Sisteminize yapılan DDoS ataklarına karşı yararlanabileceğiniz programlardan biri ZombieZapper isimli programdır. Programın kaynak kodu aşağıda verilmiştir. Ayrıca programı
http://www.razor.bindview.com adresinden download edebilirsiniz.
ZombieZapper, zombie kurulmuş sistemlerden kaynaklanan yoğun trafiğin durdurulması için kullanılmaktadır. Bu programın Trinioo, TFN, Stacheldraht, Trinioo for Windows ve Shaft DDoS araclarına karşı etkili olduğu belirtiliyor. ZombieZapper yazarları network yöneticilerinin bu programı kullanarak kendi network'lerinden veya dışarıdaki bir sistemden kaynaklanan flood saldırılarının tespit edilip, durdurulabileceği belirtilmekte.
/*
* zombie_zapper - distributed dos killer
* written by Simple Nomad <
[email protected]>
* Requirements: L****t 1.0 or higher (
http://www.packetfactory.net/l****t/)
* Compilation instructions:
* gcc `l****t-config --defines` -o zz zz.c -lnet
* Tested on RedHat, Slackware, but should work most places that l****t compiles
* and installs properly.
* Suggested usages:
* zz -a 1 -v 192.168.1.1
* (stops trinoo daemon at 192.168.1.1 from flooding, uses verbose mode)
* zz -u 80 -c 192.168.1.0
* (stops trinoo, tfn, stach, troj_trinoo on 192.168.1 network from
* flooding, udp source port of 80 is being used)
* zz -a 5 -m
www.whitehouse.gov -s 10.10.10.10 192.168.1.1
* (stops a shaft agent at 192.168.1.1 from flooding
www.whitehouse.gov
* using a forged source address of 10.10.10.10)
* Shouts to my homies on BindView's RAZOR team for all the help with this!
*/
#include <l****t.h>
int timer;
/*
* Based off of icmpquery, chain structs to store host names.
*/
struct hosts
{
char *hostname;
u_long hostaddr;
struct hosts *next;
};
struct hosts *hostnames;
struct hosts *hosttail;
/*
* Build the targets
*/
void build_target(char *host, u_long ip_addr)
{
if (hostnames == NULL)
{
hostnames = (struct hosts *) malloc(sizeof(*hostnames));
if (hostnames == NULL)
{
perror("hostnames malloc failed");
exit(-1);
}
hosttail = hostnames;
}
else
{
hosttail->next = (struct hosts *) malloc(sizeof(*hostnames));
if (hosttail->next == NULL)
{
perror("hosttail->next malloc failed");
exit(-1);
}
hosttail = hosttail->next;
}
hosttail->hostname = strdup(host);
if (hosttail->hostname == NULL)
{
perror("strdup failed");
exit(-1);
}
hosttail->hostaddr = ip_addr;
hosttail->next = NULL;
}
/*
* Build a class C of targets
*/
void build_class_c(u_long dst_ip)
{
int i;
u_long class_c_ips[256];
union
{
struct in_addr addr;
ulong temp_ip;
} ip;
for (i = 0; i < 256; i++)
{
class_c_ips[i] = htonl(dst_ip) + i;
class_c_ips[i] = htonl(class_c_ips[i]);
ip.temp_ip = class_c_ips[i];
build_target(inet_ntoa(ip.addr),ip.temp_ip);
}
}
/*
* Process the targets, resolve the hosts, set up the chain
*/
void process_targets(char **hostlist, int verbose)
{
int i;
u_long tmpaddr;
for (i = 0; hostlist[i]; i++)
{
tmpaddr = l****t_name_resolve(hostlist[i], L****T_RESOLVE);
/*
* if a "local" hostname is given it could "resolve" to a
* broadcast address if the local host is not set up properly,
* so we need to make sure we grab it and not send the packet
