5549421_DDoSatk Tool Analysis

1. Introduction to DoS and DDoS

A DoS (Denial of Service) attack is normally 1:1: one host sends a large volume of network packets at the target host. Because the target becomes temporarily unable to serve anyone, the technique came to be called a "denial of service" attack. A somewhat more advanced method is DDoS, in which the attack is launched from a distributed environment. That attack is N:1, and the more agents the distributed environment contains, the more severe the damage to the target host.

2. Tool Analysis

Model 5549421 is the central control program of a distributed environment built to deliver Distributed Denial of Service attacks. To use the handler, the Oyabung program, the attacker first has to log in to the master server (here by telnet) and run it there. When the program starts it checks whether every agent connected to the master is reachable. All communication between handler and agents is carried over UDP with an encrypted payload.

[Figure 1: Attack structure]

* Characteristic Analysis

1. Process disguise (application level)

The attacker can give the running daemon process any name. Examined with ps, the daemon has disguised itself as a process called -bash. Several -bash entries are present in the listing below and nothing in ps tells them apart.

On Linux:

    bash# ps -aux
    USER       PID %CPU %MEM  VSZ  RSS TTY   STAT START   TIME COMMAND
    root         1  0.0  0.1 1104  460 ?     S    Feb05   0:04 init [3]
    root         2  0.0  0.0    0    0 ?     SW   Feb05   0:00 [kflushd]
    root         3  0.0  0.0    0    0 ?     SW   Feb05   0:01 [kupdate]
    root         4  0.0  0.0    0    0 ?     SW   Feb05   0:00 [kpiod]
    root         5  0.0  0.0    0    0 ?     SW   Feb05   0:00 [kswapd]
    root         6  0.0  0.0    0    0 ?     SW<  Feb05   0:00 [mdrecoveryd]
    root       320  0.0  0.1 1404  748 ?     S    Feb05   0:00 syslogd -m 0
    root       331  0.0  0.1 1416  756 ?     S    Feb05   0:00 klogd
    root       347  0.0  0.1 1120  480 ?     S    Feb05   0:00 inetd
    root       381  0.0  0.4 3916 1788 ?     S    Feb05   0:00 /usr/local/apache
    root       384  0.0  0.2 2232 1040 tty1  S    Feb05   0:00 login -- root
    root       385  0.0  0.0 1072  376 tty2  S    Feb05   0:00 /sbin/mingetty tt
    root       386  0.0  0.0 1072  376 tty3  S    Feb05   0:00 /sbin/mingetty tt
    root       387  0.0  0.0 1072  376 tty4  S    Feb05   0:00 /sbin/mingetty tt
    root       388  0.0  0.0 1072  376 tty5  S    Feb05   0:00 /sbin/mingetty tt
    root       389  0.0  0.0 1072  376 tty6  S    Feb05   0:00 /sbin/mingetty tt
    nobody    1376  0.0  0.6 4160 2344 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1377  0.0  0.6 4164 2340 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1378  0.0  0.5 4164 2320 ?     S    Feb05   0:03 /usr/local/apache
    nobody    1379  0.0  0.5 4152 2320 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1380  0.0  0.5 4152 2304 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1389  0.0  0.5 4152 2300 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1390  0.0  0.6 4152 2344 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1391  0.0  0.6 4152 2328 ?     S    Feb05   0:02 /usr/local/apache
    nobody    1392  0.0  0.5 4152 2300 ?     S    Feb05   0:02 /usr/local/apache
    nobody    2975  0.0  0.6 4152 2340 ?     S    Feb05   0:02 /usr/local/apache
    root     26893  0.0  0.2 1728  956 tty1  S    Feb08   0:00 -bash
    root     17196  0.0  0.2 1472  788 ?     S    12:11   0:00 intnd: 61.18.233.
    root     17197  0.0  0.2 2244 1136 pts/0 S    12:11   0:00 login -- xxx
    xxx      17198  0.0  0.2 1732  960 pts/0 S    12:11   0:00 -bash
    root     17221  0.0  0.2 3044  932 pts/0 S    12:11   0:00 su -
    root     17222  0.0  0.2 1736  976 pts/0 S    12:11   0:00 -bash
    root     17258  0.0  0.1 1604  748 pts/0 S    12:12   0:00 -bash
    root     17356  0.0  0.2 2680  968 pts/0 R    15:12   0:00 ps -aux
    bash#

pstree, however, shows the real process name. The reason is that the disguise only overwrites argv[0], which is what ps prints from /proc/<pid>/cmdline; pstree prints the kernel's own task name from /proc/<pid>/stat, which an argv[0] overwrite does not change. (From version 0.05 the program is hidden by a kernel module instead, so whether the process is running can no longer be determined this way at all.)

    bash# pstree
    init-+-httpd---10*[httpd]
         |-inetd---intnd---login---bash---su---bash---pstree
         |-kflushd
         |-klogd
         |-kpiod
         |-kswapd
         |-kupdate
         |-login---bash
         |-mdrecoveryd
         |-5*[mingetty]
         |-sidabari        <----- the tool's daemon (sidabari, the agent program)
         `-syslogd
    bash#

On OpenBSD:

    # ps -aux
    USER   PID %CPU %MEM VSZ  RSS TT  STAT STARTED    TIME COMMAND
    root 23938  0.0  0.2 276  208 p0  R+   11:45PM 0:00.00 ps -aux
    root 24797  0.0  0.4 100  452 ??  Ss   22Jan03 0:01.37 syslogd
    root 21135  0.0  0.3  64  400 ??  Is   22Jan03 0:00.03 inetd
    root  7683  0.0  0.3  44  428 C0  Is+  22Jan03 0:00.01 /usr/libexec/
    root 12528  0.0  0.3  44  424 C1  Is+  22Jan03 0:00.00 /usr/libexec/
    root 13384  0.0  0.3  44  424 C2  Is+  22Jan03 0:00.00 /usr/libexec/
    root 27709  0.0  0.3  44  424 C3  Is+  22Jan03 0:00.00 /usr/libexec/
    root 21771  0.0  0.3  44  424 C5  Is+  22Jan03 0:00.00 /usr/libexec/
    root  4050  0.0  0.8 156 1004 ??  Ss    8:46PM 0:00.05 telnetd -k -y
    xxx   5578  0.0  0.2 376  280 p0  Is    8:46PM 0:00.01 -sh (sh)
    root 28977  0.0  0.2 376  284 p0  I     8:46PM 0:00.01 -sh (sh)
    root 19936  0.0  0.2 440  300 p0  S     8:46PM 0:00.02 sh
    root 16487  0.0  0.6 564  748 p0  I     8:47PM 0:00.04 -bash (sidab
    root     1  0.0  0.2 332  200 ??  Is   22Jan03 0:00.02 /sbin/init
    #

On Op​enBSD the disguise is exposed by ps itself: when argv[0] differs from the kernel's command name, BSD ps appends the real name in parentheses, so the line reads -bash (sidab... and the sidabari program is identified immediately.

2. Encrypted UDP used for communication

Commands are carried over UDP; by default the tool uses ports 65500 and 65501. The open UDP port can be seen as follows:

    bash# netstat -a
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address    State
    tcp        0    138 testsub2.underat:telnet 61.37.177.18:1954  ESTABLISHED
    tcp        0      0 *:www                   *:*                LISTEN
    tcp        0      0 *:telnet                *:*                LISTEN
    tcp        0      0 *:ftp                   *:*                LISTEN
    udp        0      0 *:65500                 *:*
    raw        0      0 *:icmp                  *:*                7
    raw        0      0 *:tcp                   *:*                7
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags Type   State     I-Node Path
    unix  0      [ ]   STREAM CONNECTED 156    @0000001c
    unix  4      [ ]   DGRAM            323    /dev/log
    unix  0      [ ]   STREAM CONNECTED 321    @00000021
    unix  0      [ ]   DGRAM            81087
    unix  0      [ ]   DGRAM            81082
    unix  0      [ ]   DGRAM            40024
    unix  0      [ ]   DGRAM            338
    bash#

Note also the two raw sockets (*:icmp and *:tcp): they are consistent with an agent that builds its own packets, and raw sockets are why the spoofing attack modes described below require root.

The password used in communication is hashed with the ordinary crypt(3) function, i.e. traditional DES-based crypt with a two-character salt (which uses only the first eight characters of the password and a 12-bit salt). When a password packet is sent, the DES-crypt string is encrypted a second time with Blowfish. Unlike the one-way crypt() hash, Blowfish is a symmetric cipher, so the payload can be both encrypted and decrypted by whoever holds the key; the same encryption covers, for example, the shell commander and target-host information. One caveat: what is stored and sent is the crypt() string itself. As section 3 below shows, the agent's pass file and the handler's list file contain the same string (82.IwbCh3KKOw), so anyone who can read either file holds the credential for the agent, with no cracking required.
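The disagreement between ps and pstree in item 1 above is a checkable indicator. The following Python script, added here as an example and not part of the original analysis or of the tool, applies it to every process on a Linux host: it reads argv[0] from /proc/<pid>/cmdline (what ps prints), the kernel's task name from /proc/<pid>/comm (the same name pstree shows) and the /proc/<pid>/exe link, and flags any process whose claimed name matches neither. The normalisation rules (login-shell "-" prefix, "sshd: user@pts" style status tags, interpreter version suffixes) are this example's own, and the sample values in the self-check are constructed. It only catches the application-level disguise; once the tool's 0.05+ kernel module filters /proc, these files lie too.

```python
"""Flag processes whose ps(1) name disagrees with the kernel's view of them.

Added example for the argv[0] disguise described above; not part of the
original analysis or of the tool.  Overwriting argv[0] with "-bash" changes
only /proc/<pid>/cmdline (what ps prints); /proc/<pid>/comm (what pstree
prints) and the /proc/<pid>/exe link still name the real binary.  A kernel
module that filters /proc (the tool's 0.05+ feature) defeats this check.
"""
import os

TASK_COMM_LEN = 15  # the kernel keeps at most 15 characters of a task name


def _claimed_name(argv0):
    """Reduce argv[0] to a bare program name.

    "-bash" (login-shell convention) -> "bash"; "sshd: root@pts/0" -> "sshd";
    "/usr/local/apache/bin/httpd" -> "httpd"; "" (kernel thread) -> "".
    """
    words = argv0.split()
    first = words[0] if words else ""
    return os.path.basename(first.lstrip("-").rstrip(":"))


def _same_program(claimed, real):
    """Compare within the kernel's truncation; accept "python3" for "python3.11"."""
    c, r = claimed[:TASK_COMM_LEN], real[:TASK_COMM_LEN]
    return c == r or r.startswith(c + ".")


def is_masquerading(argv0, comm, exe):
    """True when argv[0] names neither the task name nor the executable.

    argv0: first word of /proc/<pid>/cmdline, as ps prints it
    comm:  contents of /proc/<pid>/comm (a trailing newline is tolerated)
    exe:   readlink("/proc/<pid>/exe"), or None when unreadable (kernel
           thread, or another user's process when not running as root)
    """
    claimed = _claimed_name(argv0)
    if not claimed:
        return False  # empty cmdline: nothing is claimed, nothing to compare
    real = {comm.strip()}
    if exe:
        real.add(os.path.basename(exe.replace(" (deleted)", "")))
    return not any(_same_program(claimed, r) for r in real)


def scan_proc(proc="/proc"):
    """Return [(pid, argv0, comm, exe)] for every masquerading process."""
    hits = []
    if not os.path.isdir(proc):
        return hits  # not Linux, or /proc not mounted
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, pid)
        try:
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            with open(os.path.join(base, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # exited in the meantime, or not visible to this user
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = None  # kernel thread, or needs root to read
        if is_masquerading(argv0, comm, exe):
            hits.append((int(pid), argv0, comm, exe))
    return hits


if __name__ == "__main__":
    for pid, argv0, comm, exe in scan_proc():
        print(f"pid {pid}: ps says {argv0!r}, kernel says comm={comm!r} exe={exe!r}")
```

Run it as root so /proc/<pid>/exe is readable for every process; otherwise the comparison falls back to comm alone. Treat hits as leads rather than verdicts: software that legitimately rewrites argv[0] to show status will appear too.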
Examining the traffic with a passniff build modified to watch UDP showed the packets being exchanged in encrypted form, as below.

[Figure 2: Sniffing data dump]

3. Remote shell commander for the attacker

Besides the agent commands, the tool gives the attacker a shell commander, so arbitrary commands can be executed on the agent host from a remote location. It can be used to download a new version of the model, or to start another bindshell for other work. Below, a command was issued from the handler program and the job can be seen to have been carried out.
[Figures 3 and 4: Remote shell commander]

4. Several attack forms

* Plain UDP flooding DoS (works without root)

Based on UDP, packets of a fixed size are sent to the target host at a steady rate. The drawback of the plain attack is that the source IP cannot be spoofed.

A plain UDP flood as captured on the target:

    bash# tcpdump
    ...
    00:39:38.793629 eth0 < 61.11.17.22.1442 > 61.31.77.3.36325: udp 1500 (frag 23615:1480@0+)
    00:39:38.793631 eth0 < 61.11.17.22 > 61.31.77.3: (frag 23616:28@1480)
    00:39:38.793758 eth0 < 61.11.17.22.1442 > 61.31.77.3.39306: udp 1500 (frag 23616:1480@0+)
    00:39:38.793760 eth0 < 61.11.17.22 > 61.31.77.3: (frag 23617:28@1480)
    00:39:38.793890 eth0 < 61.11.17.22 > 61.31.77.3: (frag 23618:28@1480)
    00:39:38.794020 eth0 < 61.11.17.22 > 61.31.77.3: (frag 23619:28@1480)
    00:39:38.976058 eth0 < 61.11.17.22.1442 > 61.31.77.3.64902: udp 1500 (frag 25020:1480@0+)
    00:39:38.976188 eth0 < 61.11.17.22.1442 > 61.31.77.3.6027: udp 1500 (frag 25021:1480@0+)
    00:39:38.976190 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25022:28@1480)
    00:39:38.976317 eth0 < 61.11.17.22.1442 > 61.31.77.3.19458: udp 1500 (frag 25022:1480@0+)
    00:39:38.976319 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25023:28@1480)
    00:39:38.976447 eth0 < 61.11.17.22.1442 > 61.31.77.3.25761: udp 1500 (frag 25023:1480@0+)
    00:39:38.976449 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25024:28@1480)
    00:39:38.976578 eth0 < 61.11.17.22.1442 > 61.31.77.3.58502: udp 1500 (frag 25024:1480@0+)
    00:39:38.976580 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25025:28@1480)
    00:39:38.976708 eth0 < 61.11.17.22.1442 > 61.31.77.3.32677: udp 1500 (frag 25025:1480@0+)
    00:39:38.976710 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25026:28@1480)
    00:39:38.976844 eth0 < 61.11.17.22.1442 > 61.31.77.3.25090: udp 1500 (frag 25026:1480@0+)
    00:39:38.976847 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25027:28@1480)
    00:39:38.976968 eth0 < 61.11.17.22.1442 > 61.31.77.3.39399: udp 1500 (frag 25027:1480@0+)
    00:39:38.976971 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25028:28@1480)
    00:39:38.977098 eth0 < 61.11.17.22.1442 > 61.31.77.37.30199: udp 1500 (frag 25028:1480@0+)
    00:39:38.977101 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25029:28@1480)
    00:39:38.977230 eth0 < 61.11.17.22.1442 > 61.31.77.3.41930: udp 1500 (frag 25029:1480@0+)
    00:39:38.977232 eth0 < 61.11.17.22 > 61.31.77.3: (frag 25030:28@1480)
    00:39:38.977356 eth0 < 61.11.17.22.1442 > 61.31.77.3.1149: udp 1500 (frag 25030:1480@0+)
    ...
    bash#

Because the plain UDP flood uses no custom packets it needs no root privileges, but the attacking agent's IP address (61.11.17.22) is captured as-is. Two more things stand out: the source port is fixed at 1442 (a single ordinary UDP socket) while the destination port is random, and each 1500-byte datagram arrives as two IP fragments (1480 + 28 bytes).

* ICMP flooding DoS with IP spoofing (root required)

Based on ICMP, a large number of ICMP echo request packets is sent to the target host. The advantage is that the source IP can be spoofed: when a packet is sent with a forged source, the destination receives the forged address as the sender.

An ICMP flood as captured on the target:

    bash# tcpdump
    ...
    00:47:55.806625 eth0 < 207.51.78.100 > 61.31.77.3: icmp: echo request
    00:47:55.806639 eth0 > 61.31.77.3 > 207.51.78.100: icmp: echo reply
    00:47:55.806686 eth0 < dimeg028.poliba.it > 61.31.77.3: icmp: echo request
    00:47:55.806700 eth0 > 61.31.77.3 > dimeg028.poliba.it: icmp: echo reply
    00:47:55.806739 eth0 < 200.241.53.0 > 61.31.77.3: icmp: echo request
    00:47:55.806752 eth0 > 61.31.77.3 > 200.241.53.0: icmp: echo reply
    00:47:55.806794 eth0 < 208.68.184.64 > 61.31.77.3: icmp: echo request
    00:47:55.806808 eth0 > 61.31.77.3 > 208.68.184.64: icmp: echo reply
    00:47:55.806851 eth0 < 82.12.234.92 > 61.31.77.3: icmp: echo request
    00:47:55.806864 eth0 > 61.31.77.3 > 82.12.234.92: icmp: echo reply
    00:47:55.806907 eth0 < 92.95.9.185 > 61.31.77.3: icmp: echo request
    00:47:55.806921 eth0 > 61.31.77.3 > 92.95.9.185: icmp: echo reply
    00:47:55.806965 eth0 < 247.241.202.247 > 61.31.77.3: icmp: echo request
    00:47:55.807021 eth0 < 222.7.106.208 > 61.31.77.3: icmp: echo request
    00:47:55.807035 eth0 > 61.31.77.3 > 222.7.106.208: icmp: echo reply
    00:47:55.807078 eth0 < 138.16.14.132 > 61.31.77.3: icmp: echo request
    00:47:55.807094 eth0 > 61.31.77.3 > 138.16.14.132: icmp: echo reply
    00:47:55.807134 eth0 < 181.178.133.4 > 61.31.77.3: icmp: echo request
    00:47:55.807148 eth0 > 61.31.77.3 > 181.178.133.4: icmp: echo reply
    00:47:55.807190 eth0 < 185.83.201.142 > 61.31.77.3: icmp: echo request
    00:47:55.807204 eth0 > 61.31.77.3 > 185.83.201.142: icmp: echo reply
    00:47:55.807246 eth0 < 60.171.152.205 > 61.31.77.3: icmp: echo request
    00:47:55.807260 eth0 > 61.31.77.3 > 60.171.152.205: icmp: echo reply
    00:47:55.807302 eth0 < 38.254.198.81 > 61.31.77.3: icmp: echo request
    ...
    bash#

The attacker's IP is hidden, and because countless fake sources are used, tracing the attacker is hard. Two details worth noting: the target answers every forged request (the outgoing echo reply lines), so it also sprays replies at random third parties; and the forged sources are drawn from the whole address space without regard to validity, so some fall in ranges that cannot send at all (no reply follows the request from 247.241.202.247, which lies in the reserved 240.0.0.0/4 block).

* SYN flooding DoS with IP spoofing (root required)

Based on TCP, a large number of TCP packets with the SYN flag set is sent to the target host. This attack too can spoof the source IP.

A SYN flood as captured on the target:

    bash# tcpdump
    ...
    00:52:43.516825 eth0 < h00907f10cb26.ne.client2.attbi.com.22264 > 61.31.77.3.28409: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.516948 eth0 < 223.30.117.104.61971 > 61.31.77.3.42990: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517084 eth0 < 150.238.55.131.3164 > 61.31.77.3.59022: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517200 eth0 < 246.121.169.16.28691 > 61.31.77.3.33715: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517335 eth0 < 53.228.5.74.2056 > 61.31.77.3.3739: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517442 eth0 < 122.50.195.173.37049 > 61.31.77.3.49730: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517573 eth0 < reserved-multicast-range-NOT-delegated.example.com.18023 > 61.31.77.37.51195: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517699 eth0 < 124.227.247.233.12171 > 61.31.77.3.19608: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517815 eth0 < 84.204.14.57.24713 > 61.31.77.3.24982: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.517938 eth0 < 237.219.1.104.48762 > 61.31.77.3.41324: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518064 eth0 < 84.131.143.53.41414 > 61.31.77.3.46411: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518182 eth0 < 98.33.58.230.20198 > 61.31.77.3.55733: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518313 eth0 < 73.167.53.76.56840 > 61.31.77.3.21223: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518433 eth0 < 128.203.42.17.27361 > 61.31.77.3.32948: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518554 eth0 < 65.113.129.63.42092 > 61.31.77.3.17637: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518674 eth0 < 120.199.83.40.12813 > 61.31.77.3.29199: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518796 eth0 < 70.162.143.22.22225 > 61.31.77.3.45728: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.518919 eth0 < 201.191.191.193.27817 > 61.31.77.3.38138: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.519045 eth0 < 119.193.191.225.52468 > 61.31.77.3.45326: S 560993037:560994513(1476) win 65535 urg 2513
    00:52:43.519163 eth0 < 22.225.29.167.18330 > 61.31.77.3.4016: S 560993037:560994513(1476) win 65535 urg 2513
    ...
    bash#

The attacker's IP is forged and the source and destination ports are chosen at random. Every SYN, however, carries the identical sequence numbers 560993037:560994513, a 1476-byte payload, window 65535 and an urgent pointer of 2513; only the addresses vary. The generator is therefore easy to fingerprint even though the sources are untraceable. One forged source even reverse-resolves to the name reserved-multicast-range-NOT-delegated.example.com.

* UDP flooding DoS with IP spoofing (root required)

Based on UDP, packets of a fixed size are sent to the target host with a forged source address.

A spoofed UDP flood as captured on the target:

    bash# tcpdump
    ...
    00:57:10.708918 eth0 < 199.154.200.178.59675 > 61.31.77.3.19756: udp 56317
    00:57:10.709038 eth0 < 140.67.1.182.35113 > 61.31.77.3.49925: udp 56317
    00:57:10.709163 eth0 < 37.202.190.35.17522 > 61.31.77.3.54826: udp 56317
    00:57:10.709287 eth0 < 186.14.4.70.62765 > 61.31.77.3.35125: udp 56317
    00:57:10.709407 eth0 < 162.3.225.206.31690 > 61.31.77.3.65284: udp 56317
    00:57:10.709529 eth0 < 167.216.14.230.47381 > 61.31.77.3.18585: udp 56317
    00:57:10.709658 eth0 < 168.250.201.48.37460 > 61.31.77.3.28574: udp 56317
    00:57:10.709775 eth0 < 135.155.82.191.10248 > 61.31.77.3.19836: udp 56317
    00:57:10.709902 eth0 < 65.73.170.120.65216 > 61.31.77.3.33997: udp 56317
    00:57:10.710023 eth0 < 119.213.100.232.39135 > 61.31.77.3.46580: udp 56317
    00:57:10.710146 eth0 < 236.86.151.171.5332 > 61.31.77.3.8770: udp 56317
    00:57:10.710273 eth0 < 186.187.252.9.30771 > 61.31.77.3.62881: udp 56317
    00:57:10.710391 eth0 < 234.227.245.233.16329 > 61.31.77.3.13512: udp 56317
    00:57:10.710519 eth0 < 189.241.230.233.23693 > 61.31.77.3.245: udp 56317
    00:57:10.710639 eth0 < 93.39.193.131.8138 > 61.31.77.3.51230: udp 56317
    00:57:10.710760 eth0 < 187.253.5.233.32006 > 61.31.77.3.37933: udp 56317
    00:57:10.710886 eth0 < 13.60.238.130.56333 > 61.31.77.3.26015: udp 56317
    00:57:10.711008 eth0 < 5.149.237.51.24610 > 61.31.77.3.11968: udp 56317
    00:57:10.711130 eth0 < reserved-multicast-range-NOT-delegated.example.com.30651 > 61.31.77.3.9927: udp 56317
    00:57:10.711255 eth0 < 187.212.117.101.4988 > 61.31.77.3.28208: udp 56317
    00:57:10.711375 eth0 < 19.65.76.212.64106 > 61.31.77.3.15417: udp 56317
    00:57:10.711498 eth0 < 83.51.191.93.48152 > 61.31.77.3.56941: udp 56317
    00:57:10.711628 eth0 < 77.159.31.41.4428 > 61.31.77.3.32321: udp 56317
    00:57:10.711746 eth0 < 25.44.124.80.34466 > 61.31.77.3.46441: udp 56317
    00:57:10.711875 eth0 < 178.171.254.234.1355 > 61.31.77.3.23584: udp 56317
    00:57:10.711991 eth0 < 138.126.54.122.26499 > 61.31.77.3.62984: udp 56317
    00:57:10.712112 eth0 < 174.52.254.7.33782 > 61.31.77.3.39069: udp 56317
    00:57:10.712240 eth0 < YahooBB219188111153.bbtec.net.56107 > 61.31.77.3.45644: udp 56317
    ...
    bash#

The attack uses forged source addresses and randomly chosen ports. Note that tcpdump reports udp 56317, a payload length taken from the UDP header that no Ethernet frame can carry: the crafted header is malformed, which is another fingerprint of the generator.

* SMURF flooding DoS with IP spoofing (root required)

In a smurf attack the source address is set to the address of the target host and ICMP echo requests are sent to a broadcast address, so that every host answering the broadcast replies to the target. The source IP is forged by the attacker.

A smurf attack as captured on the target:

    bash# tcpdump
    ...
    02:13:28.175335 eth0 < 61.31.77.255 > 61.31.77.3: icmp: echo reply
    ...
    bash#

Here the replies arrive with the target's own subnet broadcast address, 61.31.77.255, as source.

5. IP spoofing check (special feature)

Hiding the attacker's IP during an attack is taken for granted, but some networks configure their routers so that packets with a forged source address cannot leave; this is source-address validation, the practice RFC 2827 (BCP 38) recommends. If the real IP of an attacking agent server were exposed, the attacker could be traced, so the model includes a function that checks whether an agent's packets really leave spoofed by sending a specific packet to the master server. When the attacker issues fakechk (f) in the handler, the handler signals the agent server to send an ICMP packet; the agent sends the master an ICMP packet with a forged source, and the real and forged IPs are printed side by side on the screen for the attacker to compare. If the agent's real IP address and the randomly forged one differ, the attacker is told that IP spoofing from that agent succeeds. The same test, run from a defender's side, shows whether a network's own egress filtering is effective.
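All five traces above were classified by eye. The Python below, an added example rather than part of the original analysis or of the tool, does the same mechanically over the old-style Linux tcpdump lines quoted above (the sample lines are copied from those traces): one source repeating is a plain flood; a fresh source on almost every frame, or any source in a multicast, reserved or other non-routable range, means the sources are forged; an identical initial sequence number in every SYN marks a scripted generator; and echo replies sourced from the target's directed-broadcast address mark a smurf. The rules and the 0.8 source-diversity threshold are this example's own assumptions.

```python
"""Classify the flood traces quoted above from old-style Linux tcpdump text.

Added example, not part of the original analysis or of the tool.  The rules
(one repeating source = plain flood; a fresh source on nearly every frame or a
non-routable source = forged sources; one ISN in every SYN = scripted
generator; echo replies from the directed-broadcast address = smurf) and the
0.8 diversity threshold are this example's own assumptions.
"""
import ipaddress
import re
from collections import Counter

# "HH:MM:SS.usec ifname < SRC > DST: rest" as tcpdump 3.x on Linux printed it.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\S+\s+[<>]\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$")
SYN_RE = re.compile(r"^S (?P<seq>\d+):\d+\(\d+\)")
KIND = {"udp": "udp-flood", "icmp-request": "icmp-flood", "syn": "syn-flood"}

def host_of(endpoint):
    """'1.2.3.4.80' -> '1.2.3.4'; a bare address or a hostname is returned as is."""
    try:
        return str(ipaddress.ip_address(endpoint))
    except ValueError:
        host, _, last = endpoint.rpartition(".")
        return host if host and last.isdigit() else endpoint

def is_bogon(host):
    """True for a numeric source that cannot legitimately originate unicast."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # tcpdump resolved a PTR record, so it was a real address
    return ip.is_multicast or ip.is_reserved or ip.is_unspecified or ip.is_loopback or ip.is_private

def parse(lines):
    """tcpdump lines -> frame dicts; IP fragment continuations (no L4 header) are dropped."""
    frames = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("rest").startswith("(frag"):
            continue
        rest = m.group("rest")
        syn = SYN_RE.match(rest)
        proto = ("udp" if rest.startswith("udp") else "syn" if syn else
                 "icmp-request" if rest.startswith("icmp: echo request") else
                 "icmp-reply" if rest.startswith("icmp: echo reply") else "other")
        frames.append({"src": host_of(m.group("src")), "dst": host_of(m.group("dst")),
                       "proto": proto, "seq": syn.group("seq") if syn else None})
    return frames

def analyze(lines, target, broadcast):
    """Summarise one burst aimed at `target`; `broadcast` is the target subnet's broadcast."""
    frames = [f for f in parse(lines) if f["dst"] == target]
    if not frames:
        return {"frames": 0, "verdict": "no traffic to target"}
    proto = Counter(f["proto"] for f in frames).most_common(1)[0][0]
    sources = Counter(f["src"] for f in frames)
    bogons = sorted(s for s in sources if is_bogon(s))
    spoofed = len(sources) > 1 and (bool(bogons) or len(sources) >= 0.8 * len(frames))
    isns = {f["seq"] for f in frames if f["proto"] == "syn"}
    same_isn = proto == "syn" and len(isns) == 1
    if proto == "icmp-reply" and broadcast in sources:
        verdict = "smurf: echo replies sourced from directed broadcast " + broadcast
    elif proto in KIND and spoofed:
        verdict = "%s, forged sources (%d distinct, %d bogon)" % (KIND[proto], len(sources), len(bogons))
    elif proto in KIND:
        verdict = "%s, unspoofed: %s" % (KIND[proto], ", ".join(sources))
    else:
        verdict = "unclassified"
    if same_isn:
        verdict += "; identical ISN %s in every SYN (scripted generator)" % isns.pop()
    return {"frames": len(frames), "proto": proto, "sources": len(sources), "bogons": bogons,
            "spoofed": spoofed, "same_isn": same_isn, "verdict": verdict}

TARGET, BCAST = "61.31.77.3", "61.31.77.255"
# Representative lines copied from the five traces above.
PLAIN_UDP = """\
00:39:38.793629 eth0 < 61.11.17.22.1442 > 61.31.77.3.36325: udp 1500 (frag 23615:1480@0+)
00:39:38.793631 eth0 < 61.11.17.22 > 61.31.77.3: (frag 23616:28@1480)
00:39:38.793758 eth0 < 61.11.17.22.1442 > 61.31.77.3.39306: udp 1500 (frag 23616:1480@0+)
""".splitlines()
ICMP = """\
00:47:55.806625 eth0 < 207.51.78.100 > 61.31.77.3: icmp: echo request
00:47:55.806639 eth0 > 61.31.77.3 > 207.51.78.100: icmp: echo reply
00:47:55.806686 eth0 < dimeg028.poliba.it > 61.31.77.3: icmp: echo request
00:47:55.806965 eth0 < 247.241.202.247 > 61.31.77.3: icmp: echo request
""".splitlines()
SYN = """\
00:52:43.516825 eth0 < h00907f10cb26.ne.client2.attbi.com.22264 > 61.31.77.3.28409: S 560993037:560994513(1476) win 65535 urg 2513
00:52:43.517200 eth0 < 246.121.169.16.28691 > 61.31.77.3.33715: S 560993037:560994513(1476) win 65535 urg 2513
00:52:43.517938 eth0 < 237.219.1.104.48762 > 61.31.77.3.41324: S 560993037:560994513(1476) win 65535 urg 2513
""".splitlines()
SPOOFED_UDP = """\
00:57:10.708918 eth0 < 199.154.200.178.59675 > 61.31.77.3.19756: udp 56317
00:57:10.710146 eth0 < 236.86.151.171.5332 > 61.31.77.3.8770: udp 56317
00:57:10.712240 eth0 < YahooBB219188111153.bbtec.net.56107 > 61.31.77.3.45644: udp 56317
""".splitlines()
SMURF = ["02:13:28.175335 eth0 < 61.31.77.255 > 61.31.77.3: icmp: echo reply"]

def classify_page_traces():
    """Verdict per trace, in the order the traces appear above."""
    return {name: analyze(lines, TARGET, BCAST)["verdict"] for name, lines in
            (("plain-udp", PLAIN_UDP), ("icmp", ICMP), ("syn", SYN),
             ("spoofed-udp", SPOOFED_UDP), ("smurf", SMURF))}
```

The parser is written for the 2003-era output quoted on this page. Current tcpdump prints no "eth0 <" direction marker, "Flags [S]" instead of "S", and "length N" instead of "udp N", so LINE_RE and SYN_RE need adjusting before the same logic is run over a modern capture.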
[Figure 5: Fake IP spoofing check]

6. Checking the IPs behind a domain (special feature)

A host that receives many client requests is usually run as several linked servers behind one domain name, so that no single server is overloaded (for example www.yahoo.com or www.daum.net). Run this way, service continues even while an attack is in progress, which makes it look like an effective defence against DoS. But if all the linked servers are attacked at the same time, the host can no longer provide service; the final stage of a DDoS attack is therefore hard to defend against. For this reason the model can check, before an attack, how many servers stand behind a domain name: the handler command getip (g) resolves the name 50 times in total (presumably to collect every address a round-robin DNS set rotates through) and reports the addresses found to the attacker. (This is the first DDoS program to include such a function.)
[Figure 6: Get IP address check]

* Feature developed in version 0.05 and above: LKM (Loadable Kernel Module)

A DDoS tool is normally very hard to install and operate on a server that has been secured. From this version on, therefore, the model manages the program at kernel level rather than application level in order to deceive the security administrator. (This is the first DDoS program to use an LKM.) The point of working at kernel level is that the administrator cannot even judge whether the tool is installed. The following shows an actual LKM completely hiding the agent and handler of model 5549421.
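Item 5 of the feature list below, hiding open ports from netstat, can be checked from user space without trusting /proc. The Python below, an added example and not part of the original analysis or of the tool, uses the fact that a hiding module can filter /proc/net/udp and /proc/net/udp6 (what netstat and ss read) but cannot let a second socket bind the same local UDP port: a port that refuses bind() with EADDRINUSE yet is missing from the /proc view is a hidden listener. 65500 and 65501 are the tool's defaults from section 2 above; probing the rest of the range is this example's own choice.

```python
"""Find UDP listeners that a kernel module hides from netstat/ss.

Added example; not part of the original analysis or of the tool.  A hiding
module can filter what /proc/net/udp{,6} report, but it cannot let a second
socket bind the same local port: bind() still fails with EADDRINUSE.  A port
that refuses bind() yet is absent from the /proc view is a hidden listener.
65500/65501 are the tool's defaults as stated on the page.
"""
import errno
import socket


def visible_udp_ports(proc_files=("/proc/net/udp", "/proc/net/udp6")):
    """Local UDP ports the kernel's /proc view admits to (what netstat shows)."""
    ports = set()
    for path in proc_files:
        try:
            with open(path) as f:
                next(f)  # column header
                for line in f:
                    local = line.split()[1]  # "0100007F:FFDC": hex address, colon, hex port
                    ports.add(int(local.rsplit(":", 1)[1], 16))
        except OSError:
            continue  # not Linux, or file unreadable: nothing is visible here
    return ports


def port_in_use(port):
    """True if an IPv4 UDP bind() to the wildcard address fails with EADDRINUSE.

    The probe sets no SO_REUSEADDR, so a listener bound to any local address
    on that port (not only the wildcard) makes the bind fail.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind(("", port))
        except OSError as e:
            if e.errno == errno.EADDRINUSE:
                return True
            raise  # e.g. EACCES on a privileged port: let the caller decide
    return False


def hidden_udp_listeners(ports, visible=None):
    """Ports in `ports` that refuse bind() but are missing from the /proc view."""
    if visible is None:
        visible = visible_udp_ports()
    return sorted(p for p in ports if p not in visible and port_in_use(p))


def self_check():
    """Bind a scratch listener and confirm the probe sees it under each /proc view."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
        return {
            "in_use": port_in_use(port),
            "hidden_if_proc_lies": hidden_udp_listeners([port], visible=set()),
            "hidden_if_proc_honest": hidden_udp_listeners([port], visible={port}),
            "hidden_in_real_view": hidden_udp_listeners([port]),
            "port": port,
        }


if __name__ == "__main__":
    # The tool's defaults first, then every unprivileged port (1-1023 need root).
    suspects = hidden_udp_listeners([65500, 65501] + list(range(1024, 65536)))
    print("hidden UDP listeners:", suspects or "none")
```

A hit can also mean a listener that appeared between reading /proc and probing, so re-run and compare with lsof -i UDP before acting on it. Only IPv4 is probed; a hidden IPv6-only listener needs the same probe with an AF_INET6 socket.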
[Reference 1: Before the module is loaded]
[Reference 2: After the module is loaded, everything hidden]

Features:

1. Hides the program's directory (ls, dir).
2. Hides the agent program and the handler program (ls, dir).
3. Hides the agent process and the handler process (ps, pstree, top).
4. Hides the installed kernel module (lsmod).
5. Hides the open ports (netstat).

* Because it is designed around a kernel module that hides the program, the program can be used more safely, from the attacker's point of view.

* Handler Commands

The handler program offers a fairly convenient interface aimed at ordinary users. Its 18 commands are introduced below.

    0x82> help
    help information:
    <+>=================<* command list *>=================<+>
    (h) help - help information.
    (g) getip - Inform IP that's linked to Domain.
    (f) fakechk - examine IP spoofing possibility.
    (m) minish - shell command.
    (c) check - check server stat.
    (r) ready - cron program remote setting.
    (sa) satkcfg - setting attack config.
    (la) latkcfg - listing attack config.
    (a) attack - DDoS attack.
    (k) kill - kill DDoS daemon. [Temporary]
    (sk) skill - skill, remove tool. [Dangerous]
    (li) listip - listing host.
    (w) wrtip - adding host.
    (d) delip - delete host.
    (o) outclean - display clear.
    (e) exit - program exit.
    (q) quit - program exit.
    (v) version - engine version.
    <+>=================<* command list *>=================<+>
    0x82>

help: prints the usage text.
fakechk: checks whether IP spoofing is possible from an agent.
minish: enters a shell command to be executed on the agent server (the shell commander).
check: searches all currently reachable agent servers and checks their state.
ready: configures the cron daemon remotely, so that the agent is restarted if its daemon dies.
satkcfg: sets the attack parameters: the target host address, broadcast address, timeout and packet size.
attack: launches the DDoS attack with the configured parameters.
kill: stops the agent server temporarily.
skill: stops the agent server and then permanently removes its source code, configuration files and related material.
quit: exits the handler.
exit: exits the handler.
wrtip: registers a new host address, port, password and related information in the agent server list.
delip: removes a host address from the agent server list.
listip: prints the addresses registered in the agent server list.
outclean: clears the handler screen.
latkcfg: prints the current attack configuration for the target host.
version: prints the engine version in use.

3. Test DDoS Attack

1. Running the agent

The program currently supports Linux, OpenBSD and FreeBSD and is built with make:

    bash# make

After compiling, a password must be created before the agent daemon is started:

    bash# ./sidabari -P
    0x82-Ssagazi - Distributed Denial of Service Attack tool v0.01.
    Sidabari - Slave (Agent) Program.
    New password:
    Retype new password again:
    passwd: all authentication tokens updated successfully
    bash#

If the input succeeded, the file `0x82-5549421-pass' has been created:

    bash# ls -al 0x82-5549421-pass
    -rw-r--r--   1 root     root           14 Jan  8 21:40 0x82-5549421-pass
    bash# cat 0x82-5549421-pass
    82.IwbCh3KKOw
    bash#

The two-character salt (82 here) can be changed. Note that the file is world-readable and that its 13-character traditional DES crypt string is, as the handler's list file below shows, exactly what the handler presents to the agent: anyone who can read this file holds the agent's credential. Now start the daemon:

    bash# ./sidabari -D
    0x82-Ssagazi - Distributed Denial of Service Attack tool v0.01.
    Sidabari - Slave (Agent) Program.
    bash#

The agent is now set up.

2. Running the handler

The handler commands were explained above, so there should be nothing difficult here. First, register a new agent server:

    bash# ./oyabung
    0x82-Ssagazi - Distributed Denial of Service Attack tool v0.01.
    Oyabung - Master (Handler) Program.
    0x82>

The configured agent servers are printed with the listip (li) command.
[Figure 7: listip (li) command]

Nothing is configured yet, so let us add an entry. The command that registers an agent for use in attacks is wrtip (w).

[Figure 8: wrtip (w) command]

The IP and password of the agent server on which sidabari was started were entered. Let us confirm.

[Figure 9: listip (li) and check (c) commands]

The entry succeeded and the agent appears in the list. The check (c) command tests whether the agent server can be reached. After quitting oyabung, confirm that the file `0x82-5549421-list' has been created:

    0x82> q
    program exit.
    bash# ls -al 0x82-5549421-list
    -rw-r--r--   1 root     root           33 Jan  8 21:50 0x82-5549421-list
    bash# cat 0x82-5549421-list
    61.22.33.11:65500:82.IwbCh3KKOw
    bash#

Each line holds the agent address, its UDP port and the agent's crypt() string, the same string stored in the agent's pass file. For an incident responder, this file on a seized master is an inventory of every agent together with its credential. Now let us try a test attack.

3. Test DDoS Attack

For the test, three servers were set up as agents and controlled from one master. The target host ran the snort IDS, and tcpdump was used to watch the packets in real time.
[Figure 10: Setting up the target host]

[Figure 11: The master, ready to attack]

Preparations are complete, so we configure the target host and launch the attack. The command that sets the target host is satkcfg (sa).

[Figure 12: Configuring the attack on the master]

[Figure 13: Checking the configuration]

[Figure 14: Attack started]

The attack was launched with the attack (a) command. Below is the tcpdump screen on the target server (61.22.133.10), which is capturing the packets with spoofed source IPs.

[Figure 15: The target host under attack]

Within about three minutes snort had left a large number of log directories and files behind and went down together with the server. Below are the traces of the attackers' fake IPs that snort logged before the server was rebooted.

[Figure 16: Fake attacker IPs logged by the IDS]

Tracing the real attacker from a server that has already been rebooted is like picking a star out of the sky. A server run like this is effectively defenceless against such an attack. In particular, if a hacker with many agents targets critical infrastructure such as DNS servers, mail servers, web servers, firewalls, VPN gateways or routers, the threat can easily reach from a single network to a regional network and even a national one. Moreover, even when a DDoS attack is detected, the author estimates that more than 90% of what is logged is false (forged) data, which makes tracing the attacker hard, and no practical defence is currently known.

4. Conclusion

Clearly the publicly available IDSs cannot trace the real attacker. Because a DDoS attack needs a large number of agents, attacks at a truly threatening scale are not expected yet. One day, however, a worm or other automated tools may put the world's networks under the threat of cyber-terror. For that reason we, the INetCop Security Team, are pursuing a project to prevent DDoS attacks and defend against such cyber-terror. This research should be continued for the nation. To respond to evolving cyber attacks, one must become a hacker before anyone else does.