DDoS攻击过程特征提取详解

1、DDoS攻击过程特征提取详解1渗透扫描先进行IP扫描，看哪些IP是存活的，再进行端口扫描提取出来的计算特征：（1）目的IP点分格式时四个域的标准差分布（2）目的IP十进制时相邻IP的差值是否相等（3）当前源IP对应所有目标IP的中位数（4）当前源IP对应所有目标IP的平均值（5）目的IP点分格式时的差分特征（6）当前源和目的IP对应所有目的端口的平均值（7）当前源和目的IP对应所有目的端口的中位数（8）具体的ACK、SYN、FIN扫描方式等用具体的标志位判断（9）异常流量检测（针对随机生成的）（10）IP包头检测（针对特定字段）（11）当前源IP单位时间内的发包数量（12）单位时间当前源IP对

2、应的所有目的IP的数量（13）单位时间下行流量（14）单位时间下行数据包数量1.1IP扫描特征iiiip扫描总特征ip扫描（单一扫描源）时ip的分布特征为一对多，源ip固定，目的ip特征如下:（1）目的IP随机生成；（2）目的IP逐个递增；（3）目的IP集中在某一片网络区域；（4）目的IP点分格式时呈现特殊格式，如相邻域之间的差值相等；（5）端口分布通过端口扫描特征部分分析；（6）异常的IP包头(HeaderLength和IPOptions)；（7）IP头中设置无效错误的字段值；8)Icmp.type=8的扫描；1.2端口扫描特征1.2.1端口扫描总特征：当确定该IP被扫描后，根据具体的协议再

3、分析oTCP扫描根据FIN、SYN、ACK等标志位的值确定扫描类型，UDP扫描根据UDP扫描的特征确定。（1）目的端口随机生成；（2）目的端口逐渐递增。1.2.2 TCPACK扫描特征:4 21.211016-U93l3j6E.0I.関5 21.213059.192.15B.0.95192.165力.1射1192.165.0.193192.163.0.195192.168.0.1&3TCPTCPTCPTCPM汨弓的f119ACK名鬥1Ark-lUln-10-24S33B5B3弋d43flCKS&l-lfick-lH"-l脱血Len-038563虫21i-CK5eq-l

4、fek-1Win-1024Len-021.21313A.192.168.0.9521.213171-1*92.166.0.$554dB5阳*30虹KSeq-1iXck-1Min-1024-Len-6r21.212.20a_192.0.95TCPS4aesisaf11A£KS«q-1ilck-1Min-19J4Lan-321.ZU23&.1-32.156.9,55l?Z,16S,9,lffiTCP3B5B3*25ACK5eq-lArCk-1W5.n-1®24Len-6W21.2132tG»192.16S.9.951?2.165.0.15TCP535

5、33*smkktsq-iak-iwm-1021Len-s1121.2133M192.1E.0.95192.163.0.10-5TCP岀3B5B3*g站iKKSeq-：1Ajck-1Win-1&24Len-0T121.113332-192.Ifi6.0.95192.16S.a.lB3TCP5436563*139ACKSBq=lArk=lHln=lftJ4L»n=013192.166.0.SGisn.i&s.e.iaaTCPS4*125iKtSeq-1Ark-lUin-124Lon胡14H.213W8.a152.16S.I»nl»192.168.0.5

6、5TCPM110"3S5B3R5I5eq>lHIMLen-fi11521.213W.292.168.0.103152.168.0.95TCPS0事弼闢3R5TT5d-l耳in岬Len«&1lb31.213927-152.J6B.0.103192.168.0.95TCP443*3B5B3RSrSeq-1tfin-0Len-011721.213927-192.163.0.95TCP21-33533|RSTS4q=lN>in=a<Lm曲LIfi21.112517-1S246S.站TCP32-站的工RiT3qlWln-ftLn&19H.213927

7、-lS2.16S.B.lffii192.IM.0.515TCP25*却闘E刘j5eflWln-ftLen-fl20-21.213927.192.36B.0.103192.163.0.95TCPE4亠3S5S3站口Seq-1厢旷®Len-0-2121.213927-112.36.0.103192.168.9.95TCP64993*38583RSFSeq-1bHn-9Leh-02221.21JaKi_1牡1£8血诵192.168.9.95TCP129*asssaRsrsoq-iyin-eLan-Q132,Z133Z71321阴乳1旳TCP135*365B3H5r5eq-lKln