*/
if ((tmpaddr == 0xffffffff) || (tmpaddr == -1))
{
if (verbose) printf("%s not resolved\n",hostlist[i]);
continue;
};
build_target(hostlist[i],tmpaddr);
}
}
void caughtsig(int sig)
{
timer = 0;
return;
}
/*
* build and send the icmp packets
*/
void send_packets(u_long src_ip, char *my_host, u_short sport, int antitype, int flood, int verbose)
{
int packet_size, network, i, p, count, data_len = 0;
u_char *packet;
u_short header, id, dport;
u_char proto;
char data[87],sbuf[87];
u_long dst_ip;
struct hosts *list;
for (p=0;p<87;p++) data[p] = 0;
switch (antitype)
{
case 1: /* Trinoo */
sprintf(sbuf,"d1e l44adsl d1e");
header = L****T_UDP_H;
id = 41072;
dport = 27444;
proto = IPPROTO_UDP;
break;
case 2: /* TFN */
sprintf(sbuf,"12345");
header = L****T_ICMP_ECHO_H;
id = 567;
proto = IPPROTO_ICMP;
break;
case 3: /* Stacheldraht */
header = L****T_ICMP_ECHO_H;
id = 3;
proto = IPPROTO_ICMP;
break;
case 4: /* Troj_Trinoo */
sprintf(sbuf,"d1e []..Ks l44");
header = L****T_UDP_H;
id = 41072;
dport = 34555;
proto = IPPROTO_UDP;
break;
case 5: /* Shaft, part one */
sprintf(sbuf,"alive tijgu hi 5 2621");
header = L****T_UDP_H;
id = 41072;
dport = 18753;
proto = IPPROTO_UDP;
break;
case 0: /* Shaft, part two */
sprintf(sbuf,"end tijgu %s 5 2621",my_host);
header = L****T_UDP_H;
id = 41072;
dport = 18753;
proto = IPPROTO_UDP;
break;
}
if (antitype != 3) /* no payload for stach required */
{
data_len = strlen(sbuf);
for (p=0;p<data_len;p++) data[p] = sbuf[p];
if (verbose) printf(" Payload is \"%s\"\n Data length of %d\n",data,data_len);
}
else if (verbose) printf(" Payload is NULL\n Data length of 0\n");
count = 0;
/* compute packet size */
packet_size = L****T_IP_H + header + data_len;
if (verbose) printf(" Packet size is %d\n",packet_size);
/* get mem for packet */
l****t_init_packet(packet_size, &packet);
if (packet == NULL)
{
l****t_error(L****T_ERR_FATAL, "unable to init packet mem\n");
}
/* get network ready */
network = l****t_open_raw_sock(IPPROTO_RAW);
if (network == -1)
{
l****t_error(L****T_ERR_FATAL, "unable to open network for sending\n");
}
list = hostnames;
/* main sending loop */
while (list != NULL)
{
/* get the target address */
dst_ip = list->hostaddr;
/* build target section */
switch (proto)
{
case IPPROTO_ICMP:
l****t_build_icmp_echo(ICMP_ECHOREPLY,0,id,0,data, data_len,packet + L****T_IP_H);
break;
case IPPROTO_UDP:
l****t_build_udp(sport,dport,data,data_len,packet + L****T_IP_H);
break;
}
/* build IP section */
l****t_build_ip(header,0,id,0,64,proto,src_ip,dst_ ip,NULL,0,packet);
timer = 1;
signal(SIGALRM, caughtsig);
alarm(flood);
while(timer)
{
/* send the packet */
i = l****t_write_ip(network, packet, packet_size);
if (i == -1)
{
l****t_error(L****T_ERR_FATAL, "failed to write to network\n");
}
if (i < packet_size)
{
l****t_error(L****T_ERR_FATAL, "only wrote %d bytes\n", i);
}
if (verbose == 2)
{
printf("Sent %d bytes for %s\n", i, list->hostname);
}
count++;
/*
* 1/10 sec delay between packets to prevent overflowing the local
* interface
*/
usleep(10000);
}
