What are the possible forms of a DDoS attack?

I asked a question like this a while ago. I set up a server that hosts my website, DNS and a few game servers. But when I check the router's firewall log, a lot of incoming UDP packets to the same port are being blocked. This is what it looks like. Note that the ports are not normal ones and are neither open nor in use.

[INFO] Sat Aug 25 21:25:09 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:25:05 2012 Blocked incoming UDP packet from 186.227.20.17:21401 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:25:05 2012 Blocked incoming UDP packet from 117.203.8.239:14090 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:25:03 2012 Blocked incoming UDP packet from 77.35.1.215:49001 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:24:53 2012 Blocked incoming UDP packet from 90.180.165.121:10011 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:51 2012 Blocked incoming UDP packet from 190.51.167.28:22486 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:24:45 2012 Blocked incoming UDP packet from 159.224.93.23:25946 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:24:44 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:43 2012 Blocked incoming UDP packet from 62.63.214.200:62348 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:40 2012 Blocked incoming UDP packet from 43.244.112.201:45811 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:24:30 2012 Blocked incoming UDP packet from 78.8.169.255:1236 to 84.234.160.79:28018
[INFO] Sat Aug 25 21:24:30 2012 Blocked incoming UDP packet from 91.205.238.31:16672 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:24:29 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:19 2012 Blocked incoming UDP packet from 213.115.74.42:50839 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:13 2012 Blocked incoming UDP packet from 142.68.127.231:40886 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:24:09 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:59 2012 Blocked incoming UDP packet from 87.14.231.178:21360 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:56 2012 Blocked incoming UDP packet from 109.202.150.81:53385 to 84.234.160.79:28018
[INFO] Sat Aug 25 21:23:54 2012 Blocked incoming UDP packet from 83.183.5.227:53786 to 84.234.160.79:28015
[INFO] Sat Aug 25 21:23:53 2012 Blocked incoming UDP packet from 1.228.6.35:29826 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:23:49 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:42 2012 Blocked incoming UDP packet from 109.202.150.81:53371 to 84.234.160.79:28018
[INFO] Sat Aug 25 21:23:41 2012 Blocked incoming UDP packet from 84.90.108.176:49686 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:39 2012 Blocked incoming UDP packet from 186.178.118.94:10063 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:38 2012 Blocked incoming UDP packet from 217.122.204.212:41446 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:36 2012 Blocked incoming UDP packet from 82.33.127.120:18441 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:35 2012 Blocked incoming UDP packet from 81.19.46.234:1183 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:23:33 2012 Blocked incoming UDP packet from 94.69.159.219:63959 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:31 2012 Blocked incoming UDP packet from 83.68.239.193:21808 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:29 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:22 2012 Blocked incoming UDP packet from 109.202.150.81:53370 to 84.234.160.79:28018
[INFO] Sat Aug 25 21:23:21 2012 Blocked incoming UDP packet from 188.27.241.206:55403 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:20 2012 Blocked incoming UDP packet from 189.24.110.248:61712 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:23:13 2012 Blocked incoming UDP packet from 96.50.2.51:15432 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:09 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:23:03 2012 Blocked incoming UDP packet from 37.128.216.210:57785 to 84.234.160.79:28018
[INFO] Sat Aug 25 21:22:58 2012 Blocked incoming UDP packet from 115.37.98.215:24347 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:22:50 2012 Blocked incoming UDP packet from 23.24.147.209:28970 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:22:47 2012 Blocked incoming UDP packet from 86.11.74.217:45682 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:22:46 2012 Blocked incoming UDP packet from 201.249.81.218:42176 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:22:44 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:22:41 2012 Blocked incoming UDP packet from 78.36.218.169:25903 to 84.234.160.79:14953
[INFO] Sat Aug 25 21:22:24 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767
[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58771 to 84.234.160.79:80 as RST:ACK received but there is no active connection
[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58775 to 84.234.160.79:80 as RST:ACK received but there is no active connection
[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58776 to 84.234.160.79:80 as RST:ACK received but there is no active connection
[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58777 to 84.234.160.79:80 as RST:ACK received but there is no active connection
[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58769 to 84.234.160.79:80 as RST:ACK received but there is no active connection
[INFO] Sat Aug 25 21:22:19 2012 Blocked incoming UDP packet from 201.80.163.51:40668 to 84.234.160.79:61767

The common blocked port is "61767", and it started with "14953". And it keeps coming; there is much more of this in the log than shown here. What should I do? The ports open for services are 1996: Remote Desktop, 143: imap, 110: pop3, 25: smtp, 80: http, 443: https, 53: dns. And for the game server ports, I run an Srcds server for Team Fortress 2, so I opened the range 27000-27900. So what should I do? It has been coming since yesterday; why? I don't know.


I captured one UDP packet on UDP 61767.

00000000  64 31 3A 61 64 32 3A 69  64 32 30 3A 77 97 D9 57   d1:ad2:i d20:w..W 
00000010  FD 9B 37 AD 46 7A 55 32  C8 81 04 A7 36 D9 CE E1   ..7.FzU2 ....6... 
00000020  36 3A 74 61 72 67 65 74  32 30 3A 77 9D 1A BA E9   6:target 20:w.... 
00000030  FF 51 96 85 6E 0A 7C A6  FA 59 C0 69 40 37 36 65   .Q..n.|. .Y.i@76e 
00000040  31 3A 71 39 3A 66 69 6E  64 5F 6E 6F 64 65 31 3A   1:q9:fin d_node1: 
00000050  74 34 3A F2 0A 00 00 31  3A 76 34 3A 55 54 40 76   t4:....1 :v4:UT@v 
00000060  31 3A 79 31 3A 71 65                               1:y1:qe

Packet 2

00000000  64 31 3A 61 64 32 3A 69  64 32 30 3A A4 C6 64 B6   d1:ad2:i d20:..d. 
00000010  60 41 16 2E 34 E3 71 0F  34 4B DE 45 DB 27 BE E4   `A..4.q. 4K.E.'.. 
00000020  39 3A 69 6E 66 6F 5F 68  61 73 68 32 30 3A 77 9D   9:info_h ash20:w. 
00000030  1C A3 5B C9 67 67 97 1B  4D 4D D0 82 98 5F B8 6B   ..[.gg.. MM..._.k 
00000040  B2 7F 36 3A 6E 6F 73 65  65 64 69 31 65 36 3A 73   .6:nose edi1e6:s 
00000050  63 72 61 70 65 69 31 65  34 3A 77 61 6E 74 6C 32   crapei1e 4:wantl2 
00000060  3A 6E 34 32 3A 6E 36 65  65 31 3A 71 39 3A 67 65   :n42:n6e e1:q9:ge 
00000070  74 5F 70 65 65 72 73 31  3A 74 32 3A D8 B2 31 3A   t_peers1 :t2:..1: 
00000080  76 34 3A 5A 6F 00 06 31  3A 79 31 3A 71 65         v4:Zo..1 :y1:qe


Posted 02:24 am UTC + 01:00: It seems to be over, so I'm glad if it has stopped.
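The router log above is easier to reason about once it is aggregated by destination port and source. The following script is an added example (mine, not code from the poster): it parses lines in the exact format shown, counts blocked packets per protocol and destination port, flags destination ports that are not in the list of intentionally open ports from the question, and picks out sources that hit the host repeatedly. The regex and the allowed-port set are assumptions derived from the log format and the port list in the question; the sample lines are a verbatim subset of the posted log.

```python
"""Summarise router 'Blocked incoming ... packet' lines by destination port and source.

Added example, not from the original post. LINE_RE and ALLOWED_PORTS are
assumptions based on the log format and the open ports the poster listed.
"""
import re
from collections import Counter
from datetime import datetime

# A subset of the log lines from the question, copied verbatim.
SAMPLE_LOG = [
    "[INFO] Sat Aug 25 21:25:09 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767",
    "[INFO] Sat Aug 25 21:25:05 2012 Blocked incoming UDP packet from 186.227.20.17:21401 to 84.234.160.79:14953",
    "[INFO] Sat Aug 25 21:25:05 2012 Blocked incoming UDP packet from 117.203.8.239:14090 to 84.234.160.79:14953",
    "[INFO] Sat Aug 25 21:25:03 2012 Blocked incoming UDP packet from 77.35.1.215:49001 to 84.234.160.79:14953",
    "[INFO] Sat Aug 25 21:24:53 2012 Blocked incoming UDP packet from 90.180.165.121:10011 to 84.234.160.79:61767",
    "[INFO] Sat Aug 25 21:24:51 2012 Blocked incoming UDP packet from 190.51.167.28:22486 to 84.234.160.79:14953",
    "[INFO] Sat Aug 25 21:24:45 2012 Blocked incoming UDP packet from 159.224.93.23:25946 to 84.234.160.79:14953",
    "[INFO] Sat Aug 25 21:24:44 2012 Blocked incoming UDP packet from 176.212.55.166:49001 to 84.234.160.79:61767",
    "[INFO] Sat Aug 25 21:22:21 2012 Blocked incoming TCP packet from 86.100.65.148:58771 to 84.234.160.79:80 as RST:ACK received but there is no active connection",
]

# Ports the poster says are intentionally open (assumption: taken from the question text).
ALLOWED_PORTS = {1996, 143, 110, 25, 80, 443, 53} | set(range(27000, 27901))

# Matches the router's block records; the trailing "as <reason>" part is optional (TCP lines only).
LINE_RE = re.compile(
    r"^\[\w+\] (?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"Blocked incoming (?P<proto>UDP|TCP) packet from "
    r"(?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?: as (?P<reason>.*))?$"
)


def parse_line(line):
    """Return a dict for one firewall block record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
        "proto": m["proto"],
        "src": m["src"],
        "sport": int(m["sport"]),
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "reason": m["reason"],
    }


def summarize(lines, allowed_ports=ALLOWED_PORTS):
    """Count blocked packets per (proto, dst port); find repeating sources and unexpected ports."""
    events = [e for e in map(parse_line, lines) if e is not None]
    by_port = Counter((e["proto"], e["dport"]) for e in events)
    by_src = Counter(e["src"] for e in events)
    # The same source IP (and here the same source port) hitting the same destination
    # port over and over looks like a client retrying a request, not a one-off scan.
    repeat_sources = {src: n for src, n in by_src.items() if n > 1}
    unexpected_ports = {dport for (_, dport) in by_port if dport not in allowed_ports}
    return {
        "total": len(events),
        "by_port": dict(by_port),
        "repeat_sources": repeat_sources,
        "unexpected_ports": unexpected_ports,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for (proto, port), n in sorted(s["by_port"].items(), key=lambda kv: -kv[1]):
        flag = "" if port in ALLOWED_PORTS else "  <- not a port you opened"
        print(f"{proto}/{port}: {n}{flag}")
    print("repeating sources:", s["repeat_sources"])
```

Run it on the full log (one line per list entry) to get the per-port totals; on the subset embedded here it reports 14953 and 61767 as the only unexpected destination ports and 176.212.55.166 as the one source that repeats.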

Answer 1

That looks like BitTorrent peer query traffic.

Your system may have been registered with a tracker. Is it possible that a BitTorrent client is running on the machine (or on something behind it via NAT)?

By the way, the hash of the file the system is requesting is in the second packet. I'll leave finding out which file it is as an exercise for the reader.
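The two hex dumps in the question are bencoded BitTorrent DHT (KRPC, BEP 5) queries, which is what the answer is pointing at. The script below is an added example (mine, not the answerer's code): a small bencode decoder plus a KRPC summariser that shows the query names (`find_node`, `get_peers`), the transaction ids, the client version tags, and the 20-byte `info_hash` the answer refers to. The byte strings are transcribed from the hex dumps in the question; everything else is my own code.

```python
"""Decode the two captured UDP payloads as bencoded BitTorrent DHT (KRPC) queries.

Added example, not part of the original answer. The decoder and summary are my
own; PACKET_1 and PACKET_2 are transcribed from the hex dumps in the question.
"""

# Packet 1 from the question (103 bytes), a DHT find_node query.
PACKET_1 = bytes.fromhex(
    "64 31 3A 61 64 32 3A 69 64 32 30 3A 77 97 D9 57 "
    "FD 9B 37 AD 46 7A 55 32 C8 81 04 A7 36 D9 CE E1 "
    "36 3A 74 61 72 67 65 74 32 30 3A 77 9D 1A BA E9 "
    "FF 51 96 85 6E 0A 7C A6 FA 59 C0 69 40 37 36 65 "
    "31 3A 71 39 3A 66 69 6E 64 5F 6E 6F 64 65 31 3A "
    "74 34 3A F2 0A 00 00 31 3A 76 34 3A 55 54 40 76 "
    "31 3A 79 31 3A 71 65"
)

# Packet 2 from the question (142 bytes), a DHT get_peers query carrying an info_hash.
PACKET_2 = bytes.fromhex(
    "64 31 3A 61 64 32 3A 69 64 32 30 3A A4 C6 64 B6 "
    "60 41 16 2E 34 E3 71 0F 34 4B DE 45 DB 27 BE E4 "
    "39 3A 69 6E 66 6F 5F 68 61 73 68 32 30 3A 77 9D "
    "1C A3 5B C9 67 67 97 1B 4D 4D D0 82 98 5F B8 6B "
    "B2 7F 36 3A 6E 6F 73 65 65 64 69 31 65 36 3A 73 "
    "63 72 61 70 65 69 31 65 34 3A 77 61 6E 74 6C 32 "
    "3A 6E 34 32 3A 6E 36 65 65 31 3A 71 39 3A 67 65 "
    "74 5F 70 65 65 72 73 31 3A 74 32 3A D8 B2 31 3A "
    "76 34 3A 5A 6F 00 06 31 3A 79 31 3A 71 65"
)


def bdecode(data, pos=0):
    """Parse one bencoded value at pos; return (value, position after it).

    Byte strings come back as bytes, integers as int, lists as list, dicts as dict
    with bytes keys. Truncated or malformed input raises ValueError.
    """
    c = data[pos:pos + 1]
    if c == b"i":                                  # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                                  # list: l<items>e
        items, pos = [], pos + 1
        while data[pos:pos + 1] != b"e":
            item, pos = bdecode(data, pos)
            items.append(item)
        return items, pos + 1
    if c == b"d":                                  # dict: d<key><value>...e
        result, pos = {}, pos + 1
        while data[pos:pos + 1] != b"e":
            key, pos = bdecode(data, pos)
            if not isinstance(key, bytes):
                raise ValueError("bencode dict key must be a byte string")
            result[key], pos = bdecode(data, pos)
        return result, pos + 1
    if c.isdigit():                                # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError("truncated byte string")
        return data[start:start + length], start + length
    raise ValueError(f"bad bencode at offset {pos}")


def parse_krpc(payload):
    """Summarise a KRPC query: message type, query name, ids and any hashes it carries."""
    msg, end = bdecode(payload)
    if end != len(payload):
        raise ValueError("trailing bytes after bencoded message")
    if not isinstance(msg, dict) or msg.get(b"y") != b"q":
        raise ValueError("not a KRPC query")
    args = msg.get(b"a", {})
    summary = {
        "query": msg[b"q"].decode("ascii"),
        "transaction_id": msg[b"t"].hex(),
        "client_version": msg.get(b"v", b""),   # 4-byte client tag, e.g. b"UT@v"
        "node_id": args[b"id"].hex(),           # 160-bit DHT node id of the sender
    }
    if b"target" in args:                       # find_node: node id being looked up
        summary["target"] = args[b"target"].hex()
    if b"info_hash" in args:                    # get_peers: torrent info_hash being looked up
        summary["info_hash"] = args[b"info_hash"].hex()
    # Any other argument keys are protocol extensions (here: want, scrape, noseed).
    summary["extension_keys"] = sorted(
        k.decode("ascii") for k in args if k not in (b"id", b"target", b"info_hash")
    )
    return summary


if __name__ == "__main__":
    for name, pkt in (("packet 1", PACKET_1), ("packet 2", PACKET_2)):
        print(name, parse_krpc(pkt))
```

Packet 2 decodes as a `get_peers` query, so the `info_hash` field is the hash the answer says to go look up. The extra keys `want` (BEP 32) and `scrape`/`noseed` (BEP 33) are DHT extensions and do not change that reading. Note also that the `find_node` target in packet 1 and the `info_hash` in packet 2 both begin with `77 9d`; in a Kademlia-style DHT, queries are sent to nodes whose ids are close to the target, which is consistent with this host having recently participated in the DHT with a node id near that prefix.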