8、-9Len-61）源端口固定；2）目的端口随机生成；3）ACK字段为1，其余为0.1.2.3 TCPFIN扫描特征:25K-333jW_ig2.i6E.e_952£333261-192.166.0-9527S3-3羽加九L92.16B.S.95為25-333320192.16&._95152.168.0.103192.163.0.103192.163-0.1031S2.168-0.103192.168.0.103192.168,6.103192.16fl.0.103192.168.0.103TCPTCPTCPTCPTffTCPTCPTCP545644-443FIN“q=lWi

9、n=1024L&n=fl545£4£4-f554FIN5eq-lWin-li324Len-0545644-23Flfl5eq-lHin-1G24Len-054564«4-1025FINSaq-1Wirr-102JLen-B5i564W-SS88FlhlJSeq-1kln-1024L的D5456464*995FINSeq-1Wln-1024Len-545644-FINJScq=lkin=1024Lnn=0545t454-25FIMSaq=lHin=3024Lan=0K29J193摄L5029-B33913129-333423_.32M_S33455_192.

10、168.10-95192.16B.eB95192.166.6.951g2.i6E.e_953329_3334&6_192.166.0_95192.-16H.0.103TCP545C4S4-*2KFillJSieq-1Win-1024Lrn-0M29_3335LBmL91.1GS.B.95192.168-0.103TCP54564«4-110FINUln-124.Len-035291935&&.192.168.0-95192.168.0.103Tff5i564Wf587FINWln-1024Len-flM29却ML-192.168.0=95192.168,0.1

11、03TCP5456464+H3FINSeq-1Win坤24len-037m.lEB.0.95192.168,0.103TCP545t4S4*9彌FIN|Seq-1bdn-192Len-033?9-333fi45192.166.0-95192.16B.0.103TCP545454-+S0FIT1Saq=lriin=l&24Lan=e3929-33365-L192.166.0-103192.16B.0.95TCP60554-55464ItST,A£KSeq-35j：k-2Win-0Len-B402933«55-L92.158.0-l#5192.IBS.Q.95TCP64

12、43-*K464KT,A£IC)5eq-l趾Wln-0Lm-0412gi336M,.192.168.0-1#3192.16S.0.95TCP601635*5644KSTj«K5q-lftcK-2世"0Len-&42関M箱込.192.168.0-13152.168.0.55TCP開测时+564WPST,乂此Seq-1配H1ZL朋4433930梟巧192.168.0.1#3192.168,0.55TCP闘23*EZ&4RSTPMKSen-1Ack-2Hin-0Len-944K_333654_192.16E.e_1l#3192.168.0.95TCP60

13、256*56464KT,ATKScq=lJkk=2Win=ftLon=045K_333655_192.166.0-303192.168.0.95TCP66踽S3*56464fiST,A£K5eq-lCick-2h'in-0Len-G4£H-333655_192.166.0-103192.16B.0.95TCP60995*56464KT,A£K)Seq-3firk-2Win-0Len-B4723-333655-L92.26B.0-1#3192.IBS.95TCP025*5M64FSJ.A£K5e»-lAck-2Wlrt-0Left-01)

14、 源端口固定；2) 目的端口随机生成；3)Fin字段为1，其余为0。1.2.4 TCPNULL扫描特征:4墟諾弼KLLS2.168.0.55e.163TCP5AlUyes+443<Mone>5«q-lLen-051,451901,133.168.0.95192-163-6.163TCP54*$93<htone>込qlHin-lfr24Len-0Ej氐话询加一192-lS8.a.95192.163-0.103TCP&4447S&t25町£eqlhin-1624L<an®736.451036-1W-168.«B.

15、95192.36a_0.103TCP54447EB+?I95<hkm&>l3q=4Kin=34Lon=0fl16.451052-192-168.0.95192.163-B.1B3TCP54447BB*53|<Noie>Seq-1kin-1024Len-B*9lfi.45dQI72«192.15®.0a95192.1&8-0.103TCP54447&B*445<Mone>J5tq-ltfljn-l»24Len-9l&.d.510B7.BLg2B158.0,55192163.0.163TCF54076

16、8+1723OfcTHen5eq-lHln-1024.Len-011lfr45dl阳.L.LGS.6.95192.163,6,163：TCP544766*3366-<None>5eq-lNin-1924Len-61215.45*1111,92.168.05192,163H0,165TCP&444768*<none>5eq-lNin-1924Len-61336.451135-192-168.6.95192-3&3-0.103TCP54447EB+587<hhn>S<q=lliln=JGiJ4Lan=02416.4517E-L192.16S

