Botnets - The killer web applications

Chapter 9 • Advanced Ourmon Techniques (page 322)
www.syngress.com


possible. (Ethernet packets above the Ethernet layer must have at least 46 bytes minimally. This is why the UDP packets that appeared previously have zeros following the 10 bytes of ASCII payload.) Thus these SYN packets (as is usually the case with DoS attacks) are small packets that have only an IP header and a TCP header, typically only 40 bytes in all. Besides being small, SYN packets can, of course, cause the receiving operating system problems processing them, because the operating system might want to believe that the remote host is sincere about starting a TCP connection. This can exhaust resources on the target's operating system because there will be a high number of half-open sockets. Of course, in this case the remote hosts are the complete opposite of sincere.
In this case the drops trigger worked, probably due to the overwhelming nature of the attack. Most if not all of the packets received were part of the attack. We were lucky that we were able to get the IP address and port number of the attacked system. Evidence seems to indicate that the attackers were from multiple sites and were in fact likely a botnet being used to launch a DDoS attack. One must not forget that with such an attack, IP spoofing (meaning fake IP source addresses) is a possibility. One-way attacks do not require two-way conversations.
Notes from the Underground…
Hackers, DoS, and Packet Size
Remember the Hacker Rule of Economy we mentioned previously? It applies to DoS attacks, too. The goals from the dark side include sending as many useless and harmful packets as fast as possible. Sending one TCP SYN packet a minute might work for scanning, but it would not be much of a DoS attack. With a gigabit Ethernet connection, one can receive approximately 1.5 million packets per second (pps). If you have a 100-megabit Ethernet connection, divide by 10, so 150,000 pps are possible. Ten megabits means the best small packet throughput would be 15,000 pps. More worrisome, a 10-gigabit Ethernet connection could potentially receive 15 million pps! Ouch. This is a doable number with a botnet of a certain size. On the other hand, for gigabit Ethernet, using
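The arithmetic behind the two passages above (the zero-padding of a 40-byte SYN to the 46-byte Ethernet minimum, and the packet rates a link can carry with such frames) is worked out in the following added example, together with a simple defender-side tally of half-open SYNs per destination socket like the one the drops trigger led the authors to. This is illustrative code written for this page, not Ourmon's code; the framing constants are standard Ethernet figures, and the packet records, addresses and the `half_open_report` heuristic are constructed assumptions.

```python
"""Small-packet arithmetic behind SYN floods plus a half-open fan-in tally.

Added example for this page; not part of Ourmon. The sniffer records below
are constructed, as is the flag letter convention (S = SYN, A = ACK).
"""
from collections import defaultdict

# Ethernet framing constants (bytes); identical for 10M, 100M, 1G and 10G.
MIN_PAYLOAD = 46   # shorter layer-3 data is zero-padded up to this size
PREAMBLE_SFD = 8   # preamble plus start-frame delimiter
ETH_HEADER = 14    # destination MAC, source MAC, EtherType
FCS = 4            # frame check sequence
IFG = 12           # inter-frame gap, expressed in byte-times

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8


def ethernet_padding(l3_len: int) -> int:
    """Zero bytes the sender must append so the frame payload reaches 46 bytes."""
    return max(0, MIN_PAYLOAD - l3_len)


def wire_bytes(l3_len: int) -> int:
    """Link time one frame consumes, counted in bytes: preamble, header,
    (padded) payload, FCS and the mandatory gap before the next frame."""
    return PREAMBLE_SFD + ETH_HEADER + max(l3_len, MIN_PAYLOAD) + FCS + IFG


def max_pps(link_bps: int, l3_len: int = IP_HDR + TCP_HDR) -> int:
    """Upper bound on packets per second for back-to-back frames of this size.
    A bare 40-byte SYN occupies 84 wire bytes, so 1 Gbit/s gives ~1.49 Mpps."""
    return link_bps // (wire_bytes(l3_len) * 8)


# Constructed sniffer records: (src_ip, dst_ip, dst_port, flags).
# Two ordinary clients complete their handshakes (S then A); eight distinct
# sources send a bare SYN to 192.0.2.10:80 and never follow up.
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 80, "S"), ("10.0.0.5", "192.0.2.10", 80, "A"),
    ("10.0.0.6", "192.0.2.20", 443, "S"), ("10.0.0.6", "192.0.2.20", 443, "A"),
] + [(f"198.51.100.{i}", "192.0.2.10", 80, "S") for i in range(1, 9)]


def half_open_report(packets, min_syns: int = 5):
    """Per destination socket, count SYNs, client ACKs that followed, and
    distinct sources. Many SYNs with few completing ACKs is the half-open
    pattern described in the text. The source count is a fan-in hint only:
    with spoofed source addresses it says nothing about how many real hosts
    are involved."""
    stats = defaultdict(lambda: {"syn": 0, "ack": 0, "sources": set()})
    for src, dst, dport, flags in packets:
        entry = stats[(dst, dport)]
        if flags == "S":
            entry["syn"] += 1
            entry["sources"].add(src)
        elif flags == "A":
            entry["ack"] += 1
    report = []
    for (dst, dport), s in stats.items():
        if s["syn"] < min_syns:
            continue   # too little SYN traffic to be worth reporting
        report.append({
            "target": f"{dst}:{dport}",
            "syns": s["syn"],
            "half_open": max(0, s["syn"] - s["ack"]),
            "sources": len(s["sources"]),
        })
    return sorted(report, key=lambda r: r["half_open"], reverse=True)


if __name__ == "__main__":
    print("40-byte SYN needs", ethernet_padding(IP_HDR + TCP_HDR), "bytes of padding")
    print("UDP with 10 ASCII bytes needs",
          ethernet_padding(IP_HDR + UDP_HDR + 10), "bytes of padding")
    for name, bps in [("10M", 10_000_000), ("100M", 100_000_000),
                      ("1G", 1_000_000_000), ("10G", 10_000_000_000)]:
        print(f"{name}: {max_pps(bps):,} pps of minimum-size frames")
    for row in half_open_report(SAMPLE_PACKETS):
        print(row)
```

The rates come out at 14,880, 148,809, 1,488,095 and 14,880,952 pps, which is where the sidebar's rounded 15,000 / 150,000 / 1.5 million / 15 million figures come from. Because every SYN is padded to the same 84 wire bytes, the attacker's cost per packet is fixed and the only lever left is the link speed, while the target pays a half-open socket for each one until it times out.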