/* get next address, or NULL if done */
list = list->next;
}
/* clean things up */
if (l****t_close_raw_sock(network) == -1)
{
l****t_error(L****T_ERR_WARNING, "couldn't close the interface after sending");
}
l****t_destroy_packet(&packet);
if (verbose) printf(" %d packets sent in %d seconds\n",count,flood);
}
/*
* usage
*/
void usage(char *prog)
{
fprintf(stderr,"USAGE:\n");
fprintf(stderr,"%s [-a 0-5] [-c class C] [-d dev] [-h] [-m host] [-s src] [-u udp] [-v] hosts\n\n",prog);
fprintf(stderr," -a antiddos type to kill:\n");
fprintf(stderr," 0 types 1-4 (default)\n");
fprintf(stderr," 1 trinoo\n");
fprintf(stderr," 2 tfn\n");
fprintf(stderr," 3 stacheldraht\n");
fprintf(stderr," 4 trinoo on Windows\n");
fprintf(stderr," 5 shaft (requires you use the -m option)\n");
fprintf(stderr," -c class C in x.x.x.0 form\n");
fprintf(stderr," -f time in seconds to send packets (default 1)\n");
fprintf(stderr," -d grab local IP from dev (default eth0)\n");
fprintf(stderr," -h this help screen\n");
fprintf(stderr," -m my host being flooded (used with -a 5 above, only one host)\n");
fprintf(stderr," -s spoofed source address (just in case)\n");
fprintf(stderr," -u UDP source port for trinoo (default 53)\n");
fprintf(stderr," -v verbose mode (use twice for more verbosity)\n");
fprintf(stderr," host(s) are target hosts (ignored if using -c)\n");
fprintf(stderr,"\n");
}
int main(int argc, char **argv)
{
char *prog;
extern char *optarg;
extern int optind;
extern int optopt;
extern int opterr;
char ch;
int spoof = 0, verbose = 0, setdev = 0;
int antitype = 0, class_c = 0, shaft = 0;
int flood = 1;
u_long src_ip;
char *my_host;
u_long dst_ip = 0;
u_long class_c_ip;
u_short sport = 53;
u_long CLASS_C_MASK = 0x00ffffff;
char *data[18];
char *dev;
struct l****t_link_int *l;
u_char *ebuf;
prog = argv[0];
dev = "eth0";
printf("Zombie Zapper v1.2 - DDoS killer\n");
printf("Bugs/comments to
[email protected]\n");
printf("More info and free tools at
http://razor.bindview.com\n");
printf("Copyright (c) 2000 BindView Development\n\n");
if(getuid()!=0)
{
fprintf(stderr, "=== You must be root to run %s!\n", prog);
exit(-1);
}
while ((ch = getopt(argc, argv, "hvc:a:m:s:d:u:f:")) != EOF)
switch(ch)
{
case 'c':
dst_ip = l****t_name_resolve(optarg, L****T_RESOLVE);
if (dst_ip == -1)
{
printf("=== Invalid class C %s\n", optarg);
usage(prog);
exit(-1);
}
/* get the last part of the address */
class_c_ip = ((dst_ip | CLASS_C_MASK) - CLASS_C_MASK);
/* if it is not zero make it zero */
if(class_c_ip) dst_ip = dst_ip ^ class_c_ip;
class_c = 1;
break;
case 'd':
dev = optarg;
setdev = 1;
break;
case 'f':
flood = (int) strtol(optarg, NULL, 10);
if (flood < 1) flood = 1;
if (flood > 360) flood = 360;
break;
case 'h':
usage(prog);
exit(0);
case 'a':
antitype = (int) strtol(optarg, NULL, 10);
break;
case 'm':
if (!(l****t_name_resolve(optarg, L****T_RESOLVE)))
{
fprintf(stderr,"=== Unable to resolve hostname,\n");
fprintf(stderr,"=== try using the IP address\n");
usage(prog);
exit(-1);
}
if (strlen(optarg) > 70)
{
fprintf(stderr,"=== Very long hostname, try using just an\n");
