
DRDoS - Distributed Reflection Denial of Service

At 2 a.m. on January 11, 2002, GRC.com was knocked off the Internet by a distributed denial of service attack.

Perhaps the most surprising aspect of this attack was that its source appeared to be, quite plainly, hundreds of the Internet's core routers, web servers belonging to yahoo.com, and even a machine whose IP address resolved to gary7.nsa.gov. It seemed we were under a powerful attack from fully connected machines.
We immediately worked out how to stop the attack and bring the web site back online. 1,072,519,399 packets were blocked before the attack ended.
This page offers a brief tutorial on the operation of the network's TCP protocol, followed by an explanation of the communication mechanics of denial of service (DoS), distributed denial of service (DDoS) and distributed reflection denial of service (DRDoS) attacks.

Bandwidth consumption
This was true of the January 11 attack: distributed attacks like it are bandwidth-consumption attacks, in which the combined Internet bandwidth of many machines is focused on, or directed at, one or a few machines. Although the attacking packets may individually be harmless, a flood of such packets can saturate the victim's network connection or exhaust the machine's processing resources. The result is that legitimate traffic cannot compete with the malicious flood, and the intended service is denied.
For more on DDoS bandwidth-consumption attacks, please see the earlier page discussing the many DDoS attacks directed by a malicious 13-year-old.
However, since companies large and small have begun to suffer serious disruption, and even the risk of bankruptcy, as a result of malicious packet floods (this is one concrete example), an accurate understanding and diagnosis of a sophisticated attack's method is often the key to finding an effective countermeasure.
Before we can learn about and understand distributed reflection attacks, we need to understand how TCP, the connection-oriented protocol that links computers on the network, operates.

TCP Connections 101

I recall that years ago, before the Internet, exchanges between two computers happened only on a local network. As a hardware engineer as much as a software person, I remember wondering: a connection? How can two computers be connected to each other across a wide network, beyond the local one? Later I learned that two computers can address each other and send packets to one another and, through a connection negotiation, succeed in crossing the network and establishing a virtual TCP connection.
Individual TCP packets carry flag bits that describe the content and purpose of each packet. For example, a SYN packet, with its SYN flag bit set, initiates a connection from the sender to the receiver. An ACK packet, with its ACK flag bit set, acknowledges receipt of information from the receiver back to the sender. A FIN packet, with its FIN flag bit set, closes the connection from the sender to the receiver.
Establishing a typical TCP connection requires an exchange of three packets between the two computers, in a mutual exchange known as the TCP three-way handshake. Here is an illustration:

[Figure: the TCP three-way handshake]
1. SYN: A TCP client (such as a web browser, FTP client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server.
As the diagram above shows, this SYN packet is usually sent from a client port numbered between 1024 and 65535 to a server port numbered from 1 to 1023. The client program running on the client machine asks the operating system running on that machine for a port to use for connecting to the server. Port numbers in that range are known as client, or ephemeral, ports. Similarly, the server program running on the server machine registers with its operating system for the privilege of listening for incoming traffic on a particular port. This list of well-known ports is called the service ports. For example, a typical web server program listens for packets arriving on port 80 of its machine, and web browser clients normally send their packets to port 80 on the server.
Note that in addition to the source port and destination port, every packet must also carry the IP address of the sending machine and the address of the machine to which the routers are to deliver it.
2. SYN/ACK:
When a SYN packet requesting a connection arrives at an open TCP service port, the server normally replies with a SYN/ACK packet accepting the connection.
Although a TCP connection is a two-way connection, each direction is established and managed independently. For this reason the TCP server's reply to the client's SYN connection request both acknowledges (ACKs) the client's SYN and sends a SYN of its own to start a connection in the reverse direction. The two messages are combined into a single SYN/ACK reply packet.
The SYN/ACK packet is sent to the originator of the SYN by swapping the source and destination IP addresses taken from the SYN packet and placing them in the SYN/ACK reply. The receiver's SYN/ACK is thus addressed to the IP address the SYN came from. This is exactly what we want.
Note that while the client's packet was sent to the server's service port (port 80, as discussed above), the server's reply returns from that same service port. In the return packets only the source and destination IP addresses have been exchanged.
The client's receipt of the server's SYN/ACK packet confirms that the server has accepted the client's connection. The reply always reaches the client, since a return path always exists between client and server. If the server cannot or will not accept the client's TCP connection, it replies instead with an RST/ACK packet, or an ICMP port-unreachable packet, informing the client that its connection request has been refused.
3. ACK:
When the client receives the server's SYN/ACK for the pending connection, it replies with an ACK packet.
The client acknowledges receipt of the SYN half of the server's reply by sending an ACK packet back to the server. At this point a two-way TCP connection has been established between the client and the server, and data can flow freely in both directions between the two TCP endpoints.
The server's receipt of the client's ACK confirms to the server that its SYN/ACK reached the client. At this point the server also considers the two-way TCP connection between client and server established, and data can flow freely in both directions between the two TCP endpoints.
TCP abuse: the traditional SYN flood

A few years ago a weakness in the TCP connection handling of many systems was discovered and exploited by skilled hackers.
As the TCP diagram above shows, the server's receipt of a client's SYN packet is intended to prepare it for a connection. The server allocates buffer memory for sending and receiving the connection's data, and it records various details from the client's connection request, including the client's IP address and port number. In this way the server is prepared to accept the client's final ACK, which completes the connection. In addition, if the client's ACK is lost in transit, the server will be able to resend its SYN/ACK, on the assumption that it may have been lost or discarded along the way.
On reflection, this means that memory and other important resources are committed as the result of a single packet. Clever malicious hackers realized that there is a limit to the number of half-open connections a TCP server can handle.
[Figure: a SYN flood with spoofed source addresses]
Because raw sockets allow the source IP address of a packet to be overwritten and forged, when a SYN packet with a forged source IP arrives at the server it looks like a legitimate connection request. The server allocates the necessary buffer memory, records the new connection's details, and sends a SYN/ACK reply to the client. But since the source IP carried in the SYN packet was forged, the SYN/ACK goes to some random IP on the Internet. If the packet reaches a valid IP address, the machine at that address may reply with an RST packet, letting the server know it never requested a connection. But with over four billion Internet addresses, there will usually be no machine at that address at all, and the packet is simply dropped.
The problem is that the server has no way of knowing that the client's apparently valid connection request is a fraud (spoofed). So it must treat it like any other pending legitimate connection, and it must wait for some period for the client to complete the three-way handshake. If the ACK does not arrive, the server has to resend its SYN/ACK, believing it may have been lost on the way back to the client.
As you can imagine, all of this connection management consumes a significant share of the server's limited resources. Meanwhile the attacking TCP client keeps blasting spoofed SYN packets at the server, forcing it to accumulate ever more pending connections. At some point the server can hold no more half-open connections; legitimate connections are ignored, and the server's ability to accept any connection at all is effectively destroyed.
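To make the resource-exhaustion mechanism concrete, here is an added Python model (not code from the original article) of a listener's bounded half-open table under a spoofed SYN flood. The backlog size, SYN/ACK timeout and retry count are constructed parameters, and the addresses are documentation ranges, not values from the attack described on this page.

```python
"""Model of a TCP listener's bounded half-open table under a spoofed SYN flood.

Added illustration, not code from the original article. Backlog size,
SYN/ACK timeout and retry count are constructed parameters, not values
taken from any real TCP stack.
"""
from dataclasses import dataclass, field


@dataclass
class HalfOpen:
    """State kept for one connection whose handshake has not completed (SYN received)."""
    client_ip: str
    client_port: int
    synack_sent_at: float
    retransmits: int = 0


@dataclass
class Listener:
    """Simplified TCP listener: a bounded table of half-open connections."""
    backlog: int = 8              # constructed: maximum half-open entries
    synack_timeout: float = 3.0   # seconds before the SYN/ACK is re-sent
    max_retransmits: int = 3      # give up on the client after this many re-sends
    table: dict = field(default_factory=dict)
    dropped_syns: int = 0
    established: int = 0

    def on_syn(self, now, client_ip, client_port):
        """Handshake step 2: allocate state and answer SYN/ACK, or drop the SYN if the table is full."""
        self.expire(now)
        key = (client_ip, client_port)
        if key in self.table:
            return "SYN/ACK"            # duplicate SYN: answer again, no new state
        if len(self.table) >= self.backlog:
            self.dropped_syns += 1
            return "DROP"               # table full: this client gets no reply at all
        self.table[key] = HalfOpen(client_ip, client_port, now)
        return "SYN/ACK"

    def on_ack(self, now, client_ip, client_port):
        """Handshake step 3: the client's ACK completes the connection and frees its slot."""
        if self.table.pop((client_ip, client_port), None) is None:
            return "RST"                # no half-open state matches this ACK
        self.established += 1
        return "ESTABLISHED"

    def on_rst(self, client_ip, client_port):
        """A real host that never sent the SYN answers our SYN/ACK with RST, freeing the slot."""
        return self.table.pop((client_ip, client_port), None) is not None

    def expire(self, now):
        """Re-send SYN/ACK on timeout; discard entries that have used up their retries."""
        for key, entry in list(self.table.items()):
            if now - entry.synack_sent_at >= self.synack_timeout:
                if entry.retransmits >= self.max_retransmits:
                    del self.table[key]
                else:
                    entry.retransmits += 1
                    entry.synack_sent_at = now


def simulate_syn_flood(n_spoofed=20, backlog=8):
    """Spoofed SYNs whose sources never answer fill the table; a real client is then refused."""
    srv = Listener(backlog=backlog)
    for i in range(n_spoofed):
        # constructed spoofed sources: nobody at these addresses will ever ACK
        srv.on_syn(0.0, f"198.51.100.{i + 1}", 40000 + i)
    result = {"half_open_during_flood": len(srv.table)}
    # A legitimate client arrives while the table is full and is silently dropped.
    result["legit_during_flood"] = srv.on_syn(0.1, "203.0.113.10", 50000)
    # One spoofed address happens to be a live host: its RST frees exactly one slot.
    result["slot_freed_by_rst"] = srv.on_rst("198.51.100.1", 40000)
    result["half_open_after_rst"] = len(srv.table)
    # Let every SYN/ACK retransmit run its course, (max_retransmits + 1) timeouts later.
    for tick in range(1, srv.max_retransmits + 2):
        srv.expire(tick * srv.synack_timeout)
    result["half_open_after_expiry"] = len(srv.table)
    # With the stale entries gone, the same client can now connect normally.
    t = (srv.max_retransmits + 1) * srv.synack_timeout + 0.1
    result["legit_after_expiry"] = srv.on_syn(t, "203.0.113.10", 50001)
    result["legit_ack"] = srv.on_ack(t + 0.05, "203.0.113.10", 50001)
    result["dropped_syns"] = srv.dropped_syns
    return result


if __name__ == "__main__":
    for k, v in simulate_syn_flood().items():
        print(f"{k}: {v}")
```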

Without bandwidth consumption

Before systems were hardened to lessen its effects, the SYN flood was highly effective. Even a single malicious machine on a slow dial-up connection could fill and wreck the connection queue of a high-performance Internet server. Although there has been some progress in defending against malicious SYN spoofing, only a few effective solutions have been created.
It is important to understand that the easily generated spoofed-source-IP SYN attack is not a bandwidth-consumption attack; it exploits an inherent vulnerability in the TCP/IP implementations of most systems.
Note also that this denial of service attack is not distributed: it is a DoS attack, unlike the various DDoS forms. A single malicious SYN-generating machine, hidden somewhere on the Internet behind its spoofed source-IP SYN packets, could reach out and take down a major web site.
Solving the spoofing problem

System vendors responded to spoofed-SYN attacks by hardening their TCP protocol stacks in various ways. Most of these upgrades make systems less vulnerable, but they do not eliminate the problem.

The evolution of bandwidth attacks

As malicious hackers grew more experienced, and as a ready supply of insecure, easily compromised Internet-connected hosts became available, bandwidth-consumption attacks quickly became frequent. Distributed denial of service (DDoS) attacks have become commonplace. As I discovered and documented in May 2001, powerful and effective Internet attack tools have become child's play to operate. They are used to break through the defenses of computer systems.

What happens during a bandwidth attack

Unlike the DoS-style attack, which uses a low rate of malicious SYN packets to exhaust and cripple the server's resources, a bandwidth attack generates an overwhelming flood of meaningless malicious traffic that saturates the server or its bandwidth. The malicious flood competes with, and crowds out, all legitimate network traffic, so that intact legitimate packets have very little chance of surviving the flood. The network's servers are effectively pushed off the network and denied service.

[Figure: traffic aggregation at the provider's customer-edge router]

Dropping packets

The diagram above helps illustrate the consequences of a bandwidth attack. It shows a router located at the customer edge of a network service provider, where the provider collects and distributes traffic for several small customer networks. In this way many low-bandwidth connections are aggregated into one higher-bandwidth connection.
During normal operation, traffic arriving from the big pipe is sorted and forwarded to the lower-bandwidth subnetworks belonging to the various customer routers.

DoS versus DDoS

DoS: the traditional attack style, in which a single attacker uses his own machine to attack another, can be seen in the following diagram:

[Figure: a single-source DoS flood]
As the attack in the diagram above shows, if the attacking machine has a faster Internet connection than the victim's, it can succeed in saturating the victim's network bandwidth; in this way one well-connected attacking machine can flood any number of less well-connected machines and keep them off the network.
DDoS is a far more powerful form of bandwidth flooding, produced by focusing the bandwidth of many machines on a single machine or network.

[Figure: DDoS architecture with a Zombie master controlling a network of Zombies]
The diagram above shows a typical architecture used in DDoS attacks: a network of compromised machines, each running a remotely controlled Zombie attack program, is controlled and coordinated by a Zombie master, the central control authority. When the Zombie network receives instructions from its master, each individual Zombie begins generating a flood of malicious traffic aimed at the victim's single machine or network.
This is the organization used by many popular distributed attack tools, including the Windows Evilbot machines directed by the malicious 13-year-old who first attacked grc.com during May 2001. The Evilgoat Evilbots use a public IRC server as the place where they gather and receive attack instructions. The Zombie master logs into an IRC chat room and issues the plan and timing of the attack.
Aggregation of distributed Zombie traffic

Separate streams of traffic cross the network from many separate sources, and the network's routers combine them into a single flood.

[Figure: Zombie traffic streams aggregating at the provider's router]

When the flood reaches the network service provider's aggregation router, most of the network's traffic is dropped (discarded), because the router cannot reliably distinguish the useless flood traffic from anything else; all the packets look alike to it. Legitimate network traffic is discarded along with the flood, and the network is effectively knocked off the Internet.
Troubling as the situation described above is, it is now about to get much worse.

Distributed reflection
The next form of DDoS attack

At 2 a.m. one morning in January 2002, grc.com was knocked off the network by a massive flood. This was an advanced attack: a new form of DDoS that could be called Distributed Reflection Denial of Service, or DRDoS.

The hidden flood

I was awake and working at 2 a.m., when the attack began, so I was able to start investigating the flood almost at once. Part of the flood was being held back by Verio's aggregation router, which could pass no more than our two T1 lines would carry. Our web server's outbound traffic dropped to zero, because in fact the requests from the network to our server were no longer being answered: they could not compete with the flood. We were completely off the air.
In the past we had been hit by Evilbots with UDP and ICMP floods. Those are easy to generate for anyone controlling a crowd of Zombies, even Windows machines. We had also been hit many times by spoofed-source-IP SYN floods. So it surprised me, when we captured the attack packets, to find that we were being flooded by SYN/ACK packets. Of course, that alone did not mean much. As we described earlier on this page, a SYN/ACK packet is just a SYN packet with its ACK flag bit turned on, for good or ill as the attacker wishes; an attacker can set whichever TCP flag bits he likes.
The surprise came when I looked carefully at the source IPs of the flood packets:


We were under attack by more than two hundred routers.

What happened next?

It looked as though we were being flooded by Verio, Qwest and Above.net, whose routers we could recognize by their distinctive hostnames. I saw that the packets were, in every respect, proper replies: SYN/ACK packets from TCP source port 179. In other words, instead of web server packets returning from port 80, these packets were returning from BGP port 179.
BGP, the Border Gateway Protocol, is supported by the Internet's core routers. Routers use BGP to talk to their neighboring routers, exchanging routing-table updates that tell each other which IP ranges each router can forward to.
The details of BGP do not matter here. What matters is that virtually all core routers on fast (high-bandwidth) Internet links accept TCP connections on port 179. A SYN packet arriving at port 179 of an Internet router is answered with a SYN/ACK.

I suddenly understood what was happening

[Figure: spoofed SYNs sent to routers, with their SYN/ACK replies reflected onto grc.com]

There was no real chance, nor any plausible way, that hundreds of routers had been compromised or infected by some Zombie component. I saw clearly that they were just ordinary, innocent TCP servers doing exactly what they were designed to do. They were sending SYN/ACK packets to grc.com in the belief that we wanted to open a TCP connection to the BGP server built into each of them.
In other words, a malicious hacker somewhere else on the Internet was SYN-flooding these Internet routers with TCP SYN connection-request packets. The SYN packets carried forged source IP addresses belonging to grc.com. The routers therefore believed the SYN packets came from us, and replied with SYN/ACK packets as the second step of the standard TCP three-way handshake.
The malicious SYN packets were being reflected, harmlessly, off these TCP servers. The SYN/ACK replies, however, were being used to flood and attack our bandwidth.
A new kind of attack

From a purely academic standpoint it was fascinating: grc.com was being taken down by hundreds of Internet routers, and it was being done with perfectly legitimate packets. My first priority, though, was getting us back online.
I do not know why we were the target of this attack. Perhaps it was an occasion to try out a new attack method...

Hey, let's hammer Gibson and see what he does about it.

We will see below that there were signs that, after the initial attack on us, one or more variants of the attack were in regular use; this is one of the reasons skilled hackers prefer the distributed reflection attack to the traditional distributed flooding technique.
I did not want to bother Verio, our service provider, if the attack was about to end on its own, so I held off calling their engineers, watched the attack and waited two hours. At 4 a.m. the attack showed no sign of weakening. Morning comes early on the US east coast, so I called Verio's 24/7 network operations center. I summarized the problem and convinced the operations center that we were under attack and needed help immediately. I was pleased when a security engineer, still half asleep, called me back less than two hours after I had reported the problem to Verio.
Blocking the reflection attack

The good news was that the attack appeared relatively easy to block. Since we are not a service provider ourselves, we have no need to accept connections from remote BGP routers. So we asked Verio to block incoming traffic from BGP service port 179. Because the hacker's malicious SYN packets were aimed at the routers' port 179, every reflected packet originated from that port.
Verio's engineer added a filter to the aggregation router serving our Internet connection, blocking packets addressed to us from port 179. The flood packets from port 179 were immediately stopped.

But we still could not get back online


A newly captured packet revealed that we were under active attack from an entirely new set of servers, whose traffic appeared only after the port-179 router traffic had been blocked. It appeared to be a second wave of reflected traffic that had not been able to compete with the router flood.
With the routers' traffic blocked, we were now being flooded by SYN/ACK packets pouring in from ports 22 (secure shell), 23 (telnet), 53 (DNS) and 80 (HTTP/web), along with a few from port 4001 (a proxy server port) and 6668 (IRC chat).
I was so surprised when the second flood suddenly appeared that I neglected to block it and capture a complete, accurate sample of the non-BGP flood traffic. My log file did, however, catch a number of the non-BGP SYN/ACKs, so I have some record of them.

A small sample of the web servers that were flooding us with SYN/ACKs from their HTTP (web) port 80:

64.152. 4. 80--www.wwfsuperstars.com
128.121.223.161--veriowebsites.com
131.103.248.119--www.cc.rapidsite.net
164.109. 18.251--whalenstoddard.com
171. 64. 14.238--www4.Stanford.EDU
205.205.134. 1--shell1.novalinktech.net
206.222.179.216--forsale.txic.net
208. 47.125. 33--gary7.nsa.gov
216. 34. 13.245--channelserver.namezero.com
216.111.239.132--www.jeah.net
216.115.102. 75--w3.snv.yahoo.com
216.115.102. 76--w4.snv.yahoo.com
216.115.102. 77--w5.snv.yahoo.com
216.115.102. 78--w6.snv.yahoo.com
216.115.102. 79--w7.snv.yahoo.com
216.115.102. 80--w8.snv.yahoo.com
216.115.102. 82--w10.snv.yahoo.com


The incomplete list of port-80 SYN/ACK flooders above holds several points of interest. The servers appear to have been chosen selectively, suggesting that the skilled hackers deliberated carefully over their choice of IP addresses, picking web servers they expected to be very well connected for use in the reflection attack. Seven web servers belonging to yahoo.com were heavily used, as was gary7.nsa.gov.
A large force had joined the ACK flood, using far more Internet servers than Internet routers. This showed that the skilled hackers understood the general nature of TCP connection handling: any Internet server that accepts connections can be used as a reflection server. We clearly needed to do more than simply block packets coming from BGP port 179. I present a more effective countermeasure, which partly resolves this attack, in the discussion below, after analyzing how the attack can be carried out and the consequences it produces.
Once we had filtered the reflection attack, we brought ourselves (the web site) back onto the Internet immediately, although I could not observe the aftermath of the attack from behind our filter. What sent a chill through me was noting that...
By the time the attack ended, Verio's router had dropped more than a billion malicious SYN/ACK packets (1,072,519,399).
I received this exact figure from Verio when we contacted them after I recognized my second mistake: not capturing the non-BGP wave of the attack. I wanted to reconfigure my defensive systems so that, should we be hit by a denial of service attack again, I could collect data on the attack.
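As an added example of the kind of data collection described above (not the article's or Verio's code), this Python classifier tracks the SYNs a host sends and flags inbound SYN/ACKs that match no outstanding SYN as reflected traffic, grouping them by source port the way the port-179 filter did. The packet records, addresses and the port-to-service map are constructed assumptions.

```python
"""Classify inbound TCP SYN/ACKs as solicited (we sent the SYN) or reflected.

Added example, not code from the original article or from Verio. The packet
records, addresses and port-to-service names are constructed assumptions.
"""
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10
# Assumed service names for the reflector ports named on the page.
SERVICE_NAMES = {22: "ssh", 23: "telnet", 53: "dns", 80: "http", 179: "bgp",
                 4001: "proxy", 6668: "irc"}


def classify_synacks(packets, our_ip):
    """Return (solicited_count, reflected), where reflected maps source port -> Counter of reflector IPs.

    packets: iterable of dicts with src, sport, dst, dport and an integer flags bitmask.
    An inbound SYN/ACK is solicited only if we earlier sent a SYN to (src, sport) from its dport;
    every other SYN/ACK is a reply to a SYN somebody else sent with our address forged as its source.
    """
    pending = set()                    # (peer_ip, peer_port, our_port) for SYNs we sent
    solicited = 0
    reflected = defaultdict(Counter)
    for p in packets:
        is_syn, is_ack = bool(p["flags"] & SYN), bool(p["flags"] & ACK)
        if p["src"] == our_ip and is_syn and not is_ack:
            pending.add((p["dst"], p["dport"], p["sport"]))
        elif p["dst"] == our_ip and is_syn and is_ack:
            key = (p["src"], p["sport"], p["dport"])
            if key in pending:
                pending.discard(key)
                solicited += 1
            else:
                reflected[p["sport"]][p["src"]] += 1
    return solicited, reflected


def reflection_report(reflected, min_packets=3):
    """Rank reflector source ports by volume; each row is a candidate for a source-port filter.

    Only ports at or above min_packets are reported, so a stray SYN/ACK does not trigger a block.
    """
    rows = []
    for sport, by_src in reflected.items():
        total = sum(by_src.values())
        if total >= min_packets:
            rows.append({"sport": sport, "service": SERVICE_NAMES.get(sport, "unknown"),
                         "packets": total, "reflectors": len(by_src)})
    rows.sort(key=lambda r: r["packets"], reverse=True)
    return rows


def pkt(src, sport, dst, dport, flags):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}


OUR_IP = "203.0.113.5"   # constructed: the protected host's address


def sample_capture():
    """Constructed capture: one legitimate outbound web connection, then a reflected flood."""
    packets = [
        pkt(OUR_IP, 51000, "198.51.100.7", 80, SYN),              # we open a connection ...
        pkt("198.51.100.7", 80, OUR_IP, 51000, SYN | ACK),        # ... and this reply is solicited
    ]
    for i in range(1, 6):                                          # five BGP speakers reflecting
        packets.append(pkt(f"192.0.2.{i}", 179, OUR_IP, 40000 + i, SYN | ACK))
    for i in range(10, 14):                                        # four web servers reflecting
        packets.append(pkt(f"198.51.100.{i}", 80, OUR_IP, 41000 + i, SYN | ACK))
    packets.append(pkt("192.0.2.99", 22, OUR_IP, 42000, SYN | ACK))  # a lone SSH reflector
    return packets


def analyse_sample():
    solicited, reflected = classify_synacks(sample_capture(), OUR_IP)
    return solicited, reflection_report(reflected)


if __name__ == "__main__":
    count, report = analyse_sample()
    print(f"solicited SYN/ACKs: {count}")
    for row in report:
        print(row)
```

A stateful filter built on the same matching keeps the host's own outbound connections working while dropping the reflected replies, which a plain block on source port 80 or 53 could not do without also breaking the host's own web and DNS lookups.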

Reflections on the reflection attack

Judging from the evidence collected during the January 11 attack, and from the signs of similar attacks that followed, one or more groups of attackers have assembled, and continue to grow, what we will see below: a long list of high-bandwidth Internet servers together with their TCP port numbers. Among them are hundreds of routers speaking BGP (port 179) and many other servers listening for connections on common ports such as SSH, Telnet, DNS, HTTP and IRC.

Building and maintaining the reflection server list

Since almost any public Internet server can be made to act as a reflection server, a list of such servers is easily created, grown and maintained. For example, the common Internet traceroute command reports the IP address of every Internet router between the tracer and any remote address, even a nonexistent one. As we have seen, there is a good chance that any Internet router exposes a public BGP server, and that it has high-bandwidth connections. A simple script could be used to harvest an enormous number of Internet router IPs. Web hosting sites like yahoo.com are publicly known. Simple port scanning across high-bandwidth IP ranges would turn up thousands, if not millions, of public TCP servers. Any Internet search engine will return hundreds of thousands of potential web site domain names.
The resulting long list of reflection servers can be verified and kept current very easily and at little cost, using a single non-spoofed SYN packet: a SYN/ACK reply confirms the machine's presence and its unwitting readiness to participate in future reflection attacks.

Using the reflection server list

Many raw-socket-capable hosts (Unix, Linux, Windows 2000 and now Windows XP) could be used as launch pads for generating reflected SYN flood attacks. The number of SYN-generating hosts required to launch an attack would be determined by the total flood bandwidth needed to saturate the target machine or network.
Driven by a long list of working TCP reflection servers, each SYN-spoofing host sprays SYN packets across every reflection server on the list. Each spoofed SYN packet, aimed at a server's open TCP port, carries the forged source address of the victim's network.
Since the SYN-flooding machines spray their packets across an enormous number of intermediate reflection servers, each reflection server experiences only a low-level SYN flux rather than a high-level SYN flood.

Why should we worry?

Why would a reflection attack be preferred over having the powerful flooding hosts attack the victim directly?

Packet path diffusion

A great advantage for the attackers is the extreme degree of packet path diffusion that occurs when the attack traffic is bounced through a large number of intermediate TCP servers. The following diagram depicts the path of traffic between an attacker and a victim:

[Figure: the traffic path between attacker and victim]

T khi cc router Intetnet khng th gi li ng i ca cc gi trc y ,nhng gi rt
luit my ca nn nhn quay tr li vi my ca nhng k tn cng ,da vo tnh tin li ca
cc gi flood upstream-ngc dng thng thng t mt router tr ngc li mt router
trc

Path diffusion:

Even in a solid setup with heavy packet traffic, retracing the path of the packets is difficult, and the procedure is very time-consuming. So imagine what happens when a large number of packets belonging to reflection servers are present at every node of the system.

Here is what happens to the traffic path: introducing the innocent reflection servers fundamentally changes the nature of the attack. Leaving a single attacking machine, the spoofed SYN packets are immediately scattered outward. Instead of heading for the victim, the attack packets are sent to remote TCP servers which, as we know, sit at every point across the network. Only a few router hops beyond the attacker, the powerful stream is no longer intense on its way to those servers, because the packets bound for each server fan out side by side rather than following a single path.
At the terminating end the transformation is even more significant than at the start, because the individual streams now attack together. From a single attacking machine, the victim is subjected to hundreds, thousands, even millions of SYN/ACK floods. Although each stream, emitted separately, is harmless to the victim (only a little arrives from each individual reflection server), the convergence of packets coming from every corner of the Internet produces an attack that drowns the victim in a flood.

What can the victim do?

What can the victim do? Even though it would much rather not, the victim may find itself absorbing hundreds, thousands, even millions of attacks in which every SYN/ACK packet, sent individually, is legitimate; your network then has a great deal to worry about.

With a bit more cleverness on the attackers' part, a real danger emerges.

Reflector traversal

If the situation above were not bad enough, a little more cleverness on the part of the attackers can make things far worse. They can easily obtain a large inventory of reflection servers on fast network connections that are up and well run. Armed with a large, high-capacity reflector inventory, the flood of traffic can be kept flowing, calmly and continuously, against the victim's network while traversing subsets of the whole reflector inventory; at any moment only a small fraction of the whole inventory is in use.
Reflector traversal has the effect of continuously changing every attack path and, carried out and used to best effect, it never lessens the assault on the victim's network.
Because manual tracing works by recording the attack's path in reverse, following the individual small data streams that together make up the large flood, nothing is more frustrating than small streams that run, stop, and then start running again. In practice, with today's router technology, tracing them is all but impossible.

Reflection diffusion

Another important consequence of using a large reflection server inventory is reflection diffusion: with the attackers' SYN flood packets sprayed outward and spread across a large number of reflection servers, no single reflection server receives any real disturbance from the SYN packets. Since half-open connections are discarded within one to two minutes, the number of never-completing half-open TCP connections never grows very large. Because servers routinely see clients abandon connections, something that happens all the time between server and client, the low level of spoofed reflection packets almost certainly never raises an alarm at most servers. An attentive network operator might be surprised by the continuous accumulation of constantly changing half-open connections, but would most likely suspect that the server was somehow faulty.

Bandwidth multiplication

A clever and important feature of some TCP reflection attacks is that the reflection servers emit more SYN/ACK flood than the SYN traffic they receive. Because TCP automatically retransmits lost packets, the reflection servers generate more SYN/ACK flood outward than they receive from the SYN-generating hosts.
For every SYN packet received by a TCP reflection server, up to four SYN/ACK packets may be sent. This happens because the victim's congested router drops most of the incoming flood traffic. A reflection server that receives no reply to its SYN/ACK believes the packet was lost in transit and retransmits the SYN/ACK before finally giving up and discarding the connection.
This has the interesting side effect of spreading the attack's traffic out across the network over a wait of several minutes.

Enhanced controllability

Traditional DDoS attacks use a large network of attacking machines for two reasons: first to generate a large flood, and second to diffuse the sources of their attack. By comparison, the combination of bandwidth multiplication and the high degree of path diffusion provided by distributed reflection attacks significantly reduces the number of hosts needed to deliver a flood of the required bandwidth and to defeat path tracing. The result is that the network of compromised hosts is easier to assemble and maintain, and there is more opportunity in the matter of discovering the nature and origin of the attack.

Stealth

Another stealthy aspect of this attack is that it generates little backscatter traffic. Reflection attacks do not show up on the monitoring screens. Spoofing the SYN flood's source IP is one more form of IP-spoofing attack, but unlike traditional IP-spoofing attacks, which produce the distinctive signature of randomized source IPs, every IP address that appears in the guise of a reflection attack points to a real machine: each reflection server, or the target of the attack.
For all of these reasons, distributed reflection denial of service attacks are easy to create and to tune, and they are extremely compelling.

Further evidence

While I was writing this page, a post appeared on the bugtraq mailing list:

For the past few days I have been receiving something resembling a SYN flood attack on port 80 across all the IP addresses on my network. However, if it is a flood, it isn't a very strong one. An ordinary configuration can handle these streams without any problem, but the SYN packets keep arriving steadily. The source IP address stays the same for one to two minutes and then stops, after which another handful of IP addresses begin sending their own SYN streams, though occasionally more than one host sends traffic at the same time. The source addresses are spread across a variety of networks, but seem consistent with dial-up or simple connections.
It looks like an attempted denial of service attack, but why is it sprayed across so many destination IPs (many of which don't exist on the network)? And why flood so weakly, without anything actually being affected?

If you have followed this discussion you will recognise that this is exactly the puzzle a network administrator of reflection servers would face when his servers take part in a reflection attack. He misinterprets what he sees, because he does not fully understand that his server is being used as a reflection server. He sees a steady stream (not a flood) of SYN packets arriving from an unfamiliar IP address, which can suddenly change and reappear from another source IP. We know that this is the attack's target changing.
From the reflection server's perspective, the apparent sources of the SYN packets are the actual attack targets, to which his server has been sending SYN/ACK traffic, gently rather than at flood strength. His outbound bandwidth is almost certainly more than four times the inbound SYN traffic, which is explained by the fact that those connections sit in the SYN_RECVD state: they are waiting for a reply from the client (from which none can come) and retransmitting the SYN/ACK, carrying out a bandwidth multiplication attack.
As you see from the post above, I immediately replied on the list with my careful explanation of what he was seeing. Even before my reply had circulated on the mailing list, several other sharp-eyed network administrators had written in:

Yes, we can see something here too. It appears to have a very large effect when the attack is directed at a subnet with shared web servers, with many IPs bound to a few interfaces. It seems to try to use it as a reflection system to flood specific IP addresses.

We saw a similar situation a few days ago. It described an attack against an IRC server company. The source addresses were spoofed, and our public web address was used as a reflector.

Yes, we are seeing them here too. It is all very strange.

We started noticing them at the beginning of February, but checking back through the log files shows the earliest activity on 15 January. We noticed that they seemed to come from a limited range of IPs. Many of the addresses appeared to come from universities. After notifying some of them and getting responses from the service providers, they blocked these IP addresses and continued investigating the others.
We always see the same sequence number marking the start of the large packets. We found traffic with IP addresses from Korea sending over 1,000,000 packets over a one-hour period, meaning roughly 10,000 to 30,000 packets within an hour.
We always get reports that the packets carry source and destination port 23.
We call it the Stuttering SYN attack. Your concern is the first thing I was able to see, and I will fix it within a week.

Bear in mind that since this network administrator saw the reflected SYN attacks carrying traffic from a limited range of IPs, perhaps a dozen, many of which appeared to come from universities, those were in reality the targets of the reflection attack, to which his server was unwittingly contributing.

I have two web servers on two different networks and have received such traffic for 2-3 weeks. A few source IPs hit both hosts at overlapping times. It is low-rate traffic, and the generated ACK packets go back toward the destination. I opened my log files, read through the activity, and found some information (packets). I suspect that more than one computer has been set up as a reflection host for an indeterminate period.

In fact, two different servers at different places on the network both receiving SYN packets at the same time from a few spoofed source IPs tells us that computers in two different IP ranges were both on the reflection server inventory and were unwittingly drawn into some attack.
We have some evidence that the tools behind these attacks may have begun appearing in early November 2001. We cannot judge the scale of reflection attacks until network administrators begin looking for the telltale signs of low-intensity SYN floods on their servers.
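As an added example that is not part of the original article, the following Python script takes the reflection server's point of view described under "Bandwidth multiplication" and in the administrators' reports above: it parses a constructed packet log of one server and flags remote addresses whose SYNs arrive at a low, steady rate, never complete a handshake, and draw out more SYN/ACKs than SYNs came in. The log format, the addresses (198.51.100.10, 203.0.113.7, 192.0.2.5), the retransmission timing and the thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption, not from the article):
# "<seconds> <IN|OUT> <src> -> <dst> [<S|SA|A>]", as a packet filter on the server might log it.
LINE_RE = re.compile(r"^(\d+) (IN|OUT) (\S+) -> (\S+) \[(S|SA|A)\]$")
REFLECTOR = "198.51.100.10"  # this server's own address (constructed)

def build_sample_log():
    """Constructed sample: 203.0.113.7 (really the spoofed victim) 'sends' one SYN every
    3 s for 60 s and never ACKs, so each SYN/ACK is retransmitted three times (four in all);
    a genuine client 192.0.2.5 completes one normal handshake."""
    lines = []
    for t in range(0, 60, 3):
        lines.append(f"{t} IN 203.0.113.7 -> {REFLECTOR} [S]")
        for delay in (0, 1, 3, 7):  # initial SYN/ACK plus three backoff retransmissions
            lines.append(f"{t + delay} OUT {REFLECTOR} -> 203.0.113.7 [SA]")
    lines += [f"5 IN 192.0.2.5 -> {REFLECTOR} [S]",
              f"5 OUT {REFLECTOR} -> 192.0.2.5 [SA]",
              f"6 IN 192.0.2.5 -> {REFLECTOR} [A]"]
    return lines

def analyse(lines, max_syn_rate=1.0, min_span=30):
    """Per remote address count SYNs in, SYN/ACKs out and ACKs in, then flag the reflector-side
    signature of a DRDoS flood: a low SYN rate sustained for at least min_span seconds, no
    completed handshake, and more SYN/ACKs out than SYNs in. The flagged 'sources' are the
    attack's real victims, not its origin."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "ack": 0, "first": None, "last": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not in the assumed format
        t, direction, src, dst, flags = m.groups()
        t = int(t)
        peer = src if direction == "IN" else dst
        s = stats[peer]
        s[{"S": "syn", "SA": "synack", "A": "ack"}[flags]] += 1
        s["first"] = t if s["first"] is None else min(s["first"], t)
        s["last"] = max(s["last"], t)
    suspects = {}
    for peer, s in stats.items():
        span = s["last"] - s["first"]
        rate = s["syn"] / span if span else float(s["syn"])
        amplification = s["synack"] / s["syn"] if s["syn"] else 0.0
        if s["ack"] == 0 and span >= min_span and rate <= max_syn_rate and amplification > 1:
            suspects[peer] = {"amplification": amplification, "seconds": span, "syn_rate": rate}
    return suspects

if __name__ == "__main__":
    for peer, info in analyse(build_sample_log()).items():
        print(f"{peer}: likely DRDoS victim, SYN/ACK amplification x{info['amplification']:.1f}")
```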
