V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
Distributions
Ubuntu
Fedora
CentOS
中文资源站
网易开源镜像站
thekll
V2EX  ›  Linux

linux8080 端口被攻击,这是怎么做到的?

  •  
  •   thekll · 2014-07-16 23:22:36 +08:00 · 19406 次点击
    这是一个创建于 3781 天前的主题,其中的信息可能已经有所发展或是发生改变。
    tcpdump显示众多源ip,而且来自不同地方,24小时不间断的刷啊
    ……
    22:59:53.757199 IP 111.8.62.3.8038 > my_server_name.webcache: R 1002659497:1002659497(0) ack 1 win 0
    22:59:53.758036 IP 110.205.143.219.broad.bj.bj.dynamic.163data.com.cn.5029 > my_server_name.webcache: S 2851863028:2851863028(0) win 1480
    22:59:53.774206 IP 130.76.181.60.broad.wz.zj.dynamic.163data.com.cn.36426 > my_server_name.webcache: S 2831028411:2831028411(0) win 1480
    22:59:53.776075 IP 123.139.209.184.30137 > my_server_name.webcache: S 4017635361:4017635361(0) win 1480
    22:59:53.776839 IP 121.34.221.119.9908 > my_server_name.webcache: S 837044024:837044024(0) win 1480
    22:59:53.781730 IP 144.0.193.26.27286 > my_server_name.webcache: R 2655450285:2655450285(0) ack 1 win 0
    22:59:53.783780 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
    22:59:53.783793 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
    22:59:53.789409 IP 206.82.184.183.adsl-pool.sx.cn.8488 > my_server_name.webcache: S 13292673:13292673(0) win 1480
    22:59:53.803736 IP 166.105.183.60.broad.sx.zj.dynamic.163data.com.cn.59965 > my_server_name.webcache: R 2434986321:2434986321(0) ack 1 win 0
    22:59:53.817055 IP 14.154.201.202.dxmessagebase2 > my_server_name.webcache: S 2422988313:2422988313(0) win 1480
    22:59:53.817658 IP 180.115.186.7.39709 > my_server_name.webcache: R 3067036612:3067036612(0) ack 1 win 0
    22:59:53.818075 IP 153.37.55.209.57890 > my_server_name.webcache: S 2647351680:2647351680(0) win 1480
    22:59:53.818087 IP 153.37.55.209.57890 > my_server_name.webcache: S 2647351680:2647351680(0) win 1480
    22:59:53.824919 IP 144.0.193.26.27385 > my_server_name.webcache: S 1679616443:1679616443(0) win 1480
    22:59:53.824932 IP 144.0.193.26.27385 > my_server_name.webcache: S 1679616443:1679616443(0) win 1480
    22:59:53.832040 IP 27.185.89.240.8278 > my_server_name.webcache: S 2250297298:2250297298(0) win 1480
    22:59:53.842221 IP 175.169.242.165.51397 > my_server_name.webcache: R 966327137:966327137(0) ack 1 win 0
    22:59:53.858841 IP 58.217.15.160.9770 > my_server_name.webcache: R 3874420565:3874420565(0) ack 1 win 0
    22:59:53.863049 IP 119.39.100.149.20802 > my_server_name.webcache: R 1758236370:1758236370(0) ack 1 win 0
    22:59:53.898999 IP 115.239.101.28.33431 > my_server_name.webcache: S 1548454999:1548454999(0) win 1480
    22:59:53.902565 IP 125.110.164.254.9133 > my_server_name.webcache: S 3853615462:3853615462(0) win 1480
    22:59:53.902580 IP 49.74.31.167.8254 > my_server_name.webcache: S 1346836169:1346836169(0) win 1480
    22:59:53.911242 IP 27.224.112.168.bmc-messaging > my_server_name.webcache: S 297943441:297943441(0) win 1480
    22:59:53.929590 IP dns112.online.tj.cn.32535 > my_server_name.webcache: S 2075983090:2075983090(0) win 1480
    22:59:53.935222 IP 16.71.65.222.broad.xw.sh.dynamic.163data.com.cn.8449 > my_server_name.webcache: S 2913705709:2913705709(0) win 1480
    22:59:53.946193 IP 222.45.49.113.8390 > my_server_name.webcache: S 3781919088:3781919088(0) win 1480
    22:59:53.947681 IP 66.207.116.112.broad.km.yn.dynamic.163data.com.cn.33159 > my_server_name.webcache: S 2209899657:2209899657(0) win 1480
