A new bandwidth attack - vulnerability warning - the black bar safety net

ID MYHACK58:6220069793
Type myhack58
Reporter Anonymous
Modified 2006-06-15T00:00:00


This document is Copyleft, owned by skipjack and released under the GPL. You may freely copy and reprint it provided the document is kept complete; any commercial use is strictly prohibited. Email: skipjack@163.com Source: http://skipjack.cublog.cn

This idea is a refinement and extension of the attack idea in http://www.xfocus.net/articles/200505/796.html, intended to develop a new attack. Any attack software built on this principle has nothing to do with me, skipjack, personally.

Quoting the first section of that article; heh, this one paragraph is enough.

Inserting forged TCP packets after the TCP three-way handshake. Description: use the Socket API's connect to establish a TCP connection through the three-way handshake while a sub-process captures packets; after catching the complete three-way handshake packets, insert a fourth packet. From the fifth packet returned by the peer you can see that the insertion succeeded, but because a TCP packet has been inserted, the connection will then be in chaos. The data of the inserted packet can be set to an HTTP Request to submit a request to the WEB server. And if the target system's TCP sequence number can be precomputed, then whether a blind TCP three-way handshake and insertion with a spoofed source address is possible is worth experimenting with!

The author's experiment in fact showed nothing; it only verified the TCP sequence number and checksum calculation functions.

I think the author must have been inspired by the principle of the CC attack and wanted to achieve the CC attack's effect without going through proxies. But honestly, the sequence-number prediction step is not feasible: a normal TCP stack uses a random initial sequence number, and with 4.3 billion possible values, predicting it even with hundreds of megabytes of bandwidth would be a drop in the bucket. But... to defend against ddos, many security-device vendors implement a stateless syn cookie algorithm. Under a flood of SYNs, this algorithm judges the legitimacy of a connection request from the cookie sequence number carried back in the ACK packet, so their implementation of the TCP handshake is not a sound one, and this idea, modified for attacks on such devices, will work very well. Below is a brief description of how an attacker uses 64-byte ACK packets to make the server retransmit data packets of up to 1518 bytes. If the source IP is forged successfully, the attacker in theory obtains a bandwidth amplification of more than 20 times. If there are two target sites, this method hits both at once. Attack principle: exploiting the TCP fast-retransmit mechanism that is triggered by received ACKs.

Sequence-number chaos blade I: attacking a normal TCP/IP protocol stack (schematic below). When we receive the HTTP response, we immediately reply with an ACK packet whose seq value is the ack value of the HTTP response packet and whose ack value is the seq value of the HTTP response packet. When the server receives this ACK, it concludes that the HTTP response packet it just sent was lost in the network and uses the fast-retransmit mechanism to resend it. If we keep sending a large number of these ACK packets, the server keeps retransmitting. An ACK packet is only 64 bytes, but an HTTP response is usually around 512 bytes and at most 1518 bytes. Because a normal TCP stack's sequence numbers are unpredictable, the attacker has to expose their real IP in this attack.

[Figure: schematic of the attack on a normal TCP/IP protocol stack]
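The pattern just described (many payload-less ACKs that keep pointing at the same sequence number, answered by repeated retransmissions of a much larger segment) is what a defender would look for in a capture. The following is an added example, not code from the original article: a small Python detector over a constructed set of segment records. The Segment type, the field names, the addresses and the sample capture are all my own assumptions; the 64-byte and 1518-byte frame sizes are the article's figures.

```python
"""Added example (not from the original article): a defender-side detector for the
duplicate-ACK / fast-retransmit amplification pattern described above.
Packet records are constructed inline; the Segment type and field names are assumptions."""
from collections import defaultdict, namedtuple

MIN_FRAME = 64     # bytes: minimum Ethernet frame, i.e. a bare ACK (figure from the article)
MAX_FRAME = 1518   # bytes: maximum Ethernet frame, i.e. a full-size data segment

# One captured TCP segment, reduced to the fields the detector needs.
Segment = namedtuple("Segment", "src sport dst dport seq ack payload_len frame_len")


def amplification_factor(ack_frame=MIN_FRAME, data_frame=MAX_FRAME):
    """Bytes the server puts on the wire per byte the sender spends, if every ACK
    provokes one full-size retransmission: 1518/64 = 23.71875, the ">20x" of the text."""
    return data_frame / ack_frame


def flow_key(seg):
    """Unidirectional flow identity."""
    return (seg.src, seg.sport, seg.dst, seg.dport)


def find_dup_ack_floods(segments, threshold=3):
    """Return {flow: count} for every flow in which at least `threshold` payload-less
    segments carry the same ack number. Three such segments are the classic
    fast-retransmit trigger; a flood shows hundreds, so alert well above 3 in practice."""
    per_flow = defaultdict(lambda: defaultdict(int))
    for seg in segments:
        if seg.payload_len == 0:
            per_flow[flow_key(seg)][seg.ack] += 1
    flagged = {}
    for flow, by_ack in per_flow.items():
        worst = max(by_ack.values())
        if worst >= threshold:
            flagged[flow] = worst
    return flagged


def retransmit_ratio(segments, server_ip):
    """Bytes the server spent retransmitting (a data segment whose seq it already sent
    on that flow) divided by bytes of pure ACKs it received. A ratio far above 1 is the
    amplification signature; healthy clients keep it near 0."""
    seen = set()
    retransmitted = 0
    ack_bytes = 0
    for seg in segments:
        if seg.src == server_ip and seg.payload_len > 0:
            key = (flow_key(seg), seg.seq)
            if key in seen:
                retransmitted += seg.frame_len
            seen.add(key)
        elif seg.dst == server_ip and seg.payload_len == 0:
            ack_bytes += seg.frame_len
    return retransmitted / ack_bytes if ack_bytes else 0.0


# Constructed sample capture: server 192.0.2.10:80 answers two clients.
# 203.0.113.7 behaves normally; 10.0.0.5 keeps re-acknowledging the same number.
SERVER = "192.0.2.10"
SAMPLE = (
    [
        # normal exchange: one 512-byte response, one ACK covering all of it
        Segment(SERVER, 80, "203.0.113.7", 50000, 1000, 1, 512, 566),
        Segment("203.0.113.7", 50000, SERVER, 80, 1, 1512, 0, 64),
        # flood: one 512-byte response ...
        Segment(SERVER, 80, "10.0.0.5", 40000, 1000, 1, 512, 566),
    ]
    # ... then five 64-byte ACKs that all point at seq 1000 ...
    + [Segment("10.0.0.5", 40000, SERVER, 80, 1, 1000, 0, 64) for _ in range(5)]
    # ... and the server reacts with four retransmissions of the same segment
    + [Segment(SERVER, 80, "10.0.0.5", 40000, 1000, 1, 512, 566) for _ in range(4)]
)

if __name__ == "__main__":
    print("theoretical amplification:", amplification_factor())
    print("flagged flows:", find_dup_ack_floods(SAMPLE))
    print("retransmit ratio:", retransmit_ratio(SAMPLE, SERVER))
```

On the sample, only the 10.0.0.5 flow is flagged (five identical ACKs), and the server has spent 2264 bytes of retransmissions against 384 bytes of ACKs received. In a real capture the same two measures, counted per server per minute, separate a lossy but honest client from a flood, and the spoofed variant of the attack shows up as retransmissions towards an address that never sent the original request.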

Sequence-number chaos blade II: attacking a server behind a static syn cookie ddos protection device

The so-called static syn cookie method takes parameters from the client's SYN request packet, uses them to compute the seq value of the SYN-ACK reply, and judges the legitimacy of the connection when the ACK packet comes back. This method is used heavily by ddos vendors and has earned a considerable number of national invention patents, heh. You will often hear people from ddos vendors say that their device is more "powerful" than a firewall: it can easily reach hundreds of megabytes of line-rate syn defense, whereas a hundreds-of-megabytes firewall can be killed by 30M of attack traffic. For ddos vendors who say this, I can bet that 80% of their equipment uses this syn cookie algorithm. The benefit of the syn cookie algorithm is that under a synflood attack it consumes only CPU resources, which suits the powerful general-purpose CPUs of x86. Readers may find it strange: why is such a mature technology not used by firewalls, leaving the ddos vendors to huddle around it all day? There are the following reasons:
1: Firewalls do use syn cookies for synflood defense, but mostly not static syn cookies; they use dynamic syn cookies that strictly record connection state, so under a syn flood they consume not only CPU but also large amounts of memory. This is why, as I said at the beginning, this method can attack most ddos vendors and a small portion of firewall vendors.
2: syn cookie/syn proxy is in the BSD kernel source; the latest Linux 2.6 kernel has not yet included syn proxy. So ddos devices are mostly built on BSD. Of course BSD is open source, so porting it yourself is not a big problem.
3: Firewalls are mostly Linux open-source software built on netfilter, but netfilter's hash algorithm and connection-table design are not very good, and the firewall's forwarding-performance bottleneck lies here. Adding syn proxy table entries would further reduce packet-processing capability, or require a larger connection table. High-end firewalls mostly support millions of connections; millions of table entries are already enough to give the firewall a hard time, and with syn proxy entries on top, wouldn't the performance be even more dismal?
4: An important network function of a firewall is DNAT. Before DNAT is performed, the firewall does not know whether the final destination of a SYN packet is itself or a server in the DMZ, so SYN packets must go through DNAT before the firewall knows whether they need syn cookie protection. But that means entering the netfilter framework, and performance of course cannot keep up. How many ddos devices have you seen that support NAT? If they do, their performance drops quite a lot. If the firewall works in bridge mode and does not go through the netfilter framework, it can be turned into a high-performance anti-ddos device, but then of course its other functions are gone. Heh, but what you bought is a firewall; would you waste it like that?
Anyway, against a ddos device that uses static syn cookies, we only need to replay an ACK packet to achieve the effect of a completed three-way handshake with the server, and so the source IP address can be spoofed. The spoofed source IP address is an address you previously used to communicate with the ddos device, whose packets you saved and now replay. If you can't follow what I'm saying, refer to my article "Technical review of domestic ddos vendors" and analyze the packet captures; then you'll understand. The second step is to send a normal HTTP request, and then a large number of forged ACKs to request retransmissions.
Heaven knows who will be the collateral victim at our spoofed source IP address. You might think that victim server B will reply with an RST packet to victim server A. That is possible, but if a "stateful inspection" firewall is installed in front of server B, it will directly discard the reflected HTTP response packets.
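The weakness the section turns on is that a cookie computed only from the SYN's addressing never changes, so an ACK that was valid once is valid forever. The standard fix (Bernstein-style syn cookies, as described in RFC 4987) folds a secret key and a coarse time counter into the cookie, so a replayed ACK is rejected once its time slot has expired. The following is an added example, not the article's code and not any vendor's or the Linux kernel's implementation: a simplified cookie in Python that puts a 5-bit slot counter in the top bits and a 24-bit keyed MAC in the low bits, beside the "static" variant, with a verifier that accepts only recent slots. The secret, the slot length, the lifetime and the addresses are constructed; the MSS bits that real cookies also carry are omitted.

```python
"""Added example (not from the article, a vendor, or the Linux kernel): a simplified
time-slotted, keyed SYN cookie next to the static variant the article criticises.
SECRET, SLOT_SECONDS, COOKIE_LIFETIME_SLOTS and the 4-tuples are constructed values."""
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # a real device draws this at random per boot
SLOT_SECONDS = 64                      # coarse time granularity of the cookie
COOKIE_LIFETIME_SLOTS = 2              # accept cookies from this many past slots


def _mac24(saddr, daddr, sport, dport, t):
    """24-bit keyed MAC over the 4-tuple and the slot counter t.
    saddr/daddr are 4-byte packed IPv4 addresses."""
    msg = struct.pack("!4s4sHHI", saddr, daddr, sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def static_cookie(saddr, daddr, sport, dport):
    """'Static' cookie: derived from the SYN's addressing only (t fixed at 0).
    Nothing in it moves with time, so the verifier below can never expire it."""
    return _mac24(saddr, daddr, sport, dport, 0)


def verify_static_cookie(cookie, saddr, daddr, sport, dport):
    """Accepts the same cookie no matter when it arrives: replay is indistinguishable."""
    return cookie == static_cookie(saddr, daddr, sport, dport)


def timed_cookie(saddr, daddr, sport, dport, now):
    """ISN = (t mod 32) << 27 | mac24(4-tuple, t), with t = now // SLOT_SECONDS.
    The slot counter travels in the top 5 bits so the verifier can rebuild the MAC."""
    t = now // SLOT_SECONDS
    return ((t & 0x1F) << 27) | _mac24(saddr, daddr, sport, dport, t)


def verify_timed_cookie(cookie, saddr, daddr, sport, dport, now):
    """Accept only if the cookie's slot is the current one or one of the last
    COOKIE_LIFETIME_SLOTS slots, and the MAC for that slot checks out.
    The caller passes ack_number - 1 as the cookie."""
    t_now = now // SLOT_SECONDS
    slot = (cookie >> 27) & 0x1F
    for age in range(COOKIE_LIFETIME_SLOTS + 1):
        t = t_now - age
        if t < 0:
            break
        if (t & 0x1F) == slot and (cookie & 0xFFFFFF) == _mac24(saddr, daddr, sport, dport, t):
            return True
    return False


if __name__ == "__main__":
    client, server = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10])
    t0 = 1000
    c = timed_cookie(client, server, 40000, 80, now=t0)
    print("fresh ACK accepted:   ", verify_timed_cookie(c, client, server, 40000, 80, now=t0))
    print("ACK one slot later:   ", verify_timed_cookie(c, client, server, 40000, 80, now=t0 + 64))
    print("ACK an hour later:    ", verify_timed_cookie(c, client, server, 40000, 80, now=t0 + 3600))
    s = static_cookie(client, server, 40000, 80)
    print("static, an hour later:", verify_static_cookie(s, client, server, 40000, 80))
```

The contrast is the whole point: the static verifier has no notion of time, so an ACK captured during an earlier legitimate session from the same address passes forever; the slotted verifier rejects it once the slot window has rolled on, and changing any element of the 4-tuple changes the MAC. A device that also wants the cookie to survive without any per-connection state keeps the window short (a few slots) and rotates the secret.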
