
Saturday, 12 November 2011

The Hacker's Ultimate Weapon: A Survey of DDoS Techniques

Tuesday, May 22, was just another ordinary day at the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. On that day, CERT, regarded as the elder statesman of computer security, would be knocked off the network by a hacker "distributed denial of service" (DDoS) attack.

By 2001, even the security of the founding father of the network security community was in jeopardy. If CERT can be attacked, you cannot escape either.

You can do a little to help prevent DDoS attacks on the Internet and, at the same time, make yourself less vulnerable to network attack. But if someone really wants to use a DDoS attack to cripple your server, they can do it. Microsoft, Yahoo and Exodus have all fallen victim to DDoS in the past 12 months; you or your customers could be the next target.

The nature of the beast

"Denial of service" attacks are just what their name says: they stop your server from delivering the services you provide. An attacker can achieve this in many ways. For example, the Outlook e-mail worm Melissa and its kind can be regarded as agents of DoS attacks, because they drive Outlook clients to send the server an unending stream of worm-laden messages until the server collapses under the load.

This is an important point. People usually think of a DoS attack as clogging network bandwidth with useless traffic. That is certainly one kind of DoS attack, but attacks that instead exhaust server resources succeed just as well. It means that a successful DoS attack is possible even over a slow modem connection, as long as it is aimed at server resources. To really protect a network, both the network itself and the servers on it must be fully armed.

For enterprise users, firewalls and software such as Zone Labs' ZoneAlarm Pro can help. In addition, several companies, such as Asta Networks and Mazu Networks, currently offer enterprise-level protection against DDoS attacks.

Asta's Vantage system uses a technique similar to anti-virus software: it looks for the various signs of a possible DDoS attack. It continuously compares packets on the network against known DDoS packet patterns, which include non-standard traffic flowing to domain name servers (DNS). When it spots a possible attack, Vantage alerts the network administrator, who can then use router filters, or even shut down the network server while the traffic is in transit, to stop the attack.

Mazu Networks' TrafficMaster Inspector, designed for DDoS, continuously inspects traffic at gigabit Ethernet speeds and traces the source of the data back as far as possible. Simply put, Mazu aims to detect network attacks in real time and then let normal packets through while blocking the DDoS packets. This kind of network-level protection makes it suitable for ISPs and data-center servers.

Typically, DoS attacks target the TCP/IP inner layers of your network. These attacks fall into three types: the first exploits weaknesses in a given TCP/IP protocol stack implementation; the second exploits flaws in the TCP/IP protocols themselves; the third is brute-force attack by relentless repetition.

Breaking TCP/IP

A classic example of an attack that exploits weaknesses in TCP/IP protocol software is the Ping of Death. The specific method: your adversary creates an IP packet that exceeds the IP standard's maximum length of 65,535 bytes. When this "bloated" packet arrives, it crashes a server running vulnerable TCP/IP software and operating system.

All modern operating systems and protocol software are immune to the Ping of Death, but older Unix systems may still be vulnerable.

Another example of attacking shoddy TCP/IP software is Teardrop, which exploits a flaw in the way the system reassembles IP packets. On its way from the other end of the Internet to you, a packet may be split into smaller datagrams. Each of these datagrams carries the original IP datagram's header, together with an offset field that indicates which bytes of the original datagram it holds. With this information, a normally fragmented datagram can be reassembled at its destination, and the network keeps running without interruption. When a Teardrop attack begins, your server is bombarded with IP fragments whose offset fields overlap. If your server or router cannot discard these packets and tries to reassemble them instead, your server soon crashes. If your system is kept up to date, or you have a firewall that can block Teardrop packets, you should have no trouble.
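The two reassembly checks the last two sections describe (the Ping of Death's oversized datagram and Teardrop's overlapping offsets) are what a firewall or host stack applies before it reassembles a fragment set. The following is an added example written for this page, not code from the article or from any product it names. Offsets and lengths are given in bytes (the real IPv4 fragment-offset field counts 8-byte units, so multiply it by 8 first), the 20-byte header is an assumed minimal IPv4 header, and the three fragment sets are constructed rather than captured traffic.

```python
"""Sanity checks on an IPv4 fragment set before reassembly.

Added example, not from the article. Offsets and lengths are in bytes;
the fragment sets at the bottom are constructed for illustration.
"""
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535  # largest legal IPv4 datagram, header included, in bytes
IP_HEADER_LEN = 20       # assumed minimal IPv4 header for the size check


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload within the original datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # the IP "more fragments" flag


def check_fragments(frags):
    """Return the reasons this fragment set must be dropped (empty list if it is sane)."""
    problems = []
    if not frags:
        return ["no fragments"]

    # Ping of Death pattern: the reassembled datagram would exceed the IP maximum.
    reassembled = IP_HEADER_LEN + max(f.offset + f.length for f in frags)
    if reassembled > IP_MAX_DATAGRAM:
        problems.append(f"reassembled size {reassembled} exceeds {IP_MAX_DATAGRAM}")

    # Teardrop pattern: a fragment's payload starts before the previous one ends.
    prev_end = 0
    for f in sorted(frags, key=lambda f: f.offset):
        if f.length <= 0:
            problems.append(f"fragment at offset {f.offset} has non-positive length")
        if f.offset < prev_end:
            problems.append(
                f"fragment at offset {f.offset} overlaps previous fragment ending at {prev_end}")
        prev_end = max(prev_end, f.offset + f.length)
    return problems


# Constructed fragment sets: a normal 3-fragment datagram, a Teardrop-style
# overlap, and a set that would reassemble past 65,535 bytes.
NORMAL = [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 500, False)]
TEARDROP = [Fragment(0, 36, True), Fragment(24, 36, False)]
OVERSIZED = [Fragment(0, 65000, True), Fragment(65000, 1000, False)]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP), ("oversized", OVERSIZED)):
        print(name, "->", check_fragments(frags) or "ok")
```

A stack that applies these checks drops the whole fragment set instead of reassembling it, which is the behaviour the text says patched systems and fragment-aware firewalls already have.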

There are also many ways to attack by exploiting flaws in the TCP/IP protocols themselves. The most popular of these is the SYN attack. SYN attacks work by exploiting the protocol handshake between two Internet programs. The handshake goes like this: one application sends the other a TCP SYN (synchronize) packet. The target program then replies with a TCP SYN-ACK packet; finally the first program confirms receipt with an ACK packet. Once the two programs have completed the handshake, they are ready to work together.

A SYN attack floods its victim with a pile of TCP SYN packets. Each SYN packet forces the target server to generate a SYN-ACK reply and then wait for the corresponding ACK. This quickly causes an excess of SYN-ACKs to pile up one after another in the backlog queue. Once the queue is full, the system stops responding to incoming SYN requests.

If the SYN attack includes SYN packets with forged IP source addresses, things get worse quickly. In that case, when the SYN-ACK is sent out, the ACK reply never arrives. The rapidly filling queue means that legitimate programs' SYN requests can no longer get through.

Worse still, the similar Land attack uses a spoofed SYN packet carrying a forged IP address that makes it look as though it came from your own network. Now the SYN attack appears to originate inside your firewall, which makes the problem even more serious.

Most current operating systems and firewalls can block SYN attacks. Another simple way to stop SYN attacks is to block all packets with known-bad IP source addresses. These should include external packets that wrongly carry IP addresses reserved for internal use: the ranges 10.0.0.0 to 10.255.255.255, 127.0.0.0 to 127.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255.
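The ingress filter just described and the half-open connection symptom from the SYN-attack paragraphs above can be checked together over a packet log. The following is an added example written for this page, not code from the article or from any product it mentions. The packet records, the per-source threshold and OUR_PREFIX are assumptions (the prefix is a documentation range standing in for a site's own public block); in practice the same fields would come from a packet capture or a router's flow export.

```python
"""SYN-flood and spoofed-source checks over a constructed packet log.

Added example, not taken from the article. SAMPLE_PACKETS, the threshold and
OUR_PREFIX are assumptions.
"""
import ipaddress
from collections import defaultdict

# Ranges the article says should never be the source of a packet arriving
# from outside: the three private blocks plus loopback.
RESERVED_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Our own public prefix (assumed). An outside packet claiming this as its
# source is the Land-attack pattern, so it is rejected as well.
OUR_PREFIX = ipaddress.ip_network("203.0.113.0/24")


def ingress_allowed(src):
    """True if a packet arriving from outside with source `src` may enter."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in RESERVED_SOURCES):
        return False
    if addr in OUR_PREFIX:
        return False
    return True


def half_open_by_source(packets):
    """Count handshakes each client started (SYN) but never completed (ACK).

    `packets` is an iterable of (source_ip, flags) for packets arriving at
    the server, with flags one of "SYN", "SYN-ACK" or "ACK". A plain SYN opens
    a half-open entry for that source; a plain ACK from the same source closes one.
    """
    pending = defaultdict(int)
    for src, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            pending[src] += 1
        elif "ACK" in flags and "SYN" not in flags and pending[src] > 0:
            pending[src] -= 1
    return dict(pending)


def triage(packets, threshold=50):
    """Apply the ingress filter first, then flag sources whose half-open
    count reaches `threshold`. Returns a dict suitable for logging or alerting."""
    dropped = sorted({src for src, _ in packets if not ingress_allowed(src)})
    accepted = [(src, flags) for src, flags in packets if ingress_allowed(src)]
    pending = half_open_by_source(accepted)
    floods = sorted(src for src, n in pending.items() if n >= threshold)
    return {"dropped_sources": dropped, "half_open": pending, "flood_sources": floods}


# Constructed sample: one well-behaved client that completes three handshakes,
# one source sending 120 SYNs with no ACKs, and two spoofed sources.
SAMPLE_PACKETS = (
    [("198.51.100.7", "SYN"), ("198.51.100.7", "ACK")] * 3
    + [("198.51.100.66", "SYN")] * 120
    + [("10.3.3.3", "SYN"), ("203.0.113.9", "SYN")]
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

Dropping reserved sources at the border removes only the clumsiest spoofing; a flood that forges routable addresses still shows up as a growing half-open count, which is why the two checks are combined rather than relied on separately.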

Brute force

But when your enemy can easily knock your system down, why bother hiding? Smurf attacks and User Datagram Protocol (UDP) floods use exactly this approach.

When you are under a Smurf attack, the attacker floods your router with Internet Control Message Protocol (ICMP) echo packets, a special kind of ping packet, whose destination IP address is your broadcast address. That makes your router broadcast the ICMP packets to every host on the network. Obviously, on a large network this generates enormous traffic. And, as with the Land attack, if the hacker combines the Smurf attack with spoofing, the damage is even greater.

A simple way to avoid Smurf attacks is to disable the broadcast address on the router and configure your firewall to filter ICMP echo traffic. You can also configure your server so that it does not respond to requests that send ICMP packets to IP broadcast addresses. These settings will not affect the normal operation of your network, because very few applications use IP broadcast.

DoS attacks that use the UDP flood method are not so easy to deal with, because some legitimate applications, RealVideo for example, also use UDP. In a UDP flood, the attacker forges a request that connects one system's UDP character-generation (chargen) test service to another system's UDP echo service. The chargen service is a testing program that produces characters in response to the packets it receives. As a result, the pseudo-random characters generated by chargen bounce endlessly between the two systems, so that the bandwidth needs of legitimate applications go unmet.

One way to prevent UDP attacks is to disable or filter all UDP service requests to the host. As long as you allow UDP traffic that is not a service request through, ordinary applications that use UDP, or that use UDP as a fallback transport, will keep working normally.
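The two mitigations above (refusing ICMP echo requests aimed at a broadcast address, and filtering the UDP service-to-service loop while leaving other UDP alone) amount to two rules in a border filter. The following is an added example written for this page, not code from the article or any product it names. LOCAL_SUBNETS and the sample packets are constructed; the port numbers are the standard ones for echo (7) and chargen (19), and ICMP type 8 is an echo request.

```python
"""Border filter rules for the Smurf and UDP echo/chargen loop patterns.

Added example, not from the article. LOCAL_SUBNETS and SAMPLE_PACKETS are
constructed for illustration.
"""
import ipaddress

# Subnets behind this router (assumed). Their directed-broadcast addresses are
# what a Smurf attack aims at; the limited broadcast address is added too.
LOCAL_SUBNETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
BROADCAST_TARGETS = {net.broadcast_address for net in LOCAL_SUBNETS}
BROADCAST_TARGETS.add(ipaddress.ip_address("255.255.255.255"))

ICMP_ECHO_REQUEST = 8
UDP_SMALL_SERVICES = {7, 19}  # echo and chargen, the pair a UDP loop bounces between


def drop_reason(pkt):
    """Return why `pkt` is dropped, or None if it should be forwarded.

    `pkt` is a dict with "proto", "src" and "dst"; ICMP packets also carry
    "type", UDP packets carry "sport" and "dport".
    """
    dst = ipaddress.ip_address(pkt["dst"])
    if pkt["proto"] == "icmp" and pkt.get("type") == ICMP_ECHO_REQUEST and dst in BROADCAST_TARGETS:
        return "icmp echo request to a broadcast address (Smurf amplification)"
    if (pkt["proto"] == "udp"
            and pkt["sport"] in UDP_SMALL_SERVICES
            and pkt["dport"] in UDP_SMALL_SERVICES):
        # Only service-to-service UDP is refused; a query to port 53 from a high
        # port, or a RealVideo stream, does not match this rule.
        return "udp small-service loop (echo/chargen)"
    return None


def filter_packets(packets):
    """Split packets into (forwarded, dropped) where dropped pairs each packet with its reason."""
    forwarded, dropped = [], []
    for pkt in packets:
        reason = drop_reason(pkt)
        if reason is None:
            forwarded.append(pkt)
        else:
            dropped.append((pkt, reason))
    return forwarded, dropped


# Constructed packets: a Smurf trigger, an ordinary ping, a chargen-to-echo
# loop, a normal DNS query and an echo-to-echo loop.
SAMPLE_PACKETS = [
    {"proto": "icmp", "type": 8, "src": "192.0.2.10", "dst": "203.0.113.255"},
    {"proto": "icmp", "type": 8, "src": "192.0.2.10", "dst": "203.0.113.10"},
    {"proto": "udp", "src": "192.0.2.20", "sport": 19, "dst": "203.0.113.5", "dport": 7},
    {"proto": "udp", "src": "192.0.2.30", "sport": 40000, "dst": "203.0.113.53", "dport": 53},
    {"proto": "udp", "src": "192.0.2.40", "sport": 7, "dst": "198.51.100.9", "dport": 7},
]

if __name__ == "__main__":
    kept, dropped = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded {len(kept)}, dropped {len(dropped)}")
    for pkt, reason in dropped:
        print(f"  {pkt['src']} -> {pkt['dst']}: {reason}")
```

Keying the UDP rule on both ports being small services is what keeps the filter from breaking the legitimate UDP applications the text warns about.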

With these defensive methods, you might think that dealing with DoS attacks is as easy as eating a sausage. You are wrong. Because launching a DDoS attack is so easy, anyone with ill intent can marshal dozens or even hundreds of computers to launch DoS attacks against your system.

The sheer number of computers taking part in the attack is enough to overwhelm your fortress and fill your network with junk traffic. Using tools such as Tribe Flood Network (TFN), Trin00 or Stacheldraht, anyone can plant DDoS "zombies" in unsuspecting systems. The attacker then sends out the target information and the attack command, and the DDoS arrives in an instant.

These attack methods, invented between 1997 and 1999, are easy to detect. Newer DDoS attacks, however, use "pulsing zombies". Rather than brute force, this technique sends small-bandwidth bursts of data in waves, so that they slip past network alarms set up to catch intensive attacks.

How to cope with the harsh reality

DDoS attacks can only increase. As the Internet grows, more users will get broadband access, giving hackers more systems to exploit. Adding fuel to the fire, Microsoft has positioned its Windows XP operating system as the next-generation operating system for most consumers, and Windows XP will support "raw" TCP/IP sockets. Normally, programmers write programs using sockets tied to their function; a socket is a software object that connects an application to TCP/IP.

TCP/IP also defines a socket type called SOCK_RAW. Not all operating systems support it, but Unix and Windows XP do. With raw sockets, a programmer can write code that talks to any TCP/IP socket. For anyone skilled at programming outside the TCP/IP standards, raw sockets make it possible to write illicit applications such as DDoS zombies, because they let programmers use widely popular sockets in unanticipated ways. For example, raw sockets could be used to write DDoS attack programs that receive their instructions over socket 80, the socket chosen for the Web's Hypertext Transfer Protocol.

Although Windows 2000, Unix and its descendants, Linux and BSD, also support raw sockets, those systems are looked after by experts with enough skill. Even if those users cannot make their systems run properly, they at least know how to lock them down. XP, on the other hand, will be in the hands of someone who has just brought it home from the computer mall; it is far less likely to be run by an expert administrator who will hunt down new DDoS agents.

For this reason, Steve Gibson of Gibson Research predicts that the current explosive growth of DDoS attacks (Gibson estimates 4,000 per week) will accelerate sharply. In theory, this would slow the Internet itself under hundreds or thousands of DDoS attacks.

Besides protecting your own systems from DDoS zombies and the attacks described above, you should also encourage anyone with a broadband Internet connection to install a basic firewall. ZDNet's download site has a long list of personal firewalls that are easy to use and provide basic protection.

Zone Labs' ZoneAlarm is the software experts recommend for novice users who want to know what is really happening on their network connection. After installing ZoneAlarm on a friend's DSL-connected PC, we found two, not one, DDoS zombies waiting to strike. We also noticed that someone tried to break into his system every day. If you have a broadband connection, security is not merely a good idea; it is a necessity.

How much defense is enough? Only time and experience will tell, but if you do not act now to protect yourself from DDoS attacks, you not only risk losing your network connection; you yourself may become part of the network security problem. (To be continued)
