Constructing a spoofed-source-address attack in OpenStack

The previous post covered the defensive side; this one briefly describes how a DoS attack with a spoofed source IP is launched under OpenStack.
1 Modify the iptables and ebtables settings. For example, if the attacking VM is 100.0.0.17, look up the corresponding iptables rules:

neutron port-list |grep 17
| 091f121f-8cd7-4a02-b1d8-53866ab25d3d |      | fa:16:3e:f7:9d:70 | {"subnet_id": "57b30eb5-e9ee-489f-85ea-77bcaa6249e5", "ip_address": "100.0.0.17"}     |

In iptables, find the chains containing 091f121f-8: neutron-openvswi-s091f121f-8, neutron-openvswi-i091f121f-8, neutron-openvswi-o091f121f-8, and the nova-instance-xxx chain (the one belonging to this VM), and insert an ACCEPT rule at the top of each, where it takes precedence over everything else.

In the ebtables nat table, find the chains for 091f121f-8: I-tap091f121f-8c-arp-ip and I-tap091f121f-8c-ipv4-ip, and insert an ACCEPT rule at the top of each as well.

2 Install Ruby and download pentibox.

3 Start pentibox and choose Network tools -> Net DoS Tester -> any one of the testers to launch the attack.

If traffic still does not get through after the rules from step 1 have been added, check whether the security groups of the source and destination hosts allow it.

Below is a script I wrote; I hope it is useful to others.

#!/bin/bash
# Usage: ./script.sh <vm-ip>
# Looks up the Neutron port that owns the given IP and puts an unconditional
# ACCEPT at the top of that port's anti-spoofing chains in iptables and
# ebtables (the chains named in steps 1 above).

ip=$1
echo "$ip"
# UUID of the Neutron port that owns this IP
id=$(neutron port-list | grep "$ip" | awk '{print $2}')
echo "$id"
if [ -z "$id" ]
then
    echo "id null"
    exit 1
fi
# iptables chain names carry the first 10 characters of the port id,
# ebtables chain names the first 11 (the tap device name)
itid=$(expr substr "$id" 1 10)
echo "$itid"
etid=$(expr substr "$id" 1 11)
echo "$etid"

# name of the nova-instance-xxx chain that references this VM's IP
novarule=$(iptables -L -nvx | grep "$ip" | grep nova | awk '{print $3}')
echo "$novarule"
#clear previous rules
iptables -D neutron-openvswi-s"$itid" -j ACCEPT
iptables -D neutron-openvswi-i"$itid" -j ACCEPT
iptables -D neutron-openvswi-o"$itid" -j ACCEPT
iptables -D "$novarule" -j ACCEPT

ebtables -t nat -D I-tap"$etid"-arp-ip -j ACCEPT
ebtables -t nat -D I-tap"$etid"-ipv4-ip -j ACCEPT

#create rules
iptables -I neutron-openvswi-s"$itid" -j ACCEPT
iptables -I neutron-openvswi-i"$itid" -j ACCEPT
iptables -I neutron-openvswi-o"$itid" -j ACCEPT
iptables -I "$novarule" -j ACCEPT

ebtables -t nat -I I-tap"$etid"-arp-ip -j ACCEPT
ebtables -t nat -I I-tap"$etid"-ipv4-ip -j ACCEPT
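The change above leaves a clear trace on the compute node: the per-port neutron-openvswi-s/i/o chains normally start with Neutron's own MAC/IP match, not a bare ACCEPT. The following audit script is an added example (not part of the original post) that scans `iptables -S` text for exactly that trace; the rule listings are constructed samples so it runs offline, and the port-id prefix 091f121f-8 is taken from the listing above.

```bash
#!/bin/bash
# Added example, not from the original post: audit the Neutron per-port
# anti-spoofing chains (neutron-openvswi-s/i/o<port-id-prefix>) for the
# tampering described above, i.e. an unconditional "-j ACCEPT" placed as
# the first rule. Input is `iptables -S` text; the samples are constructed.

# Constructed `iptables -S` excerpt where the s-chain has been tampered with.
SAMPLE_RULES='-N neutron-openvswi-s091f121f-8
-A neutron-openvswi-s091f121f-8 -j ACCEPT
-A neutron-openvswi-s091f121f-8 -s 100.0.0.17/32 -m mac --mac-source FA:16:3E:F7:9D:70 -j RETURN
-A neutron-openvswi-s091f121f-8 -j DROP
-N neutron-openvswi-i091f121f-8
-A neutron-openvswi-i091f121f-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i091f121f-8 -j neutron-openvswi-sg-fallback'

# Constructed excerpt of the same chains as Neutron normally generates them.
CLEAN_RULES='-N neutron-openvswi-s091f121f-8
-A neutron-openvswi-s091f121f-8 -s 100.0.0.17/32 -m mac --mac-source FA:16:3E:F7:9D:70 -j RETURN
-A neutron-openvswi-s091f121f-8 -j DROP
-N neutron-openvswi-i091f121f-8
-A neutron-openvswi-i091f121f-8 -m state --state RELATED,ESTABLISHED -j RETURN
-A neutron-openvswi-i091f121f-8 -j neutron-openvswi-sg-fallback'

# audit_chains <port-id-prefix> <iptables -S text>
# Prints the name of every s/i/o chain whose first rule is a bare ACCEPT.
# Always returns 0; empty output means no tampering was found.
audit_chains() {
    prefix="$1"
    rules="$2"
    for kind in s i o; do
        chain="neutron-openvswi-${kind}${prefix}"
        # first rule listed for this chain, if the chain exists at all
        first=$(printf '%s\n' "$rules" | grep -- "^-A ${chain} " | head -n 1)
        if [ "$first" = "-A ${chain} -j ACCEPT" ]; then
            echo "$chain"
        fi
    done
    return 0
}

# On a live compute node run: audit_chains <port-id-prefix> "$(iptables -S)"
audit_chains 091f121f-8 "$SAMPLE_RULES"
```

The same check can be repeated for every port id returned by `neutron port-list` to sweep a whole node; the ebtables nat chains would need the equivalent comparison against `ebtables -t nat -L` output.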
