s07-流量内容监控-attack.ppt

网络攻击的检测和预防 第七章 目录 常见网络攻击的检测和预防DoS攻击的防范 黑客攻击网络的一般过程 信息的收集利用的公开协议或工具TraceRoute程序SNMP协议DNS服务器Whois协议Ping实用程序 黑客攻击网络的一般过程 系统安全弱点的探测主要探测的方式自编程序慢速扫描体系结构探测利用公开的工具软件 黑客攻击网络的一般过程 建立模拟环境 进行模拟攻击根据前面两小点所得的信息建立一个类似攻击对象的模拟环境对此模拟目标进行一系列的攻击 黑客攻击网络的一般过程 具体实施网络攻击根据前几步所获得的信息结合自身的水平及经验总结相应的攻击方法等待时机 以备实施真正的网络攻击 协议欺骗攻击及防范 源IP地址欺骗攻击在路由器上的解决方法防止源IP地址欺骗行为的措施抛弃基于地址的信任策略使用加密方法进行包过滤 协议欺骗攻击及防范 源路由欺骗攻击防范源路由欺骗攻击的措施抛弃由外部网进来却声称是内部主机的报文在路由器上关闭源路由 协议欺骗攻击及防范 拒绝服务攻击防止拒绝服务攻击的措施调整该网段路由器上的配置强制系统对超时的Syn请求连接数据包复位缩短超时常数和加长等候队列在路由器的前端做必要的TCP拦截关掉可能产生无限序列的服务 拒绝服务攻击 用超出被攻击目标处理能力的海量数据包消耗可用系统 带宽资源 致使网络服务瘫痪的一种攻击手段两种使用较频繁的攻击形式TCP SYNflood半开式连接攻击UDPflood 拒绝服务攻击 拒绝服务攻击 UDPfloodUdp在网络中的应用如 DNS解析 realaudio实时音乐 网络管理 联网游戏等基于udp的攻击种类如 unix操作系统的echo chargen echo服务 拒绝服务攻击 Trinoo是基于UDPflood的攻击软件Trinoo攻击功能的实现是通过三个模块付诸实施的攻击守护进程NS攻击控制进程MASTER客户端NETCAT 标准TELNET程序等 拒绝服务攻击及防范 六个trinoo可用命令MtimerDosMdieMpingMdosmsize 拒绝服务攻击 拒绝服务攻击 攻击的实例 被攻击的目标主机victimIP为 12 23 34 45ns被植入三台sun的主机里 他们的IP对应关系分别为client1 11 11 11 11client2 22 22 22 22client3 33 33 33 33master所在主机为masterhost 11 22 33 44首先我们要启动各个进程 在client1 2 3上分别执行ns 启动攻击守护进程 其次 在master所在主机启动mastermasterhost master gOrave 系统示输入密码 输入gOrave后master成功启动 trinoov1 07d2 f3 c Mar202000 14 38 49 连接成功 拒绝服务攻击 在任意一台与网络连通的可使用telnet的设备上 执行telnet11 22 33 4427665Escapecharacteris betaalmostdone 输入密码 trinoov1 07d2 f3 c rpm8d cb4Sx trinoo 进入提示符 trinoo mping 我们首先来监测一下各个攻击守护进程是否成功启动 mping SendingaPINGtoeveryBcasts trinoo PONG1Receivedfrom11 11 11 11PONG2Receivedfrom22 22 22 22PONG3Receivedfrom33 33 33 33 成功响应 trinoo mtimer60 设定攻击时间为60秒 mtimer Settingtimeronbcastto60 trinoo dos12 23 34 45DoS Packeting12 23 34 45 拒绝服务攻击 至此一次攻击结束 此时ping12 23 34 45 会得到icmp不可到达反馈 目标主机此时与网络的正常连接已被破坏 拒绝服务攻击 由于目前版本的trinoo尚未采用IP地址欺骗 因此在被攻击的主机系统日志里我们可以看到如下纪录Mar2014 40 34victimsnmpXdmid Willattempttore establishconnection Mar2014 40 35victimsnmpdx errorwhilereceivingapdufrom11 11 11 11 59841 Themessagehasawrongheadertype 0 x0 Mar2014 40 35victimsnmpdx errorwhilereceivingapdufrom22 22 22 22 43661 Themessagehasawrongheadertype 0 x0 Mar2014 40 36victimsnmpdx errorwhilereceivingapdufrom33 33 33 33 40183 Themessagehasawrongheadertype 0 x0 Mar2014 40 36victimsnmpXdmid ErrorreceivingPDUThemessagehasawrongheadertype 0 x0 Mar2014 40 36victimsnmpXdmid Errorreceivingpacketfromagent rc 1 Mar2014 40 36victimsnmpXdmid Willattempttore establishconnection Mar2014 40 36victimsnmpXdmid ErrorreceivingPDUThemessagehasawrongheadertype 0 x0 Mar2014 40 36victimsnmpXdmid Errorreceivingpacketfromagent rc 1 拒绝服务攻击防范 检测系统是否被植入了攻击守护程序办法检测上述提到的udp端口如netstat a grepudp端口号用专门的检测软件 拒绝服务攻击及防范 下面为在一台可疑设备运行结果 Loggingoutputto LOGScanningrunningprocesses proc 795 object a out trinoodaemon usr bin gcore core 795dumped proc 800 object a out trinoomaster usr bin gcore core 800dumpedScanning tmp Scanning yiming tfn2k td tfn2kdaemon yiming tfn2k tfn tfn2kclient yiming trinoo daemon ns trinoodaemon yiming trinoo master master trinoomaster yiming trinoo master possibleIPlistfileNOTE Thismessageisbasedonthefilenamebeingsuspicious andisnotbasedonananalysisofthefilecontents ItisuptoyoutoexaminethefileanddecidewhetheritisactuallyanIPlistfilerelatedtoaDDOStool