Copyleft of this document belongs to skipjack; it may be freely copied and reproduced when published under the GPL. Use for any commercial purpose is strictly prohibited.
Email: skipjack@163.com
Source: http://skipjack.cublog.cn
This idea comes from:
Http://www.bkjia.com/hack/wxia/200505/4911.html
I only organize and improve on the attack idea; I have no intention of developing a new attack tool. Any attack software that appears using this principle has nothing to do with me, skipjack.
The first paragraph of that article (haha... this paragraph is enough):
Inserting a forged TCP packet after the TCP three-way handshake
1. The socket API connect() is used to complete the three-way handshake that establishes the TCP connection. At the same time, a child process captures packets; after the three handshake packets have been captured, a fourth packet is inserted. Judging from the fifth packet returned by the peer, the insertion succeeds, but the subsequent connection becomes chaotic because a TCP packet was inserted. The Data of the inserted packet can be set to an HTTP Request and submitted to the WEB server. If the TCP sequence number of the target system can be pre-calculated, whether a blind TCP three-way handshake with a spoofed source address can be inserted is worth testing!
In fact, the experiment I did does not prove anything. I merely verified the TCP sequence number and the test and calculation functions.
I think the author was inspired by the CC attack principle but could not figure out how to achieve the CC attack effect without proxies. To be honest, though, the sequence-number prediction step is not feasible. The initial sequence number used by a normal TCP stack is a random value, and in a space of 4.3 billion values, predicting it even at Mbps speeds is a drop in the bucket. But......
To defend against DDoS attacks, many vendors have implemented stateless SYN cookie algorithms on their security devices. Under a large SYN attack, this algorithm judges the validity of a connection request purely from the cookie sequence number carried back in the client's ACK packet, so the handshake part of their TCP implementation is not a healthy one. With some modification, this idea works well against such devices. The following describes how an attacker can trade 64-byte ACK packets for the server's retransmission of 1518-byte data packets. If source IP address spoofing succeeds, the attacker theoretically obtains a bandwidth amplification of more than 20 times. If there are two target websites, this method handles both in one go.
Attack principle: TCP's fast retransmission mechanism, triggered by received ACKs
Number 1: attacks against a normal TCP/IP protocol stack
When we receive an HTTP response, we immediately reply with an ACK packet whose seq value is the ack value of the HTTP response packet and whose ack value is the seq value of the HTTP response packet. When the server receives this ACK packet, it concludes that the HTTP response packet it just sent was lost in the network and retransmits it using the fast retransmission mechanism. If we send a large number of such ACK packets, the server retransmits continuously. An ACK packet is only 64 bytes, but an HTTP response is usually around 512 bytes and up to 1518 bytes.
Because the sequence numbers of a normal TCP stack are unpredictable, this attack exposes our real IP address.
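As an added example (mine, not code from the original post) of how a defender can spot this traffic pattern: a detector that reads TCP packet records and flags a flow whose client sends an abnormal number of duplicate ACKs inside a short window, plus the observed amplification ratio (bytes the server retransmitted versus bytes of duplicate ACKs). The packet records, addresses and ports are constructed by hand; in practice they would come from a capture or a flow exporter. Note that under RFC 5681 a sender needs three duplicate ACKs before it fast-retransmits, and a handful of duplicates is a legitimate loss signal, so the threshold is set well above that.

```python
"""Duplicate-ACK storm detector (added example; the packet records below are
constructed by hand, not taken from a real capture)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    payload: int   # TCP payload bytes
    flags: str     # e.g. "S", "SA", "A", "PA"
    wire: int      # frame bytes on the wire (header overhead included)


def flow(p):
    return (p.src, p.sport, p.dst, p.dport)


def reverse(k):
    return (k[2], k[3], k[0], k[1])


def dup_ack_storms(packets, window=1.0, threshold=10):
    """Flows in which the sender emitted more than `threshold` duplicate ACKs
    (pure ACK, no payload, same ack number as the previous segment) within any
    `window` seconds. Returns {flow: peak duplicate count}. Three duplicates
    are a normal loss signal (RFC 5681); hundreds per second are not."""
    recent = defaultdict(deque)   # flow -> timestamps of the current dup-ACK run
    last_ack = {}
    peaks = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow(p)
        if p.payload or p.flags != "A":
            last_ack[k] = p.ack       # data, SYN, FIN or RST ends the run
            recent[k].clear()
            continue
        if last_ack.get(k) == p.ack:
            q = recent[k]
            q.append(p.ts)
            while q and p.ts - q[0] > window:
                q.popleft()
            if len(q) > threshold:
                peaks[k] = max(peaks.get(k, 0), len(q))
        else:
            last_ack[k] = p.ack
            recent[k].clear()
    return peaks


def amplification(packets, client_flow):
    """Bytes retransmitted by the server (data segments that do not advance
    its highest sequence number) divided by bytes of duplicate ACKs sent on
    `client_flow`: the ratio the post calls bandwidth amplification."""
    server_flow = reverse(client_flow)
    ack_bytes = retrans_bytes = 0
    highest = None
    last_ack = None
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow(p)
        if k == client_flow and not p.payload and p.flags == "A":
            if last_ack == p.ack:
                ack_bytes += p.wire
            last_ack = p.ack
        elif k == server_flow and p.payload:
            end = p.seq + p.payload
            if highest is not None and end <= highest:
                retrans_bytes += p.wire
            highest = end if highest is None else max(highest, end)
    return retrans_bytes / ack_bytes if ack_bytes else 0.0


CLIENT = ("10.0.0.5", 40000, "10.0.0.80", 80)   # constructed addresses
SERVER = reverse(CLIENT)
CLIENT2 = ("10.0.0.6", 40001, "10.0.0.80", 80)


def sample_packets():
    """Constructed records: CLIENT completes a handshake, sends a request, then
    repeats the same ACK 30 times in 0.3 s while the server retransmits its
    1460-byte response; CLIENT2 shows a genuine loss (3 duplicate ACKs)."""
    pk = [
        Pkt(0.000, *CLIENT, seq=1000, ack=0, payload=0, flags="S", wire=74),
        Pkt(0.010, *SERVER, seq=5000, ack=1001, payload=0, flags="SA", wire=74),
        Pkt(0.020, *CLIENT, seq=1001, ack=5001, payload=0, flags="A", wire=66),
        Pkt(0.021, *CLIENT, seq=1001, ack=5001, payload=120, flags="PA", wire=186),
        Pkt(0.030, *SERVER, seq=5001, ack=1121, payload=1460, flags="PA", wire=1514),
    ]
    pk += [Pkt(0.040 + i * 0.01, *CLIENT, seq=1121, ack=6461, payload=0,
               flags="A", wire=66) for i in range(31)]
    pk += [Pkt(0.075 + i * 0.03, *SERVER, seq=5001, ack=1121, payload=1460,
               flags="PA", wire=1514) for i in range(10)]
    pk += [Pkt(1.0 + i * 0.01, *CLIENT2, seq=2001, ack=9001, payload=0,
               flags="A", wire=66) for i in range(4)]
    return pk


if __name__ == "__main__":
    pkts = sample_packets()
    print("storms:", dup_ack_storms(pkts))                      # {CLIENT: 30}
    print("amplification: %.2f" % amplification(pkts, CLIENT))  # 7.65
```

The detector keys on the one thing the application layer never sees: a run of pure ACKs that repeat the same ack number while no new data arrives. CLIENT2's three duplicates stay under the threshold, as a real loss would, and the amplification figure gives the operator a concrete number for what the device in front of the server is paying in retransmissions.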
Number 2: a static SYN cookie computes the seq value of the SYN-ACK reply from the parameters of the client's SYN packet, and then judges the legitimacy of the connection from the ACK packet that comes back. DDoS vendors have adopted this method in large numbers and obtained a considerable number of national invention patents..... You will often hear people from DDoS vendors say that their devices beat firewalls: a firewall can only hold up against SYN attacks of about 30 Mbit/s, while theirs easily defend at Mbit/s rates well beyond that. I can bet that 80% of their devices use the SYN cookie algorithm.
The advantage of the SYN cookie algorithm is that it consumes only CPU resources during a SYN flood, which suits the powerful general-purpose x86 CPU.
Readers may wonder why firewalls do not use such a mature technology, leaving DDoS vendors busy all day long. There are several reasons:
1: Firewalls also use SYN cookies for SYN flood defense, but most of them are not static SYN cookies; they are dynamic SYN cookies that strictly record connection state. So under a SYN flood they consume not only CPU but also a large amount of memory. This is why the method described at the beginning of this article can attack most DDoS vendors but only a small number of firewall vendors.
2: SYN cookie/SYN proxy is part of the BSD kernel source code, while the latest Linux 2.6 kernel still does not include a SYN proxy. That is why most DDoS devices are built on BSD. Of course, BSD is open source, so porting is not a big problem.
3: Most firewalls are based on the Linux open-source netfilter. But netfilter's hash algorithm and connection-table design are not very good; they are the bottleneck of firewall forwarding performance. Adding a SYN proxy table entry either reduces packet-processing capacity further or enlarges the connection table. Most high-end firewalls support millions of connections, and millions of table entries are already enough to make a firewall suffer; add a SYN proxy table entry on top of that and how could performance not drop?
4: A very important network function of a firewall is DNAT. Before DNAT, the firewall does not know whether the final destination of a SYN packet is itself or a server in the DMZ, so the SYN packet must pass through DNAT before the firewall can decide whether to enable SYN cookie protection. By then it has already entered the netfilter processing framework, and performance certainly cannot keep up. How many DDoS devices have you seen that support NAT? Where it is supported, performance drops a lot. If a firewall worked in bridge mode and bypassed the netfilter processing framework, it could become a high-performance anti-DDoS device, but then its firewall functions would be gone. Of course it would be easy to use, haha... but if you bought such a firewall, would it really be that easy to use?
To put it bluntly, on a DDoS device that uses static SYN cookies, replaying a single ACK packet is enough to complete the three-way handshake with the server, so the source IP address can be disguised. (The disguised source IP address is one you used before to communicate with the DDoS device; you saved that exchange and now replay it. If you do not understand what I am talking about, refer to my article "Technical comments on domestic DDoS manufacturers" and capture the packets to analyze them.) The second step is to send a normal HTTP request, followed by a large number of forged ACK packets.
God knows who is being made a joint victim as the disguised source IP address.
You may think that the victim host B (the disguised source) will reply with an RST packet to the server. That is possible, but if a "stateful inspection" firewall is installed in front of B, the reflected HTTP response packet will simply be discarded.
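To make the replay point concrete, here is an added example (mine, not the post's or any vendor's code) of the two cookie designs side by side: a static cookie derived only from the connection 4-tuple, which accepts a replayed ACK forever, and a cookie in the classic Bernstein style that folds a coarse time counter into its top bits and is accepted only for a couple of counter periods, so a saved ACK stops working after a few minutes. The secret key, the addresses and the omission of the MSS field are simplifications of my own.

```python
"""Static vs time-bounded SYN cookies (added example, not from the post).
Simplified after the classic design: 5 high bits carry a 64-second counter,
24 low bits carry an HMAC over the 4-tuple and that counter; the MSS field
of the real scheme is omitted here."""
import hashlib
import hmac

SECRET = b"constructed-secret-change-me"   # a device would use a random per-boot secret
PERIOD = 64                                # seconds per counter tick
MASK32 = 0xFFFFFFFF


def _mac24(client, server, counter):
    """24-bit keyed hash over (client ip:port, server ip:port, counter)."""
    msg = f"{client[0]}:{client[1]}|{server[0]}:{server[1]}|{counter}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def static_cookie(client, server):
    """ISN derived from the 4-tuple only: the same value every time."""
    return _mac24(client, server, 0)


def verify_static(client, server, ack):
    """Accepts an ACK whose ack number is cookie+1, with no notion of age, so a
    captured ACK replays successfully at any later time."""
    return ((ack - 1) & MASK32) == static_cookie(client, server)


def timed_cookie(client, server, now):
    """ISN that encodes the current 64-second counter in its top 5 bits."""
    t = int(now) // PERIOD
    return (((t & 0x1F) << 24) | _mac24(client, server, t)) & MASK32


def verify_timed(client, server, ack, now, max_age=2):
    """Accept only if the cookie was minted within the last `max_age` counter
    periods: the low 5 bits of the counter are recovered from the cookie,
    matched against recent counters, and then the MAC is checked."""
    seq = (ack - 1) & MASK32
    t_low = (seq >> 24) & 0x1F
    t_now = int(now) // PERIOD
    for age in range(max_age + 1):
        t = t_now - age
        if (t & 0x1F) == t_low and (seq & 0xFFFFFF) == _mac24(client, server, t):
            return True
    return False


CLIENT = ("203.0.113.7", 51000)    # constructed addresses (documentation ranges)
SERVER = ("198.51.100.10", 80)


def replay_outcomes(capture_time=100000.0, replay_delay=300.0):
    """Simulate saving the client's handshake ACK and replaying it later.
    Returns (static_accepts_replay, timed_accepts_fresh, timed_accepts_replay)."""
    static_ack = static_cookie(CLIENT, SERVER) + 1
    timed_ack = timed_cookie(CLIENT, SERVER, capture_time) + 1
    return (
        verify_static(CLIENT, SERVER, static_ack),
        verify_timed(CLIENT, SERVER, timed_ack, capture_time),
        verify_timed(CLIENT, SERVER, timed_ack, capture_time + replay_delay),
    )


if __name__ == "__main__":
    print(replay_outcomes())   # (True, True, False)
```

The static verifier has nothing to compare against time, so any ACK that was once valid stays valid; the timed verifier bounds the replay window to max_age periods and also rejects cookies minted under a counter whose low bits do not match a recent tick. A real implementation additionally rotates the secret, which closes the window further.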
This article is included in my blog. You are welcome to discuss it.
Skipjack
What is valuable about this idea:
1. It uses a valid connection to launch a downstream bandwidth attack on the server, which current "stateful inspection" devices may not be able to detect.
2. The application-layer program on the target server cannot see this attack, so it escapes defenses based on application-layer traffic statistics: retransmission is a TCP feature handled automatically by the TCP stack, and the retransmitted packets are transparent to the application layer.
3. For now it is just a way of thinking, not limited to TCP. Protocols that add a retransmission mechanism on top of UDP to ensure communication reliability are also candidates; moreover, such protocols are developed independently by individuals or companies, and their vulnerabilities may be larger than TCP's.
4. The bandwidth amplification of DRDoS is only about six times, and it consumes uplink bandwidth.
5. The real threat is not today but the effect of this attack on "long fat pipes": the wider the downlink bandwidth, the more effective the attack. TCP disables fragmentation, so the retransmitted data packets are large.