Research on Active Worm Prevention Techniques in Large-Scale Networks -- Using the DNS Service to Suppress Worm Propagation. Author: Zheng Hui (郑辉). Date: 2003.12.22. Zheng Hui, China Education and Research Network Emergency Response Team (CCERT), [email protected]. Contents: why choose the DNS service; methods of using the DNS service; overall system framework design; system implementation based on configuration views; system implementation based on port forwarding; performance analysis and implementation results. Why choose the DNS service: most Internet applications use the DNS service; it speeds up the response of infected users.
Research on Active Worm Prevention Techniques in Large-Scale Networks -- Using the DNS Service to Suppress Worm Propagation. 2003.12.22

-- Using the DNS Service to Suppress Worm Propagation. Zheng Hui, China Education and Research Network Emergency Response Team (CCERT), [email protected]

Contents: why choose the DNS service; methods of using the DNS service; overall system framework design; system implementation based on configuration views; system implementation based on port forwarding; performance analysis and implementation results.

Why choose the DNS service: most Internet applications use the DNS service; it speeds up the response of infected users.
DNS
DNSBIND9viewIPDNSDNSDNSDNS
DNSDNSDNS
DNS
DNSDNSDNSIPDNSIPDNSDNSDNSDNSDNSDNS
DNSDNSDNSDNSDNS
DNS
IDSIPDNSIPIPDNSWarning Information Server
IPDNSIPIPHTTPWebTelnetSMTPPOP3
IDS configuration -- port mirroring on the switch so the IDS sees the traffic:

```
monitor session 1 source 9/1 destination 9/3
```

Snort rule used to flag Nachi-infected hosts (ICMP echo requests padded with 0xaa):

```
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"Nachi"; content:"|aaaaaa|"; dsize:64; itype:8; offset:1; depth:6; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)
```
BIND 9 (con.) -- ACL file listing the infected IPs, /var/named/ipacl:

```
acl "fakeresponse" {
    202.112.50.214;   # the ip of one infected machine.
};
```

Fake root zone /var/named/fake.cn, which answers every name with the WIS address (zone-file comments use ';', not '#'):

```
$TTL 600
@       IN SOA  ccert.edu.cn. hostmaster.ccert.edu.cn (
                2002031801 28800 1800 604800 86400 )
        IN NS   127.0.0.1
*.      IN A    202.112.57.9   ; the ip of WIS
```

BIND 9 (#) -- named.conf: clients matching the ACL are placed in a view whose "." zone is the fake one, so all their lookups resolve to the WIS:

```
include "ip";

view "internal" {
    match-clients { "fakeresponse"; };
    zone "." in {
        type master;
        file "fake.cn";
    };
};
```
WISInternetHTTPTelnetSMTPPOP3
Telnet (con.) -- fake telnet service script, /root/DNS/Port23.sh:

```sh
#!/bin/sh
########################################################
# Fake Telnetd for warning infected machines!          #
#                                                      #
# By Hui ZHENG. 2003.11.27                             #
########################################################
# Run from xinetd in place of telnetd: everything echoed here is sent to the client.
echo "May be your machine have been infected by Nachi worm!"
echo "Please download patch software from this site!"
echo "http://ccert.tsinghua.edu.cn"
```
Telnet (con.) -- edit the telnetd service file in xinetd:

```
[root@spark root]# cd /etc/xinetd.d
[root@spark xinetd.d]# cp telnet telnet.bak
[root@spark xinetd.d]# vim telnet
```

Telnet (#) -- restart xinetd:

```
/etc/init.d/xinetd restart
```
POP3 (con.) -- fake POP3 service script, /root/DNS/Port110.sh:

```tcl
#!/usr/bin/expect
########################################################
# Fake POP3d for warning infected machines!            #
#                                                      #
# By Hui ZHENG. 2003.12.10                             #
########################################################
# Run from xinetd: with no spawned process, expect reads the client's
# commands from stdin and send writes the replies to stdout.
send "+OK Qpopper (version 4.0.5) at ccert.edu.cn starting. \r\n"
expect {
    "USER" { send "+OK Password required for zhenghui.\r\n"; exp_continue }
    "PASS" { send "+OK zhenghui has 1 visible message in 575 octets.\r\n"; exp_continue }
    "STAT" { send "+OK 1 575\r\n"; exp_continue }
    "UIDL" { send -- "-ERR \r\n"; exp_continue }
    "TOP"  { send -- "-ERR \r\n"; exp_continue }
    "LIST" {
        send "+OK 1 visible messages 575 octets\r\n"
        send "1 372\r\n"
        send ".\r\n"
        exp_continue
    }
    "RETR" {
        # The single "message" in the mailbox is the warning itself.
        send "+OK 575 octets\r\n"
        send "From: [email protected]\r\n"
        send "Subject: warning\r\n\r\n"
        send "May be your computer was infected by Nachi worm!\r\n"
        send "Please download patch software from:\r\n"
        send "http://www.ccert.edu.cn\r\n"
        send ".\r\n"
        exp_continue
    }
    "DELE" { send "+OK \r\n"; exp_continue }
    "QUIT" {
        send "+OK Pop server at ccert.edu.cn signing off.\r\n"
        exit   ;# end the session; exp_continue after a close would fail
    }
}
```
POP3 (con.) -- edit the ipop3 service file in xinetd:

```
[root@spark root]# cd /etc/xinetd.d
[root@spark xinetd.d]# cp ipop3 ipop3.bak
[root@spark xinetd.d]# vim ipop3
```

POP3 (#) -- restart xinetd:

```
/etc/init.d/xinetd restart
```
IPIPIPDNSDNSDNSIPDNSDNSHTTPWebTelnetSMTPPOP3
(con.)DNSIPIPIPIPDNSDNS
(#) Perl -- Trans.pl:

```perl
#!/usr/bin/perl -w
#############################################
# DNS isolation concept samples.           #
#                                          #
# Program Name: Trans.pl                   #
#                                          #
# Function Description:                    #
# Listening on a port (53), as a DNS       #
# server, respond to normal DNS queries.   #
# If the client is in the black list, a    #
# fake response packet is given.           #
#                                          #
# By zhenghui_at_ccert.edu.cn. 2003.10.29  #
#############################################
```
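The Trans.pl idea (a DNS front end on port 53 that answers black-listed clients with a fake A record pointing at the WIS, and lets everyone else resolve normally) as an added Python example; this is not the presentation's own code. The fake-answer path is implemented in full; for clients not on the list the function returns None and the caller is expected to forward the query to a real resolver. The WIS and infected-host addresses are the ones from the BIND slides; the query and blacklist are constructed test input.

```python
import struct
from ipaddress import IPv4Address

# Constructed for this example: WIS address and one quarantined host (from the slides).
WIS_IP = "202.112.57.9"
BLACKLIST = {"202.112.50.214"}
FAKE_TTL = 600

def parse_question(pkt):
    """Return (txid, qname, qtype, qclass, raw_question) of a one-question DNS query."""
    txid, _flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        n = pkt[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointers never appear in a query's question name
            raise ValueError("unexpected compression pointer in question")
        labels.append(pkt[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pkt[12:pos + 4]

def fake_response(query, client_ip):
    """For a quarantined client, answer every A/IN query with the WIS address.
    Returns None when the query must instead be forwarded to a real resolver."""
    if client_ip not in BLACKLIST:
        return None
    txid, _qname, qtype, qclass, question = parse_question(query)
    if qtype != 1 or qclass != 1:  # only A/IN is faked, mirroring the '*. IN A' zone
        return None
    rd = struct.unpack("!H", query[2:4])[0] & 0x0100  # copy the client's RD bit
    flags = 0x8000 | 0x0400 | rd | 0x0080             # QR, AA (like the fake "." zone), RA
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # One answer RR: name = pointer to the question name at offset 12, type A, class IN.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, FAKE_TTL, 4) + IPv4Address(WIS_IP).packed
    return header + question + rr

def build_query(name, txid=0x1234):
    """Build a standard recursive A/IN query (constructed test input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def answered_ip(response):
    """Address carried in the single answer RR of a fake_response() packet."""
    return str(IPv4Address(response[-4:]))
```

To deploy it as the slide describes, wrap fake_response() in a UDP socket loop bound to port 53 and relay every None case to the site's recursive resolver, returning its answer unchanged.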
DNS
DNSDNS
1DNS
Chart 2 data (series 95_254): one value per day from Excel date serial 37,895 (2003-10-01) to 37,962 (2003-12-07); a second series of the same length is all zeros.

2003-10-01 to 10-07: 686, 674, 648, 653, 711, 746, 887
2003-10-08 to 10-14: 764, 706, 998, 934, 886, 904, 916
2003-10-15 to 10-21: 931, 901, 892, 812, 859, 899, 833
2003-10-22 to 10-28: 741, 743, 723, 615, 636, 683, 671
2003-10-29 to 11-04: 704, 736, 623, 622, 627, 691, 649
2003-11-05 to 11-11: 688, 654, 646, 631, 656, 658, 609
2003-11-12 to 11-18: 521, 529, 566, 471, 521, 588, 645
2003-11-19 to 11-25: 699, 633, 615, 523, 570, 693, 732
2003-11-26 to 12-02: 725, 706, 577, 500, 484, 448, 435
2003-12-03 to 12-07: 449, 421, 424, 330, 321
2 DNS -- I(k): number of IPs; B(k): number of IPs (WIS); S = B(k)/I(k); DNS ACL DNS
3DNS
Chart 2 data (series b_I): k is the Excel date serial (37,952 = 2003-11-27), S = B(k)/I(k).

| k | date | B(k) | I(k) | S = B(k)/I(k) |
|---|---|---|---|---|
| 37,952 | 2003-11-27 | 172 | 705 | 0.2439716312 |
| 37,953 | 2003-11-28 | 141 | 576 | 0.2447916667 |
| 37,954 | 2003-11-29 | 113 | 499 | 0.2264529058 |
| 37,955 | 2003-11-30 | 121 | 483 | 0.2505175983 |
| 37,956 | 2003-12-01 | 115 | 447 | 0.2572706935 |
| 37,957 | 2003-12-02 | 111 | 434 | 0.2557603687 |
| 37,958 | 2003-12-03 | 63 | 448 | 0.140625 |
| 37,959 | 2003-12-04 | 73 | 420 | 0.1738095238 |
| 37,960 | 2003-12-05 | 77 | 423 | 0.1820330969 |
| 37,961 | 2003-12-06 | 71 | 329 | 0.2158054711 |
| 37,962 | 2003-12-07 | 64 | 320 | 0.2 |
4DNSWISIPDNSWISDNS
5DNS3~480%
Chart 1 data (three series labelled 1127, 1128, 1129; rows indexed 0 to 7 as in Sheet1):

| index | 1127 | 1128 | 1129 |
|---|---|---|---|
| 0 | 0.5581395349 | 0.5957446809 | 0.5575221239 |
| 1 | 0.4011627907 | 0.4113475177 | 0.3539823009 |
| 2 | 0.3313953488 | 0.3262411348 | 0.2566371681 |
| 3 | 0.2674418605 | 0.2765957447 | 0.185840708 |
| 4 | 0.226744186 | 0.1914893617 | 0.1592920354 |
| 5 | 0.1860465116 | 0.170212766 | 0.1327433628 |
| 6 | 0.1511627907 | 0.1276595745 | 0.1327433628 |
| 7 | 0.1220930233 | 0.0780141844 | 0.0530973451 |
References
- Nachi / DNS (CCERT)
- Paul Albitz & Cricket Liu, DNS and BIND (2002)
- RFC 1939, Post Office Protocol - Version 3 (POP3)
- http://www.fanqiang.com/a6/b9/20010929/1305001372.html
Thanks !