
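BAF Analysis of UDP Reflection DDoS Attacks
Cite this article: ZHOU Wen-Feng, DING Wei, LI Gang. BAF Analysis of UDP Reflection DDoS Attacks[J]. Journal of Software, 2016, 27(S2): 301-308.
Authors: ZHOU Wen-Feng, DING Wei, LI Gang
Affiliation (all three authors): School of Computer Science and Engineering, Southeast University, Nanjing, Jiangsu 211189; Jiangsu Provincial Key Laboratory of Computer Network Technology (Southeast University), Nanjing, Jiangsu 211189
Funding: National Natural Science Foundation of China (61602114)
Abstract (translated from the Chinese): UDP reflection DDoS attacks are simple to carry out and highly effective, and have become one of the main means of network attack today. The bandwidth amplification factor (BAF) is the main metric for evaluating the amplification capability of a reflection attack. Taking IP fragments into account, this paper revises the BAF formula to use the full packet payload, so that it reflects the amplification capability of reflection attacks more accurately. Using information provided by NBOS (network behavior observation system) on hosts in CERNET (China Education and Research Computer Network) that show reflection behavior on ports 19, 123, 161 and 1900, BAF values were obtained through attack experiments. On this basis, the collected BAF data were analyzed statistically and for stability. The results show that the BAF of ports 19 and 123 is generally large, but its stability is poor. The results were used to evaluate the risk level of all amplifiers; amplifiers with a high risk level are the ones that attack prevention should focus on.

Keywords: reflection attack; bandwidth amplification factor; amplifier; fragmented packets; data analysis
Received: 6/5/2016
Revised: 2016/10/18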

BAF Analysis of UDP Reflection DDoS Attacks
ZHOU Wen-Feng, DING Wei and LI Gang. BAF Analysis of UDP Reflection DDoS Attacks[J]. Journal of Software, 2016, 27(S2): 301-308.
Authors: ZHOU Wen-Feng, DING Wei and LI Gang
Affiliation (all three authors): School of Computer Science and Engineering, Southeast University, Nanjing 211189, China; Jiangsu Provincial Key Laboratory of Computer Network Technology (Southeast University), Nanjing 211189, China
Abstract: UDP reflection DDoS attacks have become one of the primary means of network attack because they are simple to carry out and highly effective. The bandwidth amplification factor (BAF) is the main measure of a reflection attack's amplification capability. In this paper, taking IP fragments into account, the full packet payload is used to revise the BAF formula so that it reflects the amplification capability of reflection attacks more accurately. Hosts in CERNET (China Education and Research Computer Network) showing reflection behavior on ports 19, 161, 123 and 1900 are identified through NBOS (network behavior observation system), and attack tests against them yield the BAF data. On this basis, the BAF data are analyzed in terms of statistics and stability. The results show that the BAF of ports 19 and 123 is relatively large, but its stability is poor. The paper also uses the results of the analysis to evaluate the risk level of all amplifiers. Amplifiers with a high risk level are usually used by attackers and should be the focus of attention in attack prevention.
Keywords: reflection attack; bandwidth amplification factor; amplifier; fragmented packets; data analysis