Network Denial of Service

Network Denial of Service (DDoS) degrades service availability by exhausting the target system's network bandwidth or service resources; attack methods include, but are not limited to, traffic flooding, protocol vulnerability exploitation and resource exhaustion. Traditional defences rely on techniques such as traffic baseline analysis, protocol anomaly detection and source-IP reputation databases, mitigating attacks by identifying abnormal traffic peaks, malformed protocol formats or known attack fingerprints. Mitigation is usually deployed on network-edge devices or in cloud scrubbing centres, using mechanisms such as traffic shaping, rate limiting and SYN cookies to filter malicious traffic.

To evade traditional detection mechanisms, which are built to recognise sustained high-volume traffic and fixed attack signatures, modern DDoS attacks are evolving toward low observability and dynamic adaptation. Through strategies such as deep protocol-layer disguise, intelligent control of attack tempo and multi-hop chaining of reflection nodes, attackers decompose the attack into legitimate-looking protocol interactions, intermittent pulse sequences or distributed reflected traffic, forming a new denial-of-service paradigm that is "dispersed in form but concentrated in effect".

Current DDoS evasion techniques are evolving along three dimensions: making attack signatures protocol-compliant, disguising resource consumption as business logic, and dispersing the attack tempo in time and space. Distributed reflection attacks abuse public Internet service protocols to turn attack traffic into legitimate service responses, dynamically hiding the attack source while keeping the traffic protocol-compliant. Low-rate pulse attacks exploit the blind spots of the defence system's sampling period, breaking a high-intensity attack into transient micro-pulses so that each attack window is shorter than the detection response time. Protocol-emulation attacks reverse-engineer the target's business protocol and reproduce it precisely, constructing resource-exhausting requests that fully conform to the protocol specification. What the three techniques share is that they break out of the traditional traffic-layer contest: through protocol-semantic compliance, simulated business interaction and adaptive attack tempo, they give malicious traffic surface legitimacy, forcing the defender into deep business-semantic analysis or resource-consumption pattern recognition, which greatly raises the decision cost and response latency of attack detection.

The development of evasion techniques is gradually rendering traditional defences based on traffic-threshold alerting and protocol-signature matching ineffective. Defenders need to build advanced detection capabilities such as multi-dimensional behaviour profiling, protocol state-machine validation and resource-consumption pattern recognition, combine them with edge computing nodes for near-source scrubbing, and establish a multi-layer defence that covers both protocol-compliance checking and business-logic validation.

ID: T1498
Sub-techniques: T1498.001, T1498.002, T1498.003
Tactic: Impact
Platforms: Containers, IaaS, Linux, Windows, macOS
Impact Type: Availability
Contributors: Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team
Version: 1.2
Created: 17 April 2019
Last Modified: 15 October 2024

Evasion Effects

Effect Type Present?
Signature Disguise
Behavioural Transparency
Data Obscuring
Spatiotemporal Trace Dispersion

Signature Disguise

Attackers precisely emulate the target's business protocol or a standard network protocol (such as HTTP/2 or DNS), so that DDoS traffic closely matches legitimate traffic in protocol structure, interaction timing and state transitions. In a protocol-emulation attack, for example, the encrypted handshake of a financial transaction protocol is reproduced in full, making it hard for deep packet inspection devices to distinguish malicious requests from normal business interactions. This deep protocol disguise lets attack traffic pass routine compliance checks, achieving the evasion effect of "formal legitimacy".

Data Obscuring

In some advanced DDoS attacks, the attacker encrypts the communication channel with TLS or a proprietary protocol; an HTTPS flood, for instance, establishes legitimate encrypted sessions, so intermediate defence devices cannot identify attack signatures by inspecting decrypted content. Encryption not only protects the transmission of attack control commands but also hides the protocol payload characteristics of the attack traffic, leaving the defender able to analyse only traffic metadata or behaviour patterns.

Spatiotemporal Trace Dispersion

Low-rate pulse attacks split a high-intensity attack into sequences of millisecond-scale instantaneous pulses, exploiting the time blind spots of the defence system's sampling period to dilute the attack signature along the time dimension. At the same time, distributed reflection attacks use globally distributed reflection nodes to make the attack traffic spatially dispersed, so the flood hitting the target arrives from thousands of geographically scattered, legitimate service IPs. This dual dilution in time and space greatly reduces the effectiveness of single-point detection, forcing defenders to build long-window, cross-region traffic correlation capabilities.
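The time-and-space dilution described above, as an added defender-side example that is not part of the original page: the same constructed flow records are rated once with a coarse one-second sampler, which sees nothing, and once with 50 ms bins, which expose the pulses, and each alerting bin is annotated with how many distinct sources contributed to it. The records, the 10,000 bytes/ms threshold and the bin widths are constructed assumptions, not values from the page.

```python
from collections import defaultdict

# Constructed sample flow records (timestamp_ms, src_ip, bytes); not real traffic.
# One second of light background traffic from five clients, plus two 40 ms pulses
# that each arrive from 40 distinct "reflector" addresses (assumed values).
def make_sample():
    records = []
    for t in range(0, 1000, 10):                      # background: 1,200 B every 10 ms
        records.append((t, f"198.51.100.{(t // 10) % 5 + 1}", 1200))
    for start in (200, 700):                          # two short, intense pulses
        for i in range(40):
            records.append((start + i, f"203.0.113.{i + 1}", 60000))
    return records

SAMPLE = make_sample()

def rate_per_bin(records, bin_ms):
    """Bytes per millisecond for each bin of width bin_ms, keyed by bin start."""
    volume = defaultdict(int)
    for ts, _src, nbytes in records:
        volume[(ts // bin_ms) * bin_ms] += nbytes
    return {b: v / bin_ms for b, v in volume.items()}

def pulse_bins(records, bin_ms, threshold_bytes_per_ms):
    """Bin starts whose rate exceeds the threshold at this sampling resolution."""
    rates = rate_per_bin(records, bin_ms)
    return sorted(b for b, r in rates.items() if r > threshold_bytes_per_ms)

def source_dispersion(records, bin_start, bin_ms):
    """Distinct source IPs inside one bin. A burst spread evenly over many
    sources is the spatial signature of reflected traffic, not of a few heavy clients."""
    return len({src for ts, src, _ in records if bin_start <= ts < bin_start + bin_ms})

def analyse(records, fine_ms=50, coarse_ms=1000, threshold=10_000):
    """Compare the coarse sampling view with the fine one and attach dispersion."""
    coarse = pulse_bins(records, coarse_ms, threshold)   # what a 1 s sampler sees
    fine = pulse_bins(records, fine_ms, threshold)       # what 50 ms bins reveal
    return {
        "coarse_alerts": coarse,
        "fine_alerts": [(b, source_dispersion(records, b, fine_ms)) for b in fine],
    }

if __name__ == "__main__":
    print(analyse(SAMPLE))
    # {'coarse_alerts': [], 'fine_alerts': [(200, 45), (700, 45)]}
```

The coarse view averages the two pulses down to about 4,920 bytes/ms over the whole second, below the threshold, which is exactly the sampling blind spot the text describes; the fine bins and the 45 distinct sources per burst are what a long-window, cross-source correlation has to work from.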

Procedure Examples

ID Name Description
G0007 APT28

In 2016, APT28 conducted a distributed denial of service (DDoS) attack against the World Anti-Doping Agency.[1]

S0532 Lucifer

Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.[2]

S1107 NKAbuse

NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation.[3]

Mitigations

ID Mitigation Description
M1037 Filter Network Traffic

When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.[4]

Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.[4]

As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.[4]

Detection

ID Data Source Data Component Detects
DS0029 Network Traffic Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

DS0013 Sensor Health Host Status

Detection of Network DoS can sometimes be achieved before the traffic volume is sufficient to cause impact to the availability of the service, but such response time typically requires very aggressive monitoring and responsiveness or services provided by an upstream network service provider. Monitor for logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications).

References