    22:59:53.976692 IP 14.218.21.6.9852 > my_server_name.webcache: S 3023885051:3023885051(0) win 1480
    22:59:53.981722 IP 221.0.170.122.14864 > my_server_name.webcache: S 3007029936:3007029936(0) win 1480
    22:59:53.985180 IP 110.255.103.153.28030 > my_server_name.webcache: S 2555479591:2555479591(0) win 1480
    22:59:53.986831 IP 183.159.3.34.8346 > my_server_name.webcache: R 2380657566:2380657566(0) ack 1 win 0
    22:59:53.994203 IP 118.117.57.14.cp-cluster > my_server_name.webcache: S 3081085765:3081085765(0) win 1480
    22:59:54.011245 IP 113.90.202.185.4836 > my_server_name.webcache: S 776337793:776337793(0) win 1480
    22:59:54.013997 IP 49.118.57.184.8258 > my_server_name.webcache: S 1156547442:1156547442(0) win 1480
    22:59:54.014009 IP 221.215.151.250.44029 > my_server_name.webcache: S 3109020875:3109020875(0) win 1480
    22:59:54.022167 IP 111.197.58.220.9137 > my_server_name.webcache: S 3907009925:3907009925(0) win 1480
    22:59:54.022184 IP 111.197.58.220.9137 > my_server_name.webcache: S 3907009925:3907009925(0) win 1480
    22:59:54.022900 IP 61.185.143.28.8284 > my_server_name.webcache: R 1173062330:1173062330(0) ack 1 win 0
    22:59:54.028399 IP 136.252.36.120.broad.xm.fj.dynamic.163data.com.cn.simco > my_server_name.webcache: S 1312027176:1312027176(0) win 1480
    22:59:54.034943 IP 61.185.143.28.8392 > my_server_name.webcache: S 1614871623:1614871623(0) win 1480
    22:59:54.034955 IP 61.185.143.28.8392 > my_server_name.webcache: S 1614871623:1614871623(0) win 1480
    22:59:54.035394 IP hn.ly.kd.adsl.8111 > my_server_name.webcache: S 1001433483:1001433483(0) win 1480
    22:59:54.039576 IP 132.197.224.121.broad.wx.js.dynamic.163data.com.cn.10336 > my_server_name.webcache: S 1342978446:1342978446(0) win 1480
    22:59:54.046402 IP 106.7.171.189.pxc-spvr-ft > my_server_name.webcache: S 1452239929:1452239929(0) win 1480
    22:59:54.052456 IP 113.13.235.78.10169 > my_server_name.webcache: S 2948772484:2948772484(0) win 1480
    22:59:54.057786 IP 221.214.165.207.28021 > my_server_name.webcache: S 4175701552:4175701552(0) win 1480
    22:59:54.057799 IP 221.214.165.207.28021 > my_server_name.webcache: S 4175701552:4175701552(0) win 1480
    22:59:54.059363 IP 75.86.249.116.broad.km.yn.dynamic.163data.com.cn.51418 > my_server_name.webcache: S 3740281310:3740281310(0) win 1480
    22:59:54.062078 IP 72.75.224.121.broad.sz.js.dynamic.163data.com.cn.7210 > my_server_name.webcache: S 4248304216:4248304216(0) win 1480
    22:59:54.069013 IP 112.236.115.118.9566 > my_server_name.webcache: S 2405441829:2405441829(0) win 1480
    22:59:54.074719 IP 118.244.255.191.netsupport > my_server_name.webcache: R 3061295251:3061295251(0) ack 1 win 0
    22:59:54.079061 IP 221.234.18.213.18438 > my_server_name.webcache: S 3902858610:3902858610(0) win 1480
    22:59:54.079764 IP 49.118.233.13.42780 > my_server_name.webcache: S 284912091:284912091(0) win 1480
    22:59:54.095316 IP 60.208.145.149.10256 > my_server_name.webcache: S 4047045660:4047045660(0) win 1480
    22:59:54.095963 IP 243.182.186.220.broad.wz.zj.dynamic.163data.com.cn.9967 > my_server_name.webcache: S 537343209:537343209(0) win 1480
    22:59:54.102875 IP 60.208.145.149.10256 > my_server_name.webcache: S 4047045660:4047045660(0) win 1480
    22:59:54.102888 IP 222.85.82.172.25527 > my_server_name.webcache: S 3426084465:3426084465(0) win 1480
    22:59:54.105697 IP 183.4.78.98.13468 > my_server_name.webcache: S 2301594782:2301594782(0) win 1480
