At 2:00 AM on January 11, 2002, GRC.com was knocked off the Internet by a distributed denial of service attack. Perhaps the most surprising aspect of this attack was that its source was plainly exposed: hundreds of the Internet's core routers, web servers belonging to yahoo.com, and even a machine whose IP address resolved to gary7.nsa.gov. We were apparently under a powerful attack by well-connected machines. We quickly worked out how to stop the attack and bring the site back on line. 1,072,519,399 packets had been blocked by the time the attack ended.

This page provides a brief tutorial on the operation of the network's TCP protocol, followed by an explanation of the traffic mechanics of denial of service (DoS), distributed denial of service (DDoS) and distributed reflection denial of service (DRDoS) attacks.
Bandwidth consumption

As was true of the January 11 attack, most distributed attacks are bandwidth consumption attacks, in which the combined Internet bandwidth of many machines is focused, or directed, upon one or a few machines. Although the individual Internet packets of such an attack may be completely harmless, a flood of them can saturate the victim's network connection or exhaust the machine's processing resources. As a result, legitimate traffic cannot compete with the malicious flood, and legitimate users are denied service. For an in-depth discussion of bandwidth consumption DDoS attacks, please see our earlier page on the many DDoS attacks directed at us by a clever 13-year-old malcontent. Since companies large and small have begun to suffer serious disruption, and even face bankruptcy, as a result of malicious packet floods, an accurate understanding of the attack methods in use is essential to devising effective countermeasures. Before we can learn about and understand distributed reflection attacks, we need to understand how TCP, the connection-oriented protocol that machines on the Internet use to talk to each other, actually works.
TCP connections 101
I remember, years ago, before the Internet, when the exchange of data between two computers only happened on a local network. I was as much a hardware engineer as a software guy, and I recall thinking: "connection? How can two computers connect to each other across a wide area network (beyond the local network)?" Then I learned that two computers can address and send data packets to each other and, through a negotiation, agree to establish a "virtual TCP connection".

Individual TCP packets carry flag bits that describe the content and purpose of each packet. For example, a packet with the SYN flag set initiates a connection from the sender to the receiver. A packet with the ACK flag set acknowledges information received from the other end. A packet with the FIN flag set closes the connection from the sender to the receiver.

Establishing a typical TCP connection requires the exchange of three packets between the two machines, in an exchange known as the TCP three-way handshake. Here is a diagram:
1. SYN: A TCP client (such as a web browser, ftp client, etc.) initiates a connection with a TCP server by sending a SYN packet to the server. As the diagram above shows, the SYN is typically sent from a client port numbered between 1024 and 65535 to a server port numbered 1 through 1023. The client program running on the client machine registers with the client's operating system for a port to use for its connection to the server; port numbers in that range are known as client or "ephemeral" ports. Similarly, the server program running on the server machine registers with its operating system for the privilege of listening for incoming traffic on a particular port number; these well-known port numbers are the service ports. For example, a typical web server listens for packets arriving at its machine's port 80, and web browser clients normally send their packets to the server's port 80. Note that, in addition to the source and destination ports, every packet also carries the IP address of the sending machine and the IP address of the destination machine to which routers forward it.

2. SYN/ACK: When a SYN packet requesting a connection arrives at an open TCP service port, the server replies with a connection-accepting SYN/ACK packet. Although a TCP connection is bidirectional, each direction of the connection is established and managed independently. For this reason, the TCP server's response to the client's SYN request both acknowledges the client's SYN and sends its own SYN to open the connection in the reverse direction. The two messages are combined into a single SYN/ACK reply. The SYN/ACK is addressed to the sender of the SYN by swapping the source and destination IP addresses (and the source and destination ports) found in the SYN and placing them in the SYN/ACK reply. This aims the SYN/ACK at whatever IP address the SYN claimed as its source, which is exactly what we want. Note that, while the client's packet was sent to the server's service port 80, as discussed above, the server's reply comes back from that same service port. In the exchange that follows, the sender and receiver addresses and ports are simply swapped in each returning packet.
The client's receipt of the server's SYN/ACK confirms the server's acceptance of the client's connection. It also confirms to the client that a round-trip path exists between client and server. If the server cannot or will not accept the client's TCP connection, it replies instead with an RST/ACK packet, or an ICMP Port Unreachable packet, informing the client that its connection request has been refused.

3. ACK: When the client receives the server's SYN/ACK for its pending connection, it replies with an ACK packet. The client acknowledges receipt of the SYN half of the server's reply by sending an ACK back to the server. At this point, from the client's point of view, a two-way TCP connection exists between client and server and data can flow freely in both directions between the two TCP endpoints.

The server's receipt of the client's acknowledging ACK confirms to the server that its SYN/ACK made it back to the client. At this point the server also considers a two-way TCP connection established between client and server, and data can flow freely in both directions between the two endpoints.

TCP abuse: the traditional SYN flood

Several years ago a weakness in the TCP connection handling of many systems was discovered and exploited by malicious hackers. As shown in the TCP diagram above, a server's receipt of a client's SYN packet causes it to prepare for a connection. It typically allocates memory buffers for sending and receiving the connection's data, and it records the various details of the client's connection, including the client's IP address and port number. In this way the server is prepared to accept the client's final, connection-completing ACK packet. Also, if the client's ACK should be lost in transit, the server will be able to resend its SYN/ACK, presuming that it was lost or destroyed somewhere along the way. Think about that for a moment: it means that memory and other significant resources are committed as a result of a single received packet. Clever malicious hackers reasoned that there must be a limit to the number of "half-open" connections a TCP server can manage.

Since raw sockets allow the return (source IP) address of a packet to be written arbitrarily and falsified, a SYN packet carrying a forged source IP arrives at the server looking like a perfectly legitimate connection request. The server allocates the needed memory buffers, records the new connection's details and sends a SYN/ACK reply toward the "client". But since the source IP in the SYN was deliberately forged, the SYN/ACK is sent to some random IP address on the Internet. If a valid machine happens to live at that address, it may reply with an RST packet to tell the server that it never asked for a connection. But with over four billion Internet addresses, often no machine will be at that address and the packet will simply be discarded.

The problem is that the server has no way of knowing that the client's apparently perfect connection request is a fraud (a spoof). So it must treat it like any other pending, legitimate connection: it must wait for some period of time for the client to complete the three-way handshake. If no ACK arrives, the server must resend its SYN/ACK, assuming it might have been lost on its way back to the client. As you can imagine, all of this connection management consumes a good deal of the server's limited resources. During an attack, the TCP "client" keeps blasting forged SYN packets at the server, forcing it to accumulate an ever-growing pool of incomplete connections. At some point the server can no longer accommodate any more half-open connections, and legitimate connections are refused, because the server's ability to accept any connection at all has been maliciously destroyed.
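To make the resource-exhaustion mechanics concrete, here is an added example (written for this page, not GRC's code) that models a listener's half-open queue: a fixed-size backlog, a SYN/ACK retransmission timer, a RST/ACK for a closed port, and what a legitimate client sees while the queue is full of forged SYNs. The backlog size, timer and retry count are assumptions, not any particular stack's values; the addresses are from the RFC 5737 documentation ranges.

```python
"""Discrete-time model of a TCP listener's half-open (SYN_RECVD) queue under a
spoofed-source SYN flood. Added illustration written for this page, not code
from GRC; the queue size and timers are assumptions, not a real stack's values."""
from dataclasses import dataclass, field

BACKLOG = 128           # assumed: half-open entries the listener can hold
RETRY_INTERVAL = 3      # assumed: seconds between SYN/ACK retransmissions
SYNACK_RETRIES = 3      # assumed: retransmissions before the entry is abandoned


@dataclass
class HalfOpen:
    next_retry: int
    retries_left: int = SYNACK_RETRIES


@dataclass
class Listener:
    port: int
    backlog: int = BACKLOG
    now: int = 0
    half_open: dict = field(default_factory=dict)   # (ip, port) -> HalfOpen
    established: set = field(default_factory=set)
    sent: list = field(default_factory=list)        # (dst_ip, dst_port, flags)
    dropped_syns: int = 0

    def on_packet(self, src_ip, src_port, dst_port, flags):
        """Handle one inbound segment; the server's reply, if any, goes to `sent`."""
        if dst_port != self.port:                   # nothing listening: refuse with RST/ACK
            self.sent.append((src_ip, src_port, "RST/ACK"))
            return
        key = (src_ip, src_port)
        if flags == "SYN":
            if len(self.half_open) >= self.backlog: # queue full: the SYN is silently dropped
                self.dropped_syns += 1
                return
            # allocate state for the claimed peer and answer with SYN/ACK
            self.half_open[key] = HalfOpen(next_retry=self.now + RETRY_INTERVAL)
            self.sent.append((src_ip, src_port, "SYN/ACK"))
        elif flags == "ACK" and key in self.half_open:
            del self.half_open[key]                 # handshake complete
            self.established.add(key)

    def tick(self):
        """Advance one second: retransmit unanswered SYN/ACKs, expire exhausted entries."""
        self.now += 1
        for key, entry in list(self.half_open.items()):
            if entry.next_retry != self.now:
                continue
            if entry.retries_left == 0:
                del self.half_open[key]             # give up; the memory is finally released
            else:
                entry.retries_left -= 1
                entry.next_retry = self.now + RETRY_INTERVAL
                self.sent.append((key[0], key[1], "SYN/ACK"))


def client_connect(listener, ip, port):
    """A well-behaved client: SYN, wait for SYN/ACK, then ACK. True if established."""
    listener.on_packet(ip, port, listener.port, "SYN")
    if (ip, port) not in listener.half_open:        # no SYN/ACK came back: SYN was dropped
        return False
    listener.on_packet(ip, port, listener.port, "ACK")
    return (ip, port) in listener.established


def run_syn_flood(flood_size=200):
    srv = Listener(port=80)
    result = {"legit_before": client_connect(srv, "198.51.100.7", 40000)}
    # attacker sprays SYNs whose source addresses are forged (documentation range)
    spoofed = [(f"192.0.2.{i % 254 + 1}", 1024 + i) for i in range(flood_size)]
    for ip, port in spoofed:
        srv.on_packet(ip, port, 80, "SYN")
    result["flood_syns_dropped"] = srv.dropped_syns
    result["half_open_during"] = len(srv.half_open)
    srv.tick()
    result["legit_during"] = client_connect(srv, "198.51.100.8", 40001)
    while srv.half_open:            # forged sources never answer; server retries, then times out
        srv.tick()
    result["seconds_until_recovery"] = srv.now
    result["legit_after"] = client_connect(srv, "198.51.100.9", 40002)
    spoofed_set = set(spoofed)
    synacks_to_forged = sum(1 for ip, port, f in srv.sent
                            if f == "SYN/ACK" and (ip, port) in spoofed_set)
    accepted = flood_size - result["flood_syns_dropped"]
    result["synacks_per_accepted_spoofed_syn"] = synacks_to_forged / accepted
    srv.on_packet("198.51.100.9", 40003, 81, "SYN")   # SYN to a closed port
    result["closed_port_reply"] = srv.sent[-1][2]
    return result


if __name__ == "__main__":
    for k, v in run_syn_flood().items():
        print(f"{k}: {v}")
```

With the assumed numbers, 200 forged SYNs fill the 128-entry queue in an instant, a real client arriving a second later is dropped without any reply, each accepted forgery costs the server four SYN/ACK transmissions, and service only returns after the last retry times out.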
Not a bandwidth consumption attack
Before systems were hardened to mitigate the effects of SYN flooding, even a single malicious computer on a slow dial-up connection could fill and wreck the connection queue of a high-performance Internet server. Although some progress has been made in defending against malicious SYN spoofing, no completely effective solution has been found. It is important to understand that the easily waged source-IP-spoofing SYN attack is not a bandwidth consumption attack; it exploits a fundamental weakness of most systems' TCP/IP implementations. Note also that this denial of service is not distributed: it is a DoS attack, not some form of DDoS. A single malicious SYN-generating machine, hidden somewhere on the Internet and deliberately concealed behind its spoofed-source SYN packets, could reach out and take down a large web site.

Solving the spoofing problem
System vendors responded to the spoofed SYN attacks by strengthening their TCP protocol stacks in various ways. Most of these upgrades made systems less vulnerable, but none of them eliminated the problem.
The evolution of bandwidth attacks
As the sophistication and experience of malicious hackers grew, and as a large inventory of insecure and readily compromised Internet-connected machines became available, bandwidth consumption distributed denial of service (DDoS) attacks became commonplace. As I discovered and documented in May 2001, powerful, remotely controlled Internet attack tools have become child's play to use. They are deployed to overwhelm the defenses of targeted machines.
What happens during a bandwidth attack
Unlike the DoS-style attack, in which a low rate of spoofed SYN packets is enough to cripple the server's connection resources, a bandwidth attack generates a devastating flood of malicious, meaningless traffic that swamps the server or its network connection. The flood of malicious packets competes with, and crowds out, all legitimate network traffic, so that intact legitimate packets have very little chance of surviving the flood. The network's servers are effectively knocked off the net, and their users are denied service.
The diagram above helps us picture the consequence of a bandwidth attack. Here a router sits at the "customer edge" of a network service provider; the provider collects and distributes traffic for a number of smaller customer networks. In this way many lower-bandwidth connections are aggregated into a single higher-bandwidth link. During normal operation, traffic arriving from the "big pipe" is sorted and forwarded to the lower-bandwidth sub-networks behind the various routers.
DoS versus DDoS
DoS: the traditional style of attack uses a single machine with a good connection to attack another machine, as shown in the following diagram:
As the attack diagram above shows, if the attacking machine has a faster Internet connection than the victim, it can succeed in flooding the victim's network bandwidth. In this way an attacking machine with a good, steady connection can flood even well-connected machines and knock them off the net. DDoS is a far more powerful form of bandwidth flooding, created by focusing the bandwidth of many machines onto a single target machine or network.
The diagram above shows the architecture commonly used in distributed denial of service attacks. A network of compromised machines, each running a remotely controlled "Zombie" attack program, is controlled and coordinated by a central "Zombie master". When the Zombie network receives its instructions from the master, each individual Zombie begins generating a flood of malicious traffic aimed at the target, a single victim machine or network. This is the organization used by many popular distributed attack tools, including the Windows "Evilbot" hosts controlled by the 13-year-old malcontent who first attacked grc.com during May 2001. The Evilgoat Evilbots used a public IRC server as the place where they gathered and took their attack orders. The Zombie master logged into an IRC chat room and issued the attack plan and timing.

Combining distributed Zombie traffic
The individual streams of traffic crossing the network from many separate sources are merged by the network's routers into one massive flood.
When the flood reaches the network service provider's aggregation router, most of the traffic is rejected (discarded), because the router has no accurate way to tell the useless traffic from the legitimate; to the router all packets look alike. The legitimate traffic is discarded along with the flood, and the network is effectively knocked off the Internet.

As if the problems described above weren't bad enough, things are now about to get a lot worse.
Distributed reflection: the next evolution of DDoS attacks
At 2:00 AM on January 11, 2002, grc.com was knocked off the net by a new and frightening flood attack. This was an advanced attack, a new form of DDoS that can be called a Distributed Reflection Denial of Service, or DRDoS, attack.
Examining the flood
I happened to be awake and working at 2:00 AM when the attack began, so I was able to start capturing some of the flood right away. Verio's aggregation router was passing what it could through our two T1 trunks. Our web server's outbound traffic dropped to zero, because no reply from the server to the network could compete with the inbound flood; nothing was being answered. We were off the air.

In the past we had been hit by Evilbots with UDP and ICMP floods. Those are easy to generate from the controller's compromised Windows "Zombie" machines. We had also been annoyed by plenty of spoofed-source-IP SYN floods. So I was surprised when the attack packets we captured told me we were being flooded with SYN/ACK packets. Of course, that by itself doesn't mean much. As we saw earlier on this page, a SYN/ACK packet is just a SYN packet with the ACK flag bit also set, and, for good or ill, an attacker can set any combination of TCP flag bits he pleases. The surprise came when I looked closely at the source IPs of the flood packets.
It appeared we were being flooded by Verio, Qwest and Above.net, and because the packets had one distinctive characteristic we could recognize them: every one of them appeared to be a reply, a SYN/ACK, from TCP source port 179. In other words, just as web server packets return from port 80, these packets were returning from the BGP port, 179. BGP, the Border Gateway Protocol, is supported by the Internet's core routers. Routers use BGP to talk to neighboring routers, updating their routing tables and announcing to one another which IP ranges each router can forward to. The details of BGP are not important. What matters is that nearly all of the Internet's fast (high-bandwidth) core routers will accept TCP connections on port 179. A SYN packet arriving at port 179 of an Internet router is answered with a SYN/ACK.
There was little chance, nor any obvious way, that hundreds of routers had been compromised or taken over by some Zombie component. It was clear to me that they were simply normal, innocent TCP servers doing exactly what they were designed to do. They were sending SYN/ACK packets to grc.com in the belief that we wanted to open a TCP connection to their built-in BGP servers. In other words, malicious hackers somewhere else on the Internet were SYN-flooding the Internet's routers with TCP connection-request SYN packets. Those SYN packets carried forged source IPs belonging to grc.com. So the routers believed the SYNs had originated from us and responded by returning SYN/ACK packets, the second stage of the standard TCP three-way handshake. The malicious SYN packets were being reflected off innocent TCP servers, and the reflected SYN/ACKs were flooding and consuming our bandwidth.

A new kind of attack
It was fascinating, from an academic standpoint, that grc.com was being knocked off by hundreds of Internet routers, with perfectly legitimate packets being turned to malicious use. My first priority was to get us back on the net. I didn't know why we were the target of this attack. Perhaps it was an occasion to test a new attack method...
"Hey, let's blast Gibson off the net and see what he does to us."
As we will see below, there are indications that after the initial attack on us, one or more attack tools of this kind came into regular use; this is one reason malicious hackers prefer distributed reflection to the traditional distributed flooding technique. I didn't want to bother Verio, our service provider, if the attack was about to end on its own, so I watched it and waited for two hours. At 4:00 AM the attack still showed no sign of weakening. Dawn comes early on the eastern side of the US, so I called Verio's 24/7 network operations center. I summarized the problem and convinced the operations center that we were under attack and needed help immediately. I was glad when a sleepy security engineer called me back less than two hours after I had reported the problem to Verio.

Locking out the reflection attack
The good news was that the attack looked relatively easy to block. Since we are not our own service provider, we have no need to accept remote BGP connections to a router of our own. So we asked Verio to block all inbound traffic from the BGP service port, 179. Because the hackers' malicious SYN packets were aimed at the routers' port 179, every one of the reflected packets would originate from that port. Verio's engineer added a filter to the aggregation router that handles our Internet connection, blocking packets destined for us from port 179. The flood of packets from port 179 stopped immediately.
But we still weren't back on the net
A newly captured packet revealed that we were being actively attacked by an entirely different set of servers. This second, aggregated traffic flow appeared only after the routers' port 179 traffic had been blocked; it looked like a second wave of reflected traffic that had been unable to compete with the router flood. With the router traffic blocked, we were now being flooded by a cascade of SYN/ACK packets from ports 22 (secure shell), 23 (telnet), 53 (DNS) and 80 (http/web), along with a few packets from port 4001 (a proxy server port) and 6668 (IRC chat). I was so surprised when the second flood suddenly appeared that I neglected to capture, save intact and properly sample the non-BGP flood traffic. My log files did, however, catch a handful of the non-BGP SYN/ACKs, so I have some record of it.
A small sampling of the web servers that were flooding us with SYN/ACKs from their http (web) port 80:
The incomplete port 80 SYN/ACK flood list above holds a few points of interest. The servers were not chosen at random. Their appearance suggests that the malicious hackers deliberately and carefully chose IP addresses they expected to be fast, well-connected web servers for use in the reflection attack. Seven web servers belonging to yahoo.com were put to use, as was gary7.nsa.gov. This large additional contingent of SYN/ACK flooders, using Internet servers rather than Internet routers, showed that the malicious hackers understood TCP connection handling very well: any Internet server that accepts TCP connections can be used as a packet reflection server. We would therefore have to do more than simply block packets arriving from BGP port 179. I describe the more effective measure that resolved the remainder of this attack in the discussion below, after an analysis of how such attacks can unfold and the consequences they carry.

Once we had filtering for the reflection attack in place we immediately brought ourselves (the web site) back onto the Internet, although that meant I could no longer observe what was happening at the tail end of the attack behind our filter. What chilled me was the note that, by the time the attack ended, Verio's router had discarded more than one billion (1,072,519,399) malicious SYN/ACK packets. I received this exact count from Verio when we contacted them after I realized my second mistake, failing to capture the non-BGP, dawn phase of the attack. I have since wanted to reconfigure our defenses so that, should we be subjected to a denial of service attack again, I will be able to collect the attack data.
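What "more than simply blocking port 179" looks like in practice is a stateful check: an inbound SYN/ACK is legitimate only if this host sent the SYN it answers. The added example below (written for this page; it is not GRC's or Verio's actual filter) runs that check over a constructed tcpdump-style capture, tallies the unsolicited SYN/ACKs by reflector source port, and lists the ports a stateless edge filter would have to block. Our address block 203.0.113.0/24 and all other addresses are RFC 5737 documentation addresses chosen for the example.

```python
"""Stateful classification of inbound SYN/ACKs at the victim: a SYN/ACK is
legitimate only if this host sent the SYN it answers. Added example for this
page (not GRC's or Verio's filter); log lines are constructed, addresses are
RFC 5737 documentation ranges with 203.0.113.0/24 standing in for our block."""
import re
from collections import Counter

LOCAL_PREFIX = "203.0.113."      # assumed: our own address block

# tcpdump-style capture (constructed): one real outbound web connection, then
# SYN/ACKs nobody here asked for (reflected), one of them a retransmission.
SAMPLE_LOG = """\
1010728800.001 IP 203.0.113.10.3301 > 198.51.100.20.80: Flags [S]
1010728800.052 IP 198.51.100.20.80 > 203.0.113.10.3301: Flags [S.]
1010728800.053 IP 203.0.113.10.3301 > 198.51.100.20.80: Flags [.]
1010728800.100 IP 192.0.2.1.179 > 203.0.113.10.2049: Flags [S.]
1010728800.101 IP 192.0.2.2.179 > 203.0.113.10.2050: Flags [S.]
1010728800.102 IP 192.0.2.3.179 > 203.0.113.10.2051: Flags [S.]
1010728800.103 IP 192.0.2.77.22 > 203.0.113.10.2052: Flags [S.]
1010728800.104 IP 192.0.2.78.53 > 203.0.113.10.2053: Flags [S.]
1010728800.105 IP 192.0.2.79.80 > 203.0.113.10.2054: Flags [S.]
1010728800.106 IP 192.0.2.80.6668 > 203.0.113.10.2055: Flags [S.]
1010728800.107 IP 198.51.100.20.80 > 203.0.113.10.2056: Flags [S.]
1010728803.100 IP 192.0.2.1.179 > 203.0.113.10.2049: Flags [S.]
"""

LINE = re.compile(r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
                  r"(\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[([^\]]*)\]")


def parse(line):
    """One tcpdump line -> dict, or None for lines that are not TCP records."""
    m = LINE.match(line)
    if not m:
        return None
    ts, sip, sport, dip, dport, flags = m.groups()
    return {"ts": float(ts), "src": (sip, int(sport)),
            "dst": (dip, int(dport)), "flags": flags}


def classify(log, local_prefix=LOCAL_PREFIX):
    """Remember the SYNs we send; an inbound SYN/ACK with no matching SYN is reflected."""
    pending = set()                  # (local endpoint, remote endpoint) pairs we opened
    report = {"solicited": 0, "unsolicited": 0,
              "by_src_port": Counter(), "reflectors": set()}
    for line in log.splitlines():
        p = parse(line)
        if p is None:
            continue
        if p["flags"] == "S" and p["src"][0].startswith(local_prefix):
            pending.add((p["src"], p["dst"]))          # we initiated: a SYN/ACK is expected
        elif p["flags"] == "S." and p["dst"][0].startswith(local_prefix):
            if (p["dst"], p["src"]) in pending:
                report["solicited"] += 1
            else:                                        # nobody here sent that SYN
                report["unsolicited"] += 1
                report["by_src_port"][p["src"][1]] += 1
                report["reflectors"].add(p["src"][0])
    return report


def edge_filter_candidates(report, min_hits=2):
    """Source ports a stateless edge router could block (as Verio did for 179).
    Caveat: blocking SYN/ACKs from port 80 also breaks our own outbound web
    fetches, which is why the stateful check in classify() is the real fix."""
    return sorted(port for port, n in report["by_src_port"].items() if n >= min_hits)


if __name__ == "__main__":
    r = classify(SAMPLE_LOG)
    print(r["solicited"], "solicited,", r["unsolicited"], "unsolicited SYN/ACKs")
    print("by reflector source port:", dict(r["by_src_port"]))
    print("edge filter candidates:", edge_filter_candidates(r))
```

On the sample, the one SYN/ACK from 198.51.100.20 that answers our SYN is accepted, the nine others are flagged as reflected, and the port tally shows the trap of a port-based ACL: port 80 qualifies alongside 179, and a filter on it would also discard the replies to our own web requests.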
Reflecting on the reflection attack
From the evidence gathered during the January 11 attack, and from other signs of attackers who followed, whether one group or several (and their number is growing, as we will see below), the attackers hold a long list of high-bandwidth Internet servers together with their TCP port numbers. It includes hundreds of different routers speaking BGP (port 179) and many other servers listening for connections on common ports such as SSH, Telnet, DNS, HTTP and IRC.
Building and maintaining a reflection server list
Since any public Internet server can serve as a reflection server, a list of them is easy to create, grow and maintain. For example, the common Internet traceroute command reveals the IP address of every Internet router between the tracer and any remote address, even a nonexistent one. As we have seen, an Internet router stands a very good chance of exposing a public BGP server, and it will have a high-bandwidth connection. A simple script could collect the IP addresses of an enormous number of Internet routers. Web hosting providers such as yahoo.com are publicly known. Port scanning through high-bandwidth IP ranges would collect thousands, if not millions, of public TCP servers. Any Internet search engine will turn up hundreds of thousands of potential web site domain names. The resulting long list of reflection servers can be verified and maintained at leisure, with no spoofing at all, by sending each server a plain SYN: a SYN/ACK reply confirms that the machine is present and ready to participate, unwittingly, in future reflection attacks.
Using the reflection server list
Any raw-socket-capable host (Unix, Linux, Windows 2000 and now Windows XP) can be used as a launch pad for generating reflected SYN flood attacks. The number of SYN-generating hosts needed to mount an attack is determined by the total flood bandwidth required to saturate the targeted machine or network. Driven from a long list of valid TCP reflection servers, each SYN-spoofing host "sprays" SYN packets across every reflection server on the list. Each spoofed SYN is aimed at an open TCP port on a server and carries a forged source address belonging to the victim network under attack. Because the SYN-flooding machines spray their packets across a huge number of intermediate reflection servers, each reflection server experiences only a low rate of SYN "flux" rather than a high-rate SYN flood.
Why should we worry?
Why would a reflection attack be preferred over having the flooding hosts attack the victim's network directly and forcefully?
Packet path diffusion
A big win for the attackers is the extreme degree of "packet path diffusion" that results when the attack traffic passes through a large number of intermediate TCP servers. The diagram below shows the path of the traffic between attacker and victim:
Since Internet routers keep no record of the packets they have previously forwarded, tracing the packets back from the victim's machine toward the attacker's relies on the practical ease of following a flood upstream, from one router back to the router before it.
Path diffusion:
With a solid, strong stream of packets, the path can be traced back, though the procedure is difficult and time-consuming. Now imagine what happens when a large number of packets from reflection servers located everywhere across the system is involved.
The diagram above shows how the traffic paths change: inserting innocent reflection servers fundamentally alters the nature of the attack. Rather than a single attacking machine's stream, the malicious SYN packets are dispersed immediately. Without ever touching the victim, the attack packets are sent off to distant TCP servers, which, as we know, can be located anywhere on the net. Only a few router hops out from the attacker, the powerful stream has already thinned, because it is spread toward servers in many different directions rather than following a single path. At the far end the picture is the opposite of the beginning, where a single stream was launched: from each attacking machine, the victim now receives hundreds, thousands, even millions of separate SYN/ACK floods. Although each individual stream is harmless to the victim (only a trickle comes from any single reflection server), the convergence of packets arriving from all over the Internet creates an attack that drowns the victim in the flood.
What can the victim do?
What can the victim do? Nobody wants to be on the receiving end of hundreds, thousands, even millions of attacks, even when each individual SYN/ACK packet is, by itself, legitimate; but you might think your network would at least have a fighting chance. With a bit more cleverness on the attackers' part, it becomes a real danger.

Rotating reflector usage
If the situation above were not bad enough, a little more cleverness on the part of the attackers can make it much worse. They can easily assemble a long inventory of well-connected reflection servers that are up and answering. Armed with a large inventory of high-capacity reflection servers, they can calmly run the entire flood that is focused on the victim's network through only a subset of the whole reflection-server inventory at any one time; at any moment only a fraction of the total inventory is in use. Rotating reflector usage has the effect of continuously changing all of the attack paths while making optimal use of them, and the attack on the network never lets up. Given the manual nature of tracing an attack back, following the individual small trickles of traffic that make up a large flood is nearly impossible, and nothing is harder to follow than small streams that run, stop and then start again. In practice, with today's router technology, it simply cannot be done.
Reflection diffusion
Another important consequence of using a large reflection-server inventory is "reflection diffusion". With the attackers' SYN flood packets sprayed out and spread across a great many reflection servers, no single reflection server receives a troublesome number of SYN packets. Since half-open connections are abandoned within a minute or two, the number of these never-completed, half-open TCP connections never grows very large. And because servers routinely see clients abandon connections (it happens all the time between servers and clients), a low level of malicious reflection traffic will almost certainly never raise an alarm on most servers. An attentive network administrator might be puzzled by a continuous collection of ever-changing half-open connections, but would have no reason to suspect that the server was being misused in any way.
Bandwidth multiplication
A clever and important feature of the TCP reflection attack is that the reflection servers emit more SYN/ACK traffic than the SYN traffic they take in. Because TCP automatically retransmits packets it believes were lost, the reflection servers generate more SYN/ACK flood than they receive from the SYN-generating hosts. For every SYN packet received by a TCP reflection server, up to four SYN/ACK packets will be sent. This happens because the victim's aggregation router discards most of the incoming flood, so a reflection server that gets no response to its SYN/ACK believes the packet was lost along the way and resends the SYN/ACK several times before finally giving up and abandoning the connection. It is an interesting side effect of an attack that is, by design, spread thinly across the net and in which each reflector is kept waiting for a few minutes.
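The following added example (written for this page, not GRC's code) models the spraying described under "Using the reflection server list" together with the two effects just discussed, reflection diffusion and bandwidth multiplication: forged SYNs are spread round-robin across an assumed reflector inventory, and every reflector answers the forged source with a SYN/ACK and retransmits it while waiting for an ACK that never comes. The retransmission offsets, the 60-second hold time, the attacker's rate and the reflector addresses (RFC 5737 documentation range) are all assumptions chosen for the illustration.

```python
"""Model of the reflection mechanics described above: spoofed SYNs sprayed
round-robin across a reflector inventory, each reflector answering the forged
source with a SYN/ACK and retransmitting it because the victim never completes
the handshake. Added illustration for this page, not GRC's code; the
retransmission schedule and hold time are assumptions, not measured values."""
from collections import Counter, defaultdict

SYNACK_OFFSETS = (0, 3, 6, 12)   # assumed: initial SYN/ACK plus three retransmissions (seconds)
ABANDON_AFTER = 60               # assumed: seconds a reflector keeps the half-open entry


def reflector_list(n):
    """Constructed inventory: n listeners on ports the page reports seeing."""
    ports = (179, 22, 23, 53, 80)
    return [f"192.0.2.{i % 254 + 1}:{ports[i % len(ports)]}" for i in range(n)]


def simulate(reflectors, syn_pps, duration):
    """Attacker emits syn_pps forged SYNs per second for `duration` seconds,
    spread evenly over `reflectors`. Returns what the victim and reflectors see."""
    synack_at = Counter()            # second -> SYN/ACKs arriving at the victim
    arrivals = defaultdict(list)     # reflector -> seconds at which it received a SYN
    syns_sent = 0
    for t in range(duration):
        for _ in range(syn_pps):
            target = reflectors[syns_sent % len(reflectors)]
            syns_sent += 1
            arrivals[target].append(t)
            for off in SYNACK_OFFSETS:      # reply, then retransmit the unanswered SYN/ACK
                synack_at[t + off] += 1
    # largest number of simultaneous SYN_RECVD entries on any single reflector
    peak_half_open = 0
    for times in arrivals.values():         # arrival times are already ascending
        oldest = 0
        for i, t in enumerate(times):
            while times[oldest] <= t - ABANDON_AFTER:   # expired entries fall out of the window
                oldest += 1
            peak_half_open = max(peak_half_open, i - oldest + 1)
    total_synack = sum(synack_at.values())
    return {
        "syns_sent": syns_sent,
        "synacks_to_victim": total_synack,
        "amplification": total_synack / syns_sent,
        "peak_victim_pps": max(synack_at.values()),
        "peak_half_open_per_reflector": peak_half_open,
        "reflectors_used": len(arrivals),
    }


if __name__ == "__main__":
    stats = simulate(reflector_list(1000), syn_pps=500, duration=90)
    for k, v in stats.items():
        print(f"{k}: {v}")
```

With the assumed numbers, a single host sending 500 forged SYNs per second produces 2,000 SYN/ACKs per second at the victim (the 4x multiplication), while each of the thousand reflectors receives one SYN every two seconds and never holds more than a few dozen half-open entries, the level an administrator would mistake for ordinary client abandonment.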
Fewer attacking hosts needed
Traditional DDoS attacks use a large network of attacking machines for two reasons: first to generate a large enough flood, and second to diffuse the sources of the attack. For a given target, the combination of bandwidth multiplication and the high degree of path diffusion provided by distributed reflection significantly reduces the number of hosts required to deliver the needed bandwidth flood and to defeat any attempt to trace the paths back. As a result, the network of compromised attacking hosts is easier to assemble and maintain, and there is even less chance of discovering the nature and origin of the attack.
Stealth
The stealthy character of this attack comes from the fact that it generates very little "backscatter" traffic. Reflection attacks do not show up on monitoring screens the way spoofed-source SYN floods and other forms of IP spoofing attacks do. Unlike traditional IP spoofing attacks, which create a characteristic scatter of random source IPs, the many IPs appearing in the seemingly separate streams of a reflection attack all point at real machines: each is a reflection server, or a point of attack. For all these reasons, distributed reflection denial of service attacks are easy to create and maintain, and they are extremely compelling to an attacker.
Additional evidence
While I was writing this page, a post appeared on the Bugtraq mailing list:

"For the past few days I have been receiving something resembling a SYN flood on port 80 across all the IP addresses on my network. If it is a flood, though, it is not a very strong one. A normally configured system can handle the stream without any trouble, but the SYN packets arrive at a steady rate. The source IP address stays the same for one to two minutes and then stops; after a while another IP address starts sending its own stream of SYNs, although occasionally more than one host is sending traffic at the same time. The source addresses come from a variety of networks but look like dial-up or similar connections. It looks like an attempted denial of service attack, but why would it be spread across so many destination IPs (many of which don't even exist on my network)? And why flood so weakly, with nothing that has any real effect?"

If you have followed the discussion on this page, you will recognize this as exactly the picture a good network administrator of a reflection server would see when his servers were participating in a reflection attack. He has misread his evidence a little, because he does not have the thorough understanding that his server is being used as a reflection server. He sees a continuous stream (not a flood) of SYN packets arriving from a few strange IPs, which suddenly change and reappear from other source IPs; we know this is the attacker switching targets. From the reflection server's perspective, the apparent sources of the SYN packets are in fact the real targets of the attack, to which his server has been sending a steady but not flood-strength stream of SYN/ACK packets. His outbound bandwidth was almost certainly more than four times the inbound SYN traffic since, as he explains, his connections were sitting in the SYN_RECVD state, meaning that they were waiting for the client's reply (which could never come) and resending their SYN/ACK packets, performing the bandwidth multiplication attack.

As you can see from the post above, I immediately replied on the list with a thorough explanation of what he was seeing. Before my reply had even propagated through the mailing list, several other sharp-eyed network administrators chimed in:

"Yes, we can see some of this here. It seems to have the greatest effect when the attack hits a subnet with a shared web server, with many IPs behind a few interfaces. It always looks like an attempt to use us as a reflection system to flood specific IP addresses."

"We saw a similar situation a few days ago. It looked like an attack against an IRC server company. The source address was spoofed and was using our public web address as a reflector."

"Yes, we're seeing them here too. It's all very strange. We started noticing them in early February; checking the head of our log files shows the earliest activity on January 15. We noticed that they seem to come from a limited range of IPs. Many of the addresses appear to belong to universities. After notifying a few of them, we got replies from the providers that they would block those IPs and continue investigating the others. We always see an identical sequence number describing the start event for the large packets. We found traffic from an IP address in Korea that sent more than 1,000,000 packets in an hour, that is roughly 10,000 to 30,000 packets a minute. We also received reports of packets with source and destination ports both 23. We call it the 'Stuttering SYN' attack. Your post is the first I have seen about it, and I will fix it within a week."

Remember that, since this network administrator saw the SYN reflection attack coming from a limited range of IPs, perhaps a dozen, many of them apparently at universities, those addresses were in fact the targets of the reflection attack, and his server was unwittingly contributing to it.

"I have two web servers on two different networks and have been receiving traffic like this for 2 to 3 weeks. A few source IPs hit both hosts during overlapping periods. It's low-rate traffic and the generated ACKs go straight back to the destination. I opened my log files and read through the activity in them and found a few (packets). I suspect that more than one machine is being used as a reflection host for some unspecified length of time."

In fact two different servers, at different locations on the network, both received SYN packets at the same time from the same few spoofed source IPs, indicating that the machines in both IP ranges were on the reflection-server inventory and were unwittingly taking part in the same attack.

We have some evidence that the tools producing these attacks may have begun appearing in early November 2001. We will have no way to judge the extent of reflection attacks until network administrators start looking for the telltale signs of low-intensity SYN floods on their servers.
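The reflector-side signature the administrators above describe can be pulled out of periodic netstat snapshots. The added example below (written for this page, not code from any of the posters) flags foreign addresses that sit in SYN_RECV across several snapshots without ever reaching ESTABLISHED, and reports the hand-off from one such address to the next, the "stuttering" the last poster names. The snapshot interval, the three-snapshot threshold, the server address 198.51.100.5 and the netstat rows themselves are constructed assumptions using RFC 5737 documentation addresses.

```python
"""Reflector-side detection of the pattern described above: a steady trickle of
SYNs from one address whose connections sit in SYN_RECV, never become
ESTABLISHED, then stop and are replaced by another address. Added example for
this page, not code from any of the posters; snapshots are constructed."""
import re

SNAPSHOT_INTERVAL = 30          # assumed: seconds between `netstat -an` snapshots
MIN_SNAPSHOTS = 3               # assumed: a real client never lingers in SYN_RECV this long

# (time, netstat output) pairs, constructed. 198.51.100.5:80 is our web server;
# 203.0.113.9 and .20 are ordinary clients, the other two addresses never complete.
SNAPSHOTS = [
    (0, """tcp 0 0 198.51.100.5:80 192.0.2.200:1501 SYN_RECV
tcp 0 0 198.51.100.5:80 192.0.2.200:1502 SYN_RECV
tcp 0 0 198.51.100.5:80 203.0.113.20:4001 ESTABLISHED"""),
    (30, """tcp 0 0 198.51.100.5:80 192.0.2.200:1508 SYN_RECV
tcp 0 0 198.51.100.5:80 192.0.2.200:1509 SYN_RECV
tcp 0 0 198.51.100.5:80 192.0.2.200:1510 SYN_RECV
tcp 0 0 198.51.100.5:80 203.0.113.9:33012 SYN_RECV"""),
    (60, """tcp 0 0 198.51.100.5:80 192.0.2.200:1517 SYN_RECV
tcp 0 0 198.51.100.5:80 192.0.2.200:1518 SYN_RECV
tcp 0 0 198.51.100.5:80 203.0.113.9:33012 ESTABLISHED"""),
    (90, """tcp 0 0 198.51.100.5:80 192.0.2.200:1525 SYN_RECV
tcp 0 0 198.51.100.5:80 198.51.100.77:2201 SYN_RECV
tcp 0 0 198.51.100.5:80 198.51.100.77:2202 SYN_RECV"""),
    (120, """tcp 0 0 198.51.100.5:80 198.51.100.77:2210 SYN_RECV
tcp 0 0 198.51.100.5:80 198.51.100.77:2211 SYN_RECV
tcp 0 0 198.51.100.5:80 198.51.100.77:2212 SYN_RECV"""),
    (150, """tcp 0 0 198.51.100.5:80 198.51.100.77:2219 SYN_RECV
tcp 0 0 198.51.100.5:80 198.51.100.77:2220 SYN_RECV"""),
]

ROW = re.compile(r"^tcp\s+\d+\s+\d+\s+\S+\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)")


def parse_netstat(text):
    """Yield (foreign_ip, foreign_port, state) for each TCP row of a snapshot."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3)


def find_reflection_targets(snapshots, min_snapshots=MIN_SNAPSHOTS):
    """Foreign addresses that stay in SYN_RECV across several snapshots and never
    complete a handshake. From our side they look like clients; they are really
    the victims whose address the attacker forged in the SYNs we answered."""
    seen = {}
    for t, text in snapshots:
        half_open_now = {}
        for ip, _port, state in parse_netstat(text):
            entry = seen.setdefault(ip, {"ip": ip, "first": t, "last": t, "snapshots": 0,
                                         "peak_half_open": 0, "established": False})
            if state == "ESTABLISHED":
                entry["established"] = True         # a real client did finish the handshake
            elif state == "SYN_RECV":
                half_open_now[ip] = half_open_now.get(ip, 0) + 1
        for ip, n in half_open_now.items():
            e = seen[ip]
            e["snapshots"] += 1
            e["last"] = t
            e["peak_half_open"] = max(e["peak_half_open"], n)
    targets = [e for e in seen.values()
               if not e["established"] and e["snapshots"] >= min_snapshots]
    return sorted(targets, key=lambda e: e["first"])


def handoffs(targets, interval=SNAPSHOT_INTERVAL):
    """Pairs where the next target starts as, or just after, the previous one stops:
    the attacker moving to a new victim through the same reflector."""
    pairs = []
    for prev, nxt in zip(targets, targets[1:]):
        if prev["last"] <= nxt["first"] <= prev["last"] + interval:
            pairs.append((prev["ip"], nxt["ip"]))
    return pairs


if __name__ == "__main__":
    found = find_reflection_targets(SNAPSHOTS)
    for e in found:
        print(f"{e['ip']}: SYN_RECV in {e['snapshots']} snapshots, "
              f"t={e['first']}..{e['last']}, peak {e['peak_half_open']} half-open")
    print("target hand-offs:", handoffs(found))
```

The two real clients drop out because one of them reaches ESTABLISHED and the other appears only once; the two addresses that never complete are reported in order, and the hand-off at t=90 is the moment the attacker's forged source address changed.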