10/1/2014 DDoS and packet analysis principles - .:: HVAOnline ::.
http://www.hvaonline.net/hvaonline/posts/list/44935.hva
[Post] DDoS and packet analysis principles 10/07/2013 00:03:12 (+0700) | #1 | 277324
DDoS and packet analysis principles
As mentioned in the previous post (http://www.hvaonline.net/hvaonline/posts/list/0/44934.hva), mitigating the damage of a DDoS has two main directions:
1) Mitigate by filtering on specific characteristics.
2) Mitigate by filtering on a fixed number of accesses within a period of time (if no specific characteristic can be found).
What information can help us carry out that mitigation? The hardest and most meticulous way, but also the most accurate, is to take the information from the packets captured while they are flooding into the target (to carry out the DDoS).
Perhaps one of the most popular tools today for capturing and analysing packets is Wireshark (formerly called Ethereal). This tool lets us sort packets by:
- the time the packet arrived.
- the source IP of the packet.
- the protocol type of the packet.
- the length of the packet.
- and dig into the properties of each individual packet.
Depending on the need and the circumstances, use the sorting method that suits the analysis. Sometimes you have to switch from one way of sorting packets to another in order to grasp the property that counts as a "specific characteristic".
Of course, logs on proxies and on web servers (such as Apache, Nginx, IIS, etc.) can also be used for analysis, but they completely lack the specific protocol-level information. They do have the advantage of being simpler and easier to analyse, but if you want a clear grasp of the properties of the packets that make up a DDoS, there is no way around using Wireshark to capture and analyse the packets.
Taking a segment of packets from an attack on a recent victim (5/7/2013), what can we see?
- The packets are sorted by source (IP); here we are focusing on analysing the source 113.170.184.21.
- If you click the row whose protocol is HTTP and whose Info is "GET / HTTP/1.1", you will see the "User-Agent" value appear. According to that information, it is a mobile phone running Android with its locale set to Canada (en-ca).
- That HTTP packet is 502 bytes long (including the length of the underlying TCP/IP packet).
- If you use the "follow TCP stream" feature on that specific packet, you will see a group of packets being sent / received and reassembled.
Drilling down a bit further, we can also see that this is an ACK packet with the PSH flag set and a length of 448 bytes.
If you keep examining the list of requests coming from 113.170.184.21, you will see many packets with exactly the same properties occurring many times. That is normal, but things become abnormal when the same IP also has a different User-Agent sending requests within the same second and, in particular, they send requests to the same address over and over, continuously, such as http://www.abc.com/, for a period of time.
The information above looks very ordinary, but it is a reference picture for comparison and for raising the questions that help the analysis, for example:
a. Why does an IP belonging to Vietnam use an Android phone whose locale is set to Canada?
b. Why does the same IP as above also have a different User-Agent, with its locale set to Denmark, sending many requests at the same time to the same URL?
c. Why do those HTTP requests have exactly the same groups of "length" values, repeated over and over?
d. Why do they have the same Referer value, even though that Referer does not exist?
e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
f. How many different User-Agents come from one IP within some period of time?
g. Are those attacking IPs the IPs of a proxy shared by many users?
etc.
In general, the more questions are raised and answered, the more information there is to form the specific characteristics of the attack. Only from that can a filtering measure be formed.
1. Filtering at the IP layer:
These are filters that purely belong to the IP layer, rather than the "strings" and "text" seen at the application layer (after the packets have been fully reassembled). For example, you tally 1 million requests hitting "index.php" with a few dozen different User-Agents, and these requests are ACK-PSH and share the lengths 488, 502, 515, 576, 590 (say). Meanwhile, the requests (considered legitimate and clean) of normal users have different lengths. You have two choices:
1.1 Specifically block the ACK-PSH packets with the lengths above, because you (know) that hardly any of the users coming to your website use the locales Canada, Denmark, Belarus, etc. This choice may wrongly block some people, but when you are being hammered hard, it is a choice aimed at salvaging the remaining users.

1.2 Block generically based on the number of accesses in 1 second (or one minute, or some period of time). The reasoning is that no normal user continuously accesses the home page tens of times every second, or one or more URLs a few hundred times in a minute. Nobody can read that fast.
2. Filtering at the application layer:
These are filters that specifically and precisely target the "strings" and "text" seen in the web servers' logs. For example, you tally 1 million requests hitting "index.php" with a few dozen different User-Agents, and you know that those User-Agents have rarely appeared before and that hardly anyone uses the locales Canada, Denmark, Belarus, etc. Again you have two choices:
2.1 Specifically block the unusual User-Agents as tallied. This choice may wrongly block some people, but when you are being hammered hard, it is a choice aimed at salvaging the remaining users. Nowadays there are countless tools, utilities, plugins, modules, etc. that help with filtering at the application layer.
2.2 Block generically based on the number of accesses in 1 second (or one minute, or some period of time), exactly as in the principle of section 1.2 above.
Conmale
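The two "specific characteristic" filters from the post above (1.1 at the IP/TCP layer, 2.1 at the application layer) applied to a handful of reassembled requests, as an added example that is not part of the original post or of any tool it mentions. The requests, the set of User-Agents seen before the attack and the expected-locale list are constructed for the example; the flood lengths 488, 502, 515, 576 and 590 and the en-ca / da-dk locales come from the post.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Frame lengths the post tallied for the flood's ACK-PSH requests (rule 1.1).
FLOOD_ACK_PSH_LENGTHS = {488, 502, 515, 576, 590}

# Locales the site's own visitors use. Assumed for this example; in practice it is
# taken from a pre-attack capture or log sample, as the post suggests.
EXPECTED_LOCALES = {"vi-vn", "en-us"}

# A locale tag such as "en-ca" or "da-dk" inside a User-Agent string.
LOCALE_RE = re.compile(r"\b([a-z]{2}-[a-z]{2})\b", re.IGNORECASE)


@dataclass(frozen=True)
class Request:
    """One reassembled HTTP request plus the TCP facts Wireshark shows for it."""
    src_ip: str
    tcp_flags: frozenset  # flag names, e.g. frozenset({"ACK", "PSH"})
    frame_len: int        # Wireshark's Length column: whole frame, in bytes
    user_agent: str
    path: str


def ua_locale(user_agent):
    """Lower-cased locale tag found in a User-Agent, or None if it has none."""
    match = LOCALE_RE.search(user_agent)
    return match.group(1).lower() if match else None


def ip_layer_match(req):
    """Rule 1.1: an ACK-PSH segment whose frame length is one of the flood's lengths.
    Needs no stream reassembly, so it is the cheapest test."""
    return {"ACK", "PSH"} <= req.tcp_flags and req.frame_len in FLOOD_ACK_PSH_LENGTHS


def app_layer_match(req, known_uas):
    """Rule 2.1: a User-Agent not seen before the attack, or one whose locale none of
    the site's visitors use."""
    locale = ua_locale(req.user_agent)
    unexpected_locale = locale is not None and locale not in EXPECTED_LOCALES
    return req.user_agent not in known_uas or unexpected_locale


def decide(req, known_uas):
    """Apply the IP-layer rule first, then the application-layer rule."""
    if ip_layer_match(req):
        return "drop:ip"
    if app_layer_match(req, known_uas):
        return "drop:app"
    return "pass"


def summarise(requests, known_uas):
    """Per-request decisions and a tally of each outcome."""
    decisions = [decide(r, known_uas) for r in requests]
    return decisions, Counter(decisions)


# User-Agents present in the site's logs before the attack (constructed baseline).
KNOWN_UAS = {
    "Mozilla/5.0 (Windows NT 6.1; vi-vn; rv:22.0) Gecko/20100101 Firefox/22.0",
    "Mozilla/5.0 (Windows NT 6.1; en-us) AppleWebKit/537.36 Chrome/27.0 Safari/537.36",
}

# Constructed capture: the flood source from the post with two User-Agents, two
# ordinary visitors (one of whom happens to send a 515-byte frame), and a second
# flood source with an unknown User-Agent.
SAMPLE_REQUESTS = [
    Request("113.170.184.21", frozenset({"ACK", "PSH"}), 502,
            "Mozilla/5.0 (Linux; U; Android 2.3.5; en-ca; GT-S5830 Build/GINGERBREAD) AppleWebKit/533.1", "/"),
    Request("113.170.184.21", frozenset({"ACK", "PSH"}), 448,
            "Mozilla/5.0 (Linux; U; Android 4.0.4; da-dk; GT-I9100 Build/IMM76D) AppleWebKit/534.30", "/"),
    Request("203.0.113.7", frozenset({"ACK", "PSH"}), 640,
            "Mozilla/5.0 (Windows NT 6.1; vi-vn; rv:22.0) Gecko/20100101 Firefox/22.0", "/index.php"),
    Request("198.51.100.9", frozenset({"ACK", "PSH"}), 515,
            "Mozilla/5.0 (Windows NT 6.1; en-us) AppleWebKit/537.36 Chrome/27.0 Safari/537.36", "/index.php"),
    Request("192.0.2.5", frozenset({"ACK", "PSH"}), 590, "FloodClient/1.0", "/index.php"),
]

if __name__ == "__main__":
    decisions, tally = summarise(SAMPLE_REQUESTS, KNOWN_UAS)
    for req, verdict in zip(SAMPLE_REQUESTS, decisions):
        print(f"{req.src_ip:16} len={req.frame_len:4} locale={ua_locale(req.user_agent)!s:6} {verdict}")
    print(dict(tally))
```

The fourth constructed request is an ordinary visitor whose 515-byte frame collides with the flood lengths and is dropped by the IP-layer rule; that is the wrongly blocked minority the post accepts in 1.1, and it is why the length set should be taken from a real tally rather than guessed. The IP-layer rule is evaluated first because it needs no stream reassembly.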

[Post by quanta] DDoS and packet analysis principles 10/07/2013 07:55:44 (+0700) | #2 | 277327
Is anyone interested in answering these questions?
e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
f. How many different User-Agents come from one IP within some period of time?

Let's build on a great foundation!

[Post by mylove14129] DDoS and packet analysis principles 10/07/2013 11:07:47 (+0700) | #3 | 277334
quanta wrote:
    Is anyone interested in answering these questions?
    e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
    f. How many different User-Agents come from one IP within some period of time?

Not sure whether quanta has any tool that does this automatically; I usually use splunk, whose filters are quite good, but if the requirement is too complex then maybe writing a script would be better.

[Post by xnohat] DDoS and packet analysis principles 11/07/2013 01:06:01 (+0700) | #4 | 277339
mylove14129 wrote:
    quanta wrote:
        Is anyone interested in answering these questions?
        e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
        f. How many different User-Agents come from one IP within some period of time?

    Not sure whether quanta has any tool that does this automatically; I usually use splunk, whose filters are quite good, but if the requirement is too complex then maybe writing a script would be better.

With large DDoS traffic and the log size ballooning terrifyingly fast, using a script to analyse the log seems extremely inefficient.
Just clear, "What I need to do and how to do it"
The chat box has moved to: http://www.facebook.com/hvaonline

[Post by whisky9x] DDoS and packet analysis principles 11/07/2013 07:07:40 (+0700) | #5 | 277342
I think we should build a system that stores the logs of all services (Hadoop, for instance). When needed, filter them out for analysis.

[Post by mylove14129] DDoS and packet analysis principles 11/07/2013 09:29:56 (+0700) | #6 | 277343
xnohat wrote:
    mylove14129 wrote:
        quanta wrote:
            Is anyone interested in answering these questions?
            e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
            f. How many different User-Agents come from one IP within some period of time?

        Not sure whether quanta has any tool that does this automatically; I usually use splunk, whose filters are quite good, but if the requirement is too complex then maybe writing a script would be better.

    With large DDoS traffic and the log size ballooning terrifyingly fast, using a script to analyse the log seems extremely inefficient.

Right, but here we are talking about using wireshark to capture packets while under attack in order to analyse them (identify precisely the information in the packet fields). I think using wireshark (or tcpdump) to capture too large a volume of packets could affect the server's resources, so the script approach works well in this case (capture with wireshark for a few minutes, then run a script for the statistics). In the case of storing everything as logs, the data volume is enormous; we are forced to use a tool capable of extremely fast indexing, and in that case using splunk is reasonable.

[Post by alphax] DDoS and packet analysis principles 15/05/2014 15:36:50 (+0700) | #7 | 280663
This post has been set to "hidden" because it violates the forum rules, or it is being adjusted to comply with the forum rules.

[Post by explorer88] DDoS and packet analysis principles 28/05/2014 15:15:54 (+0700) | #8 | 280714
quanta wrote:
    Is anyone interested in answering these questions?
    e. How many requests occur in one second, one minute, 5 minutes from the same IP with the same User-Agent?
    f. How many different User-Agents come from one IP within some period of time?

Has anyone answered quanta's questions? Now I also want to gather statistics of this kind from wireshark but don't know how.

[Post by quanta] DDoS and packet analysis principles 01/06/2014 01:22:53 (+0700) | #9 | 280739
explorer88 wrote:
    Now I also want to gather statistics of this kind from wireshark but don't know how.

Try using `tshark` (http://www.wireshark.org/docs/man-pages/tshark.html) combined with `awk`, `sort`, `uniq`, ... and see.
Let's build on a great foundation!

[Post by explorer88] DDoS and packet analysis principles 14/06/2014 10:21:49 (+0700) | #10 | 280824
In the spirit of open source, I'll briefly share the method:
First run tcpdump to capture packets:
sudo tcpdump -vv -x -w file.pcap | strings
-vv to collect as much information as possible
-x to get the packet data
Here strings is the important command to convert the tcp packet data into complete http packets.
For example, to display all user agents, you need to convert the pcap file into a text file using tshark, then run awk, grep, sed, uniq, sort... on that file:
tshark -r file.pcap -T fields -e http.user_agent | strings | sort | uniq
The reason for strings is to remove the empty lines, because for rows without a user agent (for example the tcp three-way handshake) tshark prints an empty line.
Depending on your analysis needs, you pass different values to the -e parameter and apply different grep, cat, sed... syntax.
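One way to get the numbers quanta asks for in questions e and f (requests per second, minute and 5 minutes per IP and User-Agent; distinct User-Agents per IP per window) and to apply the rate rule 1.2/2.2 from the first post, as an added example that is not explorer88's, quanta's or any tool's own code. It reads the tab-separated output of `tshark -r file.pcap -T fields -e frame.time_epoch -e ip.src -e http.user_agent` (the same `-T fields` form as the pipeline above, with two extra fields); the lines embedded below are constructed stand-ins for that output, and the threshold of 3 requests per second is an illustrative value for the tiny sample, far below the "tens per second" the first post describes.

```python
from collections import Counter, defaultdict

# Constructed stand-in for the output of
#   tshark -r file.pcap -T fields -e frame.time_epoch -e ip.src -e http.user_agent
# Fields are tab-separated. Frames without an HTTP request (handshake, pure ACKs) still
# produce a line with an empty User-Agent; the parser drops those, which is the job
# "| strings" does in explorer88's pipeline.
TSHARK_OUTPUT = (
    "1373000000.104\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 2.3.5; en-ca) AppleWebKit/533.1\n"
    "1373000000.231\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 4.0.4; da-dk) AppleWebKit/534.30\n"
    "1373000000.377\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 2.3.5; en-ca) AppleWebKit/533.1\n"
    "1373000000.512\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 2.3.5; en-ca) AppleWebKit/533.1\n"
    "1373000000.690\t113.170.184.21\t\n"
    "1373000001.050\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 2.3.5; en-ca) AppleWebKit/533.1\n"
    "1373000001.900\t203.0.113.7\tMozilla/5.0 (Windows NT 6.1; vi-vn; rv:22.0) Gecko/20100101 Firefox/22.0\n"
    "1373000062.300\t113.170.184.21\tMozilla/5.0 (Linux; U; Android 2.3.5; en-ca) AppleWebKit/533.1\n"
    "1373000090.000\t203.0.113.7\tMozilla/5.0 (Windows NT 6.1; vi-vn; rv:22.0) Gecko/20100101 Firefox/22.0\n"
)


def parse_tshark_fields(text):
    """Yield (epoch_seconds, src_ip, user_agent) for every line carrying a User-Agent."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 3 or not parts[2]:
            continue  # handshake / ACK-only frames have no User-Agent
        yield float(parts[0]), parts[1], parts[2]


def window_of(ts, window_seconds):
    """Fixed window index for a timestamp: 1 s, 60 s, 300 s, ..."""
    return int(ts // window_seconds)


def requests_per_window(records, window_seconds):
    """Question e: requests per (IP, User-Agent) inside each window."""
    counts = Counter()
    for ts, ip, ua in records:
        counts[(window_of(ts, window_seconds), ip, ua)] += 1
    return counts


def peak_rate(records, window_seconds):
    """The (IP, User-Agent) pair with the most requests in any single window."""
    (_, ip, ua), n = requests_per_window(records, window_seconds).most_common(1)[0]
    return ip, ua, n


def user_agents_per_ip(records, window_seconds):
    """Question f: number of distinct User-Agents each IP used inside each window,
    keyed by (window index, IP)."""
    seen = defaultdict(set)
    for ts, ip, ua in records:
        seen[(window_of(ts, window_seconds), ip)].add(ua)
    return {key: len(uas) for key, uas in seen.items()}


def offenders(records, window_seconds, max_requests):
    """Rule 1.2/2.2: IPs that sent more than max_requests requests in some window,
    regardless of User-Agent."""
    per_ip = Counter()
    for ts, ip, _ in records:
        per_ip[(window_of(ts, window_seconds), ip)] += 1
    return sorted({ip for (_, ip), n in per_ip.items() if n > max_requests})


if __name__ == "__main__":
    records = list(parse_tshark_fields(TSHARK_OUTPUT))
    for window in (1, 60, 300):
        ip, ua, n = peak_rate(records, window)
        print(f"{window:>3}s window: busiest pair {ip} / {ua[:40]}... {n} requests")
    print("distinct User-Agents per (window, IP) at 1 s:", user_agents_per_ip(records, 1))
    print("IPs above 3 requests in one second:", offenders(records, 1, 3))
```

On a real capture, feed the tshark output in through `sys.stdin` or a file instead of the embedded constant; the windows are fixed buckets aligned to the epoch, so a burst straddling a boundary is split across two buckets and a sliding window would be needed to catch it exactly.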

