CN115022036A - Attack traffic generation method and system and network security test system - Google Patents


Info

Publication number
CN115022036A
Authority
CN (China)
Prior art keywords
attack, data, data packet, traffic, behaviors
Legal status
Granted
Application number
CN202210617301.3A
Other languages
Chinese (zh)
Other versions
CN115022036B (en)
Inventor
王梦雨
朱树永
张玉军
Current Assignee
Institute of Computing Technology of CAS
Original Assignee
Institute of Computing Technology of CAS
Legal events
Application filed by Institute of Computing Technology of CAS
Priority to CN202210617301.3A
Publication of CN115022036A
Application granted
Publication of CN115022036B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention provides an attack traffic generation method, which comprises the steps of: obtaining historical attack behaviors and constructing an attack knowledge base based on the parameters of the historical attack behaviors; in response to a test requirement for generating attack traffic data packets, generating a plurality of attack data packet templates based on the attack behavior information contained in the attack model that corresponds to the test requirement in the pre-constructed attack knowledge base, wherein each attack data packet template comprises default data and data to be filled, the default data is configuration data that is irrelevant to the attack and depends on the bottom-layer protocol, and the data to be filled comprises at least the attack load relevant to the attack behavior; and concurrently filling the attack loads into all the generated attack data packet templates. The method and system can therefore flexibly generate, at high speed, large-scale attack traffic whose content changes dynamically, and simulate various common network attack behaviors with higher authenticity.

Description

Attack traffic generation method and system and network security test system
Technical Field
The present invention relates to the field of network communications, and in particular, to the field of network security testing in the field of network communications, and more particularly, to an attack traffic generation method, an attack traffic generation system, and a network security testing system.
Background
In recent years, with the continuous development of internet technology, various systems and devices need to undergo network security testing to evaluate their resistance to network attacks. In the field of network security testing, generating attack traffic to simulate network attack behavior is one of the important testing means and can be used to evaluate the attack resistance of the equipment under test. The main advantages of generating attack traffic for network security testing are strong generalization and support for simulating most network attacks. Technical schemes for generating attack traffic fall mainly into three types: first, generating attack traffic from original attack data packets, constructing new attack traffic by inserting attack data packets into normal traffic or by modifying the original attack data packets; second, constructing attack data packets by interpreting and executing an attack behavior model, where the attack modeling approaches include attack graphs, attack vectors, attack scripts and the like; and third, learning from an original attack data set, using techniques related to generative adversarial networks (GAN) in a machine-learning manner, to generate and discriminate attack features, and then constructing attack traffic for detecting and simulating the attack.
However, the attack traffic generated by the first scheme is limited by the original traffic, so the types of attacks that can be simulated are limited; the attack traffic or attack features generated by the third scheme are produced by an algorithm, so the authenticity and effectiveness of the simulated attack behavior are poor; of the three schemes, the second offers the better test effect in terms of simulatable attack types and attack traffic, but related work on the second scheme is currently constrained by its specific implementation, the generation rate of attack traffic remains limited, and the authenticity and effectiveness of the test are affected. Because traditional attack traffic generation methods and systems cannot support the requirement of generating ultra-large-scale attack traffic at high speed, a new method needs to be designed to improve the attack traffic generation rate.
Disclosure of Invention
The present invention is directed to overcome the above-mentioned drawbacks of the prior art, and provides an attack traffic generation method, an attack traffic generation system, and a network security testing system.
The purpose of the invention is realized by the following technical scheme:
according to a first aspect of the present invention, there is provided an attack traffic packet generation method, including: receiving a test requirement for generating an attack traffic data packet; generating a plurality of attack data packet templates based on attack behavior information contained in an attack model corresponding to a test requirement in a pre-constructed attack knowledge base, wherein the attack knowledge base is constructed based on historical attack behaviors, each attack data packet template comprises default data and data to be filled, the default data is configuration data which is irrelevant to attacks and depends on a bottom layer protocol, and the data to be filled at least comprises attack loads relevant to the attack behaviors; and concurrently filling the attack loads in all the generated attack data packet templates.
In order to improve the timeliness and extensibility of the attack knowledge base, preferably, the attack knowledge base includes a plurality of attack models, each attack model includes an attack database and an attack script file, and is constructed in the following manner: S1, obtaining the parameters of historical attack behaviors from open-source vulnerability databases; S2, analyzing and extracting the parameters of the historical attack behaviors in the open-source vulnerability databases according to a preset data attribute structure to obtain attack information, wherein the attack information comprises basic attack behavior information, key attack behavior attribute information and an attack behavior sequence, and the attack behavior sequence is the chronological sequence of all attack data packets corresponding to the attack behavior; S3, storing the basic attack behavior information of all the attack behaviors into an attack database according to the preset data attribute structure, and performing format conversion on the attack behavior sequences and the key attribute information of all the attack behaviors to obtain an attack script file.
In order to increase the generation rate of the attack traffic, preferably, a plurality of attack data packet templates are generated from the attack behavior information included in the attack model corresponding to the test requirement in the pre-constructed attack knowledge base in the following manner: T1, acquiring the configuration parameters corresponding to the test requirement; T2, acquiring basic attack behavior information from the pre-constructed attack knowledge base according to the configuration parameters corresponding to the test requirement; and T3, generating a standard data packet template corresponding to each attack data packet in the attack behavior sequence according to the acquired basic attack information, to form an attack data packet template sequence.
Preferably, step T3 includes: T31, determining the bottom-layer protocol of the attack traffic according to the acquired basic attack information; and T32, constructing the link-layer, network-layer and transport-layer headers according to the bottom-layer protocol of the attack traffic, filling these headers into each attack data packet template as default data, and pre-filling the fields of the data to be filled in each attack data packet template with 0.
In order to further increase the generation rate of the attack traffic and reduce the overall time of the attack traffic generation method, preferably, the attack loads in all generated attack data packet templates are concurrently filled in the following manner: determining the attack protocol type according to the configuration parameters, and determining, according to the attack protocol type, the offset within the Ethernet frame of each field of the data to be filled in each attack data packet template; and creating a plurality of concurrently executing threads, each of which acquires the attack load corresponding to an attack data packet template from an attack load data set and then fills the attack load into the attack data packet template according to the offset of the field of the data to be filled in the Ethernet frame.
In order to flexibly generate attack traffic with variable content, preferably, the method further includes: creating a shared pointer and associating the shared pointer with the attack payload data set.
Further, all threads access the attack load data set through the shared pointer to obtain the attack load.
According to a second aspect of the present invention, there is provided an attack traffic generation system based on the method of the first aspect of the present invention, the system comprising: the attack information module is used for acquiring historical attack behaviors and constructing an attack knowledge base based on parameters of the historical attack behaviors; the attack knowledge base is used for storing a plurality of pre-constructed attack models, and each attack model comprises attack behavior information; the main control module is used for responding to a test requirement for generating an attack flow data packet, generating a plurality of attack data packet templates based on attack behavior information contained in an attack model corresponding to the test requirement in an attack knowledge base, wherein each attack data packet template comprises default data and data to be filled, the default data is configuration data which is irrelevant to an attack and depends on a bottom layer protocol, the data to be filled at least comprises attack loads relevant to the attack behaviors, and the main control module is used for concurrently filling the attack loads in all the generated attack data packet templates.
According to a third aspect of the present invention, there is provided a network security testing system for generating attack traffic packets to perform security testing on a target device, the system comprising: the attack traffic generation system according to the second aspect of the present invention, configured to generate attack traffic; a DPDK unit for providing an interface for sending attack traffic data packets to the target device; and a packet assembly module for receiving the attack traffic, generating attack data packets, and calling the interface in the DPDK unit corresponding to the attack data packets to send them to the target device.
In order to improve the operability of the network security testing system, the network security testing system further comprises: and the front-end interface is used for providing an operation interface for a user to issue a configuration instruction and a test requirement to the attack traffic generation system.
According to the invention, the attack behavior is described by constructing the attack knowledge base, so that the applicability of data corresponding to the attack behavior can be improved, data support is further provided for the generation of the attack flow data packet, and data support can be provided for the subsequent concurrent filling of the attack load. The invention can improve the generation rate of the attack traffic by filling the attack load in batch. Therefore, the method and the system can generate the attack flow of large-scale content dynamic change at high speed and flexibly, and simulate various common network attack behaviors with higher authenticity, thereby supporting the safety test of systems and equipment under different network environments such as the traditional internet, the industrial internet, the mobile internet and the like.
Drawings
Embodiments of the invention are further described below with reference to the accompanying drawings, in which:
fig. 1 is a schematic flow chart of an attack traffic generation method according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of a construction process of an attack knowledge base according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of an attack traffic generation system according to an embodiment of the present invention;
FIG. 4 is a block diagram of a network security test system according to an embodiment of the present invention;
fig. 5 is a schematic diagram of a network security testing system according to another embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is further described in detail by the following embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As mentioned in the background section, the second technical solution for generating the attack traffic (generating the attack traffic by constructing the attack data packet based on the interpretation and execution of the attack behavior model) is affected by the specific implementation manner, and the problems of limited generation rate of the attack traffic and the like still exist, which affect the authenticity and effectiveness of the test. In order to solve the above problem, the present invention provides an attack traffic generation method, as shown in fig. 1, the method uses a scheme that at least includes constructing an attack knowledge base (attack behavior modeling), generating a plurality of attack data packet templates corresponding to test requirements, and concurrently filling attack loads in all generated attack data packet templates to generate attack traffic. Specifically, the attack traffic generation method of the present invention includes the steps of: receiving a test requirement for generating an attack traffic data packet, and generating a plurality of attack data packet templates based on attack behavior information contained in an attack model corresponding to the test requirement in a pre-constructed attack knowledge base, wherein the attack knowledge base is constructed based on historical attack behaviors, each attack data packet template comprises default data and data to be filled, the default data is configuration data which is irrelevant to an attack and depends on a bottom layer protocol, and the data to be filled at least comprises an attack load relevant to the attack behavior; and then, concurrently filling the attack loads in all the generated attack data packet templates to obtain the attack traffic corresponding to the test requirement. The invention constructs the attack knowledge base in advance before executing the generation of the traffic so as to provide data support for constructing the attack data packet template. 
After the attack knowledge base is constructed, according to the test requirements and the attack models in the attack knowledge base, a plurality of attack data packet templates corresponding to the test requirements and relevant to attack behaviors are generated, and then attack loads in all the generated attack data packet templates are filled in a concurrent mode. The following is a detailed description of the construction of the attack knowledge base, the construction of the attack data packet template, and the generation of the attack traffic, respectively, in conjunction with a specific embodiment.
First, construction of attack knowledge base
The attack knowledge base is constructed by acquiring historical attack behaviors and constructing the attack knowledge base based on parameters of the historical attack behaviors. According to an embodiment of the present invention, as shown in fig. 2, the present invention implements a construction method of an attack knowledge base by performing steps S1, S2, S3, each of which is described in detail below:
In step S1, the parameters of historical attack behaviors are obtained from open-source vulnerability databases. According to one embodiment of the invention, the parameters of the historical attack behaviors are obtained as follows: the home page URLs of mainstream vulnerability databases are obtained, such as the National Vulnerability Database (NVD), the China National Vulnerability Database of Information Security (CNNVD), the CVE vulnerability list, the Open Source Vulnerability Database (OSVDB) and the Exploit-DB submission platform used by security researchers worldwide; a batch target page list is then generated from each home page URL by analyzing how the home page URL relates to the URLs of the vulnerability information pages. In this embodiment the target page list is preferably a list of vulnerability information page URLs. According to an embodiment of the invention, a vulnerability information page URL of the Exploit-DB database is first entered into the browser (the listing at https://www.exploit-db.com/remote/ with its order_by query parameter); the trailing page-number parameter in the URL is then modified to generate the list of vulnerability information page URLs in batch; a mapping between the preset data attribute structure and the parameters of historical attack behaviors is then established using the HTML code; finally, the page code of each URL in the vulnerability information page URL list is crawled automatically with the browser's developer tools, and the corresponding page content is parsed to obtain the key tag contents, such as the attack category and related identifiers.
In step S2, analyzing and extracting parameters of historical attack behaviors in the open source vulnerability database according to a preset data attribute structure to obtain attack information, where the attack information includes basic attack behavior information, key attack behavior attribute information, and an attack behavior sequence, and the attack behavior sequence is a sequence of all attack data packets corresponding to the attack behaviors in a time sequence;
in step S3, the basic information of the attack behavior corresponding to all the attack behaviors is stored in the attack database according to the preset data attribute structure, and the attack behavior sequence corresponding to all the attack behaviors and the key attribute information of all the attack behaviors are subjected to format conversion to obtain the attack script file. According to one embodiment of the invention, the attack information is obtained by analyzing and extracting the parameters of the historical attack behavior according to a preset data attribute structure in the following way: the method comprises the steps of extracting key tag content in page content by adopting a Beautiful Soup library, and then recording a corresponding attack behavior sequence in the page content by using an xml file, wherein the Beautiful Soup library is an effective means for analyzing HTML codes, and the HTML codes can be searched according to a preset data attribute structure to obtain the key tag content. 
Each step is described in detail below: firstly, crawling a webpage corresponding to the historical attack behavior obtained in the step S1 by using a Beautiful Soup library of python to obtain page content, and analyzing and extracting according to a preset data attribute structure to obtain attack information, wherein the preset data attribute structure comprises an attack behavior basic attribute, an attack behavior key attribute and an attack behavior sequence attribute, the attack information comprises the attack behavior basic information, the attack behavior key attribute information and an attack behavior sequence, and the attack behavior sequence is a sequence of all attack data packets corresponding to the attack behavior in a time sequence and is used for describing a data packet interaction condition in an attack process; secondly, storing key attribute information such as attack names, protocol types, attack loads, attack launching modes and the like under different tags respectively for calling; furthermore, the sequence of attack behaviors is described using a scripting language and stored in a CDATA section that is not parsed by the xml parser. Thus, a model for describing the attack, namely an attack knowledge base is constructed.
In summary, the invention uses the preset data attribute structure to describe the attack to form the attack knowledge base, the attack knowledge base is composed of the database and the xml attack script file stored on the disk in form, the basic information of the attack behavior is recorded in the database, the xml attack script file records the attack behavior sequence and all the key attribute information of the attack behavior, and the actual interactive process of the network attack can be simulated by explaining and executing the xml attack script file. The main reason for describing the network attack behavior by using the XML language is that the flexible data structure can be conveniently transferred, and the applicability of the attack behavior and the expandability of the knowledge base can be improved. When network attack is simulated, the flow in the attack interaction process can be generated by explaining and executing the attack knowledge base, and the method can adapt to the actual situation that objective requirements of customized design attack test cases exist and new varieties of attack behaviors continuously appear under diversified network security test scenes.
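As an added illustration of the attack model layout described above (not the patent's own code): a constructed xml attack script whose key attributes sit under tags and whose behavior sequence sits in a CDATA section, loaded together with the basic-information record that the database would hold. The tag names, the line format of the sequence script and the use of SHA-256 as the hash index value are assumptions.

```python
"""Load one attack model (database record + xml attack script) of the kind the
description above calls an attack knowledge base.

Added illustration, not code from the patent. The tag names, the per-line
format of the behaviour sequence and SHA-256 as the "hash index value" are
assumptions; the script below is a constructed sample.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample script. Key attributes live under <attribute> tags; the
# behaviour sequence is written in a small line-oriented script language and
# kept inside a CDATA section so the xml parser leaves it verbatim (note the
# unescaped '<' and '&&' in it, which would be illegal outside CDATA).
SAMPLE_SCRIPT = """<attack>
  <attribute key="attack_name">dns-query-flood</attribute>
  <attribute key="protocol_type">udp/53</attribute>
  <attribute key="launch_mode">direct</attribute>
  <attribute key="payload_set">dictionaries/domains.txt</attribute>
  <sequence><![CDATA[
# seq,direction,protocol,fill_field   (lines starting with '#' are comments)
1,client->server,dns,qname
2,client->server,dns,qname
# repeat while rate < max_rate && duration not elapsed
]]></sequence>
</attack>
"""


def parse_sequence(text: str) -> list:
    """Turn the CDATA script into the ordered list of packets that make up the
    attack behaviour sequence (one dict per packet, in chronological order)."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        seq, direction, proto, field = (p.strip() for p in line.split(","))
        packets.append({"seq": int(seq), "direction": direction,
                        "protocol": proto, "fill_field": field})
    if [p["seq"] for p in packets] != list(range(1, len(packets) + 1)):
        raise ValueError("behaviour sequence must be numbered 1..n without gaps")
    return packets


def load_attack_model(script_xml: str, script_path: str) -> dict:
    """Build the attack model: the basic-information record that goes into the
    attack database, plus the key attributes and the sequence from the script."""
    root = ET.fromstring(script_xml)
    attrs = {a.get("key"): (a.text or "").strip() for a in root.findall("attribute")}
    seq_node = root.find("sequence")
    if seq_node is None or not attrs.get("attack_name"):
        raise ValueError("script lacks a <sequence> or an attack_name attribute")
    raw_sequence = seq_node.text or ""
    database_record = {
        "attack_name": attrs["attack_name"],
        "protocol_type": attrs.get("protocol_type", ""),
        # hash index over the script file content (assumed: SHA-256 hex digest)
        "hash_index": hashlib.sha256(script_xml.encode("utf-8")).hexdigest(),
        "script_path": script_path,
    }
    return {"database_record": database_record, "key_attributes": attrs,
            "raw_sequence": raw_sequence, "sequence": parse_sequence(raw_sequence)}


if __name__ == "__main__":
    model = load_attack_model(SAMPLE_SCRIPT, "scripts/dns-query-flood.xml")
    print(model["database_record"])
    for packet in model["sequence"]:
        print(packet)
```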
Second, construction of attack data packet template
The invention mainly generates a plurality of attack data packet templates from the attack behavior information contained in the attack model corresponding to the test requirement in the pre-constructed attack knowledge base. According to one embodiment of the invention, a plurality of attack data packet templates are generated as follows: T1, acquiring the configuration parameters corresponding to the test requirement, where the configuration parameters include the attack traffic generation duration, the maximum rate, the attack type and the like; T2, acquiring basic attack behavior information from the pre-constructed attack knowledge base according to the configuration parameters corresponding to the test requirement; and T3, generating a standard data packet template corresponding to each attack data packet in the attack behavior sequence according to the acquired basic attack information, to form an attack data packet template sequence. Specifically, the basic attack behavior information is read from the attack knowledge base according to the configuration parameters corresponding to the test requirement, and the attack load and the attack behavior sequence stored in the CDATA section of the xml attack script file are extracted; then the sending order of the attack data packets and the data volume of each attack data packet during the attack interaction are determined from the attack behavior sequence, and the order and number of the attack data packet templates are determined from those attack data packets to form an attack data packet template sequence, where an attack data packet template is a set of prior knowledge that comprises the protocol headers and the data to be filled.
According to an embodiment of the present invention, step T3 includes the following steps: T31, determining the bottom-layer protocol of the attack traffic according to the acquired basic attack information; and T32, constructing the link-layer, network-layer and transport-layer headers according to the bottom-layer protocol of the attack traffic, filling these headers into each attack data packet template as default data (such as the IP version, TTL and flag bits), and pre-filling the fields of the data to be filled in each attack data packet template with 0.
Third, generation of attack flow
The invention generates attack traffic at high speed mainly by concurrently filling the attack loads into all generated attack data packet templates. According to one embodiment of the invention, attack traffic is generated as follows: the attack protocol type is determined from the configuration parameters, and the offset within the Ethernet frame of each field of the data to be filled in each attack data packet template is determined from the attack protocol type; specifically, the offset of a to-be-filled field in the Ethernet frame is the distance from the start of the protocol header that contains the field to the field itself, plus the lengths of the headers of all lower-layer protocols beneath that header. A plurality of concurrently executing threads are then created; each obtains the attack load corresponding to an attack data packet template from the attack load data set and fills it into the template according to the offset of the to-be-filled field in the Ethernet frame, each attack data packet template being dispatched as a task to one of the created threads so that different attack loads are filled.
It should be noted that the computational complexity of generating attack traffic from attack data packet templates is far lower than that of layer-by-layer packet assembly in the kernel protocol stack, so the time consumed is extremely short; the to-be-filled fields account for a small proportion of the attack data packet template, and computing their offsets in advance further reduces the computational overhead. The attack traffic generation of the invention therefore has a small overall time cost and achieves high-speed generation of attack traffic.
Optionally, after the data packet is constructed, an API interface of a Data Plane Development Kit (DPDK) is called to transmit the data packet to the network card.
Further, in order to flexibly generate attack traffic with variable content, the attack traffic generation method further includes: creating a shared pointer to a memory region that stores the attack load data set; all threads access the attack load data set through the shared pointer to obtain attack loads. Specifically, the attack load data set is stored in a set format and the shared pointer points to its storage area; a plurality of worker threads are created, each of which obtains an attack load from the storage area through the shared pointer and stores it into the to-be-filled data field of an attack data packet template. The attack load data set is stored as a line-delimited dictionary file and is prefetched into memory before the attack traffic is generated; the content of the attack load depends on the specific attack category. Taking a DNS query flooding attack as an example, the attack load data set is the Alexa top 1 million (top100W) popular domain name list. A plurality of threads are created to execute the attack packet generation task, and thread affinity is set with the pthread_setaffinity_np() function so that each thread is bound to its own core, reducing context-switching overhead. To flexibly generate attack traffic with variable content, the method fills variable attack loads in batches from shared memory during packet construction: a thread uses the shared pointer to access an attack load prefetched from disk into memory and fills it into the data packet template, then advances the pointer according to a set rule so that the shared pointer points to new load content.
When other threads use the shared pointer to access, the read attack load content is correspondingly changed due to the fact that the pointed position of the shared pointer is changed, and therefore overall dynamic change of the flow content is achieved. When the pointer points to the end of the shared memory area, the pointer automatically jumps to the initial position of the shared memory, and the generation of the attack data packets can be continuously carried out under the condition that the quantity of the attack load information is smaller than that of the data packets to be generated. In addition, considering the possible conflict situation that a plurality of threads move the shared pointer at the same time, the invention ensures the atomicity of the movement of the shared pointer through the mutual exclusion lock. In order to reduce the waiting time of other threads, after the current thread acquires the attack load, the pointer is firstly moved and the lock is released, and then the attack load is filled into the data packet according to the offset, so that the use right of the pointer can be acquired by other threads in the shortest time, and the overall execution efficiency is improved.
According to an embodiment of the present invention, there is provided an attack traffic generation system, referring to fig. 3, the system including: the system comprises a main control module, an attack information module and an attack knowledge base. The attack information module is used for acquiring historical attack behaviors and constructing an attack knowledge base based on parameters of the historical attack behaviors; the attack knowledge base is used for storing a plurality of pre-constructed attack models, and each attack model comprises attack behavior information; the main control module is used for responding to a test requirement for generating an attack flow data packet, and generating a plurality of attack data packet templates based on attack behavior information contained in an attack model corresponding to the test requirement in a pre-constructed attack knowledge base, wherein each attack data packet template comprises default data and data to be filled, the default data is configuration data which is irrelevant to an attack and depends on a bottom layer protocol, the data to be filled at least comprises attack loads relevant to an attack behavior, and the main control module is used for concurrently filling the attack loads in all generated attack data packet templates.
According to an embodiment of the present invention, a network security testing system is provided for generating attack traffic packets to perform security testing on a target device; referring to fig. 4, the system comprises the attack traffic generation system, a DPDK unit and a packet assembly module. The attack traffic generation system generates the attack traffic; the DPDK unit provides the interface through which attack traffic data packets are sent to the target device; and the packet assembly module receives the attack traffic, assembles the attack data packets and calls the corresponding interface of the DPDK unit to send them to the target device.
According to an embodiment of the present invention, referring to fig. 5, the network security testing system further comprises a front-end interface, which provides the operating interface through which a user issues configuration instructions and test requirements to the attack traffic generation system.
The process of generating attack traffic with the method of the present invention is described below, taking the generation of DNS query flooding attack traffic as an example. The method mainly comprises the following steps:
Step 1) establish a DNS query flooding attack model: record the basic information of the attack (attack name, attack type, keywords, reference information, hash index value, script file path, etc.) in the database of the attack knowledge base; store key attributes such as the attack name, protocol type and attack launching mode in an xml attack script file in the attack knowledge base, and describe the attack behavior sequence of the DNS query flooding attack in the script language;
Step 2) generate the DNS query flooding attack data packet template from the attack behavior sequence of step 1: create a preset message template and fill in the header default data, load the attack payload data set (the Alexa top-1M (top100W) domain name list) into shared memory, compute the offset within the Ethernet frame of the field of the DNS query template that is to be filled, create a plurality of threads that each read a payload and fill it in, and finally call the DPDK interface to transmit the packets.
The implementation of this example is described in detail below. First, the DNS query flooding attack behaviors are acquired and an attack model is constructed from their parameters; optionally, the DNS query flooding attack parameters (shown in Table 1) are stored in a MySQL relational database, and the key attributes and attack behavior sequence of the attack are then described in an xml attack script file, which together form the attack knowledge base. The attack action of a DNS query flooding attack is a single step: one DNS query request packet is sent repeatedly in a loop.
Table 1 Parameters of the DNS query flooding attack (the table is an image in the original page and its contents are not reproduced here)
After the user issues a configuration instruction for generating DNS query flooding attack traffic through the front-end interface, the attack traffic generation system first reads the attack information related to the DNS query flooding attack from the attack database and the attack behavior sequence from the xml attack script file, and then creates a task queue (the attack data packet template sequence) for generating the attack data packets. Since the attack action of a DNS query flooding attack is a single step, the task queue contains only one task, which generates the DNS query attack packet. The packet generation task is executed in the following steps:
1) create a preset DNS query message template and fill its default data into the header fields of each layer of the underlying TCP/IP protocol stack; these fields hold static data such as the destination IP address, port numbers and TTL (time to live);
2) load the domain name data set, which serves as the attack payload data set of the DNS query flooding attack, into shared memory and define a shared pointer to the region of shared memory;
3) compute the offset within the Ethernet frame of the query domain name (QNAME) field of the preset DNS query message template; the offset is the sum of the Ethernet header length, the IP header length, the UDP header length and the DNS header length (14 + 20 + 8 + 12 = 54 bytes for IPv4 without options);
4) create a plurality of threads, set their affinity with pthread_setaffinity_np() and bind each thread to its own CPU core;
5) in each thread, perform the following operations in order:
a) read a domain name from the domain name data set through the shared pointer to the shared memory region;
b) move the shared pointer forward by the preset step so that it points to the next domain name in the data set;
c) copy the domain name read in step a) into the domain name query field of the DNS message at the offset computed in step 3), giving a complete DNS query packet;
6) call the rte_eth_tx_burst() interface of DPDK to hand the packet to the network card for transmission.
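The packet-building side of steps 1), 3) and 5c), as an added example rather than the patent's own code: the attack-independent headers are written once into a template, the QNAME offset is derived from the four header lengths, and each per-packet fill writes the DNS-encoded domain name at that offset together with the length and checksum fields that depend on it. MAC addresses, the RFC 5737 test-net IP addresses, the source port and the sample domain names are constructed placeholders; the DPDK transmit step is omitted so the code runs anywhere.

```c
/* Added example, not the patent's code: a DNS query packet template. The
 * attack-independent header data (Ethernet, IPv4, UDP, DNS header) is written
 * once; per packet only the QNAME at the precomputed offset plus the length
 * and checksum fields that depend on it are rewritten. MAC/IP addresses,
 * ports and domain names are constructed placeholders (RFC 5737 test net). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HLEN 14
#define IP_HLEN  20                  /* IPv4 header without options */
#define UDP_HLEN 8
#define DNS_HLEN 12
#define QNAME_OFFSET (ETH_HLEN + IP_HLEN + UDP_HLEN + DNS_HLEN)   /* = 54 */
#define MAX_FRAME 256

static uint8_t frame[MAX_FRAME];     /* the template; fill_query() writes into it */

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Standard IPv4 header checksum: ones' complement of the ones' complement sum. */
uint16_t ipv4_checksum(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2) sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    if (len & 1) sum += (uint32_t)h[len - 1] << 8;
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Step 1: default data, i.e. everything that does not depend on the payload. */
size_t build_template(void)
{
    static const uint8_t dst_mac[6] = {0x02,0,0,0,0,0x01}, src_mac[6] = {0x02,0,0,0,0,0x02};
    static const uint8_t src_ip[4] = {192,0,2,10}, dst_ip[4] = {192,0,2,53};
    uint8_t *ip = frame + ETH_HLEN, *udp = ip + IP_HLEN, *dns = udp + UDP_HLEN;
    memset(frame, 0, sizeof frame);
    memcpy(frame, dst_mac, 6); memcpy(frame + 6, src_mac, 6);
    put16(frame + 12, 0x0800);       /* EtherType IPv4 */
    ip[0] = 0x45;                    /* version 4, IHL 5 */
    ip[8] = 64;                      /* TTL */
    ip[9] = 17;                      /* protocol UDP */
    memcpy(ip + 12, src_ip, 4); memcpy(ip + 16, dst_ip, 4);
    put16(udp, 40000); put16(udp + 2, 53);   /* source port, destination port 53 */
    put16(dns + 2, 0x0100);          /* flags: recursion desired */
    put16(dns + 4, 1);               /* QDCOUNT = 1 */
    return QNAME_OFFSET;             /* offset at which per-packet data starts */
}

/* Encode "www.example.com" as DNS labels: 3 w w w 7 e x a m p l e 3 c o m 0.
 * Returns bytes written, or 0 for an empty or over-long label or no room. */
size_t encode_qname(const char *name, uint8_t *out, size_t cap)
{
    size_t o = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || o + 1 + lab >= cap) return 0;
        out[o++] = (uint8_t)lab;
        memcpy(out + o, name, lab);
        o += lab;
        name += lab + (dot ? 1 : 0);
    }
    if (o == 0 || o >= cap) return 0;
    out[o++] = 0;                    /* root label terminates the name */
    return o;
}

/* Steps 3 and 5c: write the QNAME at QNAME_OFFSET, then the fields that depend
 * on its length. Returns the total frame length, or 0 if the name is invalid. */
size_t fill_query(const char *domain, uint16_t txid)
{
    uint8_t *ip = frame + ETH_HLEN, *udp = ip + IP_HLEN, *dns = udp + UDP_HLEN;
    uint8_t *q = frame + QNAME_OFFSET;
    size_t n = encode_qname(domain, q, MAX_FRAME - QNAME_OFFSET - 4);
    if (n == 0) return 0;
    put16(q + n, 1); put16(q + n + 2, 1);          /* QTYPE A, QCLASS IN */
    size_t dns_len = DNS_HLEN + n + 4;
    put16(dns, txid);                              /* transaction ID */
    put16(udp + 4, (uint16_t)(UDP_HLEN + dns_len)); /* UDP length; checksum 0 = none (IPv4) */
    put16(ip + 2, (uint16_t)(IP_HLEN + UDP_HLEN + dns_len)); /* IP total length */
    put16(ip + 10, 0);
    put16(ip + 10, ipv4_checksum(ip, IP_HLEN));
    return QNAME_OFFSET + n + 4;
}

const uint8_t *frame_bytes(void) { return frame; }

int main(void)
{
    const char *names[] = { "www.example.com", "example.net" };  /* constructed dataset */
    build_template();
    for (size_t i = 0; i < 2; i++) {
        size_t len = fill_query(names[i], (uint16_t)(0x1000 + i));
        printf("%s -> frame of %zu bytes, QNAME at offset %d\n", names[i], len, QNAME_OFFSET);
    }
    return 0;
}
```

Because the QNAME is variable-length, the UDP length, IP total length and IP header checksum cannot be part of the static default data and have to be rewritten on every fill; a generator that only overwrites the domain name at offset 54 and leaves those fields from the template would emit frames that the target's IP stack drops before they reach the resolver.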
After the DNS query flooding attack traffic generation system starts generating traffic, packets are captured with tcpdump on the server under test, the captured packets are counted, and their contents are analyzed with Wireshark. The capture duration set for tcpdump is 10 s (covering the packets received by the filter and by the network card). The count of captured packets is: the network card received 12,993,392 packets ("packets received by filter"), 69,831,921 packets were dropped because of limited processing capacity ("packets dropped by interface"), for a total of 82,825,313 packets, i.e. an average attack rate of about 8.28 million packets per second. Analysis of the captured packet contents (source and destination IP addresses, protocol type, packet length and payload) shows that the query domain name in the DNS query packets changes dynamically. Counting the captured packets and analyzing their contents thus verifies both the high-speed generation capability of the attack traffic system and the flexibility of the generated traffic.
In this DNS query flooding example, therefore, the method generates DNS query flooding attack traffic with dynamically changing domain names at high speed, and the traffic can be used to test the resistance of a DNS server to DDoS attacks.
It should be noted that although the present invention has been described by way of preferred embodiments, the present invention is not limited to the embodiments described herein, and includes various changes and modifications made without departing from the scope of the present invention.
Although the steps are described above in a particular order, it is not meant that the steps must be performed in the particular order described, and in fact some of the steps may be performed concurrently, even in varying orders, so long as the desired functionality is achieved.
The present invention may be a system, method and/or computer program product. The computer program product may include a computer-readable storage medium having computer-readable program instructions embodied therewith for causing a processor to implement various aspects of the present invention.
The computer readable storage medium may be a tangible device that retains and stores instructions for use by an instruction execution device. The computer readable storage medium may include, for example, but is not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a Static Random Access Memory (SRAM), a portable compact disc read-only memory (CD-ROM), a Digital Versatile Disc (DVD), a memory stick, a floppy disk, a mechanical coding device, such as punch cards or in-groove projection structures having instructions stored thereon, and any suitable combination of the foregoing.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (12)

1. A method for generating attack traffic, the method comprising:
receiving a test requirement for generating an attack traffic data packet;
generating a plurality of attack data packet templates based on attack behavior information contained in an attack model corresponding to a test requirement in a pre-constructed attack knowledge base, wherein the attack knowledge base is constructed based on historical attack behaviors, each attack data packet template comprises default data and data to be filled, the default data is configuration data which is irrelevant to attacks and depends on a bottom layer protocol, and the data to be filled at least comprises attack load relevant to the attack behaviors;
and concurrently filling the attack loads in all the generated attack data packet templates.
2. The method of claim 1, wherein the attack knowledge base comprises a plurality of attack models, each attack model comprises an attack database and an attack script file, and an attack model is constructed by:
S1, obtaining parameters of historical attack behaviors from an open source vulnerability database;
S2, analyzing the parameters of the historical attack behaviors in the open source vulnerability database according to a preset data attribute structure to extract attack information, wherein the attack information comprises basic attack behavior information, key attack behavior attribute information and an attack behavior sequence, the attack behavior sequence being the sequence, in time order, of all attack data packets corresponding to the attack behavior;
S3, storing the basic attack behavior information of all attack behaviors in the attack database according to the preset data attribute structure, and converting the attack behavior sequences and key attribute information of all attack behaviors into the format of the attack script file.
3. The method according to claim 2, wherein the plurality of attack data packet templates are generated based on the attack behavior information contained in the attack model corresponding to the test requirement in the pre-constructed attack knowledge base in the following manner:
T1, acquiring configuration parameters corresponding to the test requirement;
T2, acquiring basic attack behavior information from the pre-constructed attack knowledge base according to the configuration parameters corresponding to the test requirement;
T3, generating a standard data packet template for each attack data packet in the attack behavior sequence according to the acquired basic attack information, so as to form an attack data packet template sequence.
4. The method according to claim 3, wherein step T3 comprises:
T31, determining the underlying protocol of the attack traffic from the acquired basic attack information;
T32, constructing the link-layer, network-layer and transport-layer headers according to the underlying protocol of the attack traffic, filling them into each attack data packet template as default data, and pre-filling the fields of the data to be filled in each attack data packet template with 0.
5. The method of claim 4, wherein the attack payload is concurrently filled into all generated attack data packet templates by:
determining the attack protocol type from the configuration parameters and, from the attack protocol type, the offset within the Ethernet frame of each field of the data to be filled in each attack data packet template;
creating a plurality of concurrently executing threads, each of which obtains from the attack payload data set the attack payload corresponding to an attack data packet template and fills it into that template at the offset of the field to be filled within the Ethernet frame.
6. The method of claim 5, further comprising:
a shared pointer is created that points to the memory area in which the attack payload data set is stored.
7. The method of claim 6, wherein all threads obtain the attack payload by accessing the attack payload data set through the shared pointer.
8. An attack traffic generation system for carrying out the method according to any one of claims 1-7, characterized in that the system comprises:
an attack information module, configured to acquire historical attack behaviors and construct an attack knowledge base from the parameters of the historical attack behaviors;
the attack knowledge base, configured to store a plurality of pre-constructed attack models, each attack model comprising attack behavior information; and
a main control module, configured to respond to a test requirement for generating attack traffic data packets by generating a plurality of attack data packet templates based on the attack behavior information contained in the attack model corresponding to the test requirement in the pre-constructed attack knowledge base, each attack data packet template comprising default data and data to be filled, the default data being attack-independent configuration data determined by the underlying protocol and the data to be filled comprising at least the attack payload associated with the attack behavior, and to fill the attack payload into all generated attack data packet templates concurrently.
9. A network security test system for generating attack traffic packets to perform security tests on target devices, the system comprising:
the attack traffic generating system according to claim 8, for generating attack traffic;
the DPDK unit is used for providing an interface for sending an attack traffic data packet to the target equipment;
a packet assembly module, configured to receive the attack traffic, assemble the attack data packets and call the interface of the DPDK unit corresponding to each attack data packet to send it to the target device.
10. The network security test system of claim 9, further comprising:
and the front-end interface is used for providing an operation interface for a user to issue a configuration instruction and a test requirement to the attack traffic generation system.
11. A computer-readable storage medium, having stored thereon a computer program executable by a processor for performing the steps of the method of any one of claims 1 to 7.
12. An electronic device, comprising:
one or more processors;
storage means for storing one or more programs which, when executed by the one or more processors, cause the electronic device to carry out the steps of the method according to any one of claims 1 to 7.
CN202210617301.3A 2022-06-01 2022-06-01 Attack traffic generation method and system and network security test system Active CN115022036B (en)

Publications (2)

Publication Number Publication Date
CN115022036A true CN115022036A (en) 2022-09-06
CN115022036B CN115022036B (en) 2023-04-07

Family

ID=83073611

Country Status (1)

Country Link
CN (1) CN115022036B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant