DoS, DDoS, DRDoS and Botnet Attacks


Uploaded by: giolanh

Posted on 23-Nov-2015


Description: Network Security Report


Doãn Văn Duy - Attack Techniques: DoS, DDoS, DRDoS & Botnet

Table of Contents

I - Denial of Service attacks (DoS)
I.1 - Introduction to DoS
I.2 - History of DoS attacks and their development
I.3 - Purpose of DoS attacks and the threat they pose
I.4 - Basic forms of DoS attack
  4.a - Smurf
  4.b - Buffer Overflow Attack
  4.c - Ping of death
  4.d - Teardrop
  4.e - SYN Attack
II - Distributed Denial of Service attacks (DDoS)
II.1 - Introduction to DDoS
II.2 - Characteristics of DDoS attacks
II.3 - DDoS attacks cannot be completely prevented
II.4 - The smart attacker
  4.a - Agent Handler Model
  4.b - IRC-based DDoS attacks
II.5 - Classification of DDoS attacks
II.6 - Reflective DNS attacks
  6.a - Issues related to Reflective DNS attacks
  6.b - Reflective DNS attack tool ihateperl.pl
II.7 - Tools used for DDoS attacks
III - DRDoS (Distributed Reflection Denial of Service)
III.1 - Introduction to DRDoS
III.2 - Countermeasures
  2.a - Minimising the number of Agents
  2.b - Finding and neutralising the Handlers
  2.c - Detecting the signs of an attack
  2.d - Weakening or stopping the attack
  2.e - Diverting the attack
  2.f - The post-attack phase
  2.g - General countermeasures
IV - Botnet
IV.1 - Introduction to Bots and Botnets
  1.a - What is a bot?
  1.b - Why is it called a botnet?
  1.c - IRC
IV.2 - Bots and their applications
  2.a - DDoS
  2.b - Spamming
  2.c - Sniffing and Keylogging
  2.d - Identity theft
  2.e - Hosting illegal software
IV.3 - Different kinds of bot
  3.a - GT-Bot
  3.b - Agobot
  3.c - DSNX
IV.4 - Elements of an attack
IV.5 - Defending against Botnets
  5.a - Hiring a web filtering service
  5.b - Switching browsers
  5.c - Disabling scripts
  5.d - Deploying intrusion detection and intrusion prevention systems
  5.e - Protecting user-generated content
  5.f - Using software tools
V - Conclusion
VI - References

I - Denial of Service attacks (DoS)

I.1 - Introduction to DoS

- A DoS attack is a type of attack in which someone makes a system unusable, or slows it down significantly for normal users, by overloading the system's resources.
- If attackers are not able to break into a system, they try to find a way to make it collapse so that it can no longer serve normal users; that is a Denial of Service (DoS) attack.
- Although a DoS attack cannot access the system's actual data, it can disrupt the services the system provides. As defined above, a DoS attack on a system exploits the weakest points of that system; the purposes of a DoS attack

I.2 - History of DoS attacks and their development

- DoS attacks began around the early 1990s. At first they were entirely primitive: a single attacker consumed as much of the victim's bandwidth as possible, preventing others from being served. This was done mainly with simple methods such as ping floods, SYN floods and UDP floods. Later the attacks became more sophisticated: the attacker impersonated the victim, sent a few messages and let other machines flood the victim with reply messages (Smurf attack, IP spoofing).

- These attacks had to be synchronised manually by several attackers to achieve effective destruction. The shift towards automating this synchronisation and coordination, and towards launching one large parallel attack, became widespread from 1997 with the appearance of the first widely publicised DDoS attack tool, Trinoo. It was based on UDP flood attacks and master-slave communication (making intermediate machines take part in the attack by planting remotely controlled programs on them). In the following years a few more tools became widespread: TFN (tribe flood network), TFN2K and Stacheldraht.

- However, reports of such attacks only started appearing at the end of 1999, and the topic became known to the public only after a large attack on public sites in February 2000. Over a period of 3 days the sites Yahoo.com, amazon.com, buy.com, cnn.com and eBay.com were under attack (Yahoo, for example, was pinged at a rate of 1 GB/s). Since then DoS attacks have occurred regularly. Examples:
- On 15 August 2003, Microsoft suffered an extremely strong DoS attack that disrupted its websites for 2 hours;
- At 15:09 GMT on 27 March 2003, the entire English-language version of the Al-Jazeera website was attacked and disrupted for many hours.

I.3 - Purpose of DoS attacks and the threat they pose

- Trying to seize network bandwidth and flood the network, so that the network can no longer provide other services to normal users.

- Trying to break the connection between two machines and prevent access to a service.

- Trying to keep specific users out of a particular service.

- Trying to block services so that others are unable to access them.

- When a DoS attack happens, users trying to reach the service experience it as:

+ Disable Network: the network is down

+ Disable Organization: the organisation stops operating

+ Financial Loss: money is lost

- As we saw above, a DoS attack happens when the attacker uses up the system's resources so that the system can no longer serve normal users. So which resources do attackers usually go after?

- Creating scarcity: resources that are limited and cannot be renewed

- Network bandwidth, memory, disk, CPU time and data structures are all targets of DoS attacks.

- Attacks on other systems that support the computer network, such as the air-conditioning system, the power system, the cooling system and many other resources of the business. Just imagine: when the power to a web server is cut off, can users still reach that server?

- Destroying or altering configuration information.

- Destroying the physical layer or network equipment such as the power supply, air conditioning, etc.

I.4 - Basic forms of DoS attack

- Smurf

- Buffer Overflow Attack
- Ping of death
- Teardrop
- SYN Attack

4.a - Smurf

- Smurf is a typical DoS attack. The attacker's machine sends a very large number of pings to a large number of computers in a short time, with the source IP address of the ICMP echo packets replaced by the victim's IP address. Those computers then send their ICMP reply packets to the victim.
- As a result the target of the attack receives an enormous wave of ICMP reply packets, so its network drops or slows down and can no longer serve other services.

4.b - Buffer Overflow Attack

- A buffer overflow occurs whenever a program writes more data than the capacity of the buffer in memory.
- An attacker can overwrite data, control the execution of programs and hijack control of some programs in order to execute dangerous code.

- Sending an e-mail message with an attachment longer than 256 characters may cause a buffer overflow.

4.c - Ping of death

- The attacker sends IP packets larger than the maximum of 65,536 bytes allowed for an IP packet.
- Splitting an IP packet into smaller fragments is done at layer II.
- Fragmentation can be performed on an IP packet larger than 65,536 bytes, but the operating system cannot recognise the size of this packet and will reboot, or simply have its communication interrupted.
- Recognising an attacker who sends packets larger than allowed is relatively easy. Example: Ping -l 65500 address (-l: buffer size). Around 1997-1998 this bug was fixed, so today it is only of historical interest.

4.d - Teardrop

In a packet-switched network, data is split into many small packets; each packet has its own offset value and may travel by different routes to the destination. At the destination, the data is reassembled as it was originally thanks to the offset value of each packet.

Exploiting this, a hacker can create many packets with overlapping offset values and send them to the target.

As a result the target computer cannot reassemble these packets, hangs, and has its processing capacity "drained".

4.e - SYN Attack

- The attacker sends (fake) TCP SYN requests to the server under attack. To process this volume of SYN packets the system has to spend an amount of memory on each connection.

- When very many fake SYN packets arrive at the server, they use up all of the server's processing capacity. A normal user connecting to the server starts by sending a TCP SYN request, but by now the server is no longer able to answer and the connection is not made.

Figure: Model of an attack using SYN packets

Step 1: The client sends packets (with SYN=1) to the server requesting a connection.
Step 2: On receiving this packet, the server replies with a SYN/ACK packet to tell the client that it has received the connection request, and prepares resources for the request. The server reserves part of its system resources, such as buffer memory, for receiving and sending data. Other information about the client, such as its IP address and port, is also recorded.
Step 3: Finally, the client completes the three-way handshake by replying to the server with a packet containing ACK, and the connection proceeds.

- Because TCP is a reliable end-to-end protocol, when the server sends SYN/ACK packets in the second handshake step and does not receive the client's reply completing the connection, it still keeps the resources reserved for that connection and keeps resending SYN/ACK packets to the client until it receives a response from the client.

- If this goes on for long, the server quickly becomes overloaded and crashes (hangs), so legitimate requests are refused and cannot be served. You can picture this process as being like a personal computer (PC) hanging when too many programs are opened at once.

II - Distributed Denial of Service attacks (DDoS)

II.1 - Introduction to DDoS

On the Internet, a Distributed Denial of Service (DDoS) attack is a form of attack from many computers on a single target that causes the legitimate requests of normal users to be refused. By generating an extremely large number of packets towards a specific target, it can produce a condition similar to the system being shut down.

In general there are many variants of DDoS attack techniques, but from a technical point of view they can be divided into two types based on the goal of the attack:

- Exhausting bandwidth.

- Exhausting system resources.

A denial of service attack may also include executing malware in order to:

- Overload processing capacity, so that the system cannot perform any other work.

- Trigger immediate faults in the computer's microcode.

- Trigger immediate faults in the instruction sequence, leaving the computer in an unstable state or frozen.

- Exploit faults in the operating system that lead to resource starvation or thrashing, e.g. using up all available capacity so that no real work can be completed.

- Crash the system.

- iFrame denial of service: an HTML page can call a given website with very many requests, repeated many times, until that website's bandwidth is exceeded.

II.2 - Characteristics of DDoS attacks

- It is launched from a huge system of computers on the Internet, and usually relies on services available on the computers in the botnet.

- The attacking services are controlled from the "primary victims", while the compromised computers in the bot network that are used to attack are usually called "secondary victims".

- It is a form of attack that is very hard to detect, because the attack is generated from many IP addresses on the Internet.

- If a single IP address attacks a company, it can be blocked by the firewall. If the attack comes from 30,000 different IP addresses, this becomes extremely difficult.

- A perpetrator can cause considerable damage with a DoS attack, and it becomes even more dangerous when they use a bot network on the Internet to carry out the DoS attack; this is called a DDoS attack.

II.3 - DDoS attacks cannot be completely prevented

- DDoS attacks work by searching for security holes in computers connected to the Internet and exploiting those holes to build a botnet made up of many Internet-connected computers.

- Once a DDoS attack is under way it is very hard to stop it completely.

- Packets arriving at the firewall can be blocked, but most of them come from IP addresses not yet covered by the firewall's access rules and are perfectly valid packets.

- If the packets' source addresses may be spoofed, then when you get no response from the real source addresses you need to block communication with those source addresses.

- However, a botnet consists of thousands to several hundred thousand IP addresses on the Internet, which makes stopping the attack extremely difficult.

II.4 - The smart attacker

Nowadays no attacker uses their own IP address directly to control the botnet attacking the target; instead they usually use an intermediary. Below are the DDoS attack models.

4.a - Agent Handler Model

The attacker uses handlers to control the attack.

4.b - IRC-based DDoS attacks

The attacker uses IRC networks to control, amplify and manage the connections to the computers in the botnet.

II.5 - Classification of DDoS attacks

- Attacks that exhaust the bandwidth to the server.

+ Flood attack

+ UDP and ICMP Flood (flood: inundation)

- Attacks that amplify communication

+ Smurf and Fraggle attack

Figure: The DDoS attack on Yahoo.com in 2000

Figure: Classification of DDoS attacks

Figure: A communication-amplification DDoS attack

As we know, a Smurf attack works by pinging the broadcast address of some network with the source address set to the address of the machine to be attacked, so that all the reply packets are sent to the IP address of the attacked computer.

II.6 - Reflective DNS attacks

6.a - Issues related to Reflective DNS attacks

- A hacker can use a botnet to send a very large number of requests to DNS servers.

- These requests flood the network bandwidth of the DNS servers.

- This kind of attack can be countered by using a firewall to block communication from the computers that have been identified.

- But blocking communication from a DNS server raises big problems, because a DNS server has a very important role on the Internet.

- Blocking DNS communication amounts to preventing normal users from sending mail and visiting websites.

- A DNS request typically takes 1/73 of the time the server spends on the reply packet. Because of this, using a professional tool to multiply the requests to a DNS server will overload it so that it can no longer serve normal users.

6.b - Reflective DNS attack tool ihateperl.pl

- ihateperl.pl is a very small, very effective program based on the DNS-Reflective attack type.

- It uses a list of DNS servers to flood a network with Name Resolution request packets.

- For example, it can use google.com as the name to resolve in the requests sent to the servers, and the domain name can be changed to www.vnexperts.net or any other website the attacker wants.

- Using this tool is very simple: you only need to create a list of DNS servers, give it the IP address of the personal machine and set the number of requests.

II.7 - Tools used for DDoS attacks

Below are the DDoS attack tools.

Trinoo

Tribe flood Network (TFN)

TFN2K

Stacheldraht

Shaft

Trinity

Knight

Mstream

Kaiten

These tools can all be downloaded free of charge from the Internet, but note that they are only weak tools serving as demonstrations of DDoS attacks.

III - DRDoS (Distributed Reflection Denial of Service)

III.1 - Introduction to DRDoS

Appearing in early 2002, it is the newest and strongest type of attack in the DoS family.

If carried out by a skilled attacker, it can bring down any system in the world in an instant.

DRDoS is a combination of the two types, DoS and DDoS.

The main goal of DRDoS is to seize the entire bandwidth of the server, that is, to completely congest the link from the server to the Internet backbone and to exhaust the server's resources.

Suppose we have Server A and a Victim, and a SYN packet is sent to Server A with the source IP spoofed to the Victim's IP. Server A opens a connection and sends a SYN/ACK packet to the Victim, thinking that the Victim wants to open a connection with it. This is the concept of Reflection. The hacker controls a spoofed-SYN generator that sends SYN packets to all the large TCP servers; those TCP servers unwittingly become zombies that join the hacker in attacking the Victim and congesting the Victim's link.

With many large servers taking part, the target server is quickly overloaded and its bandwidth is consumed by the large servers.
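The reflection just described can be recognised from the victim's side, because the victim never sent the SYNs that the reflectors are answering. The following Python code is an added example, not part of the original report; the sensor records, addresses and thresholds are constructed for illustration.

```python
"""Detecting the reflected SYN/ACK flood of a DRDoS attack from the victim's side.

The victim keeps a table of the SYNs it really sent. Every inbound SYN/ACK is
matched against that table; a SYN/ACK with no matching outbound SYN is
"unsolicited" (backscatter from a reflector). Many unsolicited SYN/ACKs from
many distinct servers in a short window is the DRDoS signature.
All packet records below are constructed for this example.
"""
from typing import Iterable, List, Optional, Tuple

# (timestamp_s, direction, src_ip, src_port, dst_ip, dst_port, tcp_flags)
Packet = Tuple[float, str, str, int, str, int, str]


def find_unsolicited_synacks(packets: Iterable[Packet]) -> List[Packet]:
    """Return inbound SYN/ACKs that no earlier outbound SYN from us accounts for."""
    # Connections we opened ourselves: (remote_ip, remote_port, our_port).
    pending = set()
    unsolicited: List[Packet] = []
    for pkt in sorted(packets, key=lambda p: p[0]):
        _ts, direction, sip, sport, dip, dport, flags = pkt
        if direction == "out" and flags == "S":
            pending.add((dip, dport, sport))
        elif direction == "in" and flags == "SA":
            key = (sip, sport, dport)
            if key in pending:
                pending.discard(key)  # legitimate reply to a SYN we sent
            else:
                unsolicited.append(pkt)
    return unsolicited


def reflection_alert(packets: Iterable[Packet], window_s: float = 1.0,
                     min_reflectors: int = 5) -> Optional[dict]:
    """Alert when unsolicited SYN/ACKs from at least `min_reflectors` distinct
    hosts arrive within `window_s` seconds; return None otherwise."""
    unsolicited = find_unsolicited_synacks(packets)
    for i, first in enumerate(unsolicited):
        in_window = [p for p in unsolicited[i:] if p[0] - first[0] <= window_s]
        reflectors = {p[2] for p in in_window}
        if len(reflectors) >= min_reflectors:
            return {"start": first[0], "reflectors": len(reflectors),
                    "synacks": len(in_window)}
    return None


# Constructed capture: one legitimate connection from the victim (192.0.2.5)
# plus eight large servers "answering" SYNs that carried the victim's address.
SAMPLE_PACKETS: List[Packet] = [
    (0.00, "out", "192.0.2.5", 50000, "203.0.113.10", 443, "S"),
    (0.03, "in", "203.0.113.10", 443, "192.0.2.5", 50000, "SA"),
] + [
    (0.10 + i * 0.05, "in", f"198.51.100.{i + 1}", 80, "192.0.2.5", 40000 + i, "SA")
    for i in range(8)
]

if __name__ == "__main__":
    print(reflection_alert(SAMPLE_PACKETS))
```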

The artistry lies in the fact that with just one computer and a 56 kbps modem, a skilled hacker can defeat any server in moments without having to take over a single machine to use as a means of attack.

III.2 - Countermeasures

Many solutions and ideas have been put forward to deal with DDoS-style attacks. However, no solution or idea completely solves the Anti-DDoS problem. New forms of DDoS keep appearing over time alongside the countermeasures, and the race still follows the inevitable law of computer security: the hacker is always one step ahead of the security community. There are three main phases in Anti-DDoS:

- Prevention phase: minimise the number of Agents, find and neutralise the Handlers

- Confrontation phase: detect and block the attack, weaken and stop the attack, divert the attack.

- Post-attack phase: collect evidence and learn lessons

Figure: The phases of DDoS defence in detail


2.a - Minimising the number of Agents

- On the user side: a very good way to prevent DDoS attacks is for each Internet user to guard against being exploited to attack other systems. To achieve this, awareness and defensive techniques must be spread widely among Internet users. An attack network can never form if no user is exploited into becoming an Agent. Users must continually carry out security procedures on their own computers. They must check for the presence of Agents on their own machines, which is very hard for ordinary users.

- Some solutions build in the ability to prevent the installation of dangerous code through the hardware and software of each system. On the user side, users should install and continually update software such as antivirus, anti-trojan and operating-system server patches.

- On the Network Service Provider side: changing to volume-based billing for access would make users pay attention to what they send, so that awareness of detecting DDoS Agents would rise in each user.

2.b - Finding and neutralising the Handlers

An extremely important factor in an attack network is the Handler; if the Handlers can be detected and neutralised, the chance of Anti-DDoS succeeding is very high. By monitoring the communication between Handler and Client, or Handler and Agent, we can discover the Handler's location. Since one Handler manages many Agents, eliminating one Handler also means removing a significant number of Agents from the attack network.

2.c - Detecting the signs of an attack

Many techniques are applied:

- Egress Filtering: this technique checks whether a packet is qualified to leave a subnet, based on the fact that the subnet's gateway always knows the IP addresses of the machines belonging to the subnet. Packets sent out from inside the subnet with an invalid source address are held back so the cause can be investigated. If this technique were applied on every subnet of the Internet, the concept of IP address spoofing would cease to exist.

- MIB statistics: the router's Management Information Base (SNMP) always holds statistics on how the state of the network changes. If we closely monitor the statistics of the ICMP, UDP and TCP protocols, we can detect the moment an attack begins, gaining precious time to handle the situation.
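The two detection techniques above, egress filtering at a subnet gateway and flood onset detection from SNMP counters, in working form. This is an added example, not code from the original report; the counter names are the standard TCP-MIB/UDP-MIB/ICMP-MIB object names, but the addresses, polling data and thresholds are constructed.

```python
"""Two attack-sign detectors from section 2.c: egress filtering at a subnet
gateway and flood onset detection from SNMP MIB counters.
All addresses and counter values below are constructed for this example."""
import ipaddress
from statistics import mean
from typing import Dict, Iterable, List, Tuple


def egress_violations(subnet: str, outbound: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (src, dst) pairs leaving `subnet` whose source address is not in it.
    Such packets are spoofed and should be held back for investigation."""
    net = ipaddress.ip_network(subnet, strict=False)
    return [(src, dst) for src, dst in outbound
            if ipaddress.ip_address(src) not in net]


def counter_rates(samples: List[Dict[str, float]]) -> List[Dict[str, float]]:
    """Turn cumulative SNMP counter samples into per-second rates per interval."""
    rates = []
    for prev, cur in zip(samples, samples[1:]):
        dt = cur["t"] - prev["t"]
        entry = {"t": cur["t"]}
        for name in cur:
            if name != "t":
                entry[name] = (cur[name] - prev[name]) / dt
        rates.append(entry)
    return rates


def detect_flood_onset(samples, baseline_intervals=4, factor=5.0):
    """Flag every interval in which a counter's rate exceeds `factor` times its
    baseline (the mean rate over the first `baseline_intervals` intervals)."""
    rates = counter_rates(samples)
    names = [n for n in rates[0] if n != "t"]
    baseline = {n: mean(r[n] for r in rates[:baseline_intervals]) for n in names}
    alerts = []
    for r in rates[baseline_intervals:]:
        for n in names:
            if baseline[n] > 0 and r[n] > factor * baseline[n]:
                alerts.append({"t": r["t"], "counter": n,
                               "rate": r[n], "baseline": baseline[n]})
    return alerts


# Constructed SNMP polls (every 10 s) of a router's TCP/UDP/ICMP counters.
# tcpPassiveOpens counts inbound connection attempts, so a SYN flood shows
# up there first, before the server behind the router reports trouble.
SAMPLE_COUNTERS = [
    {"t": 0,  "tcpPassiveOpens": 1000,  "udpInDatagrams": 5000, "icmpInEchos": 200},
    {"t": 10, "tcpPassiveOpens": 1050,  "udpInDatagrams": 5400, "icmpInEchos": 210},
    {"t": 20, "tcpPassiveOpens": 1105,  "udpInDatagrams": 5790, "icmpInEchos": 222},
    {"t": 30, "tcpPassiveOpens": 1152,  "udpInDatagrams": 6210, "icmpInEchos": 231},
    {"t": 40, "tcpPassiveOpens": 1201,  "udpInDatagrams": 6600, "icmpInEchos": 243},
    {"t": 50, "tcpPassiveOpens": 1249,  "udpInDatagrams": 7010, "icmpInEchos": 252},
    {"t": 60, "tcpPassiveOpens": 41300, "udpInDatagrams": 7400, "icmpInEchos": 261},
    {"t": 70, "tcpPassiveOpens": 95000, "udpInDatagrams": 7800, "icmpInEchos": 270},
]

# Constructed outbound packets seen at the gateway of 192.0.2.0/24.
SAMPLE_OUTBOUND = [
    ("192.0.2.10", "198.51.100.1"),
    ("203.0.113.7", "198.51.100.1"),   # source is not ours: spoofed
    ("192.0.2.250", "203.0.113.9"),
    ("10.0.0.1", "203.0.113.9"),       # source is not ours: spoofed
]

if __name__ == "__main__":
    print(egress_violations("192.0.2.0/24", SAMPLE_OUTBOUND))
    for alert in detect_flood_onset(SAMPLE_COUNTERS):
        print(alert)
```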

2.d - Weakening or stopping the attack

The following techniques are used:

- Load balancing: setting up a load-balanced architecture for key servers increases the time the system can withstand a DDoS attack. However, this has little practical significance because the scale of the attack is unlimited.

- Throttling: setting up a throttling mechanism on the router that specifies a reasonable load that the servers behind it can handle. This method can also be used to keep DDoS traffic from preventing users from reaching the service. Its limitation is that it cannot distinguish between kinds of traffic, so sometimes the service is interrupted for users, and DDoS traffic can still enter the service network, though in limited quantity.

- Drop request: setting up a mechanism that drops a request if it violates certain rules, such as a prolonged delay, consuming too many processing resources or causing a deadlock. This technique removes the ability to exhaust the system's capacity, but it also limits some normal activities of the system, so it must be used with care.

2.e - Diverting the attack

Honeypots: one technique under study is the honeypot. A honeypot is a system designed to lure attackers into attacking it when they break into the system, so that they do not pay attention to the really important systems.

Honeypots not only act as a decoy but are also very effective at detecting and handling intrusions, because monitoring and alerting mechanisms are set up on them in advance.

Honeypots are also valuable for learning from the attacker and drawing lessons, because they record the attacker's every move on the system in considerable detail. If the attacker is deceived into installing an Agent or Handler on the honeypot, the chance of eliminating the entire attack network is very high.

2.f - The post-attack phase

In this phase the following tasks are usually performed:

- Traffic Pattern Analysis: if statistics on how the traffic volume varied over time were saved, they are brought out for analysis. This analysis is very useful for fine-tuning the Load Balancing and Throttling systems. The data also helps the network administrator adjust the rules controlling traffic into and out of the network.

- Packet Traceback: using traceback techniques we can trace back the attacker's location (at least the attacker's subnet). From traceback we can develop a fairly effective ability to block the attacker. Recently there has been a fairly effective traceback technique that can trace the origin of an attack in under 15 minutes, the XXX technique.

- Event Logs: by analysing the log files after the attack, the network administrator can find many clues and important pieces of evidence.

2.g - General countermeasures

1. When you detect that your server is under attack, quickly trace the IP addresses and block them from sending data to the server.
2. Use the packet-filtering feature of the router/firewall to discard unwanted packets, reducing network traffic and the server's load.
3. Use the features that allow a rate limit to be set on the router/firewall to limit the number of packets entering the system.
4. If the attack is due to a software or device bug, quickly apply the patches to the system or replace it.
5. Use mechanisms, tools and software that counter TCP SYN Flooding.
6. Turn off other services on the server, if any, to reduce load so it can respond better. If possible, upgrade the hardware to raise the system's capacity, or add further servers with the same functions to share the load.
7. Temporarily move the server to another address.

IV - Botnet

A brief history:

- The end of the 19th century and the beginning of the new millennium marked the rapid, strong development of a number of distinct attack strategies against network systems. DDoS, Distributed Denial of Service, the notorious form of distributed denial of service attack, was born. Like its sibling DoS (denial of service attack), DDoS spread very widely, mainly thanks to its simplicity and the difficulty of tracing it. Much experience in dealing with it has been shared, and a considerable body of knowledge exists, but today DDoS is still a serious threat and a dangerous tool in the hands of hackers. Let us look at DDoS and its successor: botnet attacks.

IV.1 - Introduction to Bots and Botnets

1.a - What is a bot?

Bots are programs similar to a Trojan backdoor that let the attacker use the victim's machine as a zombie (a completely hijacked computer), and they actively connect to a server so that they can be controlled easily. Note that this word "actively" is a feature that distinguishes a bot from a trojan backdoor. Because of this active behaviour, a computer on which a bot has been installed becomes sluggish, which is a characteristic that makes bots easy to recognise.

1.b - Why is it called a botnet?

A botnet is a very large network of hundreds or thousands of zombie computers connected to a mIRC (Internet Relay Chat) server, or via DNS servers, in order to receive commands from the hacker as quickly as possible. Bot networks of thousands of members are an ideal tool for campaigns such as DDoS, spam, installing adware, etc.

1.c - IRC

- IRC stands for Internet Relay Chat. It is a protocol designed for real-time chat-style communication (see RFC 1459 and its updates RFC 2810, 2811, 2812 and 2813) based on a client-server architecture. Almost all IRC servers allow free access regardless of who uses them. IRC is an open network protocol built on TCP (Transmission Control Protocol), sometimes enhanced with SSL (Secure Sockets Layer).
- An IRC server connects to other IRC servers in the same network. IRC users can communicate either publicly (on channels) or privately (one to one). There are two basic levels of access to an IRC channel: user level and operator level. The user who creates a private channel becomes its operator. An operator has more privileges (depending on the modes set by the original operator) than an ordinary user.
- IRC bots are treated like ordinary users (or operators). They are daemon processes that can run some operations automatically. Controlling these bots is usually based on the hacker sending commands to set up a communication channel, with destruction as the main purpose. Naturally, administering bots also requires an authentication and authorisation mechanism, so that only their owner can use them.
- An important component of these bots is the events they can use to spread quickly to other computers. Careful planning of the attack program yields better results in less time (such as compromising more computers). A number n of bots connected to a single channel, waiting for commands from the attacker, is called a botnet.
- Not long ago, zombie networks (another name for computers compromised by bots) were usually controlled through proprietary tools deliberately developed by the crackers themselves. Over time they moved towards remote-control methods. IRC is regarded as the best tool for launching attacks thanks to its flexibility, ease of use and above all the fact that public servers can be used as a means of communication. IRC offers a simple and flexible way to control hundreds or even thousands of bots at once. It also lets the attacker hide their real identity with a few simple tricks such as anonymous proxies or IP address spoofing. At the same time, for the very same reason, they leave traces that the server administrator can follow.
- In most cases of bot attacks, the victims are mainly individual computer users, university servers or small business networks. The reason is that computers in these places are not closely monitored and often have no network protection at all. These users usually have no security policy, or an incomplete one that only covers certain parts. Most home users on ADSL connections are not aware of the dangers around them and do not use protective software such as antivirus tools or personal firewalls.

IV.2 - Bots and their applications

- The possible uses of bots and their applications on a fully compromised computer depend entirely on the creativity and skill of the attacker. Let us look at some of the most common applications.

2.a - DDoS

- Botnets are used frequently in Distributed Denial of Service (DDoS) attacks. An attacker can control a large number of compromised computers from a remote station, exploiting their bandwidth and sending connection requests to the server. Many networks have been left in a terrible state after suffering attacks of this kind, and in some cases the perpetrators were found while the attack was still in progress (as in the dotcom wars).

Distributed denial of service attacks (DDoS)

- A DDoS attack is a variant of flooding DoS. Its purpose is to flood the target network, using all available bandwidth. The attacker then has the enormous bandwidth of the whole network to flood the target website. It is the best way to launch an attack once many computers are under control. Each computer contributes its own bandwidth (for example a home PC user on ADSL). All of it is used at once, distributing the attack on the target website. One of the most common attack types is carried out using TCP (a connection-oriented protocol) and is called TCP SYN flooding. It works by sending a huge number of TCP connection requests simultaneously to a web server (or any other service), flooding the server's resources, which exhausts the bandwidth and prevents other users from opening their own connections. Simple indeed, but really dangerous! Similar results are obtained using UDP (a connectionless protocol).
- Hackers also invest a good deal of time and effort in improving their attack methods. Today, computer network users like us face techniques far more sophisticated than the traditional DDoS attack. These techniques let an attacker control an extremely large number of compromised computers (zombies) from a remote station simply by using the IRC protocol.

2.b - Spamming

- Botnets are an ideal tool for spammers. They have been, are and will be used both to exchange harvested e-mail addresses and to control the spam-sending mechanism in the same way as a DDoS attack. Spam is sent to the botnet, then distributed via the bots and from there sent out by the compromised computers. All the spammers remain anonymous and the compromised computers bear all the consequences.

2.c - Sniffing and Keylogging

- Bots can also be used effectively to enhance the classic art of sniffing. By watching the data traffic passing through, you can identify an unbelievable amount of information being transmitted. This may be user habits, TCP packet payloads and other interesting information (such as passwords and user names). The same applies to keylogging, a form of collecting everything typed on the keyboard when the user enters it into the computer (such as e-mail, passwords, banking data, PayPal accounts, etc.).

2.d - Identity theft

- The methods mentioned above let the attacker controlling a botnet collect an enormous amount of personal information. That data can be used to build fake identities, which are then abused to access personal accounts or carry out many other activities (possibly in preparation for further attacks), and the one who suffers the consequences is none other than the owner of that information.

2.e - Hosting illegal software

- This is the last form, but not the end of the story. Computers compromised by bots can be used as a dynamic repository for illegal material (pirated software, pornographic pictures, etc.). The data is stored on the hard disk while the ADSL user has no idea.
- There are many, many other kinds of application built on botnets (such as pay-per-click abuse, phishing, hijacking HTTP/HTTPS connections, etc.), but listing them all would take hours. A bot itself is just a tool that can easily be assembled and adapted to any activity that requires placing a single point of control over a large number of computers.

IV.3 - Different kinds of bot

- Many kinds of bot have been built and are offered for download all over the Internet. Each kind has its own special components. We will look at some of the most common bots and discuss their main components and distinguishing features.

3.a - GT-Bot

- All GT (Global Threat) bots are based on the popular IRC client for Windows called mIRC. The core of these bots is a set of mIRC scripts used to control the system's operation remotely. This kind of bot launches an enhanced client session with the control scripts and uses a second application, usually HideWindows, to hide mIRC from the user of the target computer. An additional DLL file adds new features to mIRC so that the scripts can govern many different aspects of the compromised computer.

3.b - Agobot

- Agobot is one of the most popular kinds of bot, often used by professional crackers. It is written in C++ and released under the GPL licence. What is interesting about Agobot is its source code. Being highly modular, Agobot makes it easy to add new functions. It also offers many mechanisms for hiding itself on the user's computer. Agobot's main components are: NTFS Alternate Data Stream, Antivirus Killer and Polymorphic Encryptor Engine. Agobot provides traffic sorting and sniffing features. Protocols other than IRC can also be used to control this kind of bot.

3.c - DSNX

- Dataspy Network X (DSNX) is also written in C++ and its source code is licensed under the GPL. This kind of bot adds a new feature: a simple plug-in architecture.

3.d - SDBot

- SDBot is written in C and also uses the GPL licence. Unlike Agobot, the source code of this kind of bot is very clear and the software itself has a limited set of functions. But SDBot is very popular and has been developed into many different variants.

IV.4 - Elements of an attack

Figure 1 shows the structure of a typical botnet:

Figure 1: Structure of a typical botnet

First the attacker spreads a trojan horse to many different computers. These computers become zombies (compromised computers) and connect to an IRC server to listen for further commands. The IRC server may be a public machine on one of the IRC networks, or a dedicated machine that the attacker has installed on one of the compromised computers.

The bots running on the compromised computers form a botnet.

A concrete example

The attacker's activity can be divided into four phases:
+ Creation
+ Configuration
+ Attack
+ Control

- The Creation phase depends largely on the attacker's skill and requirements. A professional cracker may consider writing their own bot code or simply extending and customising an existing one. The number of available bots is very large and they are highly configurable. Some even allow easier operation through a graphical interface. This phase is not difficult and is usually where newcomers start.
- The Configuration phase is about providing the IRC server and channel. After installation on a controlled computer, the bot connects to the chosen host. First the attacker enters the data needed to restrict access to the bot, secures the channel and finally supplies a list of authorised users (those who can control the bot). At this stage the bot can be tuned further, such as defining the attack method and the intended target.

- The Attack phase uses many different techniques, both direct and indirect, to spread the bot. Direct forms may exploit a vulnerability in the operating system or a service. Indirect forms usually deploy some other software for the dirty work, such as using malformed HTML files to exploit Internet Explorer vulnerabilities, or using other malicious software distributed through peer-to-peer networks or through DCC (Direct Client-to-Client) file exchange on IRC. Direct attacks are usually automated through worms. All these worms have to do is search the subnets of the system for vulnerabilities and inject the bot code. Each compromised system then continues the attack program, which lets the attacker save the resources used earlier and gain more time to look for other victims.
- The mechanism used to distribute bots is one of the main causes of what is called Internet background noise. A number of main ports are used for Windows, specifically Windows 2000 and XP SP1 (see Table 1). These appear to be hackers' favourite targets, because it is very easy to find a Windows computer that is not fully patched or has no firewall software installed. This is also very common among home users and small businesses, which often ignore security and are always connected to broadband Internet.

Table 1 - List of ports associated with service vulnerabilities

Port    Service
42      WINS (Host Name Server)
80      HTTP (IIS or Apache vulnerability)
135     RPC (Remote Procedure Call)
137     NetBIOS Name Service
139     NetBIOS Session Service
445     Microsoft-DS Service
1025    Windows Messenger
1433    Microsoft SQL Server
2745    Bagle worm backdoor
3127    MyDoom worm backdoor
3306    MySQL UDF (User Definable Functions)
5000    UPnP (Universal Plug and Play)

- The Control stage comprises a number of activities performed after the bot has been installed on the target machine in a chosen directory. To start together with Windows, the bot updates the registry keys, usually HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.

- The first thing the bot does after a successful installation is connect to an IRC server and join the control channel using a password. The IRC nickname is generated randomly. The bot then stands ready, waiting for commands from the master application. The attacker must also use a password to connect to the botnet; this is necessary so that nobody else can use the botnet that has been set up.
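The Run-key persistence just described is something a defender can audit. The script below is an added example, not code from the original report or from any product it names: it parses the text that the Windows reg query command prints for the Run key and flags startup entries whose executable lives in a user-writable directory. The sample output, the entry names (including the look-alike svch0st.exe) and the directory markers are constructed assumptions.

```python
"""Audit Windows Run-key entries from captured `reg query` output.

Added example for this section (not code from the original report). Bots
usually persist by adding themselves under the CurrentVersion\\Run key;
this script parses the text that `reg query` prints for that key and flags
startup entries whose executable lives in a user-writable directory. The
sample output, entry names and directory markers are constructed assumptions.
"""
import re
from typing import List, Tuple

RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Locations a normal user can write to. A startup entry pointing here is not
# proof of infection, but it deserves a manual look (assumption for the example).
USER_WRITABLE_MARKERS = (
    r"\appdata\local\temp",
    r"\users\public",
    r"\windows\temp",
)

# One value line as `reg query` prints it: "    <name>    REG_SZ    <data>".
ENTRY_RE = re.compile(r"^\s+(?P<name>\S.*?)\s+REG_(?:EXPAND_)?SZ\s+(?P<value>.+?)\s*$")

# Constructed sample of `reg query <RUN_KEY>` output; the last entry is the
# kind of self-registration a bot would add.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    OneDrive          REG_SZ           "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    updater           REG_SZ           "C:\Users\Public\svch0st.exe" -q
"""


def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value name, value data) pairs for every REG_SZ/REG_EXPAND_SZ line."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("name"), match.group("value")))
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run-key command line.

    A quoted path is taken up to the closing quote; otherwise the first
    whitespace-delimited token is used (unquoted paths containing spaces are
    ambiguous on Windows, which is why they should be quoted in the first place).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    """Flag Run-key entries whose executable resides in a user-writable directory."""
    flagged = []
    for name, value in parse_reg_query(text):
        path = executable_path(value).lower()
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            flagged.append((name, path))
    return flagged


if __name__ == "__main__":
    print(f"Auditing {RUN_KEY}")
    for name, path in suspicious_entries(SAMPLE_REG_QUERY):
        print(f"  REVIEW: {name} -> {path}")
```

On a real host the text would come from running reg query against RUN_KEY (and the HKEY_CURRENT_USER counterpart) and feeding its output to suspicious_entries; a hit is a prompt for review, not a verdict.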

- IRC not only provides the means to control hundreds of bots, it also lets attackers use various techniques to hide their real identity. This makes responding to attacks difficult. Fortunately, by their very nature botnets always generate suspicious traffic, which makes them easy to detect through known patterns or models. That helps IRC administrators detect and intervene in time, allowing them to remove botnets and other unwanted abuse from their systems.

- Faced with this, attackers have been forced to devise other methods, improving the C&C (Command and Control) technique into what is called botnet hardening. In this newer technique the bots are usually configured to connect to several different servers using a dynamically mapped hostname. The attacker can thus move the bots to a new server easily and keep full control even when a bot has been detected. Dynamic DNS services such as dyndns.com or no-IP.com are often used in this kind of attack.

Dynamic DNS

- Dynamic DNS (as in RFC 2136) is a system that links a domain name to a dynamic IP address. Users connecting to the Internet over a modem, ADSL or cable usually do not have a fixed IP address. When a user connects to the Internet, the Internet service provider (ISP) assigns an unused IP address drawn from a chosen pool. This address is usually kept until the user ends that connection.

- This mechanism lets ISPs make the most of their IP address space, but it hinders users who need to run some service over the Internet for a long period without having a static IP address. Dynamic DNS was created to solve this problem: the provider gives the service a dedicated program that signals the DNS database whenever the user's IP address changes.

- To hide its activity, the IRC channel is configured to restrict access and conceal operations. Typical IRC modes for a botnet channel are: +k (a password is required to join the channel); +s (the channel is not shown in the public channel list); +u (only operators are shown in the user list); +m (only users with voice status, +v, can send messages to the channel). Nearly every attack expert uses a private IRC server and encrypts all communication on the channel.
They also tend to use personalised variants of IRC server software, configured to listen on non-standard ports and to use a modified version of the protocol, so that an ordinary IRC client cannot connect to the network.

IV.5 - Botnet countermeasures:

- Botnets are a threat that spreads further by the day, but there are many ways to counter them and reduce the harm they cause. We introduce six fairly professional ways to fight back against botnets.

5.a - Hire a Web filtering service

- Web filtering services are one of the best ways to fight bots. These services scan websites for unusual behaviour or malicious code activity and block such sites for their users.

- Websense, Cyveillance and FaceTime Communications are typical examples. All of them check the Internet in real time for websites suspected of dangerous activity, such as downloading JavaScript and other tricks that go beyond ordinary browsing. Cyveillance and Support Intelligence also offer services that notify website operators and ISPs when malware has been found, so that compromised servers can be repaired promptly.

5.b - Switch browsers

- Another way to block bot infiltration is not to rely on a single browser. Internet Explorer and Mozilla Firefox are the two most popular browsers, and for that reason they are also the browsers that malware concentrates on. We can use Apple Safari, Google Chrome, Opera, Netscape and so on. The same applies to operating systems. According to statistics, Macs are safer from botnets because most botnets target Windows. A *nix-family operating system can also be used to keep out malicious software such as viruses, trojans, spyware and worms, since this malware mostly runs only on the most popular operating system, Windows.

5.c - Disable scripts

- Another approach is to disable scripting in the browser altogether, although this can make things difficult for some employees who rely on customised, web-based applications for their work.

5.d - Deploy intrusion detection and intrusion prevention systems

- Another method is to tune IDS and IPS so that they can look for botnet-like activity.

- For example, a computer that suddenly shows up on Internet Relay Chat is thoroughly suspicious. The same goes for connections to remote IP addresses or invalid DNS addresses. Although this is hard to detect, there is another tell-tale sign: an unexpected surge in SSL traffic on a computer, especially on unusual ports. That may mean the botnet's control channel has been activated.

- Therefore we need an IPS that inspects for abnormal behaviour in order to raise alerts on attacks based on HTTP and remote procedure calls, Telnet, Address Resolution Protocol spoofing and other attacks. Nevertheless, bear in mind that many IPS sensors use signature-based detection, which means an attack is only added to the database once it has been discovered. IPS signatures must therefore be updated promptly to recognise these attacks, otherwise the detector is of no value.
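The indicators listed above (a host that suddenly appears on IRC, a surge of SSL/TLS traffic on unusual ports, and, from the botnet hardening discussion earlier, lookups of dynamic-DNS hostnames) can be turned into simple detection logic. The following script is an added example, not code from the original report or from any IDS product: it runs those three checks over a few constructed log lines. The log format, host names, port sets, suffix list and the surge threshold are assumptions made for the example.

```python
"""Flag botnet-like network behaviour in constructed connection logs.

Added example (not code from the original report). It checks for the
indicators the report names: a host that suddenly starts talking to IRC
servers, a burst of SSL/TLS connections on unusual ports, and DNS lookups for
dynamic-DNS hostnames of the kind used to move bots between C&C servers. The
log format, host names, thresholds and port sets are assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

IRC_PORTS = {6667, 6697}                       # plain and TLS IRC (assumption)
COMMON_TLS_PORTS = {443, 465, 993, 995, 8443}  # TLS on these ports is normal (assumption)
# The report names dyndns.com and no-IP.com; the other suffixes are assumed.
DYNAMIC_DNS_SUFFIXES = ("dyndns.com", "dyndns.org", "no-ip.com", "no-ip.org")

# Constructed sample: ws-17 behaves like a freshly installed bot, ws-02 is a
# normal workstation. Format: "<timestamp> <host> CONN <ip>:<port> <tls|plain>"
# or "<timestamp> <host> DNS <query name>".
SAMPLE_LOG = """
2024-05-01T09:00:01 ws-17 DNS c2.no-ip.org
2024-05-01T09:00:02 ws-17 CONN 203.0.113.5:6667 plain
2024-05-01T09:00:05 ws-17 CONN 203.0.113.5:8081 tls
2024-05-01T09:00:35 ws-17 CONN 203.0.113.5:8081 tls
2024-05-01T09:01:05 ws-17 CONN 203.0.113.5:8081 tls
2024-05-01T09:00:10 ws-02 DNS www.example.com
2024-05-01T09:00:11 ws-02 CONN 198.51.100.10:443 tls
2024-05-01T09:00:12 ws-02 CONN 198.51.100.10:80 plain
"""


@dataclass(frozen=True)
class Event:
    timestamp: str
    host: str
    kind: str     # "CONN" or "DNS"
    target: str   # "ip:port" for CONN, lower-cased query name for DNS
    tls: bool


@dataclass(frozen=True)
class Alert:
    host: str
    indicator: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one log line in the constructed format; raise ValueError on anything else."""
    parts = line.split()
    if len(parts) == 5 and parts[2] == "CONN":
        ip_text, _, port_text = parts[3].rpartition(":")
        ipaddress.ip_address(ip_text)   # reject malformed addresses early
        int(port_text)                  # ... and malformed ports
        return Event(parts[0], parts[1], "CONN", parts[3], parts[4] == "tls")
    if len(parts) == 4 and parts[2] == "DNS":
        return Event(parts[0], parts[1], "DNS", parts[3].lower().rstrip("."), False)
    raise ValueError(f"unrecognised log line: {line!r}")


def is_dynamic_dns_name(name: str) -> bool:
    """True when the name is, or is a subdomain of, a dynamic-DNS provider domain."""
    return any(name == s or name.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def triage(lines: Iterable[str], tls_surge_threshold: int = 3) -> List[Alert]:
    """Run the three indicator checks over the log and return one alert per finding."""
    alerts: List[Alert] = []
    odd_tls = defaultdict(list)   # host -> targets of TLS connections on unusual ports
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        ev = parse_event(raw)
        if ev.kind == "DNS":
            if is_dynamic_dns_name(ev.target):
                alerts.append(Alert(ev.host, "DYNAMIC_DNS_LOOKUP", ev.target))
            continue
        port = int(ev.target.rpartition(":")[2])
        if port in IRC_PORTS:
            alerts.append(Alert(ev.host, "IRC_CONNECTION", ev.target))
        if ev.tls and port not in COMMON_TLS_PORTS:
            odd_tls[ev.host].append(ev.target)
    # One odd TLS connection is noise; a burst of them is the sign the report describes.
    for host, targets in odd_tls.items():
        if len(targets) >= tls_surge_threshold:
            alerts.append(Alert(host, "TLS_SURGE_UNUSUAL_PORT",
                                f"{len(targets)} connections, e.g. {targets[0]}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(f"{alert.host:6} {alert.indicator:24} {alert.detail}")
```

The surge rule is deliberately count-based rather than signature-based, which is the point the text makes about signature-only sensors: a bot talking to a server nobody has written a signature for still stands out by where and how often it connects.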

5.e - Protect user-generated content

- Your own website's activities must also be protected so that it does not become an unwitting accomplice of malware writers. Public blogs and company forums should be restricted to text only.

- If your site needs to let members exchange files, it must be set up to allow only a limited set of file types that are known to be safe, for example files with the .jpeg or .mp3 extension. (Even so, malware writers have begun to target MP3 listeners.)
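One way to enforce the file-type restriction above, as an added example that is not code from the original report: the check accepts an upload only when its extension is on a small allowlist and its leading bytes match that type, so a program renamed to photo.jpeg is rejected along with anything not on the list. The byte signatures and sample contents are constructed for the example.

```python
"""Allowlist check for member file uploads (added example, not from the report).

It implements the advice to accept only a small set of safe file types, such
as .jpeg or .mp3, and also checks the leading bytes so that a renamed program
cannot pass simply by carrying an allowed extension. Signatures and sample
bytes are constructed for the example.
"""
import os
from typing import Tuple

# Allowed extension -> byte signatures the file content must start with.
ALLOWED_TYPES = {
    ".jpeg": (b"\xff\xd8\xff",),
    ".jpg": (b"\xff\xd8\xff",),
    ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}

# Constructed sample contents: a JPEG header, an MP3 with an ID3 tag, and a
# Windows executable header ("MZ") that someone renamed to look like a picture.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
MP3_SAMPLE = b"ID3\x04\x00\x00\x00\x00\x00\x00"
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00"


def check_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Accept only an allowlisted extension whose content matches."""
    # Drop any directory part (Windows or POSIX separators) so only the name is judged.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or any(ord(ch) < 32 for ch in name):
        return False, "invalid file name"
    # splitext keeps only the last extension, so "song.mp3.exe" yields ".exe" and fails below.
    stem, ext = os.path.splitext(name.lower())
    if not stem or ext not in ALLOWED_TYPES:
        return False, f"extension {ext or '(none)'} is not on the allowlist"
    if not any(data.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not match {ext}"
    return True, "accepted"


if __name__ == "__main__":
    for fname, blob in [("photo.jpeg", JPEG_SAMPLE), ("song.mp3", MP3_SAMPLE),
                        ("photo.jpeg", EXE_SAMPLE), ("tool.exe", EXE_SAMPLE)]:
        print(fname, check_upload(fname, blob))
```

Serving the accepted files from a location that never executes content, and with the server-chosen name rather than the uploader's, closes the remaining gap that an allowlist alone leaves open.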

5.f - Use software tools

- If you discover that a computer has been infected and the system has no good way to deal with the situation, there is no need to panic: companies such as Symantec state that they can detect and clean even the most dangerous rootkit infections. The company introduced a new technology in Veritas, VxMS (Veritas Mapping Service), which lets the antivirus scanner bypass the Windows File System API, a component controlled by the operating system that a rootkit can subvert. VxMS accesses the raw files of the Windows NT File System directly. Other antivirus vendors, including McAfee and F-Secure, are also working on fighting rootkits.

V - Conclusion:

In general, denial-of-service attacks are not very hard to carry out but are very hard to defend against, because of their unexpected nature and because the defence is usually reactive, mounted after the fact. Responding by adding hardware is also a good solution, but continuous monitoring to detect and promptly block IP packets from untrusted sources is the most effective.

Depending on the specific architecture and scale of the system, different protective and preventive measures apply.

The techniques above are, and remain, a serious menace to the global Internet. There is a great deal to do and to prepare in order to bring them under control. We must take more concrete and forceful steps together to contain this type of attack.

VI - References

1 - Books:

[1] Tactical Perimeter Defense

[2] Network Security lecture slides - Th.s T Nguyn Nht Quang.

2 - Internet:

[1] www.hvaonline.net

[2] www.ceh.vn

[3] www.24hcongnghe.net

[4] www.wikipedia.org

[Figure: DDoS countermeasures diagram (image not preserved). Labels recoverable from it: DDoS Countermeasures; Detect and Neutralize handler; Detect and Prevent Agent; Detect/Prevent Potential Attack; Mitigate/Stop Attack; Deflect Attack; Post attack Forensic; Throttling; Drop Request; Egress Filtering; MIB Statistic; Individual user; Network Service Provider; Install Software Patch; Build in defense; Cost; Traffic Pattern Analysis; Packet Traceback; Event Log; Honeypots; Shadow Real Network; Study Attack; Load Balancing.]