Denial-of-Service Attacks

Discussion on Denial-of-Service Attacks within the Shaiya Private Server forum part of the Shaiya category.

Old   #1
 
sondo81's Avatar
 
elite*gold: 0
Join Date: Sep 2010
Posts: 400
Received Thanks: 643
Denial-of-Service Attacks

#Account has been hacked!
sondo81 is offline  
Thanks
3 Users
Old 11/17/2011, 02:38   #2
 
sondo81's Avatar
 
elite*gold: 0
Join Date: Sep 2010
Posts: 400
Received Thanks: 643
#Account has been hacked!
sondo81 is offline  
Old 11/17/2011, 03:07   #3
 
JohnHeatz's Avatar
 
elite*gold: 150
Join Date: Apr 2010
Posts: 9,739
Received Thanks: 8,977
An English translation of this post would be awesome, as it is hard to get an accurate translation with any translator from German to English and vice versa.

This is the best translation I got, yet on any of the translators I used I could get some words....I apologize if the translation is mistaken as I got some differences on different translators.

Quote:
Here is a short explanation what this is and what one if then you can do about it.

Dos:

By and large it's web server to fill them with requests that normal users do not get to the train.
But this is a large bandwidth is required and the IP address of the attacker once determined, it is also locked out quickly. (Netstat)

There are effective firewalls that help against (D-Guard, but very expensive) There are also some freeware its effectiveness until now I still do not exactly know.

Experienced server admins also like to take back to your own scripts.

Short example: incoming Ip's record with monitor, create database with White and Black list. All normal requests in the White list forward (White List had then only access to server services)
in more than 40 seconds per move request in the Blacklist: ausgespert.

Syn Flood:

Syn-flood attacks are not aimed utilize the bandwidth, but block the system resources of the server itself.

She called to send SYN packets to the TCP port of the service from a Web server on port 80 so [...] (?)

The server registers the desired synchronization of the client specifies an entry in its tables on this and confirms the request with its own synchronization packet (SYN / ACK).

Normally, the client confirmed this with an ACK packet, and thus completes the so-called three-way handshake of a TCP connection.

SYN flood attacker can make the server with its half-open connections, append. The wait for a time and repeated its SYN / ACK packet, the first is the assumption has been lost (retransmission). Instead of answering, but only come from further connection requests.

SYN requests are stored in a special buffer, called the backlog queue. This is full it can accept any more connections on this port. (The system from locked)

Usually had the backlog queue space for 256 such request. This is all cleared Parr minutes. (The time where no one can access the system).
Half-open connections with the status show netstat SYN_RECEIVED.

But a suitably prepared system is thus not easy to force in the knee. As a first step, the administrator can increase the size of the backlog queue careful.

In the registry HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (win server 2003! In winserver 2008/R2 these are not for whatever reason) the value of the parameter TcpMaxDataRetransmissions. To harden the system to set it to 2 (DWORD), resulting in the backlog queue for a timeout of 21 seconds for the result.

In addition, Windows has a mechanism to detect SYN flood attacks and react independently. This enabled the SynAttackProtect parameters, the values of TcpMaxHalfOpen TcpMaxHalfOpenRetried and specify the limits, beyond which the system activates protective mechanisms. If SynAttackProtect to 1, Windows sets the number of retransmission reduced and delayed the creation of entries in the routing cache. The recommended value of 2 also ensures that Windows will notify completed only after a three-way handshake, the Winsock subsystem via the incoming connection. The behavior of the system during normal operation is not changed by SynAttackProtect.

The real vulnerability that is exploited SYN flooder, the backlog queue, it also change the measures presented nothing. You can make an attack significantly, but an attacker with sufficient resources the backlog queue is still flooded with useless entries.

As you can completely eliminate this vulnerability we use the so-called SYN cookies mechanism as a fallback if the backlog queue is full. They require no adjustments to the clients, from their perspective, the server responds continue normally.

And many of these types of attacks as a confused dierekt intervention (hack) but only noise on the network / server are caused by simple scripts.
[Second post translation]
Quote:
[...]DDoS are carried out usually with the help of backdoor programs[...]

To the point of attack must be set to the 85% of all infested with knowledge Shaiya Pserver (vulnerable) server files are the way. The main address is then PSMServer_agent Sons and access via IP address via PS_Game.exe from the client are in massive amounts, it can start the booter loader or EXE in this extent.

In order to prevent this is a very simple version of Synflood you access with a very simple script to each possible IP on this EXE Limit = no DDos!

This only applies solely to this type of attack (DDoS kiddie, Or Ap .... DDoS)

I use this thread to please all alone for technical things and not flame or Hate orgy to make it otherwise you know it so CLOSED

Limitation:
One can write a simple script to query them exactly what the said Exe responded!

That each IP only every three to five seconds may make a request (in quick succession would be the remainder discarded), which under normal use, not disturbing the load during DoS attacks, but lowers considerably. Since I just Weis moment in which the attacks take place with very limited bandwidth is the solution for this to happen Fried shut out disturbing. (For high bandwidth DDoS, whole bot network or even a global network! Not! Applicable)
I put that line under the words I couldn't get a translation for; if anyone has any corrections, just PM them to me and I'll fix it.

And as sondo said, no flaming, nor arguments or spam in here, every post that goes that way will be deleted and warned/infracted if necessary.
JohnHeatz is offline  
Thanks
1 User
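The SYN cookie fallback mentioned in the post above, as an added example that is not part of the original thread: the server packs a time counter, an MSS index and a keyed hash into its initial sequence number, so it keeps no backlog entry and still recognises a genuine final ACK. This is a simplified model of the classic 5/3/24-bit layout with HMAC-SHA256 swapped in as the hash; the key, the MSS table, the addresses and the function names are all constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # constructed; a real stack uses a random per-boot key
MSS_TABLE = [216, 536, 768, 996, 1024, 1220, 1440, 1460]  # constructed 3-bit MSS table
SLOT = 64  # seconds per time-counter step


def _mac24(flow, counter, mss_idx):
    """24-bit keyed hash over the connection 4-tuple, time counter and MSS index."""
    msg = repr((flow, counter, mss_idx)).encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(flow, client_mss, now):
    """Build the server's initial sequence number for the SYN/ACK.

    Layout: 5 bits time counter | 3 bits MSS index | 24 bits keyed hash.
    Nothing is stored in the backlog queue for this SYN.
    """
    counter = int(now) // SLOT
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    return ((counter % 32) << 27) | (mss_idx << 24) | _mac24(flow, counter, mss_idx)


def check_ack(flow, ack_number, now):
    """Validate the client's final ACK; return the MSS to use, or None to drop it."""
    cookie = (ack_number - 1) & 0xFFFFFFFF  # the client acknowledges ISN + 1
    mss_idx = (cookie >> 24) & 0x7
    for age in (0, 1):  # accept the current and the previous time slot only
        counter = int(now) // SLOT - age
        if counter % 32 != cookie >> 27:
            continue
        if hmac.compare_digest(
            _mac24(flow, counter, mss_idx).to_bytes(3, "big"),
            (cookie & 0xFFFFFF).to_bytes(3, "big"),
        ):
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    flow = ("203.0.113.9", 40000, "192.0.2.10", 80)  # constructed src/dst addresses
    isn = make_cookie(flow, client_mss=1400, now=1000)
    print("genuine ACK ->", check_ack(flow, isn + 1, now=1030))
    print("guessed ACK ->", check_ack(flow, 12345, now=1030))
    print("stale ACK   ->", check_ack(flow, isn + 1, now=1300))
```

Because the connection state is recomputed from the ACK itself, a flood of SYNs that never complete the handshake costs the server one hash each and no queue slot.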
Old 11/17/2011, 03:20   #4
 
sondo81's Avatar
 
elite*gold: 0
Join Date: Sep 2010
Posts: 400
Received Thanks: 643
I know everyone now wants "this" script, but you can't just post it like that!!!!

However, I am willing to write one in individual cases, given enough trust.

PS. Good Night Good Fight Shaiya Forever
sondo81 is offline  
Old 11/17/2011, 03:28   #5
 
elite*gold: 0
Join Date: Apr 2011
Posts: 370
Received Thanks: 350
Q: What is a botnet?
A: A botnet is where you send a trojan to someone and when they open it a "bot" joins your channel on IRC (secretly, they don't know this). Once done the computer is now referred to as a "zombie".
Depending on the source you used, the bot can do several things.


But once again depending on the source you can:
Keylog their computer, take pictures of their screen, turn on their webcam and take pics/movies, harvest cdkeys and game keys or even cracks, passwords, aim screen names, emails, you can also spam, flood, DDoS, ping, packet, yada yada, some have built in md5 crackers, and clone functions to spam other irc channels and overrun a channel and even perform IRC "Takeovers".
Once again depending on the bot it may be able to kill other fellow competitor bots.
Or even kill AV/FW upon startup.
Add itself to registry.
Open sites.
Open commands.
Cmd,
notepad,
html,
Anything is possible!

There's the infected computers ("bots"), the attacker, the server, and the victim.

That's what a DDOS is, and they use BOTNETS.

If you want to avoid DDOS you need HUGE internet connection...let's say over 10GB's.
Maybe there is something else that you can do against them, but I don't know exactly what.

A future cooperation maybe will get us something that might stop those attacks.
taZツ is offline  
Old 11/17/2011, 12:54   #6
 
elite*gold: 0
Join Date: May 2008
Posts: 386
Received Thanks: 61
Well, I would be interested in such a script.

Good to know that you can write something like that.
kalle801 is offline  
Old 11/19/2011, 01:33   #7
 
sondo81's Avatar
 
elite*gold: 0
Join Date: Sep 2010
Posts: 400
Received Thanks: 643
I know for certain that you can write that too, Kalle!!!!!

I know that anyone can write a server script like this!!!

Because they are built right into the Windows servers!!! You just have to find them; there is a huge number of deactivated, useful server scripts just waiting to take effect!

For those who nevertheless want a custom-made firewall rule, please PM and do not reply in the thread.
sondo81 is offline  
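The per-IP limit described in post #3 (one request per address every three to five seconds, the rest discarded, repeat offenders moved to a blacklist), as an added example that is not the script discussed in this thread. The strike limit, the strike window, the whitelist semantics and all names and addresses are assumptions made for this sketch.

```python
MIN_INTERVAL = 3.0    # seconds between accepted requests per IP (the post says three to five)
STRIKE_LIMIT = 5      # assumption: discarded requests tolerated before blacklisting
STRIKE_WINDOW = 40.0  # assumption: strikes older than this many seconds are forgotten


class PerIpLimiter:
    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)  # assumption: trusted addresses, never limited
        self.blacklist = set()
        self.last_accept = {}            # ip -> time of the last accepted request
        self.strikes = {}                # ip -> times of recently discarded requests

    def decide(self, ip, now):
        """Return 'accept', 'discard' or 'blocked' for one request."""
        if ip in self.whitelist:
            return "accept"
        if ip in self.blacklist:
            return "blocked"
        last = self.last_accept.get(ip)
        if last is None or now - last >= MIN_INTERVAL:
            self.last_accept[ip] = now
            return "accept"
        # Too soon after the last accepted request: discard and record a strike.
        recent = [t for t in self.strikes.get(ip, []) if now - t < STRIKE_WINDOW]
        recent.append(now)
        self.strikes[ip] = recent
        if len(recent) >= STRIKE_LIMIT:
            self.blacklist.add(ip)
            return "blocked"
        return "discard"


# Constructed request log: (seconds, source IP). 198.51.100.7 behaves like a normal
# client, 203.0.113.9 sends requests in quick succession.
SAMPLE = [(0.0, "198.51.100.7"), (0.2, "203.0.113.9"), (0.4, "203.0.113.9"),
          (0.6, "203.0.113.9"), (0.8, "203.0.113.9"), (1.0, "203.0.113.9"),
          (1.2, "203.0.113.9"), (4.0, "198.51.100.7"), (5.0, "203.0.113.9"),
          (5.5, "198.51.100.7")]


def replay(events, limiter=None):
    """Run a request log through the limiter and return (time, ip, verdict) rows."""
    limiter = limiter or PerIpLimiter()
    return [(t, ip, limiter.decide(ip, t)) for t, ip in events]


if __name__ == "__main__":
    for t, ip, verdict in replay(SAMPLE):
        print(f"{t:5.1f}s  {ip:<14} {verdict}")
```

The tables hold one entry per source address, so, as the post says, this only suits low-bandwidth floods from a limited set of addresses.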