    22:59:54.107782 IP 183.4.78.98.13468 > my_server_name.webcache: S 2301594782:2301594782(0) win 1480
    22:59:54.107796 IP 223.245.221.200.7679 > my_server_name.webcache: S 2689566425:2689566425(0) win 1480
    22:59:54.108961 IP 183.37.240.190.gdp-port > my_server_name.webcache: S 4051266830:4051266830(0) win 1480
    22:59:54.117948 IP 203.40.160.220.broad.fz.fj.dynamic.163data.com.cn.10441 > my_server_name.webcache: R 578534989:578534989(0) ack 1 win 0
    22:59:54.124967 IP 125.80.164.76.25311 > my_server_name.webcache: S 451547197:451547197(0) win 1480
    22:59:54.135321 IP 4.196.161.222.adsl-pool.jlccptt.net.cn.10157 > my_server_name.webcache: S 4105966441:4105966441(0) win 1480
    22:59:54.146985 IP 1.30.208.122.10451 > my_server_name.webcache: S 1245850958:1245850958(0) win 1480
    22:59:54.156400 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.9796 > my_server_name.webcache: R 3580832085:3580832085(0) ack 1 win 0
    22:59:54.183885 IP 50.136.164.60.dail.ww.gs.dynamic.163data.com.cn.9686 > my_server_name.webcache: S 3016376764:3016376764(0) win 1480
    22:59:54.186629 IP 110.18.37.197.10133 > my_server_name.webcache: S 2034068461:2034068461(0) win 1480
    22:59:54.196794 IP 110.18.37.197.10133 > my_server_name.webcache: S 2034068461:2034068461(0) win 1480
    22:59:54.204207 IP 115.197.77.171.48161 > my_server_name.webcache: S 2814195837:2814195837(0) win 1480
    22:59:54.208412 IP 119.127.11.57.43422 > my_server_name.webcache: S 2900665168:2900665168(0) win 1480
    22:59:54.217071 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.sctp-tunneling > my_server_name.webcache: S 1115400968:1115400968(0) win 1480
    22:59:54.217084 IP 213.81.23.175.adsl-pool.jlccptt.net.cn.sctp-tunneling > my_server_name.webcache: S 1115400968:1115400968(0) win 1480
    22:59:54.217496 IP 222.169.69.157.4871 > my_server_name.webcache: S 4075432759:4075432759(0) win 1480
    22:59:54.218155 IP 106.123.253.121.35167 > my_server_name.webcache: S 3729309272:3729309272(0) win 1480
    22:59:54.219195 IP 60.215.9.53.7635 > my_server_name.webcache: S 424080732:424080732(0) win 1480
    22:59:54.227259 IP 113.140.203.200.davsrcs > my_server_name.webcache: R 3002732680:3002732680(0) ack 1 win 0
    22:59:54.234954 IP 113.63.193.231.9946 > my_server_name.webcache: R 3908004795:3908004795(0) ack 1 win 0
    22:59:54.243492 IP 101.68.10.163.15661 > my_server_name.webcache: F 75140799:75140799(0) ack 1 win 65392
    22:59:54.267196 IP 222.188.196.139.56758 > my_server_name.webcache: S 1991756040:1991756040(0) win 1480
    22:59:54.268158 IP 115.202.32.23.9255 > my_server_name.webcache: S 89562150:89562150(0) win 1480
    22:59:54.268174 IP 115.202.32.23.9255 > my_server_name.webcache: S 89562150:89562150(0) win 1480
    22:59:54.273537 IP 124.67.140.33.20199 > my_server_name.webcache: S 500945474:500945474(0) win 1480
    22:59:54.276398 IP 14.146.43.25.9707 > my_server_name.webcache: S 160170707:160170707(0) win 1480
    22:59:54.279003 IP 14.146.43.25.9707 > my_server_name.webcache: S 160170707:160170707(0) win 1480
    22:59:54.280061 IP 183.3.16.119.8064 > my_server_name.webcache: R 2011629550:2011629550(0) ack 1 win 0
    22:59:54.296037 IP 113.8.223.196.aironetddp > my_server_name.webcache: S 167678558:167678558(0) win 1480
    …….
    第 1 条附言  ·  2014-07-19 18:44:58 +08:00
    怀疑受到基于P2P的DDoS攻击,这种攻击类型只能在应用层防御?
    第 2 条附言  ·  2014-07-19 18:48:51 +08:00
    sar四次结果:

