
UNIVERSIDADE ESTADUAL DE CAMPINAS

INSTITUTO DE COMPUTAÇÃO
Specialization in Computer Networks
INF-528 MANAGEMENT OF COMPUTER NETWORK SECURITY I

Assignment 1

Mariana Luz Góes

Iran Bezerra do Nascimento

CAMPINAS, SP
2014

CONTENTS
1. INTRODUCTION.................................................................................................................3
2. Practice..........................................................................................................................4
2.1. Install a packet-injection tool (hping, T50) on the ATTACKER machine (host)....................4
2.2. Install a Web server on the TARGET machine.....................................................................4
2.3. Verify the download time of index.html from that Web server from the USER machine, capturing network packets.......6
2.4. Verify the status of the TARGET machine..........................................................................7
2.5. Test the packet-injection tool against the TARGET machine from the ATTACKER machine.....8
2.6. Verify the state of the TARGET machine during the attack.................................................11
2.7. Questions......................................................................................................................13
2.8. Enable SYN cookies on the TARGET machine....................................................................14
2.9. Repeat steps 3 to 6........................................................................................................14
2.10. Observed results...........................................................................................................18

1. INTRODUCTION
In this lab we analyse how the traffic changes with and without SYN cookies.
The environment consists of machines created in a virtual environment; the role of each one in the experiment is identified below:
SP as the user.
MS as the attacker.
MG as the target.

2. PRACTICE

All machines start by default with syncookies disabled.

Procedure:

2.1. Install a packet-injection tool (hping, T50) on the ATTACKER machine (host)
ms@ms:~$ sudo apt-get install hping3
Reading package lists... Done
Building dependency tree
Reading state information... Done
hping3 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 134 not upgraded.

2.2. Install a Web server on the TARGET machine.


mg@mg:~$ sudo apt-get update
[sudo] password for mg:
Ign http://us.archive.ubuntu.com trusty InRelease
Ign http://security.ubuntu.com trusty-security InRelease
Ign http://us.archive.ubuntu.com trusty-updates InRelease
Get:1 http://security.ubuntu.com trusty-security Release.gpg [933 B]
Ign http://us.archive.ubuntu.com trusty-backports InRelease
Get:2 http://us.archive.ubuntu.com trusty Release.gpg [933 B]
Get:3 http://us.archive.ubuntu.com trusty-updates Release.gpg [933 B]
Get:4 http://us.archive.ubuntu.com trusty-backports Release.gpg [933 B]
Get:5 http://security.ubuntu.com trusty-security Release [59.7 kB]
Get:6 http://us.archive.ubuntu.com trusty Release [58.5 kB]
Get:7 http://us.archive.ubuntu.com trusty-updates Release [59.7 kB]
Get:8 http://us.archive.ubuntu.com trusty-backports Release [59.7 kB]
Get:9 http://security.ubuntu.com trusty-security/main Sources [44.3 kB]
Get:10 http://us.archive.ubuntu.com trusty/main Sources [1,064 kB]
Get:11 http://security.ubuntu.com trusty-security/restricted Sources [14 B]
Get:12 http://security.ubuntu.com trusty-security/universe Sources [10.8 kB]
Get:13 http://security.ubuntu.com trusty-security/multiverse Sources [700 B]
Get:14 http://security.ubuntu.com trusty-security/main i386 Packages [133 kB]
Get:15 http://us.archive.ubuntu.com trusty/restricted Sources [5,433 B]
Get:16 http://us.archive.ubuntu.com trusty/universe Sources [6,399 kB]
Get:17 http://security.ubuntu.com trusty-security/restricted i386 Packages [14 B]
Get:18 http://security.ubuntu.com trusty-security/universe i386 Packages [47.0 kB]
Get:19 http://security.ubuntu.com trusty-security/multiverse i386 Packages [1,398 B]
Get:20 http://security.ubuntu.com trusty-security/main Translation-en [68.0 kB]
Get:21 http://security.ubuntu.com trusty-security/multiverse Translation-en [587 B]
Hit http://security.ubuntu.com trusty-security/restricted Translation-en
Get:22 http://security.ubuntu.com trusty-security/universe Translation-en [27.0 kB]
Get:23 http://us.archive.ubuntu.com trusty/multiverse Sources [174 kB]
Get:24 http://us.archive.ubuntu.com trusty/main i386 Packages [1,348 kB]
Get:25 http://us.archive.ubuntu.com trusty/restricted i386 Packages [13.4 kB]
Get:26 http://us.archive.ubuntu.com trusty/universe i386 Packages [5,866 kB]
Get:27 http://us.archive.ubuntu.com trusty/multiverse i386 Packages [134 kB]
Get:28 http://us.archive.ubuntu.com trusty/main Translation-en [762 kB]
Get:29 http://us.archive.ubuntu.com trusty/multiverse Translation-en [102 kB]
Hit http://us.archive.ubuntu.com trusty/restricted Translation-en
Get:30 http://us.archive.ubuntu.com trusty/universe Translation-en [4,089 kB]
Get:31 http://us.archive.ubuntu.com trusty-updates/main Sources [120 kB]
Get:32 http://us.archive.ubuntu.com trusty-updates/restricted Sources [1,408 B]
Get:33 http://us.archive.ubuntu.com trusty-updates/universe Sources [84.7 kB]
Get:34 http://us.archive.ubuntu.com trusty-updates/multiverse Sources [3,527 B]
Get:35 http://us.archive.ubuntu.com trusty-updates/main i386 Packages [314 kB]
Get:36 http://us.archive.ubuntu.com trusty-updates/restricted i386 Packages [5,820 B]
Get:37 http://us.archive.ubuntu.com trusty-updates/universe i386 Packages [204 kB]
Get:38 http://us.archive.ubuntu.com trusty-updates/multiverse i386 Packages [9,545 B]
Get:39 http://us.archive.ubuntu.com trusty-updates/main Translation-en [143 kB]
Get:40 http://us.archive.ubuntu.com trusty-updates/multiverse Translation-en [4,719 B]
Get:41 http://us.archive.ubuntu.com trusty-updates/restricted Translation-en [1,736 B]
Get:42 http://us.archive.ubuntu.com trusty-updates/universe Translation-en [101 kB]
Get:43 http://us.archive.ubuntu.com trusty-backports/main Sources [4,760 B]
Get:44 http://us.archive.ubuntu.com trusty-backports/restricted Sources [14 B]
Get:45 http://us.archive.ubuntu.com trusty-backports/universe Sources [12.6 kB]
Get:46 http://us.archive.ubuntu.com trusty-backports/multiverse Sources [1,315 B]
Get:47 http://us.archive.ubuntu.com trusty-backports/main i386 Packages [6,379 B]
Get:48 http://us.archive.ubuntu.com trusty-backports/restricted i386 Packages [14 B]
Get:49 http://us.archive.ubuntu.com trusty-backports/universe i386 Packages [16.0 kB]
Get:50 http://us.archive.ubuntu.com trusty-backports/multiverse i386 Packages [945 B]
Get:51 http://us.archive.ubuntu.com trusty-backports/main Translation-en [4,216 B]
Get:52 http://us.archive.ubuntu.com trusty-backports/multiverse Translation-en [613 B]
Hit http://us.archive.ubuntu.com trusty-backports/restricted Translation-en
Get:53 http://us.archive.ubuntu.com trusty-backports/universe Translation-en [13.3 kB]
Ign http://us.archive.ubuntu.com trusty/main Translation-en_US
Ign http://us.archive.ubuntu.com trusty/multiverse Translation-en_US
Ign http://us.archive.ubuntu.com trusty/restricted Translation-en_US
Ign http://us.archive.ubuntu.com trusty/universe Translation-en_US
Fetched 21.6 MB in 1min 7s (322 kB/s)
Reading package lists... Done

mg@mg:~$ sudo apt-get install apache2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-bin apache2-data
Suggested packages:
  apache2-doc apache2-suexec-pristine apache2-suexec-custom apache2-utils
The following packages will be upgraded:
  apache2 apache2-bin apache2-data
3 upgraded, 0 newly installed, 0 to remove and 152 not upgraded.
Need to get 1,069 kB of archives.
After this operation, 4,096 B of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main apache2 i386 2.4.7-1ubuntu4.1 [87.6 kB]
Get:2 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main apache2-bin i386 2.4.7-1ubuntu4.1 [821 kB]
Get:3 http://us.archive.ubuntu.com/ubuntu/ trusty-updates/main apache2-data all 2.4.7-1ubuntu4.1 [160 kB]
Fetched 1,069 kB in 17s (62.2 kB/s)
(Reading database ... 66139 files and directories currently installed.)
Preparing to unpack .../apache2_2.4.7-1ubuntu4.1_i386.deb ...
Unpacking apache2 (2.4.7-1ubuntu4.1) over (2.4.7-1ubuntu4) ...
Preparing to unpack .../apache2-bin_2.4.7-1ubuntu4.1_i386.deb ...
Unpacking apache2-bin (2.4.7-1ubuntu4.1) over (2.4.7-1ubuntu4) ...
Preparing to unpack .../apache2-data_2.4.7-1ubuntu4.1_all.deb ...
Unpacking apache2-data (2.4.7-1ubuntu4.1) over (2.4.7-1ubuntu4) ...
Processing triggers for ureadahead (0.100.0-16) ...
ureadahead will be reprofiled on next reboot
Processing triggers for ufw (0.34~rc-0ubuntu2) ...
Processing triggers for man-db (2.6.6-1) ...
Setting up apache2-bin (2.4.7-1ubuntu4.1) ...
Setting up apache2-data (2.4.7-1ubuntu4.1) ...
Setting up apache2 (2.4.7-1ubuntu4.1) ...
 * Restarting web server apache2
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
   [ OK ]

2.3. Verify the download time of index.html from that Web server from the USER machine, capturing network packets
sp@sp:~$ sudo tcpdump -r lab01_3.1.txt
reading from file lab01_3.1.txt, link-type EN10MB (Ethernet)
08:41:41.704618 IP6 fe80::a00:27ff:fe40:5ef9.521 > ff02::9.521: ripng-resp 3: fc00::10:10:1:0/112 (2) fc00::10:10:3:0/112 (1) fc00::10:10:4:0/112 (1)
08:41:41.792880 IP ms3 > sp2: ICMP echo request, id 3016, seq 5, length 64
08:41:41.792962 IP sp2 > ms3: ICMP echo reply, id 3016, seq 5, length 64
08:41:42.219846 IP sp4.route > rip2-routers.mcast.net.route: RIPv2, Request, length: 24
08:41:42.221257 IP6 fe80::a00:27ff:fe3e:aa9.521 > ff02::9.521: ripng-req dump
08:41:42.226052 IP sp4 > igmp.mcast.net: igmp v3 report, 1 group record(s)
08:41:42.296232 IP mg4.route > sp4.route: RIPv2, Response, length: 44
08:41:42.296399 IP6 fe80::a00:27ff:fe40:5ef9.521 > fe80::a00:27ff:fe3e:aa9.521: ripng-resp 3: fc00::10:10:1:0/112 (2) fc00::10:10:3:0/112 (1) fc00::10:10:4:0/112 (1)
08:41:42.302048 IP sp4.51889 > mg4.http: Flags [S], seq 2345363030, win 29200, options [mss 1460,sackOK,TS val 189064 ecr 0,nop,wscale 6], length 0
08:41:42.303482 IP mg4.http > sp4.51889: Flags [S.], seq 2516482939, ack 2345363031, win 28960, options [mss 1460,sackOK,TS val 417452 ecr 189064,nop,wscale 5], length 0
08:41:42.303574 IP sp4.51889 > mg4.http: Flags [.], ack 1, win 457, options [nop,nop,TS val 189064 ecr 417452], length 0
08:41:42.304566 IP sp4.51889 > mg4.http: Flags [P.], seq 1:108, ack 1, win 457, options [nop,nop,TS val 189064 ecr 417452], length 107
08:41:42.307196 IP mg4.http > sp4.51889: Flags [.], ack 108, win 905, options [nop,nop,TS val 417452 ecr 189064], length 0
08:41:42.310238 IP mg4.http > sp4.51889: Flags [.], seq 1:11585, ack 108, win 905, options [nop,nop,TS val 417453 ecr 189064], length 11584
08:41:42.310355 IP sp4.51889 > mg4.http: Flags [.], ack 11585, win 819, options [nop,nop,TS val 189066 ecr 417453], length 0
08:41:42.311100 IP mg4.http > sp4.51889: Flags [P.], seq 11585:11821, ack 108, win 905, options [nop,nop,TS val 417453 ecr 189064], length 236
08:41:42.311154 IP sp4.51889 > mg4.http: Flags [.], ack 11821, win 864, options [nop,nop,TS val 189066 ecr 417453], length 0
08:41:42.427826 IP sp4 > igmp.mcast.net: igmp v3 report, 1 group record(s)
08:41:42.524919 IP sp4.51889 > mg4.http: Flags [F.], seq 108, ack 11821, win 864, options [nop,nop,TS val 189119 ecr 417453], length 0
08:41:42.526364 IP mg4.http > sp4.51889: Flags [F.], seq 11821, ack 109, win 905, options [nop,nop,TS val 417507 ecr 189119], length 0
08:41:42.526433 IP sp4.51889 > mg4.http: Flags [.], ack 11822, win 864, options [nop,nop,TS val 189120 ecr 417507], length 0

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 08:41:42--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.002s
2014-10-09 08:41:42 (6.05 MB/s) - /dev/null saved [11510/11510]

2.4. Verify the status of the TARGET machine


Amount of free memory (including swap)
mg@mg:~$ free -m -t
             total       used       free     shared    buffers     cached
Mem:           186        162         23                   30         76
-/+ buffers/cache:         55        131
Swap:          507          0        507
Total:         694        162        531

CPU
top - 08:54:49 up 45 min,  1 user,  load average: 0.54, 0.23, 0.23
Tasks:  86 total,   1 running,  85 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.4 us,  8.2 sy,  0.0 ni, 81.6 id,  0.0 wa,  0.0 hi,  9.9 si,  0.0 st
KiB Mem:    191092 total,   184628 used,     6464 free,    28136 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99192 cached Mem

Open network connections


netstat -tuna | grep SYN_RECV
mg@mg:~$ netstat -tuna | grep SYN_RECV
mg@mg:~$

2.5. Test the packet-injection tool against the TARGET machine from the ATTACKER machine.
ms@ms:~$ sudo hping3 -V -c 20 -d 60 -S -w 64 -p 80 --flood --rand-source 10.10.4.4
[sudo] password for ms:
Sorry, try again.
[sudo] password for ms:
using eth2, addr: 10.10.3.2, MTU: 1500
HPING 10.10.4.4 (eth2 10.10.4.4): S set, 40 headers + 60 data bytes
hping in flood mode, no replies will be shown
^C
--- 10.10.4.4 hping statistic ---
93966 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

After 60 seconds of attack, run step 3.2 several times.


sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:17--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.001s
2014-10-09 09:03:17 (12.2 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:18--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      18.3KB/s   in 0.6s
2014-10-09 09:03:19 (18.3 KB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:21--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0s
2014-10-09 09:03:21 (24.4 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:23--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0s
2014-10-09 09:03:23 (32.6 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:25--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0s
2014-10-09 09:03:26 (33.7 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:28--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.001s
2014-10-09 09:03:28 (11.1 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:29--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.03s
2014-10-09 09:03:30 (412 KB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:32--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0s
2014-10-09 09:03:32 (47.2 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:33--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.01s
2014-10-09 09:03:33 (919 KB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:35--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.002s
2014-10-09 09:03:35 (6.40 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 09:03:38--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.002s
2014-10-09 09:03:38 (5.85 MB/s) - /dev/null saved [11510/11510]

2.6. Verify the state of the TARGET machine during the attack

top - 09:02:39 up 53 min,  1 user,  load average: 0.32, 0.59, 0.44
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  7.4 sy,  0.0 ni, 76.5 id,  0.0 wa,  0.6 hi, 14.8 si,  0.0 st
KiB Mem:    191092 total,   184624 used,     6468 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:02:42 up 53 min,  1 user,  load average: 0.29, 0.58, 0.44
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  5.3 sy,  0.0 ni, 59.2 id,  0.0 wa,  0.0 hi, 35.5 si,  0.0 st
KiB Mem:    191092 total,   184624 used,     6468 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:02:45 up 53 min,  1 user,  load average: 0.27, 0.57, 0.44
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.7 us,  6.6 sy,  0.0 ni, 67.9 id,  0.0 wa,  0.0 hi, 24.8 si,  0.0 st
KiB Mem:    191092 total,   184624 used,     6468 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:02:48 up 53 min,  1 user,  load average: 0.27, 0.57, 0.44
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.2 us,  9.4 sy,  0.0 ni, 71.0 id,  0.0 wa,  0.0 hi, 17.4 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:02:51 up 53 min,  1 user,  load average: 0.25, 0.56, 0.43
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  6.7 sy,  0.0 ni, 63.0 id,  0.0 wa,  0.0 hi, 30.4 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:02:55 up 54 min,  1 user,  load average: 0.25, 0.56, 0.43
Tasks:  87 total,   2 running,  85 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  8.6 sy,  0.0 ni, 42.1 id,  0.0 wa,  0.0 hi, 49.3 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem


top - 09:02:58 up 54 min,  1 user,  load average: 0.23, 0.55, 0.43
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.8 us,  4.9 sy,  0.0 ni, 73.2 id,  0.0 wa,  0.0 hi, 21.1 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:01 up 54 min,  1 user,  load average: 0.21, 0.54, 0.43
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.8 us,  7.8 sy,  0.0 ni, 72.1 id,  0.0 wa,  0.0 hi, 19.4 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:04 up 54 min,  1 user,  load average: 0.21, 0.54, 0.43
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  5.9 sy,  0.0 ni, 63.2 id,  0.0 wa,  0.0 hi, 30.9 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:07 up 54 min,  1 user,  load average: 0.19, 0.53, 0.43
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  3.8 sy,  0.0 ni, 57.2 id,  0.0 wa,  0.0 hi, 38.4 si,  0.0 st
KiB Mem:    191092 total,   184140 used,     6952 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:11 up 54 min,  1 user,  load average: 0.18, 0.52, 0.42
Tasks:  87 total,   2 running,  85 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.5 us,  5.9 sy,  0.0 ni, 44.1 id,  0.0 wa,  0.0 hi, 49.5 si,  0.0 st
KiB Mem:    191092 total,   184212 used,     6880 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:14 up 54 min,  1 user,  load average: 0.18, 0.52, 0.42
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  9.2 sy,  0.0 ni, 67.7 id,  0.0 wa,  0.0 hi, 23.1 si,  0.0 st
KiB Mem:    191092 total,   184212 used,     6880 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:17 up 54 min,  1 user,  load average: 0.16, 0.51, 0.42
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  7.7 sy,  0.0 ni, 62.3 id,  0.0 wa,  0.0 hi, 30.0 si,  0.0 st
KiB Mem:    191092 total,   184208 used,     6884 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:20 up 54 min,  1 user,  load average: 0.15, 0.50, 0.42
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  5.8 sy,  0.0 ni, 42.7 id,  0.0 wa,  0.6 hi, 50.9 si,  0.0 st
KiB Mem:    191092 total,   184224 used,     6868 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem


top - 09:03:23 up 54 min,  1 user,  load average: 0.15, 0.50, 0.42
Tasks:  87 total,   2 running,  85 sleeping,   0 stopped,   0 zombie
%Cpu(s):  1.2 us,  6.8 sy,  0.0 ni, 67.9 id,  0.0 wa,  0.0 hi, 24.1 si,  0.0 st
KiB Mem:    191092 total,   184256 used,     6836 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:27 up 54 min,  1 user,  load average: 0.14, 0.50, 0.42
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  7.6 sy,  0.0 ni, 50.0 id,  0.0 wa,  0.0 hi, 42.4 si,  0.0 st
KiB Mem:    191092 total,   184288 used,     6804 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:30 up 54 min,  1 user,  load average: 0.13, 0.49, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  5.4 sy,  0.0 ni, 59.9 id,  0.6 wa,  0.0 hi, 34.1 si,  0.0 st
KiB Mem:    191092 total,   184288 used,     6804 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:33 up 54 min,  1 user,  load average: 0.13, 0.49, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  6.0 sy,  0.0 ni, 35.0 id,  0.0 wa,  0.0 hi, 59.0 si,  0.0 st
KiB Mem:    191092 total,   184288 used,     6804 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:37 up 54 min,  1 user,  load average: 0.12, 0.48, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  6.3 sy,  0.0 ni, 72.0 id,  0.0 wa,  0.0 hi, 21.7 si,  0.0 st
KiB Mem:    191092 total,   184288 used,     6804 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:40 up 54 min,  1 user,  load average: 0.12, 0.48, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  2.9 us, 11.0 sy,  0.0 ni, 52.3 id,  0.0 wa,  0.0 hi, 33.7 si,  0.0 st
KiB Mem:    191092 total,   184304 used,     6788 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem

top - 09:03:43 up 54 min,  1 user,  load average: 0.11, 0.47, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  4.4 sy,  0.0 ni, 29.1 id,  0.0 wa,  0.0 hi, 66.5 si,  0.0 st
KiB Mem:    191092 total,   184304 used,     6788 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem
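Reading the many top headers above by eye hides the trend, so here is an added Python example (not part of the original report) that parses the header lines top -b prints on every refresh and turns them into a time series. It flags the refreshes where the softirq share (si) crosses a threshold, which is the counter that climbs first on the target during the flood, and reports the worst idle and free-memory figures. The three embedded snapshots are taken from the capture above; the threshold value is an assumption.

```python
"""Turn repeated `top -b` headers into a CPU time series.

Added example, not part of the original report: it parses the header lines
that `top -b` prints on every refresh (as collected in step 2.6) and flags
the refreshes where the kernel spent an unusually large share of the CPU in
software interrupts (`si`), the counter that rises first under a SYN flood.
"""
import re
from typing import Any, Dict, List

# Constructed sample: three refreshes with the values recorded in step 2.6.
SAMPLE_TOP = """\
top - 09:02:39 up 53 min,  1 user,  load average: 0.32, 0.59, 0.44
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  7.4 sy,  0.0 ni, 76.5 id,  0.0 wa,  0.6 hi, 14.8 si,  0.0 st
KiB Mem:    191092 total,   184624 used,     6468 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem
top - 09:02:55 up 54 min,  1 user,  load average: 0.25, 0.56, 0.43
Tasks:  87 total,   2 running,  85 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  8.6 sy,  0.0 ni, 42.1 id,  0.0 wa,  0.0 hi, 49.3 si,  0.0 st
KiB Mem:    191092 total,   184708 used,     6384 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem
top - 09:03:43 up 54 min,  1 user,  load average: 0.11, 0.47, 0.41
Tasks:  87 total,   1 running,  86 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  4.4 sy,  0.0 ni, 29.1 id,  0.0 wa,  0.0 hi, 66.5 si,  0.0 st
KiB Mem:    191092 total,   184304 used,     6788 free,    28140 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    99236 cached Mem
"""

TOP_LINE = re.compile(r"^top - (?P<time>\d{2}:\d{2}:\d{2}) .*load average: (?P<load1>[\d.]+)")
CPU_FIELD = re.compile(r"([\d.]+) (us|sy|ni|id|wa|hi|si|st)\b")
MEM_LINE = re.compile(r"^KiB Mem:\s+(\d+) total,\s+(\d+) used,\s+(\d+) free")


def parse_top(text: str) -> List[Dict[str, Any]]:
    """One dict per refresh: time, 1-minute load, the %Cpu fields, free memory."""
    snapshots: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    for line in text.splitlines():
        m = TOP_LINE.match(line)
        if m:                                   # a new refresh starts here
            if current:
                snapshots.append(current)
            current = {"time": m.group("time"), "load1": float(m.group("load1"))}
        elif line.startswith("%Cpu(s):"):
            for value, name in CPU_FIELD.findall(line):
                current[name] = float(value)
        else:
            m = MEM_LINE.match(line)
            if m:
                current["mem_free_kib"] = int(m.group(3))
    if current:
        snapshots.append(current)
    return snapshots


def softirq_alerts(snapshots: List[Dict[str, Any]], threshold: float = 30.0) -> List[str]:
    """Times at which the softirq share exceeded `threshold` percent (assumed default)."""
    return [s["time"] for s in snapshots if s.get("si", 0.0) > threshold]


def summarise(snapshots: List[Dict[str, Any]]) -> Dict[str, float]:
    """Worst-case figures over the whole run."""
    return {
        "refreshes": len(snapshots),
        "max_si": max(s["si"] for s in snapshots if "si" in s),
        "min_idle": min(s["id"] for s in snapshots if "id" in s),
        "min_free_kib": min(s["mem_free_kib"] for s in snapshots if "mem_free_kib" in s),
    }


if __name__ == "__main__":
    snaps = parse_top(SAMPLE_TOP)
    print(summarise(snaps))
    print("softirq above 30%:", softirq_alerts(snaps))
```

Feeding it the output of top -b -d 3 > top.txt gives the same series for a whole run, with and without SYN cookies.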

2.7. Questions
Does the access time to the Web server change? (See item 3.)
Yes, the access time does oscillate, because of the packet injection.


What is the impact on memory?
Because of the packet injection and the increase in requests, memory is affected, since it has to work twice as hard to serve the requests coming from a supposed attack.
What is the impact on the CPU?
CPU consumption is higher, to do all the processing.
How are the network connections?
When observed while the DDoS attack is being carried out, there is slowness, and therefore the connection is liable to drop.

2.8. Enable SYN cookies on the TARGET machine

Uncomment the line net.ipv4.tcp_syncookies=1 in /etc/sysctl.conf
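What the sysctl above switches on is worth seeing in miniature. The Python script below is an added illustration (not the lab's code and not the kernel's): it builds a SYN cookie the way the classic scheme does, with a coarse time counter in the top bits, a keyed hash of the connection 4-tuple, and the client's MSS stored as a small table index, so the server can answer a SYN without queueing any state and still recover what it needs when the final ACK arrives. The secret, the MSS table, the 64-second counter period and the two-tick lifetime are assumptions chosen for the demo.

```python
"""Worked SYN-cookie construction (added illustration, not the kernel's code).

Layout: top 8 bits = time counter, low 24 bits = keyed hash of the 4-tuple
plus a 3-bit MSS table index, all added to the client's ISN. The server keeps
no half-open state; the final ACK carries everything needed to validate it.
The secret, MSS table and counter period below are demo assumptions.
"""
import hashlib
import hmac
from typing import Optional

MSS_TABLE = [536, 1300, 1440, 1460]   # assumed table; the index fits in 3 bits
COUNTER_PERIOD = 64.0                  # seconds per counter tick (assumption)
MAX_AGE_TICKS = 2                      # cookies older than this are rejected
SECRET = b"demo-secret-rotate-me"      # constructed demo key, not a real one
MASK24 = 0xFFFFFF
MASK32 = 0xFFFFFFFF


def _keyed_hash(saddr: str, daddr: str, sport: int, dport: int, count: int, tag: int) -> int:
    """HMAC over the 4-tuple (plus counter and a domain tag), truncated to 32 bits."""
    msg = f"{tag}|{saddr}|{daddr}|{sport}|{dport}|{count}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def counter(now: float) -> int:
    """Coarse clock: increments every COUNTER_PERIOD seconds."""
    return int(now // COUNTER_PERIOD)


def mss_index(mss: int) -> int:
    """Index of the largest table entry not exceeding the client's MSS."""
    idx = 0
    for i, value in enumerate(MSS_TABLE):
        if value <= mss:
            idx = i
    return idx


def make_cookie(saddr: str, daddr: str, sport: int, dport: int,
                client_isn: int, mss: int, now: float) -> int:
    """Server ISN for the SYN/ACK; all the state the server needs is inside it."""
    count = counter(now)
    h1 = _keyed_hash(saddr, daddr, sport, dport, 0, 1)
    h2 = _keyed_hash(saddr, daddr, sport, dport, count, 2)
    low24 = (h2 + mss_index(mss)) & MASK24
    return (h1 + client_isn + (count << 24) + low24) & MASK32


def check_cookie(saddr: str, daddr: str, sport: int, dport: int,
                 client_isn: int, cookie: int, now: float) -> Optional[int]:
    """Validate a cookie from the final ACK; return the client's MSS or None."""
    h1 = _keyed_hash(saddr, daddr, sport, dport, 0, 1)
    diff = (cookie - client_isn - h1) & MASK32
    age = (counter(now) - (diff >> 24)) & 0xFF     # ticks since the cookie was made
    if age > MAX_AGE_TICKS:
        return None                                # stale: replayed or very late ACK
    h2 = _keyed_hash(saddr, daddr, sport, dport, counter(now) - age, 2)
    data = (diff - h2) & MASK24
    if data >= len(MSS_TABLE):
        return None                                # hash mismatch: forged or damaged cookie
    return MSS_TABLE[data]


def accept_ack(saddr: str, daddr: str, sport: int, dport: int,
               client_isn: int, ack_number: int, now: float) -> Optional[int]:
    """The ACK acknowledges cookie+1, so the cookie is ack-1 (modulo 2^32)."""
    return check_cookie(saddr, daddr, sport, dport, client_isn,
                        (ack_number - 1) & MASK32, now)


if __name__ == "__main__":
    # Constructed handshake: client 10.10.1.2:51889 -> server 10.10.4.4:80.
    t0 = 1412843000.0
    peer = ("10.10.1.2", "10.10.4.4", 51889, 80, 2345363030)
    cookie = make_cookie(*peer, 1460, t0)
    print("SYN/ACK ISN (cookie):", cookie)
    print("ACK 10 s later  ->", accept_ack(*peer, cookie + 1, t0 + 10))
    print("ACK 5 min later ->", accept_ack(*peer, cookie + 1, t0 + 300))
    print("forged cookie   ->", accept_ack(*peer, (cookie ^ 0x5A5A) + 1, t0 + 10))
```

The trade-off the demo makes visible is that the cookie has only 24 hash bits and a handful of valid MSS values, which is why the real kernel only falls back to cookies once the SYN backlog is full rather than using them all the time.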

2.9. Repeat steps 3 to 6.

Verify the download time of index.html from that Web server from the USER machine, capturing network packets


sp@sp:~$ sudo tcpdump -r lab01_3.1.syn.txt
reading from file lab01_3.1.syn.txt, link-type EN10MB (Ethernet)
10:02:25.610611 IP sp2.ssh > ms3.59642: Flags [P.], seq 3801157454:3801157486, ack 1546722342, win 453, options [nop,nop,TS val 1399891 ecr 1645160], length 32
10:02:25.614033 IP ms3.59642 > sp2.ssh: Flags [.], ack 32, win 457, options [nop,nop,TS val 1645349 ecr 1399891], length 0
10:02:25.615667 IP ms3.59642 > sp2.ssh: Flags [P.], seq 1:26, ack 32, win 457, options [nop,nop,TS val 1645349 ecr 1399891], length 25
10:02:25.616215 IP sp2.ssh > ms3.59642: Flags [.], ack 26, win 453, options [nop,nop,TS val 1399892 ecr 1645349], length 0
10:02:25.618219 IP ms3.59642 > sp2.ssh: Flags [F.], seq 26, ack 32, win 457, options [nop,nop,TS val 1645350 ecr 1399891], length 0
10:02:25.631124 IP sp2.ssh > ms3.59642: Flags [.], seq 32:1480, ack 27, win 453, options [nop,nop,TS val 1399896 ecr 1645350], length 1448
10:02:25.631176 IP sp2.ssh > ms3.59642: Flags [P.], seq 1480:1680, ack 27, win 453, options [nop,nop,TS val 1399896 ecr 1645350], length 200
10:02:25.635818 IP ms3.59642 > sp2.ssh: Flags [R], seq 1546722368, win 0, length 0
10:02:25.656666 IP ms3 > pr2: ICMP echo request, id 6463, seq 2, length 64
10:02:26.332856 IP6 fe80::a00:27ff:fe3e:aa9.521 > ff02::9.521: ripng-req dump
10:02:26.408823 IP sp4 > igmp.mcast.net: igmp v3 report, 1 group record(s)
10:02:26.412933 IP6 fe80::a00:27ff:fe40:5ef9.521 > fe80::a00:27ff:fe3e:aa9.521: ripng-resp 3: fc00::10:10:1:0/112 (2) fc00::10:10:3:0/112 (1) fc00::10:10:4:0/112 (1)
10:02:26.551313 IP sp4 > igmp.mcast.net: igmp v3 report, 1 group record(s)


10:02:26.601273 IP sp4.route > rip2-routers.mcast.net.route: RIPv2, Request, length: 24
10:02:26.608351 IP mg4.route > sp4.route: RIPv2, Response, length: 44
10:02:26.667927 IP ms3 > pr2: ICMP echo request, id 6463, seq 3, length 64
10:02:27.149665 IP ms3 > sp2: ICMP echo request, id 6466, seq 1, length 64
10:02:27.149867 IP sp2 > ms3: ICMP echo reply, id 6466, seq 1, length 64
10:02:27.153303 IP sp4 > ms3: ICMP host pr2 unreachable, length 68
10:02:27.153388 IP sp4 > ms3: ICMP host pr2 unreachable, length 92
10:02:27.154930 IP sp4 > ms3: ICMP host pr2 unreachable, length 92
10:02:27.154991 IP sp4 > ms3: ICMP host pr2 unreachable, length 92
10:02:28.151638 IP ms3 > sp2: ICMP echo request, id 6466, seq 2, length 64
10:02:28.151849 IP sp2 > ms3: ICMP echo reply, id 6466, seq 2, length 64
10:02:28.451798 IP sp4.51909 > mg4.http: Flags [S], seq 3716617581, win 29200, options [mss 1460,sackOK,TS val 1400601 ecr 0,nop,wscale 6], length 0
10:02:28.455161 IP mg4.http > sp4.51909: Flags [S.], seq 379705590, ack 3716617582, win 28960, options [mss 1460,sackOK,TS val 1628981 ecr 1400601,nop,wscale 5], length 0
10:02:28.455361 IP sp4.51909 > mg4.http: Flags [.], ack 1, win 457, options [nop,nop,TS val 1400602 ecr 1628981], length 0
10:02:28.457246 IP sp4.51909 > mg4.http: Flags [P.], seq 1:108, ack 1, win 457, options [nop,nop,TS val 1400602 ecr 1628981], length 107
10:02:28.459139 IP mg4.http > sp4.51909: Flags [.], ack 108, win 905, options [nop,nop,TS val 1628982 ecr 1400602], length 0
10:02:28.478505 IP mg4.http > sp4.51909: Flags [P.], seq 1:11821, ack 108, win 905, options [nop,nop,TS val 1628984 ecr 1400602], length 11820
10:02:28.479209 IP sp4.51909 > mg4.http: Flags [.], ack 11821, win 826, options [nop,nop,TS val 1400608 ecr 1628984], length 0
10:02:28.479250 IP mg4.http > sp4.51909: Flags [P.], seq 11585:11821, ack 108, win 905, options [nop,nop,TS val 1628987 ecr 1400602], length 236
10:02:28.479416 IP sp4.51909 > mg4.http: Flags [.], ack 11821, win 826, options [nop,nop,TS val 1400608 ecr 1628987,nop,nop,sack 1 {11585:11821}], length 0
10:02:28.884532 IP sp4.51909 > mg4.http: Flags [F.], seq 108, ack 11821, win 826, options [nop,nop,TS val 1400709 ecr 1628987], length 0
10:02:29.010225 IP mg4.http > sp4.51909: Flags [F.], seq 11821, ack 109, win 905, options [nop,nop,TS val 1629120 ecr 1400709], length 0
10:02:29.010412 IP sp4.51909 > mg4.http: Flags [.], ack 11822, win 826, options [nop,nop,TS val 1400741 ecr 1629120], length 0
10:02:29.567510 IP ms3 > sp2: ICMP echo request, id 6466, seq 3, length 64
10:02:29.567642 IP sp2 > ms3: ICMP echo reply, id 6466, seq 3, length 64
10:02:30.249204 IP6 fe80::a00:27ff:fe40:5ef9.521 > ff02::9.521: ripng-resp 3: fc00::10:10:1:0/112 (2) fc00::10:10:3:0/112 (1) fc00::10:10:4:0/112 (1)

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 10:02:28--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null
100%[======================================>] 11,510      --.-K/s   in 0.001s
2014-10-09 10:02:28 (19.6 MB/s) - /dev/null saved [11510/11510]


Verify the status of the TARGET machine

Amount of free memory (including swap)
mg@mg:~$ free -m -t
             total       used       free     shared    buffers     cached
Mem:           186        181                              17         98
-/+ buffers/cache:         66        120
Swap:          507          0        507
Total:         694        181        513

CPU
top - 10:11:02 up  2:02,  3 users,  load average: 0.54, 0.35, 0.29
Tasks:  92 total,   2 running,  90 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  5.2 sy,  0.0 ni, 87.5 id,  0.6 wa,  0.0 hi,  6.0 si,  0.0 st
KiB Mem:    191092 total,   185784 used,     5308 free,    17532 buffers
KiB Swap:   520188 total,        0 used,   520188 free.   100396 cached Mem

Test the packet-injection tool against the TARGET machine from the ATTACKER machine.
ms@ms:~$ sudo hping3 -V -c 20 -d 60 -S -w 64 -p 80 --flood --rand-source 10.10.4.4
using eth2, addr: 10.10.3.2, MTU: 1500
HPING 10.10.4.4 (eth2 10.10.4.4): S set, 40 headers + 60 data bytes
hping in flood mode, no replies will be shown
^C
--- 10.10.4.4 hping statistic ---
9086 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
ms@ms:~$

Repeat step 3.2 several times.


sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 10:24:04--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null

100%[======================================>] 11,510      --.-K/s   in 0.001s

2014-10-09 10:24:04 (15.5 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 10:24:06--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null

100%[======================================>] 11,510      --.-K/s   in 0.006s

2014-10-09 10:24:06 (1.73 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 10:24:07--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null

100%[======================================>] 11,510      --.-K/s   in 0s

2014-10-09 10:24:07 (51.5 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$ wget -O /dev/null 10.10.4.4
--2014-10-09 10:24:08--  http://10.10.4.4/
Connecting to 10.10.4.4:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 11510 (11K) [text/html]
Saving to: /dev/null

100%[======================================>] 11,510      --.-K/s   in 0.002s

2014-10-09 10:24:09 (6.99 MB/s) - /dev/null saved [11510/11510]

sp@sp:~$

TARGET machine status


mg@mg:~$ top -b
top - 10:24:00 up  2:15,  3 users,  load average: 0.04, 0.22, 0.30
Tasks:  92 total,   1 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  5.2 sy,  0.0 ni, 87.5 id,  0.6 wa,  0.0 hi,  6.1 si,  0.0 st
KiB Mem:    191092 total,   182148 used,     8944 free,    16800 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    97488 cached Mem

top - 10:24:04 up  2:15,  3 users,  load average: 0.03, 0.22, 0.29
Tasks:  92 total,   3 running,  89 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.6 us,  7.7 sy,  0.0 ni, 60.8 id,  0.0 wa,  0.0 hi, 30.9 si,  0.0 st
KiB Mem:    191092 total,   182148 used,     8944 free,    16800 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    97488 cached Mem

top - 10:24:07 up  2:15,  3 users,  load average: 0.03, 0.22, 0.29
Tasks:  92 total,   1 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.0 us,  6.3 sy,  0.0 ni, 55.7 id,  0.0 wa,  0.6 hi, 37.3 si,  0.0 st
KiB Mem:    191092 total,   182212 used,     8880 free,    16800 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    97488 cached Mem

top - 10:24:10 up  2:15,  3 users,  load average: 0.03, 0.21, 0.29
Tasks:  92 total,   1 running,  91 sleeping,   0 stopped,   0 zombie
%Cpu(s):  0.7 us,  6.0 sy,  0.0 ni, 46.7 id,  0.0 wa,  0.0 hi, 46.7 si,  0.0 st
KiB Mem:    191092 total,   182240 used,     8852 free,    16808 buffers
KiB Swap:   520188 total,        0 used,   520188 free.    97492 cached Mem
mg@mg:~$

2.10. Observed Results


The tests show that with SYN cookies enabled there is greater control over the traffic, and with it the oscillation is much smaller.
It is advisable to enable SYN cookies to prevent the kind of attack that sends TCP requests in order to lock up the other machine.
With SYN cookies enabled, TCP requests are controlled: when some machine asks for a connection, the server answers and waits for a confirmation of that packet before releasing the connection; that is, after receiving a request, answering it and asking for confirmation, it requires the client that is connecting to send a new confirmation before it obtains the connection with that machine. This is clearly seen in the test performed with SYN cookies enabled at the moment of the user's download from the web server machine.
When SYN cookies are enabled we clearly notice that the connection passes through more filters and, for example, in the case of wget, it becomes much more stable, because it creates a secure connection and guarantees delivery of the service, since it understands that this is not an attack.
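The handshake the paragraph describes, as an added illustrative model that is not code from this report or from the Linux kernel (the secret, the MSS buckets, the 64-second window and the bit layout are assumptions): the server's SYN-ACK carries a cookie in place of a half-open entry, and a connection is created only when the client returns that cookie in its final ACK.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # constructed; a kernel uses a random secret
MSS_TABLE = (536, 1300, 1440, 1460)   # assumed MSS buckets, index kept in 3 bits
SERVER_IP = bytes([10, 10, 4, 4])     # the report's TARGET web server address


def _mac(saddr, daddr, sport, dport, count):
    """24-bit keyed hash over the 4-tuple and the 64-second time counter."""
    msg = struct.pack("!4s4sHHB", saddr, daddr, sport, dport, count)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN placed in the SYN-ACK. It encodes what a half-open entry would hold
    (time window, MSS bucket, proof of the 4-tuple), so no state is stored per SYN."""
    count = (now // 64) & 0x1F                              # 5-bit window counter
    idx = max([i for i, m in enumerate(MSS_TABLE) if m <= mss], default=0)
    return (count << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, count)


def check_cookie(saddr, daddr, sport, dport, ack, now):
    """Validate the final ACK (ack = cookie + 1). Returns the MSS for the new
    connection, or None when the cookie is forged, stale, or tied to another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    age = (((now // 64) & 0x1F) - count) & 0x1F             # windows since issue
    if age > 1 or idx >= len(MSS_TABLE):                    # current or previous only
        return None
    if mac != _mac(saddr, daddr, sport, dport, count):
        return None
    return MSS_TABLE[idx]


class Server:
    """Listener on port 80 that keeps no half-open state, as with SYN cookies on."""

    def __init__(self):
        self.established = {}   # (saddr, sport) -> MSS, filled only on a valid ACK

    def on_syn(self, saddr, sport, mss, now):
        # Answer every SYN with a SYN-ACK; a spoofed source never completes step 3.
        return make_cookie(saddr, SERVER_IP, sport, 80, mss, now)

    def on_ack(self, saddr, sport, ack, now):
        mss = check_cookie(saddr, SERVER_IP, sport, 80, ack, now)
        if mss is not None:
            self.established[(saddr, sport)] = mss
        return mss is not None
```

A flood of SYNs from random sources costs this listener one hash per packet and no memory; only clients that actually return the cookie appear in `established`, which is why the download in the report still completed while the backlog would otherwise have filled.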

