Characteristic Analysis of Hacker Attack Behavior and Anti-Attack Technology: Comprehensive Analysis Report


Analyst: Billows 2004/03/12

To protect a network against hackers, one must understand in depth the methods hackers use, the principles behind their attacks, and the way an attack unfolds; only then can protection be targeted and proactive. This report analyzes the characteristics of hacker attack methods in order to study how attack behavior can be detected and defended against.

I. The core problem of anti-attack technology

The core problem of anti-attack technology (intrusion detection technology) is how to capture and inspect all relevant network information. At present two sources are used. The first is capturing all network traffic, with tools such as Sniffer or Vpacket, to obtain packet contents, traffic volumes, network state and network management information; traffic capture is both a step that attackers rely on and a necessary step for countering attacks. The second is analyzing the logs of the operating system and of applications to discover intrusion behavior and latent security weaknesses in the system.

II. The main methods of hacker attack

Hackers attack networks in many ways. In general an attack exploits a system configuration defect, an operating system security vulnerability, or a security weakness of a communication protocol. More than 2,000 kinds of attack have been found so far, and for most hacking methods a corresponding countermeasure exists. They can be divided into the following categories:

1. Denial of service attacks: In general a denial of service attack overloads a key resource of the attacked system (usually a workstation or an important server) so that the target stops providing some or all of its services. Hundreds of denial of service attacks are known. It is the most basic kind of intrusion attack and also one of the hardest to deal with. Typical examples are SYN flood, ping flood, LAND and WinNuke attacks.

2. Unauthorized access attempts: The attacker attempts to read, write or execute a protected resource, including attempts to obtain access to protected data.

3. Pre-attack probing: Before or between unauthorized access attempts, the attacker uses probing to gather information about the target network. Typical examples include SATAN scans, port scans and IP (host) scans.

4. Suspicious activity: Activity outside the "standard" range of network communication, or activity that is simply not wanted on the network, such as IP unknown-protocol and duplicate IP address events.

5. Protocol decoding: Protocol decoding can be applied to any of the undesired activities above. The network or security administrator decodes the traffic and examines the result; the decoded protocol information may reveal the activity of interest, for example FTP user and portmapper proxy events.

6. System agent attacks: These attacks are usually launched against a single host rather than the whole network, and can be monitored with a host-based agent such as the RealSecure system agent.

III. Characteristic analysis of hacker attack behavior and anti-attack technology

The most basic means of intrusion detection is pattern matching. To respond effectively, one must first understand the principles and working mechanism of each intrusion; only by knowing the adversary can the occurrence of an intrusion attack be recognized. Below we analyze several typical intrusion attacks and propose corresponding countermeasures.

1. LAND attack

Attack type: The LAND attack is a denial of service attack.

Attack characteristics: In the packet used for a LAND attack the source address and the destination address are identical (typically the source and destination ports as well). When the operating system receives such a packet, its TCP/IP stack does not know how to handle a connection whose source and destination are the same, or it loops repeatedly sending the packet to itself, consuming large amounts of system resources and possibly crashing or hanging the system.

Detection method: Check whether the source address of a network packet equals its destination address.

Anti-attack method: Configure the firewall or the packet filter on the router to block this attack (generally by discarding such packets), and audit the attack by recording the time of the event and the MAC and IP addresses of the source and target hosts.

2. TCP SYN attack

Attack type: The TCP SYN attack (SYN flood) is a denial of service attack.

Attack characteristics: It exploits the three-way handshake between a TCP client and server. The attacker sends a large number of SYN packets with forged source IP addresses. When the attacked host receives them it must allocate memory to track each half-open connection, sends SYN-ACK packets back to the forged addresses, and waits for ACK packets that never arrive. Eventually the connection backlog is exhausted and legitimate SYN requests can no longer be processed, so normal service cannot be provided.

Detection method: Check whether the number of SYN connection requests received per unit time exceeds the threshold set for the system.

Anti-attack method: When a large number of SYN packets is received, have the firewall block the connection requests or discard the packets, and perform a system audit.

3. Ping of Death attack

Attack type: The Ping of Death attack is a denial of service attack.

Attack characteristics: The attack sends an ICMP echo request whose total length exceeds 65535 bytes, the maximum size of an IP datagram, so it is delivered as a series of fragments. When some operating systems reassemble a packet longer than 65535 bytes, the receive buffer overflows and the system crashes, reboots or suffers a kernel failure, which is the attacker's goal.

Detection method: Check whether the reassembled packet size exceeds 65535 bytes.

Anti-attack method: Apply a current patch so that packets larger than 65535 bytes are discarded on receipt, and perform a system audit.

4. WinNuke attack

Attack type: The WinNuke attack is a denial of service attack.

Attack characteristics: The WinNuke attack is also known as an out-of-band (OOB) data attack. Its characteristic is that the target port is usually 139, 138, 137, 113 or 53 and the URG bit is set to 1, that is, the segment is sent in urgent mode.

Detection method: Check whether the destination port of the packet is 139, 138, 137 etc., and whether the URG bit is set to 1.

Anti-attack method: Configure the firewall or the packet filter on the router to block this attack (discarding the packets), and audit the attack by recording the time of the event and the MAC and IP addresses of the source and target hosts.

5. Teardrop attack

Attack type: The Teardrop attack is a denial of service attack.

Attack characteristics: Teardrop is an attack based on malformed fragmented IP datagrams (typically UDP). It works by sending several forged IP fragments (each fragment carries the identifier of the datagram it belongs to and its offset within that datagram) whose offsets overlap. Some operating systems crash or reboot when they receive fragments with overlapping offsets.

Detection method: Analyze the received fragments and check whether their offsets are inconsistent, that is, whether fragments of the same datagram overlap.

Anti-attack method: Apply system patches, discard the received malformed fragments, and audit the attack.
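The four detection rules above (LAND, Ping of Death, WinNuke, Teardrop) are all per-packet signature checks, with the two fragment-based ones needing a little reassembly state. The following Python module is an added example, not code from the original report: the Packet record, the convention that fragment offsets are given in bytes, and the sample packets are assumptions, constructed here to exercise each rule once.

```python
"""Per-packet signature checks for the LAND, Ping of Death, WinNuke and Teardrop
attacks described above.  Added example, not code from the original report; the
Packet record, the fragment-offset convention and the sample packets are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

IP_MAX_LEN = 65535                  # largest legal IP datagram, header included
IP_HDR_LEN = 20                     # minimal IPv4 header
WINNUKE_PORTS = {139, 138, 137, 113, 53}
TCP_URG = 0x20                      # URG bit in the TCP flags byte


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: int = 0            # TCP flags byte
    frag_id: int = 0          # IP identification field
    frag_offset: int = 0      # fragment offset in bytes (the header field times 8)
    more_frags: bool = False  # IP "more fragments" bit
    payload_len: int = 0      # data bytes carried by this packet


class FragmentTracker:
    """Remembers fragments per (src, dst, id) so reassembly anomalies can be flagged."""

    def __init__(self):
        self.frags = defaultdict(list)  # key -> [(offset, length), ...]

    def add(self, pkt):
        key = (pkt.src, pkt.dst, pkt.frag_id)
        alerts = []
        end = pkt.frag_offset + pkt.payload_len
        # Teardrop: the new fragment overlaps a fragment already received.
        for off, ln in self.frags[key]:
            if pkt.frag_offset < off + ln and off < end:
                alerts.append("TEARDROP")
                break
        # Ping of Death: the reassembled datagram would exceed the IP maximum.
        if pkt.proto == "icmp" and end + IP_HDR_LEN > IP_MAX_LEN:
            alerts.append("PING_OF_DEATH")
        self.frags[key].append((pkt.frag_offset, pkt.payload_len))
        if not pkt.more_frags:          # last fragment seen: forget the datagram
            del self.frags[key]
        return alerts


def classify(pkt, tracker):
    """Return the list of signature names this packet matches (empty if none)."""
    alerts = []
    if pkt.src == pkt.dst:              # LAND: source equals destination
        alerts.append("LAND")
    if pkt.proto == "tcp" and pkt.dport in WINNUKE_PORTS and pkt.flags & TCP_URG:
        alerts.append("WINNUKE")        # urgent (OOB) data to a NetBIOS-type port
    if pkt.more_frags or pkt.frag_offset > 0:
        alerts.extend(tracker.add(pkt))
    return alerts


def analyze(packets):
    """Map packet index -> alerts for every packet that matched a signature."""
    tracker = FragmentTracker()
    hits = {}
    for i, pkt in enumerate(packets):
        alerts = classify(pkt, tracker)
        if alerts:
            hits[i] = alerts
    return hits


# Constructed sample traffic (not a real capture): one benign SYN, then one packet
# or fragment pair per attack, all aimed at the assumed host 192.168.1.10.
SAMPLE_PACKETS = [
    Packet("10.0.0.2", "192.168.1.10", "tcp", sport=40000, dport=80, flags=0x02),
    Packet("192.168.1.10", "192.168.1.10", "tcp", sport=80, dport=80, flags=0x02),
    Packet("10.0.0.9", "192.168.1.10", "tcp", sport=40001, dport=139, flags=0x38),
    Packet("10.0.0.9", "192.168.1.10", "udp", frag_id=242, frag_offset=0,
           more_frags=True, payload_len=36),
    Packet("10.0.0.9", "192.168.1.10", "udp", frag_id=242, frag_offset=24,
           more_frags=False, payload_len=12),
    Packet("10.0.0.9", "192.168.1.10", "icmp", frag_id=7, frag_offset=0,
           more_frags=True, payload_len=1480),
    Packet("10.0.0.9", "192.168.1.10", "icmp", frag_id=7, frag_offset=65120,
           more_frags=False, payload_len=400),
]

if __name__ == "__main__":
    for index, names in analyze(SAMPLE_PACKETS).items():
        print(f"packet {index}: {', '.join(names)}")
```

Two caveats a sensor must handle in practice: the Ping of Death rule fires only on the fragment that pushes the datagram past 65535 bytes, so the tracker must see every fragment of a datagram, and the Teardrop rule is evaluated against the raw fragments, before the host's own reassembly logic has a chance to mishandle them.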

6. TCP/UDP port scan

Attack type: A TCP/UDP port scan is a pre-attack probe.

Attack characteristics: Connection requests are sent to different TCP or UDP ports of the attacked host to discover which services the target is running.

Detection method: Keep statistics on external connection requests to system ports, especially ports other than those of the expected services such as 21, 23, 25, 53, 80 and 8080.

Anti-attack method: When multiple TCP/UDP packets to unusual ports are received, have the firewall block the connection requests and audit the attacker's IP and MAC addresses.
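Unlike the signature checks, the SYN flood rule in III.2 and the port scan rule above are statistical: they count events per source or per target within a unit of time. The following Python module is an added example, not code from the original report, covering both passages: the one-line record format, the thresholds, the window size and the sample records are all assumptions.

```python
"""Rate-based checks for the TCP SYN flood (III.2) and the TCP/UDP port scan (III.6)
described above, run over constructed connection-request records.  Added example,
not code from the original report; the record format, the thresholds and the
window size are assumptions."""
import re
from collections import defaultdict

WINDOW = 1.0            # seconds per counting bucket (assumed)
SYN_THRESHOLD = 100     # bare SYNs per target per window before alerting (assumed)
SCAN_THRESHOLD = 10     # distinct unusual ports per source per window (assumed)
NORMAL_PORTS = {21, 23, 25, 53, 80, 8080}   # the report's list of expected service ports

# One record per connection request: "<ts> <proto> <src>:<sport> -> <dst>:<dport> [flags]"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?) (?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+)"
    r" -> (?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<flags>[A-Z]+))?$"
)


def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"ts": float(d["ts"]), "proto": d["proto"], "src": d["src"],
            "dst": d["dst"], "dport": int(d["dport"]), "flags": d["flags"] or ""}


def detect(lines, window=WINDOW, syn_threshold=SYN_THRESHOLD, scan_threshold=SCAN_THRESHOLD):
    """Return (kind, address, bucket) alerts, at most once per kind, address and bucket."""
    syn_count = defaultdict(int)    # (bucket, dst) -> bare SYNs received
    scan_ports = defaultdict(set)   # (bucket, src) -> unusual destination ports touched
    fired = set()
    alerts = []
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        bucket = int(r["ts"] // window)
        # SYN flood: many half-open connection requests to one target per unit time.
        if r["proto"] == "tcp" and r["flags"] == "S":
            key = (bucket, r["dst"])
            syn_count[key] += 1
            if syn_count[key] > syn_threshold and ("SYN_FLOOD", key) not in fired:
                fired.add(("SYN_FLOOD", key))
                alerts.append(("SYN_FLOOD", r["dst"], bucket))
        # Port scan: one source touching many ports outside the normal service set.
        if r["dport"] not in NORMAL_PORTS:
            key = (bucket, r["src"])
            scan_ports[key].add(r["dport"])
            if len(scan_ports[key]) > scan_threshold and ("PORT_SCAN", key) not in fired:
                fired.add(("PORT_SCAN", key))
                alerts.append(("PORT_SCAN", r["src"], bucket))
    return alerts


def build_sample_log():
    """Constructed records (not a real capture): a little normal mail traffic, a SYN
    flood from 150 forged sources, then a scan of 16 high ports from one host."""
    lines = [f"0.{i}0 tcp 10.0.0.2:4000{i} -> 192.168.1.10:25 S" for i in range(5)]
    lines += [f"{i * 0.005:.3f} tcp 203.0.113.{i % 250 + 1}:{1024 + i} -> 192.168.1.10:80 S"
              for i in range(150)]
    lines += [f"{2.0 + j * 0.01:.2f} tcp 198.51.100.9:{50000 + j} -> 192.168.1.10:{1000 + j} S"
              for j in range(16)]
    return lines


if __name__ == "__main__":
    for kind, addr, bucket in detect(build_sample_log()):
        print(f"{kind}: {addr} (window {bucket})")
```

Note that the SYN flood is keyed on the target, not the source: because the sources are forged, counting per source would never cross the threshold. The scan rule is keyed on the source, which is exactly why an attacker can spread a scan across many addresses or over a long period to stay under it; that is the kind of distributed probing the next paragraph says pattern matching alone cannot catch.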

For more complex intrusion attacks (such as distributed attacks and combined attacks), pattern matching alone is not enough; methods such as state transition analysis and analysis of the network topology are also needed to perform intrusion detection.

IV. Some thoughts on intrusion detection systems

In terms of performance, one contradiction in intrusion detection systems is the compromise between system performance and functionality: comprehensive and complex inspection of the data poses a major challenge to the system's real-time requirements.

From a technical standpoint, intrusion detection systems still have several problems that urgently need to be solved, mainly in the following areas:

1. There is still no good method or mature solution for identifying large-scale combined, distributed intrusion attacks. The attacks on Yahoo and other well-known ICPs show that the security problem has become prominent: the skill of attackers keeps improving, attack tools are increasingly mature and attack techniques increasingly complex, so the intrusion detection system must continuously track the latest security technology.

2. A network intrusion detection system discovers attacks by matching network packets, and it usually assumes that the attack information is transmitted in the clear. Information that is transformed or re-encoded therefore evades detection, and string matching methods are powerless against encrypted packets.

3. Network equipment is becoming more complex and more diverse, which requires intrusion detection systems to be customized to suit a greater variety of environments.

4. There is no objective standard for evaluating intrusion detection systems, and the lack of uniform standards makes it hard for different systems to interoperate. Intrusion detection is an emerging technology; as the technology develops and new attacks must be recognized, the intrusion detection system needs constant upgrades to ensure the security of the network.

5. Inappropriate automatic responses are themselves a risk of intrusion detection systems. An intrusion detection system usually works together with a firewall: when it discovers an attack, it filters out all IP packets from the attacker. If the attacker forges packets from a large number of different IP addresses, the intrusion detection system will automatically configure the firewall to filter out those addresses, which in fact never performed any attack, and so creates a new denial of service.

6. Attacks on the IDS itself. Like any other system, the IDS has security vulnerabilities of its own. If an attack on it succeeds, its alarms lose their meaning and the intruder is not recorded, so the system must employ a variety of security protection measures.

7. As network bandwidth keeps increasing, developing detectors (event analyzers) for high-speed networks still presents many technical difficulties.
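Point 5 above is worth making concrete, because the failure is easy to reproduce: an IDS that blocks every alerting source turns a spoofed-source flood into a block list full of innocent addresses. The following Python module is an added example, not code from the original report; it contrasts a naive responder with one that never blocks allow-listed infrastructure, expires its blocks, and stops issuing automatic blocks once too many distinct sources alert in one window. The Alert record, the allow list, the cap, the block lifetime and the sample alert stream are assumptions.

```python
"""Safeguarded automatic response for the self-inflicted denial of service in point 5
above.  Added example, not code from the original report; the Alert record, the
allow list, the per-window block cap, the block lifetime and the sample alerts are
assumptions."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    ts: float        # seconds
    src: str         # source address the IDS attributed the attack to
    signature: str


class NaiveResponder:
    """Blocks every alerting source: with forged sources this blocks innocent hosts too."""

    def __init__(self):
        self.blocked = set()

    def handle(self, alert):
        self.blocked.add(alert.src)
        return "BLOCK"


class GuardedResponder:
    """Limits automatic blocks: never blocks allow-listed infrastructure, expires blocks,
    and once the per-window cap is hit only alerts (a burst of many distinct sources is
    usually the mark of a spoofed-source attack, not of many real attackers)."""

    def __init__(self, allow_list, max_blocks_per_window=20, window=60.0, ttl=300.0):
        self.allow_list = set(allow_list)
        self.max_blocks = max_blocks_per_window
        self.window = window
        self.ttl = ttl
        self.blocked = {}        # src -> expiry time
        self.recent = deque()    # timestamps of blocks issued in the current window
        self.escalated = []      # alerts handed to a human instead of the firewall

    def handle(self, alert):
        now = alert.ts
        for src, expiry in list(self.blocked.items()):   # drop expired blocks
            if expiry <= now:
                del self.blocked[src]
        while self.recent and now - self.recent[0] > self.window:
            self.recent.popleft()
        if alert.src in self.allow_list:
            self.escalated.append(alert)
            return "ALERT_ONLY"
        if alert.src in self.blocked:
            return "ALREADY_BLOCKED"
        if len(self.recent) >= self.max_blocks:
            self.escalated.append(alert)
            return "ALERT_ONLY"
        self.blocked[alert.src] = now + self.ttl
        self.recent.append(now)
        return "BLOCK"


def build_sample_alerts():
    """Constructed alert stream: 200 SYN-flood alerts, each from a different forged
    source, with one alert attributed to the site's own DNS server mixed in."""
    forged = [Alert(i * 0.1, f"203.0.113.{i}", "SYN_FLOOD") for i in range(200)]
    dns = Alert(9.95, "10.0.0.53", "SYN_FLOOD")
    return forged[:100] + [dns] + forged[100:]


def run(alerts, allow_list=("10.0.0.53",)):
    """Feed the same alerts to both responders and return them for inspection."""
    naive, guarded = NaiveResponder(), GuardedResponder(allow_list)
    for a in alerts:
        naive.handle(a)
        guarded.handle(a)
    return naive, guarded


if __name__ == "__main__":
    naive, guarded = run(build_sample_alerts())
    print(f"naive: {len(naive.blocked)} blocked, DNS blocked: {'10.0.0.53' in naive.blocked}")
    print(f"guarded: {len(guarded.blocked)} blocked, {len(guarded.escalated)} escalated")
```

On the constructed stream the naive responder blocks 201 addresses, the DNS server among them, while the guarded one blocks 20, escalates the rest to an operator, and releases its blocks after the lifetime expires. The cap does not make the response foolproof (an attacker can still spend the 20 automatic blocks on addresses it wants blocked), which is why the escalated alerts still need a human.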

As a critical line of network security defense, intrusion detection systems still have many areas worth further research and improvement, so that they can provide effective security means for the future development of networks.

Please cite the original address when reprinting: https://www.9cbs.com/read-49880.html