
Where the "Warning: malicious javascript detected on this domain" message comes from

2024-04-27 14:10:34
Source: repost
Contributed by: netizen


http://www.thenewslens.com/post/144232/ is the original write-up; inside China you may need a network accelerator to view it.

Below is an excerpt from an overseas document: Cyberspace Administration of China DDoS Attack Forensics.pdf

Using Baidu (百度) to steer millions of computers to launch denial of service attacks

or How the Great Fire Anti Censorship Project and Amazon's Cloud Front are under Denial of Service attack. 25th March 2015

The Greatfire.org's Internet Project has successfully unblocked websites inside China by deploying a set of online mirror sites hosted in large Content Distribution Networks (CDNs) such as Amazon's Cloud Front. On the 18th of March 2015, the project reported on their website that they were suffering from a large Denial of Service attack that started the day before. This document summarizes our technical findings and describes in detail how the largest application layer attack ever seen has been implemented.

The attackers have implemented a sneaky mechanism that allows them to manipulate a part of the "legitimate traffic" from inside and outside China to launch and steer Denial of Service attacks against Cloudfront and the Greatfire.org's anti censorship project. Our work reveals:

• That global readers visiting thousands of websites hosted inside China are randomly receiving malicious code that will force them to launch cyber attacks.

• That malicious code is sent when normal readers load resources from Baidu's servers, as Javascript files are hosted in dup.baidustatic.com, ecomcbjs.jomodns.com, cbjs.e.shifen.com, hm.baidu.com, eclick.baidu.com, pos.baidu.com, cpro.baidu.com and hm.e.shifen.com.

• That Baidu's Analytics code (h.js) is one of the files replaced by malicious code triggering the attacks.

• That malicious code is sent to "any reader globally" without distinction of geographical location with the only purpose of launching denial of service attacks against Greatfire.org and the Cloud Front infrastructure.

• That the attacks are targeting not thousands, but millions of computers around the world, which in their turn attack Amazon infrastructure.

• That the tampering seems to take place when traffic coming from outside China reaches Baidu's servers.

Not just a normal attack (18th March 2015)

During the 18th of March 2015, we looked into the webserver logs of the attacked sites. The Greatfire.org's project runs several mirror sites inside the Amazon infrastructure and, due to the large volume of logs (one single hour of log files is 33GB), we decided to focus on one single site, "d19r410x06nzy6.cloudfront.net", during the period of one hour. Our research consisted in trying to find hints within the 500 log files, containing a total of 100 million requests, on how the attack was carried out. A sample of a request from one of the log files is presented below.

2015-03-18 11:52:13 JFK1 66.65.x.x GET /?1425369133 http://pos.baidu.com/wh/o.htm?ltr=https://www.google.com/&cf=u Mozilla/5.0 (linux; Android 4.4.4; SM-N910V Build/KTU84P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.109
2015-03-18 11:52:13 JFK1 71.175.x.x GET /?1425369133 http://www.17k.com/chapter/471287/17884999.html Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/4

The first request tells us that on the 18th of March 2015, one computer with IP 66.65.x.x sent a GET request with the content (?1425369133) as a redirection of the search request (https://www.google.com) in baidu.com. This request was routed by Amazon into China via their servers in New York city (JFK1). The logs indicate that the attack was originated by computers distributed all around the world, that were flooding the server with requests of the form GET /?142xxxxxxx

More than ten million computers distributed all over the world were sending requests to Greatfire.org servers hosted behind Amazon's Cloud Front. Each computer involved in the attack was sending a relatively small number of requests (1 – 50 unique requests during one hour). The requests seemed to include a "timestamp". The "timestamp" was included in all requests to generate unique random queries against the attacked sites. After looking into 100 million timestamps we concluded that those timestamps were somehow correlated with the timezone of the source of the traffic.

Where was the traffic originated? (19th March 2015)

Amazon Web Services names their Edge Locations after the closest International Airport IATA Code. For example the code AMS1 is for Amsterdam or JFK for John F. Kennedy in New York. This piece of information in the logs helped us to understand the distribution of the computers that were launching the attack. We extracted all the airport codes from the logs and 70% of the requests originated from TPE50, HKG50 and HKG51. No surprise there! The surprising result is that the remaining 30% was well distributed across 50 other edges around the world.

EDGE     % Traffic
TPE50    28.21%
HKG51    22.69%
HKG50    18.11%
SIN3      4.14%
MNL50     2.91%
SIN2      2.84%
SYD2      2.82%
ICN51     2.51%
LH50      1.55%

Image: Distribution of attack traffic across Cloud Front global infrastructure.

Image: Geo location of attack traffic (600 randomly chosen IPs).

Another interesting aspect of the logs was that the attack seemed to be generated when readers were visiting a myriad of different websites. But out of 9000 different websites, 38% included resources linked with one or several Baidu servers.

SITES             %
pos.baidu.com     37.14%
tieba.baidu.com    2.42%
www.dm5.com        1.83%
www.7k7k.com       1.54%
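The two tallies above (attack traffic per Cloud Front edge, and the referer sites that embedded the Baidu resources) can be reproduced from the log fields the report quotes. The script below is an added example, not part of the forensics document or of Greatfire's tooling; the log lines are constructed in the tab-separated field order shown in the sample (date, time, edge, masked client IP, method, URI, referer, user-agent), with the IPs and referers made up, and the attack signature is the GET /?<10-digit timestamp> pattern the report describes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines (not real log data); field order follows the report's sample:
# date, time, edge, client IP (masked like the report), method, URI, referer, user-agent.
SAMPLE_LOG = """\
2015-03-18\t11:52:13\tJFK1\t66.65.x.x\tGET\t/?1425369133\thttp://pos.baidu.com/wh/o.htm?ltr=https://www.google.com/&cf=u\tMozilla/5.0 (Linux; Android 4.4.4)
2015-03-18\t11:52:13\tJFK1\t71.175.x.x\tGET\t/?1425369133\thttp://www.17k.com/chapter/471287/17884999.html\tMozilla/5.0 (Macintosh)
2015-03-18\t11:52:14\tTPE50\t1.2.x.x\tGET\t/?1425369140\thttp://pos.baidu.com/wh/o.htm\tMozilla/5.0
2015-03-18\t11:52:14\tHKG51\t3.4.x.x\tGET\t/?1425369141\thttp://tieba.baidu.com/p/1\tMozilla/5.0
2015-03-18\t11:52:15\tAMS1\t5.6.x.x\tGET\t/index.html\thttp://example.org/\tMozilla/5.0
"""

# Attack signature from the report: a bare 10-digit epoch "timestamp" as the whole query string.
ATTACK_URI = re.compile(r"^/\?1\d{9}$")


def parse_line(line):
    """Split one tab-separated log line into a dict; None for short or malformed lines."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) < 7:
        return None
    date, time, edge, ip, method, uri, referer = fields[:7]
    airport = re.match(r"[A-Z]+", edge)  # edge codes are IATA code + number, e.g. TPE50
    return {"edge": edge, "airport": airport.group(0) if airport else edge,
            "ip": ip, "method": method, "uri": uri, "referer": referer}


def summarize(log_text):
    """Tally only attack-pattern requests, by edge, airport and referer host (as percentages)."""
    edges, airports, hosts, ips = Counter(), Counter(), Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET" or not ATTACK_URI.match(rec["uri"]):
            continue  # ordinary traffic stays out of the attack tally
        total += 1
        edges[rec["edge"]] += 1
        airports[rec["airport"]] += 1
        hosts[urlsplit(rec["referer"]).hostname or "-"] += 1
        ips[rec["ip"]] += 1

    def pct(counter):
        return {k: round(100.0 * v / total, 2) for k, v in counter.items()} if total else {}

    return {"attack_requests": total, "unique_ips": len(ips), "edge_pct": pct(edges),
            "airport_pct": pct(airports), "referer_host_pct": pct(hosts)}
```

On the real 33GB-per-hour volume the same loop would be run per file with the counters merged; the percentages then correspond to the two tables above.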