
Analysis and prevention of common attack means of network hackers

When it comes to network security, we cannot avoid talking about hackers. A "hacker" is someone with a deep understanding of a particular area of computing who is keen to break into other people's computers and steal non-public information; anyone who knows the Internet well could become one. The New Hacker Dictionary published in Japan in 1998 defines a hacker as "a person who likes to explore the mysteries of software programs and increase his personal talents." Clearly the term originally carried no derogatory meaning. Only later did a small number of people with bad intentions, who used illegally obtained system access to break into computer systems, destroy important data or create trouble for their own gain, gradually tarnish the reputation of the word, until "hacker" became a synonym for intruder and saboteur. Today hackers form a distinct social group. There are many legal hacker organizations in Europe and the United States, and hackers regularly hold technical exchange meetings. At the same time, hacker organizations use their websites to describe attack methods, distribute hacker tools and software for free and publish hacker magazines, which makes it easy for ordinary people to download and learn simple tools or techniques for attacking networks and further worsens the network security environment.

Many Internet users take a casual attitude towards network security, thinking that the worst that can happen is that a "hacker" steals an account. They often believe that "security" concerns only large and medium-sized enterprises and institutions, that hackers have no grudge against them personally, and so ask why anyone would attack them. In fact, in the virtual network world, where there is no discipline and no order, every insidious and despicable thing found in real life is on open display. In this information age almost everyone faces security threats, so it is necessary to understand network security and be able to deal with some security problems. Those who pay no attention to security are usually the ones who get attacked, and they regret it only after paying a heavy price. To keep losses to a minimum we must have a security mindset and master certain precautions, so that hackers are given no opening to exploit. Only by knowing their attack methods can we take accurate countermeasures against them.

1. Common attack steps of hackers

The steps of a hacker attack may seem unpredictable, but across the whole attack process there are still patterns to follow. The process can generally be divided into several phases: the attack prelude, carrying out the attack, consolidating control and going deeper. See Figure 1 below:

1.1 Attack prelude

In the prelude the hacker locks onto the target, learns the target's network structure and collects information about the various target systems.

Locking onto the target: there are many hosts on the network, so the hacker first has to find the site of interest. What truly identifies a host is its IP address; using the domain name and IP address, the hacker can locate the target host.

Learning the target's network structure: once the target has been chosen, the hacker tries to understand its network structure: where the gateway and routers are, where the firewall is, and which hosts are closely related to the target host. The simplest way is to trace the path with the tracert command, or to send a few packets and see whether the firewall's filtering rules can be guessed from the responses. Sophisticated hackers will of course probe indirectly through other computers so as to hide their real IP address.

Collecting system information: after gathering this first batch of network information about the target, the hacker performs a thorough analysis of each host on the network to find its security weaknesses and vulnerabilities. First the hacker wants to know which operating system and version the target host runs. If the target offers a telnet service, simply opening a telnet connection to the host returns a login banner such as "Digital UNIX (.) (ttyp1) login:" that already reveals system information. Next the hacker examines the open ports to see which services are running and whether any can be exploited. Most hosts on the Internet provide everyday network services such as WWW, mail, FTP and telnet; by convention the telnet service runs on port 23, the WWW service on port 80, and the FTP service on port 23. Information services such as SNMP, the traceroute program and the whois service can be used to read the routing table of the network's routers and so learn the topology and internal details of the network in which the target host sits: traceroute reveals the number of networks and routers on the way to the target host, the whois service provides all related DNS domains and their management parameters, and the finger service returns details about every user on a specified host (registered user name, number, last login time, whether they have read their e-mail, and so on). Unless there is a specific need, the administrator should shut these services down. Security scanners are of course indispensable for collecting system information: hackers use them to find all kinds of vulnerabilities, including system service vulnerabilities, application software vulnerabilities, weak-password accounts and more.
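The paragraph above ends with the advice that information services such as telnet, finger and SNMP should be shut down unless they are specifically needed. The following script is an added example (not part of the original article) of how an administrator can check that advice against a host: it parses listener rows in the layout of `ss -tlnu` output and reports any of those services bound to a non-loopback address. The sample output is constructed, and the port-to-service mapping assumes the standard IANA port numbers are in use.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of `ss -tlnu` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:23         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:79         0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:25       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
udp   UNCONN 0      0      127.0.0.1:323      0.0.0.0:*
"""

# Information services the article recommends disabling unless specifically needed.
# Assumption: the services run on their standard IANA ports.
INFO_SERVICES = {
    ("tcp", 23): "telnet: login banner reveals OS and version; credentials travel in cleartext",
    ("tcp", 79): "finger: exposes user names, login times and mail status",
    ("udp", 161): "snmp: exposes routing tables and interface details",
}

Listener = namedtuple("Listener", "proto addr port")
LINE_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def parse_listeners(text):
    """Parse ss-style rows into Listener tuples; the header and unparseable rows are skipped."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append(Listener(m.group(1), m.group(2), int(m.group(3))))
    return found


def is_loopback(addr):
    """Services bound only to loopback are not reachable from the network."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def audit(text):
    """Return (Listener, reason) pairs for info-leaking services reachable from the network."""
    findings = []
    for lst in parse_listeners(text):
        reason = INFO_SERVICES.get((lst.proto, lst.port))
        if reason and not is_loopback(lst.addr):
            findings.append((lst, reason))
    return findings


if __name__ == "__main__":
    for lst, reason in audit(SAMPLE_SS_OUTPUT):
        print(f"{lst.proto}/{lst.port} bound to {lst.addr}: {reason}")
```

On a real host the text would come from running `ss -tlnu` (or `netstat -tlnu` on older systems); the loopback-bound SMTP and NTP rows in the sample are deliberately not reported, since the concern is what the network can reach.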

1.2 Carrying out the attack

Once the hacker has collected enough system information and understands the system's security weaknesses, the attack is launched. Naturally, different attack methods are chosen for different network structures and system conditions. In general the ultimate goal of an attack is to take control of the target system and steal confidential files. Not every attack succeeds in gaining control of the target host, however, so hackers sometimes fall back on disruptive attacks such as denial of service, which stop the system from working normally. The specific attack methods hackers use are described in detail in the section on attack methods below and are not discussed further here.

1.3 Consolidating control

After using various means to enter the target host and gain control of it, the hacker does not immediately start the sabotage people imagine, such as deleting data or defacing pages; that is the behavior of inexperienced intruders. After a successful intrusion the hacker does two things: clears the records and leaves a back door, so as to keep and consolidate control of the system for a long time without the administrator noticing. Logs usually record traces of the attack, and the hacker will not leave this "criminal evidence" behind: the entries are deleted or covered over with fake log entries. To be able to re-enter the system undetected later, the hacker changes some system settings and plants a Trojan or other remote control program.
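The paragraph above notes that an intruder deletes log entries or covers them with fake ones. A defence that makes both tamperings detectable is to chain the log lines with a keyed hash, so that every tag also covers the previous tag; the verifying key lives on a separate log host. The following is an added example written for this article (not the author's code): the log lines and the secret are constructed placeholders, and `chain_digests` / `verify_chain` are hypothetical helper names.

```python
import hashlib
import hmac

# Placeholder secret for the demonstration; in practice it is held only by the
# separate log collector that verifies the chain, never by the monitored host.
SECRET = b"example-shared-secret"

# Constructed sample log lines (not from a real system).
SAMPLE_LOG = [
    "Jan 10 02:11:03 host sshd[812]: Accepted password for admin from 203.0.113.9 port 51000",
    "Jan 10 02:11:40 host sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/crontab -e",
    "Jan 10 02:12:05 host sshd[812]: session closed for user admin",
]

GENESIS = b"\x00" * 32  # tag assumed for the entry "before" the first line


def chain_digests(lines, secret=SECRET):
    """Return one HMAC-SHA256 tag per line. Each tag covers the line AND the previous
    tag, so deleting, editing or reordering any earlier line breaks every later tag."""
    prev = GENESIS
    tags = []
    for line in lines:
        tag = hmac.new(secret, prev + line.encode(), hashlib.sha256).digest()
        tags.append(tag.hex())
        prev = tag
    return tags


def verify_chain(lines, tags, secret=SECRET):
    """Return the index of the first line that fails to verify, or None if intact.
    A line appended without a tag, or tags left over after the lines end
    (lines removed from the tail), are reported at the index where the gap starts."""
    prev = GENESIS
    for i, line in enumerate(lines):
        if i >= len(tags):
            return i
        expected = hmac.new(secret, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), tags[i]):
            return i
        prev = expected
    if len(tags) > len(lines):
        return len(lines)
    return None


if __name__ == "__main__":
    tags = chain_digests(SAMPLE_LOG)
    print("intact:", verify_chain(SAMPLE_LOG, tags))
    # The intruder removes the sudo/crontab line: verification fails at index 1.
    print("deleted line:", verify_chain(SAMPLE_LOG[:1] + SAMPLE_LOG[2:], tags))
    # The intruder replaces it with a harmless-looking entry: also index 1.
    forged = SAMPLE_LOG[:1] + ["Jan 10 02:11:40 host cron[900]: (root) CMD (run-parts)"] + SAMPLE_LOG[2:]
    print("forged line:", verify_chain(forged, tags))
```

Whoever holds only the monitored host can rewrite the lines but cannot recompute valid tags without the secret, so forwarding lines and tags to a separate collector as they are written is what gives the scheme its value.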

1.4 Going deeper

After hiding their traces by clearing logs, deleting copied files and similar means, the attacker moves on to the next step: stealing all kinds of sensitive information on the host, such as software data, customer lists, financial statements and credit card numbers. It may also be that nothing is touched and the system is simply used as a warehouse for storing hacker programs or data. Or the hacker may use the captured host to carry out the next attack, for example continuing to intrude into the internal network or launching DoS attacks from it to paralyze the network.

The Internet world changes rapidly, hackers differ from one another, and their attack processes will not be identical. The steps described above are those most hackers follow under normal circumstances.

2. DoS and DDoS attack principles and their prevention

A denial of service (DoS) attack is a way of attacking network devices by exploiting weaknesses of the TCP/IP protocol suite and system vulnerabilities. With the aim of consuming network bandwidth and system resources, it sends large numbers of "request" messages to a network server, overloading the network or server so that the system collapses and can no longer provide normal network services. A distributed denial of service (DDoS) attack builds on the denial of service attack: it is a large-scale denial of service attack carried out in a distributed, coordinated way.

At present denial of service and distributed denial of service have become a worldwide method of attacking system weaknesses. Countless network users have been harmed by such attacks and have suffered huge economic losses. Understanding DoS and DDoS attack principles and basic prevention methods is therefore of great importance to all network users, especially network administrators.

2.1 DoS attack

A DoS attack mainly uses ostensibly reasonable service requests to tie up excessive network bandwidth and server resources, so that the server can no longer respond to legitimate connection requests. Common DoS attack methods include the SYN Flood attack, the Land attack, the Smurf attack and the UDP attack. Figure 2 shows the basic process of a DoS attack.

2.1.1 SYN Flood attack

The SYN flood attack is one of the most common DoS attacks. It exploits the "three-way handshake" of a TCP/IP connection: the attacker sends a large number of SYN packets with forged source IP addresses, requesting connections to one or more ports of the victim. When the victim sends its acknowledgement packets to these forged IP addresses as the protocol requires and waits for the other side to complete the connection, the forged source address never responds. Each connection request therefore remains in the system's cache until it times out.

If system resources are occupied by a large number of such incomplete connections, system performance naturally degrades. Subsequent legitimate TCP connection requests are also discarded because the waiting queue is full, and the server denies service.
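The two paragraphs above describe the signature a defender can look for: the half-open queue fills with connections whose forged sources never complete the handshake, while completed sessions stay few. The following added example (written for this article, not the author's code) reads socket-state rows in the layout of `ss -tan` output, summarises the half-open queue and applies a simple threshold. The rows are constructed, the backlog size of 128 and the thresholds are assumptions, and `half_open_summary` / `looks_like_syn_flood` are hypothetical names.

```python
import re
from collections import Counter


def _sample_ss_output(half_open=40, established=3):
    """Constructed rows in the layout of `ss -tan` output (not a real capture):
    `half_open` SYN-RECV entries, each from a different never-replying source,
    plus `established` real sessions."""
    rows = ["State    Recv-Q Send-Q Local Address:Port Peer Address:Port"]
    for i in range(half_open):
        rows.append(f"SYN-RECV 0      0      10.0.0.5:80        203.0.113.{i + 1}:{40000 + i}")
    for i in range(established):
        rows.append(f"ESTAB    0      0      10.0.0.5:80        198.51.100.{i + 1}:{51000 + i}")
    return "\n".join(rows) + "\n"


SAMPLE_SS_TAN = _sample_ss_output()

ROW_RE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+):(\d+)\s+(\S+):(\d+)")


def parse_connections(text):
    """Yield (state, local_port, peer_ip) for each data row; the header does not match."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            yield m.group(1), int(m.group(3)), m.group(4)


def half_open_summary(text, backlog=128):
    """Summarise the half-open queue the way a monitoring check would read it."""
    states = Counter()
    half_open_sources = Counter()
    for state, _port, peer in parse_connections(text):
        states[state] += 1
        if state == "SYN-RECV":
            half_open_sources[peer] += 1
    half_open = states["SYN-RECV"]
    return {
        "half_open": half_open,
        "established": states["ESTAB"],
        "distinct_half_open_sources": len(half_open_sources),
        "backlog_fraction": half_open / backlog,
    }


def looks_like_syn_flood(summary, fraction_threshold=0.25, ratio_threshold=5.0):
    """Flag when half-open connections fill a large share of the backlog AND outnumber
    completed sessions by a wide margin: forged sources never finish the handshake,
    so a flood shows up as many SYN-RECV entries and few ESTAB ones."""
    if summary["backlog_fraction"] < fraction_threshold:
        return False
    established = max(summary["established"], 1)
    return summary["half_open"] / established >= ratio_threshold


if __name__ == "__main__":
    summary = half_open_summary(SAMPLE_SS_TAN)
    print(summary)
    print("SYN flood suspected:", looks_like_syn_flood(summary))
```

Because the sources are forged, per-source counts do not help (every entry comes from a different address); the useful signals are the size of the queue relative to the backlog and the ratio of half-open to established connections. On Linux the standard mitigation that keeps the queue from filling is SYN cookies (`net.ipv4.tcp_syncookies = 1`).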

2.1.2 Land attack

The Land attack sends the target host a large number of packets whose source address and destination address are the same, so that the target host consumes large amounts of system resources processing these Land packets and its network function is completely paralyzed. The method is to set both the source and destination address of a specially crafted SYN packet to the address of the attacked server. On receiving the packet the server sends a SYN-ACK response to itself; that SYN-ACK in turn produces an ACK packet sent to itself, and an empty connection is created. Each such empty connection is held temporarily by the server, and once the queue grows long enough, legitimate connection requests are discarded and the server denies service.

2.1.3 Smurf attack

The Smurf attack is an ICMP attack that relies on amplification. The attacker, pretending to be the victim, sends a request to a broadcast address on a network; the devices on that network all respond to the victim, so a large attack is produced at very small cost. For example, if the attacker forges the victim's IP address and uses Ping to send ICMP packets to the broadcast address of a class C network, the 254 hosts on that network all send ICMP response packets to the victim's IP, and the attacker's traffic is amplified 254 times.

2.1.4 UDP attack

A UDP attack is one launched by sending UDP packets. In a UDP flood attack, the attacker sends a large number of UDP packets, or malformed UDP packets, with forged source IP addresses.
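Sections 2.1.2 to 2.1.4 each describe a packet-level characteristic a filter can check for: a SYN whose source equals its destination (Land), an echo request aimed at the network's directed broadcast address (Smurf), and a burst of UDP packets or UDP packets shorter than the 8-byte header (UDP flood). The following added example (written for this article, not the author's code) runs those three checks over a constructed packet sample; the protected network `192.0.2.0/24`, the server address, the one-second window and the 100-packet threshold are assumptions, and the function names are hypothetical.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed protected network; its directed broadcast address is the Smurf amplifier.
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
SERVER = "192.0.2.10"


# Minimal packet records (constructed; only the fields the checks need).
def tcp(src, dst, flags=("SYN",), ts=0.0):
    return {"proto": "tcp", "src": src, "dst": dst, "flags": set(flags), "ts": ts}


def icmp_echo(src, dst, ts=0.0):
    return {"proto": "icmp", "src": src, "dst": dst, "icmp_type": 8, "ts": ts}


def udp(src, dst, udp_len=28, ts=0.0):
    return {"proto": "udp", "src": src, "dst": dst, "udp_len": udp_len, "ts": ts}


def is_land(pkt):
    """Land: a SYN whose source and destination addresses are the same host."""
    return pkt["proto"] == "tcp" and "SYN" in pkt["flags"] and pkt["src"] == pkt["dst"]


def is_smurf_trigger(pkt, net=LOCAL_NET):
    """Smurf: an echo request to the directed broadcast address; its source is the victim."""
    return (pkt["proto"] == "icmp" and pkt["icmp_type"] == 8
            and ipaddress.ip_address(pkt["dst"]) == net.broadcast_address)


def is_malformed_udp(pkt):
    """The UDP header alone is 8 bytes, so a smaller length field is malformed."""
    return pkt["proto"] == "udp" and pkt["udp_len"] < 8


def udp_flood_sources(pkts, window=1.0, threshold=100):
    """Sources sending more than `threshold` UDP packets within one `window`-second bucket."""
    buckets = Counter()
    for p in pkts:
        if p["proto"] == "udp":
            buckets[(p["src"], int(p["ts"] // window))] += 1
    return sorted({src for (src, _), n in buckets.items() if n > threshold})


def classify(pkts):
    """Run all checks and return {alert_name: [source addresses]}."""
    alerts = defaultdict(list)
    for p in pkts:
        if is_land(p):
            alerts["land"].append(p["src"])
        if is_smurf_trigger(p):
            alerts["smurf"].append(p["src"])
        if is_malformed_udp(p):
            alerts["malformed_udp"].append(p["src"])
    alerts["udp_flood"] = udp_flood_sources(pkts)
    return dict(alerts)


# Constructed traffic sample: one normal SYN, one Land packet, one Smurf trigger
# forged to look like it came from SERVER, one malformed UDP datagram, a burst of
# 150 UDP packets from one source inside a single second, and one normal UDP packet.
SAMPLE = (
    [tcp("198.51.100.7", SERVER, ts=0.1), tcp(SERVER, SERVER, ts=0.2)]
    + [icmp_echo(SERVER, "192.0.2.255", ts=0.3)]
    + [udp("203.0.113.4", SERVER, udp_len=4, ts=0.4)]
    + [udp("203.0.113.9", SERVER, ts=0.5 + i / 1000) for i in range(150)]
    + [udp("198.51.100.8", SERVER, ts=2.0)]
)

if __name__ == "__main__":
    for name, sources in classify(SAMPLE).items():
        print(f"{name}: {sources}")
```

The Land and Smurf checks are stateless and belong at the border filter; the common Smurf mitigation is to stop routers forwarding directed broadcasts (`no ip directed-broadcast` on Cisco IOS) and to have hosts ignore broadcast echo requests (`net.ipv4.icmp_echo_ignore_broadcasts = 1` on Linux). The UDP rate check needs state across packets, which is why it is computed over the whole window rather than per packet.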

Copyright © 2011 JIN SHI