Intrusion Detection in Practice

xiaoxiao2021-03-06  41


Last Update: 2004-06-15 15:32:58

Guide

1. What are the important IDS systems?

2. Who is an intruder?

3. How do intruders enter the system?

4. Where can an intruder break into the system?

5. How do intruders get passwords?

6. What are the typical intrusion scenarios?

7. What are the modes of intrusion?

8. What does NIDS do after detecting an intrusion?

9. Besides IDS, what other intrusion countermeasures are there?

10. Where on the network should IDS systems be placed?

11. How does IDS cooperate with other security measures in the network?

12. How do I detect someone using a NIDS system in the network?

13. How do I improve the intrusion protection of WinNT/Win2K systems?

14. How do I improve the intrusion protection of Win9X systems?

15. Who should the security response organization of an enterprise network include?

16. If someone says they were attacked from an address at our site, what should I do?

17. How do I collect evidence of an intruder's attack?

In the field of network security, as hacking tools become ever more "point-and-click", the status of the intrusion detection system (IDS) rises steadily. Only when IDS is deployed effectively in a network can an attacker's violations be sensed in time and problems be nipped in the bud. This article gives a comprehensive introduction to IDS concepts, behaviour and strategy in question-and-answer form, in the hope of helping administrators put IDS to use faster and better.

Q: What are the important IDS systems?

Depending on what they monitor, IDS systems come in many kinds. The following are a few important ones:

1. NIDS

NIDS is the abbreviation of Network Intrusion Detection System. It is mainly used to detect intrusions by hackers or crackers that arrive over the network. NIDS runs in one of two ways: on the target host, monitoring only that host's own traffic, or on a separate machine, monitoring the traffic of all network devices such as hubs and routers.

2. SIV

SIV is the abbreviation of System Integrity Verifier. It is mainly used to monitor whether important information such as system files or the Windows registry has been modified by an attacker. SIV mostly takes the form of tool software, such as the well-known TripWire, which detects changes to important system components but does not produce real-time alarms.
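As an added illustration of what an SIV such as TripWire does (example code written for this article, not TripWire's own): a baseline of SHA-256 digests, sizes and permission bits is taken over a directory tree and stored elsewhere, and a later verification reports files that were added, removed or changed. The directory layout and the tampering in `demo()` are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file's contents, read in chunks so large binaries are handled too."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record digest, size and permission bits for every regular file under root.
    Paths are stored relative to root so the baseline can be kept elsewhere."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            baseline[os.path.relpath(full, root)] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline


def save_baseline(baseline, path):
    """The baseline belongs on read-only or offline media; otherwise an intruder
    who has already won root can simply re-baseline after tampering."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def verify(root, baseline):
    """Compare the current state of root against the baseline and report differences."""
    current = build_baseline(root)
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if current[p] != baseline[p]),
    }


def demo():
    """Constructed scenario: a small fake system tree is baselined, then a program is
    replaced, a file is planted, a log is deleted and a permission bit is loosened."""
    root = tempfile.mkdtemp(prefix="siv-demo-")
    for sub in ("bin", "log", "tmp"):
        os.makedirs(os.path.join(root, sub))
    files = {
        "bin/login": b"original login program",
        "passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "log/messages": b"Nov  6 07:13:13 host in.telnetd[31565]: refused connect\n",
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    os.chmod(os.path.join(root, "passwd"), 0o644)

    baseline_file = os.path.join(tempfile.mkdtemp(prefix="siv-base-"), "baseline.json")
    save_baseline(build_baseline(root), baseline_file)

    # Simulated tampering after the baseline was taken
    with open(os.path.join(root, "bin", "login"), "wb") as f:
        f.write(b"original login program plus an extra back door")
    with open(os.path.join(root, "tmp", ".hidden"), "wb") as f:
        f.write(b"planted file\n")
    os.remove(os.path.join(root, "log", "messages"))
    os.chmod(os.path.join(root, "passwd"), 0o666)   # content unchanged, permissions loosened

    return verify(root, load_baseline(baseline_file))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```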

3. LFM

LFM is the abbreviation of Log File Monitor. It mainly monitors the log files produced by network services, judging intrusion behaviour by checking log contents against keywords. For example, SWATCH can search an HTTP server's log file for the keyword "phf"; a hit indicates that a phf attack has been attempted.

4. Honeypots

A honeypot, also called a decoy system, is a system that deliberately contains vulnerabilities. By simulating one or more vulnerable hosts it offers the hacker an easy target. Because the honeypot has no other job to do, every connection attempt to it should be considered suspicious. Another use of honeypots is to delay the attacker's move against the real targets: the attacker wastes time on the honeypot while the real target stays protected and the truly valuable content goes untouched. One of the original purposes of honeypots was to gather evidence for prosecuting malicious hackers, which gives them a flavour of "entrapment".

Q: Who is an intruder?

We usually call the intruder a hacker, but strictly speaking this is inaccurate: a hacker is someone who discovers system vulnerabilities and patches them, while a cracker is the intruder who exploits vulnerabilities to do damage. To avoid confusion, this article simply calls both "intruders". In general, intruders fall into two categories, internal and external. Internal intruders usually use social engineering to obtain unauthorized accounts for illegal activity, for instance using other people's machines or posing as a supervisor or director; external intruders use certain attack techniques to probe and examine the target and then do damage.

One point to keep in mind: statistics show that 80% of intrusions come from inside.

Q: How do intruders enter the system?

There are three main ways:

1. Physical intrusion

This means the intruder has physical access to a machine and uses it for destructive activity: for example, walking into the machine room and typing a few keystrokes to break into the operating system, or taking pliers to the machine's housing, "borrowing" the hard disk and studying it at leisure on another machine.

2. System intrusion

This refers to destructive activity carried out by an intruder who already holds a low-privilege account on the system. Typically, if the system has not been patched with the latest fixes in time, a low-privilege user may exploit a system vulnerability to obtain higher administrative privileges.

3. Remote intrusion

This means the intruder penetrates a system over the network. In this case the intruder usually has no special privileges at all; they must find the target by vulnerability or port scanning and then use the relevant technique to do damage. NIDS is mainly aimed at this kind of intrusion.

Q: Where can an intruder break into the system?

Flies do not land on an egg without cracks, and in a complex computer network intruders readily find cracks through which to break in. Knowing where these cracks may lie is therefore essential to repairing them. Typically the cracks are found in software bugs, system misconfiguration, password theft, eavesdropping on unencrypted communication, and defects in the original design.

1. Software bugs

Whether it is a server program, client software or an operating system, anything written in code will contain bugs to some degree. Bugs fall mainly into the following categories:

Buffer overflow: the intruder supplies more input to a program's input field than it expects. The excess is usually the attack code the intruder wants to execute, and because the programmer never checked the input length, the attack code ends up occupying the memory beyond the input buffer. Do not assume that 200 characters is plenty for a user name and skip the length check: as the saying goes, precautions are for the petty, not the gentleman, and intruders will try every possible way to attack.

Unexpected combinations: a program often consists of multiple layers of code with different functions and may even reach down to the underlying operating system. Intruders exploit this by entering input in different forms to achieve the goal of stealing information. For example, for programs written in Perl, intruders can enter a string similar to "Mail

Unvalidated input: some programmers cannot be bothered to anticipate what input they will receive, which makes things easy and simple for the intruder.

Race conditions: multi-tasking and multi-threaded programs are becoming more common, and while they improve efficiency, race conditions demand attention. For example, program A and program B both operate on a file in the order read / modify / write. When A has finished reading and modifying, B starts and runs through all of read / modify / write; A then performs its write, and the result is that one of the two updates is silently lost. Intruders may exploit this processing-order vulnerability to rewrite important files and so break into the system, so programmers should pay attention to the order of file operations and to locking.
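The read / modify / write race described above, as an added example written for this article (not code from the original): two workers increment a counter file. The unsafe version uses two events so the damaging interleaving (A reads and changes, B does a full read / modify / write, A writes) can be reproduced on demand; the safe version holds an exclusive flock across the whole sequence. The counter file is constructed, and fcntl requires a POSIX system.

```python
import fcntl
import os
import tempfile
import threading


def make_counter():
    """Create a constructed counter file holding 0 and return its path."""
    fd, path = tempfile.mkstemp(prefix="counter-")
    os.write(fd, b"0")
    os.close(fd)
    return path


def read_count(path):
    with open(path) as f:
        return int(f.read() or "0")


def write_count(path, value):
    with open(path, "w") as f:
        f.write(str(value))


def unsafe_increment(path, have_read, may_write):
    """Read / change / write with no lock. The two events let the caller freeze this
    worker between its read and its write, which is exactly the window the text describes."""
    value = read_count(path)      # read
    value += 1                    # change
    have_read.set()               # tell the caller we are now holding a stale value
    may_write.wait()              # wait for permission to continue
    write_count(path, value)      # write (possibly clobbering someone else's write)


def safe_increment(path):
    """Hold an exclusive advisory lock from before the read until after the write,
    so read / change / write becomes atomic with respect to other lock holders."""
    with open(path, "r+") as f:
        fcntl.flock(f.fileno(), fcntl.LOCK_EX)
        try:
            value = int(f.read() or "0") + 1
            f.seek(0)
            f.truncate()
            f.write(str(value))
            f.flush()
        finally:
            fcntl.flock(f.fileno(), fcntl.LOCK_UN)


def lost_update_demo():
    """Force the interleaving from the text: A reads and changes, B does a full
    read / change / write, then A writes. Returns the final count (1 instead of 2)."""
    path = make_counter()
    a_read, a_go = threading.Event(), threading.Event()
    a = threading.Thread(target=unsafe_increment, args=(path, a_read, a_go))
    a.start()
    a_read.wait()                 # A is paused, holding value 1 computed from 0
    b_read, b_go = threading.Event(), threading.Event()
    b_go.set()                    # B is allowed to run straight through
    unsafe_increment(path, b_read, b_go)   # file now holds 1
    a_go.set()                    # A writes its stale 1 on top of B's 1
    a.join()
    return read_count(path)       # 1: B's update has vanished


def locked_demo(workers=8, rounds=25):
    """Many threads incrementing concurrently under the lock; returns workers * rounds."""
    path = make_counter()

    def worker():
        for _ in range(rounds):
            safe_increment(path)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return read_count(path)


if __name__ == "__main__":
    print("without lock:", lost_update_demo(), "(two increments, expected 2)")
    print("with lock:   ", locked_demo(), "(expected 200)")
```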

2. System misconfiguration

Default configuration: many systems ship with default security settings after installation, often described as "easy to use". Unfortunately, easy to use also means easy to break into. So you must firmly abandon the default configuration.

Lazy administrators: one form of laziness is leaving the administrator password empty after the system is installed and never changing it. You can be sure that the first thing intruders do is look on the network for machines with such an administrator account.

Temporary ports: sometimes, for testing, the administrator opens a temporary port on a machine and then forgets about it after the test, giving intruders a hole to find and crawl through. The usual rule is: unless a port must be used, forbid it! In general, a security audit package can be used to discover such ports and notify the administrator.

Trust relationships: systems in a network often establish trust relationships to make resource sharing easier, but this lets intruders "borrow strength" and attack indirectly: compromise just one machine in the trusted group and it may be possible to attack the others. Trust relationships must therefore be reviewed strictly to ensure they form a genuinely secure alliance.

3. Password theft

Weak, easily guessed passwords: that is, a password is set, but it is so simple that the intruder can guess it.

Dictionary attack: the intruder uses a program that keeps trying to log in using a dictionary database of user names and passwords until it succeeds. Undoubtedly, the key to this approach is having a good dictionary.

Brute-force attack: similar to a dictionary attack, except that the dictionary is dynamic, that is, it contains every possible character combination. For example, a 4-character mixed-case password gives about 500,000 combinations, and a 7-character password with mixed case and punctuation gives about 10 trillion. For the latter, an ordinary computer would take several months to try them all. The benefit of a long password is plain to see!

4. Sniffing unencrypted communication data

Shared media: on a traditional Ethernet it is easy to place a sniffer on the network and view the traffic of the whole segment; on a switched Ethernet, sniffing becomes much harder.

Server sniffing: switched networks also have a significant weakness. An intruder can install sniffer software on a server, especially one that also acts as a router, and then use the information it collects to break into client machines and trusted machines. For example, even without knowing your password, the intruder can sniff it when you log in with a Telnet client.

Remote sniffing: many devices have an RMON (Remote Monitoring) function that is managed remotely using public community strings. With the spread of broadband, intruders are more and more interested in this back door.

5. TCP/IP design defects

Even if the software has no bugs and the program executes exactly as intended, defects in the original design still allow attacks. The TCP/IP protocol suite is now widely used and very mature, but it was not designed for today's world of rampant intruders, so it has many shortcomings that leave security holes, such as the Smurf attack, connections broken by ICMP unreachable packets, IP address spoofing and SYN flooding. The biggest problem, however, is that IP is far too "trusting": intruders can freely forge and modify IP packets without being noticed. Fortunately, the IPsec protocol has been developed as the great saviour to overcome this shortcoming.

Q: How do intruders get passwords?

1. Eavesdropping on cleartext passwords

A great many protocols such as Telnet, FTP and basic HTTP send passwords in cleartext, meaning they travel between client and server "naked", in unencrypted form. An intruder only needs a protocol analyzer to see them, analyze the login sequence, and become a clone of the real user.

2. Eavesdropping on encrypted passwords

Of course, more protocols transmit passwords in encrypted form. The intruder then has to decrypt them with a dictionary or brute-force attack. Note that we cannot detect the intruder's eavesdropping, because he stays in the dark: it is entirely passive, sends nothing on the network, and the intruder's machine is only used to analyze the captured password information.

3. Replay attack

This is another indirect attack method: the intruder does not need to decrypt the password at all, only to modify the client software so that it logs in using the captured encrypted password.

4. Stealing the password file

Passwords are usually kept in a separate file; for example, the password file of a UNIX system is /etc/passwd (or a shadow copy of that file), and the password file of a WinNT system is \Winnt\System32\Config\SAM. Once the intruder obtains the password file, weak passwords can be found with a cracking program.

5. Observation

Because of password rules a user may write the password on a scrap of paper at any time, or take no notice of "visitors" who are present while it is typed in. Intruders have excellent searching skills and memory, and such habits make things easy for them. So do not ignore the intruder's eyes!

6. Social engineering

As mentioned earlier, social engineering refers to using non-technical means to obtain unauthorized accounts for illegal activity, such as using other people's machines, or posing as a supervisor or director to win the administrator's trust and get a password. Remember: if someone asks for your password, whatever reason he gives, remember him; once something happens involving that password, he is suspect number one!

Q: What are the typical intrusion scenarios?

An intrusion scenario means the steps an intruder takes when trying to attack a system. A typical intrusion scenario looks like this:

1. External reconnaissance

Know yourself and know your enemy. The first step of an intruder's attack is to investigate the target by every possible means to obtain enough information. Methods include: using the WHOIS tool to get network registration information; querying DNS tables with nslookup or dig to determine machine names; searching the company's public news. This step is completely invisible to the target.

2. Internal analysis

Having determined the basic attributes of the target (site address, host names), the intruder analyzes them in depth. Methods include: walking through every web page looking for CGI vulnerabilities; using ping to find "live" machines; running UDP/TCP scans against the target machines to find available services. These actions are normal network operations and cannot yet be counted as intrusions, but the NIDS system will be able to tell the administrator: "someone is rattling the door handle..."

3. Vulnerability exploitation

Now the real work begins! There are many ways to do damage; the preferred list is: testing the security of CGI scripts by writing shell command strings into input fields; sending large amounts of data to see whether a notorious buffer overflow exists; trying simple passwords to get past the login barrier. Of course there are many more methods, and one successful exploit is enough.

4. Gaining a foothold

For the intruder, once one machine has been successfully broken into, the network can be said to be occupied. What the intruder does next is hide the traces of the intrusion and build back doors for future attacks, which means altering log files or other system files, installing Trojans, or replacing system files with back-door programs. This is when the SIV (system integrity verification) system should take note of these files. Because security measures inside the internal network are usually weaker, the intruder will then use this first machine as a springboard to attack other machines in the network and look for the next victim.

5. Enjoying the results

At this point the intruder has essentially completed the attack, and all that remains is to enjoy the results: stealing secret documents, abusing system resources, tampering with web pages, or even using your machine as a springboard to attack other machines.

The above is the usual behaviour of an intruder. There is also an intrusion scenario usually called the "birthday attack"; I take the name to mean receiving gifts from many acquaintances and strangers alike on one's birthday, except that here "attack" is prefixed to the gift. The general steps of a birthday attack are: pick an Internet address at random; check whether it has a specified vulnerability; if so, attack it using the known vulnerability. There are so many vulnerabilities in computer networks that novice intruders can practise their skills this way :-)

Q: What are the modes of intrusion?

1. Probing

There are many ways to probe, including ping sweeps, weak-account scans, probe emails, TCP/UDP port scans, scanning web servers for CGI vulnerabilities, and so on.

2. Vulnerability exploitation

This refers to the intruder using hidden functions or vulnerabilities to gain control of the system. It mainly includes:

CGI vulnerabilities: writing CGI programs demands great care to avoid security threats. Intruders often try to access CGI programs with well-known vulnerabilities to find a breakthrough. These CGI programs include: TextCounter, Guestbook, EWS, info2www, count.cgi, handler, webdist.cgi, php.cgi, files.pl, nph-test-cgi, nph-publish, AnyForm, FormMail. If we do not use these files but find that someone is frequently accessing one of them, we can be sure that an intrusion is in progress.

Web server vulnerabilities: for example, a file name containing a series of ".." strings to access any file on the system, or "::$DATA" appended to a URL path to view script source code.
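The detection side of the two items above, and of the log-file-monitor idea from the first question, as an added example written for this article (not code from any IDS product): a scanner that reads Apache-style access-log lines and flags requests for the listed CGI names, ".." traversal (also when percent-encoded) and the "::$DATA" suffix, then counts which sources keep triggering it. The log lines are constructed for the demonstration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# CGI programs the article lists as common probe targets. Prune this set to the
# scripts your site really does not use, so that every hit is worth an alert.
SUSPECT_CGI = {
    "textcounter", "guestbook", "ews", "info2www", "count.cgi", "handler",
    "webdist.cgi", "php.cgi", "files.pl", "nph-test-cgi", "nph-publish",
    "anyform", "formmail", "phf",
}

# Common Log Format: ip ident user [timestamp] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample log; IPs, times and paths are made up for the demo.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2003:07:13:13 +0800] "GET /index.html HTTP/1.0" 200 1234
10.0.0.9 - - [06/Nov/2003:07:13:20 +0800] "GET /cgi-bin/phf?Qalias=test HTTP/1.0" 404 210
10.0.0.9 - - [06/Nov/2003:07:13:21 +0800] "GET /cgi-bin/formmail.pl?recipient=x HTTP/1.0" 404 210
10.0.0.9 - - [06/Nov/2003:07:13:25 +0800] "GET /images/..%2f..%2f..%2fetc%2fpasswd HTTP/1.0" 403 150
10.0.0.9 - - [06/Nov/2003:07:13:30 +0800] "GET /default.asp::$DATA HTTP/1.0" 200 520
10.0.0.12 - - [06/Nov/2003:07:14:02 +0800] "POST /guestbook/submit HTTP/1.1" 200 88
"""


def classify_request(path):
    """Return the names of the article's web signatures that the requested path matches."""
    decoded = unquote(path).lower()          # %2e%2e/ and %2f would hide '..' from a naive match
    script = decoded.split("?", 1)[0].rsplit("/", 1)[-1]
    stem = script.rsplit(".", 1)[0]          # formmail.pl matches the listed name "formmail"
    hits = []
    if script in SUSPECT_CGI or stem in SUSPECT_CGI:
        hits.append("known-vulnerable-cgi:" + script)
    if ".." in decoded:                      # series of '..' to reach files outside the web root
        hits.append("directory-traversal")
    if "::$data" in decoded:                 # NTFS stream suffix that returned script source
        hits.append("ntfs-data-stream")
    return hits


def scan_log(lines):
    """Run the signatures over each log line; returns (ip, path, hits) for every match."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a request line we understand; skip it
        hits = classify_request(m.group("path"))
        if hits:
            alerts.append((m.group("ip"), m.group("path"), hits))
    return alerts


def suspicious_sources(alerts, threshold=2):
    """Sources with at least `threshold` alerts: the 'someone frequently accessing' case."""
    counts = Counter(ip for ip, _path, _hits in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for ip, path, hits in found:
        print(ip, path, ", ".join(hits))
    print("repeat offenders:", suspicious_sources(found))
```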

Web browser vulnerabilities: these are very wide-ranging and web surfers must not take them lightly. Examples include buffer overflows or execution of .lnk command URLs, malformed HTTP header contents, MIME type overflows (such as the Netscape browser command), JavaScript that keeps leaking information (such as using the file upload function to create a back-door program), occasionally Java code, and now the more powerful and more troublesome ActiveX components.

SMTP vulnerabilities: for example, a buffer overflow attack on SMTP, or using the VRFY command to enumerate user names.

IMAP vulnerabilities: IMAP is the Internet Message Access Protocol, which lets the user read mail information on the mail server or collect mail directly. In traditional POP3 retrieval the user knows nothing about the specific messages; only after the mail has been downloaded to disk can it be browsed or deleted, so the user has almost no control over the mail. IMAP solves this problem, but many popular IMAP servers have serious vulnerabilities.

IP address spoofing: since routing does not need to check source addresses, the intruder can replace the source address of IP packets to hide the attacker's identity for a time. Moreover, because the source address is forged, the intruder does not receive the target machine's replies, a true "attack without return".

Buffer overflows: apart from the overflows already mentioned, there are the DNS overflow (an over-long DNS name sent to the server) and the statd overflow (an over-long file name).

3. DoS or DDoS (denial of service or distributed denial of service)

This kind of attack genuinely "harms others without gain": it wants none of the other party's data, it only wants to watch the spectacle. Such attacks are becoming more and more common, perhaps because there are more and more of such people... Common DoS attacks include the ping of death, SYN flooding and the Land attack.

Q: What does NIDS do after detecting an intrusion?

When an intrusion is detected, the NIDS system can take many powerful countermeasures, mainly including:

* Reconfigure the firewall to block the intruder's IP address

* Play a .WAV sound to alert the administrator

* Send SNMP TRAP packets to the management console

* Record the event in the system log file

* Send an email to the administrator about the intrusion

* Notify the administrator by pager

* Save the attack information, such as the time, intruder IP address, victim IP address, port, protocol and the related packets

* Start a special program to handle the intrusion event

* Forge TCP FIN packets to force the connection closed so the tragedy does not continue

Q: Besides IDS, what other intrusion countermeasures are there?

1. Firewalls

One view holds that the firewall is the first line of defence: once it is breached, the intruder can roam freely through the network. But a better statement is that the firewall is the last line of defence. With correctly configured machines and a well-run intrusion detection system, the firewall is used to fend off the naive, simple attacks of script kiddies. Two points deserve attention: first, many routers can now be configured to do firewall filtering; second, firewalls usually only resist external attacks and are powerless against internal damage.

2. Password authentication systems

Securing the password authentication system is another measure to take. Either use the system's built-in authentication scheme, such as Win2K's Kerberos authentication, or consider buying a separate product and integrating an enhanced authentication system, such as RADIUS (Remote Authentication Dial-In User Service) or TACACS (an authentication protocol historically used in UNIX, which forwards the user's login information from the remote access server to the authentication server to decide whether the user may access a given system). These authentication systems help eliminate the cleartext password problems of protocols such as Telnet, FTP, IMAP or POP.

3. Virtual private network (VPN)

A VPN creates a secure tunnel for remote access over the Internet; the main protocols used are PPTP and IPsec. PPTP is PPP over TCP; with it a machine can be given two IP addresses, one for the Internet and one for the virtual network. IPsec is a new protocol in Win2K that improves the security of traditional IP. VPNs have an obvious weakness, however: although the tunnel itself is authenticated and encrypted and therefore safe, its two ends are open, so an intruder who has planted a back door on a home user's machine can come in through the secure tunnel without being inspected.

4. Encryption systems

With growing attention to personal privacy, encryption is increasingly "fashionable". Email can be encrypted with PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions); files can also be encrypted with PGP; and file systems can be encrypted with BestCrypt or PGP.

Q: Where on the network should IDS systems be placed?

1. Network hosts

In a network where promiscuous-mode sniffing is not possible, the NIDS can be installed on the host itself to monitor whether attacks occur between machines on the same switch.

2. Network boundaries

IDS is ideal at the network boundaries, such as on either side of the firewall, near dial-up servers, and at connections to other networks. Since the bandwidth at these points is not high, the IDS can keep up with the traffic.

3. WAN

Since attacks launched from a remote region against the core of the WAN are common, and WAN bandwidth is usually not high, installing IDS in the WAN backbone is also increasingly important.

4. Server groups

Servers vary, and so do their traffic rates. For application servers whose traffic is not very high, installing IDS is a very good choice; for servers that are high-speed but especially important, consider installing a dedicated IDS system for monitoring.

5. Local area networks

IDS usually does not work well on a LAN, because LAN bandwidth is very high and the IDS cannot keep up with the rushing data stream, so it cannot finish reassembling packets. If you must use one there, do not set the performance requirements too high; be content with detecting simple attacks.

Q: How does IDS cooperate with other security measures in the network?

1. Establish a continuously improving security policy. This is important! Who is responsible? What is to be done after an intrusion? With it, there is a guide to correct action.

2. Place firewalls sensibly according to the different security requirements, for example between the internal network and the external network, between servers and clients, and between the company network and partner networks.

3. Use a network vulnerability scanner to check the firewall for holes.

4. Use a host policy scanner to ensure the maximum security of critical devices such as servers, for example by checking whether the latest patches have been applied.

5. Use NIDS and other packet-sniffing software to look for "black" traffic on the network.

6. Use host-based IDS and virus-scanning software to flag successful intrusions.

7. Use the network management platform to set alarms for suspicious activity. At the very least, all SNMP devices should be able to send "authentication failure" TRAP messages so that the administrator is alerted from the management console.

Q: How do I detect someone using a NIDS system in the network?

A NIDS system is really a sniffer, so any standard sniffer detection tool can be used to discover it. These tools include:

1. AntiSniff (http://www.l0pht.com/antisniff/)

2. NEPED (http://www.securiteam.com/tools/nepe_-_dtect_sniffers_on_your_local_network.html)

3. SENTINEL (http://www.packetfactory.net/projects/sentinel/)

4. IFSTATUS (ftp://andrew.triumf.ca/pub/security/ifstatus2.0.tar.gz)

Q: How do I improve the intrusion protection of WinNT/Win2K systems?

Many experts have offered advice on this question; I will pick out the key points and list them as follows:

1. Visit http://www.microsoft.com/security/ and download and install the latest SP and HotFixes.

2. When installing, choose the NTFS file system, and use NTFS on every disk (do not make the boot disk FAT and the other disks NTFS). NTFS not only allows permissions to be set on individual files and directories, but also lets them be audited.

3. Create a new administrator account and restrict the built-in Administrator account to the minimum functions so it serves as a trap: watch whether anyone tries to steal its privileges. Disable the Guest account, or create a new guest account for the same purpose: monitoring whether someone tries to use it to break into the system.

4. Remove the default permission Everyone/Write from the %systemroot%\system32 directory.

5. Start regedt32 and open the HKEY_LOCAL_MACHINE\SECURITY key so that remote registry browsing can be detected.

6. When installing the system, do not accept the default directory C:\Winnt, so that the intruder has to spend some effort guessing where the system files are. A better trick is to install first into C:\Winnt, then reinstall the system into another directory, and add auditing to C:\Winnt so that anyone who touches C:\Winnt is recorded. Real mixed with fake and fake mixed with real: you keep peeking, I keep setting traps.

7. Keep only system files on the boot partition; put data and applications on other partitions, and even separate data from applications. In short, isolation is the best way to keep a fire from spreading.

8. Use the "Blank Screen" screen saver with password protection; this serves security and also saves the server's processor. Note that if you use a screen saver of unknown origin, beware that it may be a back-door program.

9. Start regedt32 and modify the AutoShareXXX parameter to turn off the system's default administrative shares, such as Admin$, C$, D$ and so on. For WinNT Server the parameter is located at:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer

For WinNT Workstation the location is:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareWks

10. Disable the anonymous access account by setting the following value to 1:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous

11. On domain controllers, assign the "Access this computer from the network" right to authorized users instead of the default Everyone. This prohibits remote access using the machine's local accounts and only allows access by domain accounts.

12. Set an account lockout policy for the administrator account so that it locks automatically after a defined number of failed password guesses by the intruder. Of course, we can still log in locally with the administrator account. To be safer, remote use of the administrator account can be disabled entirely by removing it from the "Access this computer from the network" right.

Q: How do I improve the intrusion protection of Win9X systems?

Protective measures are like attack methods; the three most basic ones that I consider most important are:

1. Install the latest patches.

2. Turn off the printer share PRINTER$. Once the printer is shared, remote users can access the printer drivers in the shared machine's System32 directory; because of system bugs, other system files, such as the password file, may be exposed as well.

3. Turn off file sharing. Home users usually have no need to share files at all. If you must share, put a password on the share, share only when you need to, and close the share as soon as you are done.

Q: Who should the security response organization of an enterprise network include?

People always come first! The purpose of establishing a security response organization is to settle: when a security incident occurs, whom should users turn to for help, and what should they do? Since security issues touch every aspect, the members of this organization should also come from all quarters, protecting the enterprise with every available force, even those of society. Usually the personnel of a security response organization include:

1. Senior management

Responsible for handling major security issues; for example, deciding whether an e-commerce site under attack should be disconnected from the network immediately to avoid greater losses.

2. Human resources management

Because many attacks come from inside, once one of our own people is found out, the personnel department can be asked immediately to have a talk with him.

3. Technical team

Responsible for organizing and analyzing security incidents, building the countermeasure database, and guiding the implementation staff to act correctly.

4. Implementation staff

The real firefighters: wherever the fire is, there they go!

5. External resources

Some destructive acts are criminal and the harm is severe, beyond what our own people can handle. Then we need the support of social forces such as the ISP and the public security bureau: first, they have deterrent power; second, they have the enforcement authority that we lack.

Q: If someone says they were attacked from an address at our site, what should I do?

Imagine this situation: someone sends you an email saying with great certainty that he has suffered an intrusion from your address, and pastes in the following log information:

NOV 6 07:13:13 Pbreton in.telnetd[31565]: REFUSED CONNECT from xx.xx.xx.xx

and finally says politely that he attaches great importance to this and hopes you will investigate seriously.

In the network age this will happen more and more. When receiving such a letter, the administrator's first task is to calm down and carefully analyze whether the letter and its evidence are genuine, because that decides what action to take. Typically the following aspects can be considered:

1. First determine which product produced the log information and what kind of attack it could represent. In this example the log information may come from TCP Wrappers, a package that strengthens login and access control for UNIX system services; the information also shows that this is merely a probe rather than an attack. The more such information there is, the more accurately the "portrait" of the culprit can be drawn, just as the police draw a sketch of a wanted criminal.

2. Next, imagine the behaviour from the benign side: someone may have mistyped the IP address in "telnet xx.xx.xx.xx", or meant to type "telnet xx.xx.xx.xx 25" to connect to an SMTP server but typed "telnet xx.xx.xx.xx 23" instead, and so on. Like the law of the United States: when a case occurs, first assume the defendant is innocent, then look for evidence.

3. Then consider it from the bad side: your network may have been compromised and the intruder ran the scan from the victim machine; or an employee on your network really did run a scan. This resembles the law of Taiwan: when a case occurs, first assume the defendant is guilty, then look for evidence.

4. In addition, one possibility that is always overlooked: the letter writer may himself be the intruder! How so? By observing your attitude, your response speed and the information you give away, such as the administrator's IP address or email details, the intruder can gauge whether your network architecture is secure and whether your emergency measures are sound, and obtain related attack information. In general this counts as social engineering. Be careful: the one shouting "thief" may be the thief!

Q: How do I collect evidence of an intruder's attack?

This is a very interesting and difficult problem. As virtue rises a foot, vice rises ten: the savvy intruder is usually a master of disguise and misdirection, always using other people's machines or spoofed IP addresses to carry out the act, the attack! Still, let him attack as he will; I defend myself. I believe there are at least the following two effective methods:

1. Install packet sniffer detectors at critical points to capture passing traffic for analysis. Try it and you will be surprised: heavens, so many scan packets dance through my network every day!

2. Enable auditing and logging wherever possible; when an intrusion happens this will be the best map of the crime scene.

When reposting, please credit the original address: https://www.9cbs.com/read-54484.html
