
Thursday, 10 November 2011

A new DoS attack method

Author: Robert Keyes
Compiled and translated by: bigshrimp

A new kind of DoS attack has recently appeared; attacks of this type are generally referred to as NAPTHA. NAPTHA exploits the fact that both the operating system's TCP/IP stack and the network application must commit resources to track every TCP connection they hold.
If a large number of TCP connections are established in a short time and never torn down, but instead held in some particular state, the program listening on the attacked port, or the operating system as a whole, quickly consumes large amounts of system resources and grinds to a halt. Earlier attacks on TCP usually exploited weaknesses in the three-way handshake (SYN flooding); anyone who tried to exhaust a target by completing a large number of real connections would probably exhaust their own resources first. Spoofed source addresses cannot complete a real connection, and completing real connections costs the attacking machine roughly the same resources as the victim, so an attack of that kind makes little sense. NAPTHA uses a few tricks to establish a large number of connections quickly while tying up very few resources on the attacker's own machine, and that is what makes this attack practical.

NAPTHA is a very effective example of exhausting system resources by holding TCP connections in a given state. It does not use the conventional network APIs to establish TCP connections. Unlike a real TCP/IP stack it keeps no per-port state: it only transmits, and replies to, packets carrying the appropriate flags, so it can quickly build tens of thousands of connections on the victim while consuming very few resources on the attacking machine. This makes it easy to expose and exploit weaknesses in how a particular service, or the operating system itself, handles TCP connections on the target.
Here are a few examples:

- Novell NetWare 5.0 SP1: after 3000 connections were opened to port 524, all 64 MB of memory was exhausted and CPU load reached 100%. Twelve hours after the attack stopped, the server still had not reset the connections or recovered the memory.

- FreeBSD 4.0-RELEASE: after 495 connections were opened to the SSH port, the system ground to a halt. Because each connection spawned its own process instance, the system's file handles were used up quickly and the kernel reported "too many open files in system". About 30 minutes later the connections began to be reset and the system started to recover.

- Windows 2000 appears not to be affected.

Recommendations:
Unfortunately, many systems are affected by NAPTHA attacks to varying degrees. Here are a few small suggestions concerning system configuration:

1. Limit the services you run, especially those that are susceptible to NAPTHA.
2. On Unix systems, limit the system resources that processes spawned by inetd may consume.
3. Adjust the kernel's default TCP connection parameters. The commands below first read the current values and then tighten them on a Linux 2.2-era kernel: the idle time before the first keepalive probe drops from 7200 seconds (two hours) to 30, and a peer that fails to answer 2 probes is dropped. Two caveats: tcp_max_ka_probes does not exist on later kernels, which use tcp_keepalive_intvl to control the spacing between probes instead, and the kernel only sends keepalive probes on sockets for which the application has set SO_KEEPALIVE, so these settings do nothing for a service that never opts in.
# cat /proc/sys/net/ipv4/tcp_keepalive_time
7200
# cat /proc/sys/net/ipv4/tcp_keepalive_probes
9
# cat /proc/sys/net/ipv4/tcp_max_ka_probes
5
# echo 30 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 2 > /proc/sys/net/ipv4/tcp_keepalive_probes
# echo 100 > /proc/sys/net/ipv4/tcp_max_ka_probes
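The kernel tuning above only takes effect for sockets that opt in to keepalive, and keepalive by itself only proves that the peer still answers: a NAPTHA-style peer that keeps acknowledging probes holds its slot indefinitely. The following is an added example, not code from the advisory or from its author, showing what the service itself should do: enable keepalive per socket, cap connections per source address, and close any connection that has sent no application data within an idle limit. The echo server, the idle limit of 0.3 seconds, the per-source cap of 3 and the loopback demo are all illustrative choices for this example; the per-source cap only helps while the attacker cannot spread connections across many source addresses.

```python
import selectors
import socket
import threading
import time
from collections import defaultdict

# Added example (not from the advisory). Service-side defence against
# connection-holding attacks: keepalive opt-in, per-source cap, idle reaper.
# Limits and timeouts below are illustrative values chosen for this example.


def enable_keepalive(sock, idle=30, interval=10, count=2):
    """Opt this socket in to keepalive. TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT
    are Linux per-socket overrides; where absent, the kernel defaults apply."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    for name, value in (("TCP_KEEPIDLE", idle), ("TCP_KEEPINTVL", interval), ("TCP_KEEPCNT", count)):
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), value)


class ConnectionPolicy:
    """Pure bookkeeping (no sockets) so the admission and reaping rules can be
    tested in isolation. Keepalive only shows the peer answers; this enforces
    that the peer actually sends application data within idle_limit seconds."""

    def __init__(self, idle_limit, per_source_limit):
        self.idle_limit = idle_limit
        self.per_source_limit = per_source_limit
        self.last_data = {}               # conn_id -> time of last application data
        self.source_of = {}               # conn_id -> source address
        self.per_source = defaultdict(int)

    def admit(self, conn_id, source, now):
        """Register a new connection; False means refuse it (source at quota)."""
        if self.per_source[source] >= self.per_source_limit:
            return False
        self.per_source[source] += 1
        self.source_of[conn_id] = source
        self.last_data[conn_id] = now
        return True

    def activity(self, conn_id, now):
        self.last_data[conn_id] = now

    def release(self, conn_id):
        source = self.source_of.pop(conn_id)
        del self.last_data[conn_id]
        self.per_source[source] -= 1
        if self.per_source[source] == 0:
            del self.per_source[source]

    def expired(self, now):
        """Connections with no application data for idle_limit seconds or more."""
        return [cid for cid, t in self.last_data.items() if now - t >= self.idle_limit]


def serve(listener, policy, stop):
    """Echo server: refuse over-quota sources at accept, reap idle connections each tick."""
    sel = selectors.DefaultSelector()
    listener.setblocking(False)
    sel.register(listener, selectors.EVENT_READ)
    conns = {}                            # conn_id (fd at accept) -> socket

    def drop(cid):
        sock = conns.pop(cid)
        sel.unregister(sock)
        policy.release(cid)
        sock.close()

    while not stop.is_set():
        for key, _ in sel.select(timeout=0.05):
            if key.fileobj is listener:
                sock, (src, _port) = listener.accept()
                if not policy.admit(sock.fileno(), src, time.monotonic()):
                    sock.close()          # over quota: refuse without holding state
                    continue
                enable_keepalive(sock)
                sock.setblocking(False)
                conns[sock.fileno()] = sock
                sel.register(sock, selectors.EVENT_READ)
            else:
                try:
                    data = key.fileobj.recv(4096)
                except OSError:
                    data = b""
                if data:
                    policy.activity(key.fd, time.monotonic())
                    key.fileobj.sendall(data)
                else:
                    drop(key.fd)
        for cid in policy.expired(time.monotonic()):
            drop(cid)
    for cid in list(conns):
        drop(cid)


def demo(idle_limit=0.3, per_source_limit=3, clients=5):
    """Loopback run: open clients that never send data and return how many the
    server closed. All come from 127.0.0.1, so two are refused at accept and
    the other three are reaped once idle_limit passes; expect all five closed."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    policy = ConnectionPolicy(idle_limit, per_source_limit)
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(listener, policy, stop), daemon=True)
    worker.start()
    socks = [socket.create_connection(listener.getsockname(), timeout=2) for _ in range(clients)]
    time.sleep(idle_limit * 3)
    closed = sum(1 for s in socks if s.recv(1) == b"")   # EOF means the server dropped it
    stop.set()
    worker.join()
    for s in socks:
        s.close()
    listener.close()
    return closed


if __name__ == "__main__":
    print("idle connections closed by the server:", demo())
```

The policy object is kept free of sockets so the reaping and quota logic can be unit-tested without a network; `serve` is the thin event loop that applies it, and `demo` exercises the whole thing on loopback.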

6. The following fingerprint can be used to detect this attack with an IDS.

IP:
TOS = Low Delay
ID = 413
TCP:
FLAGS = SYN
SEQ ID = 6060842
WINDOW = 512
Add the following Naptha rule to Snort (http://www.snort.org):
alert tcp any any <> any any (flags:S; seq: 6060842; id: 413; msg: "NAPTHA DoS Attack";)
These values are fixed constants of the published tool, which is exactly why it leaves such a clean fingerprint; an attacker who changes them will not trip this rule, so treat it as a signature for the stock tool and also watch for the underlying symptom, a large number of established connections from one host that never carry any application data.
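As an added example (not code from the advisory, its author, or the Snort project), the fingerprint above expressed as a small detector over raw IPv4/TCP headers: the parser pulls the TOS, IP ID, flags, sequence number and window out of a packet, matches all five values, and counts hits per source and destination port. The sample packets are constructed inline with zeroed checksums purely as test input; the addresses and ports in them are made up.

```python
import struct
from collections import Counter

# Added example, not part of the advisory: match the NAPTHA fingerprint on raw
# IPv4+TCP headers (no link layer). Checksums are ignored; the SAMPLE packets
# at the bottom are constructed here as test input, not captured traffic.

NAPTHA_TOS = 0x10        # IP TOS "low delay"
NAPTHA_IP_ID = 413
NAPTHA_SEQ = 6060842
NAPTHA_WINDOW = 512
TCP_SYN = 0x02
TCP_FLAG_MASK = 0x1FF    # low 9 bits of the TCP offset/flags word


def parse_ipv4_tcp(packet):
    """Return the header fields the fingerprint needs. IPv4 options are
    honoured via IHL. Raises ValueError for anything that is not IPv4/TCP."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, _tlen, ip_id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if proto != 6:
        raise ValueError("not TCP")
    ihl = (ver_ihl & 0x0F) * 4
    if len(packet) < ihl + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, _ack, off_flags, window, _tcsum, _urg = struct.unpack(
        "!HHIIHHHH", packet[ihl:ihl + 20])
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "tos": tos, "ip_id": ip_id, "sport": sport, "dport": dport,
        "seq": seq, "flags": off_flags & TCP_FLAG_MASK, "window": window,
    }


def is_naptha_syn(fields):
    """True when every field of the published fingerprint matches. The Snort
    rule keys only on SYN + seq + IP ID; TOS and window are checked here as
    well to cut false positives from ordinary traffic."""
    return (fields["flags"] == TCP_SYN
            and fields["seq"] == NAPTHA_SEQ
            and fields["ip_id"] == NAPTHA_IP_ID
            and fields["tos"] == NAPTHA_TOS
            and fields["window"] == NAPTHA_WINDOW)


def scan(packets):
    """Count fingerprint hits per (source, destination port). Malformed or
    non-TCP packets are skipped so junk on the wire cannot crash the detector."""
    hits = Counter()
    for pkt in packets:
        try:
            fields = parse_ipv4_tcp(pkt)
        except ValueError:
            continue
        if is_naptha_syn(fields):
            hits[(fields["src"], fields["dport"])] += 1
    return hits


def build_syn(src, dst, sport, dport, tos=0, ip_id=0, seq=0, window=65535):
    """Build a minimal IPv4+TCP SYN with zeroed checksums for feeding the
    parser offline. This is test input, not something to put on the wire."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | TCP_SYN, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), ip_id, 0, 64, 6, 0, src_b, dst_b)
    return ip + tcp


# Constructed sample: three fingerprint SYNs to port 22 from one host, one
# ordinary SYN to port 80, and a truncated fragment that must be skipped.
SAMPLE = [build_syn("10.0.0.7", "10.0.0.2", p, 22, tos=NAPTHA_TOS, ip_id=NAPTHA_IP_ID,
                    seq=NAPTHA_SEQ, window=NAPTHA_WINDOW) for p in (40000, 40001, 40002)]
SAMPLE.append(build_syn("10.0.0.9", "10.0.0.2", 51000, 80, ip_id=7321, seq=123456789))
SAMPLE.append(b"\x45" + b"\x00" * 5)

if __name__ == "__main__":
    for (src, dport), n in scan(SAMPLE).items():
        print(f"NAPTHA fingerprint from {src} to port {dport}: {n} SYNs")
```

To run this against real traffic, feed `scan` the IP payloads of captured frames (strip the Ethernet header first); anything that is not IPv4/TCP is ignored rather than raising.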
