GETLIST, which can be used to monitor the service status of an NTP server. When a client sends a monlist query to an NTP server, the NTP server returns its recent service status to the client. Specifically, after receiving a monlist query request, the NTP server can obtain the Internet Protocol (IP) addresses of the last 600 clients that synchronized time with it, split these IP addresses into multiple response packets, and return the response packets to the client. For example, the number of response packets can be 100, and each response packet may include 6 IP addresses.
The NTP service is based on the User Datagram Protocol (UDP), a connectionless transport-layer protocol that provides a simple, unreliable, transaction-oriented message delivery service. An attacker can therefore easily forge the source IP address of an NTP request and send a monlist query request to the NTP server with the forged source IP address.
However, when the NTP server is vulnerable, it cannot filter or screen these forged source IP addresses, so it sends a large number of response packets to the forged source IP address, for example 100 UDP packets. In this way, by sending a small request packet, the attacker causes the NTP server to send a large number of response packets to a real source IP address, occupying the bandwidth of that address and, in severe cases, causing network congestion. This is an NTP amplification attack on the real source IP address.
To avoid this situation, vulnerability detection can be performed on NTP servers manually. If an NTP server has no vulnerability, there is no risk of attack; if it has a vulnerability, there is a risk of attack. However, manual detection is inefficient and error-prone.
Summary of the invention
To solve the above technical problem, the embodiments of the present application provide a vulnerability detection method and device that improve vulnerability detection efficiency when a Web application returns no echo.
The embodiments of the present application provide a vulnerability detection method, the method comprising:
Obtaining the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
Sending an attack payload to the NTP server according to the IP address;
If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, determining that the NTP server is vulnerable, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, obtaining the IP address of the NTP server comprises:
Reading a target file and obtaining the IP address of the NTP server in the target file; or,
Finding NTP servers by scanning with a scanning tool, and obtaining the IP addresses of the NTP servers found by the scan; or,
Finding NTP servers by searching with a search engine, and obtaining the IP addresses of the NTP servers found by the search.
Optionally, there are multiple NTP servers, in which case determining that the NTP server is vulnerable if the destination address receives a response packet sent by the NTP server and the size of the response packet is greater than or equal to the preset number of bytes comprises:
If the destination address receives response packets sent by multiple NTP servers, and the size of a response packet is greater than or equal to the preset number of bytes, determining, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address is vulnerable.
Optionally, the attack payload includes a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
The embodiments of the present application provide a vulnerability detection device, the device comprising:
An information acquisition unit, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
An attack payload sending unit, configured to send an attack payload to the NTP server according to the IP address;
A judging unit, configured to determine that the NTP server is vulnerable if the destination address receives a response packet sent by the NTP server and the size of the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, the information acquisition unit comprises:
A first acquisition unit, configured to read a target file and obtain the IP address of the NTP server in the target file; or,
A second acquisition unit, configured to find NTP servers by scanning with a port scanning tool and obtain the IP addresses of the NTP servers found by the scan; or,
A third acquisition unit, configured to find NTP servers by searching with a port search engine and obtain the IP addresses of the NTP servers found by the search.
Optionally, there are multiple NTP servers, in which case the judging unit is specifically configured to:
If the destination address receives response packets sent by multiple NTP servers, and the size of a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address is vulnerable.
Optionally, the attack payload includes a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
The embodiments of the present application provide a vulnerability detection method and device. The IP address of a Network Time Protocol (NTP) server is first obtained, and an attack payload that includes a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: it generated, according to the attack payload, a response packet whose size is greater than or equal to the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or filter the attack payload, and can therefore be considered vulnerable. The embodiments can thus detect vulnerabilities in NTP servers automatically, without manual detection, which improves the efficiency and accuracy of vulnerability detection.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present application more clearly, the drawings required for describing the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present application; those of ordinary skill in the art can obtain other drawings based on them.
Fig. 1 is a flow chart of a vulnerability detection method provided by an embodiment of the present application;
Fig. 2 is a structural block diagram of a vulnerability detection device provided by an embodiment of the present application.
Detailed description
The inventors found that the standard NTP service provides the monlist query function. Specifically, after receiving a monlist query request, the NTP server can obtain the IP addresses of the last 600 clients that synchronized time with it, split these IP addresses into multiple response packets, and return the response packets to the client. For example, the number of response packets can be 100, and each response packet may include 6 IP addresses.
An attacker can forge the source IP address of an NTP request and send a monlist query request to the NTP server with the forged source IP address. When the NTP server is vulnerable, it cannot filter or screen these forged source IP addresses, so it sends a large number of response packets to the real source IP address, for example 100 UDP packets. In this way, by sending a small request packet, the attacker causes the NTP server to send a large number of response packets to a real source IP address, occupying the bandwidth of that address and, in severe cases, causing network congestion. This is an NTP amplification attack on the real source IP address.
To avoid this situation, vulnerability detection can be performed on NTP servers manually. If an NTP server has no vulnerability, there is no risk of attack; if it has a vulnerability, there is a risk of attack. However, manual detection is inefficient and error-prone.
Based on this, the embodiments of the present application provide a vulnerability detection method and device that perform vulnerability detection with a penetration testing tool. Penetration testing is a mechanism for demonstrating that network defenses operate as planned; put simply, it assesses the security of a computer network system by simulating the attack methods of malicious hackers.
Specifically, the IP address of a Network Time Protocol (NTP) server is first obtained, and an attack payload that includes a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: it generated, according to the attack payload, a response packet whose size is greater than or equal to the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or filter the attack payload, and can therefore be considered vulnerable. The embodiments can thus detect vulnerabilities in NTP servers automatically, without manual detection, which improves the efficiency and accuracy of vulnerability detection.
The specific implementation of the vulnerability detection method and device provided by the embodiments of the present application is described in detail below through embodiments, with reference to the drawings.
Fig. 1 shows a flow chart of a vulnerability detection method provided by an embodiment of the present application. The method may be executed by a user terminal and may include the following steps.
S101: obtain the IP address of a Network Time Protocol (NTP) server.
Network Time Protocol (NTP) is one of the standards for time synchronization on the Internet. During time synchronization, the NTP server can send an NTP message including the sending time to the client, so that after receiving the NTP message the device adjusts the client's time according to the receiving time and the sending time in the NTP message, achieving time synchronization between the client and the NTP server.
The IP address of the NTP server is the logical address that the IP protocol provides for the NTP server.
As one possible implementation, obtaining the IP address of the NTP server may specifically be: reading a target file and obtaining the IP address of the NTP server in the target file. The target file can be imported by the user, and its format can be text (txt); for example, the target file server.txt may contain the IP addresses of NTP servers. In this approach, the user defines the IP addresses of the NTP servers, which allows the NTP servers to be tested to be chosen flexibly. It can be understood that the target file may also include the IP protocol port of the NTP server.
As another possible implementation, obtaining the IP address of the NTP server may specifically be: finding NTP servers by scanning with a scanning tool, and obtaining the IP addresses of the NTP servers found by the scan. In a specific implementation, the scanning tool scans the ports of network devices, NTP servers are identified according to the port type found by the scan, and the IP addresses of the NTP servers found are then obtained. The scanning tool can be, for example, Masscan. Specifically, an IP address range and/or port range can be preset, so that the scanning tool obtains the IP addresses of the NTP servers within that range. In this approach, the IP addresses of multiple NTP servers can be obtained quickly, and the user-defined IP address range and/or port range makes it possible to determine the NTP servers to be tested quickly and accurately.
As yet another possible implementation, obtaining the IP address and port of the NTP server may specifically be: finding NTP servers by searching with a search engine, and obtaining the IP addresses of the NTP servers found by the search. In a specific implementation, the search engine searches the ports of online network devices, NTP servers are identified according to the port type found by the search, and the IP addresses of the NTP servers found are then obtained. The search engine can be, for example, the Shodan search engine. Specifically, the Shodan search engine can provide a web application programming interface for obtaining all data of the Shodan website. In this approach, the desired data can be searched for automatically with preset search conditions; for example, the type of search can be preset so that the IP addresses of NTP servers are obtained automatically.
In the embodiments of the present application, the IP addresses of multiple NTP servers can be obtained, enabling batch detection of multiple NTP servers.
S102: send an attack payload to the NTP server according to the IP address of the NTP server.
The attack payload corresponds to the operation that the system executes after being compromised. The attack payload can be delivered together with other requests or sent on its own, so that the system performs the corresponding operation according to the attack payload. The attack payload can exist in text form, for example payloads.txt.
Because the NTP service provides the monlist query function, also known as MON_GETLIST, which can be used to monitor the service status of the NTP server, the attack payload can be, for example, a monlist query request that queries the recent service status of the NTP server, such as the IP addresses of the last 600 clients that synchronized time with the NTP server. The attack payload may include a destination address, which instructs the NTP server to send the response packets for the monlist query request to the destination address.
The attack payload can be sent to the NTP server according to the IP address of the NTP server, in order to perform vulnerability detection on the NTP server. The attack payload can also be sent to the NTP server according to both the IP address and the port of the NTP server.
After the NTP server receives the monlist query that includes the destination address, it can return its recent service status to the destination address. Specifically, the NTP server can obtain the IP addresses of the last 600 clients that synchronized time with it, split these IP addresses into multiple response packets, and return the response packets to the destination address. The number of response packets can be, for example, 100, and each response packet may include 6 IP addresses.
S103: if the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, determine that the NTP server is vulnerable.
After the attack payload is sent to the NTP server according to its IP address, or according to its IP address and port, an NTP server that is not vulnerable can detect and filter the attack payload and therefore does not execute the operation in the attack payload. Specifically, when the attack payload is a monlist query request, the NTP server either generates no response packet or generates a small response packet and sends it to the destination address; for example, the NTP server generates and sends to the destination address a response packet of 60 to 90 bytes. This shows that the NTP server has handled the attack payload appropriately, and the NTP server can be considered free of the NTP amplification attack vulnerability.
Conversely, an NTP server that is vulnerable cannot detect or filter the attack payload, and therefore executes the operation corresponding to the attack payload. Specifically, when the attack payload is a monlist query request, the NTP server forms multiple large response packets according to the monlist query request and sends them to the destination address. The NTP server can obtain the IP addresses of the last clients that synchronized time with it, for example the addresses of 600 clients, and split and package them into 100 response packets. Each response packet is large, for example 480 bytes, and these 100 response packets of 480 bytes are sent to the destination address. Therefore, if the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to the preset number of bytes, the NTP server is vulnerable and at risk of attack; when it is attacked, resources are easily consumed, and network congestion can even result.
Because the response packets that the NTP server generates and sends in response to a monlist query request are large, the size of a response packet received at the destination address can be compared with the preset number of bytes to judge whether the response packet was generated according to the monlist query request. If so, the NTP server is determined to be vulnerable. The preset number of bytes can be 200 bytes.
In a specific implementation, the attack payload can be sent to multiple NTP servers simultaneously according to their IP addresses, so the destination address may receive response packets sent by multiple NTP servers. In that case, it can first be determined whether a response packet is greater than or equal to the preset number of bytes; if so, the NTP server corresponding to the server IP address in the response packet is determined to be vulnerable. In a specific implementation, the IP addresses of the vulnerable NTP servers can also be stored in a text file, for follow-up maintenance of the NTP servers.
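The decision rule of S103, as an added example that is not part of the patent: it applies the 200-byte threshold to packets captured at the destination address and groups the results by source server IP. It goes one step beyond the page by also checking that a large packet really is an NTP mode 7 monlist response, since size alone can flag unrelated traffic. The function names, the sample packets and the choice to measure UDP payload length are assumptions.

```python
import struct
from collections import defaultdict

PRESET_BYTES = 200             # threshold given on the page
MODE_PRIVATE = 7               # NTP mode 7, the private mode that carries monlist
MON_GETLIST_CODES = {20, 42}   # MON_GETLIST and MON_GETLIST_1 request codes in ntpd


def parse_mode7(payload):
    """Decode the 8-byte NTP mode 7 header; return None for anything else."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, req, err_nitems, mbz_size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(b0 & 0x80),      # R bit: this is a reply, not a request
        "more": bool(b0 & 0x40),          # M bit: further packets follow
        "request_code": req,
        "error": err_nitems >> 12,        # non-zero when the server refused
        "items": err_nitems & 0x0FFF,     # client records in this packet
        "item_size": mbz_size & 0x0FFF,
    }


def is_monlist_data(payload):
    """True when the payload is a successful monlist reply that carries records."""
    hdr = parse_mode7(payload)
    return bool(hdr and hdr["response"] and hdr["error"] == 0
                and hdr["request_code"] in MON_GETLIST_CODES and hdr["items"] > 0)


def classify(packets, threshold=PRESET_BYTES):
    """packets: iterable of (source_ip, udp_payload) seen at the destination address.

    Assumption: the page's "preset number of bytes" is compared with the UDP
    payload length. 'size_rule' is the page's rule; 'confirmed' adds the header check.
    """
    report = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                  "size_rule": False, "confirmed": False})
    for src, payload in packets:
        entry = report[src]
        entry["packets"] += 1
        entry["bytes"] += len(payload)
        if len(payload) >= threshold:
            entry["size_rule"] = True
            if is_monlist_data(payload):
                entry["confirmed"] = True
    return dict(report)


def vulnerable_servers(report, strict=True):
    """Sorted server IPs to record for follow-up maintenance."""
    key = "confirmed" if strict else "size_rule"
    return sorted(ip for ip, entry in report.items() if entry[key])


def monlist_response(items=6, item_size=72):
    """Constructed sample: mode 7 reply header followed by zeroed client records."""
    first = 0x80 | 0x40 | (2 << 3) | MODE_PRIVATE
    return struct.pack("!BBBBHH", first, 0, 3, 42, items, item_size) + bytes(items * item_size)


# Constructed capture; all addresses are from documentation ranges.
SAMPLE_PACKETS = [
    ("192.0.2.10", monlist_response()),                       # 440-byte monlist data
    ("192.0.2.10", monlist_response()),
    ("192.0.2.10", monlist_response()),
    ("198.51.100.20", bytes([0x24]) + bytes(47)),             # ordinary 48-byte mode 4 reply
    ("198.51.100.21", struct.pack("!BBBBHH", 0x97, 0, 3, 42, 4 << 12, 0)),  # mode 7 error reply
    ("203.0.113.7", b"A" * 300),                              # large but not NTP
]

if __name__ == "__main__":
    result = classify(SAMPLE_PACKETS)
    print("size rule only:", vulnerable_servers(result, strict=False))
    print("header confirmed:", vulnerable_servers(result, strict=True))
```
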
The embodiments of the present application provide a vulnerability detection method. The IP address of a Network Time Protocol (NTP) server is first obtained, and an attack payload that includes a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: it generated, according to the attack payload, a response packet whose size is greater than or equal to the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or filter the attack payload, and can therefore be considered vulnerable. The embodiments can thus detect vulnerabilities in NTP servers automatically, without manual detection, which improves the efficiency and accuracy of vulnerability detection.
Based on the above vulnerability detection method, the embodiments of the present application also provide a vulnerability detection device. Fig. 2 is a structural block diagram of a vulnerability detection device provided by an embodiment of the present application. The device includes:
An information acquisition unit 110, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
An attack payload sending unit 120, configured to send an attack payload to the NTP server according to the IP address;
A judging unit 130, configured to determine that the NTP server is vulnerable if the destination address receives a response packet sent by the NTP server and the size of the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
Optionally, the information acquisition unit comprises:
A first acquisition unit, configured to read a target file and obtain the IP address of the NTP server in the target file; or,
A second acquisition unit, configured to find NTP servers by scanning with a port scanning tool and obtain the IP addresses of the NTP servers found by the scan; or,
A third acquisition unit, configured to find NTP servers by searching with a port search engine and obtain the IP addresses of the NTP servers found by the search.
Optionally, there are multiple NTP servers, in which case the judging unit is specifically configured to:
If the destination address receives response packets sent by multiple NTP servers, and the size of a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address is vulnerable.
Optionally, the attack payload includes a monlist query request.
Optionally, the preset number of bytes is 200 bytes.
The embodiments of the present application provide a vulnerability detection device. The IP address of a Network Time Protocol (NTP) server is first obtained, and an attack payload that includes a destination address is then sent to the NTP server according to that IP address. If the destination address receives a response packet sent by the NTP server, and the size of the response packet is greater than or equal to a preset number of bytes, the NTP server has executed the instruction in the attack payload: it generated, according to the attack payload, a response packet whose size is greater than or equal to the preset number of bytes and sent it to the destination address. In other words, the NTP server did not detect or filter the attack payload, and can therefore be considered vulnerable. The embodiments can thus detect vulnerabilities in NTP servers automatically, without manual detection, which improves the efficiency and accuracy of vulnerability detection.
The word "first" in names such as "first ..." mentioned in the embodiments of the present application is used only as a naming label and does not denote the first in order. The same rule applies to "second" and so on.
From the above description of the embodiments, those skilled in the art can clearly understand that all or part of the steps in the methods of the above embodiments can be implemented by software plus a general hardware platform. Based on this understanding, the technical solution of the present application can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as read-only memory (ROM)/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, or a network communication device such as a router) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present application.
The embodiments in this specification are described in a progressive manner. The same or similar parts of the embodiments may be referred to one another, and each embodiment focuses on its differences from the other embodiments. In particular, because the method embodiments and device embodiments are substantially similar to the system embodiments, they are described relatively briefly, and the relevant parts of the description of the system embodiments may be consulted. The device and system embodiments described above are only schematic. The modules described as separate components may or may not be physically separate, and the components shown as modules may or may not be physical modules; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of an embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above is only the preferred embodiment of the present application and is not intended to limit its scope of protection. It should be noted that those of ordinary skill in the art can make several improvements and refinements without departing from the present application, and these improvements and refinements should also be regarded as falling within the scope of protection of the present application.
Claims (10)
1. A vulnerability detection method, characterized in that the method comprises:
obtaining the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
sending an attack payload to the NTP server according to the IP address, the attack payload including a destination address;
if the destination address receives a response packet sent by the NTP server, and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, determining that the NTP server has a vulnerability, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
2. The method according to claim 1, characterized in that obtaining the IP address of the Network Time Protocol (NTP) server comprises:
reading a target file and obtaining the IP address of the NTP server in the target file; or,
scanning with a scanning tool to obtain an NTP server, and obtaining the IP address of the NTP server obtained by the scan; or,
searching with a search engine to obtain an NTP server, and obtaining the IP address of the NTP obtained by the search.
3. The method according to claim 1, characterized in that there are multiple NTPs, and the step of determining that the NTP server has a vulnerability if the destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to the preset number of bytes comprises:
if the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determining, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
4. The method according to any one of claims 1 to 3, characterized in that the attack payload includes a monlist query request.
5. The method according to any one of claims 1 to 3, characterized in that the preset number of bytes is 200 bytes.
6. A vulnerability detection device, characterized in that the device comprises:
an information acquisition unit, configured to obtain the Internet Protocol (IP) address of a Network Time Protocol (NTP) server;
an attack payload sending unit, configured to send an attack payload to the NTP server according to the IP address;
a judging unit, configured to determine that the NTP server has a vulnerability if a destination address receives a response packet sent by the NTP server and the storage space occupied by the response packet is greater than or equal to a preset number of bytes, the response packet being generated by the NTP server according to the attack payload and sent to the destination address.
7. The device according to claim 6, characterized in that the information acquisition unit comprises:
a first acquisition unit, configured to read a target file and obtain the IP address of the NTP server in the target file; or,
a second acquisition unit, configured to obtain an NTP server by scanning with a port scanning tool, and obtain the IP address of the NTP server obtained by the scan; or,
a third acquisition unit, configured to obtain an NTP server by searching with a port search engine, and obtain the IP address of the NTP obtained by the search.
8. The device according to claim 6, characterized in that there are multiple NTPs, and the judging unit is specifically configured to:
if the destination address receives response packets sent by multiple NTP servers, and the storage space occupied by a response packet is greater than or equal to the preset number of bytes, determine, according to the server IP address in the response packet, that the NTP server corresponding to that server IP address has a vulnerability.
9. The device according to any one of claims 6 to 8, characterized in that the attack payload includes a monlist query request.
10. The device according to any one of claims 6 to 8, characterized in that the preset number of bytes is 200 bytes.
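The judging step of claims 1, 3 and 5, sketched as an added example (not code from the patent): datagrams captured at the destination address are parsed as NTP mode 7 replies, and each source IP whose monlist reply reaches the 200-byte threshold is flagged. It assumes the claimed size is the UDP payload length and that monlist entries are 72 bytes; the function names and sample capture are constructed for illustration.

```python
import struct

PRESET_BYTES = 200                 # threshold from claims 5 and 10
MODE_PRIVATE = 7                   # NTP mode 7 carries monlist replies
MONLIST_CODES = {20, 42}           # ntpd REQ_MON_GETLIST, REQ_MON_GETLIST_1


def parse_mode7(payload):
    """Decode the 8-byte NTP mode 7 header; None if not a mode 7 datagram."""
    if len(payload) < 8:
        return None
    b0, _seq, _impl, req, w1, w2 = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return {"response": bool(b0 & 0x80), "more": bool(b0 & 0x40),
            "request_code": req, "err": w1 >> 12,
            "items": w1 & 0x0FFF, "item_size": w2 & 0x0FFF}


def flag_servers(datagrams, threshold=PRESET_BYTES):
    """Map each source IP to its largest monlist reply of >= threshold bytes."""
    flagged = {}
    for src_ip, payload in datagrams:
        hdr = parse_mode7(payload)
        if not hdr or not hdr["response"]:
            continue
        if hdr["request_code"] not in MONLIST_CODES:
            continue
        if len(payload) >= threshold:
            flagged[src_ip] = max(flagged.get(src_ip, 0), len(payload))
    return flagged


def sample_response(items, err=0, more=False):
    """Constructed mode 7 reply: 8-byte header plus `items` 72-byte entries."""
    b0 = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, 0, 3, 42, (err << 12) | items,
                      72 if items else 0)
    return hdr + bytes(72 * items)


# Constructed capture at the destination address (documentation IP range).
SAMPLE = [
    ("192.0.2.10", sample_response(6, more=True)),   # 440 bytes: full reply
    ("192.0.2.10", sample_response(3)),              # 224 bytes: last fragment
    ("192.0.2.20", sample_response(0, err=4)),       # 8 bytes: error, no data
    ("192.0.2.30", bytes([0x24]) + bytes(47)),       # 48 bytes: mode 4 time reply
    ("192.0.2.40", sample_response(2)),              # 152 bytes: below threshold
]

if __name__ == "__main__":
    for ip, size in flag_servers(SAMPLE).items():
        print(f"{ip}: monlist reply of {size} bytes, treat as exposed")
```

The 152-byte reply from 192.0.2.40 is still a monlist answer; it goes unflagged only because the claims test size alone, so a server with a short monitor list falls under the 200-byte threshold.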
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811108276.6A CN109302390A (en) | 2018-09-21 | 2018-09-21 | A kind of leak detection method and device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109302390A (en) | 2019-02-01 |
Family
ID=65163723
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811108276.6A Pending CN109302390A (en) | 2018-09-21 | 2018-09-21 | A kind of leak detection method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109302390A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN110995676A (en) * | 2019-11-22 | 2020-04-10 | 苏州浪潮智能科技有限公司 | Semantic attack type denial of service vulnerability detection method |
CN114124531A (en) * | 2021-11-19 | 2022-03-01 | 北京灰度科技有限公司 | Network defense system risk assessment method based on bypass attack simulation |
CN114124531B (en) * | 2021-11-19 | 2023-03-10 | 北京灰度科技有限公司 | Network defense system risk assessment method based on bypass attack simulation, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | Application publication date: 20190201 |