Summary of web server attacks that bypass DDoS defenses through the router

Source: Internet
Author: User
Tags: strong password

Example: bypassing a web server's DDoS defenses through the router (1)

Recently I have been studying DDoS attacks. As everyone knows, a DDoS attack is a distributed denial-of-service attack: the attacker uses a large number of compromised hosts to send a flood of packets to the ports the target host has open, so that the target's links are congested and the system stops responding once its resources are exhausted. In my testing I found that when a server sits behind a firewall on the Internet-facing interface that filters ports, such an attack often fails to achieve the expected result. How can a test be carried out against such a site? I found that starting from the router instead of the server also reaches the goal. Below I analyse this attack path through a security test I carried out.

The target is a Japanese site at http://www.*.co.jp. Scanning showed that only port 80 was open and only web access was provided. A DDoS test against port 80 of the web server had little effect. The other side has probably deployed a hardware firewall on its Internet interface, and the web server is load-balanced across a cluster, so the attack has no visible impact. The test was at an impasse.

Pinging the site's hostname from the command line returns an echo reply from 210.224.*.69 with a TTL of 44, which suggests a Linux-like server. It then occurred to me that a server this well protected must belong to a large enterprise with many hosts on its network, and such a network would use professional equipment such as large routers and switches, quite possibly Cisco products (Cisco being as popular as it is). Large companies also usually own their own public IP ranges. (Figure 1)

Based on this reasoning, I decided to scan the range 210.224.*.1 to 210.224.*.254 with IP Network Browser to see whether any Cisco routers or switches were in use. IP Network Browser is a tool in the SolarWinds network management suite that scans an IP range for network devices.

I ran IP Network Browser against 210.224.*.1 to 210.224.*.254, and the result was as hoped: the device at 210.224.*.1 is a Cisco router. Its SNMP community string is private, which gives read-write, i.e. full, access.

This is where a well-known weakness of Cisco routers comes in. If the read-write (private) community string is known, a dedicated tool can download the router's configuration file. The configuration file reveals the console and vty login passwords, and with those the router can be taken over.

The SolarWinds toolkit includes Config Download, which downloads the router's configuration file once the IP address is entered. The download succeeded. Viewing the downloaded configuration with the Config Viewer tool shows that the privileged (enable) password is stored hashed: enable secret 5 $ugRE$xe/UCBrh2uCPYRYfr6nxn1, a type 5 secret, which is MD5 based. Further down, the console line and the vty lines also have a password, and it is stored in plain text: cisco. By analogy, perhaps the router's privileged password is also cisco!

Example: bypassing a web server's DDoS defenses through the router (2)

Open a command prompt, enter telnet 210.224.*.1 to connect to the router, and enter the vty password cisco to reach user mode. Type en, press Enter, then enter cisco: this successfully enters the privileged mode of the Cisco router! At this point the router is fully under control. To be safe, run show user on the router to check whether anyone else is logged in; nobody is, so further testing can proceed. The administrator's negligence and lack of security awareness deserve a mention here. Although the privileged password is hashed, it is the same as the console and vty passwords, so what does hashing it achieve? The password is also simple: cisco is easy to guess. Network security follows the barrel principle: the shortest stave decides how much water the barrel holds, and the attacker always comes in through the weakest link. (Figure 2)

Although the router is under control, it is not yet certain that it belongs to the company or how it relates to the web server. Entering show ip interface brief on the router shows that almost all of its serial interfaces are up, while among the Fast Ethernet interfaces only fastEthernet 0/1 is up, with IP address 210.224.*.1 and subnet mask 255.255.255.0. So it can be concluded that the router is the company's and that the company's web server hangs off fastEthernet 0/1 of the router. The company's network topology can also be estimated: a hardware firewall sits at the Internet edge, the Cisco router sits behind the firewall, and the web server connects to the router, which thus provides the web server's path to the Internet. (Figure 3)

Since this router is the company's only device connecting it to the Internet, controlling it puts not just the web server but the company's entire Internet connectivity under control. I therefore took the web server as the example for the security test. In privileged mode on the Cisco router, enter the following commands:

    cisco# configure terminal
    Enter configuration commands, one per line.  End with CNTL/Z.
    cisco(config)# access-list 101 deny ip host 210.224.*.69 any
    cisco(config)# access-list 101 permit ip any any
    cisco(config)# interface fastEthernet 0/1
    cisco(config-if)# ip access-group 101 in

The commands above define access list 101, which denies all IP traffic sourced from host 210.224.*.69 and permits everything else, and bind it inbound on fastEthernet 0/1, the interface the web server sits behind. Every packet the web server sends through the router is now dropped, so the server is isolated from the outside. (Figure 4)
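To make the effect of that access list concrete, the following added example (not part of the original article, and not Cisco code) models how IOS evaluates a numbered extended ACL: entries are checked in order, the first match wins, and anything unmatched hits the implicit deny at the end. It assumes the list is applied inbound on the server-facing interface, so the only packets it sees are those the server sends; the client's request arrives on the unfiltered Internet side. The addresses are constructed TEST-NET values standing in for the article's masked ones, and only ip entries with any or host endpoints are supported.

```python
# Added example, not from the original article: a minimal model of IOS
# numbered extended ACL evaluation (first match wins, implicit deny last),
# used to check what "access-list 101 deny ip host <server> any" does when
# applied inbound on the server-facing interface. Addresses are constructed
# TEST-NET values; only 'ip' ACEs with 'any' / 'host A.B.C.D' are modelled.
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _endpoint(tokens: List[str], pos: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Read 'any' or 'host A.B.C.D' at tokens[pos]; return (network, next pos)."""
    if pos >= len(tokens):
        raise ValueError("missing address")
    if tokens[pos] == "any":
        return ANY, pos + 1
    if tokens[pos] == "host" and pos + 1 < len(tokens):
        return ipaddress.IPv4Network(tokens[pos + 1] + "/32"), pos + 2
    raise ValueError(f"unsupported address form at {tokens[pos]!r}")


def parse_ace(line: str) -> AclEntry:
    """Parse 'access-list <n> permit|deny ip <src> <dst>'."""
    t = line.split()
    if (len(t) < 6 or t[0] != "access-list" or t[3] != "ip"
            or t[2] not in ("permit", "deny")):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, pos = _endpoint(t, 4)
    dst, _ = _endpoint(t, pos)
    return AclEntry(t[2], src, dst)


def evaluate(acl: List[AclEntry], src_ip: str, dst_ip: str) -> str:
    """Return 'permit' or 'deny' for one packet, exactly as IOS orders it."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"   # implicit deny: a list with no permit line blocks everything


WEB_SERVER = "198.51.100.69"   # constructed stand-in for 210.224.*.69
ACL_101 = [parse_ace(line) for line in (
    "access-list 101 deny ip host 198.51.100.69 any",
    "access-list 101 permit ip any any",
)]


def web_reachable(acl: List[AclEntry], client_ip: str, server_ip: str) -> bool:
    """The list sits inbound on fastEthernet 0/1, the server side, so it only
    sees packets the server sends. The client's request enters on the
    unfiltered Internet side and passes; it is the reply that gets dropped."""
    return evaluate(acl, server_ip, client_ip) == "permit"


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed client address
    print("web server reachable:", web_reachable(ACL_101, client, WEB_SERVER))
    print("neighbour .70 reachable:", web_reachable(ACL_101, client, "198.51.100.70"))
```

The last function is the point: the denied entry is keyed on the server as source, so the request itself is never filtered, yet the client still sees nothing because every reply dies at the router. Dropping the permit line (as the article's transcript originally did) turns the list into a blanket deny for every host behind the interface, which is the usual way an ACL mistake takes down more than intended.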

Example: bypassing a web server's DDoS defenses through the router (3)

After the commands are entered, opening http://www.*.co.jp in a browser fails, as expected: the page cannot be opened. Access to the Japanese site has thus been cut off by way of the router, bypassing the DDoS defenses in front of the server. (Figure 5)

    cisco(config)# interface fastEthernet 0/1
    cisco(config-if)# no ip access-group 101 in
    cisco(config-if)# exit
    cisco(config)# no access-list 101

These commands unbind and delete the filter on 210.224.*.69 from the router. Browsing the site again, it loads normally, and the security test is complete. (Figure 6)

Summary: bypassing DDoS defenses on web servers through the router

In this security test the author only offers an idea, analysing and demonstrating technically how DDoS defenses can be bypassed by going through the router to attack the web server. Summing up, the following points deserve attention:

1. Pay attention to router security, in particular password and privilege settings. The router is the heart of the network; an attacker who controls the router does far more damage than one who controls a single server, and if the enterprise's core router falls, the whole network falls. Set a strong password for privileged mode, configure it with enable secret rather than enable password, and enable service password-encryption so that line passwords are not stored in plain text.

2. Plan the network topology sensibly. The structure in this example is questionable: without a specific need, a router's public IP address should not be exposed to the public network. Control access to the vty lines: disable remote access if it is not required, and if it is, enforce a strong password. Because vty traffic is not encrypted in transit, it must be tightly controlled: set a strong password, limit the number of concurrent connections, restrict the source addresses with an access list, and apply inbound filtering. In this example we logged in to the router remotely through exactly such a vty.
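The weaknesses described above (a read-write SNMP community, line passwords in plain text, telnet on the vty lines with no source restriction) are all visible in the router's own configuration, so they can be caught before anyone else finds them. The following added example, not from the original article and not a Cisco tool, is a small audit script that reads an IOS running-config and reports those weaknesses. The two configurations it checks are constructed samples: one modelled on what the article describes, one hardened along the lines of the two points above; the hashes and the ACL in them are placeholders. One caveat the script encodes that the article does not mention: service password-encryption only applies type 7 obfuscation, which is reversible, so a type 7 line password is still reported, just at lower severity than a clear-text one. The real fix is enable secret, username ... secret, and keeping passwords off the vty lines by restricting them with an access-class and SSH.

```python
# Added example, not from the original article or from Cisco: audit a Cisco
# IOS configuration for the weaknesses the article relies on. Both configs
# below are constructed samples; hashes and ACL numbers are placeholders.
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the article's router (enable secret hash is a placeholder).
SAMPLE_CONFIG = """\
version 12.2
hostname cisco
!
enable secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
!
snmp-server community public RO
snmp-server community private RW
!
line con 0
 password cisco
 login
line vty 0 4
 password cisco
 login
!
end
"""

# Constructed hardened counterpart: hashed secrets, local login, no SNMP,
# vty reachable only from a management range (placeholder ACL 10) over SSH.
HARDENED_CONFIG = """\
version 12.2
service password-encryption
hostname cisco
!
enable secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
username admin secret 5 $1$salt$CONSTRUCTEDPLACEHOLDERHASH
access-list 10 permit 192.0.2.0 0.0.0.255
no snmp-server
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
!
end
"""


def parse_sections(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return the top-level lines and, for each one, its indented children
    (IOS nests line/interface settings by one leading space)."""
    top: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            top.append(current)
            sections[current] = []
    return top, sections


def audit(config: str) -> List[str]:
    """Return findings as 'SEVERITY: description' strings; empty list means clean."""
    top, sections = parse_sections(config)
    findings: List[str] = []
    if "service password-encryption" not in top:
        findings.append("MEDIUM: service password-encryption is off; line passwords are stored in clear text")
    for line in top:
        if line.startswith("enable password "):
            findings.append("HIGH: 'enable password' in use; use 'enable secret' instead")
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", line, re.IGNORECASE)
        if m:
            name, mode = m.group(1), (m.group(2) or "RO").upper()
            if mode == "RW":
                findings.append(f"CRITICAL: SNMP read-write community '{name}' lets the running config be pulled and changed")
            if name.lower() in ("public", "private"):
                findings.append(f"HIGH: default SNMP community string '{name}'")
    for header, body in sections.items():
        if not header.startswith("line "):
            continue
        kind = header[5:]
        for item in body:
            pm = re.match(r"password(?: (\d))? (\S+)$", item)
            if pm and pm.group(1) in (None, "0"):
                findings.append(f"HIGH: line {kind}: clear-text password")
            elif pm and pm.group(1) == "7":
                findings.append(f"MEDIUM: line {kind}: type 7 password (reversible obfuscation, not a hash)")
        if kind.startswith("vty"):
            if not any(i.startswith("access-class ") for i in body):
                findings.append(f"HIGH: line {kind}: no access-class; remote login accepted from any address")
            if not any(i.startswith("transport input ssh") for i in body):
                findings.append(f"MEDIUM: line {kind}: telnet allowed; credentials cross the network in clear text")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Run against a real device, feed it the output of show running-config; the parser only relies on IOS's one-space nesting of line sections, so interface blocks are simply ignored. The checks are deliberately narrow so that every finding maps to one concrete configuration change.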
