
Thursday, 10 November 2011

Distributed DoS attacks pose a serious threat (Other)

Affected programs:
Any host

Description:
Distributed DoS attacks (DDoS) threaten the Internet

Details:
A new form of attack that appeared in July has drawn attention. It is called a distributed DoS (Distributed Denial of Service) attack. Several high-performance commercial and educational networks abroad have suffered such attacks. It uses hosts that the attacker has already broken into and controls (possibly hundreds of them) to attack a single machine. Given the huge disparity in bandwidth, the attacked host quickly stops responding. This form of attack has proven to be very effective and very difficult to withstand.
It is relatively difficult for an ordinary person to carry out these attacks, because the attacker must be familiar with a number of intrusion techniques. Two known tools that have appeared on some hacker sites can help carry out such an attack: trin00 and Tribe Flood Network. Installing and using the source packages is fairly involved, because whoever builds them must first find vulnerable hosts on the Internet, obtain control of those systems through typical and effective remote overflow exploits, and then install and run the agent-side attack daemon on those machines. The structure of trin00 is briefly introduced below:
trin00 consists of three parts:
1. The client
2. The master
3. The agents ("broadcast"), i.e. the attack daemons
------------------------------------
1. The client can be an ordinary connection program such as telnet; its role is to send commands to the master. It connects to the master on port 27665 and then sends the master an attack request against the target host.
2. The master listens on two ports. Port 27655 receives attack commands; this session requires a password, and the default password is "betaalmostdone". When the master starts it also displays a prompt, "??", and waits for a password; that password is "gOrave". The other port is 31335, which waits for UDP packets from the agents.
In July the master machines were:
129.237.122.40
207.228.116.19
209.74.175.130

3. The agents are the part that carries out the attack. An agent is installed on a machine the attacker already controls, and the master's IP address is compiled into the agent before it is built. Agents communicate with the master using UDP packets sent to the master's port 31355, containing the bytes "*HELLO*". The master sends the target host's information to the agents over UDP port 27444, and the agents then launch the flood attack.

Communication ports along the path attacker -> master -> agents -> target host:
Attacker to master(s): 27665/tcp
Master to agents: 27444/udp
Agents to master(s): 31335/udp

The DoS packets sent from the agents to the victim host are all UDP packets, each containing 4 null bytes. They are all sent from a single source port but hit random, differing ports on the target host. The target host replies to every packet with an ICMP Port Unreachable message; with these floods of packets arriving endlessly from a large number of different hosts, the target host quickly slows down until its remaining bandwidth drops to zero.

Solution:
There are several ways to detect this attack, but because its main purpose is to consume the host's bandwidth, it is hard to withstand. Dynamic IDS products need to be developed to help deal with it. The IDS detection method is: analyse a series of UDP packets and look for UDP packets that target different destination ports but come from the same source port. Alternatively, take roughly 10 UDP packets and analyse those that come from the same source IP, go to the same destination IP and use the same source port, but have different destination ports. This makes it possible to identify the sources of the attack one by one. Another method is to look for ICMP Port Unreachable messages that have the same source address and the same destination address.
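As an added example, not part of the original advisory, the following Python implements the two detection heuristics from the solution section (same source IP, destination IP and source port but many destination ports; repeated ICMP Port Unreachable between the same pair) together with a check against the control-channel ports from the port table above, run over constructed packet records. The Packet record shape, the thresholds and the sample addresses are assumptions made here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Minimal packet record (a hypothetical shape, not any real capture library's)."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    sport: int            # 0 for ICMP
    dst: str
    dport: int            # 0 for ICMP
    length: int = 0       # payload bytes; the advisory says agent packets carry 4 null bytes
    icmp_type: int = -1   # ICMP type/code; 3/3 is Port Unreachable
    icmp_code: int = -1

# Control-channel ports from the advisory's port table.
TRIN00_CONTROL_PORTS = {("tcp", 27665), ("udp", 27444), ("udp", 31335)}

def find_udp_flood_sources(packets, min_ports=10):
    """First heuristic: one (src, sport, dst) triple hitting many distinct dst ports.
    The advisory suggests looking at about 10 packets; the threshold here is an assumption."""
    dports = defaultdict(set)
    for p in packets:
        if p.proto == "udp":
            dports[(p.src, p.sport, p.dst)].add(p.dport)
    return sorted(k for k, v in dports.items() if len(v) >= min_ports)

def find_port_unreachable_floods(packets, min_packets=10):
    """Second heuristic: repeated ICMP Port Unreachable with the same src and dst,
    i.e. the victim (src) answering a flood from one agent (dst)."""
    c = Counter((p.src, p.dst) for p in packets
                if p.proto == "icmp" and (p.icmp_type, p.icmp_code) == (3, 3))
    return sorted(k for k, n in c.items() if n >= min_packets)

def find_control_traffic(packets):
    """Flows whose destination port matches a trin00 control port."""
    return sorted({(p.src, p.dst, p.proto, p.dport) for p in packets
                   if (p.proto, p.dport) in TRIN00_CONTROL_PORTS})

# Constructed sample traffic (not a real capture): an agent flooding a victim from one
# source port, the victim's ICMP replies, a benign DNS client, and one client->master login.
SAMPLE = (
    [Packet("udp", "10.0.0.5", 40000, "192.0.2.10", 1000 + i, length=4) for i in range(12)]
    + [Packet("icmp", "192.0.2.10", 0, "10.0.0.5", 0, icmp_type=3, icmp_code=3) for _ in range(12)]
    + [Packet("udp", "10.0.0.7", 50000 + i, "192.0.2.53", 53, length=40) for i in range(12)]
    + [Packet("tcp", "198.51.100.9", 51234, "10.0.0.1", 27665)]
)
```

The benign DNS client is not flagged because each of its packets uses a fresh source port and a single destination port, which is exactly the distinction the advisory's heuristic relies on.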



Additional information:
On 17 August 1999 trin00 was used to attack the University of Minnesota in the United States; at that time the tool had control of at least 227 hosts, 114 of which were Internet2 hosts. Attack packets streamed from these hosts to the University of Minnesota's servers, severely crippling its network. Its structure is as follows:
