
拒绝服务入侵机制及处理办法(一)

  /* Next slot to write in dns_circbuff (the ring itself is declared just
   * before this line); add_dns() advances it and wraps at DNS_REQUEST_MAX. */
  unsigned int dns_cb_ptr=0;
  /* Ring of the most recent ICMP echo requester addresses, same layout as
   * the DNS ring: empty slots hold 0, icmp_cb_ptr is the next slot to write. */
  unsigned long icmp_circbuff[ICMP_REQUEST_MAX];
  unsigned int icmp_cb_ptr=0;
  
  /* Remember ipadd as the most recent DNS requester.  The ring holds
   * DNS_REQUEST_MAX entries and wraps, so the oldest entry is overwritten. */
  void add_dns (unsigned long ipadd){
    unsigned int slot = dns_cb_ptr;
    dns_circbuff[slot] = ipadd;
    slot++;
    dns_cb_ptr = (slot == DNS_REQUEST_MAX) ? 0 : slot;
  }
  
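  /* Remember ipadd as the most recent ICMP echo requester.  The ring holds
   * ICMP_REQUEST_MAX entries and wraps, so the oldest entry is overwritten. */
  void add_icmp (unsigned long ipadd){
    icmp_circbuff[icmp_cb_ptr++]=ipadd;
    /* Fix: the original reset dns_cb_ptr here, so icmp_cb_ptr never wrapped
     * and every ping after the ICMP_REQUEST_MAX-th one wrote past the end of
     * icmp_circbuff — an out-of-bounds write driven by unsolicited packets. */
    if (icmp_cb_ptr==ICMP_REQUEST_MAX) icmp_cb_ptr=0;
  }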
  
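  /* One-time setup: empty both request rings, record the DNS server being
   * watched, precompute the pre-swapped signature values the packet handler
   * compares against, and start the SIGALRM interval timer (reset_counters()
   * re-arms it at 10 s; this first interval is 20 s). */
  void anti_tfn_init (void) {
    unsigned int x;
    struct in_addr dns_addr;
    /* NOTE(review): the loop bodies were lost when this listing was
     * extracted; zeroing both rings is the presumed intent — confirm against
     * the original source. */
    for(x=0;x<DNS_REQUEST_MAX;x++) dns_circbuff[x]=0;
    for(x=0;x<ICMP_REQUEST_MAX;x++) icmp_circbuff[x]=0;
    /* inet_addr() returns INADDR_NONE on a malformed DNS_SERVER_IP; that is
     * not checked here, so a bad constant silently watches 255.255.255.255. */
    my_dns=inet_addr(DNS_SERVER_IP);
    /* inet_ntoa() takes a struct in_addr, not an integer. */
    dns_addr.s_addr=(in_addr_t)my_dns;
    printf("Ngrep with TFN detection modifications by wiretrip / www.wiretrip.net\n");
    printf("Watching DNS server: %s\n",inet_ntoa(dns_addr));
    /* ip_off values that, together with ip_ttl==0, the handler treats as the
     * TARGA signature; stored in network byte order so they can be compared
     * with the raw header field. */
    targ1=htons(16383); targ2=htons(8192);
    /* Checksum of an ICMP echo request whose fields are otherwise all zero;
     * original author's comment: "hopefull this is universal ;)" */
    rfp1=htons(~(ICMP_ECHO << 8));
    alarm(20);
  }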
  
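  /* Print the contents of both request rings (called from the attack report).
   * Empty slots hold 0 and are skipped; entries come out in slot order, which
   * is not arrival order once a ring has wrapped. */
  void print_circbuffs (void) {
    unsigned int x;
    struct in_addr a;
    printf("Last (%u) DNS requests:\n",DNS_REQUEST_MAX);
    for(x=0;x<DNS_REQUEST_MAX;x++) {
      if(dns_circbuff[x]!=0) {
        /* inet_ntoa() takes a struct in_addr, not an integer. */
        a.s_addr=(in_addr_t)dns_circbuff[x];
        printf("%s\n",inet_ntoa(a));
      }
    }
    printf("\nLast (%u) ICMP echo requests (pings):\n",ICMP_REQUEST_MAX);
    for(x=0;x<ICMP_REQUEST_MAX;x++) {
      if(icmp_circbuff[x]!=0) {
        a.s_addr=(in_addr_t)icmp_circbuff[x];
        printf("%s\n",inet_ntoa(a));
      }
    }
  }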
  
  /* SIGALRM handler: zero the per-interval flood counters and re-arm the
   * alarm, so a flood is only reported when more than FLOOD_THRESHOLD
   * matching packets arrive within one interval.  The very first interval is
   * the 20 s set in anti_tfn_init(); every later one is 10 s.
   * NOTE(review): the counters are plain globals rather than
   * volatile sig_atomic_t, so this races with the packet handler. */
  void reset_counters (int sig) {
    (void)sig;
    udp_flood_count = 0;
    syn_flood_count = 0;
    targa_flood_count = 0;
    icmp_flood_count = 0;
    alarm(10);
  }
  
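  /* Report a detected flood of the named type.  Reports only once per run:
   * icmp_flood starts at 1 and is cleared here, after which this function
   * returns immediately and, per the last message printed, the tool is
   * expected to echo incoming pings live instead. */
  void tfn_attack_detected (const char* attack_type){
    if(icmp_flood==0) return;
    (void)time(&t);
    /* ctime() output already ends in a newline. */
    printf("\n%s",ctime(&t));
    printf("A TFN2K %s attack has been detected!\n\n",attack_type);
    print_circbuffs();
    printf("\nIncoming realtime ICMP echo requests (pings):\n");
    icmp_flood=0;
  }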
  
  /*********************************************************************/
  
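  /* Entry point: install signal handlers, run the detector setup, open the
   * capture device named by -d (or the default one), print the interface
   * and network, pick the link-layer header size, then hand every packet to
   * process() until pcap_loop() returns 0. */
  int main(int argc, char **argv) {
    int c;  /* getopt() returns int; a plain char cannot hold -1 portably */
    signal(SIGINT,dealloc);
    signal(SIGQUIT,dealloc);
    signal(SIGABRT,dealloc);
    signal(SIGPIPE,dealloc);
    signal(SIGALRM,reset_counters);

    anti_tfn_init();

    /* Only -d <device> is accepted; unknown options are ignored. */
    while ((c = getopt(argc, argv, "d:")) != -1) {
      switch (c) {
      case 'd':
        dev = optarg;
        break;
      default:
        break;
      }
    }

    /* pcap reports failures through pc_err, not errno, so print the buffer
     * directly instead of via perror(), which would append an unrelated
     * strerror() text. */
    if (!dev) {
      if (!(dev = pcap_lookupdev(pc_err))) {
        fprintf(stderr, "%s\n", pc_err);
        exit(-1);
      }
    }

    if ((pd = pcap_open_live(dev, snaplen, promisc, to, pc_err)) == NULL) {
      fprintf(stderr, "%s\n", pc_err);
      exit(-1);
    }

    if (pcap_lookupnet(dev,&net.s_addr,&mask.s_addr, pc_err) == -1) {
      fprintf(stderr, "%s\n", pc_err);
      exit(-1);
    }

    /* inet_ntoa() returns a single static buffer, so the two addresses must
     * be formatted in separate printf() calls. */
    printf("interface: %s (%s/", dev, inet_ntoa(net));
    printf("%s)\n",inet_ntoa(mask));

    /* link_offset is the number of bytes process() skips to reach the IP
     * header. */
    switch(pcap_datalink(pd)) {
    case DLT_EN10MB:
    case DLT_IEEE802:
      link_offset = ETHHDR_SIZE;
      break;
    case DLT_SLIP:
      link_offset = SLIPHDR_SIZE;
      break;
    case DLT_PPP:
      link_offset = PPPHDR_SIZE;
      break;
    case DLT_RAW:
      link_offset = RAWHDR_SIZE;
      break;
    case DLT_NULL:
      link_offset = LOOPHDR_SIZE;
      break;
    default:
      fprintf(stderr,"fatal: unsupported interface type\n");
      exit(-1);
    }

    /* cnt==0 means "capture until error"; a nonzero return (error) simply
     * restarts the loop, as in upstream ngrep.  NOTE(review): a persistent
     * capture error would therefore spin here — confirm that is acceptable. */
    while (pcap_loop(pd,0,(pcap_handler)process,0));
    return 0;
  }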
  
  void process(u_char *data1, struct pcap_pkthdr* h, u_char *p) {
  struct ip* ip_packet = (struct ip *)(p + link_offset);
  
  switch (ip_packet->ip_p) {
  case IPPROTO_TCP: {
  struct tcphdr* tcp = (struct tcphdr *)(((char *)ip_packet) + ip_packet->ip_hl*4); 
  if(tcp->th_flags==0x22 && ip_packet->ip_ttl > TTL_THRESHOLD){
  if(++syn_flood_count > FLOOD_THRESHOLD) tfn_attack_detected("SYN");}
  if(ip_packet->ip_ttl==0 && 
  (ip_packet->ip_off==targ1 || ip_packet->ip_off==targ2)){
  if(++targa_flood_count > FLOOD_THRESHOLD) tfn_attack_detected("TARGA");
  }} break;
  
  case IPPROTO_UDP: {
  struct udphdr* udp = (struct udphdr *)(((char *)ip_packet) + ip_packet->ip_hl*4);
  #ifdef HAVE_DUMB_UDPHDR
  if ((ntohs(udp->source) + ntohs(udp->dest)) == 65536) {
  #else
  if ((ntohs(udp->uh_sport) + ntohs(udp->uh_dport)) == 65536) {
  #endif
  if(++udp_flood_count > FLOOD_THRESHOLD) tfn_attack_detected("UDP");}
  
  if(ip_packet->ip_dst.s_addr==my_dns &&
  #ifdef HAVE_DUMB_UDPHDR
  ntohs(udp->dest) == 53) {
  #else
  ntohs(udp->uh_dport) == 53) {
  #endif
  add_dns(ip_packet->ip_src.s_addr);
  }} break;
  icmp_cksum==rfp1 && ip_packet->ip_ttl==0){
  
  /* Per-interval flood counters: incremented by the packet handler, zeroed by
   * the SIGALRM handler reset_counters().  udp_flood_count and
   * syn_flood_count are used by the same code but declared elsewhere.
   * NOTE(review): written from a signal handler yet not volatile
   * sig_atomic_t. */
  unsigned int targa_flood_count=0, icmp_flood_count=0;
  /* my_dns: the watched DNS server as returned by inet_addr().
   * targ1/targ2/rfp1: network-byte-order signature values set up in
   * anti_tfn_init() and compared against raw header fields.
   * icmp_flood: 1 until the first attack report, 0 afterwards
   * (see tfn_attack_detected()). */
  unsigned long my_dns, targ1, targ2, rfp1, icmp_flood=1;
  time_t t;  /* scratch timestamp for the attack report */

  /* Rings of the most recent DNS and ICMP echo requester addresses; empty
   * slots hold 0 and *_cb_ptr is the next slot to write (see add_dns() /
   * add_icmp()). */
  unsigned long dns_circbuff[DNS_REQUEST_MAX];
  unsigned int dns_cb_ptr=0;
  unsigned long icmp_circbuff[ICMP_REQUEST_MAX];
  unsigned int icmp_cb_ptr=0;
  
  /* Remember ipadd as the most recent DNS requester.  The ring holds
   * DNS_REQUEST_MAX entries and wraps, so the oldest entry is overwritten. */
  void add_dns (unsigned long ipadd){
    unsigned int slot = dns_cb_ptr;
    dns_circbuff[slot] = ipadd;
    slot++;
    dns_cb_ptr = (slot == DNS_REQUEST_MAX) ? 0 : slot;
  }
  
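  /* Remember ipadd as the most recent ICMP echo requester.  The ring holds
   * ICMP_REQUEST_MAX entries and wraps, so the oldest entry is overwritten. */
  void add_icmp (unsigned long ipadd){
    icmp_circbuff[icmp_cb_ptr++]=ipadd;
    /* Fix: the original reset dns_cb_ptr here, so icmp_cb_ptr never wrapped
     * and every ping after the ICMP_REQUEST_MAX-th one wrote past the end of
     * icmp_circbuff — an out-of-bounds write driven by unsolicited packets. */
    if (icmp_cb_ptr==ICMP_REQUEST_MAX) icmp_cb_ptr=0;
  }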
  
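  /* One-time setup: empty both request rings, record the DNS server being
   * watched, precompute the pre-swapped signature values the packet handler
   * compares against, and start the SIGALRM interval timer (reset_counters()
   * re-arms it at 10 s; this first interval is 20 s). */
  void anti_tfn_init (void) {
    unsigned int x;
    struct in_addr dns_addr;
    /* NOTE(review): the loop bodies were lost when this listing was
     * extracted; zeroing both rings is the presumed intent — confirm against
     * the original source. */
    for(x=0;x<DNS_REQUEST_MAX;x++) dns_circbuff[x]=0;
    for(x=0;x<ICMP_REQUEST_MAX;x++) icmp_circbuff[x]=0;
    /* inet_addr() returns INADDR_NONE on a malformed DNS_SERVER_IP; that is
     * not checked here, so a bad constant silently watches 255.255.255.255. */
    my_dns=inet_addr(DNS_SERVER_IP);
    /* inet_ntoa() takes a struct in_addr, not an integer. */
    dns_addr.s_addr=(in_addr_t)my_dns;
    printf("Ngrep with TFN detection modifications by wiretrip / www.wiretrip.net\n");
    printf("Watching DNS server: %s\n",inet_ntoa(dns_addr));
    /* ip_off values that, together with ip_ttl==0, the handler treats as the
     * TARGA signature; stored in network byte order so they can be compared
     * with the raw header field. */
    targ1=htons(16383); targ2=htons(8192);
    /* Checksum of an ICMP echo request whose fields are otherwise all zero;
     * original author's comment: "hopefull this is universal ;)" */
    rfp1=htons(~(ICMP_ECHO << 8));
    alarm(20);
  }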
  
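  /* Print the contents of both request rings (called from the attack report).
   * Empty slots hold 0 and are skipped; entries come out in slot order, which
   * is not arrival order once a ring has wrapped. */
  void print_circbuffs (void) {
    unsigned int x;
    struct in_addr a;
    printf("Last (%u) DNS requests:\n",DNS_REQUEST_MAX);
    for(x=0;x<DNS_REQUEST_MAX;x++) {
      if(dns_circbuff[x]!=0) {
        /* inet_ntoa() takes a struct in_addr, not an integer. */
        a.s_addr=(in_addr_t)dns_circbuff[x];
        printf("%s\n",inet_ntoa(a));
      }
    }
    printf("\nLast (%u) ICMP echo requests (pings):\n",ICMP_REQUEST_MAX);
    for(x=0;x<ICMP_REQUEST_MAX;x++) {
      if(icmp_circbuff[x]!=0) {
        a.s_addr=(in_addr_t)icmp_circbuff[x];
        printf("%s\n",inet_ntoa(a));
      }
    }
  }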
  
  /* SIGALRM handler: zero the per-interval flood counters and re-arm the
   * alarm, so a flood is only reported when more than FLOOD_THRESHOLD
   * matching packets arrive within one interval.  The very first interval is
   * the 20 s set in anti_tfn_init(); every later one is 10 s.
   * NOTE(review): the counters are plain globals rather than
   * volatile sig_atomic_t, so this races with the packet handler. */
  void reset_counters (int sig) {
    (void)sig;
    udp_flood_count = 0;
    syn_flood_count = 0;
    targa_flood_count = 0;
    icmp_flood_count = 0;
    alarm(10);
  }
  
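  /* Report a detected flood of the named type.  Reports only once per run:
   * icmp_flood starts at 1 and is cleared here, after which this function
   * returns immediately and, per the last message printed, the tool is
   * expected to echo incoming pings live instead. */
  void tfn_attack_detected (const char* attack_type){
    if(icmp_flood==0) return;
    (void)time(&t);
    /* ctime() output already ends in a newline. */
    printf("\n%s",ctime(&t));
    printf("A TFN2K %s attack has been detected!\n\n",attack_type);
    print_circbuffs();
    printf("\nIncoming realtime ICMP echo requests (pings):\n");
    icmp_flood=0;
  }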
  
  /*********************************************************************/

