Common DDoS attack tools - vulnerability warning - the black bar safety net

ID MYHACK58:6220055321
Type myhack58
Reporter 佚名 (anonymous)
Modified 2005-12-12T00:00:00


Common DDoS attack tools

Carrying out a DDoS attack is not trivial: the attacker must first be able to break into other people's computers. Unfortunately, a number of point-and-click hacker programs have appeared that complete the intrusion and install the attack program within seconds, so launching a DDoS attack has become easy. Below we analyse these common hacking programs. (The programs discussed can be downloaded from the software area of the site, www.hackervip.com/soft.)

1. Trinoo

Trinoo attacks by sending 4-byte, all-zero UDP packets to random ports on the target host. While the target is busy processing more of these junk packets than it can handle, its network performance keeps degrading until it can no longer provide normal service, or even crashes. Trinoo does not spoof IP addresses. The ports it uses for communication are:

Attacker host to master host: 27665/TCP

Master host to agent (daemon) host: 27444/UDP

Agent (daemon) host to master host: 31335/UDP
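Because Trinoo neither encrypts its control channel nor spoofs its source addresses, the three port numbers and the 4-byte zero payload above are enough to recognise it on the wire. The following script is an added example, not code from the article or from Trinoo itself: it classifies a list of packet summaries, counts the control-channel legs seen, and groups the flood datagrams by real source so the daemon hosts can be reported. The packet records are constructed sample data, and the record field names (proto, src, sport, dst, dport, payload) are this example's own convention.

```python
# Added example (not from the original article): flag Trinoo-style packets in a
# list of packet summaries. The port numbers and the 4-byte all-zero UDP
# signature come from the article; the packet records are constructed sample
# data, not a real capture, and the field names (proto, src, sport, dst,
# dport, payload) are this example's own convention.
import random
from collections import Counter

# Trinoo control channel: (protocol, destination port) -> description.
CONTROL_PORTS = {
    ("tcp", 27665): "attacker -> master (27665/TCP)",
    ("udp", 27444): "master -> daemon (27444/UDP)",
    ("udp", 31335): "daemon -> master (31335/UDP)",
}

# Payload of a Trinoo flood datagram: four zero bytes.
FLOOD_PAYLOAD = b"\x00\x00\x00\x00"


def classify_packet(pkt):
    """Return a label for a suspicious packet, or None for ordinary traffic."""
    key = (pkt["proto"], pkt["dport"])
    if key in CONTROL_PORTS:
        return "trinoo control: " + CONTROL_PORTS[key]
    if pkt["proto"] == "udp" and pkt["payload"] == FLOOD_PAYLOAD:
        return "trinoo flood datagram"
    return None


def control_channel_hits(packets):
    """Count packets per control-channel leg (finds masters and daemons)."""
    counts = Counter()
    for p in packets:
        label = classify_packet(p)
        if label and label.startswith("trinoo control"):
            counts[label] += 1
    return dict(counts)


def find_flood_sources(packets, threshold=20):
    """Group flood datagrams by (src, dst). Trinoo does not spoof its source
    address, so a source over the threshold is a real daemon host worth
    reporting to its owner. Returns {(src, dst): (datagrams, distinct dports)}."""
    hits = {}
    for p in packets:
        if classify_packet(p) == "trinoo flood datagram":
            entry = hits.setdefault((p["src"], p["dst"]), [0, set()])
            entry[0] += 1
            entry[1].add(p["dport"])
    return {k: (n, len(ports)) for k, (n, ports) in hits.items() if n >= threshold}


def constructed_sample():
    """Constructed traffic: one control exchange, a flood of 40 datagrams from
    daemon 10.0.0.5 against 192.0.2.10, and one ordinary DNS query."""
    rng = random.Random(7)  # fixed seed so the sample is repeatable
    packets = [
        dict(proto="tcp", src="198.51.100.7", sport=40000, dst="10.0.0.2",
             dport=27665, payload=b"login"),
        dict(proto="udp", src="10.0.0.2", sport=1025, dst="10.0.0.5",
             dport=27444, payload=b"command"),
        dict(proto="udp", src="10.0.0.5", sport=1026, dst="10.0.0.2",
             dport=31335, payload=b"reply"),
        dict(proto="udp", src="10.0.0.9", sport=5353, dst="10.0.0.53",
             dport=53, payload=b"\x12\x34\x01\x00" + b"\x00" * 8),
    ]
    for _ in range(40):
        dport = rng.randint(1, 65535)
        while ("udp", dport) in CONTROL_PORTS:  # keep the sample unambiguous
            dport = rng.randint(1, 65535)
        packets.append(dict(proto="udp", src="10.0.0.5",
                            sport=rng.randint(1024, 65535), dst="192.0.2.10",
                            dport=dport, payload=FLOOD_PAYLOAD))
    rng.shuffle(packets)
    return packets


if __name__ == "__main__":
    packets = constructed_sample()
    print("control channel:", control_channel_hits(packets))
    print("flood sources:", find_flood_sources(packets))
```

The distinct-port count is the useful second signal: a single source spraying tiny zero-payload datagrams across dozens of destination ports is exactly the pattern the text describes, and it separates a Trinoo daemon from a busy but legitimate UDP client talking to one port.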

2. TFN

TFN consists of two parts, a master (handler) program and an agent (daemon) program. Its main attack methods are SYN flood, ping flood, UDP flood and Smurf, and it can forge the source addresses of its packets.

3. TFN2K

TFN2K was developed from TFN. Besides TFN's features, TFN2K adds several properties: communication between the master and the agents is encrypted, and decoy packets can be mixed into the traffic, whereas TFN's ICMP communication is not encrypted. It adds the Mix and Targa3 attack methods, and the port used by the agent process can be configured.

4. Stacheldraht

Stacheldraht is also derived from TFN, so it has TFN's properties. In addition it adds encrypted communication between the master and the agents, and it forges the source addresses of its commands, which lets it get past the RFC2267 filtering on some routers. Stacheldraht has a built-in agent upgrade module that can automatically download and install the latest agent.

Although the functions of the programs above are no longer very practical today, they are the classic DDoS attack programs.

IV. DDoS detection

The number of attackers using DDoS on the Internet keeps growing; only by discovering early that we are under attack can we avoid heavy losses.

The main methods for detecting a DDoS attack are the following:

1. Analysing abnormal conditions

When network traffic suddenly increases sharply, beyond its usual limit, you should be on guard and inspect the traffic at that moment; when a particular service on the site keeps failing, pay more attention; when large numbers of ICMP and UDP packets pass through, or packet contents look suspicious, watch closely. In short, when your machine shows abnormal behaviour, it is best to analyse these conditions before they escalate.
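The two conditions in that paragraph, a rate far above the usual limit and a traffic mix dominated by ICMP and UDP, can be turned into a simple baseline check. The script below is an added example, not part of the article: it learns a packets-per-second baseline from a leading quiet window, then flags later seconds as a rate spike or as a flood mix. The per-second counters are constructed sample data, and the thresholds (k, min_ratio, flood_share) are this example's own choices that need tuning per site.

```python
# Added example (not from the original article): learn a packet-rate baseline
# from a quiet window and flag the anomalies the text describes, a sudden
# traffic spike and a traffic mix dominated by ICMP/UDP. The per-second
# counters below are constructed sample data; the thresholds are this
# example's own choices and should be tuned per site.
import statistics


def learn_baseline(samples):
    """Mean and standard deviation of packets/second over a quiet window."""
    totals = [s["total"] for s in samples]
    return statistics.mean(totals), statistics.pstdev(totals)


def detect_anomalies(samples, quiet_seconds=60, k=4.0, min_ratio=3.0, flood_share=0.8):
    """Return [(t, reason)] for seconds that leave the learned baseline.

    The first quiet_seconds samples are assumed attack-free and define the
    baseline. A second is flagged as a rate spike when its total exceeds both
    mean + k*stdev and min_ratio*mean (the second clause keeps a very flat
    baseline from firing on tiny bumps). Otherwise it is flagged as a flood
    mix when traffic is above the mean and ICMP plus UDP make up more than
    flood_share of all packets, the pattern of ping and UDP floods."""
    mean, sd = learn_baseline(samples[:quiet_seconds])
    spike_line = max(mean + k * sd, min_ratio * mean)
    alerts = []
    for s in samples[quiet_seconds:]:
        total = s["total"]
        share = (s["icmp"] + s["udp"]) / total if total else 0.0
        if total > spike_line:
            alerts.append((s["t"], f"rate spike: {total} pkt/s, baseline line {spike_line:.0f} pkt/s"))
        elif total > mean and share > flood_share:
            alerts.append((s["t"], f"flood mix: ICMP+UDP are {share:.0%} of {total} pkt/s"))
    return alerts


def constructed_counters():
    """Constructed per-second counters: 70 s of normal traffic, 10 s of an
    ICMP flood, then 5 s of a smaller UDP/ICMP flood inside moderate volume."""
    samples = []
    for t in range(70):
        total = 1000 + (t % 7) * 10
        samples.append({"t": t, "total": total, "icmp": 5, "udp": 100})
    for t in range(70, 80):
        samples.append({"t": t, "total": 8000, "icmp": 7000, "udp": 100})
    for t in range(80, 85):
        samples.append({"t": t, "total": 1500, "icmp": 600, "udp": 800})
    return samples


def summarize(alerts):
    """Count alerts by kind (the text before the colon)."""
    counts = {}
    for _, reason in alerts:
        kind = reason.split(":", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for t, reason in detect_anomalies(constructed_counters()):
        print(f"t={t:3d}s {reason}")
```

The second rule matters because a flood does not have to exceed the site's usual peak to hurt: five seconds of 1500 pkt/s that are 93% ICMP and UDP never cross the spike line, yet the mix alone is abnormal for a web server and is what the text tells you to watch for.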

2. Using DDoS detection tools

Before an attacker can build up attack power, he must first scan systems for vulnerabilities; some of the network intrusion detection systems on the market can catch this scanning behaviour. In addition, some scanner tools can find agents the attacker has planted on a system and remove them.

V. DDoS defence strategy

Because DDoS attacks are concealed, no proven complete solution against them has been found so far. We therefore need to strengthen security awareness and improve the security of our networked systems. The defensive measures that can be taken are the following:

1. Check the system early for vulnerabilities and install system patches promptly. Establish and maintain a backup mechanism for important information such as system configuration. Set the passwords of privileged accounts such as the administrator account with care. A series of measures like these reduces the attacker's opportunities to a minimum.

2. In network management, regularly check the system's physical environment and disable unnecessary network services. Establish a security perimeter and make sure outgoing packets are correctly restricted. Frequently check the system configuration and review the daily security logs.

3. Use network security devices such as firewalls to harden the network; configure their security rules to filter out all packets that could be forged.

4. A good defence is to coordinate with your network service provider and have them help you implement routing-level access control and a limit on total bandwidth.

5. When you find you are under a DDoS attack, start your response plan as soon as possible: trace the attack packets, promptly contact the ISP and the relevant emergency response organisations, analyse the affected systems to determine which other nodes are involved, and then block traffic from the known attack nodes.

6. When you are a potential DDoS victim, that is, you find that your computer is being used by an attacker as a master or as an agent, you cannot take it lightly just because your own system has not been damaged: the attacker has found a vulnerability in your system, which is a serious threat to it. So once DDoS attack software is found on the system, remove it promptly to avoid trouble later.
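Points 2 and 3 above ("make sure outgoing packets are correctly restricted", "filter out all packets that could be forged") are the RFC2267 source-address validation that the Stacheldraht section says some routers already apply. The class below is an added example, not the article's own material and not a real firewall's syntax: it writes that policy out as a decision function, with an egress rule (only our own addresses may leave), an ingress rule (nothing may enter claiming our addresses or an unroutable address), and a drop for packets whose source equals their destination, the LAND pattern used by the tool described later on this page. The prefix 203.0.113.0/24 and the packet batch are constructed examples.

```python
# Added example (not from the original article): the border filtering rule the
# text recommends, written out as a decision function. It implements RFC 2267
# style source-address validation (egress: only our own addresses may leave;
# ingress: nothing may enter claiming our addresses or an unroutable address)
# plus a drop for packets whose source equals their destination, the LAND
# pattern mentioned later on this page. The prefixes and packets below are
# constructed examples.
import ipaddress

# Address blocks that must never appear as a source on the Internet side.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


class BorderFilter:
    def __init__(self, our_prefixes):
        # our_prefixes: the blocks this site legitimately originates traffic from
        self.ours = [ipaddress.ip_network(p) for p in our_prefixes]

    def is_ours(self, addr):
        return any(addr in net for net in self.ours)

    def decide(self, direction, src, dst, sport=None, dport=None):
        """direction is "in" (from the Internet) or "out" (toward it).
        Returns (action, reason) with action "forward" or "drop"."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s == d:
            # A packet addressed to itself is never legitimate at the border.
            return "drop", f"LAND pattern: source equals destination ({s}, ports {sport}->{dport})"
        if direction == "out":
            if not self.is_ours(s):
                return "drop", f"egress: {s} is not one of our addresses"
            return "forward", "egress ok"
        if direction == "in":
            if self.is_ours(s):
                return "drop", f"ingress: {s} claims one of our addresses"
            if any(s in net for net in UNROUTABLE):
                return "drop", f"ingress: {s} is unroutable"
            return "forward", "ingress ok"
        raise ValueError("direction must be 'in' or 'out'")

    def filter_batch(self, packets):
        """Apply decide() to (direction, src, dst, sport, dport) tuples and
        return (forwarded packets, [(packet, reason) for each drop])."""
        forwarded, dropped = [], []
        for p in packets:
            action, reason = self.decide(*p)
            if action == "forward":
                forwarded.append(p)
            else:
                dropped.append((p, reason))
        return forwarded, dropped


def constructed_batch():
    """Constructed packets seen at the border of a site that owns 203.0.113.0/24."""
    return [
        ("out", "203.0.113.10", "198.51.100.5", 1025, 80),   # normal outbound
        ("out", "10.9.9.9", "198.51.100.5", 1025, 80),       # forged private source leaving
        ("out", "198.51.100.77", "192.0.2.1", 1025, 80),     # forged foreign source leaving
        ("in", "198.51.100.5", "203.0.113.10", 80, 1025),    # normal inbound
        ("in", "203.0.113.44", "203.0.113.10", 1234, 80),    # inbound claiming our prefix
        ("in", "192.168.1.1", "203.0.113.10", 1234, 80),     # inbound from private space
        ("in", "203.0.113.10", "203.0.113.10", 139, 139),    # LAND packet
    ]


if __name__ == "__main__":
    site = BorderFilter(["203.0.113.0/24"])
    forwarded, dropped = site.filter_batch(constructed_batch())
    for pkt, reason in dropped:
        print("drop", pkt, "->", reason)
    print(len(forwarded), "forwarded,", len(dropped), "dropped")
```

The egress half is the one that protects other people: if every site dropped outbound packets with foreign source addresses, the spoofed SYN, LAND and FakePing traffic described in the next section could not leave the zombies that generate it. The ingress half protects you, and the point 4 coordination with the provider is where this same rule is applied upstream, closer to the sources.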

Next, let us talk about attacks in practice.

VI. DDoS attack tools in practice

Technically, DDoS attacks are not easy to master, but the attack tools that have appeared make it very easy for a novice to launch one. We use a simple DDoS attack tool to explain.

First we need to understand what makes an attack effective. A zombie (puppet machine) is a network server we control, generally with bandwidth of 10 Mbps or more. One zombie can deal with a 56K to 640K ADSL target; two zombies can deal with a 2M target, and so on.

1. Getting to know Autocrat (the "dictator" DDoS attack controller)

Autocrat is a distributed denial-of-service attack tool based on TCP/IP; it uses remote control to let you easily coordinate multiple servers in a DDoS attack.

The downloaded Autocrat consists of 4 files:

Server.exe - the server side; do not run this on your own machine.

Client.exe - the control side, used to operate Autocrat.

Mswinsck.ocx - the network interface control required by the control side.

Richtx32.ocx - the text box control required by the control side.

Some people cannot get started; in fact all you have to do is press the command buttons on the right. The list on the left shows all the hosts the Client can control; the Client reads the list automatically, without user intervention.

2. Adding a host

You can use Autocrat's scan function, but at present this is like looking for a needle in a haystack, so it is better to install the Server yourself: first run the server side on the other computer.

Click the "Add" button and enter the target IP.

3. Checking server status

Before launching an attack, to make sure the Servers are valid, it is best to run a handshake with them and kick out the useless ones: click the "Check status" button, and the Client will scan and check the IPs in the list and finally generate a report.

4. Cleaning up invalid hosts

Click the "Switch" button to enter the invalid-host list, use the "Clean up hosts" button to kick out the dead machines, then press "Switch" once more to return to the host list.

5. Checking files

Do not forget the three DLLs wsock32s.dll, wsock32l.dll and wsock32p.dll; they are the key to attacking. Use the "Check files" button to view the file status; if a file is found to be missing, take note: you can use the extract command to release the files.

6. Attacking

After the checks above, we can now launch an attack.

SYN attack: the source IP can be anything; for the target IP, fill in the IP or domain name you want to attack; source port 1 to 65535; choose the target port you want to attack: 80 attacks HTTP, 21 attacks FTP, 23 attacks Telnet, 25/110 attack e-mail.

LAND attack: enter the target IP and target port (same as for SYN).

FakePing attack: source IP anything, target IP the IP you want to attack; a large amount of ICMP data will then clog his network.

Fury Ping attack: just fill in the target IP; the principle is the same as FakePing.

7. Stopping

After the attack, click "Stop attack". Do not use the zombies to send large amounts of attack data for too long, as this will congest both the zombies' and the other side's network.

8. Manual commands

If you only want to control one zombie (肉鸡), click its IP in the IP list, then enter the command in the "Manual Command" box and press "Alone". The commands are:

stop - stop

helo ID - check status

syn [ip] [port] [ip] [port] - SYN attack

land [ip] [port] - LAND attack

fakeping [ip] [ip] - FakePing attack

angryping [ip] - Fury Ping attack

extract - release the files

9. Messenger service

You can use the Windows Messenger service to send messages to the zombies.

10. HTTP control

This method is the simplest: enter http://IP:8535 directly in IE and you can use the Server to attack without the Client.

The Autocrat DDoS attack controller, a tool for controlling a large number of Servers, supports 4 attack methods: SYN, LAND, FakePing and Fury Ping. It is highly dangerous; use with caution.

The program is divided into Client and Server. After the Server is executed on a zombie it automatically installs itself as an NT service and deletes its own file, and thereafter it runs on the zombie as a Trojan in NT service mode. It can be controlled via Telnet/HTTP: enter http://ip:8535 directly in IE.

The Server side automatically adapts to the system environment and can be installed on 98/Me/2000/XP; on 98/Me only the Fury Ping attack can be launched, while on 2000/XP all features can be used.
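Point 6 of the defence section says to remove DDoS agents as soon as they are found on your own machine. The description above gives two concrete indicators of an Autocrat Server: the HTTP control listener on TCP 8535 and the three helper DLLs wsock32s.dll, wsock32l.dll and wsock32p.dll. The script below is an added example, not part of the article and not an official removal tool: it parses Windows "netstat -an" output for a listener on that port and checks a file listing for those DLL names. The netstat output and file listing are constructed samples; live_check() runs the real commands, and its default directories are an assumption, since the article does not say where the Server places the DLLs. Port 8535 can also be used by legitimate software, so a hit means "look closer", not "infected".

```python
# Added example (not from the original article): a host check for the two
# concrete Autocrat indicators the text gives, the HTTP control listener on
# TCP 8535 and the three helper DLLs. The netstat output and directory
# listing below are constructed samples; live_check() runs the real commands
# and is only meaningful on a Windows host, and its default directories are
# an assumption (the article does not say where the DLLs are placed).
import os
import subprocess

AUTOCRAT_HTTP_PORT = 8535
AUTOCRAT_DLLS = {"wsock32s.dll", "wsock32l.dll", "wsock32p.dll"}


def listening_tcp_ports(netstat_text):
    """Parse Windows 'netstat -an' output; return TCP ports in LISTENING state."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].upper() == "TCP" and fields[3].upper() == "LISTENING":
            port = fields[1].rsplit(":", 1)[-1]   # works for 0.0.0.0:8535 and [::]:8535
            if port.isdigit():
                ports.add(int(port))
    return ports


def autocrat_indicators(netstat_text, file_names):
    """Return a list of findings; an empty list means no indicator was seen."""
    findings = []
    if AUTOCRAT_HTTP_PORT in listening_tcp_ports(netstat_text):
        findings.append(f"TCP {AUTOCRAT_HTTP_PORT} is listening (Autocrat HTTP control port)")
    present = AUTOCRAT_DLLS & {name.lower() for name in file_names}
    for dll in sorted(present):
        findings.append(f"helper DLL present: {dll}")
    return findings


def live_check(directories=(r"C:\Windows\System32", r"C:\Windows")):
    """Run the check against the local host (Windows only)."""
    netstat = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    names = []
    for d in directories:
        if os.path.isdir(d):
            names.extend(os.listdir(d))
    return autocrat_indicators(netstat, names)


# Constructed sample of Windows netstat output showing the control port open.
CONSTRUCTED_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8535           0.0.0.0:0              LISTENING
  TCP    192.0.2.7:1034         198.51.100.5:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed directory listing: two of the three helper DLLs, plus decoys.
CONSTRUCTED_FILES = ["kernel32.dll", "WSOCK32S.DLL", "wsock32l.dll", "wsock32.dll"]


if __name__ == "__main__":
    for finding in autocrat_indicators(CONSTRUCTED_NETSTAT, CONSTRUCTED_FILES):
        print(finding)
```

Note that the real wsock32.dll is a normal Windows file and is deliberately not matched; only the three names the article lists count. Because the Server registers itself as an NT service and deletes its original file, a finding should be followed by a look at the installed services rather than by a search for Server.exe.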