Common network attack methods and defense technologies
Probing (reconnaissance) attacks:
These collect information about the network's weaknesses in preparation for further attacks. They fall into scanning attacks and network sniffing.
Scanning attacks: port scanning, host scanning and vulnerability scanning.
Network sniffing: switching the network card of a machine on the segment into promiscuous mode, which can be done purely in software, so that it accepts every frame on the segment and exposes whatever plaintext (credentials, session data) crosses the wire.
Port scanning:
According to the TCP specification, a host that receives a connection request segment (a TCP SYN) does the following:
1. If the requested TCP port is open, it answers with a SYN/ACK segment and allocates a connection control block (TCB) for the half-open connection;
2. If the requested TCP port is closed, it answers with an RST segment (the RST flag in the TCP header set to 1), telling the sender that nothing is listening there.
Similarly, when the IP stack receives a UDP datagram:
1. If the destination port is open, the datagram is handed to the application bound to that port and the stack itself sends nothing back (any reply comes from the application, depending on what it does with the data);
2. If the destination port is closed, the stack answers with an ICMP destination unreachable message (type 3, code 3, port unreachable), telling the sender that the UDP port is unreachable.
Using this behaviour, an attacker can determine which TCP and UDP ports of a target are open by sending suitably crafted probes.
The procedure is as follows:
1. Send TCP SYN segments or UDP datagrams to one port after another, starting at 0 (port numbers are 16 bits wide, so the maximum is 65535 and the space is small enough to cover completely);
2. If an RST comes back for a TCP probe, or an ICMP port unreachable message for a UDP probe, the port is closed;
3. If a SYN/ACK comes back for a TCP probe, the port is open; if nothing comes back at all, a firewall is probably dropping the probe (filtered). If nothing comes back for a UDP probe, the port may be open or may be filtered: many stacks rate-limit ICMP errors and some never send them, and a firewall may silently drop the probe, so UDP silence is ambiguous. Only a UDP reply from the application proves a UDP port open.
In this way the attacker learns which TCP and UDP ports the target has open and plans the next step around the services behind those ports; this is what is called a port scanning attack.
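The inference rules above, and a connect scan that exercises them against the local machine, as an added example (this code is not from the original article). It assumes Python 3 and loopback networking only: the two probe targets are a listener and a freed port created by the script itself, so no external host is touched. A SYN (half-open) scan would send the raw SYN itself and answer the SYN/ACK with an RST instead of completing the handshake, but needs raw-socket privileges; the connect scan below lets the kernel's own handshake report the same three outcomes.

```python
import socket
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class PortState(Enum):
    OPEN = "open"
    CLOSED = "closed"
    FILTERED = "filtered"               # no answer at all: something is dropping probes
    OPEN_OR_FILTERED = "open|filtered"  # UDP silence cannot tell the two apart


def classify_tcp(response: Optional[str]) -> PortState:
    """Map the reply to a TCP SYN probe onto a port state.
    response is "SYN-ACK", "RST" or None (nothing came back before the timeout)."""
    if response == "SYN-ACK":
        return PortState.OPEN
    if response == "RST":
        return PortState.CLOSED
    return PortState.FILTERED


def classify_udp(response: Optional[str]) -> PortState:
    """Map the reply to a UDP probe onto a port state.
    response is "UDP" (the application answered), "ICMP-3-3" (port unreachable),
    another ICMP unreachable code such as "ICMP-3-13" (administratively
    prohibited, i.e. a firewall spoke up), or None (silence)."""
    if response == "UDP":
        return PortState.OPEN
    if response == "ICMP-3-3":
        return PortState.CLOSED
    if response is not None and response.startswith("ICMP-3-"):
        return PortState.FILTERED
    return PortState.OPEN_OR_FILTERED


def tcp_connect_scan(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, PortState]:
    """Full-handshake (connect) scan: the kernel sends the SYN for us and reports
    the outcome as a socket error, which maps onto the same three states."""
    results: Dict[int, PortState] = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))       # success means a SYN/ACK came back
                results[port] = PortState.OPEN
            except ConnectionRefusedError:    # the kernel saw an RST
                results[port] = PortState.CLOSED
            except OSError:                   # timeout or unreachable: filtered
                results[port] = PortState.FILTERED
    return results


def demo_localhost() -> Tuple[PortState, PortState]:
    """Self-contained check: listen on one ephemeral port, free another, scan both.
    Returns (state of the listening port, state of the freed port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()  # nothing is bound here any more, so a SYN is answered with RST

    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        return results[open_port], results[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_localhost())
```

The connect scan completes the handshake and therefore shows up in the target's application logs; that visibility, not speed, is the usual reason attackers prefer a half-open SYN scan.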
Host scanning (a ping sweep) finds live hosts by sending ICMP echo requests to every address in a range and noting which ones reply.
Network footprint
Attackers gather information about the target in advance, typically with tools such as whois and finger and protocols such as DNS and LDAP, to learn the target's domain names, IP address ranges, network topology and user information; this is usually the first step before an attack.
Scanning attack
Scanning attacks include address scanning and port scanning. The ping command and port scanning tools are used to learn useful facts about the target, such as which ports are open and therefore which services are running, laying the groundwork for further intrusion.
Protocol fingerprint
The attacker sends probe packets to the target host. Because the IP stacks of different operating system vendors differ in many subtle details (each vendor interprets the RFCs slightly differently when implementing its TCP/IP stack), every operating system responds in its own characteristic way, and from these responses the attacker can usually determine which operating system the target is running.
Some commonly used protocol stack fingerprints include TTL value, TCP window size, DF flag, TOS, IP fragmentation processing, ICMP processing, TCP option processing and so on.
Information flow monitoring (sniffing)
This is the most common method in LAN environments.
On a shared-medium network (a hubbed Ethernet, for instance), every frame reaches every station; normally a network card accepts only frames addressed to its own MAC address, to the broadcast address, or to a multicast group the host has joined. A card set to promiscuous mode, however, accepts every frame that passes.
Based on this, a hacker can monitor the traffic on the network with a sniffer, implemented in software or hardware, and pick out the content of interest, such as passwords sent in the clear. On a switched network the attacker first has to get the traffic to his own port, for example by ARP spoofing or by abusing a mirror port, because a switch delivers unicast frames only to the destination's port.
Access attack
Password attacks: brute-force password guessing, Trojan horse programs, packet sniffing and so on.
Man-in-the-middle attack: intercepting traffic, eavesdropping on its content, and injecting new data into the conversation.
Session hijacking exploits weaknesses of TCP itself: once a legitimate connection is established, an attacker who can observe or predict the sequence numbers takes over the authenticated session by knocking out or desynchronising one party, then impersonates that party to the other.
Denial of service attack
The attacker generates a large volume of seemingly legitimate service requests that tie up so many of the service's resources that legitimate users receive no response.
To keep a system from succumbing to DoS, the administrator should keep the whole system actively maintained and patched, so that the implementation flaws exploited by crash-type attacks (such as the Ping of Death, Teardrop and Land attacks described below) are no longer present;
flood-type attacks (such as SYN floods and Smurf), which exploit sheer volume rather than a flaw, need filtering and rate-limiting at firewalls or other security devices. In addition, administrators should regularly review the logs of those devices to spot threatening behaviour early.
Characteristics and defense methods of common denial of service attacks
Denial of service attack is the most common type of network attack.
Under this attack principle, many different attack methods are derived.
A correct understanding of these different denial attack methods can help us to correctly and systematically deploy a sound security protection system for our own enterprises.
The most basic means of intrusion detection is finding attacks through pattern matching against known attack signatures.
To counter attacks effectively we must first understand how an intrusion works; only by knowing both the enemy and ourselves can we prevent intrusion attacks effectively.
Below we briefly analyze several typical denial-of-service attack principles and put forward corresponding countermeasures.
Ping of Death attack
The IP total length field is 16 bits wide, so an IP datagram, including its header, can be at most 65,535 bytes long, and many early TCP/IP stacks assumed that no reassembled ICMP packet would ever be larger than that.
On receiving the first fragment, the stack reads the header and allocates a reassembly buffer for the payload based on the length information it contains.
An attacker sends an ICMP echo request in fragments whose offsets and lengths add up to more than 65,535 bytes; when the stack reassembles them it writes past the buffer it allocated, corrupting memory and crashing the TCP/IP stack, which takes the receiving machine down.
This is the principle of the Ping of Death.
A hacker could trigger it with nothing more than a ping utility that allowed an oversized packet size, crashing the target's stack and halting the machine.
Defense methods:
All current TCP/IP stacks validate fragment offsets and lengths and discard fragments that would reassemble into more than 65,535 bytes, and most firewalls filter these attacks automatically by inspecting the fragment fields and arrival pattern.
Windows 98, Windows NT 4.0 (from SP3 on), Windows 2000/XP/Server 2003, Linux, Solaris and Mac OS all resist the classic Ping of Death.
Configuring the firewall to drop oversized or malformed fragments and unsolicited ICMP echo requests from untrusted networks also prevents such attacks. Blocking ICMP wholesale is a blunt instrument, since it also breaks path MTU discovery and traceroute, so prefer filtering the specific types you do not need.
Teardrop attack
Large IP packets often have to be fragmented for transmission to satisfy the MTU (maximum transmission unit) of the link layer.
For example, a 6000-byte IP packet sent over a link with an MTU of 2000 bytes must be split into several fragments (ignoring header overhead, three of roughly 2000 bytes each).
The IP header contains a fragment offset field and a more fragments flag (MF).
If MF is set to 1, the packet is a fragment of a larger IP packet, and the offset field gives the position of the fragment's data within the original packet, in units of 8 bytes.
For the 6000-byte example, the three fragments carry data starting at bytes 0, 2000 and 4000, so their offset fields hold 0, 250 and 500.
Once all fragments have arrived, the receiver uses this information to put the data back together. Teardrop forges fragments whose offset and length fields are inconsistent, so that a later fragment overlaps, or lies entirely inside, an earlier one. A receiver that does not validate these fields cannot reassemble the packet correctly; an implementation that computes the amount of data to copy from the bogus values ends up with a negative or oversized length, corrupts memory, and crashes or hangs the operating system.
Teardrop therefore exploits TCP/IP stacks that trust the offset and length information in fragment headers without checking it.
Every fragment says which part of the original packet it carries, and some operating systems (for example Windows NT 4.0 before SP4) crashed when they received forged fragments with overlapping offsets; current operating systems resist this attack on their own.
Defense methods:
Use an up-to-date operating system wherever possible, or enable fragment reassembly on the firewall so that the firewall collects all fragments of an original packet and reassembles them itself, instead of forwarding them one by one.
A firewall that reassembles can apply rules when overlapping fragments appear and drop the malformed packet before it reaches the host.
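A reassembler that applies the checks the Ping of Death and Teardrop sections describe, as an added example (not code from the article): it rejects fragments that would push the datagram past 65,535 bytes and fragments that overlap data already received, and treats a missing fragment by waiting rather than crashing. Python 3 only; the fragments are tuples of (offset in 8-byte units, MF flag, payload) constructed in code rather than parsed from the wire, and IP_HEADER_LEN assumes a 20-byte header without options.

```python
from typing import List, Optional, Tuple

IP_HEADER_LEN = 20       # minimal IPv4 header (assumed: no options); every fragment carries one
MAX_DATAGRAM = 65535     # 16-bit Total Length field: the largest legal IP datagram
MAX_OFFSET_UNITS = 8191  # 13-bit Fragment Offset field, in units of 8 bytes

Fragment = Tuple[int, int, bytes]  # (offset in 8-byte units, MF flag, payload)


class FragmentError(ValueError):
    """Raised for fragments no honest sender produces. A stack that trusted them
    instead is exactly what Ping of Death and Teardrop exploited."""


def fragment(payload: bytes, mtu: int) -> List[Fragment]:
    """Split a datagram payload for a link with the given MTU, as a sender would.
    Every non-final fragment must carry a multiple of 8 bytes."""
    chunk = (mtu - IP_HEADER_LEN) // 8 * 8
    frags: List[Fragment] = []
    for start in range(0, len(payload), chunk):
        piece = payload[start:start + chunk]
        more = 1 if start + len(piece) < len(payload) else 0
        frags.append((start // 8, more, piece))
    return frags


def reassemble(fragments: List[Fragment]) -> Optional[bytes]:
    """Rebuild the original payload, validating every header field first.
    Returns None while fragments are still missing, the payload when complete,
    and raises FragmentError for oversize or overlapping fragments."""
    covered = 0        # bytes of payload reassembled so far, contiguously from 0
    parts: List[bytes] = []
    total: Optional[int] = None
    for off_units, more, piece in sorted(fragments, key=lambda f: f[0]):
        if off_units > MAX_OFFSET_UNITS:
            raise FragmentError("offset does not fit in 13 bits")
        start = off_units * 8
        end = start + len(piece)
        if IP_HEADER_LEN + end > MAX_DATAGRAM:
            # Ping of Death: the reassembled datagram would exceed 65,535 bytes
            raise FragmentError(f"fragment ends at byte {end}, beyond the maximum datagram")
        if more and len(piece) % 8:
            raise FragmentError("non-final fragment length is not a multiple of 8")
        if total is not None:
            raise FragmentError("data after the fragment marked as final")
        if start < covered:
            # Teardrop: this fragment overlaps (or sits inside) one already received
            raise FragmentError(f"fragment at {start} overlaps data received up to {covered}")
        if start > covered:
            return None    # a hole: keep waiting for the missing fragment
        parts.append(piece)
        covered = end
        if not more:
            total = end
    if total is None:
        return None        # final fragment not seen yet
    return b"".join(parts)
```

A real stack also keys the reassembly on the source, destination, protocol and identification fields and times out incomplete packets; the checks shown here are the ones that separate a malformed fragment train from a merely late one.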
TCP SYN flood attack.
A TCP/IP stack can keep only a limited number of half-open connections waiting for the final ACK, because the memory each computer sets aside for connection state (the listen backlog) is small.
If this backlog fills with connections waiting for a response, the computer stops accepting new connections until the waiting entries time out.
A TCP SYN flood exploits this limitation.
The attacker sends a stream of connection requests (SYN segments) to the target with forged source IP addresses.
For each request, the target sends a SYN/ACK and waits for the reply.
Because the source addresses were forged, the SYN/ACKs go to hosts that never sent a SYN, or to nobody at all, and no ACK ever comes back.
Until an ACK arrives, the target does not give up the entry on its own; it keeps the half-open connection in the backlog and waits, retransmitting the SYN/ACK a few times.
Once enough half-open connections pile up, the backlog is exhausted and the stack starts refusing further connection requests, including those from legitimate clients, which is exactly what the attacker wants.
Defense methods:
Filtering repeated connection attempts from the same host at the firewall helps only against an attacker who does not forge source addresses.
A SYN flood remains worrying because the attacker does not need any response, so randomly forged sources cannot be distinguished from many legitimate clients by traffic volume alone.
The standard host-side defences are SYN cookies, which let the server answer a SYN without storing any state until the handshake completes, together with a larger backlog and a shorter SYN-RECEIVED timeout; firewalls can additionally act as SYN proxies, completing the handshake with the client before opening a connection to the protected server. The exact configuration is described in the firewall vendor's documentation.
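A SYN cookie scheme of the kind described above, as an added example (not the article's code and not any particular stack's implementation): the server encodes a time counter, an MSS index and a keyed hash into the ISN of its SYN/ACK, so the half-open entry that a flood would exhaust is never stored, and the handshake's final ACK is validated by recomputing the cookie. Python 3 standard library only; the secret, the MSS table, the 64-second counter period and the 5/3/24-bit layout are choices made here for illustration.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed for this example; a real server generates this at boot and rotates it.
SECRET = b"example-syn-cookie-secret-rotate-me"
# The cookie has room for only 3 bits of MSS, so the client's value is rounded
# down to one of these entries (assumed table).
MSS_TABLE = (536, 1300, 1440, 1460)
COUNTER_PERIOD = 64  # seconds per counter tick; a cookie stays valid for about two ticks


def _mac(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
         client_isn: int, counter: int) -> int:
    """24-bit keyed hash binding the cookie to the connection 4-tuple,
    the client's ISN and the time slot it was issued in."""
    msg = struct.pack("!4s4sHHII", socket.inet_aton(saddr), socket.inet_aton(daddr),
                      sport, dport, client_isn, counter)
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_syn_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                    client_isn: int, client_mss: int, now: int) -> int:
    """Server ISN to put in the SYN/ACK. Nothing is stored for the connection:
    the 32-bit value replaces the half-open backlog entry the text describes.
    Layout: 5 bits counter | 3 bits MSS index | 24 bits MAC."""
    counter = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= client_mss), default=0)
    mac = _mac(secret, saddr, daddr, sport, dport, client_isn, counter)
    return (counter << 27) | (mss_idx << 24) | mac


def check_syn_cookie(secret: bytes, saddr: str, daddr: str, sport: int, dport: int,
                     ack_seq: int, ack_ack: int, now: int):
    """Validate the final ACK of the handshake from its seq and ack fields.
    Returns the negotiated MSS if the cookie is genuine and fresh, otherwise
    None, meaning the segment is dropped without allocating anything."""
    cookie = (ack_ack - 1) & 0xFFFFFFFF      # our ISN is the client's ack number minus one
    client_isn = (ack_seq - 1) & 0xFFFFFFFF  # the client's ISN is its seq number minus one
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    if mss_idx >= len(MSS_TABLE):
        return None
    if ((now // COUNTER_PERIOD) - counter) & 0x1F > 1:
        return None                           # stale: issued more than two slots ago
    expected = _mac(secret, saddr, daddr, sport, dport, client_isn, counter)
    if not hmac.compare_digest(expected.to_bytes(3, "big"),
                               (cookie & 0xFFFFFF).to_bytes(3, "big")):
        return None
    return MSS_TABLE[mss_idx]


if __name__ == "__main__":
    now = int(time.time())
    isn = make_syn_cookie(SECRET, "198.51.100.7", "203.0.113.10", 40000, 443, 0x1A2B3C4D, 1460, now)
    print(hex(isn), check_syn_cookie(SECRET, "198.51.100.7", "203.0.113.10", 40000, 443,
                                     0x1A2B3C4E, isn + 1, now))
```

The cost is that the server forgets the TCP options from the SYN (window scale, SACK, the exact MSS), which is why production stacks only switch cookies on once the backlog is under pressure, and why the MSS is squeezed into a tiny table here.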
Land attack
In this attack the source and destination addresses (and ports) of the packet are identical: a TCP SYN apparently sent by the target to itself. An operating system with this flaw does not know how to handle such a packet, or ends up sending and receiving it in a loop, consuming system resources until it hangs or crashes.
Defense methods:
Detecting this attack is easy: a packet whose source address equals its destination address (with equal source and destination ports) has no legitimate reason to arrive from the network and can be treated as an attack.
The countermeasure is to configure the packet filtering rules of firewalls or filtering routers accordingly; more generally, ingress filtering should drop any packet arriving from outside that claims an internal source address.
Audit such events, recording the time and the MAC and IP addresses of the source and target hosts, so that the origin of the attack can be analysed and traced.
Smurf attack
This denial of service attack is named after the cartoon characters.
It abuses the willingness of many routers to forward a packet addressed to a network's broadcast address onto that network, where every host receives it (a directed broadcast).
The attacker sends ICMP echo requests to the broadcast address of an intermediary network with the source address forged to be the victim's address.
Because the requests look like legitimate pings from a real host, every system on the intermediary network answers with an ICMP echo reply to the victim. One forged request produces one reply per live host, so a network of a few hundred machines amplifies the attacker's bandwidth by the same factor and congests the victim's link.
A Smurf attack generates one or two orders of magnitude more traffic than the plain ping flood mentioned above, and succeeds more easily.
Newer variants are reflection attacks in the same spirit: the forged source address is that of some third party, which becomes the victim of the avalanche of replies, while the attacker's own address never appears in the traffic.
Defense methods:
Disable forwarding of directed broadcasts on edge routers and firewalls (on Cisco IOS this is "no ip directed-broadcast" on each interface, the default since IOS 12.0), have hosts ignore echo requests sent to broadcast addresses (on Linux, net.ipv4.icmp_echo_ignore_broadcasts = 1), and rate-limit or filter inbound ICMP echo traffic at the firewall.
Fraggle attack
Fraggle is a simple variant of Smurf that uses UDP instead of ICMP, because attackers know that UDP is harder for administrators to block wholesale.
The forged requests go to a specific UDP port on the broadcast address, usually port 7 (echo) or 19 (chargen), whose services answer every datagram; chargen in particular replies with more data than it receives. Otherwise the mechanics are the same as Smurf and are not repeated here.
Defense methods:
Disable directed broadcast forwarding on edge routers and firewalls, turn off the echo, chargen and other small UDP services on hosts, and filter or rate-limit the UDP ports commonly used for Fraggle at the firewall.
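Detection logic for the three spoofing attacks above (Land, Smurf and Fraggle), run over a constructed sample of packet headers, as an added example that is not part of the original article. It assumes Python 3, that packets have already been parsed into their header fields, and that the protected network is 192.0.2.0/24; the sample addresses are documentation ranges, not real traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields the three checks need (assumed parsed representation)."""
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


ICMP_ECHO_REQUEST = 8
FRAGGLE_PORTS = {7, 19}  # UDP echo and chargen, the classic amplifiers


def is_directed_broadcast(dst: str, local_nets: List[ipaddress.IPv4Network]) -> bool:
    """True if dst is the broadcast address of one of our subnets. A packet
    arriving from outside for such an address is a directed broadcast."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in local_nets)


def classify(pkt: Packet, local_nets: List[ipaddress.IPv4Network]) -> Optional[str]:
    """Return the attack name a packet matches, or None for ordinary traffic."""
    # Land: a TCP segment that claims to come from its own destination and port
    if pkt.proto == "tcp" and pkt.src == pkt.dst and pkt.sport == pkt.dport:
        return "land"
    if is_directed_broadcast(pkt.dst, local_nets):
        # Smurf: echo request to our broadcast address, every host would reply to src
        if pkt.proto == "icmp" and pkt.icmp_type == ICMP_ECHO_REQUEST:
            return "smurf"
        # Fraggle: same idea with UDP echo/chargen
        if pkt.proto == "udp" and pkt.dport in FRAGGLE_PORTS:
            return "fraggle"
    return None


def scan_capture(packets: List[Packet], local_nets: List[ipaddress.IPv4Network]) -> Dict[str, int]:
    """Count matches per attack type over a list of parsed packets."""
    hits: Dict[str, int] = {}
    for p in packets:
        label = classify(p, local_nets)
        if label:
            hits[label] = hits.get(label, 0) + 1
    return hits


# Constructed sample capture (not real traffic). The protected network is 192.0.2.0/24.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.10", "tcp", 139, 139),         # land
    Packet("203.0.113.5", "192.0.2.255", "icmp", icmp_type=8),  # smurf probe
    Packet("203.0.113.5", "192.0.2.255", "udp", 53000, 7),      # fraggle probe
    Packet("198.51.100.3", "192.0.2.20", "icmp", icmp_type=8),  # ordinary ping
    Packet("198.51.100.3", "192.0.2.20", "tcp", 51000, 80),     # ordinary web request
]

if __name__ == "__main__":
    print(scan_capture(SAMPLE, LOCAL_NETS))
```

The same three predicates are what a border filter enforces: drop directed broadcasts from outside, drop packets whose source is inside your own range but arrives on the external interface, and the Land packet fails the second rule even before the first check runs.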
E-mail bomb
The e-mail bomb is one of the oldest anonymous attacks: a machine is set up to send a very large number of messages to the same address continuously. The flood exhausts the recipient's network bandwidth, mail server storage and mailbox quota.
Defense methods:
Configure filtering rules on the mail server (rate limits per sender address and per source host) and automatically discard excessive or duplicate messages from the same host.
Virtual terminal (VTY) exhaustion attack
This attack targets network devices such as routers and switches.
To allow remote administration, these devices provide a number of virtual terminal (VTY) lines on which administrators can log in by Telnet (or SSH) and manage the device.
The number of VTY lines on a device is limited, typically a handful such as 5 or 10.
If an attacker opens that many Telnet connections to the device at the same time and simply holds them open,
all remote management lines are occupied, and a legitimate administrator's attempt to connect fails because no free line remains.
Defense methods:
Restrict which source addresses may connect to the VTY lines with an access list, set a short idle timeout so abandoned sessions are released, prefer SSH with authentication over Telnet, and keep console access available as an out-of-band fallback.
ICMP flood
Normally, diagnostic programs such as ping send ICMP echo request messages to check the network, and the receiving host answers each with an ICMP echo reply.
Generating each reply costs CPU time, and in some cases considerably more,
for example when the echo request arrives in fragments that must be reassembled first. If an attacker sends a large volume of ICMP echo requests to the target (an ICMP flood), the target spends its time answering them and cannot keep up with other network traffic; this too is a denial of service (DoS) attack. Rate-limiting ICMP echo on the host or at the firewall bounds the damage, and if the requests carry forged source addresses the target also becomes a reflector that aims its replies at a third party.
WinNuke attack
NetBIOS is a basic network resource access interface widely used for file sharing, print sharing, inter-process communication (IPC) and data exchange between different operating systems.
Originally NetBIOS ran directly over the LLC2 link-layer protocol (NetBEUI) and relied on broadcasts for name resolution.
To carry NetBIOS over TCP/IP, RFC 1001 and RFC 1002 define the interaction and the following well-known TCP/UDP ports:
139: TCP port of the NetBIOS session service;
137: UDP port of the NetBIOS name service;
138: UDP port of the NetBIOS datagram service.
The network services (file sharing and so on) of earlier Windows versions (Windows 95/98/NT) were all built on NetBIOS,
so these systems listen on port 139; later versions (Windows 2000/XP/2003) keep NetBIOS over TCP/IP for compatibility and also open port 139.
WinNuke exploits a flaw in the Windows TCP/IP stack by sending segments carrying TCP out-of-band (OOB, "urgent") data to port 139.
These segments differ from ordinary OOB traffic in that the urgent pointer field does not agree with where the data actually sits in the segment, so the Windows stack mishandles the data and crashes.
Fragmented IP message attack
To carry IP packets larger than the MTU of a link, the IP stack fragments them, and the receiver reassembles them using the fragment offset, the MF flag and the identification field in each fragment's IP header.
While processing fragments, the target caches those that have arrived and waits for the rest.
Each partially reassembled packet ties up memory and IP stack data structures.
If an attacker sends only one fragment of a packet and never the remaining ones, the target holds that fragment until its reassembly timer expires.
Sending a large number of such orphan fragments therefore exhausts the target's reassembly resources, so that legitimate fragmented packets can no longer be reassembled, which is another form of DoS.
Teardrop (described above) is the related attack in which overlapping fragments trigger reassembly errors that crash or hang the target.