Friday, 11 November 2011

Analysis of network overload attacks

In an overload attack, a shared resource or service is made to handle so many requests that it can no longer serve requests arriving from other users. For example, if one user spawns a large number of processes, other users cannot run their own. If one user consumes a large amount of disk space, other users cannot create new files. An effective way to protect a system against overload attacks is to partition the computer's resources and confine each user's usage to his or her own share. In addition, the system can be made to check automatically for overload, or be restarted.

1. Process overload problems

The simplest denial of service attack is the process attack. In a process attack, one user prevents other users from using the computer at the same time. Process attacks usually occur on shared computers; if nobody is competing with you for the machine, there is no reason to use this kind of attack. The attack has little effect on current UNIX systems, because they limit the number of processes that any UID (except 0) may use. This limit is called MAXUPROC. It is set in the kernel when the system is built, and some systems allow the value to be set at boot time.

For example, Solaris allows this value to be set in the /etc/system file:

    set MAXUPROC=100

A user who mounts this kind of attack uses up his own allowance of processes, not anyone else's. The superuser can use the ps command to see how many descendants a process has, and the kill command to kill the useless ones. Sometimes the processes cannot be killed one by one, because the remaining processes spawn new ones. A good approach is to first stop the processes with the kill command and then kill them. It is also possible to kill a whole group of processes at once. In many cases the processes a user has generated all belong to the same group. To find the process group, use the -j option of the ps command, then kill all of its processes in one go.
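The triage described above, as an added example that is not part of the original post: it counts processes per user and reports each heavy user's largest process group, so the whole group can be stopped and then killed. The function name, the threshold and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input lines are "USER PGID PID", as printed by:
#   ps -e -o user= -o pgid= -o pid=

# Constructed sample standing in for live ps output.
sample_ps() {
cat <<'EOF'
root 1 1
alice 410 410
alice 410 411
mallory 900 900
mallory 900 901
mallory 900 902
mallory 900 903
mallory 950 950
EOF
}

# busiest_groups LIMIT
# Prints "USER TOTAL PGID GROUPSIZE" for every non-root user owning at
# least LIMIT processes, naming that user's largest process group.
# root is skipped because the per-UID limit does not apply to UID 0.
busiest_groups() {
    awk -v limit="$1" '
        $1 != "root" {
            total[$1]++
            key = $1 SUBSEP $2
            grp[key]++
            if (grp[key] > best[$1]) { best[$1] = grp[key]; bestpg[$1] = $2 }
        }
        END {
            for (u in total)
                if (total[u] >= limit)
                    print u, total[u], bestpg[u], best[u]
        }' | sort
}

# Live use:  ps -e -o user= -o pgid= -o pid= | busiest_groups 50
# Response for a reported PGID: stop the group first so its members
# cannot spawn replacements, then kill it:
#   kill -s STOP -- -PGID
#   kill -s KILL -- -PGID
```
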

On current UNIX systems, a user with superuser privileges can still bring the system down with a process attack, because there is no limit on the number of processes the superuser may use. But a superuser can also shut the system down or run any other command, so this is not a major concern. The exception is when a program run by the superuser runs to an extreme; then nobody can get a process, not even to log in. There are other situations that can overload the system. Even if no single user has reached his own maximum number of processes, so many users may be using the computer that the system reaches its overall maximum number of processes. Another possibility is a configuration error in which the number of processes allowed to a single user is equal to or greater than the maximum the system allows. When the system has too many processes, there is no better remedy than rebooting. The reasons are these: the ps command cannot be run to decide which processes to kill, because running ps itself requires creating a process. If the administrator is not currently logged in as superuser, su and login cannot be used either, because both commands also create a new process. In this situation, exec can be used:

    % exec /bin/su
    Password:
    #

Take care not to mistype the password, and do not run exec ps: the program will run, but when it finishes you are automatically logged out.

If the system becomes saturated because of too many processes, you are forced to reboot. The simplest method is to press the RESET button on the case. However, this can damage file blocks on disk, because the system has not had time to flush its data to disk. Few systems are designed to carry out the work of a normal shutdown when they are switched off abruptly. A better approach is to kill some processes and then enter single-user mode.

On modern UNIX systems, the superuser can send a SIGTERM signal to every process except system processes and his own:

    # kill -TERM -1

If the UNIX in use does not support this, run the following command to send a SIGTERM signal to the init process:

    # kill -TERM 1

UNIX then kills all processes automatically and enters single-user mode. At that point you can run the sync command and then reboot the system.


2. System overload attacks

Another common process-based attack is for one user to spawn many processes that consume a large amount of CPU time. This reduces the CPU time available to other users. For example, a user who runs ten find commands searching for files across a number of directories can slow the system to a crawl.

The better remedy is to educate users to share the system sensibly and to encourage them to use the nice command to lower the priority of processes running in the background. The at and batch commands can also be used to schedule long jobs for times when the system is not busy. Measures can be taken against users who do this deliberately or repeatedly.

If the system is overloaded, log in as root and set your own priority to a high value. Then use the ps command to examine the running processes, and use the kill command.

3. Disk attacks

This attack works by filling up disk space: one user fills the disk with a large number of files, so that other users cannot create files or do other useful work.

Disk full attacks

The du command shows how the space on the system's disk partitions is being used. du searches a directory tree recursively and lists how many blocks each directory uses. The find command can also be used to list the names of large files: its -size option lists files larger than a given size.

The quot command summarises file system usage per user. With the -f option, quot prints the number of files and the number of blocks used by each user.

The UNIX file system uses inodes to store information about files. One way to make a disk unusable is to consume all of its free inodes so that no new files can be created. A user might, for example, create thousands of empty files. This is a confusing problem, because the df command reports plenty of free space, yet creating a file fails with a no-space error. The reason is that every new file, directory, pipe, FIFO or socket needs an inode structure to describe it. Once the available inodes are used up, the system cannot create new files even though it still has free disk space.

The -i option of the df command shows how many inodes are free. A common defence against disk full attacks is to divide the disk into smaller partitions and place different users' home directories on different partitions. That way, if one partition fills up, other users are not affected.
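A check for the confusing case described above, where blocks are free but inodes are not, as an added example that is not part of the original post. It assumes the column layout GNU df prints for `df -P` and `df -Pi` and mount points without spaces; the function name, threshold and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads `df -P` output followed by `df -Pi` output on
# stdin and reports file systems whose inode usage is at or above LIMIT
# percent, alongside their block usage.

# Constructed samples standing in for live df output.
sample_df_blocks() {
cat <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/sda1 20000000 6000000 14000000 30% /
/dev/sda2 50000000 9000000 41000000 18% /home
EOF
}
sample_df_inodes() {
cat <<'EOF'
Filesystem Inodes IUsed IFree IUse% Mounted on
/dev/sda1 1300000 200000 1100000 16% /
/dev/sda2 3200000 3199000 1000 100% /home
EOF
}

# inode_pressure LIMIT
inode_pressure() {
    awk -v limit="$1" '
        # Each header line tells us which of the two listings follows.
        $1 == "Filesystem" { mode = ($2 == "Inodes") ? "inode" : "block"; next }
        # Remember block usage per mount point ("30%" + 0 gives 30).
        mode == "block" { blk[$6] = $5 + 0 }
        # Report mounts that are short of inodes, whatever the block usage.
        mode == "inode" && $5 + 0 >= limit {
            printf "%s inodes=%d%% blocks=%d%% free_inodes=%d\n", $6, $5 + 0, blk[$6], $4
        }'
}

# Live use:  { df -P; df -Pi; } | inode_pressure 90
```

A line such as `/home inodes=100% blocks=18%` is the signature of inode exhaustion: plenty of space, but no new files can be created.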

Another effective measure is the quota system found on many modern UNIX systems, which protects the system against this kind of attack. With the disk quota system, the number of inodes and the number of disk blocks available to each user can be fixed.

Preventing denial of service attacks

Many modern UNIX systems let the administrator set limits, such as the maximum amount of memory that can be used, the maximum CPU time, and the maximum size of file that can be created. These limits are useful if you are developing a new program and do not want to accidentally make the system very slow or unusable for the other users who share the host. The ulimit command in the Korn shell and the limit command in the C shell list the resource limits of the current process.
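One way to apply such limits to a program under development, as an added example that is not part of the original post. The function name `run_limited` is hypothetical; it sets a CPU-time and a file-size limit in a subshell so that only the launched command is affected.

```shell
#!/bin/sh
# Added example. run_limited CPU_SECONDS FILE_BLOCKS COMMAND [ARGS...]
# Runs COMMAND with a CPU-time limit and a maximum file size. The limits
# are set inside a subshell, so the calling shell keeps its own limits.
run_limited() {
    cpu=$1
    fblocks=$2
    shift 2
    (
        ulimit -t "$cpu"       # CPU seconds before the kernel stops the process
        ulimit -f "$fblocks"   # largest file it may write, in shell blocks
                               # (512 or 1024 bytes each, depending on the shell)
        exec "$@"              # replace the subshell with the command
    )
}

# Constructed demonstration: try to write 64 KiB under an 8-block limit.
# The write is cut off by the kernel and the command exits non-zero.
demo_file_limit() {
    f=$(mktemp)
    run_limited 2 8 dd if=/dev/zero of="$f" bs=1024 count=64 2>/dev/null
    status=$?
    size=$(wc -c < "$f")
    rm -f "$f"
    echo "status=$status size=$size"
}

# Listing the limits currently in force for this shell:
#   ulimit -a
```

Because limits are inherited by child processes, everything the command spawns is held to the same limits.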