17、.0.303192.3M-0.95TCPW445*447SBR5T?ACKjSeq-1Ack-1Nin-4Lefi-B1516-451764».丄亚止趴ELW3192.1&3.B.95TCP風445*447SBRST,Seq-1Ack-lWlrt-frLai-fi1516,151764,.L92.16S.0.W31M.16S.0.95TCPWWi->J47S3R5TPACK5eq-lAck-1Nln-frLmT171frni51764.1S2.168.9.1&3192.168.0.55TCP&&25>.U7fi8ASTj&CK5eq

18、-l耐ULeZ181灵话H&4斤192r168.0Pl&9TCP&&1723-*HST,A£KSeq-1Ack-1Win-9Len-«1#16.451764-ig2-lfi8.e.W3192.363-0.95TCPW9954478EfiSTjACKStq=lAck=liJin=&L«i=B2*SC.451764-192-166.0.303192.363-0.95TCP6G3加百-*447BBHST,JuCKjSeq-1Arlc-lWin-flLen-421i£-451764L92.168.0-IM192.163.0

19、.95TCP6*53*04TBS(RSTjACKSeq-1Ack-1Uin-BLwB2216-451764192.165.0.103192-1&S-B.95TCP阴阳翻*447B8R5T.ftCK5eq-LAjck-1Wln-lLen-&23偏亦192.168.13.1091-168.0.95TCP黒&87卡i4786RST.ACK5eq-lAck-1Win-frLw弋1)源端口固定；2)目的端口随机生成；3) 所有标志位均为0。1.2.5 TCPSYN扫描特征:1)源端口依次增加；2)目的端口随机生成；3)Syn标志位为1，其余为0。1.2.6UDP扫描特征:1000

20、00000.2 0.00B0E12-192.163.0.953 192.18.554 0.0091W9-192.16S.0-95192166.0.1&3192.IBS.0.103192r16B.0.10-3192.1BS.0.JJB0192r166.0.10-31B2-16E.0.1&3192.16B.0.1&3192.166,0.10-3UOPUDPUDPUDPUDPUOPUOPUDPUDPUDPUS39-18峠2133.3425394E*29243425394B-1677942539aB45SLS42巧940*100KL425394B严16S03425394E-49

21、19642 S59d8沖512143 5汨輻f214B425394B-21603Len-0Len-0Len-0Len=0Leri-Lan=0心总Len-0Len-05 0-00017446 0.0026S7 0.00025528»9002672.g0.0002976-ioe.eee3275L192.1.&,95152.1.95192.163.0.95192.1$fi.&n9S192.163.0.95192.1$8,e,SI5110.0098S861S2.16S.103192.168.0.95ICMP旳Destinationunred£h-able(Portu

22、nreachable)120-0024537192.1.0,95UDP4253946*3B994Len=0130.00216-192.16fl.&-35192.1&B.0.1&3UOP425398-*27707Leri-141.1026266-192.163.0.95192-1&B.0.1&3UOP4253949*277B7Lan=01511027416-192166.0.1&3UOPd2枯如9峠16994Len-0161.1027741-192.163.0.95192-1&8.0.193UOP4253949+21803171.12B03

23、7-192.18,&,55192r16B.0.10-3UDP4253949-2148Len-0IB1.1028327-142.1J&G.0.9S192,i£3.0.U»3UOP42S3949&121如1.1026614,192.1.&,95192r166.0.1&3UDP42舅9阳-49190Len=01.102BB&6-192.16S.&-9S192.1&S.0.iggUOP42S3949-r16S03Lem-0111Qt-1占幻AQE：nai£L4linnAl口TRHR-11EA1）源端口固定；2

24、）目的端口随机生成；3）数据包内容为空。2木马植入2.1提取的计算特征（1）流速（2）传输数据长度（3）单个源IP与目的IP之间的数据包数量（4）单位时间下行流量（5）特殊字段的特征值匹配2.2木马植入过程的特征一台主机被成功扫描之后会有相应的目标机对其进行木马植入，使其感染病毒继而才能传播病毒给其他主机，木马植入的特征如下：（1）被扫描的基础上，一对一的流速异常；（2）传输数据长度特征（缓冲区溢出）；（3）目标IP属地特征（4）数据包的载荷区通过对数十款主流木马通信数据的分析发现，绝大多数木马为了保证通信质量和效率，通信两端的交互信息都是通过数据包载荷区（data）传输的，因此特征提取的主要硏究对象就是数据包的载荷区3传播&CC3.1提取的计算特征（1）流速，报文传输速率（2）单位时间内的总数据包数量（3）多个数据包长度分布（4）单个目的IP单位时间接收数据包的数量（5）信息散度(PktLen&&(DstlP|SrclP)（6）单个IP单位时间内TC