
I. Overview of Smurf

1. History of Smurf



One variant of the flooding DoS attack is the Smurf amplification attack: the attacker directs agents or clients to send messages to an IP broadcast address, causing every host in that subnet to send messages to the target's service system. This method generates unnecessary traffic and exhausts the target's bandwidth.

Smurf is the name of the first program to successfully apply the technique of flooding by means of broadcast and ping packets. (The name comes from the comic-strip characters of the Belgian artist Peyo, known in the Vietnamese translation as "Xì Trum": 101 tiny blue-skinned creatures.)

2. Introduction to the principle behind Smurf

Smurf works by generating a flood of ICMP (ping) traffic to the broadcast addresses of many networks, with the source address set to the target of the attack. Note that a ping is a two-way exchange: when host A pings host B, B replies and the exchange is complete. If I ping the broadcast address of some network, every host in that network replies to me. But if I change the source address to that of host C and then ping the broadcast address of some network, every host in that network replies to C rather than to me, and that is a Smurf attack. A Smurf attack involves three parties: the hacker (who launches the attack), the amplifier network (which unwittingly carries out the hacker's command) and the victim's system.

The hacker sends ICMP packets to the broadcast address of the amplifier network. What is special is that these ICMP packets carry the victim's IP address as their source address. When the packets reach the amplifier network's broadcast address, the hosts in the amplifier network believe the victim sent the ICMP packets, and all of them reply at once by sending ICMP reply packets to the victim's system.

As a result, the victim's system cannot cope with the enormous volume of these packets and quickly stops working, crashes or reboots, and is unable to serve other requests.

The process is amplified when the ping replies come from a network of interconnected hosts (a bot network). Thus only a small number of ICMP packets need to be sent; the amplifier network multiplies them many times over. The amplification ratio depends on the number of hosts in the amplifier network. The hacker's task is to gain control of as many networks or routers as possible that forward packets directly to the broadcast address without filtering source addresses at their egress. With such systems in hand, the hacker can easily carry out a Smurf attack against the intended targets.
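The following Python script is an added example, not part of the original document: it shows how a border router's packet log can be checked for the Smurf signature described above (ICMP echo requests addressed to a subnet's directed-broadcast address) and how large the resulting amplification would be. The subnets and the packet records are constructed for this example.

```python
"""Spot ICMP echo requests aimed at a subnet's directed-broadcast address.
Such packets arriving at a border router mean the network is being used as
a Smurf amplifier; the (spoofed) source address is the real victim."""
import ipaddress
from collections import Counter

ICMP_ECHO_REQUEST = 8

# Subnets behind the router (assumed for this example).
LOCAL_SUBNETS = [ipaddress.ip_network("10.10.10.0/24"),
                 ipaddress.ip_network("192.168.5.0/25")]

# Constructed packet summaries: (source IP, destination IP, ICMP type).
SAMPLE_PACKETS = [
    ("203.0.113.7", "10.10.10.255", 8),   # echo request to broadcast
    ("203.0.113.7", "10.10.10.255", 8),   # ... repeated
    ("10.10.10.42", "10.10.10.1", 8),     # ordinary unicast ping: benign
    ("203.0.113.7", "192.168.5.127", 8),  # broadcast address of the /25
    ("10.10.10.1", "10.10.10.42", 0),     # unicast echo reply: benign
    ("198.51.100.9", "10.10.10.0", 8),    # network address: old stacks answer it
]

def broadcast_targets(subnets):
    """Map each subnet's broadcast and network address to the subnet."""
    table = {}
    for net in subnets:
        table[net.broadcast_address] = net
        table[net.network_address] = net   # BSD-style stacks reply to this too
    return table

def find_amplifier_abuse(packets, subnets=LOCAL_SUBNETS):
    """Return {spoofed source (victim): estimated number of echo replies}.

    Every echo request to a broadcast address may be answered by all hosts of
    that subnet, so each request adds the subnet's usable host count; the
    ratio of that total to the requests seen is the amplification factor.
    """
    targets = broadcast_targets(subnets)
    estimate = Counter()
    for src, dst, icmp_type in packets:
        dst_ip = ipaddress.ip_address(dst)
        if icmp_type == ICMP_ECHO_REQUEST and dst_ip in targets:
            estimate[src] += targets[dst_ip].num_addresses - 2
    return dict(estimate)

if __name__ == "__main__":
    for victim, replies in find_amplifier_abuse(SAMPLE_PACKETS).items():
        print(f"{victim}: up to {replies} echo replies will be sent to this host")
```

Three requests from the sample produce up to 634 replies for 203.0.113.7, which is why the text insists that the amplifier network, not only the victim, must be fixed.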

III. Countermeasures

Dealing with Smurf is a real problem, and no individual can solve it alone; it requires a community (one tree alone does not make a hill, but three trees together make a high mountain). Every individual, company and organisation must know how to configure its own systems so that they cannot be turned into an amplifier network. When under attack, companies and individuals should coordinate with their ISP to limit ICMP traffic and strengthen countermeasures. Tracing an attack of this kind is very difficult, but not impossible.

To avoid being turned into an amplifier network, disable the directed-broadcast function on your router:

+ For Cisco routers: disable it with the command no ip directed-broadcast
+ For other equipment, consult the vendor's documentation
+ Solaris: add the following line to /etc/rc2.d/S69inet: ndd -set /dev/ip ip_respond_to_echo_broadcast 0
+ Linux: apply a kernel-level firewall through ipfw. Compile firewall support into the kernel and then run the following commands:

    ipfwadm -I -a deny -P icmp -D 10.10.10.0 -S 0/0 0 8
    ipfwadm -I -a deny -P icmp -D 10.10.10.255 -S 0/0 0 8

Until the Smurf attack became widespread, the SYN flood attack (abbreviated here as SFA) was the most destructive. PANIX is a typical example of the damage an SFA can do. When two systems establish a TCP connection, they must handshake in three steps (the three-way handshake):

    1. client ------------ SYN sent from client ----------------> server
    2. client <----------- SYN/ACK sent from server ------------- server
    3. client ------------ ACK sent from client ----------------> server

Only after these three steps is the connection established between the two systems. Under normal circumstances, a SYN packet travels from a specific port on system A to a specific port on system B that is in the LISTEN state. At this point the connection on system B is in the SYN_RECV state. In this phase system B tries to send a SYN/ACK packet back to system A. If all goes well, system A returns an ACK packet and the connection moves to the ESTABLISHED state. Although this mechanism usually works without problems, it has an inherent weakness that an attacker can exploit to cause a DoS. The problem is that most systems allocate a fixed amount of resources for each potential, not yet fully established connection (SYN_RECV). Although a system may accept hundreds of connections on a specific port (for example port 80), only about ten connection requests are enough to exhaust the resources allocated for connection setup. This is exactly the point the attacker exploits to disable the system. The attacker (system A) sends SYN packets to the victim (system B) while forging the IP address of system C (a system C that does not actually exist). How will system B handle this? System B sends a SYN/ACK packet to system C. If system C existed, it would send an RST packet to system B (because it did not initiate the connection). But the attacker would never forge the IP of an existing system, so system B never receives the RST from system C. System B therefore places this connection in its queue (SYN_RECV). Because the connection queue is usually very small, the attacker only needs to send a few SYN packets; within about ten seconds a port can be completely disabled:

To find out whether you are under a SYN flood attack, you can run netstat -a; if you see many connections in the SYN_RECV state, you are being attacked. Some solutions:

- Increase the size of the connection queue
- Reduce the connection-establishment timeout
- Mitigate SYN flood attacks with software
- A network IDS
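As an added example (not part of the original document), the Python below automates the netstat -a check just described: it counts half-open SYN_RECV connections per local port and reports ports whose count reaches a threshold. The netstat output is a constructed sample, and the threshold value is an assumption for the example.

```python
"""Count half-open (SYN_RECV) connections per local port from netstat output.
Many SYN_RECV entries on one port, from peers that never complete the
handshake, is the pattern the text describes for a SYN flood."""
from collections import Counter, defaultdict

# Constructed sample of `netstat -an` output on Linux (not a real capture).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.17:51321      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.18:51322      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.19:51323      SYN_RECV
tcp        0      0 10.0.0.5:80             203.0.113.20:51324      SYN_RECV
tcp        0      0 10.0.0.5:80             198.51.100.4:40210      ESTABLISHED
tcp        0      0 10.0.0.5:22             198.51.100.4:40001      ESTABLISHED
tcp        0      0 10.0.0.5:25             192.0.2.9:33000         SYN_RECV
"""

def parse_netstat(text):
    """Yield (local_port, remote_ip, state) for each TCP line; skip the header."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        local, remote, state = fields[3], fields[4], fields[5]
        yield int(local.rsplit(":", 1)[1]), remote.rsplit(":", 1)[0], state

def half_open_by_port(text):
    """Return {port: (syn_recv_count, distinct_remote_ips)}."""
    counts = Counter()
    remotes = defaultdict(set)
    for port, remote_ip, state in parse_netstat(text):
        if state == "SYN_RECV":
            counts[port] += 1
            remotes[port].add(remote_ip)
    return {p: (counts[p], len(remotes[p])) for p in counts}

def suspect_ports(text, threshold=3):
    """Ports whose half-open count reaches the threshold (assumed default 3).
    A high count with as many distinct, non-responding peers points to spoofed
    sources rather than a handful of slow clients."""
    return sorted(p for p, (n, _) in half_open_by_port(text).items() if n >= threshold)

if __name__ == "__main__":
    for port, (n, peers) in sorted(half_open_by_port(SAMPLE_NETSTAT).items()):
        print(f"port {port}: {n} half-open from {peers} peers")
    print("suspect ports:", suspect_ports(SAMPLE_NETSTAT))
```

On a real host the threshold should be set relative to the listen backlog of the service, since the text notes that even a dozen half-open entries can exhaust a small connection queue.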
