Running the strings command on the Handler binary reveals plaintext strings such as the following (the output has been edited):
--------------------------------------------------------------------------
% strings -n 3 master
socket
stream
bind
stream attack !
listen
servers
setsockopt
Prints all known servers.
fcntl
ping
You're too idle !
ping all servers.
Connection from %s
who
newserver
tells you the ips of the people log
New server on %s.
mstream
pong
lets you stream more than one ip at
Got pong number %d from %s
who
%s has disconnected (not auth'd): %s
Currently Online:
Invalid password from %s.
Socket number %d
Password accepted for connection fr
[%s]
Lost connection to %s: %s
ping
stream
Pinging all servers.
Usage: stream
mstream
Unable to resolve %s.
Usage: mstream
stream/%s/%s
MStreaming %s for %s seconds.
Streaming %s for %s seconds.
mstream/%s/%s
quit
fork
%s has disconnected.
Forked into background, pid %d
servers
Caught SIGHUP, ignoring.
Server file doesn't exist, creating
Caught SIGINT, ignoring.
The following ips are known servers
Segmentation Violation, Exiting cle
help
Caught unknown signal, This should
commands
Available commands:
--------------------------------------------------------------------------
Checking the Agent with lsof; on this host it is named "rpc.wall", and the Handler uses the same name:
--------------------------------------------------------------------------
COMMAND   PID USER  FD   TYPE DEVICE    SIZE  NODE NAME
rpc.wall  588 root  cwd  DIR     3,2    1024     2 /
rpc.wall  588 root  rtd  DIR     3,2    1024     2 /
rpc.wall  588 root  txt  REG     3,3   17016 15765 /usr/bin/rpc.wall
rpc.wall  588 root  mem  REG     3,2  342206 30771 /lib/ld-2.1.1.so
rpc.wall  588 root  mem  REG     3,2 4016683 30789 /lib/libc-2.1.1.so
rpc.wall  588 root    0u CHR     5,1          4952 /dev/console
rpc.wall  588 root    1w FIFO    0,0           646 pipe
rpc.wall  588 root    2w FIFO    0,0           647 pipe
rpc.wall  588 root    3u IPv4             656       UDP *:10498
rpc.wall  588 root    4u IPv4             657       UDP *:1044
rpc.wall  588 root    5u IPv4             658       UDP *:1045
rpc.wall  588 root    6u raw            30219       00000000:00FF->00000000:0000 st=07
rpc.wall  588 root    7r FIFO    0,0           648 pipe
rpc.wall  588 root    8u raw            30241       00000000:00FF->00000000:0000 st=07
rpc.wall  588 root    9u CHR     5,1          4952 /dev/console
rpc.wall  588 root   10u IPv4           30244       UDP *:1051
rpc.wall  588 root   11u raw            30245       00000000:00FF->00000000:0000 st=07
rpc.wall  588 root   21w FIFO    0,0           648 pipe
--------------------------------------------------------------------------
Both server.c and master.c contain bugs, so the Agent ends up with extra raw sockets and UDP sockets (two of each in this example), and the Handler ends up with extra open file handles and UDP sockets (Andrew Korty once observed several hundred). mstream is clearly at an early stage of development, so these signatures are not reliable.
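As an added host-side check (example code written for this page, not part of the mstream analysis or the mstream sources), the following Python script parses lsof output in the column layout shown above and reports processes that hold raw sockets alongside UDP listeners, flagging the UDP ports this page associates with mstream (10498 on the Agent, 6838 on the Handler). The rpc.wall rows are taken from the listing above; the syslogd row is constructed for contrast. Because the extra-socket counts come from bugs in an early codebase and are not a stable signature, the script reports the profile rather than asserting a match.

```python
import re

# UDP ports this page associates with mstream: agent listener and handler listener.
MSTREAM_UDP_PORTS = {10498, 6838}

# Assumption: the old lsof layout shown above, where socket rows carry no DEVICE/SIZE
# columns (COMMAND PID USER FD TYPE NODE NAME). Constructed sample: rpc.wall rows are
# from the page, the syslogd row is made up for contrast.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.wall 588 root txt REG 3,3 17016 15765 /usr/bin/rpc.wall
rpc.wall 588 root 3u IPv4 656 UDP *:10498
rpc.wall 588 root 4u IPv4 657 UDP *:1044
rpc.wall 588 root 5u IPv4 658 UDP *:1045
rpc.wall 588 root 6u raw 30219 00000000:00FF->00000000:0000 st=07
rpc.wall 588 root 7r FIFO 0,0 648 pipe
rpc.wall 588 root 8u raw 30241 00000000:00FF->00000000:0000 st=07
rpc.wall 588 root 10u IPv4 30244 UDP *:1051
rpc.wall 588 root 11u raw 30245 00000000:00FF->00000000:0000 st=07
syslogd 312 root 3u IPv4 512 UDP *:514
"""

UDP_NAME_RE = re.compile(r"^UDP \S*:(\d+)$")


def parse_lsof(text):
    """Return {pid: {"command", "raw", "udp_ports"}} from lsof text."""
    procs = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] == "COMMAND":
            continue
        command, pid, ftype = tok[0], int(tok[1]), tok[4]
        entry = procs.setdefault(pid, {"command": command, "raw": 0, "udp_ports": []})
        if ftype == "raw":
            entry["raw"] += 1
        elif ftype in ("IPv4", "IPv6"):
            # NAME is everything after the NODE column, e.g. "UDP *:10498"
            m = UDP_NAME_RE.match(" ".join(tok[6:]))
            if m:
                entry["udp_ports"].append(int(m.group(1)))
    return procs


def suspicious_processes(procs, min_raw=1):
    """Processes holding raw sockets and UDP listeners at once: the mstream profile.
    known_mstream_port marks a listener on a port documented for mstream."""
    hits = {}
    for pid, p in procs.items():
        if p["raw"] >= min_raw and p["udp_ports"]:
            hits[pid] = dict(p, known_mstream_port=bool(MSTREAM_UDP_PORTS & set(p["udp_ports"])))
    return hits


if __name__ == "__main__":
    for pid, p in suspicious_processes(parse_lsof(SAMPLE_LSOF)).items():
        print(pid, p)
```

On a host where a rootkit may be present the lsof binary itself cannot be trusted, so run the check from known-good media or against a saved listing, as the text on rootkits below points out.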
When an Agent starts for the first time, it sends the "newserver" command to the default list of Handlers compiled into the binary; tcpdump shows the following:
--------------------------------------------------------------------------
00:04:38.530000 192.168.0.20.1081 > 192.168.0.100.6838: udp 9
0x0000 4500 0025 ef75 0000 4011 098a c0a8 0014    E..%.u..@.......
0x0010 c0a8 0064 0439 1ab6 0011 2b63 6e65 7773    ...d.9....+cnews
0x0020 6572 7665 7200 0000 0000 0000 0000         erver.........
--------------------------------------------------------------------------
If a rootkit is found (they are used on both Handlers and Agents), you cannot trust the output of standard operating system commands for processes, network connections and so on. Every system administrator should take the time to read reference [10] to learn about rootkits.
As mentioned earlier, if an Agent receives a UDP packet on 10498/UDP whose data area contains the string "ping", and the Agent is not currently attacking, it replies with a UDP packet to destination port 6838/UDP whose data area contains the string "pong". Below is the tcpdump output; the trailing zeros are added by tcpdump itself, and the actual payload is only 4 bytes.
--------------------------------------------------------------------------
00:05:16.457239 192.168.0.100.65364 > 192.168.0.20.10498: udp 5
0x0000 4500 0021 f412 0000 4011 04f1 c0a8 0064    E..!....@......d
0x0010 c0a8 0014 ff54 2902 000d 6ce3 7069 6e67    .....T)...l.ping
0x0020 0a                                         .
00:05:16.458214 192.168.0.20.1083 > 192.168.0.100.6838: udp 4
0x0000 4500 0020 ef8c 0000 4011 0978 c0a8 0014    E.......@..x....
0x0010 c0a8 0064 043b 1ab6 000c 8045 706f 6e67    ...d.;.....Epong
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............
--------------------------------------------------------------------------
Signature matching can be done with ngrep [14] or snort [18] (Appendix B gives snort rules), or rid [15] (Appendix C has a RID template) can be used to search for idle (not currently attacking) Agents:
# ngrep "p[oi]ng" udp port 6838 or udp port 10498
If the attacker has modified the source code, the ports used in this ngrep command must be changed accordingly.
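Added example, not from the original analysis: a small Python decoder that turns the tcpdump hex rows shown on this page into bytes, decodes the IPv4 and UDP headers, and names the mstream message (ping, pong, newserver, or an attack command) from the destination port and payload. It uses the UDP length field rather than the captured length, which is what drops the trailing padding zeros mentioned above. The constants 10498 and 6838 are the ports documented here; like the ngrep command, they must be adjusted if the binary was built with different ports. The sample dumps are the captures from this page.

```python
import struct
from ipaddress import IPv4Address

AGENT_PORT = 10498    # handler -> agent: "ping", "stream/...", "mstream/..."
HANDLER_PORT = 6838   # agent -> handler: "pong", "newserver"


def hexdump_to_bytes(dump):
    """Convert tcpdump hex rows (0xNNNN offset, up to eight 16-bit words, ASCII column) to bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        fields = line.split()
        if not fields or not fields[0].startswith("0x"):
            continue                     # summary line, not a hex row
        for word in fields[1:9]:
            if len(word) not in (2, 4):  # the ASCII column has started
                break
            try:
                out += bytes.fromhex(word)
            except ValueError:
                break                    # non-hex token: ASCII column
    return bytes(out)


def decode_udp(pkt):
    """Decode IPv4 + UDP; payload is sliced by the UDP length field, so link-layer
    padding that tcpdump prints as trailing zeros is not treated as payload."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4 or pkt[9] != 17:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = IPv4Address(pkt[12:16]), IPv4Address(pkt[16:20])
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    payload = pkt[ihl + 8:ihl + ulen]
    return str(src), str(dst), sport, dport, payload


def mstream_signature(dport, payload):
    """Name the mstream message a UDP datagram carries, or None if it matches nothing."""
    text = payload.rstrip(b"\n\x00")
    if dport == AGENT_PORT:
        if text == b"ping":
            return "handler->agent ping"
        if text.startswith((b"stream/", b"mstream/")):
            return "handler->agent attack command: " + text.decode("ascii", "replace")
    if dport == HANDLER_PORT:
        if text == b"pong":
            return "agent->handler pong (agent idle)"
        if text == b"newserver":
            return "agent->handler newserver (agent registering)"
    return None


def classify_dump(dump):
    rec = decode_udp(hexdump_to_bytes(dump))
    if rec is None:
        return None
    src, dst, sport, dport, payload = rec
    sig = mstream_signature(dport, payload)
    return None if sig is None else f"{src}:{sport} -> {dst}:{dport} {sig}"


# Sample input: the captures shown on this page.
PING_DUMP = """
00:05:16.457239 192.168.0.100.65364 > 192.168.0.20.10498: udp 5
0x0000 4500 0021 f412 0000 4011 04f1 c0a8 0064    E..!....@......d
0x0010 c0a8 0014 ff54 2902 000d 6ce3 7069 6e67    .....T)...l.ping
0x0020 0a                                         .
"""
PONG_DUMP = """
00:05:16.458214 192.168.0.20.1083 > 192.168.0.100.6838: udp 4
0x0000 4500 0020 ef8c 0000 4011 0978 c0a8 0014    E.......@..x....
0x0010 c0a8 0064 043b 1ab6 000c 8045 706f 6e67    ...d.;.....Epong
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............
"""
NEWSERVER_DUMP = """
00:04:38.530000 192.168.0.20.1081 > 192.168.0.100.6838: udp 9
0x0000 4500 0025 ef75 0000 4011 098a c0a8 0014    E..%.u..@.......
0x0010 c0a8 0064 0439 1ab6 0011 2b63 6e65 7773    ...d.9....+cnews
0x0020 6572 7665 7200 0000 0000 0000 0000         erver.........
"""
ATTACK_DUMP = """
01:39:24.701083 192.168.0.2.65527 > 192.168.0.20.10498: [bad udp cksum 3100!] udp 24 (ttl 64, id 886)
0x0000 4500 0034 0376 0000 4011 f5dc c0a8 0002    E..4.v..@.......
0x0010 c0a8 0014 fff7 2902 0020 556c 7374 7265    ......)...Ulstre
0x0020 616d 2f31 3932 2e31 3638 2e30 2e31 3030    am/192.168.0.100
0x0030 2f31 300a                                  /10.
"""

if __name__ == "__main__":
    for d in (PING_DUMP, PONG_DUMP, NEWSERVER_DUMP, ATTACK_DUMP):
        print(classify_dump(d))
```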
Attack packets are fixed at 40 bytes, perhaps to evade the large-packet detection rules of some IDSes.
stream2.c performs TCP ACK flooding against the victim: the source IP is randomized (generated with random()), while the source port and TCP sequence number are incremented sequentially. See the following source code:
--------------------------------------------------------------------------
. . .
for ( i = 0; ; ++i )
{
    cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
    ++packet.ip.ip_id;
    ++packet.tcp.th_sport;
    ++packet.tcp.th_seq;
    if ( !dstport )
    {
        s_in.sin_port = packet.tcp.th_dport = rand();
    }
. . .
--------------------------------------------------------------------------
Because the source IP is randomized, the spoofed source IP in dotted-decimal form may have one or more octets equal to 0.
Capturing the attack packets with tcpdump:
--------------------------------------------------------------------------
01:39:24.701083 192.168.0.2.65527 > 192.168.0.20.10498: [bad udp cksum 3100!] udp 24 (ttl 64, id 886)
0x0000 4500 0034 0376 0000 4011 f5dc c0a8 0002    E..4.v..@.......
0x0010 c0a8 0014 fff7 2902 0020 556c 7374 7265    ......)...Ulstre
0x0020 616d 2f31 3932 2e31 3638 2e30 2e31 3030    am/192.168.0.100
0x0030 2f31 300a                                  /10.
01:40:10.132724 192.168.0.2.65526 > 192.168.0.20.10498: [bad udp cksum 3100!] udp 24 (ttl 64, id 930)
0x0000 4500 0034 03a2 0000 4011 f5b0 c0a8 0002    E..4....@.......
0x0010 c0a8 0014 fff6 2902 0020 556d 7374 7265    ......)...Umstre
0x0020 616d 2f31 3932 2e31 3638 2e30 2e31 3030    am/192.168.0.100
0x0030 2f31 300a                                  /10.
01:41:23.674796 192.168.0.2.65525 > 192.168.0.20.10498: [bad udp cksum 4a00!] udp 49 (ttl 64, id 1031)
0x0000 4500 004d 0407 0000 4011 f532 c0a8 0002    E..M....@..2....
0x0010 c0a8 0014 fff5 2902 0039 a9b4 6d73 7472    ......)..9..mstr
0x0020 6561 6d2f 3139 322e 3136 382e 302e 313a    eam/192.168.0.1:
0x0030 3139 322e 3136 382e 302e 3130 303a 3139    192.168.0.100:19
0x0040 322e 3136 382e 302e 322f 3130 0a           2.168.0.2/10.
01:41:23.675771 arp who-has 192.168.0.1 tell 192.168.0.20
0x0000 0001 0800 0604 0001 0010 5a99 6544 c0a8    ..........Z.eD..
0x0010 0014 0000 0000 0000 c0a8 0001 0000 0000    ................
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............
01:41:23.675772 arp who-has 192.168.0.100 tell 192.168.0.20
0x0000 0001 0800 0604 0001 0010 5a99 6544 c0a8    ..........Z.eD..
0x0010 0014 0000 0000 0000 c0a8 0064 0000 0000    ...........d....
0x0020 0000 0000 0000 0000 0000 0000 0000         ..............
01:41:23.675773 77.172.43.85.38444 > 192.168.0.2.26296: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 50237)
0x0000 4508 0028 c43d 0000 ff06 bdde 4dac 2b55    E..(.=......M.+U
0x0010 c0a8 0002 962c 66b8 ea97 d237 0000 0000    .....,f....7....
0x0020 5010 4000 7c74 0000 0000 0000 0000         P.@.|t........
01:41:23.675774 88.148.222.45.39212 > 192.168.0.2.10342: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 51005)
0x0000 4508 0028 c73d 0000 ff06 fd1d 5894 de2d    E..(.=......X..-
0x0010 c0a8 0002 992c 2866 ed97 d237 0000 0000    .....,(f...7....
0x0020 5010 4000 f705 0000 0000 0000 0000         P.@...........
01:41:23.675775 0.18.219.113.39980 > 192.168.0.2.41622: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 51773)
0x0000 4508 0028 ca3d 0000 ff06 555c 0012 db71    E..(.=....U\...q
0x0010 c0a8 0002 9c2c a296 f097 d237 0000 0000    .....,.....7....
0x0020 5010 4000 d213 0000 0000 0000 0000         P.@...........
01:41:23.675776 121.161.140.109.40748 > 192.168.0.2.16749: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 52541)
0x0000 4508 0028 cd3d 0000 ff06 27d1 79a1 8c6d    E..(.=....'.y..m
0x0010 c0a8 0002 9f2c 416d f397 d237 0000 0000    .....,Am...7....
0x0020 5010 4000 02b2 0000 0000 0000 0000         P.@...........
01:41:23.675777 79.238.213.72.41516 > 192.168.0.2.46276: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 53309)
0x0000 4508 0028 d03d 0000 ff06 05a9 4fee d548    E..(.=......O..H
0x0010 c0a8 0002 a22c b4c4 f697 d237 0000 0000    .....,.....7....
0x0020 5010 4000 6a32 0000 0000 0000 0000         P.@.j2........
01:41:23.675778 104.24.203.64.42284 > 192.168.0.2.61623: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 54077)
0x0000 4508 0028 d33d 0000 ff06 f486 6818 cb40    E..(.=......h..@
0x0010 c0a8 0002 a52c f0b7 f997 d237 0000 0000    .....,.....7....
0x0020 5010 4000 1a1d 0000 0000 0000 0000         P.@...........
01:41:23.675779 37.60.73.50.43052 > 192.168.0.2.51311: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 54845)
0x0000 4508 0028 d63d 0000 ff06 b671 253c 4932    E..(.=.....q%<I2
0x0010 c0a8 0002 a82c c86f fc97 d237 0000 0000    .....,.o...7....
0x0020 5010 4000 0150 0000 0000 0000 0000         P.@..P........
01:41:23.675780 142.14.73.40.43820 > 192.168.0.2.8979: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 55613)
0x0000 4508 0028 d93d 0000 ff06 4aa9 8e0e 4928    E..(.=....J...I(
0x0010 c0a8 0002 ab2c 2313 ff97 d237 0000 0000    .....,#....7....
0x0020 5010 4000 37e4 0000 0000 0000 0000         P.@.7.........
01:41:23.676748 144.19.212.69.44588 > 192.168.0.2.51668: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 56381)
0x0000 4508 0028 dc3d 0000 ff06 ba86 9013 d445    E..(.=.........E
0x0010 c0a8 0002 ae2c c9d4 0298 d237 0000 0000    .....,.....7....
0x0020 5010 4000 fdff 0000 0000 0000 0000         P.@...........
01:41:23.676749 155.176.45.2.45356 > 192.168.0.2.32793: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 57149)
0x0000 4508 0028 df3d 0000 ff06 532d 9bb0 2d02    E..(.=....S-..-.
0x0010 c0a8 0002 b12c 8019 0598 d237 0000 0000    .....,.....7....
0x0020 5010 4000 dd61 0000 0000 0000 0000         P.@..a........
01:41:23.676750 10.98.211.13.46124 > 192.168.0.2.1995: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 57917)
0x0000 4508 0028 e23d 0000 ff06 3b70 0a62 d30d    E..(.=....;p.b..
0x0010 c0a8 0002 b42c 07cb 0898 d237 0000 0000    .....,.....7....
0x0020 5010 4000 3af3 0000 0000 0000 0000         P.@.:.........
01:41:23.676751 214.235.187.89.46892 > 192.168.0.2.14172: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 58685)
0x0000 4508 0028 e53d 0000 ff06 839a d6eb bb59    E..(.=.........Y
0x0010 c0a8 0002 b72c 375c 0b98 d237 0000 0000    .....,7\...7....
0x0020 5010 4000 508c 0000 0000 0000 0000         P.@.P.........
01:41:23.676752 90.193.127.8.47660 > 192.168.0.2.64812: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 59453)
0x0000 4508 0028 e83d 0000 ff06 3916 5ac1 7f08    E..(.=....9.Z...
0x0010 c0a8 0002 ba2c fd2c 0e98 d237 0000 0000    .....,.,...7....
0x0020 5010 4000 3d37 0000 0000 0000 0000         P.@.=7........
01:41:23.676753 160.176.42.60.48428 > 192.168.0.2.17432: . [tcp sum ok] ack 0 win 16384 [tos 0x8] (ttl 255, id 60221)
0x0000 4508 0028 eb3d 0000 ff06 44f3 a0b0 2a3c    E..(.=....D...*<
0x0010 c0a8 0002 bd2c 4418 1198 d237 0000 0000    .....,D....7....
0x0020 5010 4000 ff28 0000 0000 0000 0000         P.@..(........
--------------------------------------------------------------------------
Running the following command over the logs produced from Cisco NetFlow data (filtering for IP addresses that contain a 0 octet in dotted-decimal form) reveals the presence of the attack:
--------------------------------------------------------------------------
% grep "[ .]0[ .(]" ddos-000415
Apr 15 04:12:08 tcp 82.0.151.5(29497) -> 192.168.10.5(27072), 1 packet
Apr 15 04:12:18 tcp 207.0.149.32(21893) -> 192.168.10.5(3913), 1 packet
Apr 15 04:12:33 tcp 0.147.151.82(10473) -> 10.4.152.237(2810), 1 packet
Apr 15 04:13:39 tcp 60.0.33.36(41079) -> 10.4.152.237(31754), 1 packet
Apr 15 04:14:03 tcp 103.140.148.0(4247) -> 10.4.152.237(29689), 1 packet
Apr 15 04:14:15 tcp 214.1.99.0(46714) -> 10.4.152.237(22524), 1 packet
Apr 15 04:15:11 tcp 10.148.60.0(12276) -> 192.168.10.5(31122), 1 packet
Apr 15 04:15:20 tcp 0.112.67.108(4550) -> 192.168.10.5(63787), 1 packet
Apr 15 04:15:33 tcp 13.0.16.2(39092) -> 10.4.152.237(57998), 1 packet
. . .
Apr 15 06:45:24 tcp 18.167.171.0(54104) -> 10.200.5.8(32779), 1 packet
Apr 15 06:45:52 tcp 0.23.15.38(45621) -> 10.200.5.8(20780), 1 packet
Apr 15 06:46:14 tcp 0.12.109.77(38670) -> 10.200.5.8(47776), 1 packet
Apr 15 07:19:12 tcp 199.120.0.72(64912) -> 10.4.152.237(45151), 1 packet
Apr 15 07:27:37 tcp 0.28.232.21(52533) -> 10.4.152.237(338), 1 packet
Apr 15 07:28:13 tcp 99.61.233.0(20951) -> 10.4.152.237(58427), 1 packet
Apr 15 07:31:23 tcp 195.0.3.111(17193) -> 10.4.152.237(14601), 1 packet
Apr 15 07:32:19 tcp 61.108.245.0(24309) -> 10.4.152.237(32809), 1 packet
--------------------------------------------------------------------------
It should be noted that some of the spoofed source IPs will be broadcast, multicast or subnet addresses, which causes further problems of its own (see reference [12]).
Analysis of the stream2.c source shows that many fields of the IP and TCP headers are randomized, but some static values remain:
--------------------------------------------------------------------------
packet.ip.ip_id = rand();
. . .
packet.tcp.th_win = htons(16384);
. . .
packet.tcp.th_seq = random();
. . .
packet.tcp.th_sport = rand();
packet.tcp.th_dport = rand();
. . .
while ( time( 0 ) <= endtime )
{
    if ( floodtype != 0 )
    {
        i = 0;
        /*
         * until list exhausted
         */
        while ( arg4[i] != NULL )
        {
            /*
             * valid ip
             */
            if ( strchr( arg4[i], '.' ) != NULL )
            {
                packet.ip.ip_dst.s_addr = inet_addr(arg4[i]);
                cksum.pseudo.daddr = inet_addr(arg4[i]);
                s_sin.sin_addr.s_addr = inet_addr(arg4[i]);
                cksum.pseudo.saddr = packet.ip.ip_src.s_addr = random();
                packet.ip.ip_id++;
                packet.tcp.th_sport++;
                packet.tcp.th_seq++;
                s_in.sin_port = packet.tcp.th_dport = rand();
. . .
            }
        }
    }
}
--------------------------------------------------------------------------
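The static values above, and the fixed 40-byte ACK packets described earlier, are what a detector can key on. As an added example (written for this page, not part of the original analysis or of stream2.c), the following Python code checks a raw IPv4/TCP packet for the stream2 profile: window 16384 and acknowledgement 0 follow from the source above, while TTL 255, TOS 0x8 and the 40-byte total length are what the capture on this page shows. A second function reads the IP id and source port of consecutive packets as little-endian integers, because the code increments those fields with ++ on the host's own byte order and never byte-swaps them: in the capture the source port goes 0x962c, 0x992c, 0x9c2c, a step of 3 in host order that matches the three targets in the mstream command captured above. The sample packets are three of the page's captured ACKs; the benign ACK is constructed.

```python
import struct


def stream2_indicators(pkt):
    """Names of stream2-style static-field indicators that a raw IPv4/TCP packet matches."""
    hits = []
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return hits
    ihl = (pkt[0] & 0x0F) * 4
    tos, ttl = pkt[1], pkt[8]
    total_len = struct.unpack("!H", pkt[2:4])[0]
    sport, dport, seq, ack, off_flags, win, _ck, _urg = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    flags = off_flags & 0x1FF
    if total_len == 40:
        hits.append("len40")        # fixed packet size noted on this page
    if tos == 0x08:
        hits.append("tos8")         # observed in the capture
    if ttl == 255:
        hits.append("ttl255")       # observed in the capture
    if flags == 0x010:
        hits.append("ack-only")     # pure ACK flood
    if ack == 0:
        hits.append("ack0")         # acknowledgement number never set
    if win == 16384:
        hits.append("win16384")     # htons(16384) in the source above
    return hits


def is_stream2_ack(pkt, min_hits=5):
    """Treat a packet as stream2 traffic when most static indicators line up."""
    return len(stream2_indicators(pkt)) >= min_hits


def host_order_steps(packets):
    """(ip_id step, source-port step) between consecutive packets, read as little-endian
    16-bit values: stream2 increments these fields in host byte order without htons(),
    so on an x86 sender the increment lands in the wire's high byte. Assumes no IP
    options (IHL 5), as in the capture."""
    def le16(b):
        return int.from_bytes(b, "little")
    return [(le16(b[4:6]) - le16(a[4:6]), le16(b[20:22]) - le16(a[20:22]))
            for a, b in zip(packets, packets[1:])]


# Sample input: three consecutive flood packets to 192.168.0.2 from the page's capture.
PAGE_PKTS = [bytes.fromhex(h) for h in (
    "4508 0028 c43d 0000 ff06 bdde 4dac 2b55 c0a8 0002 962c 66b8 ea97 d237 0000 0000 5010 4000 7c74 0000",
    "4508 0028 c73d 0000 ff06 fd1d 5894 de2d c0a8 0002 992c 2866 ed97 d237 0000 0000 5010 4000 f705 0000",
    "4508 0028 ca3d 0000 ff06 555c 0012 db71 c0a8 0002 9c2c a296 f097 d237 0000 0000 5010 4000 d213 0000",
)]

# Constructed ordinary ACK: ttl 64, tos 0, window 65535, non-zero ack number.
BENIGN_ACK = (struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0,
                          bytes([203, 0, 113, 9]), bytes([192, 168, 0, 2]))
              + struct.pack("!HHIIHHHH", 443, 50000, 1000, 2000, 0x5010, 65535, 0, 0))

if __name__ == "__main__":
    for p in PAGE_PKTS:
        print(is_stream2_ack(p), stream2_indicators(p))
    print(is_stream2_ack(BENIGN_ACK), stream2_indicators(BENIGN_ACK))
    print(host_order_steps(PAGE_PKTS))
```

A rule built only on the window size would fire on legitimate hosts that default to a 16384-byte window, which is why the example requires several indicators together; the host-order step check is a forensic aid for confirming a capture rather than a real-time rule.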