    18时46分35秒 IFACE rxpck/s txpck/s rxbyt/s txbyt/s rxcmp/s txcmp/s rxmcst/s
    18时46分36秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    18时46分36秒 eth0 256.00 0.00 15616.00 0.00 0.00 0.00 0.00

    18时46分36秒 IFACE rxpck/s txpck/s rxbyt/s txbyt/s rxcmp/s txcmp/s rxmcst/s
    18时46分37秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    18时46分37秒 eth0 262.00 4.00 15720.00 844.00 0.00 0.00 5.00

    18时46分37秒 IFACE rxpck/s txpck/s rxbyt/s txbyt/s rxcmp/s txcmp/s rxmcst/s
    18时46分38秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    18时46分38秒 eth0 264.00 2.00 15840.00 684.00 0.00 0.00 0.00

    18时46分38秒 IFACE rxpck/s txpck/s rxbyt/s txbyt/s rxcmp/s txcmp/s rxmcst/s
    18时46分39秒 lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    18时46分39秒 eth0 277.00 2.00 16636.00 684.00 0.00 0.00 1.00

    Average: IFACE rxpck/s txpck/s rxbyt/s txbyt/s rxcmp/s txcmp/s rxmcst/s
    Average: lo 0.00 0.00 0.00 0.00 0.00 0.00 0.00
    Average: eth0 264.75 2.00 15953.00 553.00 0.00 0.00 1.50
    16 条回复    2014-07-21 08:26:31 +08:00
    pp3182429
        1
    pp3182429  
       2014-07-17 11:11:59 +08:00   ❤️ 1
    关注。
    wzxjohn
        2
    wzxjohn  
       2014-07-17 12:01:45 +08:00
    难道不是DDoS?有什么好奇怪的???
    thekll
        3
    thekll  
    OP
       2014-07-19 02:21:56 +08:00
    @wzxjohn

    tcpdump显示大量不同的源ip,如果这些ip是随机伪造的,应该不可能完成三次握手,为什么通过netstat查看状态有大量ESTABLISHED?
    我理解的伪造源ip的攻击主要用于SYN Flood,所以不清楚我目前遇到的属于哪种。

    以下是tcpdump加参数-nnX的输出结果:

    01:55:04.500822 IP 180.111.189.20.8707 > 172.16.201.201.8080: S 598833600:598833600(0) win 1480
    0x0000: 4500 0028 ed6a 0000 fe06 e806 b46f bd14 E..(.j.......o..
    0x0010: ac10 c9c9 2203 1f90 23b1 79c0 0000 0000 ...."...#.y.....
    0x0020: 5002 05c8 e3b7 0000 0000 0000 0000 P.............
    01:55:04.500839 IP 180.111.189.20.8707 > 172.16.201.201.8080: S 598833600:598833600(0) win 1480
    0x0000: 4500 0028 eaaf 0000 fe06 eac1 b46f bd14 E..(.........o..
    0x0010: ac10 c9c9 2203 1f90 23b1 79c0 0000 0000 ...."...#.y.....
    0x0020: 5002 05c8 e3b7 0000 0000 0000 0000 P.............
    01:55:04.511716 IP 39.65.237.157.10156 > 172.16.201.201.8080: S 1194565532:1194565532(0) win 1480
    0x0000: 4500 0028 e880 0000 fe06 4996 2741 ed9d E..(......I.'A..
    0x0010: ac10 c9c9 27ac 1f90 4733 9f9c 0000 0000 ....'...G3......
    0x0020: 5002 05c8 f155 0000 0000 0000 0000 P....U........
    01:55:04.522350 IP 119.115.113.83.8002 > 172.16.201.201.8080: R 1449166068:1449166068(0) ack 1 win 0
    0x0000: 4500 0028 2e47 0000 3406 f9e8 7773 7153 E..(.G..4...wsqS
    0x0010: ac10 c9c9 1f42 1f90 5660 84f4 0000 0001 .....B..V`......
    0x0020: 5014 0000 3708 0000 0000 0000 0000 P...7.........
    01:55:04.546348 IP 27.38.53.206.19385 > 172.16.201.201.8080: S 3372241407:3372241407(0) win 1480
    0x0000: 4500 0028 ed04 0000 fe06 08fd 1b26 35ce E..(.........&5.
    0x0010: ac10 c9c9 4bb9 1f90 c900 51ff 0000 0000 ....K.....Q.....
    0x0020: 5002 05c8 5d03 0000 0000 0000 0000 P...].........
    01:55:04.548370 IP 218.59.187.45.30950 > 172.16.201.201.8080: R 2916263863:2916263863(0) ack 1 win 0
    0x0000: 4500 0028 68ca 0000 2e06 18c3 da3b bb2d E..(h........;.-
    0x0010: ac10 c9c9 78e6 1f90 add2 a7b7 0000 0001 ....x...........
    0x0020: 5014 0000 b68b 0000 0000 0000 0000 P.............
    01:55:04.569272 IP 220.249.184.116.9025 > 172.16.201.201.8080: S 3974400993:3974400993(0) win 1480
    0x0000: 4500 0028 ee98 0000 fe06 c2ee dcf9 b874 E..(...........t
    0x0010: ac10 c9c9 2341 1f90 ece4 8be1 0000 0000 ....#A..........
    0x0020: 5002 05c8 e33a 0000 0000 0000 0000 P....:...…..


