Source: Chinaunix / Cool Paradise
In the field of network security, as hacking tools become ever more "point-and-click", the intrusion detection system (IDS) is steadily gaining importance. Only when an IDS is effectively deployed in a network can an attacker's violations be noticed in time and problems prevented before they escalate. This article is a comprehensive introduction to IDS concepts, behaviour and strategy, written in question-and-answer form, in the hope of helping administrators put IDS to use faster and better.

Q: What are the important kinds of IDS?

Depending on what is monitored, IDS comes in many kinds. The important ones are:

1. NIDS. NIDS stands for Network Intrusion Detection System. It is mainly used to detect intrusions by hackers or crackers coming in over the network. A NIDS can run in two ways: on the target host, monitoring that host's own traffic, or on a separate machine, monitoring the traffic of all network devices such as hubs and routers.

2. SIV. SIV stands for System Integrity Verifiers. It monitors whether important information such as system files or the Windows registry has been modified, in order to close back doors left by an attacker. SIV mostly takes the form of tool software; the famous example is TripWire, which detects changes to important system components but does not produce real-time alarms.

3. LFM. LFM stands for Log File Monitors. It mainly monitors the log files generated by network services. An LFM determines intrusion behaviour by examining log file content and matching it against keywords; for example, in an HTTP server's log file, searching for the "swatch" keyword is enough to judge whether a "phf" attack has occurred.
4. Honeypots. A honeypot is a decoy system that deliberately contains vulnerabilities. By simulating one or more vulnerable hosts, it offers the attacker an easy target. Since the honeypot has no other task to perform, every connection attempt to it should be considered suspicious. Another use of a honeypot is to delay the attacker's assault on the real targets: the attacker wastes time on the honeypot while the original target remains protected and the truly valuable content is not touched. One of the original purposes of honeypots was to gather evidence for prosecuting malicious hackers, which has something of the feel of "entrapment".

Q: Who is the intruder?

We usually call the intruder a hacker, but strictly speaking that is not accurate. One could say that a hacker discovers system vulnerabilities and patches them, while a cracker is the intruder who exploits vulnerabilities to cause damage. To avoid confusion, this article simply calls them all intruders. Intruders fall into two categories: internal and external. Internal intruders usually use social engineering to obtain unauthorised accounts for illegal activities, such as using other people's machines or posing as a director or manager; external intruders first reconnoitre and probe the target with some attack technique, then carry out the damage. Keep one thing in mind: statistics show that 80% of intrusions come from inside.

Q: How do intruders get into the system?

There are three main ways:

1. Physical intrusion means the intruder breaks in by physical means, for example walking into the machine room and quickly tapping a few keys in an attempt to break into the operating system, or taking pliers and a screwdriver to the machine, removing the case and "borrowing" the hard disk to carry off and read in another machine.

2. System intrusion refers to damaging activity by an intruder who already holds a low-privileged account on the system. Typically, if the system has not applied the latest patches in time, a user with low privileges can exploit a system vulnerability to obtain higher administrative privileges.
3. Remote intrusion refers to an intruder penetrating a system over the network. In this case the intruder usually has no special privileges; they must first locate targets by vulnerability scanning or port scanning and then use the relevant techniques to do damage. NIDS is mainly aimed at this kind of intrusion.

Q: Where can intruders break into the system?

Flies don't land on an egg without a crack, and in a complex computer network intruders can easily find a crack to break in through. Understanding where these cracks may lie is therefore important for repairing them. Typically the cracks show up in software bugs, system misconfiguration, password theft, sniffing of plaintext communication, and defects in the original design.

1. Bugs in software. Whether server programs, client software or the operating system, anything written in code has bugs to a greater or lesser degree. Bugs fall mainly into the following categories:

Buffer overflow: the intruder supplies, in one of the program's input fields, a string that exceeds the specified length. The excess portion is usually the attack code the intruder wants executed, and because the programmer never checked the input length, the attack code ends up occupying the memory beyond the input buffer. Don't assume that 200 characters are plenty for a login username and skip the length check; as the saying goes, locks are there to stop the rogue, not the gentleman, and the intruder will try every means of attack.

Unexpected combined use: a program often consists of multiple layers of code with different functions, possibly reaching down to the underlying operating system. Intruders usually exploit this feature by entering unusual content in order to steal information.
For example, for a program written in Perl, the intruder can enter a string like "mail /etc/passwd" in an input field, so that Perl makes the operating system call the mail program and send the important password file to the intruder. Borrowing a knife to do the killing, borrowing mail to deliver the "letter": a clever trick indeed!

Not anticipating input: some programmers, to save trouble, do not anticipate what will be entered, which makes things easy and simple for the intruder.

Race conditions: multitasking, multithreaded programs are increasingly common; while they improve efficiency, attention must be paid to race conditions. For example, programs A and B both operate on a file in the order "read / modify / write". After A has finished reading and modifying, B starts and performs its whole "read / modify / write"; A then continues with its write, and the result is that one program's update is silently lost. Intruders may exploit vulnerabilities in this processing order to rewrite important files and so break into the system, so programmers should pay attention to the order of file operations and to locking.

2. Improper system configuration. Default configuration: many systems are installed with default security settings, often referred to as Easy To Use. Unfortunately, Easy To Use also means Easy To Break In, so you must make a point of abandoning the default configuration.

Lazy administrators: one form of laziness is leaving the administrator password empty after installation and never changing it. Be aware that the first thing intruders do is look on the network for machines with such an administrator.

