流量内容监控_第1页
流量内容监控_第2页
流量内容监控_第3页
流量内容监控_第4页
流量内容监控_第5页
已阅读5页,还剩40页未读 继续免费阅读

下载本文档

版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领

文档简介

网络攻击的检测和预防第七章目录常见网络攻击的检测和预防DoS攻击的防范黑客攻击网络的一般过程信息的收集利用的公开协议或工具TraceRoute程序SNMP协议DNS服务器Whois协议Ping实用程序黑客攻击网络的一般过程系统安全弱点的探测主要探测的方式自编程序慢速扫描体系结构探测利用公开的工具软件黑客攻击网络的一般过程建立模拟环境,进行模拟攻击根据前面两小点所得的信息建立一个类似攻击对象的模拟环境对此模拟目标进行一系列的攻击黑客攻击网络的一般过程具体实施网络攻击根据前几步所获得的信息结合自身的水平及经验总结相应的攻击方法等待时机,以备实施真正的网络攻击协议欺骗攻击及防范源IP地址欺骗攻击在路由器上的解决方法防止源IP地址欺骗行为的措施抛弃基于地址的信任策略使用加密方法进行包过滤协议欺骗攻击及防范源路由欺骗攻击防范源路由欺骗攻击的措施抛弃由外部网进来却声称是内部主机的报文在路由器上关闭源路由协议欺骗攻击及防范拒绝服务攻击防止拒绝服务攻击的措施调整该网段路由器上的配置强制系统对超时的Syn请求连接数据包复位缩短超时常数和加长等候队列在路由器的前端做必要的TCP拦截关掉可能产生无限序列的服务拒绝服务攻击用超出被攻击目标处理能力的海量数据包消耗可用系统,带宽资源,致使网络服务瘫痪的一种攻击手段两种使用较频繁的攻击形式TCP-SYNflood半开式连接攻击UDPflood拒绝服务攻击拒绝服务攻击UDPfloodUdp在网络中的应用如,DNS解析、realaudio实时音乐、网络管理、联网游戏等基于udp的攻击种类如,unix操作系统的echo,chargen.echo服务拒绝服务攻击Trinoo是基于UDPflood的攻击软件Trinoo攻击功能的实现是通过三个模块付诸实施的攻击守护进程NS攻击控制进程MASTER客户端NETCAT,标准TELNET程序等拒绝服务攻击及防范六个trinoo可用命令MtimerDosMdieMpingMdosmsize拒绝服务攻击拒绝服务攻击攻击的实例:

被攻击的目标主机victimIP为:5

ns被植入三台sun的主机里,他们的IP对应关系分别为client1:1

client2:2

client3:3

master所在主机为masterhost:4

首先我们要启动各个进程,在client1,2,3上分别执行ns,启动攻击守护进程,其次,在master所在主机启动master

masterhost#./master

??gOrave(系统示输入密码,输入gOrave后master成功启动)

trinoov1.07d2+f3+c[Mar202000:14:38:49](连接成功)拒绝服务攻击在任意一台与网络连通的可使用telnet的设备上,执行

telnet427665

Escapecharacteris'^]'.

betaalmostdone(输入密码)

trinoov1.07d2+f3+c..[rpm8d/cb4Sx/]

trinoo>(进入提示符)

trinoo>mping(我们首先来监测一下各个攻击守护进程是否成功启动)

mping:SendingaPINGtoeveryBcasts.

trinoo>PONG1Receivedfrom1

PONG2Receivedfrom2

PONG3Receivedfrom3(成功响应)

trinoo>mtimer60(设定攻击时间为60秒)

mtimer:Settingtimeronbcastto60.

trinoo>dos5

DoS:Packeting5......拒绝服务攻击至此一次攻击结束,此时,会得到icmp不可到达反馈,目标主机此时与网络的正常连接已被破坏拒绝服务攻击由于目前版本的trinoo尚未采用IP地址欺骗,因此在被攻击的主机系统日志里我们可以看到如下纪录

Mar2014:40:34victimsnmpXdmid:Willattempttore-establishconnection.

Mar2014:40:35victimsnmpdx:errorwhilereceivingapdufrom1.59841:Themessagehasawrongheadertype(0x0)

Mar2014:40:35victimsnmpdx:errorwhilereceivingapdufrom2.43661:Themessagehasawrongheadertype(0x0)

Mar2014:40:36victimsnmpdx:errorwhilereceivingapdufrom3.40183:Themessagehasawrongheadertype(0x0)

Mar2014:40:36victimsnmpXdmid:ErrorreceivingPDUThemessagehasawrongheadertype(0x0).

Mar2014:40:36victimsnmpXdmid:Errorreceivingpacketfromagent;rc=-1.

Mar2014:40:36victimsnmpXdmid:Willattempttore-establishconnection.

Mar2014:40:36victimsnmpXdmid:ErrorreceivingPDUThemessagehasawrongheadertype(0x0).

Mar2014:40:36victimsnmpXdmid:Errorreceivingpacketfromagent;rc=-1.拒绝服务攻击防范检测系统是否被植入了攻击守护程序办法检测上述提到的udp端口如netstat-a|grepudp端口号用专门的检测软件拒绝服务攻击及防范下面为在一台可疑设备运行结果,

Loggingoutputto:LOG

Scanningrunningprocesses...

/proc/795/object/a.out:trinoodaemon

/usr/bin/gcore:core.795dumped

/proc/800/object/a.out:trinoomaster

/usr/bin/gcore:core.800dumped

Scanning"/tmp"...

Scanning"/"...

