IT小虾 posted on 2011-12-23 01:58

Discovered a new DDoS attack method


A DDoS attack uses a group of controlled machines to attack a single machine; an attack that arrives with such force is hard to defend against and is therefore highly destructive. I hope this article helps readers understand DDoS attacks better.

Below is a brief description of how an attacker can trade 64-byte ACK packets for retransmissions of 1518-byte packets from the server. If the source IP can be spoofed successfully, the attacker theoretically obtains a bandwidth amplification of more than 20 times. With two target websites, this method kills two birds with one stone.

Attack principle: exploit TCP's fast retransmit mechanism, which is triggered by received ACKs, against a normal TCP/IP stack (the diagram of the attack against a normal TCP/IP stack is not reproduced here). When we receive the HTTP response, we immediately reply with an ACK packet whose seq value is the ack number carried in the HTTP response packet, and whose ack number is the seq value of the HTTP response packet.

When the server receives this ACK, it concludes that the HTTP response it just sent was lost in the network and retransmits it using fast retransmit. If we keep sending ACK packets as fast as we can, the server keeps retransmitting. An ACK packet needs only 64 bytes, whereas an HTTP response is usually around 512 bytes and can be as long as 1518 bytes. Because sequence numbers in a normal TCP implementation are unpredictable, we expose our real IP in this attack.

The attack targets a server protected by an anti-DDoS appliance that uses static SYN cookies. A static SYN cookie computes the seq value of the SYN-ACK reply from the client's SYN packet alone and judges the connection's legitimacy when the ACK comes back. This method is widely used by anti-DDoS vendors and has earned a considerable number of national invention patents. You will often hear people from anti-DDoS vendors say their appliances are far "tougher" than firewalls, easily reaching 100 Mbps line-rate SYN defense, while a 100 Mbps firewall can be taken down by 30 Mbps of attack traffic. For vendors who talk like this, I would bet that 80% of their appliances use this SYN cookie algorithm.

The advantage of the SYN cookie algorithm is that it consumes CPU only during a SYN flood, which suits the powerful general-purpose x86 CPUs well.

Readers may wonder why firewalls do not adopt such a mature technique and instead let anti-DDoS vendors needle them all day. There are several reasons: 1: Firewalls also use SYN cookies for SYN flood defense, but mostly not static ones; they strictly record connection state and use dynamic SYN cookies, so during a SYN flood they consume not only CPU but also a lot of memory. This is why, as I mentioned at the beginning of this article, this method can attack most anti-DDoS vendors but only a minority of firewall vendors.

2: SYN cookie/SYN proxy is part of the BSD kernel source; the latest Linux 2.6 kernel still does not include SYN proxy. So anti-DDoS appliances are mostly built on BSD. Of course, BSD is open source, so porting is not a big problem.

3: Firewalls are mostly based on netfilter, the open-source Linux framework, but netfilter's hash algorithm and connection-table design are not very good, and that is exactly where the firewall's forwarding bottleneck lies. Adding SYN proxy entries on top would further reduce packet-processing capacity or inflate the connection table. High-end firewalls mostly support millions of connections; those million entries already give the firewall plenty to chew on, and adding a SYN proxy entry on top would make performance collapse, wouldn't it?

4: One very important network function of a firewall is DNAT. Before DNAT is performed, the firewall does not know whether a SYN packet's final destination is itself or a server in the DMZ, so a SYN packet must go through DNAT before the firewall knows whether it needs SYN cookie protection. By then the packet has already entered the netfilter processing framework, and performance naturally cannot keep up. How many anti-DDoS appliances have you seen that support NAT? If they did, their performance would drop considerably too. If the firewall works in bridge mode and bypasses the netfilter framework, it can transform itself into a high-performance anti-DDoS appliance: with no features at all, it is naturally unburdened. Heh... but you bought a firewall; would you really waste it that way?

Back to the topic. Against an anti-DDoS appliance that uses static SYN cookies, we only need to replay one ACK packet to achieve the effect of a completed three-way handshake with the server, so the source IP address can be spoofed. (The spoofed source IP is one you used before, which has communicated with the anti-DDoS appliance and whose packets you saved; now you simply replay them. If you don't follow what I'm saying, see my article "Technical review of domestic anti-DDoS vendors" and analyze a packet capture.) The second step is to send a normal HTTP request, followed by a large volume of bogus ACKs requesting retransmission.
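The static SYN cookie described above (computed from the SYN alone, validated when the ACK returns) is exactly what makes the replay in this paragraph possible, so here is the defender's side of it. The following is an added example, not code from the original post or from any vendor's appliance: a simplified model of a SYN cookie that mixes a time bucket into the cookie, in the spirit of the time counter used by Linux SYN cookies but not its exact algorithm. SECRET, BUCKET_SECONDS, the addresses and all function names are assumptions. The static flavour accepts a captured ACK forever; the time-bound flavour stops accepting it once its bucket has aged out.

```python
import hashlib
import hmac
import struct

# Constructed demo secret; a real stack generates this randomly at boot.
SECRET = b"constructed-demo-secret-do-not-reuse"
# Assumed lifetime of one cookie time bucket, in seconds.
BUCKET_SECONDS = 60
MASK32 = 0xFFFFFFFF


def _mac24(client_ip, client_port, server_ip, server_port, client_isn, bucket):
    """24-bit HMAC over the 4-tuple, the client's ISN and a time bucket.

    bucket=None gives the 'static' flavour: no time component at all.
    """
    msg = b"|".join([
        client_ip.encode(), struct.pack("!H", client_port),
        server_ip.encode(), struct.pack("!H", server_port),
        struct.pack("!I", client_isn & MASK32),
        b"static" if bucket is None else struct.pack("!Q", bucket),
    ])
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_static_cookie(client_ip, client_port, server_ip, server_port, client_isn):
    """Static SYN cookie: a pure function of the SYN, so it never expires."""
    return _mac24(client_ip, client_port, server_ip, server_port, client_isn, None)


def make_cookie(client_ip, client_port, server_ip, server_port, client_isn, now):
    """Time-bound SYN cookie used as the server ISN in the SYN-ACK.

    32-bit layout: top 8 bits = time bucket mod 256, low 24 bits = MAC.
    (A real implementation also encodes the negotiated MSS; omitted here.)
    """
    bucket = int(now // BUCKET_SECONDS)
    mac = _mac24(client_ip, client_port, server_ip, server_port, client_isn, bucket)
    return ((bucket & 0xFF) << 24) | mac


def check_cookie(client_ip, client_port, server_ip, server_port, client_isn,
                 cookie, now, max_age_buckets=1):
    """Accept only the current bucket and max_age_buckets older ones."""
    current = int(now // BUCKET_SECONDS)
    cookie_bucket = cookie >> 24
    cookie_mac = (cookie & 0xFFFFFF).to_bytes(3, "big")
    for age in range(max_age_buckets + 1):
        b = current - age
        expected = _mac24(client_ip, client_port, server_ip, server_port,
                          client_isn, b).to_bytes(3, "big")
        if (b & 0xFF) == cookie_bucket and hmac.compare_digest(cookie_mac, expected):
            return True
    return False


def accept_ack(client_ip, client_port, server_ip, server_port, seg_seq, seg_ack, now):
    """Validate the third handshake packet: seq = client ISN + 1, ack = cookie + 1."""
    client_isn = (seg_seq - 1) & MASK32
    cookie = (seg_ack - 1) & MASK32
    return check_cookie(client_ip, client_port, server_ip, server_port,
                        client_isn, cookie, now)


def accept_ack_static(client_ip, client_port, server_ip, server_port, seg_seq, seg_ack):
    """Same check for the static flavour; note there is no time input at all."""
    client_isn = (seg_seq - 1) & MASK32
    cookie = (seg_ack - 1) & MASK32
    expected = make_static_cookie(client_ip, client_port, server_ip, server_port, client_isn)
    return cookie == expected


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:80
    flow = ("198.51.100.7", 40000, "203.0.113.10", 80)
    t0, client_isn = 1_700_000_000.0, 12345
    srv_isn = make_cookie(*flow, client_isn, t0)
    static_isn = make_static_cookie(*flow, client_isn)
    for delay in (1, 50, 100, 3600):
        print(f"time-bound, replayed after {delay:>4}s:",
              accept_ack(*flow, client_isn + 1, srv_isn + 1, t0 + delay))
    print("static, replayed after 3600s:",
          accept_ack_static(*flow, client_isn + 1, static_isn + 1))
```

With a 60-second bucket and one bucket of slack, a captured ACK remains valid for at most about two minutes; the static cookie has no such bound, which is the property the post relies on. Bounding the window limits replay rather than eliminating it, since the cookie is bound to the client's ISN and 4-tuple that the replayed packet already carries.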

Heaven knows who is using the source IP we spoofed; they become collateral victims. You might think victim server B would reply with an RST to victim server A. That is possible, but if a "stateful inspection" firewall sits in front of server B, it will simply drop the reflected HTTP response packet.

What makes this idea valuable: 1. It uses a single legitimate connection to attack the server's downstream bandwidth, and today's "stateful inspection" devices may not detect it. 2. The application on the target server cannot perceive the attack, so it evades defenses based on application-layer traffic statistics, because retransmission is a TCP feature handled automatically by TCP; retransmitted packets are transparent to the application layer.

3. For now this is just an idea, and it is not limited to TCP. UDP with a retransmission mechanism added can also provide reliable communication, and since such protocols are developed independently by individuals or companies, their vulnerabilities will be bigger than TCP's.

4. DRDoS's bandwidth amplification is only about 6 times, and it consumes upstream bandwidth.

5. The real threat is not now, but in the effect against "long fat pipes". The wider the target's downstream bandwidth, the more pronounced the attack. TCP disables fragmentation, so the size of a retransmitted packet depends on the smallest MTU of any device between you and the server, which is why the length field in the IP header of the TCP packets you see never exceeds 1518. But in a "long fat pipe", the IP header length field can reach the maximum of 65535, and a retransmission attack against such packets achieves an astonishing 1:1024 amplification.

1M against 1G, 1G against 1T, understand? It is because of this that I put forward this idea; otherwise a 1:25 cost is still just brute force.

Attacking a well-implemented TCP is actually quite difficult: 1. See the section on Fast Retransmit/Fast Recovery in RFC 2581 for details.

2. If your ACK packets are not constructed properly, the server's stack will fall back to timeout-based retransmission rather than fast retransmit.
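The mechanism in the "attack principle" paragraphs and the fast retransmit rule from RFC 2581 referred to just above both leave a signature on the wire: the same server segment is retransmitted again and again while the client's ack number never moves past it, which is not what a single loss event looks like. The following detector is an added example, not code from the original post; it runs over a constructed trace (addresses, sizes and thresholds are assumptions) captured at the server's edge, counts duplicate ACKs as RFC 5681 defines them, counts retransmissions, and reports the retransmitted-bytes to ACK-bytes ratio per flow.

```python
from collections import defaultdict
from dataclasses import dataclass, field

SERVER = "203.0.113.10"   # constructed: the protected web server
ACK_FRAME = 64            # wire size of a pure ACK, as stated in the post
DATA_FRAME = 1514         # wire size of a full-MTU HTTP response segment


@dataclass(frozen=True)
class Seg:
    """One captured TCP segment (constructed). Field order: src, sport, dst, dport,
    seq, ack, payload bytes, bytes on the wire. SYN/FIN segments are not modelled."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: int
    frame: int


@dataclass
class FlowState:
    highest_sent_end: int = 0     # server side: seq + payload of the furthest segment sent
    last_client_ack: int = 0      # TCP.UNA as the server sees it
    max_client_ack: int = 0
    dup_acks: int = 0
    dup_ack_bytes: int = 0
    retrans_bytes: int = 0
    retrans_count: dict = field(default_factory=lambda: defaultdict(int))


def _flow_key(s):
    # Normalise both directions to (client_ip, client_port, server_ip, server_port).
    return (s.src, s.sport, s.dst, s.dport) if s.dst == SERVER else (s.dst, s.dport, s.src, s.sport)


def analyze(trace, min_dup_acks=6, min_retrans=2):
    """Per-flow duplicate-ACK / retransmission statistics with an alert flag."""
    flows = defaultdict(FlowState)
    for s in trace:
        st = flows[_flow_key(s)]
        if s.src == SERVER:
            # Data whose seq lies below the furthest byte already sent is a
            # retransmission (sequence-number wrap is ignored in this demo).
            if s.payload and s.seq < st.highest_sent_end:
                st.retrans_count[s.seq] += 1
                st.retrans_bytes += s.frame
            st.highest_sent_end = max(st.highest_sent_end, s.seq + s.payload)
        else:
            # RFC 5681 duplicate ACK: no payload, ack == TCP.UNA, and the server
            # still has unacknowledged data in flight (window check omitted).
            outstanding = st.highest_sent_end > s.ack
            if s.payload == 0 and s.ack == st.last_client_ack and outstanding:
                st.dup_acks += 1
                st.dup_ack_bytes += s.frame
            st.last_client_ack = s.ack
            st.max_client_ack = max(st.max_client_ack, s.ack)
    report = {}
    for key, st in flows.items():
        # Stuck segment: retransmitted repeatedly yet never acknowledged.
        stuck = [q for q, n in st.retrans_count.items() if n >= min_retrans and st.max_client_ack <= q]
        amp = st.retrans_bytes / st.dup_ack_bytes if st.dup_ack_bytes else 0.0
        report[key] = {
            "dup_acks": st.dup_acks,
            "retransmissions": sum(st.retrans_count.values()),
            "amplification": amp,
            "alert": st.dup_acks >= min_dup_acks and bool(stuck),
        }
    return report


def _attack_flow():
    # Constructed: request, response, then rounds of 3 dup ACKs + a retransmission.
    c = ("10.0.0.5", 40000)
    req = Seg(c[0], c[1], SERVER, 80, 1000, 5000, 100, 154)
    resp = Seg(SERVER, 80, c[0], c[1], 5000, 1100, 1460, DATA_FRAME)
    dup = Seg(c[0], c[1], SERVER, 80, 1100, 5000, 0, ACK_FRAME)  # seq = resp.ack, ack = resp.seq
    segs = [req, resp]
    for _ in range(3):
        segs += [dup] * 3 + [resp]
    return segs


def _lossy_flow():
    # Constructed: genuine loss of the first segment, recovered by one fast retransmit.
    c = ("10.0.0.6", 40001)
    req = Seg(c[0], c[1], SERVER, 80, 1000, 7000, 100, 154)
    data = [Seg(SERVER, 80, c[0], c[1], 7000 + 1460 * i, 1100, 1460, DATA_FRAME) for i in range(4)]
    dup = Seg(c[0], c[1], SERVER, 80, 1100, 7000, 0, ACK_FRAME)
    done = Seg(c[0], c[1], SERVER, 80, 1100, 7000 + 1460 * 4, 0, ACK_FRAME)
    return [req] + data + [dup] * 3 + [data[0], done]


def _clean_flow():
    c = ("10.0.0.7", 40002)
    return [Seg(c[0], c[1], SERVER, 80, 1000, 6000, 100, 154),
            Seg(SERVER, 80, c[0], c[1], 6000, 1100, 1460, DATA_FRAME),
            Seg(c[0], c[1], SERVER, 80, 1100, 7460, 0, ACK_FRAME)]


SAMPLE_TRACE = _attack_flow() + _lossy_flow() + _clean_flow()

if __name__ == "__main__":
    for key, r in analyze(SAMPLE_TRACE).items():
        print(key, r)
```

On the constructed trace the flooded flow shows nine duplicate ACKs against three retransmissions and is flagged, while the lossy flow shows the normal pattern of a short dup-ACK burst followed by an advancing ack number and is not. The reported ratio is per fast-retransmit round (one 1514-byte segment for three 64-byte ACKs), which is why it comes out below the post's headline figure of one response per ACK.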

DDoS attacks are the most common attack method used by hackers; we must guard against them carefully.