Network Attack Detection and Prevention, Chapter 7

Slide 2: Contents
- Detection and prevention of common network attacks
- Defending against DoS attacks

Slide 3: The general process of a hacker attack on a network - information gathering
- Public protocols and tools used:
  - the TraceRoute program
  - the SNMP protocol
  - DNS servers
  - the Whois protocol
  - the Ping utility

Slide 4: The general process of a hacker attack on a network - probing for system security weaknesses
- Main probing methods:
  - self-written programs
  - slow scans
  - architecture probing
  - publicly available tool software

Slide 5: The general process of a hacker attack on a network - building a simulated environment and rehearsing the attack
- Using the information obtained in the two previous steps
- Build a simulated environment resembling the target
- Run a series of attacks against this simulated target

Slide 6: The general process of a hacker attack on a network - carrying out the attack
- Using the information obtained in the previous steps
- Combined with the attacker's own skill and experience, work out the corresponding attack methods
- Wait for the right moment to carry out the real network attack

Slide 7: Protocol spoofing attacks and countermeasures - source IP address spoofing
- Solutions on the router
- Measures to prevent source IP address spoofing:
  - abandon address-based trust policies
  - use cryptographic methods
  - perform packet filtering

Slide 8: Protocol spoofing attacks and countermeasures - source-routing spoofing
- Measures against source-routing spoofing:
  - discard packets that arrive from the external network but claim to come from an internal host
  - disable source routing on the router

Slide 9: Protocol spoofing attacks and countermeasures - denial-of-service attacks
- Measures to prevent denial-of-service attacks:
  - adjust the configuration of the router on that network segment
  - force the system to reset timed-out SYN connection-request packets
  - shorten the timeout constant and lengthen the waiting queue
  - perform the necessary TCP interception in front of the router
  - shut down services that can generate an unbounded sequence of output

Slide 10: Denial-of-service attacks
- An attack that consumes the available system and bandwidth resources with a volume of packets beyond the target's processing capacity, paralyzing network services
- Two frequently used forms:
  - TCP SYN flood (half-open connection attack)
  - UDP flood

Slide 11: Denial-of-service attacks (figure only)

Slide 12: Denial-of-service attacks - UDP flood
- Uses of UDP on the network: for example DNS resolution, RealAudio streaming audio, network management, online games
- Kinds of UDP-based attacks: for example against the echo and chargen services of the Unix operating system; the echo service

Slide 13: Denial-of-service attacks - Trinoo
- Trinoo is an attack tool based on UDP flooding
- Trinoo's attack capability is implemented through three modules:
  - the attack daemon, NS
  - the attack control process, MASTER
  - the client: netcat, the standard telnet program, etc.

Slide 14: Denial-of-service attacks and countermeasures - the six available Trinoo commands
- mtimer, dos, mdie, mping, mdos, msize

Slide 15: Denial-of-service attacks (figure only)

Slide 16: Denial-of-service attacks - an attack example
- The attacked target host is victim, IP: 5
- ns was implanted on three Sun hosts; their IP mappings are client1: 1, client2: 2, client3: 3; the host running master is masterhost: 4
- First start each process: on client1, 2 and 3 run ns to start the attack daemon
- Then start master on the master's host:
    masterhost# ./master
    ? gOrave                                    (the system prompts for a password; after entering gOrave the master starts successfully)
    trinoo v1.07d2+f3+c Mar 20 2000:14:38:49    (connected)

Slide 17: Denial-of-service attacks
- On any telnet-capable device connected to the network, run:
    telnet 4 27665
    Escape character is '^]'.
    betaalmostdone                              (enter the password)
    trinoo v1.07d2+f3+c.rpm8d/cb4Sx/
    trinoo>                                     (the prompt appears)
    trinoo> mping                               (first check whether each attack daemon started successfully)
    mping: Sending a PING to every Bcasts.
    trinoo> PONG 1 Received from 1
    PONG 2 Received from 2
    PONG 3 Received from 3                      (successful responses)
    trinoo> mtimer 60                           (set the attack duration to 60 seconds)
    mtimer: Setting timer on bcast to 60.
    trinoo> dos 5
    DoS: Packeting 5.

Slide 18: Denial-of-service attacks
- At this point one attack is complete; pinging 5 now returns an ICMP unreachable reply, and the target host's normal network connectivity has been broken

Slide 19: Denial-of-service attacks
- Because the current version of trinoo does not yet use IP address spoofing, the following records can be seen in the attacked host's system log:
    Mar 20 14:40:34 victim snmpXdmid: Will attempt to re-establish connection.
    Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 1.59841: The message has a wrong header type (0x0)
    Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 2.43661: The message has a wrong header type (0x0)
    Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 3.40183: The message has a wrong header type (0x0)
    Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0x0).
    Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.
    Mar 20 14:40:36 victim snmpXdmid: Will attempt to re-establish connection.
    Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0x0).
    Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.

Slide 20: Defending against denial-of-service attacks
- Ways to detect whether an attack daemon has been implanted on a system:
  - check the UDP ports mentioned above, e.g. run netstat -a | grep udp and look for the port number
  - use dedicated detection software

Slide 21: Denial-of-service attacks and countermeasures
- Below is the output of running the detection software on a suspect device:
    Logging output to: LOG
    Scanning running processes.
    /proc/795/object/a.out: trinoo daemon
    /usr/bin/gcore: core.795 dumped
    /proc/800/object/a.out: trinoo master
    /usr/bin/gcore: core.800 dumped
    Scanning /tmp.
    Scanning /.
    /yiming/tfn2k/td: tfn2k daemon
    /yiming/tfn2k/tfn: tfn2k client
    /yiming/trinoo/daemon/ns: trinoo daemon
    /yiming/trinoo/master/master: trinoo master
    /yiming/trinoo/master/.: possible IP list file
    NOTE: This message is based on the filename being suspicious, and is not based on an analysis of the file contents. It is up to you to examine the file and decide whether it is actually an IP list file related to a DDOS tool.
    /yiming/stacheldrahtV4/leaf/td: stacheldraht daemon
    /yiming/stacheldrahtV4/telnetc/client: stacheldraht client
    /yiming/stacheldrahtV4/td: stacheldraht daemon
    /yiming/stacheldrahtV4/client: stacheldraht client
    /yiming/stacheldrahtV4/mserv: stacheldraht master
    ALERT: One or more DDOS tools were found on your system. Please examine LOG and take appropriate action.

Slide 22: Defending against denial-of-service attacks
- Block unnecessary UDP services such as echo and chargen to reduce the entry points for UDP attacks

Slide 23: Defending against denial-of-service attacks
- Have the router block part of the IP spoofing and SYN attacks:
  - on the ports connected to the backbone network, use CEF and ip verify unicast reverse-path
  - use access control lists to block the reserved network addresses that could be used
  - use CAR to limit ICMP packet size

Slide 24: Specific Attack Types
All of the following can be used to compromise your system:
- Packet sniffers
- IP weaknesses
- Password attacks
- DoS or DDoS
- Man-in-the-middle attacks
- Application layer attacks
- Trust exploitation
- Port redirection
- Viruses and worms
- Trojan horses
- Operator error

Slide 25: IP Spoofing
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing:
- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.
Uses for IP spoofing include the following:
- IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
- A hacker changes the routing tables to point to the spoofed IP address; the hacker can then receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

Slide 26: IP Spoofing Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
- Access control: the most common method for preventing IP spoofing is to properly configure access control.
- RFC 2827 filtering: you can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organization's own IP range.
- Additional authentication that does not use IP-based authentication. Examples of this include the following:
  - Cryptographic (recommended)
  - Strong, two-factor, one-time passwords

Slide 27: Application Layer Attacks
Application layer attacks have the following characteristics:
- They exploit well-known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP).
- They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall).
- They can never be completely eliminated, because new vulnerabilities are always being discovered.

Slide 28: Application Layer Attacks Mitigation
Some measures you can take to reduce your risks are as follows:
- Read operating system and network log files, or have them analyzed by log analysis applications.
- Subscribe to mailing lists that publicize vulnerabilities.
- Keep your operating system and applications current with the latest patches.
- IDSs can scan for known attacks, monitor and log attacks, and in some cases prevent attacks.

Slide 29: Network Reconnaissance
Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.

Slide 30: Network Reconnaissance Mitigation
Network reconnaissance cannot be prevented entirely. IDSs at the network and host levels can usually notify an administrator when a reconnaissance-gathering attack (for example, ping sweeps and port scans) is under way.

Slide 31: Viruses and Trojan Horses
Viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user's workstation. End-user workstations are the primary targets. A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.

Slide 32: DOS/DDOS
- DOS: denial-of-service attack
- DDOS: distributed denial-of-service attack
- Both exploit flaws in TCP/IP

Slide 33: Common DOS tools
- Bonk: sends large numbers of forged UDP packets, causing the system to reboot
- TearDrop: sends overlapping IP fragments, crashing the system's TCP/IP stack
- SynFlood: sends large numbers of SYN-based TCP requests with forged source IPs, causing the system to reboot
- Bloop: sends large numbers of ICMP packets, making the system slow or even freezing it
- Jolt: sends large numbers of forged ICMP and UDP packets, making the system very slow or even rebooting it

Slide 34: How SynFlood works (figure)
- Figure labels: SYN with a forged source address; the TCP connection cannot be established, causing TCP to wait until it times out; ACK; large numbers of forged packets are sent to the server side

Slide 35: DDOS attack
- The hacker takes control of many servers, and each of those servers then concentrates a DOS attack on a single server

Slide 36: DDOS attack diagram (figure only)

Slide 37: Distributed denial-of-service attack (figure only)

Slide 38: Distributed denial-of-service attack, step 1 (figure)
- Figure labels: Scanning Program; insecure computers; Hacker; Internet
- The attacker uses a scanning tool to probe and scan a large number of hosts, looking for potential intrusion targets.

Slide 39: Distributed denial-of-service attack, step 2 (figure)
- Figure labels: Hacker; controlled computers (agents)
- The hacker finds a way to break into hosts that have security vulnerabilities and gains control of them. These hosts will be used to place backdoors, ...
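The filtering measures on slides 7, 8, 23 and 26 (discard outside packets that claim an internal source, disable source routing, block reserved addresses with ACLs, unicast reverse-path checks, and RFC 2827 egress filtering) can all be expressed as one decision function. The following is an added example written for this edition, not code from the original deck; the organisation prefix 192.0.2.0/24, the routing table, the interface names and the sample packets are all constructed assumptions using RFC 5737 documentation addresses.

```python
import ipaddress

# Constructed assumption for this example: the organisation owns 192.0.2.0/24
# (an RFC 5737 documentation prefix, not a real network).
ORG_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Reserved and private ranges that must never be the source of a packet arriving
# from the Internet (the deck's "reserved network addresses that could be used").
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed routing table: (prefix, outgoing interface). eth0 faces the inside,
# eth1 faces the backbone.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth0"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),
]

# IP option type codes for loose (131) and strict (137) source routing, RFC 791.
SOURCE_ROUTE_OPTIONS = {131, 137}


def _in_any(ip, prefixes):
    return any(ip in p for p in prefixes)


def urpf_strict_ok(src_ip, arrival_iface, routes=ROUTES):
    """Strict unicast reverse-path check: the best (longest-prefix) route back to
    the source must leave through the interface the packet arrived on."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == arrival_iface


def ingress_verdict(src_ip, arrival_iface="eth1"):
    """Packet arriving on arrival_iface from outside the trusted range."""
    ip = ipaddress.ip_address(src_ip)
    if _in_any(ip, ORG_PREFIXES):
        return "drop: external packet claims an internal source address"
    if _in_any(ip, BOGON_PREFIXES):
        return "drop: reserved/private source address"
    if not urpf_strict_ok(src_ip, arrival_iface):
        return "drop: failed unicast reverse-path check"
    return "permit"


def egress_verdict(src_ip):
    """Packet leaving towards the backbone: RFC 2827 egress filtering."""
    ip = ipaddress.ip_address(src_ip)
    if _in_any(ip, ORG_PREFIXES):
        return "permit"
    return "drop: source address outside the organisation's range (RFC 2827)"


def filter_packet(direction, src_ip, arrival_iface="eth1", ip_options=()):
    """Combined decision for one packet; direction is 'in' or 'out'."""
    if SOURCE_ROUTE_OPTIONS & set(ip_options):
        return "drop: source-routed packet"
    if direction == "in":
        return ingress_verdict(src_ip, arrival_iface)
    return egress_verdict(src_ip)


if __name__ == "__main__":
    # Constructed packets: (direction, source address, arrival interface, IP options)
    samples = [
        ("in", "192.0.2.5", "eth1", ()),        # spoofed internal source from outside
        ("in", "10.1.2.3", "eth1", ()),         # private address from the backbone
        ("in", "203.0.113.9", "eth1", ()),      # ordinary Internet host
        ("in", "203.0.113.9", "eth1", (131,)),  # loose source-route option set
        ("out", "192.0.2.5", "eth0", ()),       # our own host talking out
        ("out", "198.51.100.4", "eth0", ()),    # internal host spoofing someone else
    ]
    for direction, src, iface, opts in samples:
        print(f"{direction:3} {src:15} -> {filter_packet(direction, src, iface, opts)}")
```

The ingress and egress checks are deliberately separate: the egress rule is what makes your own network a poor launch point for spoofed floods (slide 26), while the ingress rules protect your hosts from packets that pretend to come from inside (slide 8). The reverse-path check catches the general case of a source that could not legitimately have arrived on that interface, which is what ip verify unicast reverse-path does on the router.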
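Slide 9 lists three host-side SYN flood measures (reset timed-out SYN requests, shorten the timeout constant, lengthen the waiting queue) and slide 34 sketches why the flood works: forged-source SYNs sit in the half-open queue until TCP times out. The following added model, written for this edition and not part of the original deck, shows how queue size and timeout together decide whether a legitimate client gets through; the flood size, the timing of the legitimate clients and the addresses are constructed assumptions.

```python
from collections import OrderedDict


class HalfOpenTable:
    """Model of a listener's half-open (SYN_RCVD) queue.

    capacity:  maximum pending connections (the deck's "waiting queue")
    timeout_s: how long an unanswered SYN-ACK is kept before it is reset
    """

    def __init__(self, capacity, timeout_s):
        self.capacity = capacity
        self.timeout_s = timeout_s
        self.pending = OrderedDict()   # (src_ip, src_port) -> time the SYN arrived
        self.dropped_syns = 0
        self.established = 0
        self.resets = 0

    def expire(self, now):
        """Force-reset entries whose timer has run out (slide 9, second measure)."""
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.timeout_s:
                del self.pending[key]
                self.resets += 1

    def syn(self, src, now):
        """A SYN arrives; return True if a queue slot was found for it."""
        self.expire(now)
        if src in self.pending:
            return True                      # retransmitted SYN, slot already held
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1           # queue full: the SYN is lost
            return False
        self.pending[src] = now
        return True

    def ack(self, src, now):
        """The final ACK of the handshake arrives; the entry leaves the queue."""
        self.expire(now)
        if src in self.pending:
            del self.pending[src]
            self.established += 1
            return True
        return False


def simulate(capacity, timeout_s, flood_size=100):
    """Constructed scenario: a burst of flood_size spoofed SYNs at t=0 that are
    never answered, then one legitimate client at t=20 s and another at t=90 s.
    Returns which of the legitimate attempts got through."""
    table = HalfOpenTable(capacity, timeout_s)
    for i in range(flood_size):
        # Constructed spoofed sources (RFC 5737 range); nobody will ACK for them.
        table.syn(("198.51.100.%d" % (i % 250), 40000 + i), now=0.0)
    outcome = {}
    for t in (20.0, 90.0):
        client = ("192.0.2.50", 50000 + int(t))
        if table.syn(client, now=t):
            table.ack(client, now=t + 0.1)
            outcome[t] = "established"
        else:
            outcome[t] = "refused"
    return outcome


def sustainable_flood_rate(capacity, timeout_s):
    """Spoofed SYNs per second needed to keep the queue permanently full."""
    return capacity / timeout_s


if __name__ == "__main__":
    for cap, to in ((64, 75), (64, 10), (256, 75)):
        print(f"queue={cap:3} timeout={to:2}s -> {simulate(cap, to)}  "
              f"({sustainable_flood_rate(cap, to):.1f} SYN/s keeps it full)")
```

With a 64-entry queue and a 75 s timeout, a single burst of 100 forged SYNs blocks the client that arrives 20 s later and only the one arriving after the timeout succeeds; shortening the timeout to 10 s or lengthening the queue to 256 lets both through. The last function is the caveat: an attacker only needs capacity / timeout SYNs per second to keep the queue full, so these host settings buy headroom but do not replace the TCP interception in front of the router that slide 9 also lists.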
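Slide 19 makes a point a defender can act on: because this version of trinoo does not spoof, every malformed-PDU error logged by snmpdx carries the real address of a flooding daemon host. The following added example, not part of the original deck, parses such syslog lines and flags sources that repeat within a short window. The deck's addresses are truncated, so the sample log is a constructed reconstruction using RFC 5737 addresses; line format and messages follow the slide.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format shown on slide 19. 192.0.2.x stands in for the
# three daemon hosts and 198.51.100.7 is an unrelated one-off error.
SAMPLE_LOG = """\
Mar 20 14:40:34 victim snmpXdmid: Will attempt to re-establish connection.
Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 192.0.2.11.59841: The message has a wrong header type (0x0)
Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 192.0.2.12.43661: The message has a wrong header type (0x0)
Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 192.0.2.13.40183: The message has a wrong header type (0x0)
Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0x0).
Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.
Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 192.0.2.11.59842: The message has a wrong header type (0x0)
Mar 20 14:40:37 victim snmpdx: error while receiving a pdu from 192.0.2.12.43662: The message has a wrong header type (0x0)
Mar 20 14:40:37 victim snmpdx: error while receiving a pdu from 192.0.2.11.59843: The message has a wrong header type (0x0)
Mar 20 14:40:37 victim snmpdx: error while receiving a pdu from 192.0.2.13.40184: The message has a wrong header type (0x0)
Mar 20 14:41:05 victim snmpdx: error while receiving a pdu from 198.51.100.7.1024: The message has a wrong header type (0x0)
"""

# Classic syslog prefix: "Mon DD HH:MM:SS host daemon: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<daemon>\w+): (?P<msg>.*)$"
)
# snmpdx logs the peer as "ip.port"; the last dotted component is the port.
SRC_RE = re.compile(r"receiving a pdu from (?P<ip>(?:\d{1,3}\.){3}\d{1,3})\.(?P<port>\d+):")


def parse_pdu_errors(log_text, year=2000):
    """Return (timestamp, source ip, source port) for each snmpdx malformed-PDU error.
    snmpXdmid lines carry no peer address and are skipped here."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "wrong header type" not in m.group("msg"):
            continue
        s = SRC_RE.search(m.group("msg"))
        if not s:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, s.group("ip"), int(s.group("port"))))
    return events


def detect_udp_flood(events, window_s=10, per_source_threshold=2):
    """Sliding-window count per source; return {ip: peak count} for sources that
    produced at least per_source_threshold errors inside any window_s seconds."""
    by_src = defaultdict(list)
    for ts, ip, _port in events:
        by_src[ip].append(ts)
    flagged = {}
    for ip, times in by_src.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= per_source_threshold:
            flagged[ip] = peak
    return flagged


def collateral_errors(log_text):
    """Count snmpXdmid lines: damage to the legitimate SNMP agent chain, no source."""
    return sum(1 for line in log_text.splitlines()
               if (m := LINE_RE.match(line)) and m.group("daemon") == "snmpXdmid")


def summarize(log_text):
    flagged = detect_udp_flood(parse_pdu_errors(log_text))
    return {
        "flood_sources": sorted(flagged),
        "distributed": len(flagged) >= 2,      # several daemon hosts = DDoS, not DoS
        "collateral_errors": collateral_errors(log_text),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

The single error from 198.51.100.7 is not flagged, which is the point of the window: one malformed packet is noise, a steady stream from the same host is a daemon. The flagged addresses are the hosts to clean (slides 20 and 21), not the attacker's own machine, since the master only talks to the daemons.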
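The scanner output on slide 21 mixes three kinds of lines: hits on running processes (/proc/...), hits on files, and a filename-only heuristic the tool itself says needs manual review. The following added example, not part of the original deck, parses that output into structured findings and orders the response: running daemons first, on-disk binaries second, heuristics last. The sample text is a copy of the slide's output; the parsing rules are assumptions about that format, not the scanner's own code.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Copied from slide 21 of the deck (the scanner's own wording).
SCAN_OUTPUT = """\
Logging output to: LOG
Scanning running processes.
/proc/795/object/a.out: trinoo daemon
/usr/bin/gcore: core.795 dumped
/proc/800/object/a.out: trinoo master
/usr/bin/gcore: core.800 dumped
Scanning /tmp.
Scanning /.
/yiming/tfn2k/td: tfn2k daemon
/yiming/tfn2k/tfn: tfn2k client
/yiming/trinoo/daemon/ns: trinoo daemon
/yiming/trinoo/master/master: trinoo master
/yiming/trinoo/master/.: possible IP list file
NOTE: This message is based on the filename being suspicious, and is not based on an analysis of the file contents.
/yiming/stacheldrahtV4/leaf/td: stacheldraht daemon
/yiming/stacheldrahtV4/telnetc/client: stacheldraht client
/yiming/stacheldrahtV4/td: stacheldraht daemon
/yiming/stacheldrahtV4/client: stacheldraht client
/yiming/stacheldrahtV4/mserv: stacheldraht master
ALERT: One or more DDOS tools were found on your system. Please examine LOG and take appropriate action.
"""

FINDING_RE = re.compile(r"^(?P<path>/\S+): (?P<desc>.+)$")   # "path: description"
PROC_RE = re.compile(r"^/proc/(?P<pid>\d+)/")                 # hit inside a live process
TOOL_RE = re.compile(r"^(?P<tool>\w+) (?P<role>daemon|master|client)$")


@dataclass
class Finding:
    path: str
    tool: str
    role: str
    running: bool
    pid: Optional[int]
    confidence: str        # "content" (signature match) or "filename-heuristic"


def parse_scan(text: str) -> List[Finding]:
    findings = []
    for line in text.splitlines():
        m = FINDING_RE.match(line)
        if not m:
            continue                       # banners, "Scanning ...", NOTE/ALERT lines
        path, desc = m.group("path"), m.group("desc")
        if path == "/usr/bin/gcore":
            continue                       # core-dump bookkeeping, not a finding
        proc = PROC_RE.match(path)
        tool_m = TOOL_RE.match(desc)
        if tool_m:
            findings.append(Finding(path, tool_m.group("tool"), tool_m.group("role"),
                                    proc is not None,
                                    int(proc.group("pid")) if proc else None,
                                    "content"))
        elif desc.startswith("possible IP list file"):
            findings.append(Finding(path, "unknown", "ip-list", False, None,
                                    "filename-heuristic"))
    return findings


def triage(findings: List[Finding]) -> dict:
    """Response order: kill and preserve running processes, then remove binaries,
    then review heuristic hits by hand as the scanner's NOTE asks."""
    running = sorted((f for f in findings if f.running), key=lambda f: f.pid)
    on_disk = [f for f in findings if not f.running and f.confidence == "content"]
    heuristic = [f for f in findings if f.confidence == "filename-heuristic"]
    return {
        "running_pids": [f.pid for f in running],
        "tools": sorted({f.tool for f in findings if f.tool != "unknown"}),
        "roles": sorted({f.role for f in findings if f.confidence == "content"}),
        "on_disk": len(on_disk),
        "needs_manual_review": [f.path for f in heuristic],
    }


if __name__ == "__main__":
    print(triage(parse_scan(SCAN_OUTPUT)))
```

Two things the summary makes visible that the raw log does not: the same host holds both a daemon and a master (roles daemon, master and client all present), so it is a control point and not just one flooding node, and the core dumps the scanner already took (core.795, core.800) are the evidence to preserve before the processes are stopped.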