Temporary ports: sometimes, for testing, an administrator opens a temporary port on a machine and forgets about it after the test, giving the intruder a hole to find and a gap to crawl through.
The usual solution is: unless a port must be used, forbid it! In general, a security audit package can be used to discover such ports and notify the administrator.
Trust relationships: systems on a network often establish trust relationships to facilitate resource sharing, but this also lets the intruder "borrow the ox's strength" and attack indirectly; for example, by compromising just one machine in a trusted group, it may be possible to go on to attack the other machines. Trust relationships must therefore be strictly reviewed to ensure a genuinely secure alliance.

3. Password cracking. Weak passwords: a password is set, but it is so simple that the intruder can crack it with ease.

Dictionary attack: the intruder uses a program that repeatedly tries to log in to the system using a dictionary database of usernames and passwords until it succeeds. Undoubtedly, the key to this method is a good dictionary.

Brute-force attack: similar to the dictionary attack, except that the dictionary is dynamic, containing every possible combination of characters. For example, a 4-character password containing upper- and lower-case letters has about 500,000 combinations, and a 7-character password containing upper- and lower-case letters and punctuation has about 10 trillion combinations. For the latter, an ordinary computer needs months to test them all. Now you see the benefit of a long password!

4. Sniffing unencrypted communication data. Shared media: in a traditional Ethernet it is easy to place a sniffer on the network and view the traffic on the segment, but in a switched Ethernet sniffing becomes much harder.

Server sniffing: switched networks still have a significant weakness. An intruder can install sniffer software on a server, especially one that also acts as a router, and then use the information it collects to break into client machines and trusted machines. For example, even if the intruder does not know your password, they can sniff it when you log in with Telnet.
Remote sniffing: many devices have an RMON (Remote Monitor) function for remote management and debugging, using public community strings. With the continued spread of broadband, intruders are more and more interested in this back door.

5. Defects in the original design of TCP/IP. Even if the software has no bugs and the program executes every step correctly, defects in the original design still let the intruder attack. The TCP/IP protocol suite is now very widely deployed, but it was designed well before today's rampant intruders, so it has many shortcomings that amount to security vulnerabilities, such as the Smurf attack, connection teardown with ICMP Unreachable packets, IP address spoofing and SYN flooding. The biggest problem, however, is that the IP protocol is very "trusting": intruders can freely forge and modify IP packets without being discovered. Fortunately, the saviour IPsec protocol has been developed to overcome this shortcoming.

Q: How do intruders get passwords?

1. Sniffing plaintext passwords. A great many communication protocols, such as Telnet, FTP and basic HTTP, use plaintext passwords, meaning the password travels between server and client over the network in unencrypted form. The intruder only needs a protocol analyser to view it, and can then analyse the login sequence and become a clone of the real user.

2. Sniffing encrypted passwords. Of course, more and more protocols transmit passwords in encrypted form. The intruder then has to break them with a dictionary or brute-force attack. Note that we cannot detect the intruder's sniffing, because they sit in the dark, completely passive, sending nothing on the network; the intruder's machine is used only to analyse the captured password information.
3. Replay attack. This is another indirect method: the intruder does not need to decrypt the password at all, only to rewrite the client software so that it logs in using the encrypted password exactly as captured.

4. Stealing the password file. Passwords are usually kept in a separate file; for example, the UNIX password file is /etc/passwd (or a shadow copy of it), and the Windows NT password file is /WinNT/System32/Config/SAM. Once the intruder obtains the password file, weak passwords can be found with a cracking program.

5. Observation. A user may write a hard-to-remember password on a slip of paper, or a "visitor" may be watching as the password is typed. Intruders have sharp eyes and good memories, and such habits are easy prey. So don't ignore the intruder's eyes!

6. Social engineering. This was mentioned above: social engineering means illegal activity that uses non-technical means to steal an unauthorised account, such as using other people's machines, or impersonating a director or manager to win the administrator's trust and obtain a password. Remember: if someone asks for your password, whatever reason they give, remember who they are; if a password-related incident later occurs, that person is the number one suspect!

Q: What does a typical intrusion scenario look like?

An intrusion scenario means the sequence of steps an intruder takes in attempting to attack a system. A typical one runs as follows:

1. External reconnaissance. Know your enemy and know yourself, and you will not be defeated. The intruder's first step is to investigate the target by every possible means to gather adequate information. Methods include: using the whois tool to obtain network registration information; searching the DNS tables with nslookup or dig to determine machine names; and searching public news about the company. This step goes entirely unnoticed by the target.

2. Internal probing. Having determined the basic attributes of the target (site address, host names), the intruder analyses it in depth. Methods include: traversing every web page in search of CGI vulnerabilities; using ping to find "live" machines; and UDP/TCP scanning of the target to find available services. These behaviours look like normal network operations and cannot yet be counted as intrusion, but a NIDS will be able to tell the administrator: "Someone is rattling the door handle..."

3. Exploiting vulnerabilities. Now the show really starts! There are many ways to do damage; the preferred list is: testing the security of CGI scripts by writing shell command strings into input fields; sending large amounts of data to determine whether the notorious buffer overflow vulnerability is present; and trying simple passwords to get past the login barrier. Of course, there are many more methods that can succeed.

4. Establishing a foothold. Once the intruder has successfully broken into one machine on the network, they have a foothold. What the intruder does now is hide the traces of the intrusion and build the back door needed for future attacks, which requires altering log files or other system files, installing Trojans, or replacing system files with back-doored programs. At this point the SIV (system integrity verification) system will notice these file changes. Since security measures inside the internal network are usually weaker, the intruder will then use this first machine as a springboard to attack other machines on the network and look for the next target.