RAW sockets and UDP flood attacks

To do UDP performance testing, the client has to blast UDP packets at the server so that you can see how the firewall and the operating system cope, so I looked into it.

Because a RAW socket can forge arbitrary IP packets, it is rather unsafe.

1. Windows XP SP2 and later forbid sending packets with a spoofed IP address. If you send from a source IP that is not bound to a local network interface, sendto fails with an error.
   Microsoft's official description is as follows:

Restricted traffic over raw sockets

Detailed description

A very small number of Windows applications make use of raw IP sockets, which provide an industry-standard way for applications to create TCP/IP packets with fewer integrity and security checks by the TCP/IP stack. The Windows implementation of TCP/IP still supports receiving traffic on raw IP sockets. However, the ability to send traffic over raw sockets has been restricted in two ways:

  • TCP data cannot be sent over raw sockets.

  • UDP datagrams with invalid source addresses cannot be sent over raw sockets. The IP source address for any outgoing UDP datagram must exist on a network interface or the datagram is dropped.

Why is this change important? What threats does it help mitigate?

This change limits the ability of malicious code to create distributed denial-of-service attacks and limits the ability to send spoofed packets, which are TCP/IP packets with a forged source IP address.

2. However, XP, 2000 and 2003 all support sending packets with a forged source IP. Using this principle one could even build a UDP flood attack. On an old server with a 100 Mbps link, a C++ implementation reached 30,000 PPS, that is 30,000 packets per second, which used roughly 50 Mbps of bandwidth.

3. Whether this method can simulate a DDoS attack by emulating the TCP stack to establish TCP connections, I have not tested; interested readers can try it themselves.
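The defender's side of the flood described in point 2, as an added example that is not part of the original post: a small Python detector that buckets UDP packets into one-second windows per destination, flags windows whose packet rate exceeds a threshold, and reports how many distinct source addresses appeared, since a raw-socket flood with forged sources shows almost one source per packet. The packet records, the 1000 pps threshold and the source addresses are constructed assumptions.

```python
from collections import defaultdict

PPS_THRESHOLD = 1000  # assumption: alert when one destination sees more UDP pps than this


def udp_flood_windows(packets, pps_threshold=PPS_THRESHOLD):
    """Bucket UDP packets into 1-second windows per destination address.

    packets: iterable of (timestamp_seconds, src_ip, dst_ip, proto).
    Returns one alert dict per window whose packet count exceeds the threshold.
    """
    windows = defaultdict(lambda: {"count": 0, "sources": set()})
    for ts, src, dst, proto in packets:
        if proto != "udp":
            continue  # TCP and other protocols are out of scope here
        stats = windows[(dst, int(ts))]
        stats["count"] += 1
        stats["sources"].add(src)

    alerts = []
    for (dst, window), stats in sorted(windows.items()):
        if stats["count"] <= pps_threshold:
            continue
        distinct = len(stats["sources"])
        alerts.append({
            "dst": dst,
            "window": window,
            "pps": stats["count"],
            "distinct_sources": distinct,
            # Forged-source floods show nearly one source per packet; a real
            # client population repeats the same sources many times over.
            "spoof_suspected": distinct > stats["count"] // 2,
        })
    return alerts


def constructed_sample():
    """Constructed records: 3 s of light DNS-like traffic plus a one-second
    burst of 3000 forged-source UDP packets landing in second 1."""
    packets = []
    for sec in range(3):
        for i in range(5):
            packets.append((sec + i * 0.1, "10.0.0.%d" % (i + 1), "10.0.0.53", "udp"))
            packets.append((sec + i * 0.1, "10.0.0.%d" % (i + 1), "10.0.0.80", "tcp"))
    for i in range(3000):
        forged_src = "198.51.%d.%d" % (i // 254, i % 254 + 1)  # constructed, all distinct
        packets.append((1.0 + i / 3000.0, forged_src, "10.0.0.53", "udp"))
    return packets


if __name__ == "__main__":
    for alert in udp_flood_windows(constructed_sample()):
        print(alert)
```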
