
Defending Against Denial of Service (DoS) Attacks

- A DoS attack is a type of attack in which one person or a group renders a system unusable, or slows it down significantly for normal users, by overloading the system's resources.
- If attackers are unable to penetrate the system, they try to make it crash so that it can no longer serve normal users; this is a Denial of Service (DoS) attack.

1. Smurf Attack

- The attacker generates a large amount of ICMP (ping) traffic to the broadcast addresses of many networks, with the source address set to the target of the attack.
* Note that a ping is a two-way process: when machine A pings machine B, B replies and the exchange is complete. When an attacker pings the broadcast address of a network, every machine in that network replies. If the attacker instead forges the source address as machine C and pings the broadcast address of some network, every machine in that network replies to machine C rather than to the attacker; this is a Smurf attack.
- As a result, the target receives an enormous volume of ICMP reply packets, which causes its network to drop out or slow down so that it can no longer respond to other services.
- The effect is amplified when the ping replies come from many interconnected networks (a botnet). The figure shows a DoS attack in its Smurf form, where ICMP packets flood out other communications.

Figure 4.3 Smurf attack

Defending against Smurf: we will not accept packets from broadcast addresses at our Firewall Server. First we configure the Firewall Server to accept sending and receiving ICMP packets:

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

Then we can block ICMP echo-request messages broadcast to the whole network by enabling this setting:

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

Do not accept ICMP redirect messages:

echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

Do not send ICMP redirect messages:

echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

After enabling the settings above, go to the iptables configuration and add the following rules:

iptables -A INPUT -s 255.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 255.0.0.0/8 -j DROP
iptables -A INPUT -s 0.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 0.0.0.0/8 -j DROP
iptables -A INPUT -s 127.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -s 192.168.0.0/16 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 192.168.0.0/16 -j DROP
iptables -A INPUT -s 172.16.0.0/12 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 172.16.0.0/12 -j DROP
iptables -A INPUT -s 10.0.0.0/8 -j LOG --log-prefix "Spoofed source IP!"
iptables -A INPUT -s 10.0.0.0/8 -j DROP
iptables -A INPUT -s 208.13.201.2 -j LOG --log-prefix "Spoofed Woofgang!"
iptables -A INPUT -s 208.13.201.2 -j DROP

2. ICMP Attack

Among ICMP attacks, one of the most common forms is the ICMP flood. In an ICMP flood, the attacker uses a program to send ICMP echo-request packets to our system continuously; if the number of packets is too large, the system cannot reply in time, and it hangs or crashes.

Figure 4.4 ICMP FLOOD

Defending against ICMP flood: we limit the ICMP echo-request packets reaching our system with the following set of commands:

iptables -N icmp-flood
iptables -A INPUT -i eth1 -p icmp -s 0/0 -j icmp-flood
iptables -A icmp-flood -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A icmp-flood -j LOG --log-prefix "icmp-flood-detected"
iptables -A icmp-flood -j DROP

--limit 1/s: the maximum average packet rate is 1 per second.
--limit-burst 20: the maximum initial number of packets allowed is 20.

After configuring, we save the rules with

service iptables save

and restart the iptables service with

service iptables restart
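The --log-prefix rules in this section write their hits to the kernel log, where iptables prints the prefix immediately before "IN=" (a prefix without a trailing space runs straight into it). As an added example, not from the document, here is a small Python parser that counts those hits per prefix, source address and protocol over constructed sample lines (documentation IP ranges, not real traffic).

```python
import re
from collections import Counter

# Constructed sample of kernel LOG output from the rules in this section.
# Note the prefix runs straight into "IN=" when it has no trailing space.
SAMPLE_LOG = """\
Jan 12 10:15:03 fw kernel: Spoofed source IP!IN=eth1 OUT= SRC=10.0.0.7 DST=198.51.100.10 LEN=60 TTL=64 ID=0 DF PROTO=TCP SPT=44321 DPT=80 SYN URGP=0
Jan 12 10:15:04 fw kernel: icmp-flood-detectedIN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=84 TTL=54 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=21
Jan 12 10:15:04 fw kernel: icmp-flood-detectedIN=eth1 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=84 TTL=54 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=22
Jan 12 10:15:05 fw kernel: SYNFLOODIN=eth1 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=49 ID=0 DF PROTO=TCP SPT=51000 DPT=443 SYN URGP=0
Jan 12 10:15:06 fw kernel: eth1: link is up
"""

# Lazily capture everything between "kernel: " and "IN=" as the prefix.
LOG_RE = re.compile(
    r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=\S* .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\S+)"
)


def summarize(log_text):
    """Count firewall LOG hits keyed by (prefix, source IP, protocol)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:  # lines without IN=/SRC=/PROTO= are not iptables LOG output
            hits[(m["prefix"].strip(), m["src"], m["proto"])] += 1
    return hits


def noisy_sources(hits, threshold=2):
    """Sources whose hits across all prefixes reach the threshold, busiest first."""
    per_src = Counter()
    for (_prefix, src, _proto), n in hits.items():
        per_src[src] += n
    return [(src, n) for src, n in per_src.most_common() if n >= threshold]


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for key, n in sorted(hits.items()):
        print(n, *key)
    print("noisy:", noisy_sources(hits))
```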

3. Land Attack

In this type of attack, a TCP SYN packet is sent with the same source address, destination address and port number. When a host receives this abnormal traffic, it usually slows down or hangs completely, because it tries to initiate a connection with itself in an endless loop.

Figure 4.5 Land Attack

Defending against Land Attack

Enable source-address validation to protect against spoofing of an IP address in the network:

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

4. UDP Flood

In UDP flooding, the attacker sends a large number of UDP packets to our server on random ports. When our system receives this volume of UDP packets, it determines which application is listening on the destination port. When it finds that no application is listening, it generates a large number of ICMP destination unreachable packets to the spoofed source address. If the system sends out too many such packets, it is gradually flooded.

Figure 4.6 UDP FLOOD

Defending against UDP flooding: we limit the UDP packets reaching our system with the following set of commands:

iptables -N udp-flood
iptables -A INPUT -i eth1 -p udp -m udp ! --sport 53 -j udp-flood
iptables -A udp-flood -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A udp-flood -j LOG --log-prefix "udp-flood-detected"
iptables -A udp-flood -j DROP

With the rules above, UDP packets from any source port other than 53 that arrive at the firewall are passed to the udp-flood chain for checking. The firewall accepts only the first 20 UDP packets; beyond that it limits acceptance to 1 UDP packet per second into the system, and the remaining packets are logged and dropped.

5. SYN Flood Attack

A SYN flood is a form of denial of service (DoS) attack in which the attacker sends SYN connection packets to the system. It is a very common type of attack. It is dangerous if the system allocates resources as soon as it receives the SYN packet from the attacker, before the ACK arrives. If the connection setup has not completed all 3 steps (a half-open connection) but the server is still forced to allocate resources to track it, the attacker can exhaust the server's resources by flooding it with SYN packets. SYN flood is a common form of attack, and it can be blocked with the following iptables commands:

Figure 4.7 Syn Flood Attack

First we enable the syncookie protection mechanism:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

The backlog queue is a large memory structure used to hold SYN connection-request packets until the 3-way handshake completes. The operating system allocates part of system memory for each incoming connection request. The size of the backlog queue determines how many half-open connections can be handled at once. When the number of incoming connection requests reaches the backlog queue maximum, further connection requests are not processed. So, to limit the impact of a SYN flood, we adjust the operating system's protection parameters:

* Increase the size of the backlog queue so that more connection requests can be handled.
* Minimize the time that connections waiting to be processed remain in the backlog queue occupying memory allocated by the OS.
* Increase the backlog queue size to 2048:

sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

* Reduce the connection request processing time to 45s, 21s, 9s:

sysctl -w net.ipv4.tcp_synack_retries=9
sysctl -w net.ipv4.tcp_syn_retries=9
echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 0 > /proc/sys/net/ipv4/conf/eth1/accept_source_route

tcp_syncookies=1 enables Linux's SYN-DoS protection via syncookies.
tcp_fin_timeout=10 sets the timeout for closing a TCP connection to 10 seconds.
tcp_keepalive_time=1800 sets the TCP keepalive time to 1800 seconds.

Then we add the following rules to iptables:

iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit 1/s --limit-burst 20 -j RETURN
iptables -A CHECK_SYNFLOOD -j LOG --log-prefix "SYNFLOOD"
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth1 -p tcp --syn -j CHECK_SYNFLOOD

With the rules above we create a chain named CHECK_SYNFLOOD that checks whether the TCP SYN packets arriving at the Firewall Server constitute a SYN flood: the system accepts only the first 20 SYN packets, after which it limits SYN packets entering the system to 1 per second; any further SYN packets are dropped and written to the log with the identifier SYNFLOOD and the action DROP.
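As an added example (not code from the document), the following Python model reproduces the token-bucket behaviour of "-m limit --limit 1/s --limit-burst 20", which the icmp-flood, udp-flood and CHECK_SYNFLOOD chains above all rely on, and shows which packets of a constructed arrival sequence would be RETURNed versus logged and dropped. The timestamps and the log line format are constructed, not real firewall output.

```python
class LimitMatch:
    """Token-bucket model of iptables '-m limit --limit R --limit-burst B'.

    The bucket starts full with B tokens and refills at R tokens per second.
    A packet matches (here '-j RETURN', i.e. accepted) only if a token is
    available; otherwise it falls through to the LOG and DROP rules.
    """

    def __init__(self, rate_per_s=1.0, burst=20):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)  # bucket starts full
        self.last_t = 0.0

    def match(self, t):
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (t - self.last_t) * self.rate)
        self.last_t = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(timestamps, prefix="SYNFLOOD", rate_per_s=1.0, burst=20):
    """Feed packet arrival times (seconds, ascending) through a flood chain.

    Returns (accepted, dropped, log_lines): how many packets were RETURNed,
    how many hit LOG + DROP, and one constructed log line per dropped packet.
    """
    lm = LimitMatch(rate_per_s, burst)
    accepted = dropped = 0
    log_lines = []
    for t in timestamps:
        if lm.match(t):
            accepted += 1
        else:
            dropped += 1
            log_lines.append(f"{prefix} t={t:.2f} action=DROP")
    return accepted, dropped, log_lines


if __name__ == "__main__":
    # Constructed scenario: 100 SYNs within the first second (a flood),
    # 30 s of silence, then 20 SYNs in 0.2 s (a legitimate burst).
    flood = [i / 100 for i in range(100)]
    later = [31 + i / 100 for i in range(20)]
    acc, drp, logs = run_chain(flood + later)
    print(f"accepted={acc} dropped={drp}")  # accepted=40 dropped=80
```

The flood consumes the 20-token burst and is then throttled to 1 packet per second, while the quiet 30 s refills the bucket so the later legitimate burst passes untouched.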