fprintf(stderr,"=== IP address.\n");
usage(prog);
exit(-1);
}
my_host = optarg;
shaft = 1;
break;
case 's':
if (!(src_ip = l****t_name_resolve(optarg, L****T_RESOLVE)))
{
fprintf(stderr,"=== Unable to resolve source host,\n");
fprintf(stderr,"=== try spoofing with an IP address\n");
usage(prog);
exit(-1);
}
spoof = 1;
break;
case 'u':
sport = (int) strtol(optarg, NULL, 10);
break;
case 'v':
verbose++;
if (verbose > 2) verbose = 2;
break;
default:
usage(prog);
exit(-1);
}
argc -= optind;
argv += optind;
/* post arg processing */
if ((!class_c) && (!argv[0] || !strlen(argv[0])))
{
fprintf(stderr,"=== You must specify target(s) or a class C to send to\n");
usage(prog);
exit(-1);
}
if ((setdev) && (spoof))
{
fprintf(stderr, "=== You cannot specify a device for a source IP address\n");
fprintf(stderr, "=== and spoof your source IP address at the same time.\n");
usage(prog);
exit(-1);
}
if (antitype > 5 || antitype < 0)
{
fprintf(stderr,"=== Invalid or unsupported antiddos type\n");
usage(prog);
exit(-1);
}
if (antitype == 5 && (!shaft))
{
fprintf(stderr,"=== You must specify a host with the -m option when using\n");
fprintf(stderr,"=== the -a option of 5\n");
usage(prog);
exit(-1);
}
if (!spoof)
{
src_ip = l****t_get_ipaddr(l, dev, ebuf);
if ((src_ip == -1) || (src_ip == 0))
{
fprintf(stderr, "=== Grabbing address from %s failed,\n",dev);
fprintf(stderr, "=== try a different device.\n");
usage(prog);
exit(-1);
}
src_ip = htonl(src_ip);
}
/* end post arg processing */
if (verbose)
{
printf("Sending packets to stop these possible daemons from flooding\n\n");
switch(antitype)
{
case 0:
printf("\tTrinoo, TFN, Stacheldraht, Troj_Trinoo\n\n");
break;
case 1:
printf("\tTrinoo\n\n");
break;
case 2:
printf("\tTFN\n\n");
break;
case 3:
printf("\tStacheldraht\n\n");
break;
case 4:
printf("\tTroj_Trinoo\n\n");
break;
case 5:
printf("\tShaft\n\n");
break;
}
}
/* build a class C full of addresses */
if (class_c) build_class_c(dst_ip);
/* build target chain and get a count */
else process_targets(argv, verbose);
if (antitype == 0 || antitype == 1)
{
if (verbose) printf("Building anti-Trinoo packets\n");
send_packets(src_ip,NULL,sport,1,flood,verbose);
}
if (antitype == 0 || antitype == 2)
{
if (verbose) printf("Building anti-TFN packets\n");
send_packets(src_ip,NULL,sport,2,flood,verbose);
}
if (antitype == 0 || antitype == 3)
{
if (verbose) printf("Building anti-Stacheldraht packets\n");
send_packets(src_ip,NULL,sport,3,flood,verbose);
}
if (antitype == 0 || antitype == 4)
{
if (verbose) printf("Building anti-Troj_Trinoo packets\n");
send_packets(src_ip,NULL,sport,4,flood,verbose);
}
if (antitype == 5)
{
if (verbose) printf("Building first set of anti-Shaft packets\n");
send_packets(src_ip,NULL,sport,5,flood,verbose);
if (verbose) printf("Building second set of anti-Shaft packets\n");
send_packets(src_ip,my_host,sport,0,flood,verbose) ;
}
if (verbose) printf("Complete\n");
exit(0);
}
Kaynaklar
http://www.networkmagazine.com
http://razor.bindview.com
http://staff.washington.edu/dittrich/misc/ddos
http://packetstormsecurity.org/distributed