yiming stacheldrahtV4 leaf td stacheldrahtdaemon yiming stacheldrahtV4 telnetc client stacheldrahtclient yiming stacheldrahtV4 td stacheldrahtdaemon yiming stacheldrahtV4 client stacheldrahtclient yiming stacheldrahtV4 mserv stacheldrahtmasterALERT OneormoreDDOStoolswerefoundonyoursystem PleaseexamineLOGandtakeappropriateaction 拒绝服务攻击防范 封掉不必要的UDP服务如echo chargen 减少udp攻击的入口 拒绝服务攻击防范 路由器阻挡一部分ipspoof syn攻击通过连接骨干网络的端口采用CEF和ipverifyunicastreverse path使用accesscontrollists将可能被使用的网络保留地址封掉使用CAR技术限制ICMP报文大小 SpecificAttackTypes Allofthefollowingcanbeusedtocompromiseyoursystem PacketsniffersIPweaknessesPasswordattacksDoSorDDoSMan in the middleattacksApplicationlayerattacksTrustexploitationPortredirectionVirusandwormsTrojanhorseOperatorerror IPSpoofing IPspoofingoccurswhenahackerinsideoroutsideanetworkimpersonatestheconversationsofatrustedcomputer TwogeneraltechniquesareusedduringIPspoofing AhackerusesanIPaddressthatiswithintherangeoftrustedIPaddresses AhackerusesanauthorizedexternalIPaddressthatistrusted UsesforIPspoofingincludethefollowing IPspoofingisusuallylimitedtotheinjectionofmaliciousdataorcommandsintoanexistingstreamofdata AhackerchangestheroutingtablestopointtothespoofedIPaddress thenthehackercanreceiveallthenetworkpacketsthatareaddressedtothespoofedaddressandreplyjustasanytrustedusercan IPSpoofingMitigation ThethreatofIPspoofingcanbereduced butnoteliminated throughthefollowingmeasures Accesscontrol ThemostcommonmethodforpreventingIPspoofingistoproperlyconfigureaccesscontrol RFC2827filtering Youcanpreventusersofyournetworkfromspoofingothernetworks andbeagoodInternetcitizenatthesametime bypreventinganyoutboundtrafficonyournetworkthatdoesnothaveasourceaddressinyourorganization sownIPrange AdditionalauthenticationthatdoesnotuseIP basedauthentication Examplesofthisincludethefollowing Cryptographic recommended Strong two factor one timepasswords ApplicationLayerAttacks Applicationlayerattackshavethefollowingcharacteristics Exploitwellknownweaknesses suchasprotocols thatareintrinsictoanapplicationorsystem forexample sendmail HTTP andFTP Oftenuseportsthatareallowedthroughafirewall forexample TCPport80usedinanattackagainstawebserverbehindafirewall Canneverbecompletelyeliminated becausenewvulnerabilitiesarealwaysbeingdiscovered ApplicationLayerAttacksMitigation Somemeasuresyoucantaketoreduceyourrisksareasfollows Readoperatingsystemandnetworklogfiles orhavethemanalyzedbyloganalysisapplications Subscribetomailingliststhatpublicizevulnerabilities Keepyouroperatingsystemandapplicationscurrentwiththelatestpatches IDSscanscanforknownattacks monitorandlogattacks andinsomecases preventattacks NetworkReconnaissance Networkreconnaissancereferstotheoverallactoflearninginformationaboutatargetnetworkbyusingpubliclyavailableinformationandapplications NetworkReconnaissanceMitigation Networkreconnaissancecannotbepreventedentirely IDSsatthenetworkandhostlevelscanusuallynotifyanadministratorwhenareconnaissancegatheringattack forexample pingsweepsandportscans isunderway VirusandTrojanHorses Virusesrefertomalicioussoftwarethatareattachedtoanotherprogramtoexecuteaparticularunwantedfunctiononauser