Content area updated on Wednesday, 2003-April-09 03:52:37 GMT-3 (São Paulo, Brazil, South America)
Contents

Presentation
:: Objectives / Strategy
:: Author data
Overview
:: Scripts with iptables
:: Malformed Packets
ARP Poisoning
:: ARP Poisoning default gateway
:: ARP Poisoning Iptables
Denial of Service
:: TCP SYN FLOOD: characteristics
:: Syn Flood: results
:: Syn Flood: most common reactions
:: Syn Flood: currently viable reaction
:: Syn Flood Netfilter
:: Denial of Service (DoS): other types
iptables -N logmalform
iptables -A logmalform -m limit --limit 10/s --limit-burst 4 -j LOG \
    --log-prefix "[MALFORMED] "
iptables -A logmalform -j DROP
iptables -N malfgroup
#$PRGDIR/malfgroup.sh
# The match expressions of the next four rules are missing from the source; "..." marks the gap.
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -j ...
###############################################
# INPUT chain groups
###############################################
iptables -N inbestgroup
#$PRGDIR/inbestgroup.sh
iptables -A inbestgroup -j RETURN
# iptables -N inpreidsgroup
# $PRGDIR/inpreidsgroup.sh
# iptables -A inpreidsgroup -j RETURN
iptables -N inmalfgroup
#$PRGDIR/inmalfgroup.sh
iptables -A inmalfgroup -j malfgroup
iptables -A inmalfgroup -j RETURN
iptables -N inbadgroup
#$PRGDIR/inbadgroup.sh
iptables -A inbadgroup -j RETURN
iptables -N ingoodgroup
#$PRGDIR/ingoodgroup.sh
iptables -A ingoodgroup -j RETURN
iptables -N indenygroup
#$PRGDIR/indenygroup.sh
iptables -A indenygroup -j RETURN
iptables -N inacceptgroup
#$PRGDIR/inacceptgroup.sh
iptables -A inacceptgroup -j RETURN
iptables -N indsggroup
#$PRGDIR/indsggroup.sh
iptables -A indsggroup -j RETURN
iptables -N incustomergroup
#$PRGDIR/incustomergroup.sh
iptables -A incustomergroup -j RETURN
# iptables -N inidsgroup
# $PRGDIR/inidsgroup.sh
# iptables -A inidsgroup -j RETURN
iptables -N infwgroup
$PRGDIR/infwgroup.sh
iptables -A infwgroup -j RETURN
###############################################
# FORWARD chain groups
###############################################
# iptables -N fwdbestgroup
# $PRGDIR/fwdbestgroup.sh
# iptables -A fwdbestgroup -j RETURN
# iptables -N fwdmalfgroup
#$PRGDIR/fwdmalfgroup.sh
# iptables -A fwdmalfgroup -j malfgroup
# iptables -A fwdmalfgroup -j RETURN
# iptables -N fwdbadgroup
# $PRGDIR/fwdbadgroup.sh
# iptables -A fwdbadgroup -j RETURN
# iptables -N fwdgoodgroup
# $PRGDIR/fwdgoodgroup.sh
# iptables -A fwdgoodgroup -j RETURN
# iptables -N fwddenygroup
#$PRGDIR/fwddenygroup.sh
# iptables -A fwddenygroup -j RETURN
# iptables -N fwdacceptgroup
#$PRGDIR/fwdacceptgroup.sh
# iptables -A fwdacceptgroup -j RETURN
# iptables -N fwddsggroup
#$PRGDIR/fwddsggroup.sh
# iptables -A fwddsggroup -j RETURN
# iptables -N fwdcustomergroup
# $PRGDIR/fwdcustomergroup.sh
# iptables -A fwdcustomergroup -j RETURN
# iptables -N fwdfwgroup
#$PRGDIR/fwdfwgroup.sh
# iptables -A fwdfwgroup -j RETURN
###############################################
# OUTPUT chain groups
###############################################
iptables -N outmalfgroup
$PRGDIR/outmalfgroup.sh
iptables -A outmalfgroup -j malfgroup
iptables -A outmalfgroup -j RETURN
iptables -N outgoodgroup
$PRGDIR/outgoodgroup.sh
iptables -A outgoodgroup -j RETURN
iptables -N outfwgroup
$PRGDIR/outfwgroup.sh
iptables -A outfwgroup -j RETURN
## SYNFLOOD
#
# The logdrop target chain must already exist; it is created by the SYN flood
# rules shown further down (iptables -N logdrop ...).
iptables -N synflood
iptables -A synflood -m limit --limit 50/s --limit-burst 4 -j RETURN
iptables -A synflood -j logdrop
###############################################
# INPUT
###############################################
# The conventional chains
iptables -A INPUT -i lo -j ACCEPT
# Best Group
iptables -A INPUT -j inbestgroup
# PreIDS Group
# iptables -A INPUT -j inpreidsgroup
# Malformed
iptables -A INPUT -j inmalfgroup
# Bad VIP
iptables -A INPUT -j inbadgroup
# Good VIP
iptables -A INPUT -j ingoodgroup
# Deny Group
iptables -A INPUT -j indenygroup
# Accept Group
iptables -A INPUT -j inacceptgroup
# Deny Services Group
iptables -A INPUT -j indsggroup
# Customer Group
iptables -A INPUT -j incustomergroup
# Syn Flood
iptables -A INPUT -p tcp --syn -j synflood
# Firewall
iptables -A INPUT -j infwgroup
# DEFAULT DROP
iptables -A INPUT -m limit --limit 10/s --limit-burst 4 -j LOG \
    --log-prefix "[INPUT FW] "
iptables -A INPUT -j DROP
# IDS Group
# iptables -A INPUT -j inidsgroup
# iptables -A INPUT -j DROP
###############################################
# FORWARD
###############################################
# Best VIP
# iptables -A FORWARD -j fwdbestgroup
# Malformed
# iptables -A FORWARD -j fwdmalfgroup
# Bad VIP
# iptables -A FORWARD -j fwdbadgroup
# Good VIP
# iptables -A FORWARD -j fwdgoodgroup
# Deny Group
# iptables -A FORWARD -j fwddenygroup
# Accept Group
# iptables -A FORWARD -j fwdacceptgroup
# Deny Services Group
# iptables -A FORWARD -j fwddsggroup
# Customer VIP
# iptables -A FORWARD -j fwdcustomergroup
# Syn Flood
# iptables -A FORWARD -p tcp --syn -j synflood
# Firewall
# iptables -A FORWARD -j fwdfwgroup
# DEFAULT ACCEPT
#iptables -A FORWARD -m limit --limit 10/s --limit-burst 4 -j LOG \
#    --log-prefix "[FORWARD FW] "
# iptables -A FORWARD -j ACCEPT
###############################################
# OUTPUT
###############################################
iptables -A OUTPUT -o lo -j ACCEPT
# Malformed
iptables -A OUTPUT -j outmalfgroup
# Good VIP
iptables -A OUTPUT -j outgoodgroup
# Deny Group
# Accept Group
# Deny Services Group
# SynFlood
iptables -A OUTPUT -p tcp --syn -j synflood
# Firewall
iptables -A OUTPUT -j outfwgroup
# DEFAULT ACCEPT
iptables -A OUTPUT -j ACCEPT
# THE END
# ==================================================================
Example rules
iptables -N logmalform
iptables -A logmalform -m limit --limit 10/s --limit-burst 4 -j LOG \
    --log-prefix "[MALFORMED] "
iptables -A logmalform -j DROP
iptables -N malfgroup
#$PRGDIR/malfgroup.sh
# The match expressions of the next four rules are missing from the source; "..." marks the gap.
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -p ... -j logmalform
iptables -A malfgroup -j ...
ARP Poisoning default gateway
arp -na
The tool is a... To put it into production in a scalable way, one can create a policy and implement it technically with scripts that consult the arpwatch table:
/var/lib/arpwatch/eth0.dat
ARP Poisoning Iptables
/var/lib/arpwatch/eth1.dat
The arpfwgroup chain we created can be used in the following predefined chains:
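The slides describe scripts that consult the arpwatch table to build the arpfwgroup chain but do not show one; the script below is an added example, not the author's, that turns a (constructed) arpwatch .dat file into iptables commands for a chain named arpfwgroup. The chain name, the "[ARP SPOOF]" log prefix and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original slides: generate iptables rules for a
# hypothetical chain "arpfwgroup" from an arpwatch table, so that a recorded
# IP is let through only when the frame comes from the MAC arpwatch saw for it.
# arpwatch .dat lines are tab-separated: MAC, IP, last-seen epoch, [hostname].

# Constructed stand-in for /var/lib/arpwatch/eth0.dat (documentation addresses).
ARPWATCH_SAMPLE=$(printf '%s\t%s\t%s\t%s\n' \
    00:11:22:33:44:01 192.0.2.1  1049879123 gw.example \
    00:11:22:33:44:02 192.0.2.10 1049879200 host10 \
    00:11:22:33:44:03 192.0.2.11 1049879300 host11)

# gen_arpfw_rules: reads an arpwatch table on stdin and prints the iptables
# commands without applying them. The mac match is only valid in PREROUTING,
# INPUT and FORWARD, so that is where a chain like this can be hooked.
gen_arpfw_rules() {
    table=$(cat)
    echo 'iptables -N arpfwgroup'
    # Known (IP, MAC) pairs leave the chain and continue in the calling chain.
    printf '%s\n' "$table" | awk -F '\t' 'NF >= 2 {
        printf "iptables -A arpfwgroup -s %s -m mac --mac-source %s -j RETURN\n", $2, $1
    }'
    # Any other frame claiming one of those IPs is a spoof candidate: log, then drop.
    printf '%s\n' "$table" | awk -F '\t' 'NF >= 2 { print $2 }' | sort -u |
    while read -r ip; do
        printf 'iptables -A arpfwgroup -s %s -m limit --limit 10/s --limit-burst 4 -j LOG --log-prefix "[ARP SPOOF] "\n' "$ip"
        printf 'iptables -A arpfwgroup -s %s -j DROP\n' "$ip"
    done
    # Addresses arpwatch has never seen are left to the rest of the ruleset.
    echo 'iptables -A arpfwgroup -j RETURN'
}

# Usage on a real host: gen_arpfw_rules < /var/lib/arpwatch/eth0.dat | sh
printf '%s\n' "$ARPWATCH_SAMPLE" | gen_arpfw_rules
```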
Typical characteristics:
2 to 3 K packets/second are already enough to cause DoS in all known firewalls (there is no need for 30 to 100 K pkts/s).

Firewall in DoS => the whole network structure below it is in DoS, and not only the destination IP address of the attack.

The feature that firewalls and network equipment usually call "Syn Flood Defender" is nothing more than a portscan defender, and it even makes these devices enter DoS faster. A portscan is typically originated from a real (not "spoofed") source IP.

After a few seconds under TCP Syn Flood, all known firewalls need a manual reboot because they cannot return to their normal condition by themselves once the attack has stopped.

If we put OpenBSD, FreeBSD and Linux configured as a bridge (2 ethernet interfaces in series with the IP traffic), the first 2 reach 100% CPU at the start of a Syn Flood DoS. Linux keeps average consumption around 15%.
iptables rules
Chains created for detection:
## SYNFLOOD
#
# logdrop is created first, because synflood jumps to it and iptables
# rejects a jump to a chain that does not exist yet.
iptables -N logdrop
iptables -A logdrop -m limit --limit 10/s --limit-burst 4 -j LOG \
    --log-prefix "[SYN FLOOD] "
iptables -A logdrop -j DROP
iptables -N synflood
iptables -A synflood -m limit --limit 500/s --limit-burst 4 -j RETURN
iptables -A synflood -j logdrop
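The logdrop chain above only writes "[SYN FLOOD]" lines to the kernel log; the script below is an added example, not from the slides, that reads such lines and separates a flood-like pattern (many, usually spoofed, sources on one port) from a scan-like one (one real source walking many ports), the distinction the results slide draws between a SYN flood and a portscan. The log lines and addresses are constructed; the verdict thresholds are an assumption.

```shell
#!/bin/sh
# Added example, not from the original slides: summarise the "[SYN FLOOD]"
# entries that the logdrop chain writes to the kernel log.

# Constructed kernel-log lines in netfilter LOG format (documentation addresses).
FLOOD_LOG=$(cat <<'EOF'
Apr  9 10:59:01 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=203.0.113.10 DST=192.0.2.80 PROTO=TCP SPT=1025 DPT=80 SYN
Apr  9 10:59:01 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=203.0.113.11 DST=192.0.2.80 PROTO=TCP SPT=1026 DPT=80 SYN
Apr  9 10:59:01 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=203.0.113.12 DST=192.0.2.80 PROTO=TCP SPT=1027 DPT=80 SYN
Apr  9 10:59:01 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=203.0.113.13 DST=192.0.2.80 PROTO=TCP SPT=1028 DPT=80 SYN
Apr  9 10:59:02 fw kernel: [INPUT FW] IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.80 PROTO=UDP SPT=5353 DPT=5353
EOF
)
SCAN_LOG=$(cat <<'EOF'
Apr  9 11:02:10 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.80 PROTO=TCP SPT=40001 DPT=21 SYN
Apr  9 11:02:10 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.80 PROTO=TCP SPT=40002 DPT=22 SYN
Apr  9 11:02:10 fw kernel: [SYN FLOOD] IN=eth0 OUT= SRC=198.51.100.20 DST=192.0.2.80 PROTO=TCP SPT=40003 DPT=25 SYN
EOF
)

# classify_syn_log: reads log lines on stdin, counts distinct SRC and DPT among
# the "[SYN FLOOD]" entries only (other prefixes are ignored) and prints one
# summary line. Verdict rule (an assumption): more sources than ports looks
# like a flood, otherwise like a scan; no matching line at all is "quiet".
classify_syn_log() {
    awk '/\[SYN FLOOD\]/ {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src[substr($i, 5)] = 1
            if ($i ~ /^DPT=/) dpt[substr($i, 5)] = 1
        }
        n++
    }
    END {
        ns = 0; for (k in src) ns++
        nd = 0; for (k in dpt) nd++
        verdict = "quiet"
        if (n > 0) verdict = (ns > nd) ? "flood-like" : "scan-like"
        printf "lines=%d distinct_src=%d distinct_dpt=%d verdict=%s\n", n + 0, ns, nd, verdict
    }'
}

# Usage on a real host: classify_syn_log < /var/log/messages
printf '%s\n' "$FLOOD_LOG" | classify_syn_log
printf '%s\n' "$SCAN_LOG" | classify_syn_log
```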