/yiming/tfn2k/td:tfn2kdaemon

/yiming/tfn2k/tfn:tfn2kclient

/yiming/trinoo/daemon/ns:trinoodaemon

/yiming/trinoo/master/master:trinoomaster

/yiming/trinoo/master/...:possibleIPlistfile

NOTE:Thismessageisbasedonthefilenamebeingsuspicious,andisnot

basedonananalysisofthefilecontents.Itisuptoyoutoexaminethe

fileanddecidewhetheritisactuallyanIPlistfilerelatedtoaDDOS

tool.

/yiming/stacheldrahtV4/leaf/td:stacheldrahtdaemon

/yiming/stacheldrahtV4/telnetc/client:stacheldrahtclient

/yiming/stacheldrahtV4/td:stacheldrahtdaemon

/yiming/stacheldrahtV4/client:stacheldrahtclient

/yiming/stacheldrahtV4/mserv:stacheldrahtmaster

ALERT:OneormoreDDOStoolswerefoundonyoursystem.

PleaseexamineLOGandtakeappropriateaction.拒绝服务攻击防范封掉不必要的UDP服务如echo,chargen,减少udp攻击的入口拒绝服务攻击防范路由器阻挡一部分ipspoof,syn攻击通过连接骨干网络的端口采用CEF和ipverifyunicastreverse-path使用accesscontrollists将可能被使用的网络保留地址封掉使用CAR技术限制ICMP报文大小SpecificAttackTypesAllofthefollowingcanbeusedtocompromiseyoursystem:PacketsniffersIPweaknessesPasswordattacksDoSorDDoSMan-in-the-middleattacksApplicationlayerattacksTrustexploitationPortredirectionVirusandwormsTrojanhorseOperatorerrorIPSpoofingIPspoofingoccurswhenahackerinsideoroutsideanetworkimpersonatestheconversationsofatrustedcomputer.TwogeneraltechniquesareusedduringIPspoofing:AhackerusesanIPaddressthatiswithintherangeoftrustedIPaddresses.AhackerusesanauthorizedexternalIPaddressthatistrusted.UsesforIPspoofingincludethefollowing:IPspoofingisusuallylimitedtotheinjectionofmaliciousdataorcommandsintoanexistingstreamofdata.AhackerchangestheroutingtablestopointtothespoofedIPaddress,thenthehackercanreceiveallthenetworkpacketsthatareaddressedtothespoofedaddressandreplyjustasanytrustedusercan.IPSpoofingMitigationThethreatofIPspoofingcanbereduced,butnoteliminated,throughthefollowingmeasures:Accesscontrol—ThemostcommonmethodforpreventingIPspoofingistoproperlyconfigureaccesscontrol.RFC2827filtering—Youcanpreventusersofyournetworkfromspoofingothernetworks(andbeagoodInternetcitizenatthesametime)bypreventinganyoutboundtrafficonyournetworkthatdoesnothaveasourceaddressinyourorganization'sownIPrange.AdditionalauthenticationthatdoesnotuseIP-basedauthentication—Examplesofthisincludethefollowing:Cryptographic(recommended)Strong,two-factor,one-timepasswordsApplicationLayerAttacksApplicationlayerattackshavethefollowingcharacteristics:Exploitwellknownweaknesses,suchasprotocols,thatareintrinsictoanapplicationorsystem(forexample,sendmail,HTTP,andFTP)Oftenuseportsthatareallowedthroughafirewall(forexample,TCPport80usedinanattackagainstawebserverbehindafirewall)Canneverbecompletelyeliminated,becausenewvulnerabilitiesarealwaysbeingdiscoveredApplicationLayerAttacksMitigationSomemeasuresyoucantaketoreduceyourrisksareasfollows:Readoperatingsystemandnetworklogfiles,orhavethemanalyzedbyloganalysisapplications.Subscribetomailingliststhatpublicizevulnerabilities.Keepyouroperatingsystemandapplicationscurrentwiththelatestpatches.IDSscanscanforknownattacks,monitorandlogattacks,andinsomecases,preventattacks.NetworkReconnaissanceNetworkreconnaissancereferstotheoverallactoflearninginformationaboutatargetnetworkbyusingpubliclyavailableinformationandapplications.NetworkReconnaissanceMitigationNetworkreconnaissancecannotbepreventedentirely.IDSsatthenetworkandhostlevelscanusuallynotifyanadministratorwhenareconnaissancegatheringattack(forexample,pingsweepsandportscans)isunderway.VirusandTrojanHorsesVirusesrefertomalicioussoftwarethatareattachedtoanotherprogramtoexecuteaparticularunwantedfunctiononauser’sworkstation.End-userworkstationsaretheprimarytargets.ATrojanhorseisdifferentonlyinthattheentireapplicationwaswrittentolooklikesomethingelse,wheninfactitisanattacktool.ATrojanhorseismitigatedbyantivirussoftwareattheuserlevelandpossiblythenetworklevel.DOS/DDOSDOS拒绝服务攻击DDOS分布式拒绝服务攻击利用TCP/IP缺陷常见DOS工具Bonk通过发送大量伪造的UDP数据包导致系统重启动TearDrop通过发送重叠的IP碎片导致系统的TCP/IP栈崩溃SynFlood通过发送大量伪造源IP的基于SYN的TCP请求导致系统重启动Bloop

通过发送大量的ICMP数据包导致系统变慢甚至凝固Jolt

通过大量伪造的ICMP和UDP导致系统变的非常慢甚至重新启动SynFlood原理Syn伪造源地址()(TCP连接无法建立,造成TCP等待超时)Ack

大量的伪造数据包发向服务器端DDOS攻击黑客控制了多台服务器,然后每一台服务器都集中向一台服务器进行DOS攻击D

温馨提示

  • 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
  • 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
  • 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
  • 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
  • 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
  • 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
  • 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

评论

0/150

提交评论