Changing the maximum number of half-open connections the system allows?

Posted 2009-7-15 11:37:53
I want to run a SYN flood test, mainly to see how many half-open connections a Gentoo system can support at most, but during the test I found that the system could only hold 512 half-open connections. Is there any way to change the number of half-open connections the system allows?
OP | Posted 2009-7-15 19:24:55
No replies, so I'll bump it myself!!!!!!

Posted 2009-7-15 20:23:43
The difference between distributions lies in the package manager,
not in the system's network parameters...
and even less in the way those network parameters are changed...

Posted 2009-7-15 20:54:32
So surely it isn't
sysctl -w net.ipv4.tcp_max_syn_backlog="2048"

is it...

OP | Posted 2009-7-16 10:08:25
"mainly to see how many half-open connections a Gentoo system can support at most" <----- that wording was wrong. What I meant is: at how many open half-open connections does the server itself (dual CPU, 8 cores, 32G RAM) hang?

OP | Posted 2009-7-16 11:14:22
Problems during the test:
First, the test environment: 172.16.13.134 is the SYN attacking machine and 172.16.13.133 is the target; both machines are connected to the same Cisco 2960. The 134 machine is on port f0/6 and 133 is on port f0/5. The attack program on 134 attacks port 80 on 133, continuously creating half-open connections. Output captured during the test:
show inter f0/6 (the 134 machine)
FastEthernet0/6 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001e.f69f.9e06 (bia
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 165/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsuppor
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total outp
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 65084000 bits/sec, 127095 packets/sec

show inter f0/5 (the 133 machine)

FastEthernet0/5 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 001e.f69f.9e05 (bia
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 163/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, media type is 10/100BaseTX
  input flow-control is off, output flow-control is unsuppor
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total outp
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 64078000 bits/sec, 125129 packets/sec
You can see that the packet counts in and out on the two ports are basically balanced (there is a timing offset between when the two show commands were run).


The tcpdump result from 133; there was too much output, so only a small part is copied:

From the above you can see that 134 sent a large number of SYNs to port 80 on 133.

But the result of netstat -an on 133 is:
localhost ~ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 :::22                   :::*                    LISTEN      
tcp        0    128 ::ffff:172.16.13.133:22 ::ffff:172.16.13.1:5697 ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*                           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1695   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     165165 /tmp/ssh-JVJKC27315/agent.27315
localhost ~ # netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 :::22                   :::*                    LISTEN      
tcp        0    272 ::ffff:172.16.13.133:22 ::ffff:172.16.13.1:5697 ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*                           
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node Path
unix  2      [ ]         DGRAM                    1695   @/org/kernel/udev/udevd
unix  2      [ ACC ]     STREAM     LISTENING     165165 /tmp/ssh-JVJKC27315/agent.27315

I don't understand why no half-open connection state is shown. The first time I tested, the system showed a large number of half-open connection entries, but after I made the following change
echo 2048 >  /proc/sys/net/ipv4/tcp_max_syn_backlog
I got the result above... And after rebooting the system, with tcp_max_syn_backlog back at 1024, the result is still similar to the above?
I really can't figure it out; I'd appreciate some pointers from the experts...

Posted 2009-7-16 11:21:02
A maximum of no more than 1024? I remember it's the same on Windows; with all sorts of tools the highest you can set it to is also 1024.
  Is it specified by the protocol?
  Also, this has little to do with Gentoo-specific features, so asking here may not get good results! The Basics board above is quite active, and the Networking board is decent too; try asking there. Look how long you've been asking, and only the moderator has given you some information...

Posted 2009-7-17 09:19:12

OP | Posted 2009-7-17 14:49:02
What I can confirm is that the maximum number of half-open connections the system allows is not just 256, 512, 1024 and so on; when the company's two servers were tested, they easily ran above 10000... so I'm sure the maximum number of half-open connections the system allows can be changed.

Posted 2009-7-17 15:13:23
The length of the wait queue can be adjusted, right?

The parameters under /proc/sys/net/ipv4 can adjust the queue length.
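As an added example that is not part of the thread, a small POSIX shell script that does the two checks the discussion above turns on: it counts half-open (SYN_RECV) sockets in netstat-style output, and it prints the read-only values of the /proc/sys knobs that bound the SYN queue. The netstat sample is constructed, modelled on the output quoted in the thread (the 10.0.0.x peers are made up); the /proc paths used are net.ipv4.tcp_max_syn_backlog, net.ipv4.tcp_syncookies and net.core.somaxconn.

```shell
#!/bin/sh
# Added example (not from the thread): count half-open sockets in
# netstat output and show the kernel knobs that bound the SYN queue.

# Count TCP sockets in a given state from "netstat -ant"-style text on stdin.
# $1 = state name, e.g. SYN_RECV. Matches both "tcp" and "tcp6" rows.
count_tcp_state() {
    awk -v want="$1" '$1 ~ /^tcp/ && $NF == want { n++ } END { print n + 0 }'
}

# Print the sysctl values that bound the SYN queue (read-only; nothing is changed).
show_syn_queue_limits() {
    for f in net/ipv4/tcp_max_syn_backlog net/ipv4/tcp_syncookies net/core/somaxconn; do
        if [ -r "/proc/sys/$f" ]; then
            printf '%s = %s\n' "$f" "$(cat "/proc/sys/$f")"
        else
            printf '%s = (not readable here)\n' "$f"
        fi
    done
}

# Constructed sample, modelled on the netstat output quoted in the thread:
# one LISTEN, one ESTABLISHED, three half-open SYN_RECV entries.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 172.16.13.133:80        10.0.0.1:40001          SYN_RECV
tcp        0      0 172.16.13.133:80        10.0.0.2:40002          SYN_RECV
tcp        0      0 172.16.13.133:80        10.0.0.3:40003          SYN_RECV
tcp        0    128 172.16.13.133:22        172.16.13.1:5697        ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*'

half_open=$(printf '%s\n' "$SAMPLE_NETSTAT" | count_tcp_state SYN_RECV)
echo "half-open (SYN_RECV) sockets in sample: $half_open"
show_syn_queue_limits
```

On a live box, pipe `netstat -ant` (or `ss -tan`) into `count_tcp_state SYN_RECV` instead of the sample. Note that a listening socket's SYN queue is also capped by the backlog the application passes to listen() and by net.core.somaxconn, and with net.ipv4.tcp_syncookies enabled the kernel answers with cookies instead of queueing once the queue is full, so raising tcp_max_syn_backlog alone may change nothing visible in netstat.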
