Doan Van Duy - Attack techniques: DoS, DDoS, DRDoS & Botnet
Table of Contents
I - Denial of Service (DoS) attacks
I.1 - Introduction to DoS
I.2 - History of DoS attacks and their development
I.3 - Purpose of DoS attacks and the threat they pose
I.4 - Basic forms of DoS attack
4.a - Smurf
4.b - Buffer Overflow Attack
4.c - Ping of Death
4.d - Teardrop
4.e - SYN Attack
II - Distributed Denial of Service (DDoS) attacks
II.1 - Introduction to DDoS
II.2 - Characteristics of DDoS attacks
II.3 - DDoS attacks cannot be prevented completely
II.4 - The clever attacker
4.a - Agent-Handler model
4.b - IRC-based DDoS attacks
II.5 - Classification of DDoS attacks
II.6 - Reflective DNS attacks
6.a - Issues related to reflective DNS attacks
6.b - The reflective DNS attack tool ihateperl.pl
II.7 - Tools used for DDoS attacks
III - DRDoS (Distributed Reflection Denial of Service)
III.1 - Introduction to DRDoS
III.2 - Countermeasures
2.a - Minimizing the number of Agents
2.b - Finding and neutralizing the Handlers
2.c - Detecting the signs of an attack
2.d - Weakening or stopping the attack
2.e - Diverting the attack
2.f - The post-attack phase
2.g - General countermeasures
IV - Botnets
IV.1 - Introduction to bots and botnets
1.a - What is a bot?
1.b - Why is it called a botnet?
1.c - IRC
IV.2 - Bots and their applications
2.a - DDoS
2.b - Spamming
2.c - Sniffing and keylogging
2.d - Identity theft
2.e - Hosting illegal software
IV.3 - Different kinds of bots
3.a - GT-Bot
3.b - Agobot
3.c - DSNX
3.d - SDBot
IV.4 - Elements of an attack
IV.5 - Defending against botnets
5.a - Subscribe to a web filtering service
5.b - Switch browsers
5.c - Disable scripts
5.d - Deploy intrusion detection and intrusion prevention systems
5.e - Protect user-generated content
5.f - Use software tools
V - Conclusion
VI - References
I - Denial of Service (DoS) attacks
I.1 - Introduction to DoS
- A DoS attack is an attack in which someone makes a system unusable, or slows it down significantly for its legitimate users, by overloading the system's resources.
- When attackers cannot break into a system, they try instead to make it collapse so that it can no longer serve its normal users; this is a Denial of Service (DoS) attack.
- Although a DoS attack does not give access to the data held by the system, it can interrupt the services the system provides. As the definition above implies, a DoS attack against a system exploits the system's weakest points, and the purposes of a DoS attack
I.2 - History of DoS attacks and their development
- DoS attacks began in the early 1990s. At first they were entirely primitive: a single attacker consumed as much of the victim's bandwidth as possible so that nobody else could be served. This was done mostly with simple methods such as ping floods, SYN floods and UDP floods. The attacks then became more sophisticated: the attacker impersonated the victim, sent a few messages, and let other machines flood the victim with their replies (Smurf attack, IP spoofing).
- Such attacks had to be synchronized by hand among several attackers to do real damage. The shift towards automating that synchronization and coordination, and towards large parallel attacks, became widespread from 1997 with the appearance of the first widely publicized DDoS tool, Trinoo. It was based on UDP floods and master-slave communication (intermediate machines were drawn into the attack by planting remotely controlled programs on them). In the following years several more tools became popular: TFN (Tribe Flood Network), TFN2K and Stacheldraht.
- However, reports of such attacks only appeared from late 1999, and the subject became public knowledge only after a large attack on public sites in February 2000. Over three days, Yahoo.com, amazon.com, buy.com, cnn.com and eBay.com came under attack (Yahoo, for example, was flooded with pings at roughly 1 GB/s). Since then DoS attacks have occurred regularly. Examples: on 15 August 2003 Microsoft suffered a very heavy DoS attack that disrupted its websites for about 2 hours; at 15:09 GMT on 27 March 2003 the entire English-language version of the Al-Jazeera website was attacked and disrupted for several hours.
I.3 - Purpose of DoS attacks and the threat they pose
- Attempt to seize network bandwidth and flood the network, after which the network can no longer deliver other services to legitimate users.
- Attempt to break the connection between two machines and prevent access to a service.
- Attempt to prevent specific users from reaching a service.
- Attempt to block a service so that nobody else can reach it.
- While a DoS attack is under way, users trying to reach the service experience it as:
+ Disable Network - the network is down
+ Disable Organization - the organization cannot operate
+ Financial Loss - money is lost
- As noted above, a DoS attack happens when the attacker uses up the system's resources so that the system cannot serve legitimate users. The resources attackers typically exhaust are the following:
- Anything that is scarce, limited, or not replenished.
- Network bandwidth, memory, disk space, CPU time and kernel data structures are all targets of DoS attacks.
- Supporting systems that the computer network depends on: air conditioning, electrical power, cooling and other facilities of the enterprise. If the power to a web server is cut, no user can reach that server.
- Destruction or alteration of configuration information.
- Destruction of the physical layer or of network equipment such as power supplies and air conditioning.
I.4 - Basic forms of DoS attack:
- Smurf
- Buffer Overflow Attack
- Ping of Death
- Teardrop
- SYN Attack
4.a - Smurf:
- Smurf is a classic DoS attack. The attacker's machine sends a large number of ICMP echo requests (pings) to many hosts in a short time, typically by addressing the broadcast address of one or more networks, with the source IP address of each echo request forged to be the victim's address. Every host that receives a request sends its ICMP echo reply to the victim.
- The target therefore receives an enormous burst of ICMP replies, which saturates or slows down its network so that it can no longer serve other traffic. The amplification comes from the broadcast: one forged request produces one reply from every host on the segment.
4.b - Buffer Overflow Attack:
- A buffer overflow occurs whenever a program writes more data into a buffer than the buffer was allocated to hold.
- An attacker can overwrite adjacent data and control information, hijack the flow of the program, and take over the privileges of that program to execute malicious code.
- A classic example: a mail client that copies an attachment's file name into a fixed 256-byte buffer overflows it when it processes a message whose attachment name is longer than 256 characters. A crash caused this way is a DoS; with crafted data it can become code execution.
4.c - Ping of Death:
- The attacker sends an IP packet larger than the maximum an IP datagram may carry, which is 65,535 bytes (the 16-bit Total Length field cannot express more).
- Fragmentation of an IP datagram into smaller pieces is done at the IP layer (layer 3). A sender can emit fragments whose offsets and lengths add up to more than 65,535 bytes; a vulnerable operating system did not check the reassembled size, overflowed its reassembly buffer, and crashed or rebooted, or at least lost its network connectivity.
- Recognizing that an attacker is sending oversize packets is fairly easy. Example (Windows ping, where -l sets the payload size): ping -l 65500 address. Around 1997-1998 this bug was fixed in the major operating systems, so today it is only of historical interest.
4.d - Teardrop:
In a packet-switched network, data is split into many small packets, each carrying its own offset value, and the pieces may travel different paths to the destination. At the destination the offset values are used to put the data back together in its original order.
Exploiting this, an attacker can craft fragments whose offset values overlap one another and send them to the target.
The receiving machine cannot arrange these fragments consistently; older IP stacks mishandled the overlapping ranges, hung, and were "drained" of their processing capacity.
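Both malformed-fragment attacks above (Ping of Death in 4.c and Teardrop in 4.d) are caught by checking fragments before reassembling them. The Python below is an added example, not code from the original report: it models IPv4 fragments with the header fields that matter (identification, the 8-byte-unit offset, the More Fragments flag and the payload), rejects a datagram whose fragments would reassemble past 65,535 bytes or whose byte ranges overlap, and is run over constructed sample fragments rather than captured traffic.

```python
"""Fragment sanity checks against oversize (Ping of Death) and overlapping
(Teardrop) IPv4 fragments. Added example; the fragments below are constructed,
not captured traffic."""
from dataclasses import dataclass

IPV4_MAX_DATAGRAM = 65535  # the 16-bit Total Length field cannot exceed this


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP Identification field, shared by all fragments of a datagram
    offset: int     # Fragment Offset field, in units of 8 bytes
    more: bool      # MF (More Fragments) flag; False marks the last fragment
    payload: bytes  # fragment data


def check_datagram(frags):
    """Classify one datagram's fragments before reassembling them.

    Returns 'oversize' if any fragment ends past 65,535 bytes (Ping of Death),
    'overlap' if two fragments cover the same bytes (Teardrop), 'incomplete'
    if pieces are missing, and 'ok' if the fragments tile the datagram exactly.
    """
    covered = []   # (start, end) byte ranges accepted so far, in offset order
    total = None   # end offset of the fragment carrying MF = 0
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        end = start + len(f.payload)
        if end > IPV4_MAX_DATAGRAM:
            return "oversize"
        if any(start < e and s < end for s, e in covered):
            return "overlap"
        covered.append((start, end))
        if not f.more:
            total = end
    if total is None:
        return "incomplete"
    expected = 0
    for start, end in covered:
        if start != expected:
            return "incomplete"  # a gap before this fragment
        expected = end
    return "ok" if expected == total else "incomplete"


def triage(fragments):
    """Group a mixed stream of fragments by Identification and classify each datagram."""
    by_id = {}
    for f in fragments:
        by_id.setdefault(f.ident, []).append(f)
    return {ident: check_datagram(fs) for ident, fs in by_id.items()}


# Constructed samples: a normal two-piece datagram, a Teardrop pair whose
# second fragment starts inside the first, and a Ping of Death whose last
# fragment ends beyond 65,535 bytes (offset 8189 * 8 = 65,512 plus 1,480 bytes).
SAMPLE_STREAM = [
    Fragment(1, 0, True, b"a" * 1480), Fragment(1, 185, False, b"b" * 100),
    Fragment(2, 0, True, b"x" * 40), Fragment(2, 3, False, b"y" * 24),
    Fragment(3, 0, True, b"p" * 1480), Fragment(3, 8189, False, b"q" * 1480),
]

if __name__ == "__main__":
    for ident, verdict in triage(SAMPLE_STREAM).items():
        print(f"datagram id={ident}: {verdict}")
```

The check runs in offset order and stops at the first violation, which is what a reassembly queue should do: a datagram that is oversize or overlapping is dropped whole, and nothing is allocated for it.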
4.e - SYN Attack:
- The attacker sends forged TCP SYN requests to the target server. To process each SYN the system must set aside memory for the pending connection.
- When a very large number of forged SYNs arrive and use up the server's capacity for pending connections, a legitimate user who sends a TCP SYN gets no response from the server and the connection is never established.
How the SYN attack works
Step 1: The client sends a packet with the SYN flag set to the server to request a connection.
Step 2: On receiving it, the server replies with a SYN/ACK to tell the client the request was received, and it reserves resources for the connection: a portion of system memory (buffer space) for receiving and transmitting data, plus a record of the client's details such as its IP address and port.
Step 3: Finally, the client completes the three-way handshake by returning an ACK to the server, and the connection proceeds.
- Because TCP is a reliable end-to-end protocol, when the server has sent its SYN/ACK in the second step and receives no acknowledgement from the client, it keeps the reserved resources and retransmits the SYN/ACK to the client until it gets a reply (or until its retry limit is reached).
- If the half-open connections keep accumulating, the server quickly becomes overloaded and may crash, so legitimate requests are refused and cannot be served. One can picture it as a personal computer (PC) that hangs when too many programs are opened at the same time.
II - Distributed Denial of Service (DDoS) attacks:
II.1 - Introduction to DDoS:
On the Internet, a Distributed Denial of Service (DDoS) attack is an attack from many computers against one target that causes legitimate requests from normal users to be refused. By generating a very large number of packets towards one specific target, it can produce the same effect as shutting the system down.
In general there are many variants of DDoS technique, but from a technical viewpoint they fall into two classes according to the attacker's aim:
- Exhausting bandwidth.
- Exhausting system resources.
A denial of service attack may also involve running malware to:
- Overload processing capacity so that the system can do no other work.
- Trigger errors in the machine's microcode.
- Trigger errors in the instruction stream, leaving the machine in an unstable state or frozen.
- Exploit operating system flaws that lead to resource starvation or thrashing, for example by using up all available capacity so that no real work can be completed.
- Crash the system.
- iFrame denial of service: an HTML page can be made to call a target website with a very large number of requests, many times over, until the target's bandwidth is exhausted.
II.2 - Characteristics of DDoS attacks:
- The attack comes from a very large set of computers on the Internet and usually relies on services available on the computers in the botnet.
- The target of the attack is the "primary victim", while the compromised machines in the bot network that are used to carry it out are called "secondary victims".
- It is very hard to detect because the attack originates from many IP addresses across the Internet.
- If a single IP address attacks a company, it can be blocked at the firewall. If the attack comes from 30,000 IP addresses, that is extremely difficult.
- A perpetrator can do a lot of damage with a plain DoS attack, and it is more dangerous still when a bot network on the Internet is used to carry out the DoS, which is what is called a DDoS attack.
II.3 - DDoS attacks cannot be prevented completely:
- DDoS attackers search for security holes on Internet-connected computers and exploit them to build a botnet of many such machines.
- Once a DDoS attack is under way it is very hard to stop completely.
- Packets reaching the firewall can be blocked, but most of them come from IP addresses not yet covered by the firewall's access rules and are entirely valid packets.
- If the source address of a packet may be spoofed, and you receive no response from the real owners of those source addresses, you have to block communication with those sources.
- But a botnet consists of thousands to several hundred thousand IP addresses across the Internet, which makes blocking the attack extremely difficult.
II.4 - The clever attacker:
Today no attacker controls a botnet and directs the attack from their own IP address; they go through an intermediary. The DDoS attack models are as follows.
4.a - Agent-Handler model:
The attacker uses handlers to direct the attack: the attacker's client talks to a small number of handlers, and each handler relays commands to the agents (compromised machines) that generate the traffic.
4.b - IRC-based DDoS attacks:
The attacker uses IRC networks to control, amplify and manage the connections to the computers in the botnet.
II.5 - Classification of DDoS attacks:
- Attacks that exhaust the bandwidth to the server:
+ Flood attacks
+ UDP and ICMP floods
- Attacks that amplify traffic:
+ Smurf and Fraggle attacks
[Figure: the DDoS attack on Yahoo.com in 2000]
[Figure: classification of DDoS attacks]
[Figure: a DDoS attack using traffic amplification]
As noted, a Smurf attack pings the broadcast address of some network with the source address set to the machine under attack, so that every reply is sent to the IP address of the target.
II.6 - Reflective DNS attacks (reflective - mirroring):
6.a - Issues related to reflective DNS attacks:
- An attacker can use a botnet to send a very large number of requests to DNS servers, with the source address forged to be the victim's, so that the servers "reflect" their replies onto the victim.
- These requests also consume the DNS servers' own bandwidth.
- Defending against this kind of attack could be done with a firewall that blocks traffic from the machines that have been identified.
- But blocking traffic from DNS servers raises big problems, because DNS servers play a very important role on the Internet.
- Blocking DNS traffic amounts to preventing ordinary users from sending mail and reaching websites.
- A DNS request typically takes about 1/73 of the time on the wire that the reply packet does. Because of this, a tool that multiplies the requests to a DNS server can overload the server so that it no longer serves normal users, and the amplified replies overwhelm whoever the requests were forged to come from.
6.b - The reflective DNS attack tool ihateperl.pl:
- ihateperl.pl is a very small, very effective program based on the DNS reflection attack.
- It uses a list of DNS servers to flood the target network with name-resolution replies.
- By default it resolves google.com against the servers in the list, and the domain can be changed to www.vnexperts.net or any other site the attacker wants.
- Using the tool is simple: prepare a list of DNS servers, pass it the IP address of the target machine and set the number of requests to send.
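To make the size ratio behind reflection concrete, the Python below (an added example, not the tool described above and not code from the report) builds a DNS query in wire format, builds a constructed response that reuses the question and carries several records, and computes the amplification factor a reflector would deliver to a spoofed source. It also shows response rate limiting (RRL), the standard countermeasure on the resolver side: identical responses to one client network are capped per time window, which starves a forged flood while barely touching real clients. The query name, the answer records and the limit value are assumptions.

```python
"""DNS wire format, amplification factor and response rate limiting.
Added example; the query name, the answer records and the rate limit are
constructed for the demonstration and are not real data."""
import struct
from collections import defaultdict

QTYPE_A, QTYPE_TXT, QTYPE_ANY = 1, 16, 255


def encode_name(name):
    """Encode 'example.com' as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype=QTYPE_ANY, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def build_response(query, answers):
    """Answer `query` with the given (rtype, rdata) records.

    Each record names its owner with a compression pointer (0xC00C) to the
    question name at offset 12, as real servers do to keep replies compact.
    """
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    header = struct.pack("!HHHHHH", txid, 0x8180, qdcount, len(answers), 0, 0)
    records = b"".join(struct.pack("!HHHIH", 0xC00C, rtype, 1, 300, len(rdata)) + rdata
                       for rtype, rdata in answers)
    return header + query[12:] + records


def amplification(query, response):
    """Bytes delivered to the (possibly spoofed) source per byte the attacker sent."""
    return len(response) / len(query)


def is_response(packet):
    """QR bit of the flags word. Unsolicited responses arriving at a host are
    what the victim of a reflection attack sees."""
    return bool(struct.unpack("!H", packet[2:4])[0] & 0x8000)


class ResponseRateLimiter:
    """RRL: cap identical responses per (client /24, qname) per window.

    A forged flood repeats the same query from one victim address thousands
    of times; legitimate clients almost never do, so the cap rarely hits them.
    """

    def __init__(self, limit, window=1.0):
        self.limit, self.window = limit, window
        self.counters = defaultdict(lambda: [0, 0.0])   # key -> [count, window start]

    def allow(self, client_ip, qname, now):
        key = (client_ip.rsplit(".", 1)[0], qname.lower())
        state = self.counters[key]
        if now - state[1] >= self.window:
            state[0], state[1] = 0, now     # open a new window
        state[0] += 1
        return state[0] <= self.limit


# Constructed reflector traffic: an ANY query for a zone apex answered with ten
# A records and one 200-byte TXT record.
QUERY = build_query("example.com")
RESPONSE = build_response(QUERY, [(QTYPE_A, bytes([192, 0, 2, i])) for i in range(1, 11)]
                          + [(QTYPE_TXT, b"\xc7" + b"v" * 199)])

if __name__ == "__main__":
    print(f"query {len(QUERY)} B, response {len(RESPONSE)} B, "
          f"amplification x{amplification(QUERY, RESPONSE):.1f}")
    rrl = ResponseRateLimiter(limit=5)
    print("RRL verdicts for 8 repeats in one second:",
          [rrl.allow("198.51.100.10", "example.com", now=0.0) for _ in range(8)])
```

The 29-byte ANY query comes back as 401 bytes here, a factor of about 14; zones with large DNSKEY or TXT sets push the factor into the range the section cites. RRL keys on the client network rather than the exact address precisely because the attacker chooses the source address.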
II.7 - Tools used for DDoS attacks:
The following are DDoS attack tools:
- Trinoo
- Tribe Flood Network (TFN)
- TFN2K
- Stacheldraht
- Shaft
- Trinity
- Knight
- Mstream
- Kaiten
All of these can be downloaded freely from the Internet; note that they are weak, dated tools that merely demonstrate the idea of a DDoS attack.
III - DRDoS (Distributed Reflection Denial of Service)
III.1 - Introduction to DRDoS
DRDoS appeared in early 2002 and was, at the time, the newest and most powerful member of the DoS family.
Carried out by a skilled attacker, it could bring down almost any system in the world in a matter of minutes.
DRDoS combines the two attack types DoS and DDoS.
The main goal of DRDoS is to seize all of the server's bandwidth, that is, to completely choke the link from the server to the Internet backbone, and to drain the server's resources.
Consider a Server A and a Victim. Suppose we send one SYN packet to Server A with the source IP forged to be the Victim's. Server A opens a half-open connection and sends a SYN/ACK packet to the Victim, believing the Victim wants to connect. This is the concept of Reflection. The attacker runs a spoofed-SYN generator that sends SYNs to all of the large TCP servers it can find; those servers unwittingly become zombies that attack the Victim together and choke the Victim's link.
With many large servers taking part, the target server is quickly overwhelmed and its bandwidth is consumed by the reflectors' replies.
The "artistry" is that, with just one computer on a 56 kbps modem, a skilled attacker could knock over any server in seconds without having to take over a single machine to use as an attack platform. The SYN/ACK retransmissions from each reflector amplify the attacker's own link several times over, although the damage is still bounded by the number and capacity of the reflectors that can be recruited.
III.2 - Countermeasures:
Many solutions and ideas have been proposed to deal with DDoS attacks, but none of them solves the anti-DDoS problem completely. New forms of DDoS keep appearing over time alongside the countermeasures, and the race follows the usual law of computer security: the attackers stay one step ahead of the defenders.
There are three main phases in anti-DDoS work:
- Prevention: minimize the number of Agents; find and neutralize the Handlers.
- Confronting the attack: detect and block the attack, weaken and stop it, divert it.
- After the attack: collect evidence and learn lessons.
[Figure: the detailed phases of DDoS defense]
2.a - Minimizing the number of Agents:
- On the user side: a very good way to prevent DDoS attacks is for every Internet user to protect their own machine from being abused to attack others. For this to happen, awareness and defensive know-how have to be spread widely among Internet users. An attack network can never form if no user's machine is abused into becoming an Agent. Users have to keep applying security measures to their computers and check for the presence of Agents on their own machines, which is very hard for ordinary users.
- Some solutions build the ability to block the installation of malicious code into the hardware and software of each system. On the user side, people should install and continually update software such as antivirus and anti-trojan tools and the operating system's patches.
- On the network service provider side: switching to billing by volume would make users pay attention to what they send, which naturally raises every user's awareness of, and willingness to detect, DDoS Agents.
2.b - Finding and neutralizing the Handlers:
The Handler is a critically important element of the attack network: if the Handlers can be detected and neutralized, the chance of a successful anti-DDoS effort is very high. By monitoring the traffic between Handler and Client, or between Handler and Agent, the location of a Handler can be found. Because one Handler manages many Agents, taking out one Handler removes a significant number of Agents from the attack network.
2.c - Detecting the signs of an attack: several techniques are used:
- Egress Filtering: this technique checks whether a packet is allowed to leave a subnet, based on the fact that the subnet's gateway always knows the IP addresses of the machines in that subnet. Packets leaving the subnet with an invalid source address are held back so the cause can be investigated. If this technique were applied on every subnet of the Internet, the problem of IP address spoofing would no longer exist.
- MIB statistics: the Management Information Base (SNMP) of a router always holds statistics about how the network's state changes. By closely watching the statistics for the ICMP, UDP and TCP protocols we can detect the moment an attack starts and gain time to respond.
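Both detection techniques above can be run as code. The Python below is an added example, not from the report: an egress filter in the style of BCP 38 that splits outbound packets into those whose source belongs to the local prefixes and those held back as spoofed, and an anomaly detector over SNMP-style interface counters that converts counter samples into per-second rates and flags the moment a rate jumps far above its running baseline. The prefixes, packets and counter samples are constructed; the EWMA parameters are assumptions.

```python
"""Egress (BCP 38 style) source filtering and counter-based anomaly detection.
Added example; subnets, packets and counter samples are constructed."""
import ipaddress


def egress_filter(local_prefixes, packets):
    """Split outbound (src, dst) pairs into those whose source belongs to the
    local prefixes and those held back for investigation as spoofed."""
    nets = [ipaddress.ip_network(p) for p in local_prefixes]
    forwarded, held = [], []
    for src, dst in packets:
        addr = ipaddress.ip_address(src)
        (forwarded if any(addr in n for n in nets) else held).append((src, dst))
    return forwarded, held


def counter_rates(samples):
    """Turn monotonically increasing counter samples (t, value) into
    (t, per-second rate) for each sampling interval."""
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        rates.append((t1, (c1 - c0) / (t1 - t0)))
    return rates


def detect_rate_spikes(samples, alpha=0.3, k=4.0, warmup=3):
    """Flag sample times whose rate exceeds EWMA mean + k * EWMA deviation.

    The first `warmup` rates only train the baseline. Flagged samples do not
    update the baseline, so a flood cannot teach the detector that it is normal.
    """
    flagged = []
    mean = dev = None
    for i, (t, rate) in enumerate(counter_rates(samples)):
        if mean is None:
            mean, dev = rate, 0.0
            continue
        if i >= warmup and rate > mean + k * max(dev, 1.0):
            flagged.append(t)
            continue
        dev = alpha * abs(rate - mean) + (1 - alpha) * dev
        mean = alpha * rate + (1 - alpha) * mean
    return flagged


# Constructed data. Outbound packets seen at the gateway of 203.0.113.0/24:
PACKETS = [
    ("203.0.113.7", "198.51.100.1"),    # genuine local source
    ("198.51.100.99", "203.0.113.1"),   # forged source that is not ours
    ("203.0.113.250", "192.0.2.8"),
    ("10.0.0.1", "192.0.2.8"),          # forged: private address leaving the subnet
]
# An icmpInEchoReps-style counter sampled every 10 s: steady ~100 pkt/s, then a flood.
ICMP_REPLIES = [(0, 0), (10, 1000), (20, 2050), (30, 3000), (40, 4020),
                (50, 5000), (60, 6010), (70, 56010), (80, 106010)]

if __name__ == "__main__":
    fwd, held = egress_filter(["203.0.113.0/24"], PACKETS)
    print("held for investigation:", held)
    print("flood detected at t =", detect_rate_spikes(ICMP_REPLIES))
```

The egress check is the one the section says would end spoofing if every subnet applied it; the counter check is what turns a router's MIB into an early warning, with the floor of one packet per second in the deviation term keeping a perfectly flat baseline from flagging trivial jitter.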
2.d - Weakening or stopping the attack: the following techniques are used:
- Load balancing: putting a load-balanced architecture in front of critical servers increases how long the system can withstand a DDoS attack. In practice, however, this is of limited value, because the scale of an attack is unbounded.
- Throttling: configure a rate-limiting mechanism on the router that sets a reasonable load ceiling that the servers behind it can handle. This can also stop DDoS traffic from preventing users from reaching the service. Its limitation is that it cannot tell traffic types apart, so it sometimes disrupts service for legitimate users, and DDoS traffic can still enter the service network, though only in bounded quantity.
- Drop request: drop requests that violate certain rules, such as excessive delay, heavy use of processing resources, or causing deadlock. This technique eliminates the ability to exhaust the system's capacity, but it also restricts some normal activity of the system, so it must be used with care.
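The limitation of throttling stated above (a rate limit cannot tell attack traffic from legitimate traffic) is easiest to see by running one request stream through two token-bucket policies. The Python below is an added example, not from the report: a bucket shared by all sources versus one bucket per source address, both fed a constructed mix of one flooding source and one ordinary user. The rate, burst size, addresses and request times are assumptions; the times are binary fractions so the token arithmetic is exact.

```python
"""Token-bucket throttling: one shared bucket versus one bucket per source.
Added example; the request stream, rate and burst are constructed."""
from collections import defaultdict


class TokenBucket:
    """Classic token bucket: refills `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens = float(burst)
        self.last = None

    def allow(self, now, cost=1.0):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


def run_global(requests, rate, burst):
    """One bucket in front of the service; every source competes for it."""
    bucket = TokenBucket(rate, burst)
    return _tally(requests, lambda src: bucket)


def run_per_source(requests, rate, burst):
    """A bucket per source address; a flooder only exhausts its own."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    return _tally(requests, lambda src: buckets[src])


def _tally(requests, pick_bucket):
    """Process (time, source) requests in time order; return {source: (allowed, denied)}."""
    stats = defaultdict(lambda: [0, 0])
    for t, src in sorted(requests):
        stats[src][0 if pick_bucket(src).allow(t) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


# Constructed stream: a flooder sending 8 requests/s for 2 s, and a user
# sending three requests in the same period.
FLOODER, USER = "198.51.100.9", "203.0.113.4"
REQUESTS = [(i * 0.125, FLOODER) for i in range(16)] + \
           [(0.3125, USER), (0.9375, USER), (1.4375, USER)]

if __name__ == "__main__":
    print("shared bucket:    ", run_global(REQUESTS, rate=4.0, burst=4))
    print("per-source bucket:", run_per_source(REQUESTS, rate=4.0, burst=4))
```

With the shared bucket the ordinary user gets one of three requests through, because the flooder keeps the bucket empty; with a bucket per source the user is untouched while the flooder is held to the configured rate. Per-source buckets fail in their turn when the attacker spoofs or rotates source addresses, which is why the section pairs throttling with source filtering and traceback.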
2.e - Diverting the attack: Honeypots. A technique under study is the honeypot: a system designed to lure attackers into attacking it when they break in, instead of the really important systems.
A honeypot does not only play the decoy that takes the blow for the real target; it is also very effective at detecting and handling intrusions, because it comes with monitoring and alerting mechanisms built in.
Honeypots are also valuable for learning from attackers, since they record every move the attacker makes on the system in considerable detail. If an attacker is lured into installing an Agent or Handler on the honeypot, the chance of dismantling the whole attack network is very high.
2.f - The post-attack phase: the following work is normally done in this phase:
- Traffic Pattern Analysis: if data on how traffic volume varied over time has been kept, it is analyzed. This analysis is very useful for tuning the load balancing and throttling systems, and the data also helps the network administrator adjust the rules that control traffic in and out of the network.
- Packet Traceback: traceback techniques let us trace back to the attacker's location (at least the attacker's subnet). From traceback one can develop the ability to block the attacker at the source, which is quite effective. Recently a fairly efficient traceback technique that can locate the source of an attack in under 15 minutes has appeared, the technique referred to as XXX.
- Event Logs: by analyzing log files after the attack, the administrator can find many clues and important pieces of evidence.
2.g - General countermeasures:
1. When you detect that your server is under attack, quickly trace the attacking IP addresses and block data from them to the server.
2. Use the filtering features of the router/firewall to discard unwanted packets, reducing traffic on the network and load on the server.
3. Use the rate-limiting features of the router/firewall to limit the number of packets entering the system.
4. If the attack works because of a flaw in software or hardware, quickly apply the fixes or replace the component.
5. Use mechanisms, tools and software against TCP SYN flooding.
6. Turn off any other services on the server to reduce its load so it can respond better. If possible, upgrade the hardware to raise the system's capacity, or add more servers with the same function to share the load.
7. Temporarily move the server to another address.
IV - Botnets
A brief history:
- The end of the 20th century and the start of the new millennium saw the rapid, powerful growth of a distinct attack strategy against networks: DDoS, Distributed Denial of Service, the notorious distributed form of denial of service, was born. Like its sibling DoS, DDoS spread very widely, mainly because it is simple yet very hard to trace. Although much experience in countering it has been shared and a considerable body of knowledge about it exists, DDoS remains a serious threat today and a dangerous tool in the hands of hackers. Let us look at DDoS and its heir: botnet attacks.
IV.1 - Introduction to bots and botnets
1.a - What is a bot? Bots are programs similar to backdoor trojans that let the attacker use the infected machines as zombies (computers whose control has been completely taken over). They actively connect out to a server so they can be controlled easily; note that this active outbound connection is a feature that distinguishes bots from backdoor trojans. Because of this constant connection the infected computer becomes sluggish, a symptom that helps us recognize a bot.
1.b - Why is it called a botnet? A botnet is a very large network of hundreds or thousands of zombie computers connected to an IRC (Internet Relay Chat) server, or coordinated through DNS servers, so that they receive the hacker's orders as fast as possible. Bot networks of thousands of members are an ideal tool for destructive campaigns such as DDoS, spam and the installation of adware.
1.c - IRC
- IRC stands for Internet Relay Chat. It is a protocol designed for real-time text conversation (see RFC 1459 and its updates RFC 2810, 2811, 2812, 2813), based on a client-server architecture. Most IRC servers allow free access regardless of who the user is. IRC is an open network protocol built on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
- An IRC server connects to other IRC servers in the same network. IRC users can communicate either publicly (on channels) or privately (one to one). There are two basic access levels on an IRC channel: user and operator. The user who creates a channel becomes its operator. An operator has more privileges (depending on the modes set by the original operator) than an ordinary user.
- IRC bots are treated like ordinary users (or operators). They are daemon processes that can run a number of operations automatically. Control of these bots is usually based on commands the hacker sends to the channel they establish, mostly for destructive purposes. Of course, managing the bots also requires authentication and authorization, so only their owner can use them.
- An important component of these bots is the set of events they can use to spread quickly to other computers. Planning the attack program carefully gives better results in less time (for instance, compromising more computers). A group of bots connected to a single channel to wait for the attacker's commands is called a botnet.
- Not long ago, zombie networks (another name for machines compromised by bots) were usually controlled with proprietary tools developed deliberately by the crackers themselves. Over time they moved to remote-control methods. IRC is considered the best tool for launching attacks thanks to its flexibility, ease of use, and especially because public servers can serve as the communication medium. IRC offers a simple way to control hundreds, even thousands of bots at once in a flexible manner. It also lets the attacker hide their real identity with simple tricks such as anonymous proxies or IP address spoofing. At the same time, it leaves traces that a server administrator can follow.
- In most bot attacks the victims are mainly standalone home users, university servers, or small business networks. The reason is that computers in these places are not closely monitored and often have no network protection at all. These users usually have no security policy, or an incomplete one that covers only part of the problem. Most home users on ADSL connections are unaware of the dangers around them and do not use protective software such as antivirus tools or a personal firewall.
IV.2 - Bots and their applications
- What bots and the machines they control can be used for depends entirely on the creativity and skill of the attacker. Let us look at some of the most common uses.
2.a - DDoS
- Botnets are routinely used in Distributed Denial of Service (DDoS) attacks. An attacker can control a large number of compromised machines from a remote station, exploit their bandwidth and send connection requests to the target server. Many networks have been left in a very bad state after such attacks, and in some cases the perpetrators were found while the attack was in progress (as in the dotcom wars).
- A DDoS attack is a variant of the flooding DoS attack. Its purpose is to flood the target network, consuming all available bandwidth. The attacker then has the whole enormous bandwidth of the network at their disposal to flood the target website. The best way to launch such an attack is from many computers under the attacker's control. Each computer contributes its own bandwidth (for example a home PC on ADSL); all of it is used at once, distributing the attack onto the target website. One of the most common attacks uses TCP (a connection-oriented protocol) and is called TCP SYN flooding. It works by sending a huge number of TCP connection requests simultaneously to a web server (or any other service), exhausting the server's resources, saturating its bandwidth and preventing other users from opening their own connections. Simple, but really dangerous! The same result can be obtained with UDP (a connectionless protocol).
- Criminals invest a great deal of time and effort in improving their attack methods. Today, computer network users like us face techniques far more sophisticated than the traditional DDoS attack. These techniques let the attacker control an extremely large number of compromised computers (zombies) from a remote station using nothing more than the IRC protocol.
2.b - Spamming
- A botnet is an ideal tool for spammers. They have been, are, and will be used both to trade harvested e-mail addresses and to drive the spam-sending machinery in the same way as a DDoS attack. Spam is sent to the botnet, distributed through the bots and sent out from the compromised computers. The spammers stay anonymous while the compromised machines bear all the consequences.
2.c - Sniffing and keylogging
- Bots can also be used very effectively to enhance the classic art of sniffing. By watching the data flowing through a machine one can gather an astonishing amount of information: users' habits, TCP packet payloads and other interesting items (such as passwords and user names). The same goes for keylogging, a way of capturing everything the user types (e-mail, passwords, banking data, PayPal accounts, and so on).
2.d - Identity theft
- The methods described above let the attacker who controls a botnet collect an enormous amount of personal data. That data can be used to build forged identities, which in turn are used to access personal accounts or carry out other activities (possibly preparing further attacks), with the consequences falling on the owners of the information.
2.e - Hosting illegal software
- This is the last form, but not the end. Computers compromised by bots can be used as storage for illegal material (pirated software, pornographic images, and so on). The data sits on the hard disk while the ADSL user knows nothing about it.
- Many, many more uses have been developed on top of botnets (pay-per-click fraud, phishing, hijacking of HTTP/HTTPS connections, and so on), but listing them all would take hours. A bot is just a tool that can be assembled and adapted easily for any activity that requires one-to-many control over a large number of computers.
IV.3 - Different kinds of bots
- Many kinds of bots have been written and are available for download all over the Internet. Each has its own special features. We will look at some of the most popular and discuss their main components and distinguishing traits.
3.a - GT-Bot - All GT (Global Threat) bots are based on the popular Windows IRC client mIRC. Their core is a set of mIRC scripts used to control the system remotely. This kind of bot runs an enhanced client session with the control scripts, and uses a second application, usually HideWindows, to hide mIRC from the user of the host machine. An additional DLL adds new features to mIRC so the scripts can manipulate many aspects of the compromised computer.
3.b - Agobot - Agobot is one of the most popular bots and is often used by professional crackers. It is written in C++ and released under the GPL license. What is interesting about Agobot is its source code: highly modular, it makes adding new functionality easy. It also provides many mechanisms for hiding itself on the user's machine. Its main components are NTFS Alternate Data Streams, an Antivirus Killer (which disables antivirus programs) and a Polymorphic Encryptor Engine (shape-shifting encryption). Agobot offers traffic sorting and sniffing features. Protocols other than IRC can also be used to control this kind of bot.
3.c - DSNX - Dataspy Network X (DSNX) is also written in C++ and its source is under the GPL. This bot adds one new feature: a simple plug-in architecture.
3.d - SDBot - SDBot is written in C and also uses the GPL. Unlike Agobot, its source code is very plain and the software itself has a limited set of functions. Nonetheless SDBot is very popular and has spawned many variants.
IV.4 - Elements of an attack
Figure 1 shows the structure of a typical botnet:
[Figure 1: structure of a typical botnet]
First the attacker spreads a trojan horse to many different computers. These computers become zombies (machines whose control has been taken over) and connect to an IRC server to listen for further commands. The IRC server can be a public machine on one of the IRC networks, but it can also be a dedicated server the attacker installs on one of the compromised machines.
The bots running on the compromised computers form a botnet.
A concrete example
The attacker's activity can be divided into four phases: creation, configuration, attack and control.
- The creation phase depends heavily on the attacker's skill and requirements. A professional cracker can weigh writing their own bot code against simply extending and customizing an existing one. The number of bots available is large and they are highly configurable; some even allow easy operation through a graphical interface. This phase is not difficult and is usually where newcomers start.
- The configuration phase supplies the IRC server and channel information. Once installed on a controlled computer, the bot connects to the chosen host. First the attacker enters the data needed to restrict access to the bot, secure the channel, and finally provide a list of authorized users (those who may control the bot). At this stage the bot can be tuned further, for example by defining the attack method and the target.
- The attack phase uses various techniques to spread the bot, both direct and indirect. The direct form exploits a vulnerability in the operating system or a service. The indirect form typically deploys some other software for the dirty work, such as using HTML files to exploit Internet Explorer vulnerabilities, or distributing malware over peer-to-peer networks or through DCC (Direct Client-to-Client) file transfers on IRC. Direct attacks are usually automated by worms. All such a worm has to do is search subnets for vulnerable systems and inject the bot code. Each compromised system then continues the attack program, letting the attacker save resources and giving them more time to look for further victims.
- The mechanisms used to distribute bots are one of the main causes of what is called Internet background noise. The main ports used are Windows ports, specifically Windows 2000 and XP SP1 (see Table 1). They appear to be the hackers' favorite targets, because it is very easy to find a Windows machine that has not been fully patched or has no firewall installed. This is also very common among home users and small businesses, who tend to ignore security issues and are always connected to the Internet over broadband.
Port   Service
42     WINS (Host Name Server)
80     HTTP (IIS or Apache vulnerabilities)
135    RPC (Remote Procedure Call)
137    NetBIOS Name Service
139    NetBIOS Session Service
445    Microsoft-DS Service
1025   Windows Messenger
1433   Microsoft SQL Server
2745   Bagle worm backdoor
3127   MyDoom worm backdoor
3306   MySQL UDF (User Definable Functions)
5000   UPnP (Universal Plug and Play)
Table 1: ports associated with vulnerable services
- The control phase covers a number of actions carried out after the bot has been installed on the host machine in a chosen directory. To start with Windows, the bot updates the registry, typically under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.
- The first thing the bot does after a successful installation is connect to an IRC server and join the control channel using a password. Its IRC nickname is generated randomly. The bot then sits ready, waiting for commands from the master application. The attacker also has to use a password to connect to the botnet, which is necessary so that nobody else can use the botnet that has been built.
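The control pattern just described (a bot with a generated nickname joining a keyed channel and waiting for commands, with the restrictive channel modes discussed at the end of this section) leaves traces in the server's traffic that an IRC operator can score. The Python below is an added example, not from the report: it parses messages in the RFC 1459 format, applies a few heuristics for botnet command-and-control, and runs them over constructed log lines. The command-prefix convention ('.' or '!' followed by a word) and the digit-count nickname test are assumptions based on common bot families, not a standard.

```python
"""Triage of IRC traffic for botnet control patterns: a JOIN with a channel
key, a machine-generated nickname, restrictive channel modes and channel
messages shaped like bot commands. Added example; the log lines are
constructed and the heuristics are assumptions, not a fixed standard."""
import re

CMD_LIKE = re.compile(r"^[.!][a-z]+(\.[a-z]+)*(\s|$)")   # e.g. ".ddos.syn host port secs"


def parse_irc(line):
    """Split an RFC 1459 message into prefix, command, parameters and trailing text."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    return {"prefix": prefix, "command": parts[0].upper(),
            "params": parts[1:], "trailing": trailing}


def nick_of(prefix):
    """'nick!user@host' -> 'nick'; server prefixes (no '!') yield None."""
    return prefix.split("!", 1)[0] if prefix and "!" in prefix else None


def looks_generated(nick):
    """Heuristic for machine-made nicks such as USA|XP|04821: four or more digits."""
    return sum(ch.isdigit() for ch in nick) >= 4


def suspicious(msg):
    """Reasons a single parsed message looks like botnet command-and-control."""
    reasons = []
    nick = nick_of(msg["prefix"])
    if nick and looks_generated(nick):
        reasons.append("generated-looking nickname")
    if msg["command"] == "JOIN" and len(msg["params"]) >= 2:
        reasons.append("channel key used on JOIN")
    if msg["command"] == "MODE" and len(msg["params"]) >= 2:
        modes = msg["params"][1]
        if modes.startswith("+") and set("ksm") & set(modes):
            reasons.append("restrictive channel modes " + modes)
    if msg["command"] == "PRIVMSG" and msg["trailing"] and CMD_LIKE.match(msg["trailing"]):
        reasons.append("command-like message to channel")
    return reasons


def triage(lines):
    """Return [(line index, reasons)] for lines that raise at least one reason."""
    alerts = []
    for i, line in enumerate(lines):
        reasons = suspicious(parse_irc(line))
        if reasons:
            alerts.append((i, reasons))
    return alerts


# Constructed server-side log. Lines 1-3 are the bot joining with a key, the
# operator locking the channel and issuing a command; lines 4-5 are ordinary chat.
SAMPLE_LOG = [
    ":irc.example.net 001 USA|XP|04821 :Welcome to the network",
    ":USA|XP|04821!u@10.0.0.5 JOIN #c0ntr0l s3cretkey",
    ":operator!op@203.0.113.9 MODE #c0ntr0l +smk s3cretkey",
    ":operator!op@203.0.113.9 PRIVMSG #c0ntr0l :.ddos.syn 198.51.100.10 80 600",
    ":alice!alice@192.0.2.7 PRIVMSG #linux :anyone tried the new kernel?",
    ":alice!alice@192.0.2.7 JOIN #linux",
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_LOG):
        print(f"line {idx}: {'; '.join(reasons)}")
```

Each heuristic on its own has benign matches (keyed channels and moderated modes are normal for private groups), so in practice the reasons are combined per channel and per nickname rather than acted on per line; the value of the parser is that the same fields feed whatever scoring the operator chooses.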
- IRC khng ch cung cp phng tin iu khin hng trm bot m cn cho php
k tn cng s dng nhiu k thut khc nhau n nhn dng thc ca chng. iu khin
vic i ph trc cc cuc tn cng tr nn kh khn. Nhng may mn l, do c im t
nhin ca chng, cc botnet lun to ra lu lng ng ng, to iu kin d dng c
th d tm nh mt s kiu mu hay m hnh bit. iu gip cc qun tr vin IRC pht
hin v can thip kp thi, cho php h g b cc mng botnet v nhng s lm dng
khng ng c trn h thng ca h. - Trc tnh hnh ny, nhng k tn cng buc phi
ngh ra cch thc khc, ci tin k thut C&C (Control and Command - iu
khin qua lnh) thnh botnet hardening. k thut mi ny, cc bot thng c cu
hnh kt ni vi nhiu server khc nhau, s dng mt hostname nh x ng. Nh ,
k tn cng c th chuyn bot sang server mi d dng, vn hon ton nm quyn
kim sot ngay c khi bot b pht hin. Cc dch v DNS ng nh dyndns.com hay
no-IP.com thng c dng trong kiu tn cng ny. DNS ng - Mt DNS ng (nh
RFC 2136) l mt h thng lin kt tn min vi a ch IP ng. Ngi dng kt ni
Internet qua modem, ADSL hoc cp thng khng c a ch IP c nh. Khi mt i
tng ngi dng kt ni ti Internet, nh cung cp dch v mng (ISP) s gn mt a
ch IP cha c s dng ly ra t vng c chn. a ch ny thng c gi nguyn cho ti
khi ngi dng ngng s dng kt ni . - C ch ny gip cc hng cung cp dch v
mng (ISP) tn dng c ti a kh nng khai thc a ch IP, nhng cn tr i tng
ngi dng cn thc hin mt s dch v no qua mng Internet trong thi gian
di, song khng phi s dng a ch IP tnh. gii quyt vn ny, DNS ng c cho
ra i. Hng cung cp s to cho dch v mt chng trnh chuyn dng, gi tn hiu
ti c s d liu DNS mi khi a ch IP ca ngi dng thay i.- n hot ng, knh
IRC c cu hnh gii hn quyn truy cp v n thao tc. Cc m hnh IRC in hnh
cho knh botnet l: +k (i hi phi nhp mt khu khi dng knh); +s (khng c
hin th trn danh sch cc knh cng cng); +u (ch c ngi iu hnh (operator)
l c hin th trn danh sch ngi dng); +m (ch c ngi dng trng thi s dng m
thanh +v mi c th gi tin n knh). Hu ht mi chuyn gia tn cng u dng
server IRC c nhn, m ho tt c lin lc trn knh dn. Chng cng c khuynh
hng s dng nhiu bin th c nhn ho ca phn mm IRC server, c cu hnh nghe
trn cc cng ngoi tiu chun v s dng phin bn c chnh sa ca giao thc, mt
IRC client thng thng khng th kt ni vo mng.IV.5 - Cch phng chng
Botnet:
- Botnets are a threat that is spreading day by day, but there are many ways to counter them and reduce the damage they cause. Below we introduce six fairly professional ways of fighting back against botnets.
5.a - Subscribe to a Web filtering service
- Web filtering services are one of the best ways to fight bots. These services scan websites for unusual behaviour or actions involving malicious code and block such sites from users.
- Websense, Cyveillance and FaceTime Communications are typical examples. All of them check the Internet in real time for websites suspected of dangerous actions, such as loading JavaScript and other tricks that fall outside ordinary browsing. Cyveillance and Support Intelligence also provide services that notify website organisations and ISPs when malware has been found, so that compromised hosts can be repaired in time.
5.b - Switch browsers
- Another way to block bot intrusions is not to rely on a single browser. Internet Explorer and Mozilla Firefox are the two most popular browsers, and for that reason they are also the browsers that malware concentrates on attacking. We can use Apple Safari, Google Chrome, Opera, Netscape, and so on. The same applies to operating systems. Statistically, Macs are a safe operating system with respect to botnets, because most botnets target Windows. Operating systems of the *nix family can also be used to keep out malicious software such as viruses, trojans, spyware and worms, since this malware only runs on the most popular operating system, Windows.
5.c - Disable scripts
- One more approach is to disable scripting (scripts in general) in the browser, although this can make things difficult for staff who use custom, web-based applications in their work.
5.d - Deploy intrusion detection and intrusion prevention systems
- Another method is to tune IDS and IPS so that they can look for botnet-like activity.
- For example, a computer that suddenly shows up on Internet Relay Chat is entirely suspect, as are connections to distant IP addresses or invalid DNS addresses. Although this is hard to detect, we have another means of detection when we notice a sudden surge of SSL traffic on a computer, especially on unusual ports. That may be the channel through which the botnet takes control being activated.
- We therefore need an IPS that checks for abnormal behaviour and raises alerts for HTTP-based and remote procedure call attacks, Telnet and Address Resolution Protocol spoofing, and other attacks. Note, however, that many IPS sensors use signature-based detection, which means attacks are only added to the database once they have been discovered. IPS must therefore be updated promptly to recognise these attacks, otherwise the detector loses its value.
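As an added example (not code from the original report), here is a small Python check in the spirit of the IDS/IPS tuning described in 5.d and the IRC channel set-up described in IV.4: it scans constructed flow records for IRC commands on non-standard ports, MODE lines that apply the hidden-channel modes (+k, +s, +u, +m), and a sudden surge of TLS bytes on a port other than 443. All hosts, ports and payloads are made up.

```python
import re
from collections import defaultdict

# Constructed flow records (not real traffic): (minute, src, dst, dport, bytes, first payload bytes)
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443, 4000, b"\x16\x03\x01"),       # normal HTTPS
    (1, "10.0.0.5", "203.0.113.10", 443, 4200, b"\x16\x03\x01"),
    (2, "10.0.0.7", "198.51.100.9", 7000, 120, b"NICK [x]a9f3k\r\n"),  # IRC on an odd port
    (2, "10.0.0.7", "198.51.100.9", 7000, 90, b"JOIN #chan chankey\r\n"),
    (3, "10.0.0.7", "198.51.100.9", 7000, 60, b"MODE #chan +ksm\r\n"),
    (4, "10.0.0.9", "198.51.100.44", 8443, 500, b"\x16\x03\x01"),      # TLS baseline on 8443
    (5, "10.0.0.9", "198.51.100.44", 8443, 900000, b"\x16\x03\x01"),   # sudden surge
]

IRC_COMMAND = re.compile(r"^(NICK|USER|JOIN|MODE|PRIVMSG)\b")
# MODE line applying the channel modes the text lists as typical for botnet channels
HIDDEN_CHANNEL_MODES = re.compile(r"^MODE\s+#\S+\s+\+[ksum]+")
STANDARD_IRC_PORTS = {6667, 6697}
SURGE_FACTOR = 10  # flag a TLS flow more than 10x the largest one seen so far for that host/port


def is_tls_client_hello(payload: bytes) -> bool:
    # TLS record type 0x16 (handshake) followed by a 3.x protocol version
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def detect(flows):
    """Return a list of (kind, src, detail) alerts, in flow order."""
    alerts = []
    tls_history = defaultdict(list)  # (src, dport) -> byte counts of earlier TLS flows
    for _minute, src, dst, dport, nbytes, payload in flows:
        text = payload.decode("ascii", "replace").strip()
        if IRC_COMMAND.match(text):
            port_kind = "standard" if dport in STANDARD_IRC_PORTS else "non-standard"
            alerts.append(("irc", src, f"{text.split()[0]} to {dst}:{dport} ({port_kind} port)"))
            if HIDDEN_CHANNEL_MODES.match(text):
                alerts.append(("hidden_modes", src, text))
        elif is_tls_client_hello(payload) and dport != 443:
            seen = tls_history[(src, dport)]
            if seen and nbytes > SURGE_FACTOR * max(seen):
                alerts.append(("tls_surge", src, f"port {dport}: {nbytes} bytes vs {max(seen)} earlier"))
            seen.append(nbytes)
    return alerts


if __name__ == "__main__":
    for kind, src, detail in detect(FLOWS):
        print(f"[{kind}] {src}: {detail}")
```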
5.e - Protect user-generated content
- Your own website activities must also be protected so that they do not become unwitting accomplices of malware writers. Public blogs and company forums should be restricted to text only.
- If your site needs to let members exchange files, it must be set up to allow only a limited set of file types that are known to be safe, for example files with the .jpeg or .mp3 extension. (Malware writers have nevertheless begun targeting MP3 listeners as well.)
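One way to implement the restricted file types described above, as an added example rather than the report's own code: every suffix of the uploaded name must be on the allow-list (so a name like shell.php.jpg is refused as well) and the content must start with that type's magic bytes (JPEG SOI marker, MP3 ID3 tag or MPEG frame sync). The allow-list table and the sample inputs are constructed.

```python
import os


def looks_like_jpeg(data: bytes) -> bool:
    # JPEG files begin with the SOI marker FF D8 followed by another FF marker byte
    return data.startswith(b"\xff\xd8\xff")


def looks_like_mp3(data: bytes) -> bool:
    # MP3 files begin with an ID3v2 tag or directly with an MPEG audio frame sync (11 set bits)
    return data.startswith(b"ID3") or (
        len(data) >= 2 and data[0] == 0xFF and (data[1] & 0xE0) == 0xE0
    )


# Allow-list from the text: only the image and audio types, keyed by extension (constructed table)
ALLOWED = {".jpeg": looks_like_jpeg, ".jpg": looks_like_jpeg, ".mp3": looks_like_mp3}


def check_upload(filename: str, data: bytes) -> str:
    """Return 'accepted' or a 'rejected: ...' reason for an uploaded file."""
    name = os.path.basename(filename).lower()  # drop any directory components
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return "rejected: no usable extension"
    suffixes = ["." + p for p in parts[1:]]
    # Every suffix must be allow-listed, not just the last one, so that a
    # multi-extension name cannot be treated as a script by the web server later
    if any(s not in ALLOWED for s in suffixes):
        return "rejected: extension not allowed"
    if not ALLOWED[suffixes[-1]](data):
        return "rejected: content does not match extension"
    return "accepted"
```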
5.f - Use software tools
- If you find that a computer has been infected and the system has no good way of dealing with the situation, there is no need to worry, because companies such as Symantec confirm that they can detect and completely remove even the most dangerous rootkit infections. The company has introduced a new technology in Veritas, VxMS (Veritas Mapping Service), which lets the anti-virus scanner bypass the Windows File System API, a component controlled by the operating system that can be subverted by a rootkit. VxMS accesses the raw files of the Windows NT File System directly. Other anti-virus vendors also working against this kind of rootkit include McAfee and F-Secure.
V - Conclusion:
In general, denial of service attacks are not very hard to carry out but very hard to defend against, because of their suddenness and because defence is usually reactive, after the event. Responding by adding hardware is also a good solution, but constant monitoring to detect and block IP packets from untrusted sources in time is the most effective.
Depending on the specific model and scale of the system, different protective and preventive measures apply.
The techniques above are and remain a serious danger to the global Internet. There is a great deal of work and preparation needed to bring them under control. We must take more concrete and forceful steps together to contain this type of attack.
[Figure: DDoS countermeasures taxonomy - detect and neutralize handlers, detect and prevent agents, detect/prevent potential attack, mitigate/stop attack, deflect attack, post-attack forensics; techniques shown include egress filtering, MIB statistics, software patches, built-in defence, traffic pattern analysis, packet traceback, event logs, honeypots, shadow real network, throttling, drop request and load balancing]