
ACKNOWLEDGEMENTS

First of all, we would like to thank the lecturers of the Faculty of Information Technology and all the lecturers of the University of Technology (Đại Học Kỹ Thuật Công Nghệ), who have taught us wholeheartedly during the past nearly two years of study. Throughout the project, within a short period of time, we received dedicated guidance from Mr. Vn Thin Hong. He encouraged, reminded and guided us throughout the project. Through this project we have gathered a great deal of valuable knowledge. We would like to sincerely thank him for everything he has done for us during this time. We wish all the lecturers good health and much success in their noble careers in education.

Cao Minh Nhn, Hunh Vn Tho


TABLE OF CONTENTS

INTRODUCTION ........ 2
3.3.4 System interface after installation ........ 71
CONCLUSION ........ 84
REFERENCES ........ 84

LIST OF FIGURES

INTRODUCTION

1. Overview
Today, with the progress of information technology, computer networks have become an important infrastructure for all organizations and enterprises in general and for every company in particular. A network model can be deployed on many different operating systems; for a Domain model, for example, there are many choices such as Windows NT, Windows 2000, Netware, Unix, Linux, etc. Likewise, common protocols such as TCP/IP, NETBEUI and IPX/SPX are supported by most operating systems. This progress also has a negative side: it has produced actors who damage systems through vulnerabilities in operating systems and applications, with the aim of taking control of the system or destroying it. To resist such destructive attacks, one needs the knowledge to build a well-designed system that serves its users well while raising its level of protection; this is the main problem analyzed in the following sections.

2. Objectives of the project
There are many ways to attack a network, but DoS and DDoS attack techniques are the most dangerous and are regarded by the hacker community worldwide as the most powerful and the hardest to prevent. This project therefore studies the basic DoS and DDoS attack techniques and builds a system to defend against such attacks using a Linux firewall.

3. Approach
To achieve the stated objective, this project presents in detail current attack trends, the methods and types of DoS and DDoS attacks, and the advantages and disadvantages of these attacks. It studies the firewalls available on Linux, presents how rules are set up, and applies the iptables firewall to defend against DoS and DDoS attacks. DDoS attacks and their countermeasures are then simulated on a lab model.

4. Structure of the project
With these objectives and this direction, the content of this project is divided into four chapters.
Chapter 1, Introduction to DoS and DDoS: introduces the history of DoS and DDoS, the history of DDoS attacks and the purposes of DDoS attacks; studies DoS and DDoS attack methods, and the stages of selecting the target and the moment of attack, launching the attack, and erasing traces after the attack.
Chapter 2, Firewalls on Linux: introduces iptables, its functions and how it works, the match conditions in rules, and how to set up rules with the iptables firewall to defend against DoS and DDoS attacks; also presents the features of some other Linux firewalls besides iptables.
Chapter 3, Experimental model: sets up a network model using the CentOS operating system with iptables installed as the firewall, with a web server inside the system; attacks are launched from outside using tools that apply DoS and DDoS attack methods, and the experimental results are presented.

Chapter 1: Introduction to DoS and DDoS

1.1 History of DoS and DDoS

The history begins in the late 1990s. The activity originated when a number of security experts, while looking for flaws in the Windows 98 operating system, discovered that simply sending a single very large ping packet was enough to paralyze a target server. This discovery was immediately taken up by the hacker community to knock out the targets they intended to attack. From there the primitive form of DoS (Denial of Service) was born. A DoS attack is a kind of attack in which one person renders a system unusable, or makes it significantly slower for normal users, by overloading the system's resources.

In 1998 the Trinoo Distributed Denial of Service (DDoS) program was written by Phifli. On the Internet, a DDoS (Distributed Denial of Service) attack is a form of attack from many computers against one target; it causes the legitimate requests of normal users to be refused. By generating an enormous number of packets toward a specific target, it can produce a situation similar to the system being shut down. If one IP address attacks a company, it can be blocked by the firewall. If the attack comes from 30,000 IP addresses, this becomes extremely difficult. Attackers can cause a great deal of damage with a denial-of-service (DoS) attack, and this is even more dangerous when they use a network of bots on the Internet to carry out the DoS attack, which is then called a DDoS attack. If attackers are unable to penetrate a system, they try to find a way to make it collapse so that it cannot serve normal users; this is a Denial of Service (DoS) attack. Although DoS and DDoS attacks cannot access the system's actual data, they can disrupt the services the system provides. As defined above, when attacking a system, DoS exploits the weakest points of that system.

1.1.1 History of attacks
May 1999: the FBI home page stopped operating because of a (DDoS) attack.
June 1999: the Trinoo network was installed and tested on more than 2,000 systems.
Late August to early September 1999: the first Tribal Flood Network appeared, developed by Mixter.
Late September 1999: the Stacheldraht tool began appearing on systems in Europe and the United States.
21 October 1999: David Dittrich of the University of Washington published analyses of denial-of-service attack tools.
21 December 1999: Mixter released Tribe Flood Network 2000 (TFN2K).
7/3/2000: yahoo.com had to stop serving hundreds of millions of users worldwide for many hours. A few hours later Yahoo found the cause: it was suffering a DDoS attack in which several thousand computers continuously sent millions of requests to its servers, so that these servers could not serve other ordinary users.
8-2: many large web sites such as Buy.com, Amazon.com, eBay, Datek, MSN and CNN.com suffered denial-of-service attacks.
At 7 p.m. on 9-2-2000 the Excite.com website was the target of a denial-of-service attack; traffic poured in for about an hour until it ended, and packets were badly corrupted.
On 15 August 2003 Microsoft suffered a very strong DoS attack that disrupted its websites for two hours.
At 15:09 GMT on 27 March 2003 the entire English edition of the Al-Jazeera website was attacked and disrupted for many hours.
From this we can clearly see that denial-of-service attacks and attacks that flood servers with data (Flood Data of Services Attack) are a concern for many large and small computer networks today.

1.1.2 Purposes of DoS and DDoS attacks
- Attempting to seize network bandwidth and flood the network, so that the network can no longer provide other services to normal users.
- Attempting to break the connection between two machines, preventing access to a service.
- Attempting to prevent particular users from accessing a service.
- Attempting to prevent others from being able to access services.
When a DoS attack occurs, users feel as though the service is frozen when they access it. The consequences are:
Disable Network: the network is down.
Disable Organization: the organization cannot operate.
Financial Loss: money is lost.

1.1.3 Targets of DoS and DDoS attacks
A denial-of-service attack is a kind of attack that aims to prevent legitimate users from using a service. Attacks can be directed at any network device, including routers, web, e-mail and DNS systems. Denial-of-service attacks can be carried out in a number of ways. There are five basic attack goals:
- Consuming computing resources such as bandwidth, disk capacity or processing time.
- Disrupting configuration information, such as routing information.
- Disrupting state information, such as automatically resetting TCP sessions.
- Disrupting physical components of the computer network.
- Obstructing the intended communication between users and the victim, so that the two sides can no longer communicate smoothly.
A denial-of-service attack may also include the execution of malware intended to:
- Overload processing capacity, so that the system cannot carry out any other work.
- Trigger errors in the computer's microcode.
- Trigger errors in the instruction sequence, leaving the computer in an unstable state or frozen.
- Exploit operating system errors that lead to resource starvation or thrashing, for example by using up all available capacity so that no real work can be completed.
- Crash the system.
- iFrame denial-of-service attack: an HTML page can call a given web site with a very large number of requests, many times over, until that site's bandwidth is exceeded.

1.2 DoS and DDoS concepts
DoS (Denial of Service), a denial-of-service attack, or DDoS (Distributed Denial of Service), a distributed denial-of-service attack, is an attempt to make a computer's resources unavailable to its users. Although the means, motives and targets of denial-of-service attacks differ, they generally consist of the coordinated, deliberate efforts of one or more persons against the effective operation of network services for some period of time. A Denial of Service (DoS) attack can be described as the act of preventing legitimate users from accessing and using a service. It includes flooding the network and cutting the connection to a service, with the ultimate aim that the server can no longer respond to service requests from the clients. DoS can bring down a single computer, a local network, or even a very large network. In its true nature, the DoS attacker occupies a large amount of network resources such as bandwidth and memory and removes the system's ability to process service requests from other clients. The essence of a denial-of-service attack is that the hacker occupies a large amount of resources on the server (bandwidth, memory, CPU, disk, ...) so that the server cannot respond to other requests from normal users' clients and may quickly stop working, crash or reboot.

Figure 1-1: DDoS attack model

1.2.1 Stages of a DDoS attack
There are three stages.
Preparation stage
Preparing the tool, the most important element of the attack; this tool normally operates on a client-server model. The hacker can write this software or download it easily; by a rough count there are more than 10 DDoS tools available free on the Internet (these tools are analyzed in detail later). Next, other hacking techniques are used to take control of a number of hosts on the network, on which the necessary software is installed; the configuration and testing of the entire attack-network (the network of compromised machines together with the software installed on them, plus the hacker's machine or some other machines set up as launch points for the attack) is also done in this stage.
Target and timing stage
After the final target is selected, the hacker adjusts the attack-network to direct the attack toward the target. The timing determines the degree of damage and the target's speed of response to the attack.
Launching the attack and erasing traces
At the chosen moment the hacker launches the attack from his own machine; the attack command may pass through several levels before reaching the hosts that actually attack. The entire attack-network (possibly thousands of machines) continuously exhausts the target server's capacity, preventing it from operating as designed. After a suitable period of attack, the hacker erases all traces that could be traced back to him; this requires a high level of skill and is not absolutely necessary.

1.2.2 Overall architecture of a DDoS attack-network
A DDoS attack-network has two main models:
- The Agent-Handler model
- The IRC-based model


Figure 1-2: Classification diagram of DDoS attack types (diagram: a DDoS attack-network is either Agent-Handler, with client-handler communication over TCP, UDP or ICMP, or IRC-based, with a secret/private channel or a public channel over TCP, UDP or ICMP)

1.2.3 The Agent-Handler model
In this model the attack-network consists of three components: Agent, Client and Handler.
- Client: the software through which the hacker controls all activity of the attack-network.
- Handler: an intermediate software component between Agent and Client.
- Agent: the software component that actually carries out the attack on the target, receiving control from the Client through the Handlers.
Figure 1-3: Architecture of an Agent-Handler attack-network (diagram: Attackers, Handlers, Agents, Victim)

From the Client, the attacker communicates with the Handlers to determine how many Agents are online, adjust the attack timing and update the Agents. Depending on how the attacker configures the attack-network, the Agents are managed by one or more Handlers. The attacker usually places the Handler software on a router or a server carrying heavy traffic, to make communications between Client, Handler and Agent hard to detect. These communications usually take place over the TCP, UDP or ICMP protocols. The real owners of the Agents usually have no idea that they are being used in a DDoS attack, because they lack the knowledge, or because the Backdoor Agent programs use so little of the system's resources that their effect on system performance is almost impossible to notice.

1.2.4 The IRC-based model
Internet Relay Chat (IRC) is a multi-user online chat system; IRC allows a user to create a multipoint connection to many other users and chat in real time. The architecture of an IRC network consists of many IRC servers across the Internet, communicating with each other over many channels. An IRC network allows users to create three types of channel: public, private and secret.
- Public channel: allows the users of the channel to see the IRC name and the messages of every other user on the same channel.
- Private channel: designed for communication among permitted parties; users who are not on the channel cannot see the IRC names and the messages on the channel. However, a user outside the channel can use certain channel locator commands to learn that the private channel exists.
- Secret channel: similar to a private channel, but it cannot be discovered with a channel locator.


Figure 1-4: Architecture of an IRC-based attack-network (diagram: Attackers, IRC network, Agents, Victim)

An IRC-based network is similar to an Agent-Handler network, but this model uses IRC channels as the means of communication between Client and Agent (no Handler is used). With this model the attacker gains some further advantages:
- Communications take the form of chat messages, which makes detecting them extremely difficult.
- IRC traffic can move across the network in large volumes without arousing suspicion.
- There is no need to maintain a list of Agents; the hacker simply logs on to the IRC server to receive the reports on the Agents' status sent back by the channel.
- Finally, IRC is also a file-sharing environment, which makes it easy to spread the Agent code to many other machines.

1.3 CLASSIFICATION OF DDOS ATTACK TYPES
In general there are many variants of the DDoS attack technique, but from a technical perspective they can be divided into two categories according to the attack's purpose: bandwidth depletion and system resource depletion. Below is a diagram describing the classification of DDoS attack types.


Figure 1-5: Classification of DDoS attack types (diagram: DDoS attack splits into Bandwidth Depletion, comprising Flood Attacks (UDP and ICMP, with spoofed-source, random-port and static-port variants) and Amplification Attacks (Smurf and Fraggle, each direct or loop), and Resource Depletion, comprising Protocol Exploit Attacks (TCP SYN, PUSH + ACK, spoofed source) and Malformed Packet Attacks (IP address attack, IP packet options attack))

1.3.1 Bandwidth Depletion Attacks
A Bandwidth Depletion Attack is designed to flood the target network with unnecessary traffic, in order to minimize the ability of legitimate traffic to reach the target's service system. There are two kinds of Bandwidth Depletion Attack:
- Flood attack: directs the Agents to send a large volume of traffic to the target's service system, exhausting the service's bandwidth.
- Amplification attack: directs the Agents or the Client to send messages to a broadcast IP address, causing every machine in that subnet to send messages to the target's service system. This method increases the unnecessary traffic and degrades the target's bandwidth.

1.3.1.1 Flood attack
In this method the Agents send a large volume of IP traffic, which slows the target's service system, hangs it or drives it into a saturated state, so that the system's real users cannot use the service. Flood attacks can be divided into two kinds.
UDP Flood Attack: because UDP is connectionless, a system receiving UDP messages simply accepts every packet it has to process. A large number of UDP packets sent to the target's service system pushes the whole system to its limit. These UDP packets can be sent to many arbitrary ports or to a single port; usually they are sent to many ports, forcing the target to strain to process the responses for them. If the attacked port is not available, the target sends back an ICMP packet of type destination port unreachable. Agent software usually uses a spoofed IP address to hide its tracks, so the replies produced when no port handles the packet go to some other IP address. A UDP flood can also affect the connections around the target, because the convergence of packets is very intense.
ICMP Flood Attack: ICMP was designed for network management and for locating network devices. When the Agents send a large volume of ICMP_ECHO_REPLY packets to the target system, the system has to reply with a corresponding number of packets, which congests the link. As in the previous case, the Agents' IP addresses may be spoofed.

1.3.1.2 Amplification Attack
An Amplification Attack aims at using routers' support for broadcast IP addresses to amplify and reflect the attack. This feature lets the sender specify a single broadcast IP address for the whole receiving subnet instead of many addresses; the router is responsible for sending the broadcast packet it receives to every IP address in the subnet. The attacker can send the broadcast message directly or through a number of Agents to increase the intensity of the attack. If the attacker sends the message directly, the systems inside the broadcast network can be used as Agents. Amplification attacks can be divided into two kinds, the Smurf and the Fraggle attack.

Figure 1-6: Amplification Attack (diagram: Attacker/Agent, amplifier network system, Victim)

Smurf attack: in this attack the attacker sends packets to a network amplifier (a router or other network device that supports broadcast) with the victim's address. The packets used are usually ICMP ECHO REQUEST packets, which require the receiver to answer with an ICMP ECHO REPLY packet. The network amplifier sends the ICMP ECHO REQUEST packet to every system under the broadcast address, and all of these systems send their REPLY packets to the IP address of the target of the Smurf attack.
Fraggle attack: similar to the Smurf attack, but instead of ICMP ECHO REQUEST packets it uses UDP ECHO packets sent to the target. There is in fact another variant of the Fraggle attack that sends UDP ECHO packets to the target's chargen port (port 19 on UNIX) with the target's echo port (port 7 on UNIX) as the sender's address, creating an infinite loop. The attacker starts the attack with an ECHO REQUEST whose destination is a broadcast address; every system under that address immediately sends a REPLY to the victim's echo port, the victim in turn sends an ECHO REPLY back to the broadcast address, and the process can continue. This is the reason the Fraggle attack is far more dangerous than the Smurf attack.

1.3.2 Resource Depletion Attacks
A Resource Depletion Attack is an attack in which the attacker sends packets that use protocols contrary to their designed function, or sends packets in a form that clogs network resources, so that these resources can no longer serve ordinary users.

1.3.2.1 Protocol Exploit Attack
TCP SYN Attack: the Transmission Control Protocol supports highly reliable transmission, so it uses a handshake between sender and receiver before transmitting data. In the first step the sender sends a SYN REQUEST packet (Synchronize). If the receiver receives the SYN REQUEST it answers with a SYN/ACK REPLY packet. In the final step the sender transmits the final ACK packet and begins transmitting data.

Figure 1-7: Data transmission model (diagram: the TCP client, on a client port in the range 1024-65535, sends SYN to the TCP server on a service port in the range 1-1023, here port 80; the server answers SYN/ACK; the client completes the handshake with ACK)

If the server answers a SYN request with a SYN/ACK REPLY but does not receive the final ACK packet within the prescribed time, it resends the SYN/ACK REPLY until the timeout expires. All the system resources reserved to process this session, should the final ACK packet arrive, remain blocked until the timeout expires.


Figure 1-8: Model when under attack (diagram: a malicious TCP client sends a SYN packet with a deliberately fraudulent (spoofed) source IP return address to the victim TCP server; the server's SYN/ACK goes to the spoofed address and the final ACK never arrives)

Knowing this weakness, the attacker sends SYN packets to the victim with a spoofed sender address; as a result the victim sends its SYN/ACK REPLY to another address and never receives the final ACK packet. Only when the timeout expires does the victim notice this and release the system resources. If, however, spoofed SYN packets arrive in large numbers and rapidly, the victim's system can run out of resources.
Figure 1-9: Diagram of the protocol before and after the attack (diagram: normally the Client sends SYN, the Server answers SYN/ACK and the Client returns ACK; under attack the Attacker/Agent sends SYN, the Server answers SYN/ACK and no ACK is ever returned)

PUSH + ACK Attack: in the TCP protocol, packets are held in a buffer, and when the buffer is full the packets are passed on to where they are needed. However, the sender can ask the system to unload the buffer before it is full by sending a packet with the PUSH and ACK flags set to 1. Such packets make the victim's system unload all the data in the TCP buffer immediately and send back an ACK packet when this is done; if this process goes on continuously with many Agents, the system cannot process the large number of incoming packets and hangs.

1.3.2.2 Malformed Packet Attack


A Malformed Packet Attack uses the Agents to send packets whose structure does not conform to the standard, in order to hang the victim's system. There are two kinds of Malformed Packet Attack:
- IP address attack: uses packets whose source and destination addresses are identical, which the victim's operating system cannot handle, so it hangs.
- IP packet options attack: randomizes the OPTION field of the IP packet and sets all the QoS bits to 1, forcing the victim's system to spend time analyzing them; with a large number of Agents this can exhaust the victim's processing capacity.

1.4 Some characteristics of DDoS attack tools

Figure 1-10: Features of DDoS attack tools (table: for each DDoS software tool, the attack-network model (Agent-Handler or IRC-based); the agent setup, i.e. the installation method (active or passive, via buffer overflow, bugged website, corrupted file, backdoor or Trojan) and whether the agent hides with a rootkit (yes/no); the attack-network communication, i.e. protocol (TCP, UDP, ICMP), channel (public or private/secret) and encryption (yes/none); the agent activation method (actively poll or live-and-wait); and the supported operating systems (Unix, Solaris, Linux, Windows))

There is a great deal in common among DDoS attack tools from the software standpoint. Some of the common points are: the way the Agent software is installed, the method of communication between attacker, Handler and Agent, and the operating systems these tools support. The diagram above gives an overall comparison of these DDoS attack tools.

1.4.1 How DDoS Agents are installed

An attacker can use active or passive methods to install Agent software on other machines in order to build an Agent-Handler or IRC-based attack-network.
Active installation methods
- Scanning: tools such as Nmap and Nessus are used to find weaknesses in systems that are online, in order to install the Agent software. Note that Nmap returns information about a system specified by IP address, whereas Nessus searches arbitrary IP addresses for a particular known weakness.
- Backdoor: after obtaining a list of exploitable systems, the attacker breaks in and installs the Agent software on them. A great deal of information about intrusion methods is available on the Internet, such as the site of the Common Vulnerabilities and Exposures (CVE) organization, which lists and classifies more than 4,000 kinds of flaws across all existing systems. This information is equally available to network administrators and to hackers.
- Trojan: a program that performs some ordinary function but has hidden functions serving the author's own purposes, of which the user is unaware. A Trojan can be used as Agent software.
- Buffer Overflow: by exploiting a buffer overflow flaw, the attacker can divert the normal execution flow of a program to the execution of the hacker's program (located in the overwritten data area). This can be used against a program with a buffer overflow weakness in order to run the Agent software.
Passive installation methods
- Bugged Website: the attacker can exploit flaws in the web browser to install Agent software on the machine of a user who visits. The attacker builds a website whose content hides code and commands that trap the user; when the user views the site's content, the website secretly downloads and installs the Agent software. The Microsoft Internet Explorer web browser is often the target of this method, with ActiveX flaws that allow the IE browser to automatically download and install code on the machine of the user browsing the web.
- Corrupted file: another method is to embed code in ordinary files. When the user reads or runs these files, their machine is immediately infected with the Agent software. One popular technique is to give the file a very long name; since operating systems by default display only the beginning of the file name, the attacker can e-mail the victim a file such as (iloveyou.txt_hiiiii_NO_this_is). Seeing only the part iloveyou.txt displayed, the user opens the file to read it; the file executes immediately and the agent code is installed on the victim's machine. There are also many other methods, such as disguising files and joining files.
- Rootkit: programs used to erase traces of the presence of the Agent or Handler on the victim's machine. Rootkits are usually used on machines where Handler software is installed, which play a critical role in the operation of the attack-network, or in environments where the Handler is very likely to be detected. Rootkits are rarely used on Agents, since the Agents are not very important and the loss of a few Agents does not much affect the attack-network.

1.4.2 Communication on the attack-network
- Protocol: communication on the attack-network can run over the TCP, UDP or ICMP protocols.
- Encrypted communication: some DDoS tools support encryption of the communication across the whole attack-network. Depending on the protocol used, an appropriate encryption method is chosen. If the attack-network is IRC-based, private and secret channels support encrypted communication.
- How Agents are activated: there are two main ways. In the first, the Agent regularly polls the Handler or the IRC channel for instructions (active Agent). In the second, the Agent simply lies dormant waiting for instructions from the Handler or the IRC channel.

1.4.3 Platforms supporting Agents
DDoS tools are usually designed to run on many different operating systems, such as Unix, Linux, Solaris or Windows. The components of an attack-network can run on different operating environments. Usually the Handler runs on systems hosted on large servers running Unix, Linux or Solaris. Agents usually run on the most popular operating system, Windows, since there are many such machines and they are easy to exploit.

1.4.4 Functions of DDoS tools
Each DDoS tool has its own command set, executed by the Handler and the Agents. In general, however, the common command set of these tools can be classified as follows.

HANDLER COMMAND SET
Command | Description
Log On | Used to log on to the Handler software (user + password)
Turn On | Activates the Handler so that it is ready to receive commands
Log Off | Used to log off the Handler software
Turn Off | Tells the Handler to stop; if the Handler is scanning for Agents, it stops doing so immediately
Initiate Attack | Orders the Handler to direct all of its Agents to attack the specified target
List Agents | Asks the Handler to list its Agents
Kiss Agents | Removes an Agent from the ranks of the attack-network
Add victim | Adds an attack target
Download Upgrades | Updates the Handler software (downloads a .exe file and executes it)
Set Spoofing | Enables and configures IP address spoofing for the Agents
Set AttackTime | Sets the attack start time for the Agents
Set AttackDuration | Specifies the duration of the attack on the target
BufferSize | Sets the Agent's buffer size (to increase the Agent's power)
Help | Program usage instructions

AGENT COMMAND SET
Command | Description
Turn On | Activates the Agent so that it is ready to receive commands
Turn Off | Tells the Agent to stop; if the Agent is scanning for a Handler or IRC channel, it stops doing so immediately
Initiate Attack | Orders the Agent to attack the specified target
Download Upgrades | Updates the Agent software (downloads a .exe file and executes it)
Set Spoofing | Configures IP address spoofing for the Agents
Set Attack Duration | Specifies the duration of the attacks on the target
Set Packet Size | Sets the size of the attack packets
Help | Program usage instructions

1.5 Some DDoS tools
On the common foundation described above, many tools have been written; these tools are usually open source, so their complexity keeps increasing and there are many new variants.

1.5.1 Agent-Handler DDoS tools
TrinOO: one of the first widely distributed DDoS tools. TrinOO has an Agent-Handler architecture; it is a Bandwidth Depletion Attack tool using the UDP flood technique. The early versions of TrinOO did not support IP address spoofing. The TrinOO Agent was installed by exploiting a remote buffer overrun flaw. It runs on Solaris 2.5.1 and Red Hat Linux 6.0. The attack network communicates over TCP (attacker client to Handler) and UDP (Handler to Agent). Communication is encrypted with symmetric encryption between Client, Handler and Agent.
Tribe Flood Network (TFN): Agent-Handler architecture; a DDoS tool supporting both Bandwidth Depletion and Resource Depletion attacks, using the UDP flood, ICMP flood, TCP SYN and Smurf attack techniques. The early versions did not support IP address spoofing; the TFN Agent was installed by exploiting a buffer overflow flaw. It runs on Solaris 2.x and Red Hat Linux 6.0. The attack network communicates with ICMP ECHO REPLY packets (TFN2K adds TCP/UDP with a selectable protocol), and the communication is not encrypted (TFN2K supports encryption).
Stacheldraht: a variant of TFN with the added ability to update Agents automatically. Communication between Attacker and Handler is over telnet with symmetric encryption.

1.5.2 IRC-based DDoS tools
IRC-based DDoS tools were developed after the Agent-Handler tools. However, IRC-based DDoS tools are far more complex, since they integrate many features of the Agent-Handler tools.
Trinity is typical of this kind of tool. Trinity has most of the attack techniques, including UDP, TCP SYN, TCP ACK, TCP fragment, TCP NULL, TCP RST, TCP random flag and TCP ESTABLISHED packet floods. It has built-in randomization of the sender address. Trinity also supports TCP flood packets with a randomized CONTROL FLAG set. Trinity can be considered one of the most dangerous DDoS tools.
Knight is designed to run on Windows and uses the installation technique of the Back Orifice trojan. Knight uses attack techniques such as SYN, UDP flood and Urgent Pointer flooder.
Kaiten is a variant of Knight, supporting many attack techniques such as UDP, TCP flood, SYN and PUSH + ACK attacks. Kaiten also inherits Trinity's ability to randomize spoofed addresses.

1.6 DDoS countermeasures
Many solutions and ideas have been proposed to cope with DDoS attacks. However, no solution or idea completely solves the Anti-DDoS problem. New forms of DDoS keep appearing over time, in parallel with the countermeasures, but the race still follows the inevitable law of computer security. There are three main phases in the Anti-DDoS process:
- Prevention phase: minimize the number of Agents; find and neutralize the Handlers.
- Confronting the attack: detect and block the attack, mitigate and stop the attack, deflect the attack.
- Post-attack phase: collect evidence and draw lessons.
Figure 1-11: Model of DDoS countermeasures (diagram: DDoS Countermeasures branch into Detect and Neutralize Handler; Prevent Agents (individual user and network service provider: install software patches, built-in defense); Detect/Prevent Potential Attack (egress filtering, MIB statistics); Mitigate/Stop Attack (load balancing, throttling, drop request); Deflect Attack (honeypots, shadow real network, study attack); and Post-attack Forensics (traffic pattern analysis, packet traceback, event log))

1.6.1 Minimizing the number of Agents
On the user side: a very good way to prevent DDoS attacks is for every Internet user to protect themselves from being used to attack other systems. To achieve this, awareness and defensive techniques must be widely disseminated among Internet users. An attack-network can never form if no user is exploited into becoming an Agent. Users must continuously carry out security procedures on their own computers. They have to check for the presence of Agents on their machines themselves, which is very difficult for ordinary users. Some solutions build the ability to prevent the installation of dangerous code into the hardware and software of each system. For their part, users should install and continuously update software such as antivirus, anti-trojan and the operating system's server patches.
On the Network Service Provider side: changing the billing of access services to a volume basis will make users pay attention to what they send, so that each user's awareness of detecting DDoS Agents is raised.

1.6.2 Finding and neutralizing the Handlers
A crucial element of the attack-network is the Handler; if the Handlers can be detected and neutralized, the chance of Anti-DDoS success is very high. By monitoring the communications between Handler and Client or between Handler and Agent, the location of the Handler can be found. Since one Handler manages many Agents, eliminating one Handler means removing a significant number of Agents from the attack-network.

1.6.3 Detecting the signs of an attack
Egress Filtering: this technique checks whether a packet is qualified to leave a subnet, based on the fact that the subnet's gateway always knows the IP addresses of the machines in the subnet. Packets sent out from inside the subnet with an invalid source address are held back so that the cause can be investigated. If this technique were applied on every subnet of the Internet, the problem of IP address spoofing would no longer exist.
MIB statistics: the router's Management Information Base (SNMP) always holds statistics on changes in the network's state. If we closely monitor the statistics for the ICMP, UDP and TCP protocols, we can detect the moment an attack begins and gain time to handle the situation.

1.6.4 Mitigating or stopping the attack


Load balancing

Thit lp kin trc cn bng ti cho cc server trng im s lm gia tng thi gian chng chi ca h thng vi cuc tn cng DDoS. Tuy nhin, iu ny khng c ngha lm v mt thc tin v quy m ca cuc tn cng l khng c gii hn. Throttling Thit lp c ch iu tit trn router, quy nh mt khong ti hp l m server bn trong c th x l c. Phng php ny cng c th c dng ngn chn kh nng DDoS traffic khng cho user truy cp dch v. Hn ch ca k thut ny l khng phn bit c gia cc loi traffic, i khi lm dch v b gin on vi user, DDoS traffic vn c th xm nhp vo mng dch v nhng vi s lng hu hn. Drop request Thit lp c ch drop request nu n vi phm mt s quy nh nh: thi gian delay ko di, tn nhiu ti nguyn x l, gy deadlock. K thut ny trit tiu kh nng lm cn kit nng lc h thng, tuy nhin n cng gii hn mt s hot ng thng thng ca h thng, cn cn nhc khi s dng. 1.6.5 Chuyn hng ca cuc tn cng Honeyspots l mt h thng c thit k nhm nh la attacker tn cng vo khi xm nhp h thng m khng ch n h thng quan trng thc s. Honeyspots cn rt hiu qu trong vic pht hin v x l xm nhp, v trn Honeyspots thit lp sn cc c ch gim st v bo ng. Ngoi ra Honeyspots cn c gi tr trong vic hc hi v rt kinh nghim t Attacker, do Honeyspots ghi nhn kh chi tit mi ng thi ca attacker trn h thng. Nu attacker b nh la v ci t Agent hay Handler ln Honeyspots th kh nng b trit tiu ton b attack-network l rt cao. 1.6.6 Giai on sau tn cng Traffic Pattern Analysis Nu d liu v thng k bin thin lng traffic theo thi gian c lu li th s c a ra phn tch. Qu trnh phn tch ny rt c ch cho vic tinh chnh li cc h thng Load Balancing v Throttling. Ngoi ra cc d liu ny - 26 -

also helps the network administrator adjust the rules that control traffic in and out of the network.
Packet Traceback
Using Traceback techniques, we can trace back the attacker's location (at least the attacker's subnet). From Traceback we can go on to develop the ability to block traffic from the attacker quite effectively. Recently a fairly effective Traceback technique has appeared that can trace the origin of an attack in under 15 minutes.
Event Logs
By analyzing the log files after the attack, the network administrator can find many important clues and pieces of evidence.


Chapter 2

2.1 Introduction to firewalls
The term Firewall comes from a design technique in construction used to stop or limit the spread of fire. In network technology, a firewall is a technique integrated into the network system to defend against unauthorized access, protecting internal information resources and limiting the intrusion of unwanted information into the system. An Internet firewall is a set of devices (hardware and software) placed between the network of an organization, a company or a country (the Intranet) and the Internet. In some cases a firewall may be set up inside the same internal network to isolate security domains. For example, the model below shows a firewall network separating the server room, the users and the Internet.

2.2 Types of firewall
Firewalls are divided into two types: hardware firewalls and software firewalls.

2.2.1 Hardware firewalls
These are firewalls integrated into routers.

Figure 2-1: Hardware firewall
Characteristics of a hardware firewall: not as flexible as a software firewall (functions and rules cannot be added as they can on a software firewall).


A hardware firewall operates at a lower layer than a software firewall (the Network and Transport layers). A hardware firewall cannot inspect the content of packets. Example of a hardware firewall: NAT (Network Address Translation).

2.2.2 Software firewalls

Figure 2-2: Software firewall
Characteristics of a software firewall: high flexibility, since rules and functions can be added or removed. A software firewall operates at a higher layer than a hardware firewall (the application layer), so it can inspect the content of packets (through keywords). Examples of software firewalls: Zone Alarm, Norton Firewall.

2.2.3 Firewall

Figure 2-3: Functions of a firewall
If your computer is not protected, then when you connect to the Internet all traffic in and out of the network is allowed, so hackers, trojans and viruses can access and steal your personal information on the computer. They can install code that attacks the data files on the computer. They can use your computer to attack another home or business computer connected to the Internet. A firewall can help you get rid of malicious packets before they reach your system. The main function of a firewall is to control the flow of information between the Intranet and the Internet, by establishing mechanisms that control the flow of information between the internal network (Intranet) and the Internet. Specifically:
- Allow or deny services accessing outward (from the Intranet to the Internet).
- Allow or deny services accessing inward (from the Internet into the Intranet).
- Monitor the data flow between the Internet and the Intranet.
- Control access addresses; block access addresses.
- Control users and their access.
- Control the content of the information circulating on the network.

2.2.4 Structure of a firewall
A firewall consists of: one or more host systems connected to routers, or having router functions; security management software running on those hosts, usually authentication, authorization and accounting systems.

2.2.5 Components of a firewall
A firewall consists of one or more of the following components: a packet filter (packet-filtering router); an application gateway (application-level gateway or proxy server); a circuit-level gateway.


Figure 2-4: Structure of a firewall
Packet filter (packet filtering router)

Operating principle

Figure 2-5: Operating principle of the firewall
When we speak of data traffic between networks passing through a firewall, it means the firewall works closely with the TCP/IP protocol. This protocol works by splitting the data received from network applications, or more precisely from the services running over the protocols (Telnet, SMTP, DNS, SNMP, NFS, ...), into data packets, and then assigning these packets identifiable addresses so that they can be reassembled at the destination; for that reason the various kinds of firewall are closely concerned with packets and the address numbers they carry. The packet filter allows or denies each packet it receives. It examines the whole data segment to decide whether it satisfies one


of the packet filtering rules. These packet filtering rules are based on the information at the head of each packet (the packet header), which is used to permit the transmission of packets on the network. That information is:
- the source IP address and the destination IP address;
- the transport protocol (TCP, UDP, ICMP, IP tunnel);
- the TCP/UDP source port;
- the TCP/UDP destination port;
- the ICMP message type;
- the incoming interface of the packet;
- the outgoing interface of the packet.
Advantages: most firewall systems use a packet filter. One advantage of packet filtering is its low cost, since the packet filtering mechanism is included in every router's software. In addition, the packet filter is transparent to users and applications, so it requires no special training.
Limitations: defining the filtering rules is quite complex, and requires the network administrator to understand Internet services, packet header formats and the specific values each field can take in detail. As the filtering requirements grow, the filtering rules become longer and more complex, and hard to manage and control. Because it works on packet headers, the packet filter cannot control the content of packets. Packets passing through it can still carry the malicious actions of attackers, whether to steal information or to sabotage.
Application gateway (application-level gateway)
Operating principle: this is a type of firewall designed to strengthen control over the kinds of services and protocols allowed to access the network. Its operation is based on a mechanism called proxy service. Proxy services are special pieces of code installed on the gateway for each application. If the network administrator does not install proxy code for an application, the corresponding service is not provided and therefore cannot pass information through the firewall. In addition, proxy code can be configured to support only those features of an application that the administrator considers acceptable

while rejecting the other features. An application gateway is often regarded as a bastion host, because it is designed specifically to resist attacks from outside.
Advantages: it lets the network administrator fully control each service on the network, because the proxy application restricts the command set and decides which hosts can be reached by each service. It lets the administrator fully control which services are allowed, because the absence of a proxy for a service means that service is blocked. An application gateway allows very good authentication checks, and it keeps a log recording information about access to the system. The filtering rules for an application gateway are easier to configure and check than those of a packet filter.
Limitations: it requires users to change their habits, or to change the software installed on the client, in order to access the proxy services. For example, Telnet access through an application gateway requires two steps to connect to the destination host instead of one. However, some client software makes the application gateway transparent, by letting the user specify the destination host rather than the gateway on the Telnet command.
Circuit-level gateway
A circuit-level gateway is a special function that can be performed by an application gateway. It simply relays TCP connections without performing any processing or packet filtering. It simply relays a telnet connection through the firewall without any checking, filtering or control of the Telnet protocol. The circuit-level gateway works like a wire, copying bytes between the inside connection and the outside connection. However, because the connection appears to originate from the firewall system, it hides information about the internal network. A circuit-level gateway is usually used for outbound connections, where the administrators genuinely trust the internal users. Its greatest advantage is that a bastion host can be configured as a hybrid that provides an application gateway for inbound connections and a circuit-level gateway for outbound connections. This makes the firewall system easy to use for internal users who want direct access to

Internet services, while still providing the firewall's protection of the internal network against attacks from outside.

2.3 Functions of a firewall
A firewall protects against attacks from outside:
- Direct attacks
- Eavesdropping
- IP address spoofing
- System administrator errors
- The human factor

Today the skill of hackers keeps growing, while network systems are still slow in fixing their own vulnerabilities. This requires the network administrator to have good knowledge of network security in order to keep the system's information secure. Individual users cannot know every trick needed to build a firewall for themselves, but they should understand how important information security is for each person, and from that learn some ways of preventing the simpler attacks of hackers. The issue is awareness: with an awareness of prevention, the level of security will be higher.

2.3.1 Limitations of a firewall
A firewall is not as intelligent as a human: it cannot read each kind of information and analyze whether its content is good or bad. A firewall can only block the intrusion of unwanted information sources when the address parameters are clearly specified. A firewall cannot stop an attack that does not "pass through" it. Specifically, a firewall cannot defend against an attack coming over a dial-up line, or against the leakage of information through data illegally copied onto a floppy disk. A firewall also cannot defend against data-driven attacks, where a program is sent by e-mail, passes through the firewall into the protected network and starts operating there; computer viruses are one example. A firewall cannot


perform virus scanning on the data passing through it, because of its working speed, the continual appearance of new viruses, and the many ways data can be encoded to escape the firewall's control.

2.4 IPTables

2.4.1 Introduction to IPTables
One of the most widely used firewalls running on Linux is iptables, a very powerful packet-filtering firewall. When a packet first arrives at the firewall, the hardware receives it and then passes it to the corresponding device driver in the operating system kernel. The packet then begins to pass through a series of steps in the kernel before it is delivered to a local application, forwarded to another machine, or otherwise acted on by the kernel. One strength of iptables is that several tables can be used to decide the fate of a packet, depending on the kind of packet being examined and the action to be taken on it. The default table, the filter table, contains the built-in chains INPUT, OUTPUT and FORWARD; these chains correspond to the chains used in ipchains. By default, however, iptables also contains two additional tables used for specific packet-filtering jobs. The nat table can be used to change the source and destination addresses of packets, and the mangle table allows some information in packet headers to be changed. Each table contains default chains that perform the tasks needed for the table's purpose, but users are also allowed to define new chains in the tables. Netfilter/Iptables consists of two parts: Netfilter inside the Linux kernel and Iptables outside the kernel. Iptables is responsible for communication between the user and Netfilter, pushing the user's rules into Netfilter for processing. Netfilter filters packets at the IP level. Netfilter works directly in the kernel, so it is fast and does not slow the system down.


Figure 2-6: IPTables

2.4.2 Functions of IPTables
- Integrates well with the Linux kernel, improving the reliability and speed of iptables.
- Inspects every packet closely. This lets the firewall track every connection passing through it and, of course, examine the content of each data stream to predict the next action of the protocols. This is very important for supporting protocols such as FTP and DNS.
- Filters packets based on MAC address and on the flags in the TCP header. This helps prevent attacks that use malformed packets, and blocks access from inside to another network regardless of its IP.
- System logging, with an adjustable reporting level.
- Supports integration with web proxies such as Squid.
- Prevents denial-of-service attacks.

2.4.3 The packet processing mechanism of iptables
Iptables examines every packet passing through the iptables host; this check is performed sequentially from the first entry to the last. There are three kinds of table in iptables.
Mangle table: responsible for altering the quality-of-service bits in the TCP header. This table is usually used in SOHO (Small Office/Home Office) environments.
Filter queue: responsible for packet filtering; it has three built-in chains, described below, which implement the firewall policy rules.


Forward chain (allows packets from a source to pass through the firewall), Input chain (allows packets coming into the firewall), Output chain (allows packets going out from the firewall).
NAT queue: implements NAT (Network Address Translation), providing the following two built-in chains.
Pre-routing chain: NAT from outside into the internal network. NAT is performed before the routing mechanism runs. This is convenient for changing the destination address so that it matches the firewall's routing table; in the configuration, the keyword DNAT describes this technique.
Post-routing chain: NAT from inside out. NAT is performed after routing has run. This changes the source address of the packet. The technique is called one-to-one or many-to-one NAT, also known as Source NAT or SNAT.
OUTPUT: in this chain the firewall performs NAT on its own packets.

| Queue type | Queue function | Chain | Chain function |
|---|---|---|---|
| Filter | Packet filtering | FORWARD | Filters packets going to other servers connected on the firewall's other NICs |
| | | INPUT | Filters packets arriving at the firewall |
| | | OUTPUT | Filters packets leaving the firewall |
| NAT | Network Address Translation (address binding) | PREROUTING | The address change takes place before routing. Changing the destination address makes the packet fit the firewall's routing table. Uses destination NAT, or DNAT. |
| | | POSTROUTING | The address change takes place after routing. Uses source NAT, or SNAT. |
| | | OUTPUT | NAT for packets originating from the firewall itself. Rarely used in SOHO (small office/home office) environments. |
| Mangle | Modifies the TCP header | PREROUTING, POSTROUTING, OUTPUT, INPUT, FORWARD | Adjusts the bits that specify quality of service before routing. Rarely used in SOHO (small office/home office) environments. |

The order in which iptables processes a packet can be summarized by the following figure.


Figure 2-7: Packet processing mechanism of IPTables
Packets coming in from outside are first checked by the PREROUTING chains to see whether they need DNAT; the packet is then routed. If the packet has to go to another system (the protected network), it is filtered by the FORWARD chains of the FILTER table and, if needed, SNAT is applied by the POSTROUTING chains before it reaches the destination system. Similarly, when the destination system replies, the packet follows the same order in reverse. Note that in the figure the FORWARD and POSTROUTING chains of the mangle table only affect the QoS (Quality of Service) characteristics of the packet. If the packet is addressed to the system itself (the system hosting iptables), it is processed by the INPUT chains and, if it is not filtered out, handled by some system service running on the system. When the system sends a reply, the packet it sends is processed by


the OUTPUT chains, and may be processed by the POSTROUTING chains of the FILTER table and the MANGLE table if it needs SNAT or QoS.

2.4.4 Targets and Jumps
A jump is the mechanism that hands a packet to a target for further processing. A target is the action mechanism in iptables, used to identify and check packets. The targets built into iptables include:
- ACCEPT: iptables accepts the packet and passes the data on to its destination.
- DROP: iptables blocks the packet.
- LOG: the packet's information is sent to the syslog daemon; iptables then continues with the next rule in the table describing the rules. If the last rule does not match, the packet is dropped. A commonly used option is --log-prefix="string", which makes iptables record messages beginning with the string.
- REJECT: iptables blocks the packet and sends a notification back to the sender.
- DNAT: changes the destination address of the packet. Option: --to-destination ipaddress.
- SNAT: changes the source address of the packet. Option: --to-source <address>[-address][:<port>-<port>].
- MASQUERADE: used to perform NAT (replacing the source address with the address of the firewall's interface). Option: [--to-ports <port>[-<port>]], which specifies the range of source ports mapped onto the original port range.

2.4.5 Basic rule options of iptables
If the server has only just been started, there are no rules yet, and you will see the following.
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Below are some explanations of the iptables options.
-A: append this rule to a chain. Valid chains are INPUT, FORWARD and OUTPUT, but we mostly act on the INPUT chain, which affects incoming traffic.
-L: list the current rules.
-m conntrack: allows rules to match on the connection state. Enables the --ctstate option.
--ctstate: defines the list of states the rule should match. The valid states are:
  NEW: a connection not yet seen.
  RELATED: a new connection, but related to another connection that has already been allowed.
  ESTABLISHED: a connection that has already been established.
  INVALID: traffic that cannot be identified for some reason.
-m limit: requires the rule to match only a specified number of times. Enables the --limit option. Useful for limiting the number of log entries precisely.
--limit: the maximum number of matches, given as a number per second, minute, hour or day, as the administrator chooses. If this option is not given but -m limit is used, the default is 3 matches per hour.
-p: the connection protocol used.
--dport: the destination port required for this rule. A single port or a range of ports can be given with the syntax start:end, which covers every port from start to end.
-j: jump to the specified target. By default four targets are allowed:
  ACCEPT: accept the packet and stop applying the rules of this chain.
  REJECT: reject the packet, notify the sender that we did so, and stop applying the rules of the chain.
  DROP: silently drop the packet and stop applying the rules of the chain.
  LOG: log the packet and continue processing the other rules of the chain. Enables --log-prefix and --log-level.
  --log-prefix: when logging, put this text in front of the log message. Use double quotes around the text.
  --log-level: log with a specific syslog level. Level 7 is a good choice unless you really need another level.
-i: only consider the packet if it arrives from the specified interface.
-I: insert a rule. Takes two values, the chain to insert into and the rule number. -I INPUT 5 inserts the rule into the INPUT chain as the 5th rule in the list.
-v: display more verbose output. Useful when the rules you have look the same without -v.
-s --source: the source address[/mask].
-d --destination: the destination address[/mask].
-o --out-interface: the name[+] of the outgoing network interface.

We can allow established sessions to receive traffic:
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Example: allowing incoming traffic on a specific port.


We can start blocking traffic, but you are working over SSH, so you need to allow SSH before blocking everything else. To allow traffic on SSH's default port 22, tell iptables to allow all incoming TCP traffic on this port.
# iptables -A INPUT -p tcp --dport ssh -j ACCEPT
Looking back at the list above, we can see what the options mean: append this rule to the INPUT chain, so we act on incoming traffic (-A INPUT); check whether it uses TCP (-p tcp); if it uses TCP, check whether it is going to the SSH port (--dport ssh); if the conditions above are satisfied, accept it (-j ACCEPT). Now let's look at the rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh

Now let's allow all incoming web traffic.
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
Check the current rules:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www

We have allowed tcp, ssh and web traffic, but have not blocked anything, so all traffic can still get in.

2.4.6 Editing iptables
The only problem with our setup is that the loopback port has been blocked. We could fix this by specifying -i eth0, but we also have to add a rule for the loopback port. If we simply add the rule, it is placed at the end, after all traffic has already been blocked. We need to add this rule before the rule that blocks everything. Since there is already a lot of traffic, we add it at the top of the list so that it is processed first.
# iptables -I INPUT 1 -i lo -j ACCEPT
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
DROP       all  --  anywhere             anywhere

The first and last lines look the same, so we list the rules with the verbose option.
# iptables -L -v
Chain INPUT (policy ALLOW 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            tcp dpt:www
    0     0 DROP       all  --  any    any     anywhere             anywhere

Logging

In the example above, no traffic is logged. If you want to record the packets that were dropped in the system log, this is the easiest way.
# iptables -I INPUT 5 -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
Saving iptables

If you reboot the system without saving, the iptables configuration disappears. Instead of retyping these commands after every reboot, you can save them. To save the configuration, use the commands:
# iptables-save and iptables-restore

2.4.7 Conditions in rules
To build an iptables rule, we specify the conditions used to check the packet, and then specify how the packet is to be handled when its information meets those conditions. In this part we examine some basic conditions commonly used in the filter and NAT tables. Iptables only checks packets against the conditions that are specified. The conditions for checking packets are divided into the following groups:
- Generic conditions
- Implicit conditions
- Explicit conditions
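The ruleset built up step by step in 2.4.5 and 2.4.6 (including the logging rule and the catch-all DROP shown in the listings), as one added shell script that is not part of the thesis. It assumes IPTABLES names the iptables binary (root is needed for the real one); with IPTABLES=fake_iptables the stand-in defined below records the chain in a file instead, so the effect of the two -I positions can be checked without touching the kernel.

```shell
#!/bin/sh
# Added example, not code from the thesis. Applies the INPUT ruleset of
# sections 2.4.5 and 2.4.6 in one go. IPTABLES is the command to run; the
# default needs root, fake_iptables (below) is a constructed stand-in.
IPTABLES="${IPTABLES:-iptables}"
CHAIN_FILE="${CHAIN_FILE:-/tmp/fake_input_chain.$$}"

build_input_rules() {
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport ssh -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A INPUT -j DROP
    # Appending would land after the DROP, so loopback is inserted at 1.
    $IPTABLES -I INPUT 1 -i lo -j ACCEPT
    # The DROP is now rule 5; the LOG rule must come before it, hence -I 5.
    $IPTABLES -I INPUT 5 -m limit --limit 5/min -j LOG \
        --log-prefix "iptables denied:" --log-level 7
}

# Stand-in for iptables that understands only "-A <chain>" and
# "-I <chain> <n>", keeping the chain as one rule per line in CHAIN_FILE.
fake_iptables() {
    case "$1" in
        -A) shift; printf '%s\n' "$*" >> "$CHAIN_FILE" ;;
        -I) chain=$2; pos=$3; shift 3
            awk -v p="$pos" -v r="$chain $*" \
                'NR == p { print r } { print } END { if (NR < p) print r }' \
                "$CHAIN_FILE" > "$CHAIN_FILE.new" \
                && mv "$CHAIN_FILE.new" "$CHAIN_FILE" ;;
        *)  echo "fake_iptables: unsupported option $1" >&2; return 1 ;;
    esac
}

reset_chain() { : > "$CHAIN_FILE"; }
rule_count()  { awk 'END { print NR }' "$CHAIN_FILE"; }
rule_at()     { awk -v n="$1" 'NR == n' "$CHAIN_FILE"; }

# Dry run: "sh thisfile.sh --demo" prints the chain in its final order.
if [ "${1:-}" = "--demo" ]; then
    reset_chain
    IPTABLES=fake_iptables
    build_input_rules
    awk '{ print NR ": " $0 }' "$CHAIN_FILE"
fi
```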

2.4.7.1 Generic conditions


Generic conditions can be used in every rule. They are always in effect, regardless of the packet's protocol and regardless of any extension conditions. No special parameter is needed to use these conditions.
-p protocol
This condition checks the protocol of the packet. The protocol can be given by its number (the valid numbers are those declared in the file /etc/protocols); for example 1 means ICMP. The value of -p can also be a list of protocols separated by commas. The value ALL stands for every protocol.
Example: iptables -A INPUT -p tcp,udp
-s source_addr
This condition checks the source address (source_addr) of packets. Its value, source_addr, is an IP address with a netmask, which can be written in CIDR form.
Example: iptables -A INPUT -s 192.168.1.1/27
-d dest_addr
This condition checks the destination address (dest_addr) of packets. Its value, dest_addr, is an IP address with a netmask, which can be written in CIDR form.
Example: iptables -A INPUT -d 192.168.1.1/24
-i in_interface
The -i condition restricts the check to packets arriving on the network interface in_interface. This condition may only be used in the INPUT, FORWARD and PREROUTING chains. Its value, in_interface, is the name of the network interface. The wildcard character + may be used in the interface name. If + stands alone, it represents every network interface. If + directly follows part of an interface name, it stands for every interface whose name begins with that part. For example, the condition -i eth+ applies the rule to any Ethernet interface on the system, excluding other interfaces such as ppp0.
Example: iptables -A INPUT -i eth0
-o out_interface

The -o condition restricts the check to packets leaving through the network interface out_interface. This condition may only be used in the OUTPUT, FORWARD and POSTROUTING chains, the opposite of the -i condition. Its syntax is the same as that of -i.
Example: iptables -A OUTPUT -o eth0

2.4.7.2 Implicit conditions
Implicit conditions are performed, recognized and loaded automatically and completely. There are currently three kinds of implicit condition, for three protocols: checks on TCP packets, on UDP packets and on ICMP packets.
--sport source_port
This condition is only valid when the rule also specifies -p tcp or -p udp. --source-port checks packets by their source port. If this condition is not given, iptables does not check the source port of the packet. Its value, source_port, can be a port number or a service name (valid names are those declared in the file /etc/services); source_port can also be a range of ports separated by ':'.
Example: iptables -A INPUT -p tcp --sport 22:80
--dport destination_port
This condition is only valid when the rule also specifies -p tcp or -p udp. --dport checks packets by their destination port. Its syntax is the same as that of --source-port.
Example: iptables -A INPUT -p tcp --dport 22
--icmp-type type


This condition is only valid when the rule also specifies -p icmp. --icmp-type checks packets by their ICMP type, which can be given as a number or as a name.
Example: iptables -A INPUT -p icmp --icmp-type 8
--syn
The --syn condition is kept from ipchains to ensure compatibility and make migration easier. It matches packets that have the SYN flag set and the ACK and RST flags cleared. Such packets are mainly used to request a new connection to the host. If we drop these packets, all packets.

2.4.8 Explicit conditions
Explicit conditions are conditions that must be loaded specially with the -m option. The difference between explicit and implicit conditions is that implicit conditions are loaded automatically when packet attributes are checked, whereas explicit conditions are never loaded automatically; it is left to the administrator to discover and activate them.
--source-port list
This condition is only valid when the rule also specifies -p tcp or -p udp and -m multiport. --source-port and --sport are not used together in one rule. --source-port is similar to --sport, but its value is a list (of at most 15 entries) of ports separated by commas.
Example: iptables -A INPUT -p tcp -m multiport --source-port 22,53,85,110
--destination-port list
--destination-port is similar to --dport, but its value is a list of ports. Its syntax and the conditions for its use are the same as for --source-port.
Example: iptables -A INPUT -p tcp -m multiport --destination-port 22,53,80,110
--port list
This condition checks packets by both their source port and their destination port. Its syntax and conditions are the same as for --source-port.
Example: iptables -A INPUT -p tcp -m multiport --port 22,53,80,110
--mac-source mac_addr
This condition checks packets by their source MAC address. The MAC address, mac_addr, must be written in the form XX:XX:XX:XX:XX:XX. --mac-source is only valid in the PREROUTING, FORWARD and INPUT chains, and the rule must also specify -m mac.
Example: iptables -A INPUT -m mac --mac-source 00:00:00:00:00:01
The value of a condition can be negated by using the character ! after the condition. For example, with the condition -p ! icmp, iptables checks the packets that do not use the ICMP protocol.

2.5 IPCop

2.5.1 Introduction to IPCop
IPCop is a cut-down Linux distribution able to operate as a firewall, and only as a firewall. It has the advanced features of a firewall, including VPNs using IPSec. IPCop is a licensed version, provided free of charge under the GPL. Many features of the commercial SmoothWall version have been added to the current IPCop version. Although IPCop was developed from SmoothWall, IPCop's kernel is part of the Red Hat 7.2 RPMs. At present both IPCop and SmoothWall use the 2.2 and 2.4 kernels of Red Hat Enterprise.

2.5.2 Features of IPCop
IPCop originated from SmoothWall but developed into a separate project. IPCop's main role is a firewall system for small offices or homes. It is licensed under the GPL and free to use; its only cost is that of the hardware and the installation work. IPCop supports 3 network cards and includes the following features:
- IPChains-based firewall
- DMZ support
- Web-based GUI administration
- SSH server for remote access
- DHCP server
- Caching DNS
- TCP/UDP port forwarding
- Intrusion detection system
- IPSec-based VPN support

IPCop is a complete firewall software system that runs on its own on a computer, together with the operating system it installs. However, it is not packaged as simply as ipchains or the web-based administration tools. It is not just a security service added to a system; it runs separately on a computer, as a complete operating system with firewall features, which users deploy as an Internet gateway.


Figure 2-8: A network model that can use IPCop

2.5.3 Configuring IPCop
After IPCop is installed, it runs with no rules created in advance. So to use it you must create the rules that allow access to the Internet, as well as rules that allow access to the DMZ from the internal network. Many things are needed for an IPCop system to operate: the other services such as the web proxy, DHCP and the Snort IDS must be enabled; port forwarding and the applications that external hosts may access in your network must be set up; the rules for the DMZ zone must be set up.
Web Proxy
An important feature built into IPCop is that the system can act as a web proxy server. The proxy service is disabled by default, but we can run it after configuring it. Choose "Services" on the left-hand side of the configuration screen for the required port, then choose "Web Proxy". The web proxy is then enabled with the Enable checkbox. If the web proxy acts as a gateway in the system, we also need to select "Transparent", which means the network's browser clients do not need a proxy configuration for their web applications; it is configured automatically.
DHCP
IPCop also includes a DHCP feature, able to assign IP addresses on the LAN.
Intrusion Detection
IPCop also includes the Snort Intrusion Detection System (IDS), a system able to monitor the network and recognize attacks on the servers inside the network. If IPCop is used to protect servers (in the DMZ or internal), we will have to use Snort. An IDS such as Snort (or a firewall) does not prevent systems from updating from the vendors' websites, so a client running Windows XP can update from Microsoft's website without being detected or blocked by the IDS. This means intruders may still be able to slip through the system, and they have to be truly experienced in security to work around an IDS.
Port Forwarding and External Service Access
The Port Forwarding and External Service Access tab under the "Services" tab of IPCop allows access from the Internet into the DMZ or the internal systems. A simple example: we have a web server and a mail server installed and running in the DMZ. The ORANGE network is assigned the addresses 192.168.200.x; the web server's address is 192.168.200.10 and the mail server's is 192.168.200.20. The web service uses TCP port 80, while mail uses TCP port 25. Below is the port forwarding configuration for these two applications.
Under Port Forwarding

| Protocol | Source Port | Destination IP | Destination Port |
|---|---|---|---|
| TCP | 80 | 192.168.200.10 | 80 |
| TCP | 25 | 192.168.200.20 | 25 |

Under External Service Access

| Source IP Address | Destination Port |
|---|---|
| ALL | 80 |
| ALL | 25 |

DMZ Pinholes
DMZ Pinholes are used in IPCop to allow access between the ORANGE and GREEN networks; access from the GREEN network to ORANGE is allowed by the system's default configuration.

2.6 Endian firewall

2.6.1 Introduction to Endian firewall
This is one of the most widely used open-source firewalls, with a comprehensive set of features. It is almost a complete management suite, with a stateful firewall, VPN, web proxy, SIP proxy for VoIP, web security, content filtering, mail gateway, antivirus, anti-spyware and anti-phishing capability.

2.6.2 Features of Endian firewall
Easy configuration and management through a web interface; routing and NAT support; port access control; NTP client and NTP server; reports on the system and on traffic; support for a remote syslog server; IPsec VPN for site-to-site VPN, and remote-user support (Windows, MacOSX, Linux) using OpenVPN. Mail security for SMTP and POP3 with antivirus, anti-spyware and anti-phishing programs; a web proxy supporting HTTP, FTP and DNS; SPAM prevention using the "pyzor" spam filter; DNS support.


Intelligent traffic management, also called maximum bandwidth in both directions (Traffic Shaping), for QoS when accessing the Internet (this function is understood as limiting the impact on system speed).

2.7 Applying a firewall against DDoS attacks
DDoS is a form of attack in which hackers make a very large number of connections to the server, overloading it. There are many ways to stop or prevent attacks of this kind: hardware solutions (such as a firewall) or software solutions (DDoS-Deflate).

2.7.1 Checking whether the server is under DDoS
From the Linux command line, type:
[root@lemon tmp]# netstat -anp | grep 'tcp\|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
The command above returns the list of IPs holding the most connections to the server. Note that a DDoS can come from a small number of connections, so even when the result shows few connections we may still be under attack.
[root@lemon tmp]# netstat -n | grep :80 | wc -l
[root@lemon tmp]# netstat -n | grep :80 | grep SYN | wc -l
The first command returns the number of active connections. Many DDoS attacks work by opening a connection to the server and then doing nothing, making the server wait until the timeout. So if the first command returns more than 500, the server is very likely under DDoS. If the second command returns more than 100, the server is very likely under DDoS.

2.7.2 Methods of preventing DDoS
Preventing HTTP DoS or DDoS attacks on CentOS Linux
Allow the "apache" user to use iptables, through sudoers, to block the DDoS IPs. Apache has a module called mod_dosevasive.

LoadModule dosevasive20_module modules/mod_dosevasive20.so
<IfModule mod_dosevasive20.c>
    DOSHashTableSize 3097
    DOSPageCount 2
    DOSSiteCount 50
    DOSPageInterval 1
    DOSSiteInterval 1
    DOSBlockingPeriod 10
    # Optional Directives - /usr/share/doc/mod_dosevasive/README for more info
    DOSEmailNotify admin@domain.be
    DOSWhitelist 192.168.1.*
    DOSSystemCommand "sudo /sbin/iptables -A INPUT -s %s -j DROP"
</IfModule>

The DOSSystemCommand line, sudo /sbin/iptables -A INPUT -s %s -j DROP, means that the apache user is given the right to use iptables to block offending IPs. Before that we must log in as root and allow this user to run iptables, by editing the sudoers file:

[root@lemon tmp]# vim /etc/sudoers

and adding this line:

apache ALL=(ALL) NOPASSWD: /sbin/iptables -A INPUT -s [0-9.]* -j DROP

Note that in sudoers a wildcard such as * also matches spaces, so this pattern lets the apache user append further iptables options after the address; a small wrapper script that validates its single argument and calls iptables itself is the safer way to grant this.

With the configuration above, the module blocks a client IP that requests the same page more than DOSPageCount times (2) within DOSPageInterval (1 second), makes more than DOSSiteCount requests (50) per DOSSiteInterval (1 second) to the same child process, or sends any further request while already blacklisted; the block lasts DOSBlockingPeriod seconds (10).

Defending against SYN flood attacks

A SYN flood is a form of denial-of-service attack in which the attacker sends TCP connection (SYN) packets to the system. It is a very common attack. It is dangerous when the system allocates resources as soon as it receives the SYN from the attacker, before it receives the final ACK. If the three-way handshake is never completed (a half-open connection) and the server is forced to allocate resources to manage it, the attacker can exhaust the server's resources by "flooding" it with SYN packets. SYN floods are common, and they can be limited with the following iptables command:

[root@lemon tmp]# iptables -A INPUT -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j RETURN

All connections to the system are restricted by these parameters: --limit 1/s (average packet rate at most 1 per second) and --limit-burst 3 (at most 3 packets may pass in an initial burst).

Using iptables, add the following rules:

# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
[root@lemon tmp]# iptables -N syn_flood
[root@lemon tmp]# iptables -A INPUT -p tcp --syn -j syn_flood
[root@lemon tmp]# iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
[root@lemon tmp]# iptables -A syn_flood -j DROP

With --limit rate n and --limit-burst number m, these rules limit new connections to the system to n per second once m connections have been made. Adjust --limit and --limit-burst to the requirements and traffic of your network.

Suppose you need to restrict SSH (port 22) to no more than 10 connections per 10 minutes. The rules are:

[root@lemon tmp]# iptables -I INPUT -p tcp -s 0/0 -d $SERVER_IP --sport 513:65535 --dport 22 -m state --state NEW,ESTABLISHED -m recent --set -j ACCEPT
[root@lemon tmp]# iptables -I INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 600 --hitcount 11 -j DROP
[root@lemon tmp]# iptables -A OUTPUT -p tcp -s $SERVER_IP -d 0/0 --sport 22 --dport 513:65535 -m state --state ESTABLISHED -j ACCEPT

A simple shell script against DoS by SYN attack

How this script works: it simply looks for the IP addresses that currently have connections in the SYN_RECV state, puts them on a blacklist and blocks them. Every 2 minutes the system runs the script again, and if an IP is no longer performing a SYN flood it is removed from the block list.

The script consists of 3 files: blocked.ips, iptables.sh and autoblock.sh.

File blocked.ips: a plain text file created with vi, initially empty, used to store the IPs suspected of a DoS.

File iptables.sh: reads the blocked IPs from blocked.ips, blocks them and logs them for monitoring.

IPT=/sbin/iptables
SPAMLIST="spamlist"
SPAMDROPMSG="SPAM LIST DROP"
# every non-empty, non-comment line of blocked.ips
BADIPS=$(egrep -v -E "^#|^$" /root/iptables/blocked.ips)
# create the iptables chain (no-op if it already exists) and empty it,
# so IPs removed from the file are released and rules do not pile up
$IPT -N $SPAMLIST 2>/dev/null
$IPT -F $SPAMLIST
for ipblock in $BADIPS
do
    $IPT -A $SPAMLIST -s $ipblock -j LOG --log-prefix "$SPAMDROPMSG "
    $IPT -A $SPAMLIST -s $ipblock -j DROP
done
# hook the chain into INPUT, OUTPUT and FORWARD exactly once per run
for chain in INPUT OUTPUT FORWARD
do
    $IPT -D $chain -j $SPAMLIST 2>/dev/null
    $IPT -I $chain -j $SPAMLIST
done

File autoblock.sh: finds the IPs currently sending SYN_RECV packets, writes them to blocked.ips, then calls iptables.sh to block them.
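The following is an added example, not one of the thesis' own scripts: the two checks of section 2.7.1 and the three-file autoblock design described here, rewritten as one script that reads `netstat -atun` output from stdin, so it can be run on a saved capture as well as live. It differs from the page's version in four ways: a source is blocked only when it has at least THRESHOLD half-open connections (the page's `uniq -d` blocks any source with two), addresses listed in a whitelist file are never blocked (so the administrator cannot lock himself out), the chain is flushed and refilled on every run (so a host that stopped flooding is released and rules do not pile up), and with DRY_RUN=1 the iptables commands are printed instead of executed. The chain name SYNBLOCK, the threshold of 20, the whitelist path and the sample netstat output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the thesis' scripts): 2.7.1 checks + hardened autoblock.
# Input for every function below is `netstat -atun` output on stdin.

IPT=${IPT:-/sbin/iptables}
CHAIN=${CHAIN:-SYNBLOCK}             # assumed chain name
THRESHOLD=${THRESHOLD:-20}           # assumed: SYN_RECV count that triggers a block
WHITELIST=${WHITELIST:-/root/iptables/whitelist.ips}   # assumed path, one IP per line

# Constructed sample of `netstat -atun` output (not a real capture):
# 203.0.113.7 holds 25 half-open connections to the web server,
# 192.168.1.55 (the administrator's PC) 22, 198.51.100.5 only 3.
sample_netstat() {
    echo 'Proto Recv-Q Send-Q Local Address      Foreign Address    State'
    awk 'BEGIN {
        for (i = 1; i <= 25; i++) printf "tcp 0 0 10.0.0.2:80 203.0.113.7:%d SYN_RECV\n", 40000 + i
        for (i = 1; i <= 22; i++) printf "tcp 0 0 10.0.0.2:80 192.168.1.55:%d SYN_RECV\n", 50000 + i
        for (i = 1; i <= 3;  i++) printf "tcp 0 0 10.0.0.2:80 198.51.100.5:%d SYN_RECV\n", 60000 + i
        print "tcp 0 0 10.0.0.2:80 198.51.100.9:51515 ESTABLISHED"
        print "tcp 0 0 10.0.0.2:22 192.168.1.55:3333 ESTABLISHED"
        print "udp 0 0 0.0.0.0:53 0.0.0.0:*"
    }'
}

# 2.7.1, first check: connections per remote address, most frequent last.
# IPv4 only: cutting on ':' would split an IPv6 address.
top_sources() {
    awk '$1 ~ /^(tcp|udp)$/ && $5 !~ /^0\.0\.0\.0/ { print $5 }' \
        | cut -d: -f1 | sort | uniq -c | sort -n
}

# 2.7.1, second check: half-open connections to local port $1 (default 80);
# the page treats more than 100 of these as a likely SYN flood.
half_open() {
    awk -v p=":${1:-80}" '$1 == "tcp" && $6 == "SYN_RECV" && $4 ~ (p "$") { n++ }
                          END { print n + 0 }'
}

# Sources with at least THRESHOLD half-open connections: "count ip", worst first.
suspects() {
    awk -v t="$THRESHOLD" '
        $1 == "tcp" && $6 == "SYN_RECV" { split($5, a, ":"); n[a[1]]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }' \
        | sort -rn
}

# Run iptables, or just print the command when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi; }

is_whitelisted() { [ -r "$WHITELIST" ] && grep -qxF -- "$1" "$WHITELIST"; }

# Rebuild the block chain from the suspects read on stdin.
rebuild_chain() {
    run -N "$CHAIN" 2>/dev/null            # no-op when the chain already exists
    run -F "$CHAIN"                        # release everyone blocked by the last run
    run -D INPUT -j "$CHAIN" 2>/dev/null   # re-insert the jump exactly once
    run -I INPUT -j "$CHAIN"
    while read -r count ip; do
        if is_whitelisted "$ip"; then
            echo "not blocking whitelisted $ip ($count SYN_RECV)" >&2
            continue
        fi
        run -A "$CHAIN" -s "$ip" -j LOG --log-prefix "SYN-FLOOD DROP "
        run -A "$CHAIN" -s "$ip" -j DROP
    done
}

# `sh autoblock.sh --demo` shows the checks and the rules on the sample above.
# In production the cron entry would be:  */2 * * * * netstat -atun | sh /root/iptables/autoblock.sh
if [ "${1:-}" = "--demo" ]; then
    sample_netstat | half_open 80
    sample_netstat | top_sources | tail -3
    DRY_RUN=1
    sample_netstat | suspects | rebuild_chain
fi
```

Blocking on SYN_RECV alone is still weak evidence: a source behind a large NAT can legitimately hold many half-open connections for a moment, which is why the threshold is deliberately higher than the page's "two".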


#!/bin/bash
# Copyright Hanh_bk
/etc/init.d/iptables start
cd /root/iptables
# every remote address that currently has more than one connection in SYN_RECV
netstat -atun | grep SYN_RECV | awk '{print $5}' | cut -d: -f1 | sort | uniq -d | sort -n > blocked.ips
sh ./iptables.sh

All 3 files are saved in one directory, here /root/iptables, and made executable with chmod (chmod 777 is often used, but chmod 700 is enough because only root runs them). Then autoblock.sh is registered in crontab so that it runs every 2 minutes.

2.7.2.1 Configuring the firewall against DDoS attacks

Assume the local network is 10.0.0.0/8 and the firewall has two network cards: eth0 connects to the Internet and eth1 to the local network.

Against SYN flooding:
[root@lemon tmp]# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
Against port scans (limit the rate of RST packets):
[root@lemon tmp]# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
Against Ping of Death:
[root@lemon tmp]# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
Let packets of established connections continue through the firewall, and drop everything else:
[root@lemon tmp]# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@lemon tmp]# iptables -A FORWARD -j DRO P
Against spoofing of internal addresses from outside:
[root@lemon tmp]# iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
Translate addresses of the internal network going out (SNAT):
[root@lemon tmp]# iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to 203.162.0.10
Translate the web server's address from outside into the internal network (DNAT):
[root@lemon tmp]# iptables -t nat -A PREROUTING -d 203.162.0.9 -p tcp --dport 80 -j DNAT --to 10.0.0.10
Set up a transparent proxy by redirecting port 80 to the Squid proxy server 10.0.0.9:
[root@lemon tmp]# iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 10.0.0.9:3128
Allow only the internal machine whose network card has MAC address 00:C7:8F:72:14 to go out:
[root@lemon tmp]# iptables -A FORWARD -m state --state NEW -m mac --mac-source 00:C7:8F:72:14 -j ACCEPT
Load balancing in both the inbound and the outbound direction (the nth match is a patch-o-matic extension, not part of stock iptables; newer versions provide the same with -m statistic --mode nth):
[root@lemon tmp]# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 0 -j SNAT --to-source 10.0.0.5
[root@lemon tmp]# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 1 -j SNAT --to-source 10.0.0.6
[root@lemon tmp]# iptables -t nat -A POSTROUTING -o eth0 -m nth --counter 7 --every 3 --packet 2 -j SNAT --to-source 10.0.0.7
Prioritise throughput for web access:
[root@lemon tmp]# iptables -A PREROUTING -t mangle -p tcp --sport 80 -j TOS --set-tos Maximize-Throughput
Block the Nimda and CodeRed worms (application level) by matching the "c+dir" string of their cmd.exe probe (the string match on 2.6 kernels requires --algo):
[root@lemon tmp]# iptables -I INPUT -p tcp -s 0.0.0.0/0 -m string --algo bm --string "c+dir" -j DROP
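The rules of 2.7.2.1 above as one ordered script, as an added example that is not the thesis' own listing. Rule order matters in iptables, so the script accepts established traffic first, then drops spoofed packets, then runs the rate-limited checks, and ends the FORWARD chain with DROP so that the SYNs, RSTs and echo-requests above the limits are discarded instead of falling through. Anti-spoofing is done in the filter table rather than in nat PREROUTING, which only sees the first packet of each connection; the web server DNAT is placed before the transparent-proxy redirect and the redirect is limited to the LAN side, otherwise visitors of the web server would be sent to Squid as well. Interfaces and addresses are the page's; the variable names and the --apply flag are this example's own. With IPT=echo the rules are printed instead of applied.

```shell
#!/bin/sh
# Added example (not the thesis' listing): the 2.7.2.1 gateway rules, ordered.
IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}                     # Internet side
LAN=${LAN:-eth1}                     # local network side
LAN_NET=${LAN_NET:-10.0.0.0/8}
SNAT_IP=${SNAT_IP:-203.162.0.10}     # public address used for outgoing SNAT
WEB_PUBLIC=${WEB_PUBLIC:-203.162.0.9}
WEB_IP=${WEB_IP:-10.0.0.10}
PROXY=${PROXY:-10.0.0.9:3128}        # transparent Squid

gateway_rules() {
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -t nat -F POSTROUTING

    # 1. Packets of connections already accepted below pass without further checks.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # 2. Anti-spoofing: an internal source address may not arrive on the WAN side.
    $IPT -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP
    # 3. SYN flood: new connections at 1/s (the page's value; it also caps the
    #    published web server at one new connection per second, so tune it).
    $IPT -A FORWARD -p tcp --syn -m limit --limit 1/s --limit-burst 3 -j ACCEPT
    # 4. Port scans: slow RST replies down to 1/s.
    $IPT -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # 5. Ping of death / ICMP flood: one echo-request per second.
    $IPT -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
    # 6. Everything else, including the packets above the limits, is dropped.
    $IPT -A FORWARD -j DROP

    # Outgoing: hide the local network behind the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j SNAT --to-source "$SNAT_IP"
    # Incoming: publish the internal web server (before the proxy redirect).
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$WEB_PUBLIC" -p tcp --dport 80 -j DNAT --to-destination "$WEB_IP"
    # LAN browsers only: transparent proxy through Squid.
    $IPT -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j DNAT --to-destination "$PROXY"
}

# `sh gateway.sh --apply` installs the rules; `IPT=echo sh gateway.sh --apply` prints them.
if [ "${1:-}" = "--apply" ]; then
    gateway_rules
fi
```

Running it with IPT=echo before applying it is the cheapest review: every rule is printed in the order the kernel will evaluate it, which is exactly what goes wrong when the rules are typed one by one at different times.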

Chapter 3 Experimental Model


3.1 Description of the experiment


Today, with the development of information technology, a computer network is indispensable to a business; it brings many benefits to organisations and companies through its applications such as e-mail, data and VPN. Alongside those benefits come the risks of hackers exploiting vulnerabilities in those applications to attack a company's network, so companies have to build very complex networks that demand advanced security techniques and technologies. Which techniques or technologies are used depends on the needs of each organisation, but two basic components found in almost every system are the firewall and the intrusion detection system (IDS). The experimental model presented here is therefore one that is used in practice, chosen to evaluate how the network operates, how the firewall works, and the detection and blocking capability of the IDS.

Figure 3-1: Network overview
In this model, a hacker who wants to attack the DMZ has to pass the packet-analysis system (IDS) and the firewall first; only if he gets past the firewall and the IDS can he attack the DMZ.

3.2 Experimental network infrastructure


The experimental network consists of a mail server and a web server on Windows Server 2003 with IP 10.0.0.2, and a firewall and Snort intrusion detection system (IDS) on CentOS. The CentOS machine has two network cards, eth0 and eth1: eth1 has IP 10.0.0.10 and connects to the Windows Server 2003 machine; eth0 has IP 192.168.1.200 and connects to the router for Internet access. The DDoS attack system is a Windows XP machine with IP 192.168.1.55. To carry out the experiment we configure iptables and Snort step by step, then attack the web server from the Windows XP machine while using Snort to monitor and detect the traffic entering the system and the firewall to block the malicious traffic.

Figure 3-2: Experimental model

3.3 Installing iptables and Snort on CentOS

3.3.1 Installing and configuring iptables
Check whether iptables is installed:

Figure 3-3: Checking the iptables installation
iptables is installed, version 1.3.5-5.3.el5.
Start iptables:

Figure 3-4: Starting iptables
Configuring iptables
There are 2 ways to configure iptables: with commands, or by editing the file /etc/sysconfig/iptables. Rules added with commands are lost when the iptables service is restarted unless they are written to that file with `service iptables save`. To view the rule table created when iptables was installed, use:
#cat /etc/sysconfig/iptables

Figure 3-5: iptables configuration
Configuring NAT in and NAT out


Based on the model above, we have to configure NAT out and NAT in on eth0 so that the internal machines can reach the Internet and external machines can reach the mail server on the Windows 2003 machine.
Enable routing:
#vi /etc/sysctl.conf
Change the line net.ipv4.ip_forward = 0 to net.ipv4.ip_forward = 1
Enable forwarding between the network cards immediately:
#echo 1 > /proc/sys/net/ipv4/ip_forward
Check:
#sysctl -p : the output should contain the line net.ipv4.ip_forward = 1

Figure 3-6: Enabling IP forwarding
Configuring NAT out

Figure 3-7: Configuring NAT out
Explanation:
-A : append a rule to the chain
POSTROUTING : the chain in which the source address is rewritten
-s 10.0.0.0/8 : source, the internal network
-d 0/0 : destination, the Internet
-o eth0 : going out through eth0
#service iptables restart
Check that iptables has been updated:

#cat /etc/sysconfig/iptables

Figure 3-8: Checking NAT out
Configuring NAT in

Figure 3-9: Configuring NAT in
Explanation:
-i eth0 : coming in through eth0
-p tcp : the TCP protocol is used for the connection
-d 192.168.1.10 : the destination address that is translated inward
#service iptables restart
#cat /etc/sysconfig/iptables : check that iptables has been updated


Figure 3-10: Checking NAT in
To test, ping 10.0.0.2 from the Windows XP machine (IP 192.168.1.2); if the ping succeeds, the networks 10.0.0.0/8 and 192.168.1.0/24 can reach each other.

Figure 3-11: Testing with ping

3.3.2 Installing and configuring Snort
Install the dependencies: mysql, mysql-bench, mysql-server, mysql-devel, yum-utils, php-mysql, httpd, gcc, pcre-devel, php-gd, gd, distcache-devel, mod_ssl, glib2-devel, gcc-c++, libpcap-devel, php, php-pear.
The machine must be connected to the Internet and have the CentOS 5.2 sources available.

Figure 3-12: Installing the dependencies
#mkdir /snort : create the snort directory

#tar zxvf snort-2.8.4.1.tar.gz -C /snort : extract snort-2.8.4.1.tar.gz into the snort directory just created
Install Snort:
#cd snort-2.8.4.1
#./configure --with-mysql --enable-dynamicplugin
#make
#make install
Configuring Snort
Create the working directories for Snort:

Figure 3-13: Creating the working directories for Snort
Copy the Snort configuration files to the snort directory just created under /etc/snort:

Figure 3-14: Copying the Snort configuration files
Create a group and a user for Snort, and set ownership so that Snort can write to the log directory:

Figure 3-15: Creating the user and group
Installing the Snort rule set
#tar xzvf snortrules-snapshot-2.8.tar.gz -C /snort : extract into the snort directory
#cd rules : enter the rules directory of the extracted archive
#cp * /etc/snort/rules : copy into the rules directory created above
Edit the Snort configuration file:


Figure 3-16: Installing the rules for Snort
Setting Snort to start with the system
Create a symbolic link from the snort binary to /usr/sbin/snort, and copy the scripts from the extracted snort directory to /etc/sysconfig/snort.

Figure 3-17: Setting up Snort
Reset the permissions on the snort file:

Figure 3-18: Resetting permissions for Snort
Managing Snort with Webmin
Install Webmin:

Figure 3-19: Installing Webmin
Log in to Webmin at http://localhost-1:10000/ with username root and password 12345678.


Figure 3-20: Managing Snort with Webmin

3.3.3 Configuring the MySQL server
Create the database in MySQL:

Figure 3-21: Creating the database
Installing BASE and ADODB
Download ADODB from http://nchc.dl.sourceforge.net/sourceforge/adodb/
#tar xzvf adodb480.tgz -C /var/www/html/ : extract adodb480.tgz into the html directory


Download BASE from http://nchc.dl.sourceforge.net/sourceforge/secureideas/
#tar zxvf base-1.44.tar.gz -C /var/www/html/ : extract base-1.44.tar.gz into the html directory
#mv base-1.44/ base/
#cd base
#cp base_conf.php.dist base_conf.php
Configuring BASE
#vi base_conf.php

Figure 3-22: Installing BASE and ADODB
#service snortd restart
#service httpd restart
At this point Snort can be managed through the web interface. Log in to BASE at http://10.0.0.10/base


Figure 3-23: Main BASE interface

3.3.4 The system after installation
Basic information:

Windows 2003: runs network services such as an FTP server and a web server, and has one network card connected to CentOS. Network: IP 10.0.0.2, SM 255.0.0.0, GW 10.0.0.10
CentOS: runs iptables, snort-2.8.4.1, MySQL server, PHP, BASE and ADODB, and has 2 network cards: eth1 connected to Windows 2003, eth0 connected to the router for Internet access. eth0: IP 192.168.1.200, SM 255.255.255.0, GW 192.168.1.1. eth1: IP 10.0.0.10, SM 255.0.0.0
Windows XP: runs the Nmap port scanner and the DDoS attack tools, and has one network card connected to the router for Internet access. Network: IP 192.168.1.55, SM 255.255.255.0, GW 192.168.1.1
Snort statistics
From the Windows XP machine we run the port scanner against the Windows 2003 machine:

Figure 3-24: Nmap running
From the figure, the Windows XP machine sees that port 80 is open on Windows 2003, serving HTTP with Microsoft IIS web server 6.0, while the other ports are closed. A hacker can use this information to attack the web server.
Checking with BASE: BASE provides a graphical tool that lets the administrator retrieve and analyse alerts.


Figure 3-25: BASE analysing packets
Under Traffic Profile By Protocol, click Portscan Traffic to see the frequency of the alerts.

Figure 3-26: Snort detecting the Nmap port scan
In the Summary Statistics table, click the Destination link in the Unique addresses row to see the destination addresses under attack.

Figure 3-27: Addresses scanned
To view the content of a packet, click the ID column of that packet. This feature is particularly useful: it lets the IDS administrator review the whole packet that produced the alert, which helps to tune the rules more precisely.

Figure 3-28: Packet content


On the main page, click Graph Alert Detection Time to see a chart of alert frequency by hour, day or month. This chart is very useful: it shows the unusual moments and helps the administrator focus on the important points.

Figure 3-29: Statistics by hour

3.4 Simulating the attacks and the experiments

3.4.1 ICMP Flood Attack
Attack method
From the Windows XP machine we use the DDoS tool CrazyPing to attack Windows 2003 with 50 connections and a packet size of 65500 bytes.

Figure 3-30: DDoS tool CrazyPing

Figure 3-31: CrazyPing running
Now let us look at the Snort statistics collected while Windows XP attacks Windows 2003.


Figure 3-32: Packets passing through Snort


Figure 3-33: Network card bandwidth on CentOS
From the two figures above, Snort captured ICMP packets exclusively (100%) and the network card on CentOS is nearly saturated.
Prevention
We use the iptables firewall to prevent this overload with the following rule set:

Figure 3-34: Blocking with the firewall
Explanation of the rule set:
iptables -N CHECK_FLOOD : create a new chain named CHECK_FLOOD

-A CHECK_FLOOD : add a new rule to chain CHECK_FLOOD
-m limit --limit 2/minute --limit-burst 6 : limit chain CHECK_FLOOD to a burst of 6 packets, with an average limit of 2 packets per minute
-A CHECK_FLOOD -j DROP : drop the packet if it does not satisfy the condition above
The last rule attaches chain CHECK_FLOOD to chain INPUT for interface eth0, protocol icmp, type echo-request.
The limit match works as a token bucket. The bucket starts with 6 tokens (--limit-burst 6); each packet that finds a token spends one and is returned to INPUT (accepted); tokens are refilled at 2 per minute (--limit 2/minute), never beyond 6. So the first 6 pings to eth0 pass immediately; once they are used up, only 2 pings per minute pass, no matter how many arrive at eth0. If no ping arrives for a minute, 2 tokens are returned, and after three quiet minutes the bucket is full again and the next 6 pings pass as a burst. The process continues like this.
Result

Figure 3-35: Limiting the packets sent to Windows 2003
We can see that iptables works very effectively: it limits the number of packets sent to the server, so the system withstands attacks that try to flood it. The options are very flexible; rules can be set for any level of packets allowed into the system.
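To make the behaviour of `--limit 2/minute --limit-burst 6` in CHECK_FLOOD concrete, here is a small simulator of the limit match, added as an example (it is not part of the thesis and not kernel code). The match is a token bucket: it starts full (6 tokens), every packet that finds a token is matched (here RETURN, i.e. accepted) and spends one, and tokens come back at the configured rate (one per 30 s for 2/minute) up to the burst size. Timestamps are in milliseconds; the kernel keeps its credit in finer units, but the accept/drop pattern is the same. The function names and the packet timings are this example's own.

```shell
#!/bin/sh
# Added example (not from the thesis): simulator of iptables' `-m limit`.

# Milliseconds between two tokens for an iptables rate such as "2/minute"
# or "1/s"; like iptables, a bare number means per second.
limit_interval() {
    n=${1%%/*}
    case "$1" in */*) unit=${1#*/} ;; *) unit=second ;; esac
    case "$unit" in
        s|sec|second) per=1 ;;
        m|min|minute) per=60 ;;
        h|hour)       per=3600 ;;
        d|day)        per=86400 ;;
        *) echo "unknown unit: $unit" >&2; return 1 ;;
    esac
    echo $(( per * 1000 / n ))
}

# Usage: limit_simulate BURST RATE T1 T2 ... (packet times in ms, ascending).
# Prints one letter per packet: A = within the limit (the rule matches),
# D = over the limit (the packet falls through to the next rule, -j DROP
# in CHECK_FLOOD).
limit_simulate() {
    burst=$1; rate=$2; shift 2
    interval=$(limit_interval "$rate") || return 1
    cap=$(( burst * interval ))            # credit of a full bucket
    credit=$cap; last=$1; out=""
    for t in "$@"; do
        credit=$(( credit + t - last ))    # refill for the time elapsed
        last=$t
        if [ "$credit" -gt "$cap" ]; then credit=$cap; fi
        if [ "$credit" -ge "$interval" ]; then
            credit=$(( credit - interval )); out="${out}A"
        else
            out="${out}D"
        fi
    done
    echo "$out"
}

# `sh limit.sh --demo`: CHECK_FLOOD against one ping per second for 10 s,
# then one ping at 30 s and one at 31 s. The first 6 pass, the next 4 are
# dropped, one token is back at 30 s, and 31 s is too early for the next.
if [ "${1:-}" = "--demo" ]; then
    limit_simulate 6 2/minute 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 30000 31000
fi
```

The same function shows why a flood of 50 pings per second still lets 2 per minute through: the limit match throttles rather than blocks, which is what the page's Figure 3-35 reports.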


3.4.2 DoSHTTP attack
Attack method
Before the attack we can still access the web server at http://10.0.0.2 normally.

Figure 3-36: Web server running
From Windows XP we use the DoSHTTP tool to attack the Windows 2003 web server at http://10.0.0.2


Figure 3-37: DoSHTTP tool
Windows XP sends connection (SYN) packets to the system hosting the web server. Windows 2003 receives the SYN from Windows XP and then waits for the ACK (the TCP three-way handshake). While the three steps are not completed, Windows 2003 is stuck waiting for the connection and has to allocate resources to manage it, so Windows XP can exhaust the resources of Windows 2003 by filling its memory with SYN packets.

Figure 3-38: Server resources overloaded


Figure 3-39: Web page unreachable

Figure 3-40: Snort analysing packets
At this point we can no longer access the web server, because the website cannot serve HTTP requests and shows the error message seen above.
Prevention
We use the iptables firewall to prevent the overload with the following rule set:


Figure 3-41: Creating the blocking rules
Explanation of the rule set:
-N syn_flood : create a new chain named syn_flood
-p tcp : the TCP protocol
-A INPUT : attach chain syn_flood to chain INPUT
--limit 1/s : average packet rate at most 1 per second
--limit-burst 3 : at most 3 packets may pass in a burst
These rules limit the number of new connections to the system to n per second once m connections have been made.
Result
After iptables limits the connections to the server, the server's resource usage drops sharply and we can access the website again.

Figure 3-42: Resource consumption reduced


CONCLUSION
With the development of information technology in general and of computer networking in particular, many new technologies have been applied successfully and bring significant benefits: lower costs, better security across the whole network, and integrity of the data on it. This thesis introduced basic knowledge about security and about handling situations in which a system is under DoS and DDoS attack. Although the experimental model presented is relatively small and simple and has many limitations, it shows the essentials of how DoS and DDoS attacks are carried out and prevented, and a firewall system can be deployed in practice on that basis. The experimental results were fairly successful: attacks from outside were blocked from inside. Building a defence system with iptables is quite effective, and it runs on Linux, which has strong security, so the goal of this thesis can be applied well in practice. However, besides the advantages of the iptables firewall over hardware firewalls, iptables is harder to approach in terms of deployment and application, and in practice it requires a deep understanding of the Linux operating system; in addition, knowledge of integrating several operating systems is needed to build a good and stable system.


