CN112398781B - Attack testing method, host server and control server - Google Patents

Attack testing method, host server and control server

Info

Publication number: CN112398781B
Application number: CN201910749235.3A
Authority: CN (China)
Other versions: CN112398781A
Other languages: Chinese (zh)
Prior art keywords: attack, test, control information, test control, information
Inventors: 何瑞平, 张卫国
Current assignee: Datang Mobile Communications Equipment Co Ltd
Original assignee: Datang Mobile Communications Equipment Co Ltd
Legal status: Active (granted patent)

Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (under H04L 63/1408, network security by monitoring network traffic; H04L 63/14, detecting or protecting against malicious traffic; H04L 63/00, network architectures or network communication protocols for network security; H04L, transmission of digital information; H04, electric communication technique; H, electricity)
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1458 Denial of Service (under H04L 63/1441, countermeasures against malicious traffic)


Abstract

The invention provides an attack testing method, a host server and a control server, which solve the problem of how to carry out an attack test against a core network service plane. The method of the invention comprises the following steps: when a distributed denial of service (DDoS) test is carried out, obtaining first test control information, wherein the first test control information is information used for indicating that an attack test is to be performed; generating attack traffic according to the first test control information; and sending the attack traffic to a service plane network element. Because the virtual hosts are controlled by the control server in the embodiment of the invention, a large-scale DDoS attack can be simulated safely and effectively without the spreading threat of a backdoor program or the harm brought by a botnet.

Description

Attack testing method, host server and control server
Technical Field
The present invention relates to the field of communications applications, and in particular, to an attack testing method, a host server, and a control server.
Background
With the commercial rollout of fifth generation mobile communication technology (5G), the network security of 5G is becoming more and more important. Aimed at its three application scenarios, enhanced mobile broadband, massive low-power connections, and low-latency high-reliability communication, 5G not only offers higher rates and lower latency but also penetrates every field of the Internet of Everything, such as remote medical treatment, industrial control and intelligent transportation, while cloud and mobile infrastructure gradually become a new platform for botnet activity. Network security therefore becomes especially important.
In order to test the network security performance, bandwidth and load capacity of the 5G network infrastructure, and in particular to verify the capability of the 5G network service plane (the user plane) to withstand distributed denial of service (DDoS) attacks (its Anti-DDoS capability), it is necessary to simulate DDoS attack traffic both on the radio access network (RAN) side and on the Internet side. At present, most DDoS stress testing schemes are aimed at fixed network and Internet applications, and there is no corresponding stress testing scheme for the 5G core network.
Disclosure of Invention
The invention aims to provide an attack testing method, a host server and a control server, which solve the problem of how to carry out an attack test against a core network service plane.
In order to achieve the above object, the present invention provides an attack testing method, applied to a host server, where the host server includes a virtual host, the method including:
when a distributed denial of service (DDoS) test is carried out, obtaining first test control information, wherein the first test control information is information used for indicating that an attack test is to be performed;
generating attack traffic according to the first test control information;
and sending the attack traffic to a service plane network element.
Before the obtaining of the first test control information, the method further includes:
receiving second test control information sent by a control server, wherein the second test control information is used for requesting the attribute information of the virtual host;
and sending the attribute information of the virtual host to the control server according to the second test control information, wherein the attribute information comprises at least one of an Internet Protocol (IP) address, an operating system type, central processing unit (CPU) information, memory information, network card load and system state information.
Generating attack traffic according to the first test control information includes:
when the command type in the first test control information is "start attack", parsing the test control information to obtain attack parameters, wherein the attack parameters comprise at least one of: the IP address of the attack target under test, the number of threads to create, the attack duration, the attack mode, the type of attack traffic and the direction of the attack traffic to be constructed;
and generating attack traffic according to the attack parameters.
Generating attack traffic according to the attack parameters includes:
calling the Python Scapy library to construct attack packets according to the attack parameters;
and processing the attack packets on the basis of the Linux protocol stack, Open vSwitch (OVS) and the Data Plane Development Kit (DPDK) to generate the attack traffic.
Wherein obtaining the first test control information comprises:
obtaining the first test control information through the Hypertext Transfer Protocol (HTTP).
When the attack traffic is uplink attack traffic, the outer source IP of the attack traffic is the base station IP and the outer destination IP is the N3 interface IP of the service plane network element; inside the GPRS Tunnelling Protocol for user data (GTP-U) encapsulation, the inner source IP is the terminal IP and the inner destination IP is a public network IP;
and when the attack traffic is downlink attack traffic, the source IP of the attack traffic is a public network IP and the destination IP is the terminal IP.
In order to achieve the above object, an embodiment of the present invention further provides an attack testing method, applied to a control server, where the control server is communicatively connected to at least one virtual host, the attack testing method including:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, wherein the first test control information is information used for indicating that an attack test is to be performed;
and when the test type is a distributed reflection denial of service (DRDoS) test, sending a service request message to a target server cluster, so that the target server cluster generates a request response message according to the service request message and sends the request response message to the service plane network element.
Wherein the first test control information comprises at least one of:
attack mode, command type, IP address of the attack target under test, type of attack traffic, number of threads to create, attack duration, ID of the virtual host receiving the test control information, and direction of the attack traffic to be constructed.
Wherein the type of attack traffic (the attack type) is represented by a value corresponding to an attack vector.
Wherein sending the first test control information to the virtual host includes:
sending the first test control information to the virtual host through the Hypertext Transfer Protocol (HTTP).
Wherein sending the first test control information to the virtual host includes:
sending second test control information to the virtual host, wherein the second test control information is used for requesting the attribute information of the virtual host;
receiving the attribute information sent by the virtual host, wherein the attribute information comprises at least one of an IP address, an operating system type, CPU information, memory information, network card load and system state information;
and sending the first test control information to the virtual host according to the attribute information.
In order to achieve the above object, an embodiment of the present invention further provides a host server, where the host server includes a virtual host and further includes: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
when a distributed denial of service (DDoS) test is carried out, obtaining first test control information, wherein the first test control information is information used for indicating that an attack test is to be performed;
generating attack traffic according to the first test control information;
and sending the attack traffic to a service plane network element.
Before executing the step of obtaining the first test control information, the processor is further configured to perform:
receiving second test control information sent by a control server, wherein the second test control information is used for requesting the attribute information of the virtual host;
and sending the attribute information of the virtual host to the control server according to the second test control information, wherein the attribute information comprises at least one of an Internet Protocol (IP) address, an operating system type, central processing unit (CPU) information, memory information, network card load and system state information.
Wherein the step, executed by the processor, of generating attack traffic according to the first test control information comprises:
when the command type in the first test control information is "start attack", parsing the test control information to obtain attack parameters, wherein the attack parameters comprise at least one of: the IP address of the attack target under test, the number of threads to create, the attack duration, the attack mode, the type of attack traffic and the direction of the attack traffic to be constructed;
and generating attack traffic according to the attack parameters.
Wherein the step, executed by the processor, of generating attack traffic according to the attack parameters comprises:
calling the Python Scapy library to construct attack packets according to the attack parameters;
and processing the attack packets on the basis of the Linux protocol stack, Open vSwitch (OVS) and the Data Plane Development Kit (DPDK) to generate the attack traffic.
Wherein the step, executed by the processor, of obtaining the first test control information comprises:
obtaining the first test control information through the Hypertext Transfer Protocol (HTTP).
When the attack traffic is uplink attack traffic, the outer source IP of the attack traffic is the base station IP and the outer destination IP is the N3 interface IP of the service plane network element; inside the GPRS Tunnelling Protocol for user data (GTP-U) encapsulation, the inner source IP is the terminal IP and the inner destination IP is a public network IP;
and when the attack traffic is downlink attack traffic, the source IP of the attack traffic is a public network IP and the destination IP is the terminal IP.
In order to achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the attack testing method applied to the host server as described above.
In order to achieve the above object, an embodiment of the present invention further provides a control server, where the control server is communicatively connected to at least one virtual host, and the control server includes: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, the processor implementing the following steps when executing the program:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, wherein the first test control information is information used for indicating that an attack test is to be performed;
and when the test type is a distributed reflection denial of service (DRDoS) test, sending a service request message to a target server cluster, so that the target server cluster generates a request response message according to the service request message and sends the request response message to the service plane network element.
Wherein the first test control information comprises at least one of:
attack mode, command type, IP address of the attack target under test, type of attack traffic, number of threads to create, attack duration, ID of the virtual host receiving the test control information, and direction of the attack traffic to be constructed.
Wherein the type of attack traffic (the attack type) is represented by a value corresponding to an attack vector.
Wherein the step, executed by the processor, of sending the first test control information to the virtual host includes:
sending the first test control information to the virtual host through the Hypertext Transfer Protocol (HTTP).
Wherein the step, executed by the processor, of sending the first test control information to the virtual host includes:
sending second test control information to the virtual host, wherein the second test control information is used for requesting the attribute information of the virtual host;
receiving the attribute information sent by the virtual host, wherein the attribute information comprises at least one of an IP address, an operating system type, CPU information, memory information, network card load and system state information;
and sending the first test control information to the virtual host according to the attribute information.
In order to achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the steps of the attack testing method applied to the control server as described above.
In order to achieve the above object, an embodiment of the present invention further provides a host server, where the host server includes a virtual host and further includes:
a first obtaining module, used for obtaining first test control information when a distributed denial of service (DDoS) test is carried out, wherein the first test control information is information used for indicating that an attack test is to be performed;
a generating module, used for generating attack traffic according to the first test control information;
and a first sending module, used for sending the attack traffic to a service plane network element.
In order to achieve the above object, an embodiment of the present invention further provides a control server, where the control server is communicatively connected to at least one virtual host, and the control server includes:
a determining module, used for determining the test type;
a second sending module, configured to send first test control information to a virtual host when the test type is a distributed denial of service (DDoS) test, wherein the first test control information is information used for indicating that an attack test is to be performed;
and a third sending module, used for sending a service request message to a target server cluster when the test type is a distributed reflection denial of service (DRDoS) test, so that the target server cluster generates a request response message according to the service request message and sends the request response message to the service plane network element.
The embodiments of the invention have the following beneficial effects:
According to the technical scheme of the embodiments of the invention, when a distributed denial of service (DDoS) test is carried out, test control information is obtained; attack traffic is generated according to the test control information; and the attack traffic is sent to a service plane network element. Because the virtual hosts are controlled by the control server, a large-scale DDoS attack can be simulated safely and effectively without the spreading threat of a backdoor program or the harm brought by a botnet.
Drawings
FIG. 1 is a schematic flow chart of an attack testing method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a test framework according to an embodiment of the present invention;
FIG. 3 is a second schematic diagram of a testing framework according to an embodiment of the present invention;
FIG. 4 is a block diagram of a virtual host according to an embodiment of the present invention;
FIG. 5 is a flowchart illustrating a virtual host according to an embodiment of the present invention;
FIG. 6 is a second flowchart illustrating an attack testing method according to an embodiment of the present invention;
FIG. 7 is a block diagram of a host server according to an embodiment of the present invention;
FIG. 8 is a block diagram of a host server according to an embodiment of the present invention;
FIG. 9 is a block diagram of a control server according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the invention are shown in the drawings, it should be understood that the invention can be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
The terms first, second and the like in the description and in the claims of the present application are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. In the description and in the claims "and/or" means at least one of the connected objects.
The following description provides examples and does not limit the scope, applicability, or configuration set forth in the claims. Changes may be made in the function and arrangement of elements discussed without departing from the spirit and scope of the disclosure. Various examples may omit, substitute, or add various procedures or components as appropriate. For example, the described methods may be performed in an order different than described, and various steps may be added, omitted, or combined. In addition, features described with reference to certain examples may be combined in other examples.
In order to enable those skilled in the art to better understand the attack testing method of the embodiment of the present invention, the following description is made.
A denial of service (DoS) attack targets a server or web service in a one-to-one manner. Distributed denial of service (DDoS) developed on the basis of DoS: by controlling hundreds of compromised client hosts (zombies, colloquially "broilers"), a clustered attack is launched in a many-to-one manner.
DDoS attacks are diverse in variety and form. They have developed from the early DoS attacks exploiting system vulnerabilities (such as Ping of Death) to today's volumetric DDoS attacks (such as SYN Flood, UDP Flood, ICMP Flood and ACK Flood) and application-layer DoS attacks (such as HTTP GET Flood, connection exhaustion and CC attacks), which occur more and more frequently. DDoS attacks launched at upper-layer protocols are harder to defend against, because the higher the layer, the more closely the protocol is tied to the service, so the situation faced by a defense system is more complicated. Besides such direct attacks, various reflection attacks, namely distributed reflection denial of service (DRDoS) attacks (such as Domain Name System (DNS) reflection and Network Time Protocol (NTP) reflection), have evolved: the attacker does not attack the target service IP directly, but spoofs the victim's IP address as the source and sends constructed request messages to Internet servers that expose certain special services; those servers then send reply data several times the size of the request to the attacked IP, indirectly forming a DDoS attack against the victim.
DDoS attacks fall into several categories:
1) Generating a large volume of useless data that congests the network toward the attacked host, so that the attacked host cannot communicate normally with the outside; examples are Internet Control Message Protocol floods (ICMP Flood) and volumetric UDP floods (UDP Flood).
2) Preventing the attacked host from processing other normal requests in time, such as Slowloris and hash collision attacks; these only work when particular environmental conditions are met.
3) Combining the exploitation of protocol and system defects with massive traffic: defects of a service program or transport protocol provided by the attacked host are exploited, and by repeatedly sending malformed attack data a large number of system resources are wrongly allocated to the attacker, so that the bandwidth resources of the attacked host, server or network are exhausted, the system stops responding or even crashes, and normal service or resource access cannot be provided; examples are SYN Flood and DNS Query Flood, which are currently the mainstream attacks.
The influence of large-scale DDoS attacks on a backbone network and a metropolitan area network core network is mainly shown in the following aspects:
1) a communication link of a core network is occupied by DDoS attack traffic;
2) DDoS attacks cause the load of network devices in a link to be too high;
3) the Quality of Service (QoS) of the client traffic affected by DDoS drops sharply.
Although DDoS attack modes are flexible and their types varied, a DDoS attack essentially launches a network bandwidth attack or a connectivity attack, either through high-volume traffic impact or by exploiting vulnerabilities and characteristics of network communication protocols, so that the target computer or network cannot provide normal service.
To simulate DDoS attack traffic, traditional DDoS stress testing mostly relies on professional instruments such as Spirent Avalanche; although their performance is stable and strong and their measurement precision is high, the equipment is expensive to purchase or lease, difficult to configure and complex to operate. Alternatively, a third-party online performance stress testing platform is used; although high-concurrency stress traffic can be simulated through content delivery network (CDN) nodes, the test scenarios are inflexible, the lease period is short and the packages are expensive. Alternatively, virtual private servers (VPS) and Internet data center (IDC) hosted servers are leased and open-source tools such as Trafgen, Hping3 and LOIC are set up manually for simulation, which suffers from a limited number of Internet Protocol (IP) resources and low stress traffic. Or DDoS-for-hire web services are bought or leased through darknet and grey-market channels, which carry high legal and transaction risk, and whose traffic stability and number of IP resources are hard to guarantee.
At present, most DDoS stress testing schemes target fixed network and Internet applications, and there is no corresponding stress testing scheme for the 5G core network.
An embodiment of the present invention provides an attack testing method, applied to a host server, where the host server includes a virtual host, and the virtual host is virtualized on the host server by the application container engine Docker. As shown in FIG. 1, the method includes:
Step 101: when a distributed denial of service (DDoS) test is carried out, obtaining first test control information, wherein the first test control information is information used for indicating that an attack test is to be performed.
Specifically, the first test control information is obtained through the Hypertext Transfer Protocol (HTTP).
When a DDoS test is carried out, the virtual host obtains the first test control information sent by the control server, wherein the first test control information comprises at least one of the following items:
attack mode, command type, IP address of the attack target under test, type of attack traffic, number of threads to create, attack duration, identifier (ID) of the virtual host receiving the test control information, and direction of the attack traffic to be constructed.
Wherein the attack mode comprises DDoS attack or DRDoS attack; the command type comprises start attack, stop attack or get virtual host information, and the command type in the first test control information is specifically start attack; the types of attack traffic comprise SYN flood, TCP flood, ACK flood and HTTP flood; and the direction of the attack traffic to be constructed comprises uplink attack traffic or downlink attack traffic.
When the attack traffic is uplink attack traffic, the outer source IP of the attack traffic is the base station IP and the outer destination IP is the N3 interface IP of the service plane network element; inside the GPRS Tunnelling Protocol for user data (GTP-U) encapsulation, the inner source IP is the terminal IP and the inner destination IP is a public network IP;
and when the attack traffic is downlink attack traffic, the source IP of the attack traffic is a public network IP and the destination IP is the terminal IP.
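The following is an added, runnable illustration of the uplink and downlink addressing rules described above; it is example code written for this page, not code from the patent. The patent builds its packets with Scapy, whereas this example uses only the Python standard library so that it runs without extra packages: it builds one uplink TCP SYN packet carried in GTP-U from an assumed gNB address to an assumed UPF N3 address, one downlink packet from an assumed public address to an assumed UE address, and decodes both to confirm that the outer and inner addresses land where the text says they should. All IP addresses, the TEID and the ports are constructed sample values, and the example emits bytes rather than sending them.

```python
import socket
import struct
from typing import Dict

GTPU_PORT = 2152     # UDP port registered for GTP-U (3GPP TS 29.281)
GTPU_G_PDU = 0xFF    # GTP-U message type carrying an encapsulated user IP packet (T-PDU)
PROTO_TCP, PROTO_UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (used for the IPv4 and TCP checksums)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (TTL 64, no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """20-byte TCP header with only SYN set, checksummed over the IPv4 pseudo-header."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 65535, 0, 0)
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, PROTO_TCP, len(hdr)))
    return hdr[:16] + struct.pack("!H", ones_complement_sum(pseudo + hdr)) + hdr[18:]


def gtpu_header(teid: int, payload_len: int) -> bytes:
    """8-byte GTP-U header: version 1, PT=1, no optional fields (flags 0x30);
    the length field counts the payload only, not this mandatory header."""
    return struct.pack("!BBHI", 0x30, GTPU_G_PDU, payload_len, teid)


def build_uplink_attack_packet(gnb_ip: str, upf_n3_ip: str, teid: int, ue_ip: str,
                               public_ip: str, dport: int = 80, seq: int = 1) -> bytes:
    """Uplink: outer gNB -> UPF N3 over UDP/2152 + GTP-U, inner UE -> public network (TCP SYN)."""
    inner_tcp = tcp_syn(ue_ip, public_ip, 40000, dport, seq)
    inner_ip = ipv4_header(ue_ip, public_ip, PROTO_TCP, len(inner_tcp)) + inner_tcp
    gtp = gtpu_header(teid, len(inner_ip)) + inner_ip
    # UDP checksum 0 means "absent", which IPv4 permits.
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, 8 + len(gtp), 0) + gtp
    return ipv4_header(gnb_ip, upf_n3_ip, PROTO_UDP, len(udp)) + udp


def build_downlink_attack_packet(public_ip: str, ue_ip: str, dport: int = 80, seq: int = 1) -> bytes:
    """Downlink: plain IP packet public network -> UE; the UPF adds the GTP-U tunnel toward the gNB."""
    tcp = tcp_syn(public_ip, ue_ip, 443, dport, seq)
    return ipv4_header(public_ip, ue_ip, PROTO_TCP, len(tcp)) + tcp


def describe(packet: bytes) -> Dict[str, object]:
    """Decode the outer addressing and, for a GTP-U G-PDU, the TEID and the inner addressing."""
    def ip_fields(b: bytes):
        return (b[0] & 0x0F) * 4, b[9], socket.inet_ntoa(b[12:16]), socket.inet_ntoa(b[16:20])

    ihl, proto, src, dst = ip_fields(packet)
    info: Dict[str, object] = {"outer_src": src, "outer_dst": dst}
    if proto == PROTO_UDP:
        udp = packet[ihl:]
        if struct.unpack("!H", udp[2:4])[0] == GTPU_PORT and udp[9] == GTPU_G_PDU:
            info["teid"] = struct.unpack("!I", udp[12:16])[0]
            _, _, info["inner_src"], info["inner_dst"] = ip_fields(udp[16:])
    return info


if __name__ == "__main__":
    # Constructed sample addresses: 10.0.0.0/8 for gNB and UPF N3, 172.16.0.0/12 for the UE,
    # 203.0.113.0/24 (RFC 5737 documentation range) for the public-network target.
    up = build_uplink_attack_packet("10.1.1.1", "10.2.2.2", 0x1234, "172.16.0.5", "203.0.113.10")
    down = build_downlink_attack_packet("203.0.113.10", "172.16.0.5")
    print("uplink  :", describe(up))
    print("downlink:", describe(down))
```

On the uplink side the base station IP and the N3 IP live only in the outer header, so a scrubbing system in front of the UPF that inspects just the outer packet sees one gNB talking to one UPF; the spoofed terminal address is only visible after GTP-U decapsulation, which is the point of testing this path separately from the downlink N6 path.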
As shown in Table 1, the test control information is packaged in key-value form over HTTP and sent to the virtual host with the matching unique ID.
TABLE 1 (present in the source only as an image; not reproduced here)
As shown in Table 2, the type of attack traffic is determined by the value of the attack vector, and the parameters required by each type are distributed uniformly by the control server.

Attack vector    Protocol value
SYN Flood        0x21
TCP Flood        0x22
ACK Flood        0x23
HTTP Flood       0x24
UDP Flood        0x25
CC Flood         0x26
GRE Flood        0x27

TABLE 2
Step 102: and generating attack flow according to the first test control information.
The attack traffic is the attack traffic flowing to the service plane network element N3 or N6 port.
Step 103: and sending the attack traffic to a service plane network element.
In the embodiment of the present invention, as shown in fig. 2, the pressure test platform (virtual host and control server) may simulate a base station (e.g., a gNB) or a Public Network (PDN), generate uplink and downlink DDoS attack traffic to the service plane Network elements N3 and N6 of the 5G core Network, and perform bidirectional pressure test on a device under test or an Anti-DDoS system (DUT or SUT under test). Uplink User Equipment (UE) traffic passing through the gNB is simulated, and the traffic is forwarded to the PDN network through a User Plane Function (UPF) by pressurizing the service plane security system. And the downlink can simulate internet data, the internet data is filtered by an IDC (Internet data center) or a telecommunication cloud security system, the flow is transmitted to the UPF (uplink packet flow), and the message is sent to a 5G base station (gNB) after being added with the tunnel message. The pressure measurement platform can simulate single DDoS attack flow or simulate mixed real safe flow and DDoS flow in the flow aspect; therefore, the cleaning capacity and the traffic bearing capacity of the security equipment are tested. In fig. 2, the WAF is a Web Application Firewall (Web Firewall), the IDS is an Intrusion Detection System (Intrusion Detection Systems), and the IPS is an Intrusion Prevention System (Intrusion Detection Systems).
In the attack testing method of the embodiment of the invention, test control information is obtained when a distributed denial of service (DDoS) test is performed; attack traffic is generated according to the test control information; and the attack traffic is sent to a service plane network element. Because the virtual hosts are controlled by the control server, a large-scale DDoS attack can be simulated safely and effectively, without the propagation threat of a backdoor program or the harm caused by a real botnet.
Further, before obtaining the first test control information, the method further includes:
receiving second test control information sent by the control server, where the second test control information requests the attribute information of the virtual host;
the command type of the second test control information is specifically 'acquire information';
and sending the attribute information of the virtual host to the control server according to the second test control information, where the attribute information includes at least one of: Internet Protocol (IP) address, operating system type, central processing unit (CPU) information, memory information, network card load and system state information.
Here, the virtual host sends its attribute information so that the control server can determine the first test control information according to the attribute information of the virtual host.
Further, generating attack traffic according to the first test control information includes:
when the command type in the first test control information is 'attack start', parsing the test control information to obtain attack parameters, where the attack parameters include at least one of: the IP of the attack target under test, the number of threads to create, the attack duration, the attack mode, the type of attack traffic and the direction in which the attack traffic is constructed;
and generating attack traffic according to the attack parameters.
Specifically, the Scapy library of Python is called to construct attack packets according to the attack parameters, and the packets are then processed by the Linux protocol stack, Open vSwitch (OVS) and the Data Plane Development Kit (DPDK) to generate the attack traffic.
In the specific embodiment of the invention, a botnet is constructed first. A botnet is a network of compromised machines ('broilers' or zombies) that an attacker controls through a Command and Control (C&C) server; once it reaches a certain scale, it can send forged or junk packets to overwhelm a predetermined target and deny service. Botnets are generally built in a passive or an active way. The passive way relies on spam, cracked software, trojan implants, bundled propagation, malicious website scripts, disguised shared files and the like to break into a host, implant a backdoor and have it download further malicious code automatically. In the active way, the attacker uses security scanning and penetration tools, or system, software and overflow vulnerabilities, and breaks in by brute force: for instance Structured Query Language (SQL) injection, or SSH and Telnet 'blasting' (brute-force cracking) with a username/password dictionary using tools such as hydra, Nmap and Medusa; after a successful break-in, a backdoor program is uploaded to the victim host. Such botnets are mainly used for extortion and cryptocurrency mining.
The attack traffic is generated on the model of a botnet: a botnet is built in client/server (C/S) mode, but the propagation and infectivity of a real botnet are removed. Only a non-infectious background program (the 'Malware' of the figures) is deployed in each virtual host's Docker container, the virtual hosts are securely isolated from one another, and the tester issues test tasks through the C&C server (BotMaster); a forward DDoS test or a reflective DRDoS test can be selected. A block diagram is shown in fig. 3.
When a DDoS test is performed, parameters such as attack mode, attack bandwidth and test duration can be configured through the Web console of the control server; they are converted into command control words and pushed to each virtual host in the botnet over HTTP. The virtual host can then launch uplink attack traffic toward the N3 interface, or downlink attack traffic toward the N6 interface.
When a DRDoS test is performed, no cluster attack by the botnet is needed. The control server directly simulates service requests such as DNS, NTP or SSDP; when the request message is constructed, its source IP (Src_IP) is set to the victim's IP (for example, the UPF N6 interface IP). After the service servers receive the requests, they return a large volume of response messages to that source IP, producing a DDoS attack; the attack effect is amplified by exploiting the weaknesses of these protocols.
During the test, the control server pulls the IP address, operating system type, CPU information, memory information, network card load, state information and so on from the information collection module of each virtual host in real time (pull mode).
Each virtual host in the botnet is virtualized in the host server through a Docker container, so a large number of hosts can be emulated. As shown in fig. 4, the Malware carried by each virtual host includes the following modules:
an information collection module, used to collect and report the system state, running information and so on of the virtual host;
an update module, used by the control server to upgrade the botnet in batches;
a communication module, used to interact with the control server through open ports such as 443/80 and to parse the command control words sent by the BotMaster;
a main control module, used to coordinate the creation and management of processes and threads among the programs;
an attack module, used to configure the destination IP address, port, number of threads, attack packet size, attack duration, whether the source IP is spoofed, the attack mode and so on, determine the uplink or downlink direction of the traffic, call the Scapy library of Python at the bottom layer to construct attack packets, and generate and send real attack traffic together with the Linux protocol stack and the OVS + DPDK suite.
Arbitrary traffic can be generated by assembling packets with the Scapy module, any message field can be modified, and the sending rules are flexible. With the DPDK + OVS scheme, the aggregate bandwidth, connection count and performance obtained when the traffic of every Bot host is superimposed on a single network interface controller (NIC) are maximized, with reliable effectiveness and stability.
The following describes the workflow of the virtual host in detail with reference to fig. 4.
As shown in fig. 5, the workflow includes:
Step 501: adding the self-start (autostart) entry.
Step 502: generating a plurality of sub-processes.
Step 503: creating a backdoor thread.
Step 504: the SendInfo thread sends the infected-host information and sends heartbeat information.
The heartbeat information is used to monitor whether the virtual host is working normally.
Step 505: the communication module waits for a command control word from the control server.
Step 506: the communication module receives the main control information.
The main control information contains the command control word.
Step 507: decrypting the message or instruction and parsing the DDoS attack parameters.
Step 508: determining whether the attack task is an immediate attack task or a timed (scheduled) attack task.
Step 509: the Scapy packet module assembles the attack traffic.
Step 510: the execution mode starts the attack, or stops it and collects statistics.
In the specific embodiment of the present invention, the uplink and downlink attack traffic toward the UPF must be customized according to the 5G core network service plane protocol specification. After the signaling plane has been set up, the Scapy attack flow can be constructed according to the following encapsulation format, where UE_IP, the tunnel endpoint identifier (TEID), the QoS flow identifier (QFI), gNB_IP, UPF_IP, the GTP-U protocol version number and so on are obtained from the core network manager and filled in.
When the botnet of the pressure test platform simulates the gNB and launches multiple uplink attack flows, the outer-layer Src_IP is gNB_IP and the destination IP is UPF_IP; after GTP-U encapsulation, the inner-layer Src_IP is UE_IP and Dst_IP is PDN_IP. Once the attack traffic has passed through the UPF and the GTP header has been removed, it therefore reaches the PDN side unhindered.
[Figure BDA0002166641030000141: uplink attack traffic encapsulation format; image not reproduced in this text.]
During a downlink attack, the botnet simulates the PDN, so Src_IP is the PDN IP and Dst_IP is the UE terminal IP; the packet is encapsulated in the following format.
[Figures BDA0002166641030000142 and BDA0002166641030000151: downlink attack traffic encapsulation format; images not reproduced in this text.]
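As an added example (not code from the patent, which uses Scapy), the uplink and downlink packet layouts described above can be built and checked in plain Python with the struct module. The byte layout follows 3GPP TS 29.281 (GTPv1-U header on UDP port 2152, message type G-PDU) with one PDU Session Container extension header carrying the QFI as defined in TS 38.415. The addresses, TEID, QFI and the small UDP-shaped inner payload are constructed sample values; the patent gives no concrete values. The parser shows what the UPF sees when it strips the tunnel: the inner UE_IP -> PDN_IP packet that then continues toward N6.

```python
"""GTP-U (3GPP TS 29.281) encapsulation of N3 attack traffic in plain Python.
Sample addresses, TEID and QFI are constructed values, not from the patent."""
import ipaddress
import struct

GTPU_PORT = 2152                  # UDP port registered for GTP-U
GTPU_G_PDU = 0xFF                 # message type G-PDU: payload is a user IP packet
EXT_PDU_SESSION = 0x85            # extension header type: PDU Session Container
PDU_TYPE_DL, PDU_TYPE_UL = 0, 1   # TS 38.415 PDU types carried in that container
PROTO_UDP = 17

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; returns 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-octet IPv4 header (no options) with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gtpu_header(teid: int, payload_len: int, qfi: int, uplink: bool) -> bytes:
    """GTPv1-U header with E=1, then the seq/N-PDU/next-ext octets and one
    4-octet PDU Session Container carrying the 6-bit QFI."""
    pdu_type = PDU_TYPE_UL if uplink else PDU_TYPE_DL
    container = struct.pack("!BBBB", 1, pdu_type << 4, qfi & 0x3F, 0)  # len=1 (x4 octets), next=0
    optional = struct.pack("!HBB", 0, 0, EXT_PDU_SESSION) + container
    flags = 0x30 | 0x04                    # 001 = version 1, PT=1 (GTP), E flag set
    length = len(optional) + payload_len   # Length field excludes the fixed 8 octets
    return struct.pack("!BBHI", flags, GTPU_G_PDU, length, teid) + optional

def build_n6_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Plain IP packet as seen on N6. Downlink: PDN_IP -> UE_IP; the same shape is
    the inner packet of uplink traffic (UE_IP -> PDN_IP)."""
    return ipv4_header(src, dst, proto, len(payload)) + payload

def build_n3_packet(outer_src: str, outer_dst: str, teid: int, qfi: int,
                    inner: bytes, uplink: bool) -> bytes:
    """Tunnel an inner IP packet in IPv4/UDP/GTP-U. Uplink: gNB_IP -> UPF_IP;
    downlink (what the UPF emits toward the gNB): UPF_IP -> gNB_IP."""
    gtp = gtpu_header(teid, len(inner), qfi, uplink)
    udp_len = 8 + len(gtp) + len(inner)
    udp = struct.pack("!HHHH", GTPU_PORT, GTPU_PORT, udp_len, 0)  # UDP checksum 0 = absent (IPv4)
    return ipv4_header(outer_src, outer_dst, PROTO_UDP, udp_len) + udp + gtp + inner

def parse_n3_packet(pkt: bytes) -> dict:
    """Decapsulate as the UPF would: validate outer IPv4/UDP/GTP-U, extract TEID and
    QFI, and return the inner addressing. Raises ValueError on malformed input."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ipv4_checksum(pkt[:ihl]) != 0 or pkt[9] != PROTO_UDP:
        raise ValueError("outer header is not valid IPv4/UDP")
    _, dport, udp_len, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    if dport != GTPU_PORT:
        raise ValueError("not GTP-U")
    g = pkt[ihl + 8:ihl + udp_len]
    flags, mtype, glen, teid = struct.unpack("!BBHI", g[:8])
    if flags >> 5 != 1 or not flags & 0x10 or mtype != GTPU_G_PDU:
        raise ValueError("not a GTPv1-U G-PDU")
    off, qfi = 8, None
    if flags & 0x07:                       # E, S or PN set: the 4 optional octets are present
        _, _, next_ext = struct.unpack("!HBB", g[8:12])
        off = 12
        while next_ext:                    # walk the extension chain until next type 0
            ext_len = g[off] * 4
            if next_ext == EXT_PDU_SESSION:
                qfi = g[off + 2] & 0x3F
            next_ext = g[off + ext_len - 1]
            off += ext_len
    inner = g[off:8 + glen]
    return {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
            "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "teid": teid, "qfi": qfi,
            "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
            "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
            "inner_proto": inner[9],
            "inner_payload": inner[(inner[0] & 0x0F) * 4:]}

# Constructed sample addressing (assumed lab values).
GNB_IP, UPF_N3_IP, UE_IP, PDN_IP = "10.1.1.10", "10.1.1.1", "100.64.0.5", "203.0.113.7"
TEID, QFI = 0x1234ABCD, 9
SAMPLE_UDP = b"\x00\x35\x00\x35\x00\x0c\x00\x00UPF!"   # constructed 12-octet UDP datagram

def uplink_sample() -> bytes:
    """gNB-simulated uplink: outer gNB_IP -> UPF_IP, inner UE_IP -> PDN_IP."""
    inner = build_n6_packet(UE_IP, PDN_IP, PROTO_UDP, SAMPLE_UDP)
    return build_n3_packet(GNB_IP, UPF_N3_IP, TEID, QFI, inner, uplink=True)

def downlink_sample() -> bytes:
    """PDN-simulated downlink injected on N6 (no tunnel): PDN_IP -> UE_IP."""
    return build_n6_packet(PDN_IP, UE_IP, PROTO_UDP, SAMPLE_UDP)
```

The parser refuses an outer header whose checksum does not verify, which is the first thing a real UPF or N3 firewall would drop; the downlink builder produces the plain PDN_IP -> UE_IP packet that the platform injects on N6, and build_n3_packet with uplink=False shows what the UPF emits toward the gNB once it has added the tunnel header.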
The format of the service plane stop-attack message is as follows:
[Figure BDA0002166641030000152: stop-attack message format; image not reproduced in this text.]
Isolation is maintained between the Bot hosts in the Docker virtual machines, and each Bot host's tasks are issued by the BotMaster. Each Bot host uses the multi-core, multi-queue technology of the Data Plane Development Kit (DPDK) to obtain exclusive use of physical CPU cores and huge-page memory on the host; Open vSwitch (OVS) decouples the containers from the NIC in the host, so that the superimposed attack traffic constructed by the Bot hosts reaches optimal performance and the highest packet-sending efficiency.
As shown in fig. 6, an embodiment of the present invention further provides an attack testing method, applied to a control server that is communicatively connected with at least one virtual host; the method includes:
Step 601: determining the test type.
The test type is a DDoS test or a DRDoS test.
Step 602: when the test type is a distributed denial of service (DDoS) test, sending first test control information to the virtual host, where the first test control information indicates that an attack test is to be performed.
The first test control information includes at least one of:
attack mode, command type, IP of the attack target under test, type of attack traffic, number of threads to create, attack duration, ID of the virtual host that receives the test control information, and direction in which the attack traffic is constructed. The attack type is represented by the value corresponding to the attack vector; see Tables 1 and 2.
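Added example, not code from the patent: one way to encode the first and second test control information as JSON command control words and validate them on the virtual host side, using the field list above (and the same parameters parsed in the host-side method) together with the attack vector values of Table 2. The field names, the command-type names, the thread cap, the target allow-list and the sample messages are assumptions; the patent does not specify the wire format. The allow-list check is an addition a tester would want: since the Malware in each container accepts targets from the network, refusing any target outside the lab ranges keeps a mis-sent or tampered command from turning the platform into a real attack tool.

```python
"""Command control words for the control server <-> virtual host protocol.
Field names, command types, allow-list and samples are assumptions."""
import ipaddress
import json
import os
import platform
from dataclasses import dataclass
from typing import Optional, Tuple

# Table 2: attack vector value -> type of attack traffic
ATTACK_VECTORS = {0x21: "syn_flood", 0x22: "tcp_flood", 0x23: "ack_flood", 0x24: "http_flood",
                  0x25: "udp_flood", 0x26: "cc_flood", 0x27: "gre_flood"}
COMMAND_TYPES = {"acquire_info", "attack_start", "attack_stop"}   # assumed command-type names
DIRECTIONS = {"uplink": "N3", "downlink": "N6"}                   # traffic direction -> UPF interface
MAX_THREADS = 64                                                  # assumed per-container cap
# Assumed allow-list: a virtual host refuses targets outside the lab's test ranges, so a
# mistyped or tampered command cannot point the platform at an arbitrary Internet host.
ALLOWED_TARGETS = [ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("203.0.113.0/24")]


@dataclass
class AttackTask:
    target_ip: str
    vector: str
    direction: str
    threads: int
    duration_s: int
    mode: str
    start_at: Optional[int]   # epoch seconds; None = immediate task, otherwise timed task (step 508)


def parse_command(raw: bytes, host_id: str) -> Tuple[Optional[str], Optional[AttackTask]]:
    """Decode one command control word. Returns (command_type, task); (None, None) when the
    word is addressed to another virtual host. Raises ValueError on invalid attack parameters."""
    msg = json.loads(raw)
    if msg.get("bot_id") != host_id:      # ID of the virtual host that receives the control information
        return None, None
    cmd = msg.get("cmd")
    if cmd not in COMMAND_TYPES:
        raise ValueError("unknown command type %r" % cmd)
    if cmd != "attack_start":             # acquire_info / attack_stop carry no attack parameters
        return cmd, None
    target = ipaddress.ip_address(msg["target_ip"])
    if not any(target in net for net in ALLOWED_TARGETS):
        raise ValueError("target %s outside allowed test ranges" % target)
    vector = ATTACK_VECTORS.get(int(msg["vector"]))
    if vector is None:
        raise ValueError("unknown attack vector 0x%x" % int(msg["vector"]))
    direction = msg.get("direction")
    if direction not in DIRECTIONS:
        raise ValueError("direction must be uplink (N3) or downlink (N6)")
    threads, duration = int(msg.get("threads", 1)), int(msg["duration_s"])
    if not 1 <= threads <= MAX_THREADS or duration <= 0:
        raise ValueError("thread count or duration out of range")
    return cmd, AttackTask(str(target), vector, direction, threads, duration,
                           msg.get("mode", "flood"), msg.get("start_at"))


def collect_attributes(host_ip: str) -> dict:
    """Reply to 'acquire_info' with the attribute set the control server pulls. Memory and
    network-card load are platform specific and left to the caller."""
    return {"ip": host_ip, "os": platform.system(), "cpu_count": os.cpu_count(),
            "load_1m": os.getloadavg()[0] if hasattr(os, "getloadavg") else None,
            "state": "idle"}


# Constructed sample command control words (assumed JSON encoding).
START_CMD = json.dumps({"bot_id": "bot-07", "cmd": "attack_start", "target_ip": "10.1.1.1",
                        "vector": 0x21, "direction": "uplink", "threads": 8, "duration_s": 60,
                        "mode": "flood"}).encode()
TIMED_CMD = json.dumps({"bot_id": "bot-07", "cmd": "attack_start", "target_ip": "203.0.113.7",
                        "vector": 0x25, "direction": "downlink", "threads": 4, "duration_s": 30,
                        "start_at": 1700000000}).encode()
STOP_CMD = json.dumps({"bot_id": "bot-07", "cmd": "attack_stop"}).encode()
```

A host applies parse_command to every word received by its communication module; a task with start_at set goes to a scheduler, a task without it starts at once, and any ValueError is reported back to the control server rather than acted on.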
Step 603: when the test type is a distributed reflection denial of service (DRDoS) test, sending service request messages to a target server cluster; the target server cluster generates request response messages according to the service request messages and sends them to the service plane network element.
The target server cluster may specifically be a cluster of third-party public network servers (DNS/NTP/SSDP/Memcached/chargen).
As shown in fig. 3, when a DDoS test is performed, parameters such as attack mode, attack bandwidth and test duration can be configured through the Web console of the control server; they are converted into command control words and pushed to each virtual host in the botnet over HTTP. The virtual host can then launch uplink attack traffic toward the N3 interface, or downlink attack traffic toward the N6 interface.
When a DRDoS test is performed, no cluster attack by the botnet is needed. The control server directly simulates service requests such as DNS, NTP or SSDP; when the request message is constructed, its source IP (Src_IP) is set to the victim's IP (for example, the UPF N6 interface IP). After the service servers receive the requests, they return a large volume of response messages to that source IP, producing a DDoS attack; the attack effect is amplified by exploiting the weaknesses of these protocols.
Further, sending the first test control information to the virtual host includes:
sending the first test control information to the virtual host through the hypertext transfer protocol (HTTP).
Further, sending the first test control information to the virtual host includes:
sending second test control information to the virtual host, where the second test control information requests the attribute information of the virtual host;
acquiring the attribute information sent by the virtual host, where the attribute information includes at least one of: IP address, operating system type, CPU information, memory information, network card load and system state information;
and sending the first test control information to the virtual host according to the attribute information.
The specific interaction between the control server and the virtual host is described in detail in the attack testing method applied to the virtual host and is not repeated here.
In the embodiment of the invention, the test type is determined; when the test type is a distributed denial of service (DDoS) test, first test control information indicating that an attack test is to be performed is sent to the virtual host; and when the test type is a distributed reflection denial of service (DRDoS) test, service request messages are sent to a target server cluster, which generates request response messages according to them and sends the responses to the service plane network element. The embodiment of the invention can thus perform a stress test with pure DRDoS or DDoS attack traffic, or an Anti-DDoS security pressure test with a mixture of normal service traffic and attack traffic.
The attack testing method of the embodiment of the invention has a low overall cost: it needs only a control server, a general-purpose x86 server, gigabit/10-gigabit network cards and a few optical fibres, and together with the Docker virtualization scheme it can simulate hundreds of zombie hosts to form a DDoS attack cluster.
As shown in fig. 7, an embodiment of the present invention further provides a host server that includes a virtual host and further includes a transceiver, a memory, a processor, and a computer program stored in the memory and executable on the processor; when executing the computer program, the processor implements the following steps:
when a distributed denial of service (DDoS) test is performed, obtaining first test control information, where the first test control information indicates that an attack test is to be performed;
generating attack traffic according to the first test control information;
and sending the attack traffic to a service plane network element.
In fig. 7, the bus architecture may include any number of interconnected buses and bridges linking together various circuits, in particular one or more processors represented by processor 700 and memory represented by memory 720. The bus architecture may also link together other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 710 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other apparatus over a transmission medium. The processor 700 is responsible for managing the bus architecture and general processing, and the memory 720 may store data used by the processor 700 in performing operations.
Optionally, before executing the program for obtaining the first test control information, the processor 700 is further configured to:
receive second test control information sent by a control server, where the second test control information requests the attribute information of the virtual host;
and send the attribute information of the virtual host to the control server according to the second test control information, where the attribute information includes at least one of: Internet Protocol (IP) address, operating system type, central processing unit (CPU) information, memory information, network card load and system state information.
Optionally, when the processor 700 executes the program for generating attack traffic according to the first test control information, the steps include:
when the command type in the first test control information is 'attack start', parsing the test control information to obtain attack parameters, where the attack parameters include at least one of: the IP of the attack target under test, the number of threads to create, the attack duration, the attack mode, the type of attack traffic and the direction in which the attack traffic is constructed;
and generating attack traffic according to the attack parameters.
Optionally, when the processor 700 executes the program for generating attack traffic according to the attack parameters, the steps include:
calling the Scapy library of Python to construct attack packets according to the attack parameters;
and processing the attack packets with the Linux protocol stack, Open vSwitch (OVS) and the Data Plane Development Kit (DPDK) to generate the attack traffic.
Optionally, when the processor 700 executes the program for obtaining the first test control information, the steps include:
obtaining the first test control information through the hypertext transfer protocol (HTTP).
Optionally, when the attack traffic is uplink attack traffic, the outer-layer source IP in the attack traffic is the base station IP and the destination IP is the N3 interface IP of the service plane network element, and after encapsulation with the GPRS Tunnelling Protocol for user data (GTP-U), the inner-layer source IP in the attack traffic is the terminal IP and the destination IP is a public network IP;
and when the attack traffic is downlink attack traffic, the source IP in the attack traffic is a public network IP and the destination IP is the terminal IP.
The host server of the embodiment of the invention obtains test control information when a distributed denial of service (DDoS) test is performed, generates attack traffic according to the test control information, and sends the attack traffic to a service plane network element. Because the virtual hosts are controlled by the control server, a large-scale DDoS attack can be simulated safely and effectively, without the propagation threat of a backdoor program or the harm caused by a real botnet.
The host server of the embodiment of the invention can realize all the implementations of the attack testing method applied to the host server side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
In some embodiments of the invention, a computer readable storage medium is also provided, on which a computer program is stored; when executed by a processor, the program performs the following steps:
when a distributed denial of service (DDoS) test is performed, obtaining first test control information, where the first test control information indicates that an attack test is to be performed;
generating attack traffic according to the first test control information;
and sending the attack traffic to a service plane network element.
When executed by the processor, the program can realize all the implementations of the attack testing method embodiment applied to the virtual host side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
As shown in fig. 8, an embodiment of the present invention further provides a host server, which includes a virtual host and further includes:
a first obtaining module 801, configured to obtain first test control information when a distributed denial of service (DDoS) test is performed, where the first test control information indicates that an attack test is to be performed;
a generating module 802, configured to generate attack traffic according to the first test control information;
a first sending module 803, configured to send the attack traffic to a service plane network element.
The host server of the embodiment of the invention further includes:
a receiving module, configured to receive second test control information sent by a control server before the first obtaining module obtains the first test control information, where the second test control information requests the attribute information of the virtual host;
and a fourth sending module, configured to send the attribute information of the virtual host to the control server according to the second test control information, where the attribute information includes at least one of: Internet Protocol (IP) address, operating system type, central processing unit (CPU) information, memory information, network card load and system state information.
In the host server of the embodiment of the present invention, the generating module includes:
a first obtaining sub-module, configured to parse the test control information to obtain attack parameters when the command type in the first test control information is 'attack start', where the attack parameters include at least one of: the IP of the attack target under test, the number of threads to create, the attack duration, the attack mode, the type of attack traffic and the direction in which the attack traffic is constructed;
and a generating sub-module, configured to generate attack traffic according to the attack parameters.
In the host server of the embodiment of the present invention, the generating sub-module includes:
a calling unit, configured to call the Scapy library of Python to construct attack packets according to the attack parameters;
and a generating unit, configured to process the attack packets with the Linux protocol stack, Open vSwitch (OVS) and the Data Plane Development Kit (DPDK) to generate the attack traffic.
In the host server of the embodiment of the present invention, the first obtaining module is configured to obtain the first test control information through the hypertext transfer protocol (HTTP).
In the host server of the embodiment of the present invention, when the attack traffic is uplink attack traffic, the outer-layer source IP in the attack traffic is the base station IP and the destination IP is the N3 interface IP of the service plane network element, and after encapsulation with the GPRS Tunnelling Protocol for user data (GTP-U), the inner-layer source IP in the attack traffic is the terminal IP and the destination IP is a public network IP;
and when the attack traffic is downlink attack traffic, the source IP in the attack traffic is a public network IP and the destination IP is the terminal IP.
The host server of the embodiment of the invention obtains test control information when a distributed denial of service (DDoS) test is performed, generates attack traffic according to the test control information, and sends the attack traffic to a service plane network element. Because the virtual hosts are controlled by the control server, a large-scale DDoS attack can be simulated safely and effectively, without the propagation threat of a backdoor program or the harm caused by a real botnet.
The host server of the embodiment of the invention can realize all the implementations of the attack testing method applied to the host server side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
An embodiment of the present invention further provides a control server, communicatively connected with at least one virtual host, whose structure is the same as that of the host server shown in fig. 7; the control server includes a transceiver, a memory, a processor, and a program stored in the memory and executable on the processor, and when executing the program the processor implements the following steps:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, where the first test control information indicates that an attack test is to be performed;
and when the test type is a distributed reflection denial of service (DRDoS) test, sending service request messages to a target server cluster, which generates request response messages according to the service request messages and sends them to a service plane network element.
In fig. 7, the bus architecture may include any number of interconnected buses and bridges linking together various circuits, in particular one or more processors represented by processor 700 and memory represented by memory 720. The bus architecture may also link together other circuits such as peripherals, voltage regulators and power management circuits, which are well known in the art and are not described further here. The bus interface provides an interface. The transceiver 710 may be a number of elements, including a transmitter and a receiver, that provide a means for communicating with various other apparatus over a transmission medium. The processor 700 is responsible for managing the bus architecture and general processing, and the memory 720 may store data used by the processor 700 in performing operations.
Optionally, the first test control information includes at least one of:
attack mode, command type, IP of the attack target under test, type of attack traffic, number of threads to create, attack duration, ID of the virtual host that receives the test control information, and direction in which the attack traffic is constructed.
Optionally, the attack type is represented by the value corresponding to the attack vector.
Optionally, when the processor 700 executes the program for sending the first test control information to the virtual host, the steps include:
sending the first test control information to the virtual host through the hypertext transfer protocol (HTTP).
Optionally, when the processor 700 executes the program for sending the first test control information to the virtual host, the steps include:
sending second test control information to the virtual host, where the second test control information requests the attribute information of the virtual host;
acquiring the attribute information sent by the virtual host, where the attribute information includes at least one of: IP address, operating system type, CPU information, memory information, network card load and system state information;
and sending the first test control information to the virtual host according to the attribute information.
The control server of the embodiment of the invention can perform a stress test with pure DRDoS or DDoS attack traffic, or an Anti-DDoS security pressure test with a mixture of normal service traffic and attack traffic.
The control server of the embodiment of the present invention can implement all the implementations of the attack testing method applied to the control server side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
In some embodiments of the invention, a computer readable storage medium is also provided, on which a computer program is stored; when executed by a processor, the program performs the following steps:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, where the first test control information indicates that an attack test is to be performed;
and when the test type is a distributed reflection denial of service (DRDoS) test, sending service request messages to a target server cluster, which generates request response messages according to the service request messages and sends them to a service plane network element.
When executed by the processor, the program can realize all the implementations of the attack testing method embodiment applied to the control server side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
As shown in fig. 9, an embodiment of the present invention further provides a control server, communicatively connected with at least one virtual host, which includes:
a determining module 901, configured to determine a test type;
a second sending module 902, configured to send first test control information to a virtual host when the test type is a distributed denial of service (DDoS) test, where the first test control information indicates that an attack test is to be performed;
a third sending module 903, configured to send service request messages to a target server cluster when the test type is a distributed reflection denial of service (DRDoS) test, where the target server cluster generates request response messages according to the service request messages and sends them to a service plane network element.
In the control server of the embodiment of the present invention, the first test control information includes at least one of:
attack mode, command type, IP of the attack target under test, type of attack traffic, number of threads to create, attack duration, ID of the virtual host that receives the test control information, and direction in which the attack traffic is constructed.
In the control server of the embodiment of the present invention, the attack type is represented by the value corresponding to the attack vector.
In the control server of the embodiment of the present invention, the second sending module is configured to send the first test control information to the virtual host through the hypertext transfer protocol (HTTP).
In the control server of the embodiment of the present invention, the second sending module includes:
a first sending sub-module, configured to send second test control information to the virtual host, where the second test control information requests the attribute information of the virtual host;
a second obtaining sub-module, configured to obtain the attribute information sent by the virtual host, where the attribute information includes at least one of: IP address, operating system type, CPU information, memory information, network card load and system state information;
and a second sending sub-module, configured to send the first test control information to the virtual host according to the attribute information.
The control server of the embodiment of the invention can perform a stress test with pure DRDoS or DDoS attack traffic, or an Anti-DDoS security pressure test with a mixture of normal service traffic and attack traffic.
The control server of the embodiment of the present invention can implement all the implementations of the attack testing method applied to the control server side and achieve the same technical effect; to avoid repetition, the details are not repeated here.
In various embodiments of the present invention, it should be understood that the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation on the implementation process of the embodiments of the present invention.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (24)

1. An attack testing method is applied to a host server, the host server comprises a virtual host, and the method is characterized by comprising the following steps:
when a distributed denial of service (DDoS) test is carried out, first test control information is obtained, wherein the first test control information is used for indicating to carry out an attack test;
generating attack flow according to the first test control information;
sending the attack traffic to a service plane network element;
when the attack traffic is uplink attack traffic, an outer source IP in the attack traffic is a base station IP, a target IP is an N3 port IP of a service plane network element, and after encapsulation with the GTP-U protocol (GPRS Tunnelling Protocol for user data), an inner source IP in the attack traffic is a terminal IP and the target IP is a public network IP;
and when the attack traffic is downlink attack traffic, a source IP in the attack traffic is a public network IP, and a target IP is a terminal IP.
2. The method of claim 1, wherein before obtaining the first test control information, further comprising:
receiving second test control information sent by a control server, wherein the second test control information is used for requesting to acquire attribute information of the virtual host;
and sending attribute information of the virtual host to a control server according to the second test control information, wherein the attribute information comprises at least one of an Internet Protocol (IP) address, an operating system type, Central Processing Unit (CPU) information, memory information, network card load and system state information.
3. The method of claim 1, wherein generating attack traffic based on the first test control information comprises:
under the condition that the command type in the first test control information is attack starting, analyzing the test control information to obtain attack parameters, wherein the attack parameters comprise: at least one of IP of the tested attack object, created thread number, attack duration, attack mode, type of attack flow and constructed direction of attack flow;
and generating attack flow according to the attack parameters.
4. The method of claim 3, wherein generating attack traffic based on the attack parameters comprises:
calling the Scapy library of Python to construct an attack data packet according to the attack parameters;
and processing the attack data packet based on a Linux protocol stack, an Open vSwitch (OVS) and a Data Plane Development Kit (DPDK) suite to generate attack traffic.
5. The method of claim 1, wherein obtaining first test control information comprises:
and acquiring first test control information through the hypertext transfer protocol (HTTP).
6. An attack testing method is applied to a control server, the control server is in communication connection with at least one virtual host, and the attack testing method is characterized by comprising the following steps:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, wherein the first test control information is information for indicating attack test;
when the test type is a distributed reflection denial of service (DRDoS) test, sending a service request message to a target server cluster, the target server cluster generating a request response message according to the service request message and sending the request response message to a service plane network element;
when the attack flow corresponding to the attack test is the uplink attack flow, the outer layer source IP in the attack flow is a base station IP, the target IP is an N3 port IP of a service plane network element, and after being packaged by a GTP-U protocol, the inner layer source IP in the attack flow is a terminal IP and the target IP is a public network IP;
and when the attack flow corresponding to the attack test is downlink attack flow, a source IP in the attack flow is a public network IP, and a target IP is a terminal IP.
7. The method of claim 6, wherein the first test control information comprises at least one of:
attack mode, command type, IP of the tested attack object, type of attack traffic, created thread number, attack duration, ID of the virtual host receiving the test control information and constructed attack traffic direction.
8. The method of claim 7, wherein the type of attack traffic is represented by values corresponding to attack vectors.
9. The method of claim 6, wherein sending the first test control information to the virtual host comprises:
and sending first test control information to the virtual host through the hypertext transfer protocol (HTTP).
10. The method of claim 6, wherein sending the first test control information to the virtual host comprises:
sending second test control information to the virtual host, wherein the second test control information is used for requesting to acquire the attribute information of the virtual host;
acquiring attribute information sent by a virtual host, wherein the attribute information comprises at least one of an IP address, an operating system type, CPU (central processing unit) information, memory information, network card load and system state information;
and sending first test control information to the virtual host according to the attribute information.
11. A host server, the host server comprising a virtual host, further comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of:
when a distributed denial of service (DDoS) test is carried out, first test control information is obtained, wherein the first test control information is used for indicating to carry out an attack test;
generating attack flow according to the first test control information;
sending the attack traffic to a service plane network element;
when the attack traffic is uplink attack traffic, an outer source IP in the attack traffic is a base station IP, a target IP is an N3 port IP of a service plane network element, and after encapsulation with the GTP-U protocol (GPRS Tunnelling Protocol for user data), an inner source IP in the attack traffic is a terminal IP and the target IP is a public network IP;
and when the attack traffic is downlink attack traffic, a source IP in the attack traffic is a public network IP, and a target IP is a terminal IP.
12. The host server of claim 11, wherein the processor, before performing the step of obtaining the first test control information, is further configured to perform:
receiving second test control information sent by a control server, wherein the second test control information is used for requesting to acquire attribute information of the virtual host;
and sending attribute information of the virtual host to a control server according to the second test control information, wherein the attribute information comprises at least one of an Internet Protocol (IP) address, an operating system type, Central Processing Unit (CPU) information, memory information, network card load and system state information.
13. The host server of claim 11, wherein the processor executing the program that generates attack traffic based on the first test control information comprises:
under the condition that the command type in the first test control information is attack starting, analyzing the test control information to obtain attack parameters, wherein the attack parameters comprise: at least one of IP of the tested attack object, created thread number, attack duration, attack mode, type of attack flow and constructed direction of attack flow;
and generating attack flow according to the attack parameters.
14. The host server of claim 13, wherein the processor executing the program that generates attack traffic based on the attack parameters comprises:
calling the Scapy library of Python to construct an attack data packet according to the attack parameters;
and processing the attack data packet based on a Linux protocol stack, an Open vSwitch (OVS) and a Data Plane Development Kit (DPDK) suite to generate attack traffic.
15. The host server of claim 11, wherein the processor executing the program for obtaining the first test control information comprises:
and acquiring first test control information through the hypertext transfer protocol (HTTP).
16. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the attack testing method according to any one of claims 1 to 5.
17. A control server communicatively coupled to at least one virtual host, comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor, wherein the processor when executing the program performs the steps of:
determining a test type;
when the test type is a distributed denial of service (DDoS) test, sending first test control information to a virtual host, wherein the first test control information is information for indicating attack test;
when the test type is a distributed reflection denial of service (DRDoS) test, sending a service request message to a target server cluster, the target server cluster generating a request response message according to the service request message and sending the request response message to a service plane network element;
when the attack flow corresponding to the attack test is the uplink attack flow, the outer layer source IP in the attack flow is a base station IP, the target IP is an N3 port IP of a service plane network element, and after being packaged by a GTP-U protocol, the inner layer source IP in the attack flow is a terminal IP and the target IP is a public network IP;
and when the attack flow corresponding to the attack test is downlink attack flow, a source IP in the attack flow is a public network IP, and a target IP is a terminal IP.
18. The control server of claim 17, wherein the first test control information comprises at least one of:
attack mode, command type, IP of the tested attack object, type of attack traffic, created thread number, attack duration, ID of the virtual host receiving the test control information and constructed attack traffic direction.
19. The control server of claim 18, wherein the type of attack traffic is represented by values corresponding to attack vectors.
20. The control server of claim 17, wherein the step of the processor executing the program for sending the first test control information to the virtual host comprises:
and sending first test control information to the virtual host through the hypertext transfer protocol (HTTP).
21. The control server of claim 17, wherein the step of the processor executing the program for sending the first test control information to the virtual host comprises:
sending second test control information to the virtual host, wherein the second test control information is used for requesting to acquire the attribute information of the virtual host;
acquiring attribute information sent by a virtual host, wherein the attribute information comprises at least one of an IP address, an operating system type, CPU (central processing unit) information, memory information, network card load and system state information;
and sending first test control information to the virtual host according to the attribute information.
22. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the attack testing method according to any one of claims 6 to 10.
23. A host server, the host server comprising a virtual host, further comprising:
a first acquisition module, configured to acquire first test control information when a distributed denial of service (DDoS) test is carried out, wherein the first test control information is used for indicating to carry out an attack test;
the generating module is used for generating attack flow according to the first test control information;
the first sending module is used for sending the attack traffic to a service plane network element;
when the attack traffic is uplink attack traffic, an outer source IP in the attack traffic is a base station IP, a target IP is an N3 port IP of a service plane network element, and after encapsulation with the GTP-U protocol (GPRS Tunnelling Protocol for user data), an inner source IP in the attack traffic is a terminal IP and the target IP is a public network IP;
and when the attack traffic is downlink attack traffic, a source IP in the attack traffic is a public network IP, and a target IP is a terminal IP.
24. A control server communicatively coupled to at least one virtual host, comprising:
the determining module is used for determining the test type;
a second sending module, configured to send first test control information to a virtual host when the test type is a distributed denial of service (DDoS) test, where the first test control information is information used to instruct to perform an attack test;
a third sending module, configured to send a service request message to a target server cluster when the test type is a distributed reflection denial of service (DRDoS) test, where the target server cluster generates a request response message according to the service request message and sends the request response message to a service plane network element;
when the attack flow corresponding to the attack test is the uplink attack flow, the outer layer source IP in the attack flow is a base station IP, the target IP is an N3 port IP of a service plane network element, and after being packaged by a GTP-U protocol, the inner layer source IP in the attack flow is a terminal IP and the target IP is a public network IP;
and when the attack flow corresponding to the attack test is downlink attack flow, a source IP in the attack flow is a public network IP, and a target IP is a terminal IP.
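Claims 1 and 6 above fix the shape of the test traffic as seen at the service plane network element: uplink traffic is GTP-U tunnelled, with a base station IP as outer source, the N3 port IP as outer target, a terminal IP as inner source and a public IP as inner target; downlink traffic carries a public source IP and a terminal target IP. The same description doubles as a detection rule for the element under test, which is how a defender would want to use it. The following is an added example, not code from the patent or from its applicant: it classifies a decoded packet as uplink or downlink by those definitions and reports every way the packet departs from the expected shape (unknown base station, inner source outside the terminal pool, non-public inner destination). The addresses, the base station list, the terminal pool and the network standing in for the public Internet are constructed assumptions; the packet fields are taken as already decoded, since the page does not specify a capture format.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class N3Packet:
    """Already-decoded packet as observed at the service plane network element."""
    outer_src: str
    outer_dst: str
    gtpu: bool                      # True when a GTP-U tunnel header is present
    inner_src: Optional[str] = None  # IP header carried inside the tunnel, if any
    inner_dst: Optional[str] = None


# Constructed topology (assumptions, not values from the patent).
BASE_STATION_IPS = {ipaddress.ip_address("10.10.1.1"), ipaddress.ip_address("10.10.1.2")}
N3_PORT_IP = ipaddress.ip_address("10.10.2.1")        # N3 side of the service plane network element
UE_POOL = ipaddress.ip_network("10.45.0.0/16")        # addresses assigned to terminals
PUBLIC_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 range standing in for public IPs


def _is_public(addr) -> bool:
    return any(addr in net for net in PUBLIC_NETS)


def classify(pkt: N3Packet) -> Tuple[str, List[str]]:
    """Return (direction, anomalies). An empty anomaly list means the packet matches
    the uplink or downlink shape defined in claims 1 and 6."""
    outer_src = ipaddress.ip_address(pkt.outer_src)
    outer_dst = ipaddress.ip_address(pkt.outer_dst)
    anomalies: List[str] = []

    if pkt.gtpu:
        # Uplink shape: gNB -> N3 port on the outside, terminal -> public IP on the inside.
        if outer_dst != N3_PORT_IP:
            anomalies.append("tunnelled packet not addressed to the N3 port")
        if outer_src not in BASE_STATION_IPS:
            anomalies.append("outer source is not a known base station IP")
        if pkt.inner_src is None or pkt.inner_dst is None:
            anomalies.append("GTP-U payload carries no inner IP header")
            return "uplink", anomalies
        if ipaddress.ip_address(pkt.inner_src) not in UE_POOL:
            anomalies.append("inner source is not an assigned terminal IP")
        if not _is_public(ipaddress.ip_address(pkt.inner_dst)):
            anomalies.append("inner destination is not a public network IP")
        return "uplink", anomalies

    # Untunnelled packet: downlink shape, public IP -> terminal IP.
    if not _is_public(outer_src):
        anomalies.append("downlink source is not a public network IP")
    if outer_dst not in UE_POOL:
        anomalies.append("downlink destination is not an assigned terminal IP")
    return "downlink", anomalies


def summarize(packets: List[N3Packet]) -> dict:
    """Count anomalies by reason over a batch, the view a detection pipeline would keep."""
    counts: dict = {}
    for pkt in packets:
        for reason in classify(pkt)[1]:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic: two well-formed packets and three that break the claimed shape.
SAMPLE_PACKETS = [
    N3Packet("10.10.1.1", "10.10.2.1", True, "10.45.3.7", "203.0.113.20"),   # well-formed uplink
    N3Packet("10.10.9.9", "10.10.2.1", True, "10.45.3.7", "203.0.113.20"),   # outer source is not a gNB
    N3Packet("10.10.1.1", "10.10.2.1", True, "172.16.0.5", "203.0.113.20"),  # inner source outside UE pool
    N3Packet("203.0.113.20", "10.45.3.7", False),                            # well-formed downlink
    N3Packet("10.45.3.7", "10.45.3.8", False),                               # downlink source not public
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(classify(pkt))
    print(summarize(SAMPLE_PACKETS))
```

The rule is deliberately strict about the inner source: a terminal address that is not in the assigned pool is the single most useful indicator that tunnelled traffic was not produced by a real UE, regardless of whether the outer headers look right.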

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910749235.3A CN112398781B (en) 2019-08-14 2019-08-14 Attack testing method, host server and control server

Publications (2)

Publication Number Publication Date
CN112398781A CN112398781A (en) 2021-02-23
CN112398781B true CN112398781B (en) 2022-04-08

Family

ID=74601353

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910749235.3A Active CN112398781B (en) 2019-08-14 2019-08-14 Attack testing method, host server and control server

Country Status (1)

Country Link
CN (1) CN112398781B (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113132349A (en) * 2021-03-12 2021-07-16 中国科学院信息工程研究所 Agent-free cloud platform virtual flow intrusion detection method and device
CN112714138B (en) * 2021-03-29 2021-06-29 北京网测科技有限公司 Test method, device, equipment and storage medium based on attack flow
CN113542029A (en) * 2021-07-19 2021-10-22 凌云天博光电科技股份有限公司 Service stability testing method, system and tool of network equipment
CN114301640B (en) * 2021-12-15 2023-09-01 中电信数智科技有限公司 Attack and defense exercise method and system based on SRv6 network protocol
CN115589335B (en) * 2022-11-25 2023-04-21 北京微步在线科技有限公司 Processing method and system for NTP distributed denial of service attack
CN115604147A (en) * 2022-12-01 2023-01-13 北京安帝科技有限公司(Cn) Industrial control network-based host testing method, device, equipment and computer medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101043384A (en) * 2006-05-25 2007-09-26 华为技术有限公司 System and method for network test
CN101488890A (en) * 2009-01-14 2009-07-22 成都市华为赛门铁克科技有限公司 Method and system for network attack test
CN103997489A (en) * 2014-05-09 2014-08-20 北京神州绿盟信息安全科技股份有限公司 Method and device for recognizing DDoS bot network communication protocol
CN104618895A (en) * 2014-12-29 2015-05-13 京信通信系统(中国)有限公司 Safety communication system based on micro base station
CN106561016A (en) * 2015-11-19 2017-04-12 国网智能电网研究院 DDoS attack detection device and method for SDN controller based on entropy
CN106921612A (en) * 2015-12-24 2017-07-04 阿里巴巴集团控股有限公司 It was found that the method and device of ddos attack
CN109995714A (en) * 2017-12-29 2019-07-09 中移(杭州)信息技术有限公司 A kind of methods, devices and systems for disposing flow

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110138463A1 (en) * 2009-12-07 2011-06-09 Electronics And Telecommunications Research Institute Method and system for ddos traffic detection and traffic mitigation using flow statistics

Also Published As

Publication number Publication date
CN112398781A (en) 2021-02-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant