Doan Van Duy - Attack techniques: DoS, DDoS, DRDoS & Botnet

Table of Contents

I - Denial of Service (DoS) attacks
I.1 - Introduction to DoS
I.2 - History of DoS attacks and their development
I.3 - Purposes of DoS attacks and their dangers
I.4 - Basic forms of DoS attack
4.a - Smurf
4.b - Buffer Overflow Attack
4.c - Ping of death
4.d - Teardrop
4.e - SYN Attack
II - Distributed Denial of Service (DDoS) attacks
II.1 - Introduction to DDoS
II.2 - Characteristics of DDoS attacks
II.3 - DDoS attacks cannot be prevented completely
II.4 - The clever attacker
4.a - Agent Handler Model
4.b - IRC-based DDoS attacks
II.5 - Classification of DDoS attacks
II.6 - Reflective DNS attacks
6.a - Issues related to Reflective DNS attacks
6.b - The Reflective DNS attack tool ihateperl.pl
II.7 - Tools used for DDoS attacks
III - DRDoS (Distributed Reflection Denial of Service)
III.1 - Introduction to DRDoS
III.2 - Countermeasures
2.a - Minimising the number of Agents
2.b - Finding and neutralising the Handlers
2.c - Detecting the signs of an attack
2.d - Mitigating or stopping the attack
2.e - Deflecting the attack
2.f - The post-attack phase
2.g - General countermeasures
IV - Botnet
IV.1 - Introduction to Bots and Botnets
1.a - What is a bot?
1.b - Why is it called a botnet?
1.c - IRC
IV.2 - Bots and their applications
2.a - DDoS
2.b - Spamming
2.c - Sniffing and Keylogging
2.d - Identity theft
2.e - Hosting illegal software
IV.3 - Different kinds of bot
3.a - GT-Bot
3.b - Agobot
3.c - DSNX
IV.4 - Elements of an attack
IV.5 - Botnet countermeasures
5.a - Hiring a web filtering service
5.b - Switching browsers
5.c - Disabling scripts
5.d - Deploying intrusion detection and intrusion prevention systems
5.e - Protecting user-generated content
5.f - Using software tools
V - Conclusion
VI - References

I - Denial of Service (DoS) attacks:

I.1 - Introduction to DoS
- A DoS attack is an attack in which someone makes a system unusable, or slows it down significantly for normal users, by overloading the system's resources.
- If attackers cannot break into a system, they try to make it collapse so that it can no longer serve normal users; that is a Denial of Service (DoS) attack.
- Although a DoS attack cannot reach the system's actual data, it can disrupt the services the system provides. As defined above, a DoS attack exploits the weakest points of the target system; the purposes of DoS attacks

I.2 - History of DoS attacks and their development

- DoS attacks began around the early 1990s. At first they were entirely primitive: a single attacker consumed as much of the victim's bandwidth as possible, preventing others from being served. This was done mainly with simple methods such as ping floods, SYN floods and UDP floods. Later the attacks became more sophisticated: the attacker impersonated the victim, sent a few messages, and let other machines flood the victim with the replies (Smurf attack, IP spoofing).
- Such attacks had to be synchronised manually by several attackers to cause effective damage. The shift towards automating this synchronisation and coordination, and towards launching one large parallel attack, became widespread from 1997 with the appearance of the first widely published DDoS attack tool, Trinoo. It was based on UDP flooding and master-slave communication (recruiting intermediate machines into the attack by planting remotely controlled programs on them). In the following years a few more tools became common: TFN (Tribe Flood Network), TFN2K and Stacheldraht.
- However, reports of such attacks only appeared from late 1999, and the topic became known to the public only after a large attack on public sites in February 2000. Over three days the sites Yahoo.com, amazon.com, buy.com, cnn.com and eBay.com were placed under attack (Yahoo, for example, was pinged at 1 GB/s).
Since then DoS attacks have occurred regularly.
Examples:
- On 15 August 2003 Microsoft suffered an extremely powerful DoS attack that disrupted its websites for about 2 hours;
- At 15:09 GMT on 27 March 2003 the entire English-language version of the Al-Jazeera website was attacked and disrupted for many hours.

I.3 - Purposes of DoS attacks and their dangers

- To seize network bandwidth and flood the network, so that the network can no longer provide other services to normal users.
- To break the connection between two machines and block access to a service.
- To block specific users from a particular service.
- To block a service so that others cannot access it.
- When a DoS attack happens, users trying to reach the service experience it as:
+ Disable Network - the network is down
+ Disable Organization - the organisation stops functioning
+ Financial Loss - money is lost
- As noted above, a DoS attack occurs when the attacker uses up the system's resources so that the system can no longer serve normal users. The resources typically targeted are:
- Creating scarcity, limits and non-renewal of resources
- Network bandwidth, memory, disk, CPU time and data structures are all targets of DoS attacks.
- Attacks on other systems that support the computer network, such as air conditioning, power supply, cooling and other enterprise resources. Imagine the power feeding the web server being cut: can users still reach the server?
- Destroying or altering configuration information.
- Destroying the physical layer or network equipment such as the power supply or air conditioning.
I.4 - Basic forms of DoS attack:

- Smurf
- Buffer Overflow Attack
- Ping of death
- Teardrop
- SYN Attack

4.a - Smurf:
- Smurf is a typical DoS attack. The attacker's machine sends a large number of ping commands to a large number of computers within a short time, with the source IP address of the ICMP echo packets replaced by the victim's IP address. Those computers then send their ICMP reply packets to the victim.
- As a result the target receives an enormous wave of ICMP replies, and its network drops out or slows down and can no longer provide other services.

4.b - Buffer Overflow Attack:

- A buffer overflow occurs whenever a program writes more information than the capacity of the buffer in memory.
- The attacker can overwrite data, control the running of programs and hijack control of certain programs in order to execute dangerous code.
- Sending an e-mail with an attachment longer than 256 characters may trigger a buffer overflow.

4.c - Ping of death:
- The attacker sends IP packets larger than the maximum allowed size of an IP packet, 65,536 bytes.
- Splitting an IP packet into smaller fragments is done at layer II.
- Fragmentation can be performed on an IP packet larger than 65,536 bytes, but the operating system cannot recognise the size of such a packet and reboots, or simply loses network communication.
- Recognising an attacker who sends packets larger than the allowed size is relatively easy.
Example: Ping -l 65500 address
-l: buffer size
Around 1997-1998 this bug was fixed, so today it is only of historical interest.

4.d - Teardrop:

In a packet-switched network, data is split into many small packets; each packet carries its own offset value and may travel to the destination over different paths. At the destination, the offset value of each packet is used to reassemble the data as it was originally.
Exploiting this, a hacker can create many packets whose offset values overlap one another and send them to the target.
As a result the target machine cannot order these packets, hangs, and has its processing capacity "drained".

4.e - SYN Attack:

- The attacker sends TCP SYN requests (bogus requests) to the target server. To process this volume of SYN packets the system has to spend memory on each connection.
- When very many bogus SYN packets reach the server, they occupy all of the server's capacity for handling requests. A normal user connecting to the server first sends a TCP SYN request, and at that point the server is no longer able to reply, so the connection is not made.

[Figure: model of an attack using SYN packets]

Step 1: The client sends packets with SYN=1 to the server to request a connection.
Step 2: On receiving such a packet, the server replies with a SYN/ACK packet to tell the client that it has received the connection request and is preparing resources for it. The server reserves part of its system resources, such as buffer memory (cache), for receiving and sending data. Other information about the client, such as its IP address and port, is also recorded.
Step 3: Finally, the client completes the three-way handshake by answering the server with a packet containing ACK, and the connection proceeds.

- Because TCP is a reliable end-to-end delivery protocol, when in the second handshake step the server sends SYN/ACK packets to the client but receives no answer to complete the connection, it still keeps the resources reserved for that connection and retransmits the SYN/ACK to the client until it receives the client's reply.
- If this goes on for long, the server quickly becomes overloaded and may crash (hang), so legitimate requests are refused and cannot be served. The process can be pictured as a personal computer (PC) hanging when too many programs are opened at the same time.
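An added example (not from the original document) that applies the half-open-connection reasoning above from the defender's side: it parses constructed netstat-style connection lines and reports how many connections are stuck in SYN_RECV, which remote addresses hold the most, and whether the total exceeds the assumed backlog size. The line format, the thresholds and the sample addresses are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample input in netstat style (not captured from a real host):
# 5 established sessions, 40 half-open connections from spoofed, all-different
# sources, and 25 half-open connections from a single real source.
def build_sample():
    lines = ["tcp 0 0 10.0.0.5:80 192.0.2.%d:%d ESTABLISHED" % (i, 40000 + i)
             for i in range(1, 6)]
    lines += ["tcp 0 0 10.0.0.5:80 203.0.113.%d:%d SYN_RECV" % (i, 50000 + i)
              for i in range(1, 41)]
    lines += ["tcp 0 0 10.0.0.5:80 198.51.100.7:%d SYN_RECV" % (60000 + i)
              for i in range(25)]
    return "\n".join(lines)

# "tcp <recv-q> <send-q> <local>:<port> <remote>:<port> <state>"
LINE_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")

def parse_netstat(text):
    """Return one dict per recognised connection line; other lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            conns.append({"local": m.group(1), "lport": int(m.group(2)),
                          "remote": m.group(3), "rport": int(m.group(4)),
                          "state": m.group(5)})
    return conns

def half_open_report(conns, max_half_open=50, per_source_limit=20):
    """Summarise SYN_RECV pressure on the listening socket.

    max_half_open: assumed number of half-open entries the listen backlog
    can hold before new SYNs start being refused.
    per_source_limit: above this many half-open entries one remote address
    is reported. A spoofed flood spreads over many addresses and will NOT
    show up here, which is why the total is checked as well.
    """
    half_open = [c for c in conns if c["state"] == "SYN_RECV"]
    established = [c for c in conns if c["state"] == "ESTABLISHED"]
    per_source = Counter(c["remote"] for c in half_open)
    noisy = sorted(ip for ip, n in per_source.items() if n > per_source_limit)
    return {
        "half_open": len(half_open),
        "established": len(established),
        "noisy_sources": noisy,
        "alert": len(half_open) > max_half_open,
    }

if __name__ == "__main__":
    report = half_open_report(parse_netstat(build_sample()))
    print(report)
    if report["alert"]:
        # On Linux the usual first response is to enable SYN cookies
        # (sysctl net.ipv4.tcp_syncookies=1) so the backlog no longer fills.
        print("half-open backlog pressure: possible SYN flood")
```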

II - Distributed Denial of Service (DDoS) attacks:

II.1 - Introduction to DDoS:

On the Internet, a Distributed Denial of Service (DDoS) attack is an attack from many computers on one target; it causes the legitimate requests of normal users to be refused. By generating an extremely large number of packets to a specific target, it can produce a state similar to the system having been shut down.
In general there are many variants of DDoS technique, but from a technical viewpoint they can be divided into two kinds according to the attacker's aim:
- Exhausting bandwidth.
- Exhausting system resources.

A denial-of-service attack can also involve running malware in order to:
- Overload processing capacity, so that the system cannot carry out any other work.
- Trigger faults in the computer's microcode.
- Trigger faults in the instruction sequence, leaving the computer in an unstable state or frozen.
- Exploit operating-system bugs that lead to resource starvation or thrashing, e.g. using all available capacity so that no real work can be completed.
- Crash the system.
- iFrame denial of service: an HTML page can call another web page with a very large number of requests, many times over, until that page's bandwidth is exhausted.

II.2 - Characteristics of DDoS attacks:

- The attack comes from an extremely large collection of computers on the Internet, and usually relies on services already present on the computers in the botnet.
- The attacking services are controlled from the "primary victim", while the compromised computers in the botnet that are used to attack are usually called "secondary victims".
- It is very hard to detect because the attack originates from many IP addresses on the Internet.
- If one IP address attacks a company, it can be blocked by the firewall. If the attack comes from 30,000 different IP addresses, that becomes extremely difficult.
- A perpetrator can cause a lot of damage with a DoS attack, and it is far more dangerous when a botnet on the Internet is used to carry out the DoS attack; that is called a DDoS attack.

II.3 - DDoS attacks cannot be prevented completely:

- DDoS attacks search for security holes on computers connected to the Internet and exploit them to build a botnet of many Internet-connected computers.
- Once a DDoS attack is under way it is very hard to stop completely.
- Packets arriving at the firewall can be blocked, but most of them come from IP addresses that are not yet in the firewall's access rules and are entirely valid packets.
- If the packets' source addresses can be spoofed, then once you get no response from the real source addresses you have to block communication with those sources.
- However, a botnet consists of thousands to several hundred thousand IP addresses on the Internet, which makes blocking the attack extremely difficult.

II.4 - The clever attacker:

Today no attacker uses their own IP address to control the botnet that attacks the target; they always go through an intermediary. The DDoS attack models are described below.

4.a - Agent Handler Model:

The attacker uses handlers to control the attack.

4.b - IRC-based DDoS attacks:

The attacker uses IRC networks to control, amplify and manage the connections to the computers in the botnet.

II.5 - Classification of DDoS attacks:

- Attacks that exhaust the bandwidth to the server.
+ Flood attack
+ UDP and ICMP Flood
- Attacks that amplify communication
+ Smurf and Fraggle attack

[Figure: the DDoS attack on Yahoo.com in 2000]

[Figure: classification of DDoS attacks]

[Figure: DDoS attack using communication amplification]

As we know, a Smurf attack works by pinging the broadcast address of some network with the source address set to the address of the machine to be attacked, so that all the replies are delivered to the IP address of the victim.

II.6 - Reflective DNS attacks:

6.a - Issues related to Reflective DNS attacks:
- A hacker can use a botnet to send a very large number of requests to DNS servers.
- These requests flood the network bandwidth of the DNS servers.
- This kind of attack can be countered by using a firewall to block communication from the computers that have been identified.
- But blocking communication from DNS servers causes big problems: a DNS server has a very important role on the Internet.
- Blocking DNS communication amounts to preventing normal users from sending mail and visiting websites.
- A DNS request typically takes up 1/73 of the time of the reply packet on the server. Based on this, a specialised tool that increases the requests to a DNS server can overload it so that it can no longer serve normal users.
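An added example (not from the original document) that looks at reflective DNS from the victim's edge: it matches inbound DNS responses against the queries the host actually sent, counts the unsolicited ones per reflector, and computes the amplification ratio between a query and the reply it produced. The packet records, field layout and addresses are constructed assumptions.

```python
from collections import Counter

# Constructed packet records seen at the victim's network edge (not real
# captures). Fields: direction ("out" from our host / "in" to our host),
# src, dst, sport, dport, qr (0 = query, 1 = response), txid, size in bytes.
SAMPLE_PACKETS = [
    ("out", "10.0.0.5", "192.0.2.53", 40001, 53, 0, 0x1a2b, 60),
    ("in",  "192.0.2.53", "10.0.0.5", 53, 40001, 1, 0x1a2b, 140),
    ("out", "10.0.0.5", "192.0.2.53", 40002, 53, 0, 0x1a2c, 62),
    ("in",  "192.0.2.53", "10.0.0.5", 53, 40002, 1, 0x1a2c, 180),
    # Responses this host never asked for: someone sent queries with our
    # address as the source to several open resolvers.
    ("in", "198.51.100.53", "10.0.0.5", 53, 41000, 1, 0xbeef, 3100),
    ("in", "198.51.100.53", "10.0.0.5", 53, 41001, 1, 0xbef0, 3100),
    ("in", "203.0.113.9",   "10.0.0.5", 53, 41002, 1, 0x0001, 2900),
    ("in", "203.0.113.9",   "10.0.0.5", 53, 41003, 1, 0x0002, 2900),
    ("in", "203.0.113.77",  "10.0.0.5", 53, 41004, 1, 0x0003, 3300),
]

def classify_dns(packets):
    """Match inbound DNS responses against queries this host actually sent.

    A query is identified by (server, source port, transaction id); a response
    that matches no outstanding query is counted as unsolicited reflection
    traffic and attributed to the server (reflector) that sent it.
    """
    outstanding = set()
    report = {"legit_responses": 0, "unsolicited": 0,
              "unsolicited_bytes": 0, "reflectors": Counter()}
    for direction, src, dst, sport, dport, qr, txid, size in packets:
        if direction == "out" and dport == 53 and qr == 0:
            outstanding.add((dst, sport, txid))
        elif direction == "in" and sport == 53 and qr == 1:
            key = (src, dport, txid)
            if key in outstanding:
                outstanding.discard(key)
                report["legit_responses"] += 1
            else:
                report["unsolicited"] += 1
                report["unsolicited_bytes"] += size
                report["reflectors"][src] += 1
    return report

def amplification_factor(query_size, response_size):
    """Bytes the victim receives per byte the attacker sent to the reflector."""
    return response_size / query_size

if __name__ == "__main__":
    r = classify_dns(SAMPLE_PACKETS)
    print(r)
    # Filter the identified reflectors for port-53 traffic towards this host
    # only; as the text warns, blocking DNS wholesale also cuts mail and web.
    for ip, n in r["reflectors"].most_common():
        print("reflector", ip, n, "unsolicited responses")
    print("a 60-byte query answered with 3100 bytes: %.1fx amplification"
          % amplification_factor(60, 3100))
```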

6.b - The Reflective DNS attack tool ihateperl.pl:

- ihateperl.pl is a very small and very effective program based on the DNS Reflective attack.
- It uses a list of DNS servers to flood the network with Name Resolution request packets.
- In one example it uses google.com as the name to resolve, sent to the servers, and the domain can be changed to www.vnexperts.net or any other site the attacker wants.
- Using the tool is very simple: one only has to create a list of DNS servers, supply the IP address of the target machine and set the number of requests.

II.7 - Tools used for DDoS attacks:

Below are the DDoS attack tools.
- Trinoo
- Tribe Flood Network (TFN)
- TFN2K
- Stacheldraht
- Shaft
- Trinity
- Knight
- Mstream
- Kaiten
These tools can all be downloaded free of charge on the Internet; note that they are only weak tools, demonstrations of DDoS attacks.

III - DRDoS (Distributed Reflection Denial of Service)

III.1 - Introduction to DRDoS
- Appearing in early 2002, this is the newest and most powerful kind of attack in the DoS family. Carried out by a skilled attacker, it can bring down any system in the world in an instant.
- DRDoS is a combination of the two kinds DoS and DDoS.
- The main goal of DRDoS is to seize the server's entire bandwidth, that is, to completely clog the link from the server to the Internet backbone and to exhaust the server's resources.
- Take Server A and Victim, and suppose one SYN packet is sent to Server A with its source IP spoofed to the Victim's IP. Server A opens a connection and sends a SYN/ACK packet to the Victim, believing the Victim wants to open a connection with it. This is the concept of Reflection. The hacker drives a spoofed-SYN generator that sends SYN packets to all the large TCP servers, and these TCP servers unwittingly become zombies that attack the Victim together and clog the Victim's link.
- With many large servers taking part, the target server quickly becomes overloaded and its bandwidth is consumed by the large servers.
- The "art" of it is that with just one computer on a 56 kbps modem, a skilled hacker can defeat any server in moments without having to take over any machine as a means of carrying out the attack.

III.2 - Countermeasures:

Many solutions and ideas have been proposed to deal with DDoS-style attacks. However, no solution or idea fully solves the Anti-DDoS problem. New forms of DDoS keep appearing over time alongside the countermeasures, and the race still follows the inevitable rule of computer security: the hacker is always one step ahead of the security community.
There are three main phases in Anti-DDoS:
- Prevention phase: minimise the number of Agents, find and neutralise the Handlers.
- Confrontation phase: detect and block the attack, mitigate and stop the attack, deflect the attack.
- Post-attack phase: collect evidence and learn lessons.
The detailed phases of DDoS countermeasures:
[Figure: DDoS countermeasures tree. Branches: Detect and Prevent Potential Attack (Egress Filtering, MIB Statistics); Detect and Neutralize Handler; Detect/Prevent Agent (Individual user: Install Software Patch; Network Service Provider: Built-in defense); Mitigate/Stop Attack (Load Balancing, Throttling, Drop Request); Deflect Attack (Honeypots, Shadow Real Network, Study Attack); Post-attack Forensics (Traffic Pattern Analysis, Packet Traceback, Event Log).]

2.a - Minimising the number of Agents:

- On the user side: a very good way to prevent DDoS attacks is for each Internet user to guard against being used to attack other systems. To achieve this, awareness and defensive techniques must be spread widely among Internet users. An attack network can never form if no user is abused into becoming an Agent. Users must continually carry out security procedures on their own computers. They have to check for the presence of Agents on their machines themselves, which is very difficult for an ordinary user.
- Some solutions build the ability to prevent the installation of dangerous code into the hardware and software of each system. On the user side, users should install and continually update software such as antivirus, anti-trojan and the operating system's server patches.
- On the Network Service Provider side: changing access billing to volume-based charging makes users pay attention to what they send, so that awareness of detecting DDoS Agents rises in every user.

2.b - Finding and neutralising the Handlers:

An extremely important element of the attack network is the Handler; if the Handlers can be found and neutralised, the chance of successful Anti-DDoS is very high. By monitoring the communication between Handler and Client, or between Handler and Agent, one can discover where the Handlers are. Because one Handler manages many Agents, eliminating one Handler also removes a significant number of Agents from the attack network.

2.c - Detecting the signs of an attack:

Several techniques are applied:
- Egress Filtering: this technique checks whether a packet is entitled to leave a subnet, on the basis that the subnet's gateway always knows the IP addresses of the machines belonging to the subnet. Packets sent out from inside the subnet with an invalid source address are held back so that the cause can be investigated. If this technique were applied on every subnet of the Internet, the concept of IP address spoofing would cease to exist.
- MIB statistics: the Management Information Base (SNMP) of a router always holds statistics on how the state of the network varies. By closely monitoring the statistics of the ICMP, UDP and TCP protocols, we can detect the moment an attack begins and gain valuable time for handling the situation.
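An added example (not from the original document) covering both techniques in this list: an egress check that holds outbound packets whose source address is not one of the gateway's own prefixes, and a MIB-style monitor that turns cumulative ICMP/UDP/TCP counters into per-interval rates and flags an interval that jumps far above its baseline. The prefixes, packets, counter samples and thresholds are constructed assumptions.

```python
import ipaddress
from statistics import mean

# Assumed: the gateway knows which prefixes sit behind it (constructed values).
LOCAL_PREFIXES = [ipaddress.ip_network("10.1.0.0/24"),
                  ipaddress.ip_network("10.1.1.0/24")]

# Constructed outbound packets as (source IP, destination IP).
OUTBOUND = [
    ("10.1.0.15", "93.184.216.34"),     # legitimate: source belongs to us
    ("10.1.1.200", "93.184.216.34"),    # legitimate
    ("203.0.113.5", "93.184.216.34"),   # spoofed: not one of our addresses
    ("10.1.0.15", "10.1.0.1"),          # legitimate
    ("198.51.100.9", "93.184.216.34"),  # spoofed
]

def egress_filter(packets, prefixes):
    """Split outbound packets into (forwarded, held) according to the egress rule."""
    forwarded, held = [], []
    for src, dst in packets:
        addr = ipaddress.ip_address(src)
        if any(addr in net for net in prefixes):
            forwarded.append((src, dst))
        else:
            held.append((src, dst))   # kept for investigation, not forwarded
    return forwarded, held

# Constructed SNMP-style cumulative counter samples, one per 60 s poll:
# (icmpInMsgs, udpInDatagrams, tcpInSegs) as in the MIB-II protocol groups.
COUNTER_SAMPLES = [
    (1000, 5000, 20000),
    (1100, 5500, 22000),
    (1210, 6000, 24100),
    (1300, 6500, 26000),
    (1400, 7000, 28000),
    (9400, 7500, 30000),   # ICMP jumps by 8000 in one interval
]

def counter_rates(samples):
    """Per-interval deltas of cumulative counters (counter wrap ignored here)."""
    return [tuple(b - a for a, b in zip(prev, cur))
            for prev, cur in zip(samples, samples[1:])]

def mib_anomalies(samples, baseline_intervals=3, factor=5.0):
    """Flag intervals where a protocol's rate exceeds factor x its baseline mean.

    The first baseline_intervals deltas are taken as normal traffic; every
    later interval is compared against that baseline per protocol.
    """
    rates = counter_rates(samples)
    names = ("icmp", "udp", "tcp")
    baseline = [mean(r[i] for r in rates[:baseline_intervals]) for i in range(3)]
    flagged = []
    for idx, r in enumerate(rates[baseline_intervals:], start=baseline_intervals):
        for i, name in enumerate(names):
            if r[i] > factor * baseline[i]:
                flagged.append((idx, name, r[i]))
    return flagged

if __name__ == "__main__":
    ok, held = egress_filter(OUTBOUND, LOCAL_PREFIXES)
    print("forwarded:", ok)
    print("held for investigation:", held)
    print("anomalous intervals:", mib_anomalies(COUNTER_SAMPLES))
```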

2.d - Mitigating or stopping the attack:

The following techniques are used:

- Load balancing: setting up a load-balancing architecture for key servers increases the time the system can withstand a DDoS attack. In practice, however, this means little, because the scale of an attack is unlimited.
- Throttling: setting up a rate-limiting mechanism on the router that defines a reasonable range of load the servers behind it can handle. This method can also be used to stop DDoS traffic from preventing users reaching the service. Its limitation is that it cannot distinguish between kinds of traffic, so it sometimes interrupts the service for users, and DDoS traffic can still enter the service network, though in limited quantity.
- Drop request: setting up a mechanism that drops a request if it violates certain rules, such as a prolonged delay, excessive processing resources, or causing a deadlock. This technique removes the possibility of exhausting the system's capacity, but it also limits some normal operations of the system, so it must be used with care.
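An added example (not from the original document) of the throttling and drop-request mechanisms just described: a per-source token bucket that admits a bounded rate of requests, and a drop rule that refuses work that has waited too long or is too costly. The rates, the sample request stream and the cost values are constructed assumptions; the run also shows the stated limitation that a legitimate client is throttled by the same rule once it exceeds the rate.

```python
class TokenBucket:
    """Per-source rate limiter: `rate` tokens per second, `burst` tokens capacity."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        # Refill proportionally to elapsed time, capped at the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

def throttle(events, rate=5.0, burst=10):
    """events: (time_s, source_ip). Returns (accepted, dropped) counts per source."""
    buckets, accepted, dropped = {}, {}, {}
    for t, src in sorted(events):
        bucket = buckets.setdefault(src, TokenBucket(rate, burst))
        if bucket.allow(t):
            accepted[src] = accepted.get(src, 0) + 1
        else:
            dropped[src] = dropped.get(src, 0) + 1
    return accepted, dropped

# Constructed request stream: one source fires 30 requests at once and 15
# more two seconds later; a normal client sends one request per second.
def build_events():
    events = [(0.0, "198.51.100.7")] * 30
    events += [(0.0, "192.0.2.10"), (1.0, "192.0.2.10"), (2.0, "192.0.2.10")]
    events += [(2.0, "198.51.100.7")] * 15
    return events

# Constructed queued requests: seconds already waited and an estimated
# processing cost (arbitrary units).
SAMPLE_REQUESTS = [
    {"id": 1, "queued_s": 0.2, "cost": 10},
    {"id": 2, "queued_s": 5.0, "cost": 10},    # waited too long
    {"id": 3, "queued_s": 0.1, "cost": 500},   # too expensive to process
    {"id": 4, "queued_s": 1.0, "cost": 50},
]

def drop_filter(requests, max_delay_s=2.0, max_cost=100):
    """Drop-request rule: keep only requests within the delay and cost limits."""
    return [r for r in requests
            if not (r["queued_s"] > max_delay_s or r["cost"] > max_cost)]

if __name__ == "__main__":
    accepted, dropped = throttle(build_events())
    print("accepted:", accepted)   # bursting source gets 20 of 45 through
    print("dropped:", dropped)
    print("kept requests:", [r["id"] for r in drop_filter(SAMPLE_REQUESTS)])
```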

2.e - Deflecting the attack:

Honeypots: one technique under research is the honeypot. A honeypot is a system designed to lure the attacker into attacking it when breaking in, so that the really important system is left alone.
Honeypots not only act as a decoy (like Le Lai saving his lord) but are also very effective at detecting and handling intrusions, because monitoring and alerting mechanisms are set up on them in advance.
Honeypots are also valuable for learning from the attacker, since they record the attacker's every move on the system in considerable detail. If the attacker is fooled into installing an Agent or Handler on a honeypot, the chance of eliminating the entire attack network is very high.

2.f - The post-attack phase:

In this phase the following work is normally carried out:
- Traffic Pattern Analysis: if data on how the traffic volume varied over time has been kept, it is analysed. This analysis is very useful for fine-tuning the Load Balancing and Throttling systems. The data also helps the network administrator adjust the rules that control traffic into and out of the network.
- Packet Traceback: with traceback techniques one can trace back the attacker's location (at least the attacker's subnet). From traceback one can develop a fairly effective ability to block the attacker. Recently a rather effective traceback technique has appeared that can trace the source of an attack in under 15 minutes; it is the XXX technique.
- Event Logs: by analysing the log files after the attack, the network administrator can find many clues and important pieces of evidence.

2.g - General countermeasures:

1. When you detect that your server is under attack, quickly trace the IP address and block it from sending data to the server.
2. Use the filtering features of the router/firewall to discard unwanted packets, reducing traffic on the network and load on the server.
3. Use the rate-limit features of the router/firewall to restrict the number of packets entering the system.
4. If the attack exploits a bug in software or equipment, quickly apply the fixes to that system or replace it.
5. Use mechanisms, tools and software that counter TCP SYN flooding.
6. Turn off any other services on the server to reduce load and respond better. If possible, upgrade the hardware to increase the system's capacity, or add further servers with the same function to share the load.
7. Temporarily move the server to another address.

IV - Botnet.
A brief history:
- The end of the 19th century and the start of the new millennium marked the rapid, strong development of a number of distinct attack strategies aimed at networks. DDoS, Distributed Denial of Service, the notorious distributed form of denial-of-service attack, was born. Like its sibling DoS (denial of service), DDoS spread very widely, mainly thanks to its simplicity and the difficulty of tracing it. Much experience in dealing with it has been shared, and there is no small body of knowledge about it, yet today DDoS remains a serious threat and a dangerous tool in the hacker's hands. Let us look at DDoS and its successor: botnet attacks.

IV.1 - Introduction to Bots and Botnets

1.a - What is a bot?: bots are programs similar to a Trojan backdoor that let the attacker use the infected machines as zombies (computers whose control has been completely taken over); they actively connect to a server so that they can be controlled easily. Note that this active connecting is a feature that distinguishes a bot from a Trojan backdoor. Because of this activity, a computer on which a bot is installed becomes sluggish, a characteristic that makes bots easy to recognise.

1.b - Why is it called a botnet?: a botnet is a very large network of hundreds or thousands of zombie computers connected to an mIRC (Internet Relay Chat) server, or via DNS servers, to receive commands from the hacker as fast as possible. Bot networks with thousands of members are an ideal tool for network warfare such as DDoS, spam and installing adware.

1.c - IRC
- IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat-style communication (see RFC 1459 and the updates RFC 2810, 2811, 2812, 2813) based on a client-server architecture. Most IRC servers allow free access regardless of who the user is. IRC is an open network protocol based on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
- One IRC server connects to other IRC servers in the same network. IRC users can communicate either publicly (on channels) or privately (one to one). There are two basic levels of access to an IRC channel: the user level and the operator level. Whoever creates a channel becomes its operator. An operator has more privileges (depending on the modes set by the original operator) than an ordinary user.
- IRC bots are treated like an ordinary user (or operator). They are daemon processes that can run a number of operations automatically. Controlling these bots is normally based on the hacker sending commands to set up a communication channel, with sabotage as the main purpose. Naturally, managing bots also requires an authentication and authorisation mechanism, so only their owner can use them.
- An important component of these bots is the set of events they can use to spread quickly to other computers. Careful planning of the attack program gives better results in less time (for example, compromising more computers). A number n of bots connected to a single channel, waiting for commands from the attacker, is called a botnet.
- Not long ago, zombie networks (another name for computers compromised by bots) were usually controlled through proprietary tools deliberately developed by the crackers themselves. Over time they moved towards remote-control methods. IRC is regarded as the best tool for launching attacks because of its flexibility, its ease of use and, especially, because public servers can be used as a communication medium. IRC provides a simple way to control hundreds or even thousands of bots at once in a flexible manner. It also lets the attacker hide their true identity with a few simple tricks such as anonymous proxies or IP address spoofing. For the same reason, however, they leave traces that the server administrator can follow.
- In most bot attacks the victims are mainly individual computer users, university servers or small business networks. The reason is that the computers in those places are not closely monitored and their network protection is often entirely exposed. These users usually have no security policy of their own, or an incomplete one covering only some parts. Most personal computer users on ADSL lines are unaware of the dangers around them and do not use protective software such as antivirus tools or a personal firewall.

IV.2 - Bots and their applications

- How bots and their applications can be used on completely compromised computers depends entirely on the creativity and skill of the attacker. Let us look at some of the most common applications.

2.a - DDoS
- Botnets are used regularly in Distributed Denial of Service (DDoS) attacks. An attacker can control a large number of compromised computers from a remote station, exploit their bandwidth and send connection requests to a server. Many networks have been in a very bad state after suffering attacks of this kind, and in some cases the perpetrator was found while the sabotage was in progress (as in the dotcom wars).
Distributed Denial of Service (DDoS) attacks
- A DDoS attack is a variant of flooding DoS. Its purpose is to flood the target network, using all the bandwidth available. The attacker then has the whole of that huge bandwidth with which to flood the target website. This is the best way to launch an attack once many computers are under control. Each computer contributes its own bandwidth (for example a home PC on ADSL). All of it is used at once, and thereby the attack on the target website is distributed. One of the most common kinds of attack is carried out using TCP (a connection-oriented protocol) and is called TCP SYN flooding. It works by sending, simultaneously, an enormous number of TCP connection requests to a web server (or any other service), flooding the server's resources, which exhausts the bandwidth and prevents other users from opening their own connections. Simple indeed, but truly dangerous! The same result is obtained with UDP (a connectionless protocol).
- Hackers have also invested a good deal of time and effort into improving their attack methods. Today, network users like us face techniques far more sophisticated than the traditional DDoS attack. These techniques let the attacker control an extremely large number of compromised computers (zombies) from a remote station simply by using the IRC protocol.

2.b - Spamming

- A botnet is an ideal tool for spammers. They have been, are and will be used both to exchange harvested e-mail addresses and to control the spam distribution mechanism in the same way as a DDoS attack. The spam is sent to the botnet, then distributed through the bots and from there sent out to the compromised computers. Every spammer remains anonymous, and the compromised computer bears all the consequences.

2.c - Sniffing and Keylogging

- Bots can also be used effectively to refine the classic art of sniffing. By watching the data traffic passing by, you can identify an unbelievable amount of transmitted information: user habits, TCP payloads and other interesting details (such as passwords and user names). The same goes for keylogging, which collects everything the user types on the keyboard (e-mail, passwords, banking data, PayPal accounts and so on).

2.d - Identity theft

- The methods described above let the attacker controlling a botnet collect an enormous amount of personal information. That data can be used to build fake identities, which are then exploited to gain access to personal accounts or to carry out other activities (possibly in preparation for further attacks), while the person who suffers the consequences is none other than the owner of that information.
27

Don Vn Duy - Cc k thut tn cng: DoS, DDoS, DRDoS & Botnet

2.e - S hu phn mm bt hp php


- y l hnh thc cui cng, nhng cha phi l kt thc. Cc my tnh b tn cng theo
kiu bot c th c dng nh mt kho lu tr ng ti liu bt hp php (phn mm n cp bn
quyn, tranh nh khiu dm,). D liu c lu tr trn cng trong khi ngi dng ADSL
khng h hay bit.
- Cn rt nhiu, rt nhiu kiu ng dng khc na c pht trin da trn botnet (nh tr
tin cho mi ln kch chut s dng mt chng trnh, phishing, hijacking kt ni
HTTP/HTTPS), nhng lit k ra c ht c l s phi mt hng gi. Bn thn bot ch l mt
cng c vi kh nng lp ghp v thch ng d dng cho mi hot ng i hi t quyn kim
sot n ln mt s lng ln my tnh.

IV.3 - Different kinds of bots

- Many kinds of bots have been built and are freely available for download all over the Internet. Each kind has its own special features. We will look at some of the most popular bots and discuss their main components and distinguishing elements.

3.a - GT-Bot
- All GT (Global Threat) bots are based on a popular IRC client for Windows called mIRC. The core of these bots is a set of mIRC scripts used to control the system's activity remotely. This kind of bot launches an enhanced client instance with the control scripts and uses a second application, usually HideWindows, to hide mIRC from the user of the target computer. An additional DLL file adds new features to mIRC so that the scripts can control many different aspects of the compromised machine.

3.b - Agobot
- Agobot is one of the most popular kinds of bot, often used by professional crackers. It is written in C++ and released under the GPL licence. What is interesting about Agobot is its source code. Highly modularised, Agobot makes it easy to add new functionality. It also offers many mechanisms for hiding on the user's computer. Agobot's main components include: NTFS Alternate Data Stream, Antivirus Killer (which kills antivirus programs) and a Polymorphic Encryptor Engine. Agobot provides traffic sorting and sniffing features. Protocols other than IRC can also be used to control this kind of bot.

3.c - DSNX
- Dataspy Network X (DSNX) is also written in C++ and its source code is licensed under the GPL. This kind of bot adds a new feature: a simple plug-in architecture.

3.d - SDBot
- SDBot is written in C and also uses the GPL licence. Unlike Agobot, this bot's source code is very clear and the software itself has a limited set of features. But SDBot is very popular and has been developed into many different variants.

IV.4 - Elements of an attack

Figure 1 shows the structure of a typical botnet:

Figure 1: Structure of a typical botnet

First, the attacker spreads a trojan horse to many different computers. These computers become zombies (machines under the attacker's control) and connect to an IRC server to listen for further commands.
The IRC server can be a public machine on one of the IRC networks, but it can also be a dedicated server that the attacker has installed on one of the compromised machines.
The bots running on the compromised computers together form a botnet.
A concrete example
The attacker's activity can be divided into four distinct phases:
+ Creation
+ Configuration
+ Attack
+ Control
- The Creation phase depends largely on the attacker's skill and requirements. A professional cracker may weigh writing their own bot code against simply extending or customising an existing one. The number of bots available is very large and they are highly configurable. Some even allow easier handling through a graphical interface. This phase is not difficult and is usually where newcomers start.
- The Configuration phase supplies the IRC server and channel information. Once installed on a controlled computer, the bot connects to the chosen host. The attacker first enters the data needed to restrict access to the bot, secures the channel and finally provides a list of authorised users (those who may control the bots). At this stage the bot can be tuned further, for example by defining the attack method and the target.
- The Attack phase uses various techniques to spread the bots, both direct and indirect. Direct methods exploit a vulnerability in the operating system or a service. Indirect methods usually deploy some other software for the dirty work, such as a malformed HTML file that exploits an Internet Explorer vulnerability, or other malware distributed over peer-to-peer networks or through DCC (Direct Client-to-Client) file exchange on IRC. Direct attacks are usually automated with worms. All these worms have to do is search subnets for vulnerable systems and inject the bot code. Each compromised system then carries on the attack program itself, allowing the attacker to save the resources used earlier and gain more time to look for other victims.
- The mechanism used to distribute bots is one of the main causes of what is called Internet background noise. Several main ports are used for Windows, specifically Windows 2000 and XP SP1 (see Table 1). These appear to be hackers' favourite targets, since it is very easy to find a Windows computer that is not fully patched or has no firewall installed. This situation is also very common among home computer users and small businesses, who often overlook security and are always connected to the Internet over broadband.
Port    Service
42      WINS (Host Name Server)
80      HTTP (IIS or Apache vulnerabilities)
135     RPC (Remote Procedure Call)
137     NetBIOS Name Service
139     NetBIOS Session Service
445     Microsoft-DS Service
1025    Windows Messenger
1433    Microsoft SQL Server
2745    Bagle worm backdoor
3127    MyDoom worm backdoor
3306    MySQL UDF (User Definable Functions)
5000    UPnP (Universal Plug and Play)

Table 1: Ports associated with vulnerable services


- The Control phase consists of the actions taken once the bot is installed on the host in a chosen directory. To start with Windows, the bot updates the registry, usually the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
- The first thing the bot does after a successful installation is connect to an IRC server and join the control channel using a password. The IRC nickname is generated randomly. The bot is then in a ready state, waiting for commands from the master application. The attacker must also use a password to connect to the botnet. This is necessary so that nobody else can use the botnet that has been set up.

- IRC not only provides a means of controlling hundreds of bots, it also lets the attacker use various techniques to hide their real identity. That makes responding to attacks difficult. Fortunately, by their very nature botnets always generate suspicious traffic, which makes them easy to detect through a number of known patterns or models. This helps IRC administrators detect and intervene in time, allowing them to dismantle botnets and the abuse they cause on their systems.
- Faced with this, attackers were forced to devise other approaches, refining the C&C (Command and Control) technique into what is called botnet hardening. In this newer technique, bots are usually configured to connect to several different servers through a dynamically mapped hostname. This lets the attacker move the bots to a new server easily and keep full control even when a bot is discovered. Dynamic DNS services such as dyndns.com and no-IP.com are often used in this kind of attack.
Dynamic DNS

- Dynamic DNS (as in RFC 2136) is a system that links a domain name to a dynamic IP address. Users who connect to the Internet via modem, ADSL or cable usually do not have a fixed IP address. When a user connects to the Internet, the Internet service provider (ISP) assigns an unused IP address taken from a chosen pool. This address is normally kept until the user ends that connection.
- This mechanism lets ISPs make the most of their IP address space, but it gets in the way of users who need to run some service over the Internet for an extended time without having a static IP address. Dynamic DNS was created to solve this problem. The provider supplies a dedicated program for the service, which signals the DNS database whenever the user's IP address changes.
- To hide their activity, the IRC channel is configured to restrict access and conceal what goes on. Typical IRC modes for a botnet channel are: +k (a key, or password, is required to join the channel); +s (the channel is not shown in the public channel list); +u (only operators are shown in the user list); +m (only users with voice status, +v, can send messages to the channel). Most expert attackers use private IRC servers and encrypt all communication on the control channel. They also tend to use personalised variants of IRC server software, configured to listen on non-standard ports and to use a modified version of the protocol, so that an ordinary IRC client cannot connect to the network.

IV.5 - Defending against botnets:

- Botnets are a growing threat, but we have many ways to counter them and reduce the damage they cause; we will introduce six fairly professional ways to fight back against botnets.

5.a - Hire a web filtering service

- Web filtering services are one of the best ways to fight bots. These services scan websites for abnormal behaviour or malicious code activity and block those sites from users.

- Websense, Cyveillance and FaceTime Communications are typical examples. All of them check the Internet in real time for websites suspected of dangerous activity, such as loading JavaScript and other tricks that fall outside the bounds of normal browsing. Cyveillance and Support Intelligence also offer services that notify website organisations and ISPs of detected malware, so that compromised servers can be repaired in time.

5.b - Switch browsers

- Another way to prevent bot infiltration is not to rely on a single browser. Internet Explorer and Mozilla Firefox are the two most popular browsers, and therefore the browsers on which malware concentrates its attacks. We can use Apple Safari, Google Chrome, Opera, Netscape, and so on. The same goes for operating systems. Statistically, Macs are safe from botnets because most of them target Windows. *nix family operating systems can also be used to keep out malware such as viruses, trojans, spyware and worms, since this malware runs only on the most popular operating system, Windows.

5.c - Disable scripts

- Another measure is to disable scripts in the browser altogether, though this can make life difficult for employees who use custom, web-based applications in their work.

5.d - Deploy intrusion detection and intrusion prevention systems
- Another method is to tune IDS and IPS so that they can look for botnet-like activity.
- For example, a computer that unexpectedly shows up on Internet Relay Chat is definitely suspicious. The same goes for connections to distant IP addresses or to invalid DNS addresses. Although this is hard to detect, there is another tell-tale sign: a sudden surge in SSL traffic from a computer, especially on unusual ports. That may mean a botnet's control channel has been activated.

- This is why we need an IPS that checks for abnormal behaviour and raises alerts on HTTP-based attacks, remote procedure call attacks, Telnet, address resolution protocol spoofing and other attacks. We should note, however, that many IPS sensors use signature-based detection, which means attacks are only added to the database once they have been discovered. IPS signatures must therefore be updated promptly to recognise these attacks; otherwise the detector loses its value.
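The indicators listed in this section (an unexpected IRC connection, a surge of SSL/TLS on an unusual port) together with the dynamic DNS hostnames named in the C&C hardening section above, applied to log lines; this is an added example, not code from the original document. The key=value log format, the IRC and TLS port lists and the sample lines are assumptions constructed for the example.

```python
import re

# Constructed log lines in an assumed "key=value" format (not a real product's).
SAMPLE_LOG = """\
2024-05-01T09:00:01 host=10.0.0.7 type=conn dst=203.0.113.5 dport=443 app=tls
2024-05-01T09:00:02 host=10.0.0.7 type=dns query=www.example.com
2024-05-01T09:00:03 host=10.0.0.8 type=conn dst=198.51.100.9 dport=6667 app=irc
2024-05-01T09:00:04 host=10.0.0.8 type=dns query=cnc-host.no-ip.com
2024-05-01T09:00:05 host=10.0.0.9 type=conn dst=198.51.100.20 dport=31337 app=tls
2024-05-01T09:00:06 host=10.0.0.9 type=conn dst=198.51.100.20 dport=80 app=http
"""

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}          # usual IRC ports (assumption)
EXPECTED_TLS_PORTS = {443, 465, 563, 636, 993, 995, 8443}  # where TLS is normal here
# Dynamic DNS providers named in the text; extend with others seen in your environment.
DYNAMIC_DNS_SUFFIXES = (".dyndns.com", ".no-ip.com")

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of its key=value fields (timestamp ignored)."""
    return dict(KV.findall(line))


def botnet_indicators(log_text):
    """Return (host, indicator, detail) tuples for lines matching one of the
    signs of bot activity described in the text."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_line(line)
        host = f["host"]
        if f["type"] == "conn":
            port = int(f["dport"])
            if f.get("app") == "irc" or port in IRC_PORTS:
                alerts.append((host, "irc-connection", f"{f['dst']}:{port}"))
            if f.get("app") == "tls" and port not in EXPECTED_TLS_PORTS:
                alerts.append((host, "tls-on-unusual-port", f"{f['dst']}:{port}"))
        elif f["type"] == "dns":
            query = f["query"].lower()
            if query.endswith(DYNAMIC_DNS_SUFFIXES):
                alerts.append((host, "dynamic-dns-lookup", query))
    return alerts


def hosts_to_investigate(log_text):
    """Internal hosts with at least one indicator, for analyst follow-up."""
    return sorted({host for host, _, _ in botnet_indicators(log_text)})
```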

5.e - Protect user-generated content

- Your own website operations must also be protected so that they do not become unwitting accomplices of malware writers. Public blogs and company forums should be restricted to text only.
- If your site needs to let members exchange files, it must be configured to allow only a limited set of file types that are considered safe, for example files with the .jpeg or .mp3 extensions. (Even so, malware writers have begun targeting MP3 listeners too.)

5.f - Use software tools

- If you find that a computer is infected and there is no good way for the system to deal with the situation, you need not worry, because companies such as Symantec claim they can detect and clean even the most dangerous rootkit infections. The company introduced a new technology in Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass the Windows File System API, a component controlled by the operating system that a rootkit can subvert. VxMS accesses the raw files of the Windows NT File System directly. Other antivirus vendors also working against rootkits include McAfee and F-Secure.

V - Conclusion:

- Overall, denial-of-service attacks are not very hard to carry out, but they are very hard to defend against, because they come without warning and the defence is usually reactive, after the fact. Responding by adding hardware is also a good solution, but continuous monitoring to detect and promptly block IP packets from untrusted sources is the most effective measure.
- Depending on the specific architecture and scale of the system, different protection and defence measures apply.
- The techniques above are, and remain, a serious threat to the global Internet. A great deal of work and preparation is needed to get them under control. We must take concrete and stronger steps together to contain this kind of attack.
