- A DoS attack is an attack in which one person or a group makes a system unusable, or makes it significantly slower for its normal users, by overloading the system's resources.
- If the attackers cannot break into a system, they try to find a way to make it crash so that it can no longer serve its normal users; this is a Denial of Service (DoS) attack.

1. Smurf Attack
- The culprit generates a large number of ICMP (ping) packets to the broadcast addresses of many networks, with the source address set to the target of the attack.
* Note that a ping to an address is a two-way process: when host A pings host B, B replies to A and the exchange is complete. When an attacker pings the broadcast address of some network, every host on that network replies to the attacker. If the attacker instead forges the source address to be host C and pings the broadcast address of a network, every host on that network replies to C rather than to the attacker; that is the Smurf attack.
- As a result the target receives an enormous burst of ICMP reply packets, which drops or slows down its network until it can no longer respond to other services.
- The effect is amplified when the ping replies come from several interconnected networks (a BOT network). The figure shows a DoS attack of the Smurf type, using ICMP packets to flood out all other communication.
Figure 4.3 Smurf attack

Defending against Smurf: we will not accept packets from broadcast addresses at our firewall server. First we configure the firewall server to accept sending and receiving ICMP packets:
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
Then we can block ICMP echo-request messages sent to the broadcast address of the whole network by enabling the following kernel setting:
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
Also do not accept ICMP redirect messages.
After enabling the settings above, we go to the iptables configuration and add the following rules:
iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 255.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 208.13.201.2 -j LOG --log-prefix "Spoofed Woofgang!"
iptables -A INPUT -s 208.13.201.2 -j DROP

2. ICMP Attack
Among ICMP attacks, one of the most common is the ICMP flood. In an ICMP flood the attacker uses a program that continuously sends ICMP echo-request packets to our system; if the number of packets is large enough, the system cannot keep up with replying, and it hangs or freezes.
Figure 4.4 ICMP FLOOD

Defending against ICMP flood: we limit the ICMP echo-request packets reaching our system with the following rules:
iptables -N icmp-flood
iptables -A INPUT -i eth1 -p icmp -s 0/0 -j icmp-flood
iptables -A icmp-flood -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A icmp-flood -j LOG --log-prefix "icmp-flood-detected"
iptables -A icmp-flood -j DROP
--limit 1/s: the maximum average packet rate, 1 per second.
--limit-burst 20: the maximum initial burst of packets allowed, 20.
After configuring, we save the rules with
service iptables save
and restart the iptables service with
service iptables restart
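As an added example (not part of the original document), the following POSIX shell script models the limit match used in the icmp-flood chain as a token bucket, so the effect of --limit 1/s with --limit-burst 20 on a constructed burst of packets can be seen; the same model applies to the udp-flood and CHECK_SYNFLOOD chains later in the text. The packet timestamps and the helper names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: token-bucket model of "-m limit --limit 1/s --limit-burst 20".
# The bucket starts full (burst tokens) and refills at <rate> tokens per second.
# A packet matches (-j RETURN, i.e. it is let through) only if a whole token is
# available; otherwise it falls through to the LOG and DROP rules of the chain.
# Input: packet arrival times in milliseconds, one per line, on stdin.
# Output: "<passed> <logged_and_dropped>"
limit_sim() {
    rate="$1"   # the --limit value in packets per second
    burst="$2"  # the --limit-burst value
    awk -v rate="$rate" -v burst="$burst" '
        BEGIN { tokens = burst; last = 0; pass = 0; drop = 0 }
        {
            t = $1 + 0
            tokens += (t - last) / 1000 * rate   # refill for the elapsed time
            if (tokens > burst) tokens = burst   # never above the burst cap
            last = t
            if (tokens >= 1) { tokens -= 1; pass++ } else { drop++ }
        }
        END { printf "%d %d\n", pass, drop }'
}

# Constructed flood: 100 packets in the first second (one every 10 ms),
# then one packet per second for five more seconds.
flood_sample() {
    i=0
    while [ "$i" -lt 100 ]; do echo $((i * 10)); i=$((i + 1)); done
    for s in 2 3 4 5 6; do echo $((s * 1000)); done
}

# Constructed well-behaved client: ten packets exactly one second apart.
steady_sample() {
    for s in 0 1 2 3 4 5 6 7 8 9; do echo $((s * 1000)); done
}

flood_result()  { flood_sample  | limit_sim 1 20; }   # prints "25 80"
steady_result() { steady_sample | limit_sim 1 20; }   # prints "10 0"

flood_result
steady_result
```

Only the first 20 packets of the burst pass and then one per second, exactly as the text describes; note that the limit match as written keeps a single bucket for the whole chain rather than one per source, so during a flood legitimate clients share the same 1 packet per second allowance.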
3. Land Attack
In this attack a TCP SYN packet is sent with the same source address, destination address and port number. When a host receives this abnormal traffic it usually slows down or hangs completely, because it keeps trying to open a connection to itself in an endless loop.
Enable reverse-path source-address validation to protect against spoofing of an IP address on the network:
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
4. UDP Flood
In UDP flooding the attacker sends a large number of UDP packets to our server on random ports. When our system receives a large number of UDP packets, it checks which application is listening on the destination port. When it finds that no application is listening, it generates ICMP destination unreachable packets to the spoofed source address. If the system sends out too many such packets it is gradually flooded.
Defending against UDP flooding: we limit the UDP packets reaching our system with the following rules:
iptables -N udp-flood
iptables -A INPUT -i eth1 -p udp -m udp ! --sport 53 -j udp-flood
iptables -A udp-flood -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A udp-flood -j LOG --log-prefix "udp-flood-detected"
iptables -A udp-flood -j DROP
With the rule set above, UDP packets arriving at the firewall from any source port other than 53 are passed to the udp-flood chain for inspection. The firewall accepts the first 20 UDP packets; beyond that it limits the rate to 1 UDP packet per second into the system, and the remaining packets are logged and dropped.
5. SYN Flood Attack
A SYN flood is a denial-of-service (DoS) attack in which the attacker sends SYN connection packets to the system. It is a very common type of attack. It is dangerous if the system allocates resources as soon as it receives a SYN packet from the attacker and before it receives the ACK. If the server is forced to allocate resources to manage a connection whose 3-way handshake has not completed (a half-open connection), the attacker can exhaust the server's resources by "flooding" it with SYN packets. SYN flood is a common attack, and it can be mitigated with the following iptables commands:

Figure 4.7 Syn Flood Attack

First we enable the syncookie protection mechanism:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
The backlog queue is a large memory structure used to hold SYN connection requests until the 3-way handshake completes. The operating system allocates a portion of system memory for each incoming connection request. The backlog queue determines how many half-open connections can be handled at the same time. When the number of incoming connection requests reaches the maximum of the backlog queue, further connection requests are not processed. So, to limit the impact of a SYN flood, we adjust the operating system's protection parameters as follows:
* Increase the size of the backlog queue so it can handle more connection requests.
* Minimize the time that "connections waiting to be processed" occupy the memory the OS allocated for them in the backlog queue.
* Increase the backlog queue size to 2048:
# sysctl -w net.ipv4.tcp_max_syn_backlog="2048"
* Reduce the connection-request processing time to 45s, 21s, 9s:
# sysctl -w net.ipv4.tcp_synack_retries=9
# sysctl -w net.ipv4.tcp_syn_retries=9
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route
tcp_syncookies=1: enables Linux's protection against SYN DoS via syncookies.
tcp_fin_timeout=10: sets the timeout for closing a TCP connection to 10 seconds.
tcp_keepalive_time=1800: sets the TCP keepalive time to 1800 seconds.
Then we add the following rules to iptables:
iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A CHECK_SYNFLOOD -j LOG --log-prefix "SYNFLOOD"
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth1 -p tcp --syn -j CHECK_SYNFLOOD
With this rule set we create a chain named CHECK_SYNFLOOD, which checks whether the TCP SYN packets arriving at the firewall server are a SYN flood: the system accepts the first 20 SYN packets, after which it limits SYN packets to 1 per second; any SYN packets beyond that are dropped and recorded in the log with the identifier SYNFLOOD and the action DROP.
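As an added example that is not part of the original document, the following POSIX shell script summarises the kernel LOG entries that the rules in this chapter produce, counting hits per log prefix and per source address, so a flood or spoofing episode can be triaged from syslog. The log lines, the host name fw and the addresses are constructed (RFC 5737 documentation ranges); the line layout follows the kernel's usual netfilter LOG format, and the prefixes are matched exactly as the rules define them.

```shell
#!/bin/sh
# Added example: summarise the LOG entries written by the chapter's rules
# (prefixes "Spoofed source IP!", "Spoofed Woofgang!", "icmp-flood-detected",
# "udp-flood-detected" and "SYNFLOOD") by prefix and source address.
# The prefixes carry no trailing space, so "IN=" follows them directly.
PREFIX_RE='Spoofed source IP!|Spoofed Woofgang!|icmp-flood-detected|udp-flood-detected|SYNFLOOD'

# Input: syslog/dmesg lines on stdin. Output: "<count> <prefix> <SRC>", most frequent first.
flood_log_summary() {
    awk -v re="$PREFIX_RE" '
        match($0, re) {
            prefix = substr($0, RSTART, RLENGTH)
            if (match($0, /SRC=[0-9.]+/)) {
                src = substr($0, RSTART + 4, RLENGTH - 4)
                n[prefix " " src]++
            }
        }
        END { for (k in n) print n[k], k }' | LC_ALL=C sort -k1,1nr -k2
}

# Output: "<count> <SRC>" for the single noisiest source across all prefixes.
flood_top_source() {
    flood_log_summary | awk '{ n[$NF] += $1 } END { for (s in n) print n[s], s }' \
        | LC_ALL=C sort -k1,1nr -k2 | head -n 1
}

# Constructed sample log: four SYN-flood hits from one source, an ICMP flood
# and a UDP flood from another, and one packet with a spoofed private source.
sample_log() {
    cat <<'EOF'
Mar  3 10:12:01 fw kernel: SYNFLOODIN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=80 SYN
Mar  3 10:12:01 fw kernel: SYNFLOODIN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=80 SYN
Mar  3 10:12:02 fw kernel: SYNFLOODIN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=80 SYN
Mar  3 10:12:02 fw kernel: SYNFLOODIN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=80 SYN
Mar  3 10:12:02 fw kernel: icmp-flood-detectedIN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:12:03 fw kernel: icmp-flood-detectedIN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0
Mar  3 10:12:03 fw kernel: Spoofed source IP!IN=eth1 OUT= SRC=10.0.0.5 DST=198.51.100.2 PROTO=UDP SPT=53 DPT=1024
Mar  3 10:12:04 fw kernel: udp-flood-detectedIN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=5555 DPT=9
EOF
}

sample_log | flood_log_summary
sample_log | flood_top_source
```

On a live firewall, feed it the kernel log instead of the sample (for example the output of dmesg or the kernel facility of syslog); because the LOG targets sit after the limit match, every counted line is a packet that was also dropped.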