    sar命令查看每秒大概100多次攻击,暂时通过iptable封掉了一些ip段,只是缓解了一些服务器的压力,还是没法根本上解决问题。
    thekll
        4
    thekll  
    OP
       2014-07-19 13:39:45 +08:00
    @wzxjohn

    解析的数据包中含BitTorrent.protocol,这种攻击如何防范呢?
    ultimate010
        5
    ultimate010  
       2014-07-19 18:48:47 +08:00   ❤️ 1
    我前几天搞了个代理服务器,结果没设置限制,被代理网站爬到了,ip挂到网上,n多不知道来源的ip访问我的代理。后来发现后立刻关掉,一段时间内还是有大量ip访问。
    建议把ip放到谷歌搜索一下,说不定就再某个代理服务器网站上。
    thekll
        6
    thekll  
    OP
       2014-07-19 18:56:42 +08:00
    @ultimate010

    ip之前已搜索过,没发现什么问题。
    8080端口上跑了一个基于glassfish的java企业应用,完全没有任何吸引力的啊,为什么会被这么关照?
    ultimate010
        7
    ultimate010  
       2014-07-19 19:05:26 +08:00
    @thekll 有没有可能被误判为代理,然后被别人用了,换个非常用端口。
    luo362722353
        8
    luo362722353  
       2014-07-19 23:31:25 +08:00
    @ultimate010 我建议你写一些限制..不然成为公用就不好了
    izoabr
        9
    izoabr  
       2014-07-19 23:39:24 +08:00
    你的glassfinsh应该是建立长连接,然后就保持一个或几个连接就够的吧,你加个规则,源IP连接8080第一次握手限制一下,然后是每分钟连接数超过多少就丢到一个block池里去。
    ysjdx
        10
    ysjdx  
       2014-07-20 01:02:47 +08:00   ❤️ 1
    很明显 开放8080端口 被扫描器扫到(有些只扫描端口,不测试是不是代理) 然后挂到网上给别人当代理用了
    出现BitTorrent.protocol 是因为有人尝试用代理下载p2p文件


    以前被整过,后来直接换端口
    thekll
        11
    thekll  
    OP
       2014-07-20 01:42:00 +08:00
    @ysjdx

