{"id":407,"date":"2016-04-28T20:52:00","date_gmt":"2016-04-28T12:52:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=407"},"modified":"2024-06-14T10:40:12","modified_gmt":"2024-06-14T02:40:12","slug":"dos-and-ddos","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/407","title":{"rendered":"DoS and DDoS"},"content":{"rendered":"\n<h3 class=\"wp-block-heading\">Attack characteristics<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A host that is holding a large number of incomplete (half-open) connections can no longer respond to real traffic<\/li>\n\n\n\n<li>Exploits weaknesses in the original design of the TCP\/IP protocols<\/li>\n\n\n\n<li>Keeps sending large volumes of packets, or specially malformed packets, to cripple a service on the target host: in the mild case the service stops, in the severe case the host crashes<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Attack goals<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Render a network or computer incapable of providing normal service<\/li>\n\n\n\n<li>Warn or threaten the other party<\/li>\n\n\n\n<li>After a successful DoS, replace the victim's site with a fake one so that clients connect to it<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Attack types by number of sources<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DoS attack: one-to-one<\/li>\n\n\n\n<li>DDoS attack: many-to-one<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>DoS (Denial-of-Service)<\/strong><\/h2>\n\n\n\n<p><strong>DoS attack 
techniques<\/strong><br>Common techniques:<br><strong>Multiply the packet count through a broadcast address<\/strong><br>Description: spoof the victim's address and send many packets to a broadcast address so that they are delivered to every host on the segment; every host replies to the spoofed source, which receives an enormous volume of packets<br>Includes smurf, fraggle (UDP flooding)<br><strong>Send packets the target cannot process normally, so that it crashes<\/strong><br>Includes ping of death, teardrop, land<br><strong>Tie up connections to exhaust the target's resources so that it cannot serve<\/strong><br>Includes SYN attack, ACK attack, Script Flood<br><strong>Bounce traffic off other machines (reflection) and enlarge it (amplification) onto the victim host<\/strong><br>Includes DNS reflection\/amplification, NTP reflection\/amplification<br><strong>other:<\/strong><br>Includes buffer overflow attack, IGMP Nuker, Boink, Bonk, OOB, etc.<\/p>\n\n\n\n<p>refer<br>DNS attacks http:\/\/www.cc.ntu.edu.tw\/chinese\/epaper\/0028\/20140320_2808.html<br>NTP attacks http:\/\/www.ithome.com.tw\/node\/85144<\/p>\n\n\n\n<p><strong>smurf attack<\/strong><br>A huge number of ICMP echo replies flooding the target host<br>1 Generate a large amount of ICMP echo request traffic to a network broadcast address, with the source IP spoofed to the victim host<br>2 The broadcast address, at layer 
2, delivers the broadcast to every host on that subnet<br>3 The network fills with ping replies flooding the spoofed host<br>Caveat: this needs an intermediary network whose border router forwards directed broadcasts; current routers disable that by default, so the attack rarely works today<\/p>\n\n\n\n<p><strong>fraggle attack<\/strong><br>Similar to smurf, but uses UDP<br>UDP Flood DoS, also called a Fraggle attack: sends UDP broadcast packets with a forged source to the target network (classically to the echo port, UDP 7) to produce an amplified data stream<\/p>\n\n\n\n<p>PS:<br>Steps for tracing a smurf attack:<br>1 Find the IP address space of the intermediary (amplifier) network and contact its network administrators. Remember that the packets you see come from the intermediary, not from the attacker.<br>2 Ask them to record the network traffic whose destination is the victim's IP address; these are the packets with forged source addresses.<br>3 Obtain the MAC address on those forged-source packets and ask them to run show ip arp for that MAC address (on Cisco IOS).<br>4 The output shows the hop from which the forged-source packets arrived.<br>5 Find out who controls the router at that hop and notify its network administrators.<br>6 Repeat steps 2 to 5 until you reach a router directly connected to the MAC 
address you are tracing.<\/p>\n\n\n\n<p><strong>ping of death attack<\/strong><br>Sends an ICMP packet whose reassembled size exceeds 65535 bytes, the maximum IPv4 datagram length, by delivering it as fragments<br>Early systems handled such packets poorly; a host that cannot handle the packet crashes<br>ps: the success rate today is low<\/p>\n\n\n\n<p>Ping of Death: stuff a large amount of data into the Option Data of an Echo Request sent to the target host. The system cannot handle the malformed packet and crashes.<\/p>\n\n\n\n<p><strong>teardrop attack<\/strong><br>Overlapping packet fragments confuse a target system and cause it to reboot or crash<br>Sends an oversized packet that the host has to reassemble from fragments, but the fragments carry odd offset values, so the host cannot put them back together and crashes<\/p>\n\n\n\n<p>Exploits a flaw in fragment reassembly with a crafted, abnormal packet sequence<br>Exploits an IP packet reassembly flaw. When data is sent across the network, an IP packet is often split into many small fragments.<br>Each fragment has roughly the same structure as the original packet, apart from the fields that record its offset.<br>Teardrop creates IP fragments whose offsets overlap. When these fragments reach the destination and are reassembled, some systems crash: the classic case is a second fragment that ends before the first one does, so a naive length calculation goes negative.<\/p>\n\n\n\n<p><strong>Land attack<\/strong><br>Sends a specially crafted 
TCP packet to the target, which crashes because it cannot make sense of it<br>Sends a series of SYN packets to systems on the network, using IP spoofing so that the source address and port equal the destination address and port, which makes the system believe it sent the packets itself<br>When the system processes these packets it cannot reply to itself, and the system crashes.<\/p>\n\n\n\n<p><strong>syn attack<\/strong><br>Creates a high number of half-open connections<br>Floods the target machine with TCP connection requests that carry randomized source addresses and ports<br>Signature: a large number of SYN packets appearing on a network without the corresponding reply packets<br>Only SYNs are sent, so the target keeps waiting until its memory is exhausted<\/p>\n\n\n\n<p>syn flood (TCP SYN attack):<br>Abuses the three-way handshake: sends many TCP SYN packets to the target until the pending-connection table exceeds its capacity and the service stalls<br>Currently one of the most popular DoS and DDoS methods<br>Exploits a TCP protocol weakness: a large number of forged TCP connection requests exhausts the victim's resources (CPU overload or memory shortage)<br>SYN Timeout: the time the server retries before discarding an incomplete connection, roughly 30 seconds to 2 minutes<br>ps:<br>ACK 
Flood: sends a large number of ACK packets with forged IPs and ports, consuming the host's storage resources<br>SYN\/ACK Flood attack: a classic and effective DDoS method against the network services of many kinds of systems<br>TCP full-connect attack: designed to get past ordinary firewall inspection; uses a large number of complete TCP connections to make the site very slow or unreachable<\/p>\n\n\n\n<p><strong>Script Flood attack<\/strong><br>Establishes legitimate TCP connections to the server, then keeps sending queries to scripts (ASP, JSP, PHP) that consume large amounts of database resources<\/p>\n\n\n\n<p><strong>buffer overflow attack<br><\/strong>In this page's sense: flooding the target network's buffers with data traffic to reduce the bandwidth available to legitimate users (not the memory-corruption meaning of the term)<\/p>\n\n\n\n<p><strong>dos attack tools<\/strong><\/p>\n\n\n\n<p>Common ones:<br>jolt2<br>bubonic.c<br>land and latierra<br>targa<br>blast20<br>nemesystr<br>panther2<br>crazy pinger<br>some trouble<br>udp 
flood<br>fsmax<br>slowhttptest<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>DDoS (Distributed Denial of Service)<\/strong><\/h2>\n\n\n\n<p>Also called a flood attack<br>Many distributed computers carry out a DoS attack; the pattern is many-to-one, and most of them are remotely controlled<\/p>\n\n\n\n<p><strong>characteristics of ddos attacks<\/strong><br>Large scale<br>Hard to detect<br>Hard to block; once launched it is very difficult to stop<\/p>\n\n\n\n<p><strong>conduct a ddos attack, common steps<\/strong><br>1 Write a virus that sends ping packets to a target network\/website<br>2 Infect a minimum of (30,000) computers with this virus and turn them into zombies<br>3 Trigger the zombies to launch the attack by sending them wake-up signals, or have them activate on certain data<br>4 The zombies keep attacking the target server until they are disinfected<\/p>\n\n\n\n<p>Common operating models<\/p>\n\n\n\n<p><strong>agent handler 
model<\/strong><br>The attacker issues commands to a group of handlers, asking the handlers to order a group of agents to attack the victim<\/p>\n\n\n\n<p><strong>irc-based model<\/strong><br>The attacker issues commands over an IRC network, ordering a group of agents to attack the victim<\/p>\n\n\n\n<p><strong>ddos attack taxonomy<\/strong><br>By weakness attacked:<br>Protocol attack: exploits a design weakness or implementation bug in a network protocol to consume large amounts of resources, e.g. TCP SYN attack, attacks on authentication servers<br>Brute-force attack: the attacker sends more traffic than the target can process; a large number of otherwise normal connections uses up the target's capacity so that the service becomes unusable<br>By attack rate:<br>Continuous attack: generates a large volume of traffic at once to cut off the target's service; easy to detect<br>Variable-rate attack: ramps up slowly or alternates between high and low rates to delay detection<br>By attack form:<br>bandwidth depletion: the attacker targets bandwidth, choking network traffic so that users cannot reach the server<br>resource depletion: the attacker targets the host, consuming system resources so that the server cannot serve users<\/p>\n\n\n\n<p><strong>bandwidth 
depletion:<\/strong><br>flood attack: TCP, UDP, ICMP<br>amplification attack: smurf, fraggle<\/p>\n\n\n\n<p><strong>resource depletion:<\/strong><br>protocol exploit attack: TCP SYN attack, PUSH+ACK attack<br>malformed packet attack<\/p>\n\n\n\n<p><strong>Attack techniques<\/strong><\/p>\n\n\n\n<p><strong>flooding<\/strong><br>The attacker or bots send a large volume of packets to the victim<\/p>\n\n\n\n<p><strong>amplification<\/strong><br>The attacker sends one message to a destination that enlarges it<br>Common destinations:<br>broadcast address: the attacker sends one IP packet to a broadcast address, which delivers it to every device on that network, multiplying the packets<br>DNS server: the attacker sends a DNS query of roughly 60 bytes to a DNS server; the server can answer with up to 512 bytes (the classic limit; with EDNS0 a response can run to several kilobytes), multiplying the traffic<\/p>\n\n\n\n<p><strong>reflected<\/strong><br>The attacker sends a message to a target with a spoofed source IP, and the target replies to the spoofed IP<br>Common replies:<br>icmp: the attacker sends an ICMP request with a spoofed source IP to the target, which replies to the spoofed IP<br>tcp: the attacker sends a TCP SYN, etc. with a spoofed source IP to the target, which then performs the three-way handshake with the spoofed IP<br>dns: the attacker sends a DNS query with a spoofed source to the target; the DNS server returns the result to the spoofed IP<\/p>\n\n\n\n<p>ps:<br>reflective dns attack tool: ihateperl.pl<\/p>\n\n\n\n<p><strong>ddos attack 
tools<\/strong><br>Some DDoS tools use a multi-tier architecture and can control thousands of computers to launch an attack<br>Attack programs are classed as manual, semi-automatic and automatic<\/p>\n\n\n\n<p>tfn (tribal flood network): easy to use<br>tfn2k: once used to attack yahoo<br>shaft<br>trinity<br>knight<br>kaiten<br>mstream<br>trinoo<br>wintrinoo<br>t-sight<br>stacheldraht<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>reflected dos countermeasures<\/strong><\/h2>\n\n\n\n<p>Router port 179 can be blocked (TCP 179 is BGP, so only do this on interfaces where no BGP peering is expected)<br>Block spoofed IPs<\/p>\n\n\n\n<p>tools for detecting ddos attacks<br>ipgrep<br>tcpdstat<br>findoffer<\/p>\n\n\n\n<p><strong>ddos countermeasures<\/strong><br>Work backwards from the attacked target to find which border routers of the managed network the attack enters through<br>Target is a single IP: changing the IP and its DNS mapping may dodge the attack; this is the fastest and most effective option<br>Simple attack technique: find a pattern in the generated traffic; router ACLs (Access Control 
Lists) or firewall rules may then be able to block it<br>Prevention: cooperation among the groups and users on the network to set stricter network standards<\/p>\n\n\n\n<p><strong>three essential components:<\/strong><br>1<br>detect and neutralize handlers: detect where the attack comes from and find the control side<br>preventing secondary victims<br>2<br>detecting or preventing the attack<br>mitigating or stopping the attack<br>deflecting the attack<br>3<br>post attack forensics<\/p>\n\n\n\n<p><strong>detect and neutralize handlers<\/strong><br>The attacker first plants resident DDoS attack programs on many machines and then uses them to cripple hosts on the network, so a large part of defending against DDoS is for system administrators to find the hosts where these resident attack programs have been planted.<br>Tools for detecting resident attack programs:<br>ISS Internet Scanner 6.01: effectively scans for Tribe Flood Network agents and also helps find site vulnerabilities, so that the site does not become an accomplice in an attacker's DDoS.<br>RealSecure 3.2.1: detects the communication between the DDoS launching host and the attack servers, and so can stop the attacker from starting a DDoS attack.<br>find_ddos: released by NIPC (the US FBI's National Infrastructure Protection Center) 
for DDoS; lets system administrators scan their own systems to determine whether a DDoS attack program has been installed<\/p>\n\n\n\n<p><strong>preventing secondary victims:<\/strong><br>network service providers<br>individual users: install software patches, built-in defenses<\/p>\n\n\n\n<p><strong>detecting or preventing the attack:<\/strong><br>egress filtering: scanning the headers of IP packets leaving a network<br>Ingress filtering is a simple security policy that every network (ISP) should implement. At your network edge (for example every router that connects directly to the outside), add a rule that drops any packet arriving from outside whose source IP is one of your own addresses. This does not stop a DDoS aimed at you, but it keeps your network from being used in DDoS reflection attacks.<br>MIB statistics<\/p>\n\n\n\n<p><strong>mitigating or stopping the attack<\/strong><br>load balancing<br>throttling<br>drop requests<\/p>\n\n\n\n<p><strong>deflecting the attack<\/strong><br>use honeypots<br>shadow real network resources<br>study the attack<br>ps: watch the bandwidth cost<\/p>\n\n\n\n<p><strong>post attack forensics<\/strong><br>traffic pattern analysis<br>packet traceback<br>event logs<\/p>\n\n\n\n<p>test tool:<br>doshttp tool: HTTP flood DoS testing software for Windows<\/p>\n\n\n\n<p><strong>Ways to avoid SYN floods<\/strong><br>syn cookies<br>rst cookies<br>stack tweaking<\/p>\n\n\n\n<p><strong>SYN 
Cookie<\/strong><br>The best-known defense against SYN floods: a modification of the server side of the TCP three-way handshake designed specifically to resist SYN flood attacks.<br>Invented by D. J. Bernstein and Eric Schenk<br>Principle: when the TCP server receives a SYN and returns SYN+ACK, it does not allocate a dedicated data area; instead it computes a cookie value from the SYN and uses it as the initial sequence number. When the ACK arrives, the server checks the ACK's legitimacy against that cookie. Only if it is valid does it allocate the data area to handle the connection.<br>The principle is simple; in practice there are several different implementations.<br>No buffer space is reserved at first; the cookie is used to validate the client's reply, and space is reserved only after validation succeeds. The cost is a keyed hash on every SYN, and because the cookie has to fit in a 32-bit sequence number, most TCP options negotiated in the SYN (beyond a small MSS table) cannot be preserved.<\/p>\n\n\n\n<p><strong>RST Cookies<\/strong><br>Reverse confirmation: send back a bogus SYN\/ACK; a legitimate host should answer with RST, which validates it. Not compatible with Windows 95<\/p>\n\n\n\n<p><strong>Stack Tweaking<\/strong><br>A more involved approach: tuning the TCP 
protocol stack; it only raises the difficulty of the attack rather than making it impossible<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attack characteristics Attack goals Attack types by number of sources &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[39],"tags":[],"class_list":["post-407","post","type-post","status-publish","format-standard","hentry","category-concept"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/407","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=407"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/407\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=407"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=407"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=407"}],"curies":[{"name":"wp","href":"http
s:\/\/api.w.org\/{rel}","templated":true}]}}
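The ping of death, teardrop and land descriptions in the post say what a malformed packet looks like but not what a receiver must check before it trusts one. The following is an added example, not code from the original post or from any kernel: it performs the three checks a hardened IP/TCP receiver makes, on fragment and packet records constructed here (no raw sockets involved).

```python
"""Sanity checks a hardened receiver performs against the three malformed-packet
attacks described in the post: ping of death, teardrop and land.

Added example, not code from the original post or from any kernel; the
Fragment/TcpPacket records and the sample data below are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

IP_MAX_DATAGRAM = 65535   # largest total length an IPv4 datagram may have (RFC 791)


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field shared by all fragments of one datagram
    offset: int     # fragment offset in bytes (header field value * 8)
    length: int     # payload bytes carried by this fragment
    more: bool      # MF flag: True on every fragment except the last


@dataclass(frozen=True)
class TcpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Classify a fragment set before any payload is copied into a reassembly buffer.

    Returns None for a complete, well-formed datagram, otherwise a label:
      "ping-of-death": some fragment would push the datagram past 65535 bytes
      "teardrop":      a fragment starts inside the previous one (offset overlap),
                       the case where a naive `len = end - prev_end` goes negative
      "incomplete":    a hole remains or the MF flag is still set (keep waiting)
    """
    if not frags:
        return "incomplete"
    if len({f.ident for f in frags}) != 1:
        raise ValueError("fragments of different datagrams mixed together")
    ordered = sorted(frags, key=lambda x: x.offset)   # fragments may arrive out of order
    expected_next = 0
    for f in ordered:
        end = f.offset + f.length
        if end > IP_MAX_DATAGRAM:
            return "ping-of-death"
        if f.offset < expected_next:
            return "teardrop"
        if f.offset > expected_next:
            return "incomplete"
        expected_next = end
    return "incomplete" if ordered[-1].more else None


def is_land(pkt: TcpPacket) -> bool:
    """Land attack: a SYN whose source socket equals its destination socket."""
    return pkt.syn and pkt.src_ip == pkt.dst_ip and pkt.src_port == pkt.dst_port


def sample_verdicts() -> Dict[str, object]:
    """Run the checks over constructed samples (not captured traffic)."""
    normal = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, True),
              Fragment(1, 2960, 100, False)]
    out_of_order = [normal[2], normal[0], normal[1]]
    # teardrop shape: the second fragment starts at byte 24 of a 36-byte first fragment
    teardrop = [Fragment(2, 0, 36, True), Fragment(2, 24, 4, False)]
    # ping of death: a final fragment at the maximum offset (8191 * 8) pushes the
    # reassembled datagram past 65535 bytes
    pod = [Fragment(3, 0, 1480, True), Fragment(3, 8191 * 8, 16, False)]
    land = TcpPacket("10.0.0.5", 139, "10.0.0.5", 139, syn=True)
    legit = TcpPacket("192.0.2.10", 51000, "10.0.0.5", 139, syn=True)
    return {
        "normal": check_fragments(normal),
        "out_of_order": check_fragments(out_of_order),
        "teardrop": check_fragments(teardrop),
        "ping_of_death": check_fragments(pod),
        "land": is_land(land),
        "legit": is_land(legit),
    }


if __name__ == "__main__":
    for name, verdict in sample_verdicts().items():
        print(f"{name:14s} -> {verdict}")
```

The ping of death test is applied per fragment before the overlap test, so a single oversized trailing fragment is rejected even when earlier fragments have not arrived; the teardrop test rejects any overlap rather than trying to trim it, which is the conservative choice for a host that has no need to accept overlapping fragments.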
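The SYN Cookie section describes the idea (no state on SYN, a cookie as the initial sequence number, validation on the final ACK) without showing the handshake. The following added example, not code from the original post and not a port of any kernel's implementation, carries that idea through: the cookie layout (5-bit time slot, 3-bit MSS index, 24-bit truncated HMAC over the 4-tuple), the MSS table, the 64-second slot and the per-process secret are assumptions made here, and the traffic in `simulate()` is constructed.

```python
"""Stateless SYN handling with SYN cookies, the mechanism described in the post.

Added example, not code from the original post and not a port of any kernel.
Cookie layout, MSS table, slot length and secret are this example's assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

MSS_TABLE = (536, 1220, 1440, 1460)   # assumption: the only MSS values a cookie can carry
SLOT_SECONDS = 64                     # assumption: granularity of the cookie's age check
SECRET = secrets.token_bytes(32)      # assumption: fresh per process; real stacks rotate it


def _mac(key: bytes, src_ip: str, src_port: int, dst_ip: str, dst_port: int,
         slot: int, mss_idx: int) -> int:
    """24-bit keyed MAC binding the cookie to the 4-tuple, time slot and MSS index."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}|{mss_idx}".encode()
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(key, src_ip, src_port, dst_ip, dst_port, now: int, client_mss: int) -> int:
    """Build the 32-bit initial sequence number sent in SYN+ACK; nothing is stored."""
    slot = (now // SLOT_SECONDS) & 0x1F
    # largest table entry not above what the client offered (index 0 if it offered less)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac(key, src_ip, src_port, dst_ip, dst_port, slot, mss_idx)
    return (slot << 27) | (mss_idx << 24) | mac


def check_cookie(key, src_ip, src_port, dst_ip, dst_port, now: int, ack: int) -> Optional[int]:
    """Validate the final ACK of a handshake; return the encoded MSS, or None to drop it."""
    cookie = (ack - 1) & 0xFFFFFFFF          # the client acknowledges ISN + 1
    slot, mss_idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    current = (now // SLOT_SECONDS) & 0x1F
    if (current - slot) & 0x1F > 1:          # issued more than about two slots ago: stale
        return None
    if mss_idx >= len(MSS_TABLE):
        return None
    expected = _mac(key, src_ip, src_port, dst_ip, dst_port, slot, mss_idx)
    if not hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


class Listener:
    """A TCP listener that keeps no half-open state: only completed handshakes are stored."""

    def __init__(self, ip: str = "10.0.0.5", port: int = 80, key: bytes = SECRET):
        self.ip, self.port, self.key = ip, port, key
        self.established: Dict[Tuple[str, int], int] = {}   # peer -> negotiated MSS

    def on_syn(self, src_ip: str, src_port: int, client_mss: int, now: int) -> int:
        """Answer a SYN with a SYN+ACK whose ISN is the cookie; no table entry is created."""
        return make_cookie(self.key, src_ip, src_port, self.ip, self.port, now, client_mss)

    def on_ack(self, src_ip: str, src_port: int, ack: int, now: int) -> bool:
        """Accept the connection only if the ACK carries a valid cookie for this peer."""
        mss = check_cookie(self.key, src_ip, src_port, self.ip, self.port, now, ack)
        if mss is None:
            return False
        self.established[(src_ip, src_port)] = mss
        return True


def simulate(spoofed_syns: int = 5000, now: int = 1_700_000_000) -> Dict[str, object]:
    """Flood the listener with spoofed SYNs that never complete, then run real, forged and
    replayed handshakes (constructed traffic). The flood leaves no state behind."""
    srv = Listener()
    for i in range(spoofed_syns):             # randomized sources, nobody will answer
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + (i * 7919) % 60000, 1460, now)
    isn = srv.on_syn("198.51.100.7", 40000, 1460, now)
    real = srv.on_ack("198.51.100.7", 40000, isn + 1, now + 1)
    forged = srv.on_ack("198.51.100.8", 40001, 0x12345678 + 1, now + 1)         # guessed ISN
    stale = srv.on_ack("198.51.100.7", 40000, isn + 1, now + 3 * SLOT_SECONDS)  # replayed late
    return {"real_accepted": real, "forged_accepted": forged, "stale_accepted": stale,
            "established": len(srv.established),
            "mss": srv.established.get(("198.51.100.7", 40000))}


if __name__ == "__main__":
    print(simulate())
```

Note the trade-off the post mentions: the whole server-side handshake state has to survive inside 32 bits, so only the MSS (via a 2-bit table index here) comes back on the ACK, and every SYN costs one HMAC computation whether or not it is genuine.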
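The post gives the SYN flood signature ("a large number of SYN packets ... without the corresponding reply packets") and describes reflection and amplification, but not how either shows up in a capture. The following added example, not code from the original post or from any IDS, implements both detections over packet records constructed inline to stand in for a capture; the thresholds in `syn_flood_alerts` and the reflector port list are assumptions.

```python
"""Detection logic for two signatures from the post: SYNs that never complete a
handshake (SYN flood) and unsolicited replies from amplifier services (reflection).

Added example, not code from the original post or any IDS. Packet records and the
sample traffic are constructed here; thresholds and the reflector ports are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, int]


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags as tcpdump letters: "S", "SA", "A"
    length: int = 0     # bytes on the wire


REFLECTOR_PORTS = {53: "dns", 123: "ntp", 19: "chargen", 7: "echo"}   # assumption


def tcp_handshake_stats(pkts: List[Pkt]) -> Dict[Listener, Dict[str, int]]:
    """Per listener: SYNs received, handshakes completed by a final ACK, half-open
    remainder and distinct sources. The first ACK from a pending source completes it."""
    pending: Dict[Listener, Set[Tuple[str, int]]] = defaultdict(set)
    syns: Dict[Listener, int] = defaultdict(int)
    done: Dict[Listener, int] = defaultdict(int)
    sources: Dict[Listener, Set[str]] = defaultdict(set)
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.proto != "tcp":
            continue
        key = (p.dst, p.dport)
        if p.flags == "S":
            syns[key] += 1
            sources[key].add(p.src)
            pending[key].add((p.src, p.sport))
        elif p.flags == "A" and (p.src, p.sport) in pending[key]:
            pending[key].discard((p.src, p.sport))
            done[key] += 1
    return {k: {"syn": syns[k], "completed": done[k],
                "half_open": len(pending[k]), "sources": len(sources[k])} for k in syns}


def syn_flood_alerts(stats, min_half_open: int = 100, min_ratio: float = 0.9) -> List[Listener]:
    """Listeners where almost every SYN stayed half-open (assumed thresholds)."""
    return [k for k, s in stats.items()
            if s["half_open"] >= min_half_open and s["half_open"] / s["syn"] >= min_ratio]


def unsolicited_reflection(pkts: List[Pkt]) -> Dict[str, Dict[str, int]]:
    """Per destination host: UDP replies from amplifier ports with no preceding request,
    i.e. traffic a reflector sent because someone spoofed this host's address."""
    asked: Set[Tuple[str, int, str, int]] = set()   # (client, cport, server, sport)
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for p in sorted(pkts, key=lambda x: x.ts):
        if p.proto != "udp":
            continue
        if p.dport in REFLECTOR_PORTS:
            asked.add((p.src, p.sport, p.dst, p.dport))
        elif p.sport in REFLECTOR_PORTS and (p.dst, p.dport, p.src, p.sport) not in asked:
            h = hits[p.dst]
            h["packets"] += 1
            h["bytes"] += p.length
            h["reflectors"].add(p.src)
    return {d: {"packets": h["packets"], "bytes": h["bytes"], "reflectors": len(h["reflectors"])}
            for d, h in hits.items()}


def build_sample() -> List[Pkt]:
    """Constructed traffic: three real handshakes, one legitimate DNS lookup, a 500-SYN
    flood from spoofed sources, and 200 unsolicited DNS replies from 20 open resolvers."""
    pk: List[Pkt] = []
    t = 0.0
    for i in range(3):
        c = f"192.0.2.{10 + i}"
        pk += [Pkt(t, "tcp", c, 50000 + i, "10.0.0.5", 80, "S", 60),
               Pkt(t + 0.01, "tcp", "10.0.0.5", 80, c, 50000 + i, "SA", 60),
               Pkt(t + 0.02, "tcp", c, 50000 + i, "10.0.0.5", 80, "A", 52)]
        t += 0.1
    pk += [Pkt(t, "udp", "10.0.0.5", 33000, "198.51.100.53", 53, "", 60),
           Pkt(t + 0.02, "udp", "198.51.100.53", 53, "10.0.0.5", 33000, "", 300)]
    t += 0.1
    for i in range(500):
        pk.append(Pkt(t + i * 0.001, "tcp", f"203.0.113.{i % 254 + 1}", 1024 + i,
                      "10.0.0.5", 80, "S", 60))
    t += 1.0
    for i in range(200):
        pk.append(Pkt(t + i * 0.001, "udp", f"192.0.2.{100 + i % 20}", 53,
                      "10.0.0.5", 33001, "", 3000))
    return pk


def analyze(pkts: List[Pkt]) -> Dict[str, object]:
    stats = tcp_handshake_stats(pkts)
    return {"syn_flood": syn_flood_alerts(stats), "reflection": unsolicited_reflection(pkts)}


if __name__ == "__main__":
    print(analyze(build_sample()))
```

The reflection detector is written from the victim's vantage point: the 60-byte query / 300-byte reply in the sample is ignored because the host asked for it, while the 3000-byte replies it never requested are counted, which is exactly the asymmetry the amplification section describes.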
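The countermeasures section recommends ingress/egress filtering and router ACLs but leaves the rule itself implicit. The following added example, not code from the original post or from any vendor, models source-address validation at a border interface (BCP 38 style) and renders the equivalent inbound IOS access list; the interface model, the prefixes, the bogon list and the ACL number are assumptions made here for illustration.

```python
"""Source-address validation at a network edge, the ingress/egress filtering the
post's countermeasures describe (BCP 38 style).

Added example, not the post's own code or any vendor's: interface model, prefixes,
bogon list and ACL number are assumptions for illustration.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# assumption: source ranges that should never arrive from the public Internet
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


class EdgeFilter:
    """Decides, for a border interface, whether a packet's source address is plausible."""

    def __init__(self, internal_prefixes: Iterable[str]):
        self.internal = [ipaddress.ip_network(p) for p in internal_prefixes]

    def is_internal(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in self.internal)

    def decide(self, direction: str, src: str) -> Tuple[str, str]:
        """direction: "in" = arriving from the Internet, "out" = leaving towards it.
        Returns ("accept" or "drop", reason)."""
        addr = ipaddress.ip_address(src)
        if direction == "in":
            if self.is_internal(src):
                return "drop", "ingress: packet from outside claims an internal source"
            if any(addr in b for b in BOGONS):
                return "drop", "ingress: bogon source"
            return "accept", ""
        if direction == "out":
            if not self.is_internal(src):
                return "drop", "egress: spoofed source would leave our network"
            return "accept", ""
        raise ValueError(f"unknown direction {direction!r}")

    def cisco_ingress_acl(self, number: int = 101) -> List[str]:
        """Equivalent IOS extended ACL for the inbound side of the Internet-facing
        interface (classic access-list syntax; wildcard masks are inverted netmasks)."""
        lines = [f"access-list {number} deny ip {n.network_address} {n.hostmask} any"
                 for n in self.internal + BOGONS]
        lines.append(f"access-list {number} permit ip any any")
        return lines


def filter_batch(edge: EdgeFilter, packets: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Apply the filter to (direction, source) pairs and tally verdicts and reasons."""
    counts = {"accept": 0, "drop": 0}
    reasons: Dict[str, int] = {}
    for direction, src in packets:
        verdict, reason = edge.decide(direction, src)
        counts[verdict] += 1
        if reason:
            reasons[reason] = reasons.get(reason, 0) + 1
    return {"counts": counts, "reasons": reasons}


# constructed sample: our network is 198.51.100.0/24 (documentation range)
SAMPLE = [
    ("out", "198.51.100.7"),   # our host talking to the Internet
    ("out", "203.0.113.9"),    # a bot inside spoofing a victim's address for a reflection run
    ("in", "203.0.113.9"),     # ordinary inbound packet
    ("in", "198.51.100.7"),    # spoofed to look like one of ours
    ("in", "10.1.2.3"),        # private source arriving from the Internet
]


if __name__ == "__main__":
    edge = EdgeFilter(["198.51.100.0/24"])
    print(filter_batch(edge, SAMPLE))
    print("\n".join(edge.cisco_ingress_acl()))
```

The egress rule is the one that stops your own network from being the launch point for smurf, fraggle or DNS reflection traffic; the ingress rule protects you from the mirror image, and neither does anything against a flood whose sources are genuine.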