Table of Contents
I - Denial of service (DoS) attacks
I.1 - Introduction to DoS
2.a - DDoS
2.b - Spamming
2.c - Sniffing and keylogging
2.d - Identity theft
2.e - Software piracy
IV.3 - The different kinds of bot
3.a - GT-Bot
3.b - Agobot
3.c - DSNX
3.d - SDBot
IV.4 - Elements of an attack
IV.5 - Defending against botnets
5.a - Subscribe to a web filtering service
5.b - Switch browsers
5.c - Disable scripts
5.d - Deploy intrusion detection and intrusion prevention systems
5.e - Protect user-generated content
5.f - Use software tools
V - Conclusion
VI - References
...public sites in February 2000. Over three days, Yahoo.com, amazon.com, buy.com, cnn.com and eBay.com came under attack (Yahoo, for example, was pinged at 1 GB/s).
Since then DoS attacks have occurred regularly. Examples:
- On 15 August 2003, Microsoft suffered a very strong DoS attack that disrupted its websites for about two hours;
- At 15:09 GMT on 27 March 2003, the entire English-language version of the Al-Jazeera website was attacked and disrupted for several hours.
4.a - Smurf :
- Smurf is a classic DoS attack. The attacker's machine sends a large number of ICMP echo requests (pings) in a short time to the broadcast address of a network, with the source IP address of every echo request replaced by the victim's IP address. Each host on that network answers with an ICMP echo reply, and all of those replies go to the victim.
- As a result the target receives one echo reply per responding host for every spoofed request, a flood that makes its network drop packets or slow down until it can no longer serve any other service. The attack depends on two things a network can refuse to do: routers forwarding directed broadcasts (off by default since RFC 2644) and hosts answering pings sent to a broadcast address.
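One way to recognise a Smurf flood in flow data, as an added example that is not part of the original document: the signature is a burst of ICMP echo replies to one destination from many hosts of the same subnet, none of which that destination ever sent an echo request to. The flow records below are constructed for the demonstration; the addresses, the 2-second request/reply matching window and the 20-source threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_network

ECHO_REQUEST, ECHO_REPLY = 8, 0  # ICMP type codes


def build_sample():
    """Constructed flow records (t_seconds, src, dst, icmp_type) for the demo."""
    victim, peer = "203.0.113.10", "198.51.100.5"
    recs = [
        (1.00, victim, peer, ECHO_REQUEST),  # victim pings a peer ...
        (1.02, peer, victim, ECHO_REPLY),    # ... and gets a legitimate reply
    ]
    # 60 hosts on 192.0.2.0/24 answer a spoofed broadcast echo "from" the victim
    for i in range(60):
        recs.append((5.0 + i * 0.005, f"192.0.2.{i + 1}", victim, ECHO_REPLY))
    return recs


def smurf_alerts(records, window=2.0, min_sources=20):
    """Return [(victim, reflector_subnet, n_reflectors)] for unsolicited echo-reply
    floods: replies whose destination sent no echo request to that source within
    `window` seconds, grouped by the reflectors' /24 (assumed broadcast domain)."""
    last_request = {}                 # (requester, target) -> time of last echo request
    unsolicited = defaultdict(set)    # (victim, subnet) -> reflector addresses
    for t, src, dst, typ in sorted(records, key=lambda r: r[0]):
        if typ == ECHO_REQUEST:
            last_request[(src, dst)] = t
            continue
        if typ != ECHO_REPLY:
            continue
        asked = last_request.get((dst, src))
        if asked is not None and t - asked <= window:
            continue                  # reply to a request the receiver really sent
        subnet = ip_network(f"{src}/24", strict=False)
        unsolicited[(dst, subnet)].add(src)
    return [(victim, str(net), len(srcs))
            for (victim, net), srcs in unsolicited.items() if len(srcs) >= min_sources]


def amplification(reply_count, request_count):
    """Replies produced per spoofed request; a fully populated /24 yields up to 254."""
    return reply_count / request_count if request_count else float("inf")


if __name__ == "__main__":
    for victim, net, n in smurf_alerts(build_sample()):
        print(f"Smurf: {n} hosts of {net} flooding {victim}, "
              f"amplification ~{amplification(n, 1):.0f}x per spoofed echo")
```

The legitimate reply at t=1.02 is ignored because the victim itself sent the matching request; the 60 replies at t=5 have no such request and trip the rule as a single alert keyed on the reflector subnet.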
4.c - Ping of death :
- The attacker sends an IP datagram that, once reassembled, is larger than the maximum an IP datagram may be: 65,535 bytes (the limit of the 16-bit total-length field).
- Fragmentation of an IP datagram into smaller pieces is done at layer 3 (IP). Each fragment carries an offset in 8-byte units, and the largest offset plus the last fragment's length can describe a datagram beyond 65,535 bytes.
- An oversized reassembled datagram overflows the receiver's reassembly buffer. An operating system that does not check the size crashes and reboots, or simply loses network connectivity.
- Recognising an attacker sending fragments that reassemble beyond the permitted size is relatively easy: the check is whether offset * 8 + fragment length exceeds 65,535.
4.d - Teardrop :
In a packet-switched network, data is split into many small packets, each carrying its own offset value, and they may travel to the destination by different paths. At the destination, the offset of each packet is used to reassemble the data in its original order.
Exploiting this, the attacker creates packets whose offset values overlap one another and sends
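Ping of death and Teardrop are caught by the same reassembly check, shown here as an added example that is not from the original document: refuse a fragment when offset * 8 + length runs past the 16-bit datagram limit, and refuse one whose byte range overlaps a fragment already received. The three fragment sets are constructed; the 1480-byte fragment size and the 36-byte/4-byte Teardrop pair are assumptions for the demonstration.

```python
MAX_DATAGRAM = 65535  # IP total length is a 16-bit field; the real bound for payload
                      # bytes is tighter by the header length (at least 20 bytes)


def check_fragments(fragments):
    """Validate the fragments (offset_in_8_byte_units, more_fragments, payload_len)
    of one datagram. Returns oversized byte ranges, overlapping range pairs, and
    whether a complete, contiguous, sane datagram was received."""
    seen, oversized, overlaps, last_seen = [], [], [], False
    for off_units, more, plen in fragments:
        start, end = off_units * 8, off_units * 8 + plen     # byte range [start, end)
        if end > MAX_DATAGRAM:
            oversized.append((start, end))                   # Ping of Death signature
        for s, e in seen:
            if start < e and s < end:
                overlaps.append(((s, e), (start, end)))      # Teardrop signature
        seen.append((start, end))
        if not more:
            last_seen = True
    covered, contiguous = 0, True
    for s, e in sorted(seen):
        if s > covered:
            contiguous = False                               # hole: still waiting
            break
        covered = max(covered, e)
    complete = last_seen and contiguous and not oversized and not overlaps
    return {"oversized": oversized, "overlaps": overlaps, "complete": complete}


# Constructed fragment sets (offset units, MF flag, payload bytes)
NORMAL = [(0, True, 1480), (185, True, 1480), (370, False, 40)]   # 3000-byte datagram
TEARDROP = [(0, True, 36), (3, False, 4)]                          # 24..28 lies inside 0..36
PING_OF_DEATH = [(0, True, 1480), (8189, False, 100)]             # ends at 65612 > 65535


if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping of death", PING_OF_DEATH)]:
        print(name, check_fragments(frags))
```

A real stack must apply these checks per fragment as it arrives, before copying into the reassembly buffer; checking only after the last fragment is exactly the mistake the two attacks exploited.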
A denial of service attack can also involve running malware intended to:
- Overload processing capacity so that the system cannot perform any other work.
- Trigger faults in the computer's microcode.
- Trigger faults in the instruction stream that leave the machine unstable or frozen.
- Exploit operating system bugs that lead to resource starvation or thrashing, for example by consuming all available capacity so that no real work can complete.
- Crash the system.
iFrame denial of service: an HTML page can request a target web page a very large number of times, over and over, until the target site's bandwidth is exhausted.
Appearing in early 2002, this is the newest and most powerful attack in the DoS family.
- During the attack: detect and prevent the attack, mitigate and stop it, deflect it.
- After the attack: collect evidence and draw lessons.
The detailed stages of DDoS defense:
[Figure: DDoS countermeasures, reconstructed from the diagram's labels]
DDoS Countermeasures
  Detect and neutralize handlers
  Detect and prevent agents / potential attacks: egress filtering; individual user (install software patches, built-in defenses); network service provider (MIB statistics)
  Mitigate/stop attack: load balancing, throttling, drop requests
  Deflect attack: honeypots, shadow real network, study attack cost
  Post-attack forensics: traffic pattern analysis, packet traceback, event logs
- Some solutions build into the hardware and software of each system the ability to block the installation of dangerous code. On the user side, users should install and keep continuously updated software such as antivirus and anti-trojan tools and the operating system's server patches.
- From the network service provider: billing access by volume makes users pay attention to what they send, so awareness of DDoS agents rises naturally with each user.
- Traffic Pattern Analysis: if data and statistics on how traffic volume varies over time are retained, they can be analysed. This analysis is very useful for tuning load balancing and throttling systems. The data also helps the network administrator adjust the rules that control traffic entering and leaving the network.
- Packet Traceback: traceback techniques let us trace back to the attacker's location (at least the attacker's subnet). Traceback can be extended into fairly effective blocking of the traffic traced back to the attacker. Recently a rather effective traceback technique has appeared that can find the source of an attack in under 15 minutes, the XXX technique.
- Event Logs: by analysing log files after the attack, the network administrator can find many clues and important pieces of evidence.
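Traffic pattern analysis in practice, as an added example not taken from the original document: per-second counts of connection attempts are compared against a robust baseline (median plus a multiple of the median absolute deviation, a common choice here rather than one the text prescribes), the anomalous seconds are listed, and the sources dominating those seconds are ranked, which is the input a throttling or filtering rule needs. The log is generated for the demonstration; the address ranges, the 3-7 SYN/s baseline and the 300 SYN/s burst are assumptions.

```python
import random
from collections import Counter
from statistics import median


def build_sample(seed=7):
    """Constructed log of TCP SYNs to a web server: (t_seconds, src_ip).
    Seconds 0-59: 3-7 SYN/s from 50 normal clients; seconds 60-69 add 300 SYN/s
    from 20 flood sources."""
    rng = random.Random(seed)
    normal = [f"198.51.100.{i}" for i in range(1, 51)]
    flood = [f"192.0.2.{i}" for i in range(1, 21)]
    recs = []
    for sec in range(70):
        for _ in range(rng.randint(3, 7)):
            recs.append((sec + rng.random(), rng.choice(normal)))
        if sec >= 60:
            for _ in range(300):
                recs.append((sec + rng.random(), rng.choice(flood)))
    return recs


def per_second(records):
    """Time series of SYN counts, one entry per whole second from 0 to the last."""
    counts = Counter(int(t) for t, _ in records)
    return [counts.get(s, 0) for s in range(max(counts) + 1)]


def anomalous_seconds(series, baseline_len=30, factor=5.0):
    """Seconds after the baseline period whose count exceeds median + factor * MAD
    of the baseline. Returns (list_of_seconds, threshold)."""
    base = series[:baseline_len]
    med = median(base)
    mad = max(median(abs(x - med) for x in base), 1.0)   # floor the MAD at one SYN/s
    threshold = med + factor * mad
    flagged = [s for s, v in enumerate(series) if s >= baseline_len and v > threshold]
    return flagged, threshold


def top_sources(records, seconds, n=5):
    """Sources with the most SYNs inside the flagged seconds, with their share."""
    wanted = set(seconds)
    hits = Counter(src for t, src in records if int(t) in wanted)
    total = sum(hits.values())
    return [(src, c, round(c / total, 3)) for src, c in hits.most_common(n)]


def analyse(records):
    series = per_second(records)
    flagged, threshold = anomalous_seconds(series)
    return {"threshold": threshold, "flagged": flagged,
            "top": top_sources(records, flagged)}


if __name__ == "__main__":
    report = analyse(build_sample())
    print(f"threshold {report['threshold']:.1f} SYN/s; flagged seconds {report['flagged']}")
    for src, count, share in report["top"]:
        print(f"  {src:<14} {count:>4} SYNs  {share:.1%}")
```

The same per-second series, kept over weeks, is what lets the load-balancing and throttling thresholds mentioned above be set from measured peaks rather than guesses.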
IV Botnet.
Brief history:
- The end of the twentieth century and the start of the new millennium marked the rapid, strong development of a number of distinct attack strategies aimed at networked systems. DDoS, Distributed Denial of Service, the notorious distributed form of the denial-of-service attack, was born. Like its sibling DoS (denial of service), DDoS spread very widely, mainly because it is simple to carry out yet hard to trace. Although much experience in responding to it has been shared and a considerable body of knowledge about it exists, DDoS remains a serious threat today and a dangerous tool in the hacker's hands. Let us look at DDoS and its successor: botnet attacks.
1.c - IRC
- IRC stands for Internet Relay Chat. It is a protocol designed for real-time, chat-style communication (RFC 1459, updated by RFC 2810, 2811, 2812 and 2813), built on a client-server architecture. Most IRC servers allow free access, regardless of who the user is. IRC is an open network protocol running over TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
- An IRC server connects to other IRC servers in the same network. IRC users can communicate either publicly (on channels) or privately (one to one). There are two basic levels of access to an IRC channel: user and operator. The user who creates a channel becomes its operator. An operator has more privileges (depending on the channel modes set by the original operator) than an ordinary user.
- IRC bots are treated like an ordinary user (or operator). They are daemon processes that can run a number of operations automatically. Controlling these bots normally comes down to sending commands to a channel the hacker has set up, with sabotage as the main purpose. Of course, administering the bots also requires authentication and authorization, so only their owner can use them.
- An important component of these bots is the set of events they can use to spread quickly to other computers. Planning the attack program carefully yields better results in less time (compromising more computers, for instance). A group of bots connected to one channel, waiting for the attacker's commands, is called a botnet.
- Not long ago, zombie networks (another name for bot-compromised computers) were usually controlled through proprietary tools developed by the crackers themselves. Over time they moved to remote-control methods. IRC is considered the best tool for launching attacks thanks to its flexibility, ease of use and, above all, the fact that public servers can be used as the communication medium. IRC offers a simple way to control hundreds, even thousands, of bots at once. It also lets the attacker hide their real identity with simple tricks such as anonymous proxies or spoofed IP addresses. Yet for the same reason the attacker leaves traces that a server administrator can follow.
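A parser for the IRC line format described above (RFC 1459 section 2.3: optional ":" prefix, a command word or three-digit reply, space-separated parameters, and a trailing parameter introduced by " :"), as an added example that is not taken from the original document. The captured session is constructed; the nick, channel name and channel key are assumptions. Because the grammar rather than the port is recognised, the same function identifies IRC carried over any TCP port, which is the kind of activity this document later treats as suspicious.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

_COMMAND = re.compile(r"^(?:[A-Za-z]+|\d{3})$")
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "MODE", "TOPIC", "QUIT"}


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str] = field(default_factory=list)


def parse_irc_line(line):
    """Split one IRC line into prefix, command and parameters (RFC 1459 2.3.1).
    Raises ValueError for text that does not follow the grammar."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")     # trailing param may contain spaces
    parts = head.split()
    if not parts or not _COMMAND.match(parts[0]):
        raise ValueError(f"not an IRC message: {line!r}")
    params = parts[1:]
    if sep:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


def looks_like_irc(lines, min_hits=2):
    """True if at least `min_hits` of the first lines of a TCP stream parse as IRC
    messages with known commands or numeric replies, whatever port they used."""
    hits = 0
    for line in lines[:6]:
        try:
            msg = parse_irc_line(line)
        except ValueError:
            continue
        if msg.command in IRC_COMMANDS or msg.command.isdigit():
            hits += 1
    return hits >= min_hits


def summarize_session(lines):
    """Reconstruct what an observed client did: nick, channels joined, and which
    joins supplied a channel key (typical of a private command channel)."""
    summary = {"nick": None, "channels": [], "keyed": [], "irc": looks_like_irc(lines)}
    for line in lines:
        try:
            msg = parse_irc_line(line)
        except ValueError:
            continue
        if msg.command == "NICK" and msg.params:
            summary["nick"] = msg.params[0]
        elif msg.command == "JOIN" and msg.params:
            for chan in msg.params[0].split(","):
                summary["channels"].append(chan)
                if len(msg.params) > 1:
                    summary["keyed"].append(chan)
    return summary


# Constructed capture of a client talking on TCP port 8443 (not an IRC port), both directions
SESSION = [
    "NICK w0rm7731\r\n",
    "USER w0rm 0 * :w0rm\r\n",
    ":irc.example.net 001 w0rm7731 :Welcome to the network\r\n",
    "JOIN #updates k3y\r\n",
    ":irc.example.net 332 w0rm7731 #updates :idle\r\n",
    "PING :irc.example.net\r\n",
    "PONG :irc.example.net\r\n",
]
HTTP = ["GET / HTTP/1.1\r\n", "Host: www.example.com\r\n", "\r\n"]

if __name__ == "__main__":
    print(summarize_session(SESSION))
    print("http looks like irc:", looks_like_irc(HTTP))
```

"GET / HTTP/1.1" parses syntactically but GET is not an IRC command, so an HTTP stream scores zero; the command set check is what keeps the classifier from flagging every line that happens to start with a word.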
2.a - DDoS
- Botnets are routinely used in Distributed Denial of Service (DDoS) attacks. An attacker can control a large number of compromised computers from a remote station, exploit their bandwidth and send connection requests to the target server. Many networks have suffered badly from attacks of this kind, and in some cases the perpetrators were found while the sabotage was still under way (as in the dotcom wars).
Distributed denial of service (DDoS)
- A DDoS attack is a variant of the flooding DoS attack (denial of service by flooding). Its aim is to flood the target network, using all the bandwidth available. The attacker then has an enormous amount of bandwidth across the network with which to flood the target website. The best way to launch such an attack is to obtain many computers under one's control. Each computer contributes its own bandwidth (for example, a home PC user on ADSL). All of it is used at once, and so the attack is distributed against the target website. One of the most common attacks is performed over TCP (a connection-oriented protocol) and is called TCP SYN flooding. It works by sending, at the same moment, an enormous number of TCP connection requests to a web server (or any other service). Each SYN, typically sent from a spoofed source address, leaves a half-open entry in the listener's backlog until it times out; the backlog fills, the server's resources and bandwidth are exhausted, and other users can no longer open connections of their own. Simple, but really dangerous! The result is similar when UDP (a connectionless protocol) is used.
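The standard defense against the SYN flood just described is SYN cookies, shown here as an added example rather than something from the original document: the listener encodes the connection parameters into the SYN-ACK's initial sequence number instead of queuing a half-open entry, and allocates state only when an ACK returns carrying a valid cookie. The layout follows the classic scheme (a 5-bit time counter, an MSS index, a keyed hash), but the field widths, the 4-entry MSS table, the secret and the 2-tick validity limit are assumptions, not the exact layout of any particular kernel.

```python
import hashlib
import hmac

SECRET = b"per-boot-secret, rotate me"   # assumption: random and per host in practice
MSS_TABLE = (536, 1300, 1440, 1460)      # encodable MSS values (2-bit index)
TIME_BITS, MSS_BITS = 5, 2
HASH_BITS = 32 - TIME_BITS - MSS_BITS    # 25 bits of keyed hash
MAX_AGE = 2                              # cookies older than 2 counter ticks are rejected


def _keyed_hash(saddr, daddr, sport, dport, count):
    """25-bit HMAC over the 4-tuple and time counter; only the secret holder can forge it."""
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & ((1 << HASH_BITS) - 1)


def make_cookie(saddr, daddr, sport, dport, mss, minute):
    """ISN for the SYN-ACK: [5-bit time counter | 2-bit MSS index | 25-bit hash].
    The server keeps no per-connection state after sending it."""
    count = minute & ((1 << TIME_BITS) - 1)
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    return ((count << (MSS_BITS + HASH_BITS)) | (mss_idx << HASH_BITS)
            | _keyed_hash(saddr, daddr, sport, dport, count))


def check_cookie(cookie, saddr, daddr, sport, dport, minute):
    """Validate a cookie recovered from the final ACK; return the negotiated MSS,
    or None if the cookie is stale or was not made for this 4-tuple."""
    count = cookie >> (MSS_BITS + HASH_BITS)
    mss_idx = (cookie >> HASH_BITS) & ((1 << MSS_BITS) - 1)
    if (minute - count) & ((1 << TIME_BITS) - 1) > MAX_AGE:
        return None                                   # too old: refuse, no state used
    if cookie & ((1 << HASH_BITS) - 1) != _keyed_hash(saddr, daddr, sport, dport, count):
        return None                                   # forged or for another 4-tuple
    return MSS_TABLE[mss_idx]


def handshake(client, server, sport, dport, mss, minute, ack_delay=0, tamper=False):
    """Simulate SYN -> SYN-ACK(seq=cookie) -> ACK(ack=cookie+1) and the server's check.
    A flood of spoofed SYNs never reaches the ACK step, so it costs the server nothing."""
    cookie = make_cookie(client, server, sport, dport, mss, minute)
    ack = (cookie + 1) & 0xFFFFFFFF
    if tamper:
        ack ^= 1 << 9                                 # a guessed/forged ACK number
    return check_cookie((ack - 1) & 0xFFFFFFFF, client, server, sport, dport,
                        minute + ack_delay)


if __name__ == "__main__":
    print(handshake("198.51.100.7", "203.0.113.10", 51514, 80, 1460, minute=10))
    print(handshake("198.51.100.7", "203.0.113.10", 51514, 80, 1460, 10, ack_delay=5))
```

The price of statelessness is visible in the layout: only four MSS values fit and other TCP options are lost, which is why real stacks switch cookies on only once the backlog is under pressure.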
- Crackers have invested a great deal of time and effort in improving their attack methods. Today, computer network users like us face techniques far more sophisticated than the traditional DDoS attack. These techniques let the attacker control an extremely large number of compromised computers (zombies) from a remote station simply by using the IRC protocol.
3.a - GT-Bot
- All GT (Global Threat) bots are based on the popular IRC client for Windows called mIRC. The core of these bots is a set of mIRC scripts used to control the remote system's activity. A bot of this kind launches an enhanced client session with the control scripts and uses a second application, usually HideWindow, to hide mIRC from the user of the host computer. An additional DLL adds new components to mIRC so that the scripts can control many aspects of the compromised machine.
3.b - Agobot
- Agobot is one of the most popular kinds of bot, often used by professional crackers. It is written in C++ and released under the GPL license. What is interesting about Agobot is its source code: highly modular, it makes adding new functions easy. It also offers many mechanisms for hiding itself on the user's computer. Its main components are NTFS Alternate Data Streams, an Antivirus Killer (which terminates antivirus programs) and a Polymorphic Encryptor Engine (which changes the bot's form). Agobot provides traffic sniffing and sorting features. Protocols other than IRC can also be used to control this kind of bot.
3.c - DSNX
- Dataspy Network X (DSNX) is also written in C++ and its source code is GPL-licensed. This bot adds one new feature: a simple plug-in architecture.
3.d - SDBot
- SDBot is written in C and also uses the GPL license. Unlike Agobot, this bot's source code is not very clear and the software itself has a limited set of functions. Nevertheless SDBot is very popular and has been developed into many different variants.
A concrete example
The attacker's activity can be divided into four distinct phases:
+ Creation
+ Configuration
+ Attack
+ Control
- The Creation phase depends largely on the attacker's skill and requirements. A professional cracker may weigh writing bot code of their own against simply extending or customising existing code. The number of bots available is large and they are highly configurable; some even allow easier operation through a graphical interface. This phase is not difficult and is usually where newcomers start.
- The Configuration phase provides the IRC server and channel information. Once installed on a controlled computer, the bot connects to the chosen host. The attacker first enters the data needed to restrict access to the bot, secures the channel and finally supplies a list of authorised users (those who may control the bot). In this phase the bot can be tuned further, for example by defining the attack method and the target.
- The Attack phase uses various techniques to spread the bot, both direct and indirect. Direct spreading may exploit a vulnerability in the operating system or a service. Indirect spreading usually deploys some other software for the dirty work, such as HTML files that exploit Internet Explorer vulnerabilities, or other malware distributed through peer-to-peer networks or DCC (Direct Client-to-Client) file transfers on IRC. Direct attacks are usually automated by worms. All these worms have to do is search the subnet for vulnerable systems and inject the bot code. Each compromised system then carries on the attack program, which saves the attacker the resources used so far and gives them more time to find other victims.
- The mechanism used to distribute bots is one of the main causes of what is called Internet background noise. Some of the main ports used are those of Windows, specifically Windows 2000 and XP SP1 (see Table 1). These seem to be the hacker's favourite target, because it is very easy to find a Windows computer that has not been fully patched or has no firewall installed. This is also very common among home users and small businesses, who often overlook security and are always connected by broadband.
Table 1
Port   Service
42     WINS (Host Name Server)
80     HTTP (IIS or Apache vulnerability)
135    RPC (Remote Procedure Call)
137    NetBIOS Name Service
139    NetBIOS Session Service
445    Microsoft-DS Service
1025   Windows Messenger
1433   Microsoft SQL Server
2745   Bagle worm backdoor
3127   MyDoom worm backdoor
3306   MySQL UDF (User Definable Functions)
5000   UPnP (Universal Plug and Play)
- IRC not only provides the means to control hundreds of bots, it also lets the attacker use various techniques to hide their true identity. This makes countering the attacks difficult. Fortunately, by their very nature, botnets always generate suspicious traffic, which makes them easy to detect by known patterns or models. This helps IRC administrators detect and intervene in time, allowing them to dismantle botnets and stop the abuse going on in their systems.
- Faced with this, attackers were forced to devise other approaches, improving the C&C (Command and Control) technique into what is called botnet hardening. In this new technique the bots are usually configured to connect to several different servers, using a dynamically mapped hostname. The attacker can thus easily move the bots to a new server and keep full control even when a bot is detected. Dynamic DNS services such as dyndns.com and no-IP.com are commonly used in this kind of attack.
Dynamic DNS
5.d - Deploy intrusion detection and intrusion prevention systems
- Another method is to tune the IDS and IPS so that they look for activity that resembles a botnet.
- For example, a computer that suddenly turns up on Internet Relay Chat is thoroughly suspect, as are connections to remote IP addresses or to invalid DNS names. Although this is hard to detect, there is another tell-tale sign: a sudden surge in SSL traffic on one computer, especially on unusual ports. This may be the botnet's command channel being activated.
- We therefore need an IPS that checks for abnormal behaviour indicating HTTP-based attacks, remote procedure calls, Telnet, ARP (Address Resolution Protocol) spoofing and other attacks. Note, however, that many IPS sensors use signature-based detection, meaning that attacks are only added to the database after they have been discovered. IPS signatures must therefore be updated promptly to recognise these attacks; otherwise detection is worthless.
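The indicators named in this section and the port table in IV.4, turned into rules over an endpoint connection log, as an added example that is not from the original document: IRC seen on any port, TLS on a port outside the usual set, peers resolved through dynamic-DNS providers (dyndns and No-IP are the two the text names; the suffix list is an assumption), and inbound connections to the worm backdoor ports from Table 1. The records, hosts and addresses are constructed for the demonstration.

```python
from collections import defaultdict

IRC_PORTS = {6667, 6697}
USUAL_TLS_PORTS = {443, 465, 587, 636, 853, 993, 995, 8443}          # assumption
DYNAMIC_DNS_SUFFIXES = (".dyndns.org", ".dyndns.com", ".no-ip.com",
                        ".no-ip.org", ".no-ip.biz")                     # assumption
BACKDOOR_PORTS = {2745: "Bagle backdoor", 3127: "MyDoom backdoor"}      # from Table 1

# Constructed records: (direction, host, peer_ip, port, app_protocol, dns_name)
LOG = [
    ("out", "10.0.0.7",  "203.0.113.44",  443,  "tls", "www.example.com"),
    ("out", "10.0.0.7",  "198.51.100.9",  8443, "irc", "cc1.dyndns.org"),
    ("out", "10.0.0.12", "198.51.100.22", 4444, "tls", ""),
    ("in",  "10.0.0.12", "192.0.2.77",    3127, "",    ""),
    ("out", "10.0.0.7",  "203.0.113.45",  6667, "irc", "irc.example.net"),
]


def evaluate(record):
    """Return the list of rule names a single connection record trips."""
    direction, host, peer, port, app, name = record
    hits = []
    if app == "irc" or port in IRC_PORTS:
        # a workstation on IRC at all is suspect; on a non-IRC port more so
        hits.append("irc" if port in IRC_PORTS else "irc-nonstandard-port")
    if app == "tls" and port not in USUAL_TLS_PORTS:
        hits.append(f"tls-on-unusual-port-{port}")   # possible encrypted C&C channel
    if name.lower().endswith(DYNAMIC_DNS_SUFFIXES):
        hits.append("dynamic-dns-peer")               # botnet-hardening indicator
    if direction == "in" and port in BACKDOOR_PORTS:
        hits.append(f"inbound-backdoor-port-{port}")  # someone probing a worm backdoor
    return hits


def alerts_by_host(log):
    """Group tripped rules per workstation so an analyst sees the whole picture."""
    per_host = defaultdict(list)
    for rec in log:
        for rule in evaluate(rec):
            per_host[rec[1]].append((rule, rec[2], rec[3]))
    return dict(per_host)


if __name__ == "__main__":
    for host, hits in alerts_by_host(LOG).items():
        print(host)
        for rule, peer, port in hits:
            print(f"  {rule:<26} {peer}:{port}")
```

Grouping by host is the point of the second function: a single TLS connection on port 4444 is weak evidence, but the same host also receiving probes on 3127 is a much stronger case for pulling it off the network.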
V Conclusion :
- ...already. Responding by adding hardware is also a good solution, but regular monitoring to detect and promptly block IP packets from