Hacker Attack Behavior Characteristic Analysis and Anti - attack Technology

xiaoxiao 2021-03-06

To protect a network from hackers, you must have a detailed, in-depth understanding of hacker methods, attack principles, and attack processes; only then can protection be targeted and proactive. This article analyzes the characteristics of hacker attack methods in order to study how to detect and defend against hacker attack behavior.

I. The core problem of anti-attack technology (intrusion detection technology) is how to capture all network information. At present, information is obtained mainly in two ways. One is to use network monitoring tools (such as Sniffer, Vpacket, etc.) to obtain all network information (packet information, network traffic information, network status information, network management information, and so on); this is both the unavoidable path for carrying out an attack and the necessary path for countering one. The other is to analyze the system logs of the operating system and of applications in order to discover intrusion behavior and potential security vulnerabilities in the system.

II. The main ways hackers attack. Hackers have a variety of ways to attack a network. In general, an attack always exploits "system configuration defects", "operating system security vulnerabilities" or "communication protocol security vulnerabilities". So far, more than 2,000 kinds of attack methods have been seen, and most hacker attacks have a corresponding countermeasure. They can be divided into the following categories:

1. Denial of service attack: In general, a denial of service attack overloads a critical system resource of the attacked object (usually a workstation or an important server) so that the attacked object stops providing service. There are hundreds of known denial of service attacks. It is the most basic kind of intrusion attack, and also one of the most difficult to deal with. Typical examples are SYN flood attacks, ping flood attacks, LAND attacks, WinNuke attacks, and so on.

2. Unauthorized access attempt: An attacker attempts to read, write or execute a protected file, including attempts to obtain protected access rights.

3. Pre-attack probing: In the course of continued unauthorized access attempts, an attacker usually uses this kind of attack to gather information about the network and its surroundings. Typical examples include SATAN scans, port scans and IP scans.

4. Suspicious activity: Activity that falls outside the range of "standard" network communication, or undesired activity on the network, such as IP Unknown Protocol and Duplicate IP Address events.

5. Protocol decoding: Protocol decoding may be used in any of the undesired methods above. Network or security administrators need to carry out the decoding work and obtain the corresponding results; the decoded protocol information may indicate undesired activity, such as FTP User and PORTMAPPER Proxy.

6. System agent attack: This kind of attack is usually launched against a single host rather than the whole network, and can be monitored through the RealSecure system agent.

III. Characteristic analysis of hacker attack behavior and anti-attack technology. The most basic means of intrusion detection is to use pattern matching to find intrusion attack behavior. To counter attacks effectively, one must first understand the principle and working mechanism of the intrusion; only then can one know oneself and the adversary, and thereby effectively prevent intrusion attack behavior from occurring. Below we analyze several typical intrusion attacks and propose corresponding countermeasures.

1. LAND attack. Attack type: the LAND attack is a denial of service attack. Attack feature: the source address and destination address in the packet used for a LAND attack are the same. When the operating system receives such a packet, it does not know how to handle the situation in which the source address and destination address in the communication stack are the same, or it loops sending and receiving the packet, consuming a large amount of system resources and thereby possibly causing the system to crash or hang. Detection method: determine whether the source address and the destination address of a network packet are the same.

Please credit the original source when reprinting: https://www.9cbs.com/read-53804.html
