DoS ATTACKS AND HOW TO PREVENT THEM (TẤN CÔNG DoS VÀ CÁCH PHÒNG CHỐNG.pdf)


    Supervisor (GVHD):

    Students (SVTH): 1. (student ID 0951150005); 2. CNG (student ID 0951150006)

    Ho Chi Minh City, day 20


    nhm

    cch phng c .

    TOPIC: DOS ATTACK

    PART I: OVERVIEW OF ATTACKS

    Page

    I. Attacks  4

    II. ... and attacks

    III. ...  7

    PART II:

    I. What is a DoS attack?  12

    II. DoS attack methods  14

    III. ...  23

    PART III: ... DOS

    I. ... DoS  27

    II. DoS protection tools

    III. DoS penetration testing  34

    PART IV: ... DOS

    PART I: OVERVIEW OF ATTACKS

    I. ATTACKS

    1. Security incidents ...

    VietNamNet was hit by a DDoS attack ...

    http://vietnamnet.vn

    "Hacktivism" rises

    Hacktivism is ...

    hacker group ...

    http://nhipsongso.tuoitre.vn/Index.aspx?ArticleID=471121&ChannelID=16
    http://nhipsongso.tuoitre.vn/Index.aspx?ArticleID=472082&ChannelID=16
    2. A company providing security solutions to the US government was attacked

    In January ...

    hbgaryfederal.com

    ...

    3. Famous DDoS attacks in history

    - ...

    - ...

    - ...

    - Return to Castle Wolfenstein, Halo, Counter-Strike

    - ...

    - ...

    - ... Visa.com

    - ...

    - ... and DDoS.


    I I. CNG

    c l php, quy

    trnh, an ninh

    C l do m c nhn cng doanh c nhn

    cc cng l

    vi m cng v tin

    tm

    tri php ti k dng v

    m cho cc

    m v tham

    cho ch ti chnh gin cng

    cc hnh dng php c

    truy vo cc v cc

    hnh lm ti nguyn v thng.

    III.

    1. "Insiders" (tay trong)

    2.

    nguy

    3.

    4.


    5.

    ess access-

    -

    6.

    7.

    8.

    spyware, virus, trojan...

    9. Email

    d

    tnh.

    10.

    hng

    11. Some ...

    -

    m.

    tr

    12. Weak points in security: technology weaknesses, configuration weaknesses and policy weaknesses.

    12.1) Technology weaknesses:

    c ,

    hardware.

    12.1.1) TCP/IP weaknesses:

    ... IP ... the protocol suite is exposed to IP spoofing, man-in-the-middle and session replay.

    12.1.2) Operating System weaknesses:

    12.1.3) Network equipment weaknesses:

    12.2) Configuration weaknesses:

    .

    : ,

    ,

    12.2.1) Unsecured user account:

    Cc

    12.2.2) System account with easily guessed password:

    . ,

    12.2.3) Misconfigured Internet services:


    g vo.

    ra

    12.2.4) Unsecured default settings in product:

    N lm cho cng

    gip ch

    12.2.5) Misconfigured Network Equipment:

    12.3) Policy weaknesses:

    I - INTRODUCTION TO DOS

    1. Concept

    A Denial of Service attack (tấn công từ chối dịch vụ) is an attack in which a computer connected to the Internet is used to attack another computer. In a DoS attack the hacker consumes resources on the server (bandwidth, CPU, ...) so that the server can no longer serve requests from other machines (normal users), and the server may quickly crash or reboot.

    2. Goals of a DoS attack

    - Try to seize the network bandwidth and flood the network, so that it can no longer provide other services to normal users.

    - Try to break the connection between two machines and block access to a service.

    - Try to block specific users from a particular service.

    - Try to block services so that nobody else can reach them.

    When a DoS attack occurs, users experience it as:

    + Disable Network - ...

    + Disable Organization - cannot ...

    + Financial Loss - financial ...

    3. Targets that attackers usually hit with a DoS attack

    As discussed above, a DoS attack takes place when the attacker exhausts resources and keeps normal users from using them; the resources usually attacked are:

    - Creating scarcity of resources: network bandwidth, memory, disk, CPU time and data structures are all targets of a DoS attack.

    - Attacking other systems that serve the computer network, such as the air-conditioning system, the power system, ..., which costs the enterprise many other resources. Imagine that the power to the web server is cut: can users still reach the server?

    - Destroying or changing configuration information.

    - Destroying the physical layer or network equipment: power supply, air conditioning, ...

    4. Signs of a DoS attack

    - Network performance is usually very slow.

    - The website cannot be used.

    - No website can be reached.

    II. DOS ATTACK METHODS

    1. Winnuke

    Figure 2.1

    This DoS attack applies to computers running Windows 9x. The hacker sends "Out of Band" packets to port 139 of the victim's computer (port 139 is the NetBIOS port, which accepts packets carrying the Out of Band flag). When the victim's computer receives these packets, a blue screen appears: the Windows driver accepts the packets but cannot handle any Out of Band data, and the machine crashes.

    2. Ping of Death


    Khi

    N

    3. Teardrop

    Figure 2.3

    As we know, packets sent over the network go through two steps: they are split into fragments, each carrying an offset value that gives its position in the original packet, and when the fragments reach the destination they are reassembled according to those offset values in the original order. In a Teardrop attack the attacker sends packets whose offset values overlap. The receiving machine cannot reassemble these packets, cannot ... and may crash or reboot; all it takes is packets whose offsets overlap!

    4. SYN Attack

    Figure 2.4: TCP three-way handshake (Client -> Server: SYN; Server -> Client: SYN/ACK; Client -> Server: ACK) and the SYN attack, in which a malicious TCP client (Attacker/Agent) sends SYN packets with a deliberately fraudulent (spoofed) source IP return address to the victim TCP server on port 80, whose SYN/ACK replies are never answered. Client ports 1024-65535, service ports 1-1023.

    In a SYN attack the hacker sends SYN packets whose source IP addresses do not exist. When these SYN packets arrive, the server replies and stores connection information for those IPs. Because the IPs do not exist, the server waits in vain and keeps these entries in memory, wasting memory that should be used for other purposes on connection information that is not real. If the attacker sends many packets with such IPs at the same time, the overload crashes or reboots the victim's computer.

    5. Land Attack

    Figure 2.5 Model of a Land Attack

    A Land attack is like a SYN attack, but instead of non-existent IPs the hacker uses the victim's own IP address. This creates an endless loop inside the victim's own machine, which keeps sending information back to itself ==> the machine hangs.

    6. Smurf Attack

    In a Smurf attack there are three parties: the hacker (who launches the attack), the amplifier network (which listens to the hacker) and the victim. The hacker sends ICMP packets to the broadcast address of the amplifier network, with the source IP of these ICMP packets set to the victim's IP address. When the packets reach the broadcast address, every computer in the amplifier network believes the victim sent the ICMP packets and all of them reply to the victim with ICMP packets. The victim cannot cope with these packets and quickly crashes or reboots. The more machines answer the ICMP packets, the more the reply traffic is multiplied ... at the victim.

    What the hackers need are routers that let broadcast packets through without ... . With such networks, the hacker carries out the Smurf attack on the ... ==> ... .

    7. Fraggle Attack

    Figure 2.7 Model ...

    ... target.

    8. UDP Flooding

    Figure 2.8

    A UDP attack needs two machines. The hacker makes ... enter a loop exchanging ... over the UDP protocol. With the source IP of the packets set to loopback (127.0.0.1), the packets are received on the UDP echo port (7); the machine receives messages from 127.0.0.1 (itself) and goes round and round. However, since ... does not allow loopback, the hacker uses the IP of some other computer on the victim's network instead and runs the UDP ... on the victim. If this does not succeed, the attacking machine itself will ... .

    9. DNS attack

    The hacker can ... the Domain Name Server ... of the victim to some website of the hacker's choosing. When a client asks the DNS to resolve a domain name into an IP, the DNS (whose cache the hacker has changed) answers with the IP the hacker chose. So instead of the web page they wanted, the victims land on a web page made by the hacker. ... attack!

    10. Distributed DoS Attacks (DDoS)

    Attacker: the attacker

    Handler: a computer ... controlled by the Attacker

    Zombie: a computer ... controlled by a Handler

    Victim: the target of the attack

    Figure 2.10 Model of a DDoS attack

    DDoS requires at least a few hackers working together. First the hackers break into poorly secured computers and install the DDoS server program on them. Then the hackers agree on a time, use the DDoS client to ... the DDoS servers, and order these DDoS servers to carry out the DDoS attack on the victim.

    11. The Distributed Reflection Denial of Service Attack (DRDoS)

    This is probably the attack that ... and reboots the victim's computer the fastest. The method is like DDoS, but instead of ... computers the attack uses ... machines through servers on the ... . By spoofing the victim's IP, the attacker sends packets to fast and well-connected servers (Yahoo, ...), and these servers send their replies to the victim. Sending packets through these servers all at once quickly overwhelms the victim's computer and crashes or reboots it. This attack ... a machine with an ordinary Internet connection ... we cannot ... . The HVA website, as we ..., was DoSed with this attack.

    Figure 2.10 Model of a DRDoS attack

    III:

    1. DoSHTTP + Sprut:

    Figure 3.1 The DoSHTTP and Sprut tools

    2. LOIC

    Figure 3.2 The LOIC tool interface

    LOIC is a denial-of-service attack application written in C#. LOIC performs a denial-of-service attack (or, when used by many individuals, a DDoS attack) on a target website by flooding its servers with TCP or UDP packets, with the intent of taking down the service of a specific server. The LOIC tool is a voluntary botnet that connects to a remote server which directs the attacks. Currently 40,000 people are connected to the botnet.

    3. UDP Flood

    Figure 3.3

    ... generates ... server.

    4. rDoS

    When using it you must be careful, otherwise your own computer will DoS itself when you turn it on ... . If you check with WireShark you will see clearly ... .

    I.

    1. Detection techniques

    1.1 Activity profiling

    ... between the clusters. ... clearly ... clusters (DDoS attack).

    1.2 Wavelet analysis

    1.3 Sequential change-point detection

    2. DoS countermeasure strategies

    Absorb the attack: use capacity to absorb the attack; this requires planning ... .

    Degrade services: identify the critical services and stop the non-critical ones.

    Shut down services: shut down all services until the attack subsides.

    3. DoS attack countermeasures

    3.1 Protect secondary victims

    Install anti-virus and anti-Trojan software and keep it updated.

    Raise awareness of security issues and techniques among all Internet users.

    Turn off unnecessary services, remove unused applications, and scan all files received from outside sources.

    Regularly update and build defences into the system hardware and software.

    3.2 Detect the attack

    Ingress filtering: protects against flooding attacks that originate from ... prefixes ... and enables tracing back to the real source.

    Egress filtering: scans the headers of IP packets leaving a network. The filter keeps unauthenticated or malicious packets from leaving for the outside network.

    TCP intercept: configure ... to counter the attack by intercepting TCP connection requests and passing only the legitimate ones.
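A defender-side check for the half-open connections that a SYN attack leaves behind (the condition described under SYN Attack above and targeted by TCP intercept), as an added example that is not part of the original report; the packet summary format, the addresses and the thresholds are constructed.

```python
# Added example, not from the report: flag a SYN flood in a constructed packet
# summary by counting three-way handshakes that the server never sees completed.
from collections import defaultdict

# Constructed sample, one packet per line: "<src>:<port> <dst>:<port> <flags>"
# (S = SYN, A = ACK). 10.0.0.5 completes its handshake; the 203.0.113.x
# sources stand in for spoofed addresses that never answer the SYN/ACK.
SAMPLE_PACKETS = """
10.0.0.5:40001 192.0.2.10:80 S
192.0.2.10:80 10.0.0.5:40001 SA
10.0.0.5:40001 192.0.2.10:80 A
203.0.113.7:1025 192.0.2.10:80 S
203.0.113.8:1026 192.0.2.10:80 S
203.0.113.9:1027 192.0.2.10:80 S
203.0.113.10:1028 192.0.2.10:80 S
192.0.2.10:80 203.0.113.7:1025 SA
192.0.2.10:80 203.0.113.8:1026 SA
192.0.2.10:80 203.0.113.9:1027 SA
192.0.2.10:80 203.0.113.10:1028 SA
"""


def handshake_stats(packet_text):
    """Return {server: (syn_count, half_open_count)}. A handshake is keyed by
    (client, server): the client's bare SYN opens it, the client's bare ACK
    completes it; whatever is still open at the end is half-open."""
    open_handshakes = set()
    syns = defaultdict(int)
    for line in packet_text.strip().splitlines():
        src, dst, flags = line.split()
        if "S" in flags and "A" not in flags:      # client -> server SYN
            open_handshakes.add((src, dst))
            syns[dst] += 1
        elif "A" in flags and "S" not in flags:    # client's final ACK
            open_handshakes.discard((src, dst))
        # the server's SYN/ACK ("SA") matches neither branch: it completes nothing
    half_open = defaultdict(int)
    for _, server in open_handshakes:
        half_open[server] += 1
    return {srv: (syns[srv], half_open[srv]) for srv in syns}


def suspected_syn_flood(packet_text, min_syns=4, max_completion=0.5):
    """Servers whose handshakes mostly never complete; thresholds are assumptions."""
    flagged = []
    for srv, (n_syn, n_half) in handshake_stats(packet_text).items():
        completed = n_syn - n_half
        if n_syn >= min_syns and completed / n_syn <= max_completion:
            flagged.append(srv)
    return flagged
```

On the constructed sample the server at 192.0.2.10:80 sees five SYNs and only one completed handshake, so it is flagged; a capture of normal traffic, where most handshakes complete, is not.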

    3.3 Deflect the attack

    Systems set up with limited security act as a lure for the attacker.

    They serve as a means to ... the attacker by keeping a record of activity, learning the type of attack and the software tools the attacker uses.

    Use a defence-in-depth approach with IPSec at different network ... diverting the flow to the honeypot.

    3.4 Mitigate the attack

    Load balancing:

    o Providers can ... on critical connections to prevent and reduce the attack.

    o Replicating servers can provide additional safety.

    o Load balancing for each server in a multi-server architecture can improve network performance ... of the DoS attack.

    Throttling (điều chỉnh):

    o Set up how routers access a server and adjust the logic ... to the number of servers handling ... .

    o The processor can ... flood damage to the server.

    o This processor can be extended to adjust the traffic flow ... legitimate traffic ... users for a result ... .

    3.5 Legal measures

    ... identify the source of the DoS attack. Although the attacker usually spoofs the source address, tracing the IP back with the immediate help of the ISP and law enforcement agencies can allow the perpetrators to be caught.

    Network analysis: the data can be analysed after the attack to look for specific attack patterns.

    DoS attack patterns can help network administrators develop filtering techniques ... .

    Using ..., the data can be updated to balance ... and adjust countermeasures.

    4. DoS protection

    4.1 ... ISP

    4.2 The IntelliGuard protection system

    IntelliGuard ... way ...

    II. DOS PROTECTION TOOLS

    1. NetFlow Analyzer

    Figure 2.1 The NetFlow Analyzer tool

    2. Some other tools

    D-Guard Anti-DDoS Firewall

    D-Guard Anti-DDoS Firewall provides the most complete and fastest DDoS protection for online businesses, media and communication services, essential public infrastructure and Internet service providers. As a professional Anti-DDoS Firewall, D-Guard can protect against most kinds of attacks, including DoS/DDoS, Super DDoS, DrDoS, fragment attacks, ..., random UDP flooding attacks, ICMP and IGMP attacks, ARP spoofing, HTTP proxy attacks, CC flooding attacks, CC proxy attacks ...

    D-Guard Anti-DDoS Firewall offers a higher-level approach to mitigating DDoS attacks, with a design that focuses on letting legitimate traffic through rather than merely removing attack traffic, handling worst-case attack scenarios without loss of performance.

    Figure 2.2.1 The D-Guard Anti-DDoS Firewall tool

    FortGuard Firewall

    FortGuard Firewall - a solution for defending against DDoS attacks with the highest accuracy and performance...

    FortGuard Firewall is a lightweight Anti-DDoS firewall with a built-in Intrusion Prevention System. It can protect your computer against DDoS attacks with the highest accuracy and performance. FortGuard Firewall can defend against SYN, TCP flooding and other kinds of DDoS attacks and ... attack packets in real time. It can ... disable/enable proxy access per application, and can ... 2000 kinds of hacker activity.

    Figure 2.2.2 The FortGuard Firewall tool

    III. DOS PENETRATION TESTING

    1. Test the web server with automated tools such as Web Application Stress (WAS) and JMeter for load capacity, server performance, locking and ... .

    2. Scan the system with automated tools to discover any system vulnerable to DoS attacks.

    3. Flood the target with connection-request packets using the tools Trin00, Tribe Flood, and TFN2K.

    4. Port-flooding attacks ... are used to keep all connection requests ... congesting the port. Use tools ... to automate port flooding.

    5. Use the tools Mail Bomber, Attache Bomber, and Advanced Mail Bomber to send a large number of emails to the target mail server.

    6. Fill in forms with arbitrary, long content to flood the website.

    PART IV: ... DOS

    1. Ping of Death Attack

    In ... we can use ping with an IP and the options -t -l ... to ping a destination continuously. If we want to open 20 Windows ping windows at once, we can combine it with the command For /L %i in (1,1,20) do start ping 192.168.1.254 -t -l 36000, which opens 20 ping windows at the same time that continuously ping the IP 192.168.1.254.

    (Wireshark capture while being flooded with ICMP by Ping of Death)

    The ICMP attack is the most basic kind of attack and very easy to carry out. Poorly configured routers are very vulnerable to it and hang quickly.

    2. Syn Flood Attack

    To carry it out, ... first determine which hosts currently have port 80 open using the Nmap tool.

    Suppose the current public IP is of the form ...; the command is nmap -sS -p 80 118.68.226.1/24. We run the scan and write the output to the file scan_adsl.txt.

    Check the contents of the file scan_adsl.txt and pick one IP to continue the lab with