Traffic characteristics are too obvious
hktalent opened this issue · 2 comments
@ehsandeep
Sorry, I found during my research on nuclei scanning defense that its traffic characteristics are very obvious and easy to identify and intercept. I wonder if there are any further measures to improve this, such as obfuscation? Not using fixed headers?
Sample:
http/exposures/backups/zip-backup-files.yaml
GET /web.tar.bz2 HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/configs/zend-config-file.yaml
GET /radio/application/configs/application.ini HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/backups/zip-backup-files.yaml
GET /webapps.7z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.2309.372 Safari/537.36
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
http/exposures/backups/zip-backup-files.yaml
GET /web.z HTTP/1.1
host: 127.0.0.1:8080
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F
connection: close
accept: */*
accept-language: en
accept-encoding: gzip
And then you realize that the user agent is random, which is exactly what we expected.
But by default
connection
accept
accept-language
accept-encoding
their order and values are the same, making it easy to identify and intercept them.
And there has been no introduction of AI technology yet.
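From the defender's side, the fixed header sequence described above is exactly what a WAF or IDS rule can key on. The following is an added example for this thread, not nuclei's code and not something the issue author posted: it parses raw request heads, records the header order, and flags any request whose headers after user-agent are exactly the four constant name/value pairs quoted above. Two of the sample requests are copied from the issue; the third is a constructed browser-like request included for contrast.

```python
"""Flag HTTP requests whose header order and values match the fixed
sequence quoted in this issue (connection, accept, accept-language,
accept-encoding). Added example for the thread, not part of nuclei."""

# Ordered (name, value) pairs the issue reports as constant. The user-agent
# varies between requests, so it is deliberately left out of the signature.
FIXED_TAIL = (
    ("connection", "close"),
    ("accept", "*/*"),
    ("accept-language", "en"),
    ("accept-encoding", "gzip"),
)

# Sample inputs: the first two are requests copied from the issue, the third
# is a constructed browser-style request with a different header order.
SAMPLE_REQUESTS = [
    "GET /web.tar.bz2 HTTP/1.1\n"
    "host: 127.0.0.1:8080\n"
    "user-agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.0 Safari/537.36\n"
    "connection: close\naccept: */*\naccept-language: en\naccept-encoding: gzip\n",
    "GET /radio/application/configs/application.ini HTTP/1.1\n"
    "host: 127.0.0.1:8080\n"
    "user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/4E423F\n"
    "connection: close\naccept: */*\naccept-language: en\naccept-encoding: gzip\n",
    # constructed: same values a real browser might send, but a different order
    "GET /index.html HTTP/1.1\n"
    "host: 127.0.0.1:8080\n"
    "user-agent: ExampleBrowser/1.0 (constructed sample)\n"
    "accept: text/html,*/*\naccept-language: en-US,en;q=0.5\n"
    "accept-encoding: gzip, deflate\nconnection: keep-alive\n",
]


def parse_request(raw):
    """Return (method, target, [(name, value), ...]) for one request head.
    Header names are lowercased and their original order is preserved."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")  # first colon only; host keeps its port
        headers.append((name.strip().lower(), value.strip()))
    return method, target, headers


def matches_fixed_tail(headers):
    """True when every header after user-agent is exactly FIXED_TAIL, in order."""
    names = [name for name, _ in headers]
    if "user-agent" not in names:
        return False
    tail = tuple(headers[names.index("user-agent") + 1:])
    return tail == FIXED_TAIL


def flag_requests(raw_requests):
    """Return the request targets whose header sequence matches the fingerprint."""
    flagged = []
    for raw in raw_requests:
        _method, target, headers = parse_request(raw)
        if matches_fixed_tail(headers):
            flagged.append(target)
    return flagged


if __name__ == "__main__":
    for target in flag_requests(SAMPLE_REQUESTS):
        print("fingerprint match:", target)
```

The check is intentionally strict (exact tail, exact values) because that is the weakness the issue points out: as long as the client emits the same four headers in the same order with the same values, the request is separable from browser traffic without looking at the user-agent at all.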
@ehsandeep
There are some suggestions, for paths such as "/web.z" and "/radio/application/configs/application.ini", to use some random encoding to ensure their dynamism:
1. Randomly select characters for %xx forced encoding
/web.%7A
2. Randomly add some useless parameters, such as ?xxx=random
/web.z?xx=3424
3. Randomly add a # hash, for example: #abcxxx348
/web.z?xx=3424#abc3233
/web.z#abcsdfsfsf
4. Randomly add some useless headers
k1:3232ww3
x3:3988
This may interfere with AI-based recognition of scanning and attacks.
Of course, I know that even with such encoding it is still not difficult to identify attacks (scans), indeed.
At present, I haven't thought of any better way.
Perhaps we can try to embed all scanning traffic in HTTP smuggling, which might mitigate attack identification, WAF identification, and interception.
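The author concedes that the variations listed above do not make a scan hard to identify, and the reason is that a detector normalises before it matches. As an added example for this thread (not nuclei's code and not from the issue author), the block below canonicalises the request target (query and fragment dropped, bounded percent-decoding so double-encoding is undone too) and checks the four fixed headers as an ordered subsequence, so interleaved junk headers do not break the match. The watchlist and sample inputs are constructed from the paths and header values quoted in this issue.

```python
"""Canonicalise request targets and header lists before signature matching,
so percent-encoding, junk query parameters, fragments and extra headers do
not change the result. Added example for this thread, not part of nuclei
or of any WAF product."""

from urllib.parse import unquote, urlsplit

# Paths quoted in the issue; a defender would alert on these however encoded.
WATCHED_PATHS = {
    "/web.z",
    "/web.tar.bz2",
    "/webapps.7z",
    "/radio/application/configs/application.ini",
}

# The constant header pairs from the issue, in the order they are sent.
FIXED_HEADERS = (
    ("connection", "close"),
    ("accept", "*/*"),
    ("accept-language", "en"),
    ("accept-encoding", "gzip"),
)

# Constructed samples: (request target, [(header name, value), ...]).
SAMPLES = [
    # suggestions 1-4 from the issue applied together: %7A for 'z', junk query,
    # fragment, and two made-up headers interleaved with the fixed ones
    ("/web.%7A?xx=3424#abc3233",
     [("user-agent", "Mozilla/5.0 (constructed)"), ("k1", "3232ww3"),
      ("connection", "close"), ("accept", "*/*"), ("x3", "3988"),
      ("accept-language", "en"), ("accept-encoding", "gzip")]),
    # double percent-encoding of the same path
    ("/web.%257A",
     [("connection", "close"), ("accept", "*/*"),
      ("accept-language", "en"), ("accept-encoding", "gzip")]),
    # watched path but a browser-like header set: no fingerprint match
    ("/web.z",
     [("accept", "text/html,*/*"), ("accept-language", "en-US,en;q=0.5"),
      ("accept-encoding", "gzip, deflate"), ("connection", "keep-alive")]),
    # fingerprint present but the path is not on the watchlist
    ("/index.html?xx=1",
     [("connection", "close"), ("accept", "*/*"),
      ("accept-language", "en"), ("accept-encoding", "gzip")]),
]


def canonical_path(target, max_rounds=3):
    """Drop query and fragment, then percent-decode until the string stops
    changing. The round limit keeps nested encodings from looping forever."""
    path = urlsplit(target).path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def header_fingerprint_present(headers):
    """True when FIXED_HEADERS appear as an ordered subsequence of the request
    headers, so extra headers placed between them are simply skipped."""
    it = iter((name.lower(), value.strip()) for name, value in headers)
    return all(pair in it for pair in FIXED_HEADERS)


def classify(target, headers):
    """Return the canonical watched path when both the path and the header
    fingerprint match, otherwise None."""
    path = canonical_path(target)
    if path in WATCHED_PATHS and header_fingerprint_present(headers):
        return path
    return None


def classify_all(samples):
    """Run classify() over a list of (target, headers) pairs."""
    return [classify(target, headers) for target, headers in samples]


if __name__ == "__main__":
    for (target, _), verdict in zip(SAMPLES, classify_all(SAMPLES)):
        print(f"{target!r:40} -> {verdict}")
```

The subsequence test in `header_fingerprint_present` relies on `pair in it` consuming the iterator up to the first match, which is what makes added headers irrelevant; only a change in the relative order or the values of the four constant headers would defeat it, which is the point the issue makes about fixed headers being the real fingerprint.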