Xfocus.com.cn: A Summary of Network Attack Mechanisms and Technology Developments
1. Overview

People keep researching and developing new information security mechanisms and engineering practices, and have put enormous effort into defeating threats to computer network security. It might seem that if attack methods stopped being renewed, the information security war would soon be over. The attack techniques of most underground groups are not new in kind: worms, backdoors, rootkits, DoS, sniffers and the like. Yet these familiar means still show astonishing power, and this year the situation has intensified: the new variants of these attack types are more intelligent and more precisely targeted than those seen last year. From taking control of web applications to kernel-level rootkits, hackers' attack techniques keep being upgraded and keep challenging users' information security. (Note: a rootkit is an attack script, a modified system program, or a set of attack scripts and tools used to gain illegal access on a target system.)

In their long contest with information security experts, hackers have devoted more and more effort to developing concealed network attack technology. At the same time, these tools have become ever simpler to use. What used to be command-line attack tools have been rewritten as kernel-level rootkits with a GUI (graphical interface), and these strange attack weapons arm those keen on "playing with scripts": such point-and-click hacker tools turn "script kiddies" into formidable hackers. Of course, the tool itself does not endanger a system; the people using it do. Information security professionals use the same scanning and monitoring tools as intruders, so that system security is subject to public audit, and the new penetration-testing tools that can illegally control web applications are used by security personnel to test systems for vulnerabilities before malicious users get to them.
However, many tools have only a dark side: worms, for example, are developed and spread purely to do harm, and anti-intrusion-detection tools and many rootkits exist specifically to undermine system security. This article explores the origins of some hacking tools and the capabilities that surprise ordinary people. That matters for users weighing new technologies and traditional measures against these threats: before the attacker strikes, first detect and repair the vulnerabilities in your systems and software.

2. Web Applications: A Favourite Target

The growth of online business makes fragile web applications fertile soil for vulnerabilities. Banks, government agencies and online businesses alike have adopted web technology. These organisations often develop complete sets of web applications (ASP, JSP, CGI and so on), and because their developers have not received professional training, hundreds of vulnerabilities in home-grown software result. Web developers do not realise that any information passed to the browser can be used and manipulated by the user. Whether or not SSL (Secure Sockets Layer) is used, a malicious user can view, modify or insert sensitive information (including prices, session-tracking data and even executable script code). Attackers can endanger the security of e-commerce sites through state manipulation attacks or techniques such as SQL injection.

State manipulation means that the attacker gains illegal access by modifying sensitive information that was transmitted to the browser in the URL. If a developer with lax security awareness stores data in the session ID without protecting the integrity of critical values such as prices and balances, an attacker can modify that data. If, in addition, the web application trusts whatever the browser sends back, the attacker can steal user accounts, change prices or alter account balances.
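As an added illustration (not from the original article) of the integrity protection it goes on to recommend for values such as prices, the following Python signs a field with a keyed HMAC and an issue timestamp, and rejects tampered or stale copies when the browser sends the value back; the server secret and the 15-minute lifetime are assumptions for the demo.

```python
import hashlib
import hmac
import time
from typing import Optional

# Server-side secret; in a real deployment it comes from configuration (assumption).
SERVER_SECRET = b"replace-with-a-random-32-byte-secret"
MAX_AGE_SECONDS = 900  # a signed value is honoured for 15 minutes (assumption)


def sign_value(field: str, value: str, issued_at: int) -> str:
    """Return the token the server embeds beside a sensitive field.

    The browser receives 'field|value|issued_at|mac'. Because the MAC is keyed
    with a server secret, a user who edits the value cannot recompute a valid
    MAC, which they could do with a bare unkeyed hash of the value.
    """
    payload = f"{field}|{value}|{issued_at}".encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return f"{payload.decode()}|{mac}"


def verify_value(token: str, expected_field: str, now: Optional[int] = None) -> Optional[str]:
    """Return the protected value if the token is intact and fresh, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split("|")
    if len(parts) != 4:
        return None
    field, value, issued_at, mac = parts
    if field != expected_field or not issued_at.isdigit():
        return None  # token for a different field, or malformed timestamp
    payload = f"{field}|{value}|{issued_at}".encode()
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the position of the first wrong byte.
    if not hmac.compare_digest(expected, mac):
        return None
    if now - int(issued_at) > MAX_AGE_SECONDS:
        return None  # stale token being replayed: reject
    return value


if __name__ == "__main__":
    issued = 1_700_000_000  # constructed timestamp
    token = sign_value("price", "199.00", issued)
    print(verify_value(token, "price", now=issued + 60))      # 199.00
    tampered = token.replace("199.00", "1.00")                 # edited in the browser
    print(verify_value(tampered, "price", now=issued + 60))   # None
```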
So-called SQL injection is where an attacker inserts database query commands into ordinary user input. Such problems are quite common, and arise because input checks are not strict and the code handles characters such as the comma "," and the semicolon ";" at the wrong layer. In this situation an attacker can query, modify and delete the database, and in particular cases can even execute system commands. The username form on a web page is usually the entry point for such an attack. If the attacker works through a proxy server, the administrator will find it hard to trace the intruder's source. Preventing such attacks means fixing the organisation's own software development process and establishing good programming standards and code-review mechanisms, rather than relying only on diligent patching and installing firewalls. For more information on SQL injection, see: http://www.cnns.net/Article/db/2412.htm

There is now a new class of web application protection product that guards against common application-layer attacks and application-layer leakage of sensitive data across all web connections, for example Sanctum's AppShield, Kavado's InterDo, Ubizen's DMZ/Shield and SPI Dynamics' WebInspect. These tools use a learning mechanism: once configured, they learn the normal access behaviour of the web application, and when an abnormal modification occurs within a user session they stop the illegal modification and report the abnormal behaviour to the administrator. Separately, a volunteer open-source group has set up the Open Web Application Security Project (OWASP), which categorises the vulnerabilities commonly found in web applications and provides detailed guides for building secure web applications and services. OWASP is also developing a Java-based tool, WebScarab, for evaluating web application security.
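An added example, not part of the original article: the query-splicing defect the article describes next to a hardened version that applies the server-side character check and passes the value as a bound parameter instead. The users table is constructed in memory with sqlite3.

```python
import re
import sqlite3

# Characters the article says must not reach the back-end database from user input.
FORBIDDEN = set(",'\"()[]*%_|;")


def validate_username(raw: str) -> str:
    """Server-side check: reject forbidden characters, then allow-list the rest.

    Allow-listing is stricter than only stripping the listed characters; any
    value that does not look like a username is refused outright.
    """
    if any(ch in FORBIDDEN for ch in raw):
        raise ValueError("input contains forbidden characters")
    if not re.fullmatch(r"[A-Za-z0-9.@-]{1,64}", raw):
        raise ValueError("input does not match the expected username format")
    return raw


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The defect the article describes: user input spliced into the query text."""
    query = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then bind the value so the database never parses it as SQL."""
    safe = validate_username(username)
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (safe,)).fetchall()


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the site's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    crafted = "x' OR 'a'='a"                 # quote characters change the query's meaning
    print(lookup_vulnerable(db, crafted))    # every row comes back
    try:
        lookup_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
    print(lookup_hardened(db, "bob"))        # [(2, 'bob')]
```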
If web developers understand the threats their systems face and build defensive mechanisms, system security will reach a high level of protection. Developers should ensure that sensitive data sent to the browser carries an integrity protection mechanism, which can be implemented with an MD5 hash or a timestamped digital signature, and user input must be examined in detail, filtering out the special characters, script languages and commands that could endanger the back-end database, including commas, quotes, brackets, asterisks, percent signs, underscores and pipe characters. These character checks must be implemented on the web server, not in the browser, because an attacker can bypass client-side security mechanisms in various ways. Offending characters can be removed or forcibly replaced to remove their threat to the server.

3. The Ultra-Stealthy Sniffing Backdoor

Backdoors have threatened computer system security for about ten years. Through a backdoor, the attacker can reach system resources while bypassing the normal security mechanisms. Recently such attacks have become more covert and harder to detect. The new kind of attack differs from the traditional backdoor in that it combines sniffer technology with backdoor technology. A traditional backdoor opens a convenient door for the attacker by listening on a TCP or UDP port; experienced system administrators and security staff can discover these newly opened backdoor services through regular checks of port usage. The new backdoor technology does away with a process bound to a port and instead uses sniffer technology: it passively captures the packets sent by the backdoor's operator, matches them against a pattern, and then executes the corresponding instruction. The trigger the backdoor uses can be a specific IP address, a TCP flag, or even a port that is not open (not listening). CD00R and Sadoor are backdoor programs of this type.
A sniffer backdoor can operate in promiscuous mode or in non-promiscuous mode. (Editor's note: promiscuous mode is the working mode used by network sniffers. It changes the NIC's settings: normally the card receives only the packets addressed to itself, but after the mode is changed it receives every packet regardless of its destination.) A non-promiscuous sniffing backdoor listens only to its own host and is a threat only on the victim machine. A backdoor set to promiscuous mode can monitor the traffic of other hosts on the same Ethernet segment, which causes serious trouble for the network security administrator. Consider the following: an attacker plants a sniffing backdoor on a web server in the DMZ (demilitarised zone) and has it monitor the traffic of the mail server on the same segment. The attacker then sends attack commands addressed to the mail server; the mail server is in fact untouched, and the instructions are executed by the web server. The administrator sees the suspicious traffic going to the mail server and is unlikely to realise that the real actor is the web server. This is a typical decoy.

Although looking for open ports is no longer enough against the latest backdoor technology, the traditional measures against backdoors remain very important. Moreover, since most backdoored machines are boundary servers, system files can be checked with integrity-checking tools such as Tripwire and AIDE, which helps discover backdoor programs. To learn what occupies a suspicious port, use lsof (on UNIX) or Inzider (on Windows); nmap can also be used remotely to find ports that are open unexpectedly. If an unknown process occupies a port, especially one running with superuser rights, investigate immediately who started it; if the investigation is inconclusive, close the port or kill the process.
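The port-occupancy and NIC-mode checks this section recommends, as an added Python example that is not from the original article: it parses a constructed /proc/net/tcp snapshot for listeners missing from a per-host baseline (root-owned ones flagged for immediate investigation) and tests the Linux interface flags word for IFF_PROMISC. The baseline ports and all sample values are assumptions.

```python
IFF_PROMISC = 0x100   # Linux interface flag bit (linux/if.h)
TCP_LISTEN = "0A"     # socket state code used in /proc/net/tcp

# Constructed /proc/net/tcp content: sshd on 22, a web server on 80, an
# established web connection, and an unexpected root-owned listener on 31337.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1 0 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 0100007F:0050 0100007F:C2A8 01 00000000:00000000 00:00000000 00000000    33        0 1004 1 0 100 0 0 10 0
"""

# Baseline: ports this host is expected to listen on (assumption, per-host policy).
BASELINE_PORTS = {22: "sshd", 80: "httpd"}


def listening_sockets(proc_net_tcp: str):
    """Yield (port, uid) for every socket in LISTEN state."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 8 or parts[3] != TCP_LISTEN:
            continue
        port = int(parts[1].split(":")[1], 16)      # local port is hex
        yield port, int(parts[7])


def unexpected_listeners(proc_net_tcp: str, baseline=BASELINE_PORTS):
    """Listeners outside the baseline; uid 0 ones get the article's 'investigate now'."""
    findings = []
    for port, uid in listening_sockets(proc_net_tcp):
        if port in baseline:
            continue
        severity = "investigate now (uid 0)" if uid == 0 else "review"
        findings.append((port, uid, severity))
    return findings


def is_promiscuous(flags_text: str) -> bool:
    """flags_text is the content of /sys/class/net/<iface>/flags, e.g. '0x1103'."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


if __name__ == "__main__":
    # On a live host: open('/proc/net/tcp').read() and the per-interface flags file.
    print(unexpected_listeners(SAMPLE_PROC_NET_TCP))          # [(31337, 0, 'investigate now (uid 0)')]
    print(is_promiscuous("0x1003"), is_promiscuous("0x1103"))  # False True
```

A kernel-level rootkit can hide entries from /proc on the compromised host itself, which is why the article pairs these local checks with a remote nmap scan.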
To check whether the NIC has been placed in promiscuous mode, use ifstatus (for Solaris) or PromiscDetect (for Windows). To detect sniffers remotely, PacketFactory's Sentinel tool can be used. Finally, the organisation's security emergency team must keep up with the latest trends in backdoor technology. When communication with a backdoor is discovered, check port occupancy, active processes and the NIC's working mode to determine where the backdoor is.

4. Kernel-Level Rootkits

A rootkit is a widely used tool that lets an attacker retain backdoor access. In the past, rootkits usually replaced normal binary executables in the operating system, such as the login program and ifconfig. In the last two years they have developed rapidly, moving directly into the underlying kernel, and no longer need to modify any individual program. By modifying the operating system kernel, a kernel-based rootkit makes the modified system look exactly like a normal one; it typically has the ability to redirect system calls. So when a user runs commands such as ps, netstat or ifconfig -a, what actually executes is a trojaned version. These tools can also hide processes, files and port usage, so users cannot get a true report of the system's state. The rootkits currently used by attackers come in Linux, Solaris and Windows versions; the Kernel Intrusion System is one of the most powerful kernel-level rootkits. For non-kernel rootkits, the integrity-checking tools mentioned earlier can be used to check whether binary executables have been modified. That method is powerless against kernel-level rootkits; to deal with them, the kernels of critical systems must be hardened. The St. Jude project is a tool that monitors Linux kernel integrity by watching for modifications to the system call table.
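An added example (not the article's, nor Tripwire's or AIDE's, code) of the integrity check the article recommends against user-level rootkits: it fingerprints the binaries the article names, then detects a replaced ps, a removed ifconfig and a newly appeared login in a constructed temporary tree. The watched paths and file contents are assumptions for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Binaries the article says user-level rootkits replace (assumption: paths are
# relative to a root directory so the demo can run against a constructed tree).
WATCHED = ["bin/ps", "bin/netstat", "sbin/ifconfig", "bin/login"]


def fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a trojaned replacement usually disturbs."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"sha256": digest, "size": st.st_size, "mode": st.st_mode & 0o7777}


def take_baseline(root: Path, watched=WATCHED) -> dict:
    """Record fingerprints on a known-clean system."""
    return {rel: fingerprint(root / rel) for rel in watched if (root / rel).exists()}


def verify(root: Path, baseline: dict, watched=WATCHED) -> dict:
    """Compare the tree against the baseline; returns changed/missing/new lists."""
    report = {"changed": [], "missing": [], "new": []}
    for rel in watched:
        path = root / rel
        if rel in baseline and not path.exists():
            report["missing"].append(rel)
        elif rel in baseline and fingerprint(path) != baseline[rel]:
            report["changed"].append(rel)
        elif rel not in baseline and path.exists():
            report["new"].append(rel)
    return report


def build_demo_tree(root: Path) -> None:
    """Constructed stand-ins for ps, netstat and ifconfig."""
    for rel in WATCHED[:3]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"#!/bin/sh\necho original " + rel.encode())
        os.chmod(root / rel, 0o755)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_tree(root)
        baseline = take_baseline(root)
        (root / "bin/ps").write_bytes(b"#!/bin/sh\nhide attacker processes")  # trojaned ps
        (root / "sbin/ifconfig").unlink()                                      # removed
        (root / "bin/login").write_bytes(b"new")                               # absent at baseline
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())   # {'changed': ['bin/ps'], 'missing': ['sbin/ifconfig'], 'new': ['bin/login']}
```

The baseline must be stored off the host (read-only media) and the check run from a trusted kernel, since a kernel-level rootkit can lie about file contents, which is the limitation the article points out.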
You can also configure the system with a hardened kernel, building one that does not support LKMs (Loadable Kernel Modules). Such a system is also more efficient, because memory management is simpler. Another approach is to reinforce the kernel: the Pitbull tools from Argus Systems Group protect the Solaris kernel by restricting users' access to system programs and the kernel, and systems such as SELinux and Trusted Solaris provide additional kernel protection features. Kernel protection mechanisms must not be overused, however, or system administration becomes complicated and the normal operation of other programs may be affected.

5. Pulsing Zombies and Other DDoS Tricks

DDoS lets an attacker command a large force to strike the enemy. The DDoS control tool TFN2K has been described before and is nothing new: after hijacking thousands of computers and implanting DoS agents in them, the attacker is almost invincible. On the attacker's command these DoS agents send huge numbers of packets to a host, flooding and paralysing it. In the past, ISPs could still trace some DDoS attacks by quickly tracking the packets back upstream and finding an active attack source. Last year an attack called the "pulsing zombie" made it hard for network operators to trace the source: the attacker makes several DDoS agents send flood packets in alternation, like electrical pulses, and if the attacker has thousands of such agents, tracing the "zombies" becomes nearly hopeless. There is something even more extreme: early this year an attack called "reflective DDoS" appeared on the Internet. This new method uses the idea of killing with a borrowed knife, so at least two parties are victimised. The principle of reflective DDoS is an ingenious variation of SYN flooding.
It makes full use of the "advantage" of the TCP three-way handshake: a DDoS agent sends a TCP SYN packet with a forged source address to a high-bandwidth server, and when the server receives the packet it replies to that source address with a SYN-ACK. Before sending, the attacker sets the forged source address to the host he wants to attack, so the high-performance, high-bandwidth server becomes the DoS instrument and that host its target. If the attacker uses multiple threads with the same forged source address and keeps sending to several high-bandwidth servers, the target host is attacked by several servers at once and is almost "certain to die". In this way, in the current Internet environment, an attacker can make the web servers of Yahoo or Microsoft DDoS a host of his choosing, and in that case tracing the attacker's source is extremely difficult.

Figure.

To deal with DDoS attacks, commercial anti-DoS products and solutions have appeared. They fall into two categories. One is probe-based tools, such as Asta Networks' Vantage System and Arbor Networks' Peakflow, which let administrators deploy probes at each node of the network, find abnormal flood packets with anomaly-based scanning, and then adjust routers and firewalls in real time to filter them. The other, such as Captus Networks' AppSafe, detects and blocks DoS packets directly at the network boundary. Even with these technologies, network bandwidth is soon consumed even if the system keeps responding; no tool can prevent bandwidth consumption. So if the organisation's online connectivity and traffic are important, it must ask the ISP's emergency team for full cooperation in eliminating the flood packets upstream, and when choosing an ISP, ask how it handles DoS attacks.
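A defender-side view of the reflection described above, as an added example that is not from the original article: from the target's perspective the only evidence is SYN-ACKs it never solicited, so the code matches inbound SYN-ACKs against the host's own outbound SYNs over a constructed packet log and alerts when unsolicited replies arrive from several distinct servers. The address, the packet records and the thresholds are assumptions.

```python
from collections import defaultdict

MY_ADDR = "203.0.113.10"   # the protected host (constructed documentation address)

# Constructed packet log: (direction, src, sport, dst, dport, flags).
# Only the handshake flags matter here: "S" = SYN, "SA" = SYN-ACK.
SAMPLE_PACKETS = [
    ("out", MY_ADDR, 40001, "198.51.100.5", 80, "S"),
    ("in", "198.51.100.5", 80, MY_ADDR, 40001, "SA"),     # reply to a SYN we sent
    ("in", "198.51.100.20", 80, MY_ADDR, 3000, "SA"),     # we never asked this server
    ("in", "198.51.100.21", 443, MY_ADDR, 3001, "SA"),
    ("in", "198.51.100.22", 80, MY_ADDR, 3002, "SA"),
    ("in", "198.51.100.20", 80, MY_ADDR, 3003, "SA"),
    ("in", "198.51.100.23", 25, MY_ADDR, 3004, "SA"),
]


def unsolicited_synacks(packets, my_addr=MY_ADDR):
    """Return {reflector: count} for SYN-ACKs that no outbound SYN of ours explains."""
    pending = set()                 # (peer, peer_port, our_port) of SYNs we sent
    counts = defaultdict(int)
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and src == my_addr and flags == "S":
            pending.add((dst, dport, sport))
        elif direction == "in" and dst == my_addr and flags == "SA":
            key = (src, sport, dport)
            if key in pending:
                pending.discard(key)    # the handshake reply we expected
            else:
                counts[src] += 1        # reflected: someone forged our address
    return dict(counts)


def reflection_alert(packets, min_reflectors=3, min_total=4):
    """Alert when unsolicited SYN-ACKs come from several servers at once.

    Thresholds are demo assumptions; on a real link they would be far higher
    and evaluated per time window.
    """
    counts = unsolicited_synacks(packets)
    total = sum(counts.values())
    alert = len(counts) >= min_reflectors and total >= min_total
    return {"alert": alert, "reflectors": sorted(counts), "unsolicited": total}


if __name__ == "__main__":
    print(reflection_alert(SAMPLE_PACKETS))
    # {'alert': True, 'reflectors': ['198.51.100.20', ..., '198.51.100.23'], 'unsolicited': 5}
```

This identifies the reflecting servers, not the agent that forged the address, so the article's advice to involve the ISP's emergency team upstream still applies.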
6. Scanner Development

Security scanning is an important technology in network security defence. The principle is to simulate a hacker's intrusion in order to test whether a system has security vulnerabilities, checking the target for known vulnerabilities; the target can be any object such as a workstation, server, switch or database application. Based on the scan results, a careful and reliable security analysis report is then provided to the system administrator. Scanners fall into three basic types:

- Port-scanning tools, such as the port scanner nmap, which can not only detect operating system types but also support stealth scans; however, they cannot detect system vulnerabilities.
- Vulnerability-scanning tools, such as the web vulnerability scanner Whisker 2.0, which detects known web-based security vulnerabilities (CGI, ASP and so on); the new version includes built-in SSL support and is easy to use.
- Enterprise-class distributed security assessment systems such as CNNS Scanner, which accept requests submitted directly from a browser and implement multi-user rights management for scans. The final security report helps the system administrator understand the vulnerabilities on the system and how to fix them, and provides local downloads of upgrades or patches.

To guard against threats from malicious users, you must:

§ Harden systems by closing all unnecessary services and installing system patches;
§ Keep track of the latest patches and security announcements; download patches, test them in a lab environment, and only then install them on production hosts;
§ Check the system for vulnerabilities the way a hacker would, scanning it regularly with a port scanner and a vulnerability scanner, at least once a month.

7. Sniffers

Sniffers have become active again in the last two years, and network monitoring (sniffing) has gained important new capabilities.
Traditional sniffer technology passively listens to network traffic for usernames and passwords. The new sniffer technology actively controls the flow of traffic, extending sniffing into a new field. dsniff, written by Dug Song, was the first tool to expand the traditional sniffer beyond a listening tool. dsniff injects crafted packets into the network and redirects traffic to the attacker's machine. In this way dsniff lets the attacker listen to data in a switched environment, and even when the attacker and the target are on different segments the attacker can still collect the data he wants. To sniff in a switched environment, dsniff rewrites the ARP cache on the target machine, changing its IP address -> MAC address mapping so that packets are delivered through the switch to the monitoring host. In addition, the attacker can reach traffic through DNS spoofing, IP/name spoofing and the like. dsniff also includes a "man-in-the-middle" attack kit for SSH and SSL. Clearly, against active sniffing tools like dsniff, simply using switches to block sniffers is not enough. To prevent ARP cache rewriting, the ARP cache entries of all hosts on sensitive networks must be hard-coded, including public web sites, DNS and mail servers, firewalls and DMZ routers. IPsec, VPNs and other encryption techniques should also be used to protect sensitive information. For remote administration, SSH-2 or a newer version is recommended (SSH-1 is at risk of a "man-in-the-middle" attack).

Wireless sniffers are powerful tools that threaten wireless network security. The WEP (Wired Equivalent Privacy) encryption commonly used by Wi-Fi is very fragile. An attacker needs only a laptop with a wireless sniffing tool similar to NetStumbler and a cheap sniffer such as AirSnort or the Java-based Mognet. The attacker can then decrypt traffic using AirSnort's WEP decryption function: after listening to millions of wireless packets, AirSnort can determine the key used to protect user data.
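An added example, not from the original article, of the defence against dsniff-style ARP cache rewriting discussed in the sniffer section: it replays constructed ARP replies, tracks the IP -> MAC table over time, and flags any reply that contradicts the administrator's hard-coded bindings as critical. The addresses and bindings are constructed.

```python
# Constructed ARP reply records: (timestamp, ip, mac) as a sniffer on the
# segment would report them.
SAMPLE_ARP_REPLIES = [
    (1, "10.0.0.1", "00:11:22:33:44:01"),   # gateway
    (2, "10.0.0.5", "00:11:22:33:44:05"),   # mail server
    (3, "10.0.0.1", "00:11:22:33:44:01"),
    (4, "10.0.0.1", "DE:AD:BE:EF:00:01"),   # gateway's MAC suddenly changes
    (5, "10.0.0.5", "00:11:22:33:44:05"),
    (6, "10.0.0.9", "00:11:22:33:44:09"),   # host not seen before
]

# Hard-coded bindings for the hosts the article says must be pinned
# (assumption: maintained by the administrator).
STATIC_BINDINGS = {"10.0.0.1": "00:11:22:33:44:01", "10.0.0.5": "00:11:22:33:44:05"}


def watch_arp(replies, static=STATIC_BINDINGS):
    """Track IP -> MAC; report new stations, changes, and static-binding violations."""
    table = {}
    events = []
    for ts, ip, mac in replies:
        mac = mac.lower()                      # normalise case before comparing
        pinned = static.get(ip, "").lower()
        if pinned and mac != pinned:
            events.append((ts, "critical", f"{ip} claimed by {mac}, pinned to {pinned}"))
        elif ip not in table:
            events.append((ts, "info", f"new station {ip} at {mac}"))
        elif table[ip] != mac:
            events.append((ts, "warning", f"{ip} changed {table[ip]} -> {mac}"))
        table[ip] = mac                        # keep what the wire currently claims
    return table, events


def critical_events(replies, static=STATIC_BINDINGS):
    return [e for e in watch_arp(replies, static)[1] if e[1] == "critical"]


if __name__ == "__main__":
    for event in watch_arp(SAMPLE_ARP_REPLIES)[1]:
        print(event)
```

The pinning itself is done with the operating system's static ARP facility (arp -s on most UNIX systems); the monitor catches replies that try to override it on hosts that were missed.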