    我觉得还是P2P的DDoS攻击的可能性大一些,所有的包都会出现这样的数据:
    每隔约10秒种连续发起几次请求:
    01:34:08.375341 IP (tos 0x0, ttl 52, id 11617, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8146 > 172.16.201.201.8080: R, cksum 0xe0ed (correct), 68:68(0) ack 1 win 0
    0x0000: 4500 0028 2d61 0000 3406 026d dd0b 041d E..(-a..4..m....
    0x0010: ac10 c9c9 1fd2 1f90 3b74 3172 470d 848a ........;t1rG...
    0x0020: 5014 0000 e0ed 0000 0000 0000 0000 P.............
    01:34:08.634566 IP (tos 0x0, ttl 254, id 5929, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: S, cksum 0x87cc (correct), 872372089:872372089(0) win 1480
    0x0000: 4500 0028 1729 0000 fe06 4ea4 dd0b 041d E..(.)....N.....
    0x0010: ac10 c9c9 2043 1f90 33ff 5779 0000 0000 .....C..3.Wy....
    0x0020: 5002 05c8 87cc 0000 0000 0000 0000 P.............
    01:34:08.634613 IP (tos 0x0, ttl 254, id 5763, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: S, cksum 0x87cc (correct), 872372089:872372089(0) win 1480
    0x0000: 4500 0028 1683 0000 fe06 4f4a dd0b 041d E..(......OJ....
    0x0010: ac10 c9c9 2043 1f90 33ff 5779 0000 0000 .....C..3.Wy....
    0x0020: 5002 05c8 87cc 0000 0000 0000 0000 P.............
    01:34:08.635147 IP (tos 0x0, ttl 254, id 4579, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: ., cksum 0xdb9e (correct), 872372090:872372090(0) ack 1196319952 win 1480
    0x0000: 4500 0028 11e3 0000 fe06 53ea dd0b 041d E..(......S.....
    0x0010: ac10 c9c9 2043 1f90 33ff 577a 474e 64d0 .....C..3.WzGNd.
    0x0020: 5010 05c8 db9e 0000 0000 0000 0000 P.............
    01:34:08.659073 IP (tos 0x0, ttl 52, id 11713, offset 0, flags [none], proto: TCP (6), length: 40) 221.11.4.29.8259 > 172.16.201.201.8080: ., cksum 0xe1b1 (correct), 68:68(0) ack 1 win 65392
    0x0000: 4500 0028 2dc1 0000 3406 020d dd0b 041d E..(-...4.......
    0x0010: ac10 c9c9 2043 1f90 33ff 57be 474e 64d0 .....C..3.W.GNd.
    0x0020: 5010 ff70 e1b1 0000 0000 0000 0000 P..p..........
    01:34:08.841644 IP (tos 0x0, ttl 52, id 11732, offset 0, flags [none], proto: TCP (6), length: 108) 221.11.4.29.8259 > 172.16.201.201.8080: P, cksum 0xd7aa (correct), 0:68(68) ack 1 win 65392
    0x0000: 4500 006c 2dd4 0000 3406 01b6 dd0b 041d E..l-...4.......
    0x0010: ac10 c9c9 2043 1f90 33ff 577a 474e 64d0 .....C..3.WzGNd.
    0x0020: 5018 ff70 d7aa 0000 1342 6974 546f 7272 P..p.....BitTorr
    0x0030: 656e 7420 7072 6f74 6f63 6f6c 0000 0000 ent.protocol....
    0x0040: 0018 0005 3014 d66d 104e 0db3 a489 8180 ....0..m.N......
    0x0050: 3932 5623 1dd2 072c 2d58 4638 3731 302d 92V#...,-XF8710-
    0x0060: 7751 7164 6e34 6370 5076 4963 wQqdn4cpPvIc


    对p2p协议不是很了解,不知道这是不是p2p客户端重连机制?
    dndx
        12
    dndx  
       2014-07-20 05:03:04 +08:00
    这么多 SYN 包,难道是老掉牙的 SYN DDoS ?
    qiuai
        13
    qiuai  
       2014-07-20 09:12:37 +08:00
    可能某个基于8080端口的程序又出BUG了吧...比如说面板啊什么的...常用8080端口
    thekll
        14
    thekll  
    OP
       2014-07-20 14:42:58 +08:00
    @dndx
    没有SYN啊

    @qiuai
    从tcpdump的输出来看,应该是基于P2P的DDoS攻击。
    google发现UCLA的这篇论文提供了一种解决思路:由于p2p客户端攻击时要建立tcp连接,在握手数据包中会含有BT协议请求,此时 过滤掉它,这样就不能建立完整的tcp链路,然后采用SYN-cookie技术解决由此产生的SYN flood.
    http://oak.cs.ucla.edu/~sia/pub/cs239spring06.pdf

    正在尝试用这个办法解决。
    ultimate010
        15
    ultimate010  
       2014-07-20 22:29:07 +08:00
    @luo362722353 恩,被公用之后,我换了大号端口,限制了指定ip使用了。
    qiuai
        16
    qiuai  
       2014-07-21 08:26:31 +08:00
    @thekll 这个就没了解过了.
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   5306 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 26ms · UTC 09:00 · PVG 17:00 · LAX 01:00 · JFK 04:00
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.