About Zombies and Script Kiddies: Distributed Denial of Service Attacks

xiaoxiao, 2021-03-06

Learn how to identify the threat that malicious concurrent service requests pose to a network server, and how to protect against it

Hot on the heels of the Sydney Summer Olympics, the 2002 Salt Lake City Winter Olympics is fast approaching. One very significant fact is that the Internet no longer plays a minor role in the running of this huge commercial operation but a dominant one: after the first week, Internet transactions accounted for 85% of all ticket sales. As the Internet occupies an ever more important position in our lives, it is equally obvious that website operators are increasingly threatened by the recent DoS (Denial of Service) attacks. Although DoS is not a new attack technique, in recent years far too many websites have been caught up in a uniquely malicious variant of it: the DDoS (distributed denial of service) attack.

DDoS has been responsible for knocking out some well-known e-commerce services, including ZDNet. DoS attacks, DDoS among them, work by driving one or more system components into failure: CPU, firewall, network bandwidth. DDoS is the greater threat because each individual request uses a legitimate communication method, so the requests, spread across many sources, are accepted as legitimate traffic. That simply makes it much harder for a website to take protective measures.

Comparing DoS and DDoS attacks

DDoS attacks come from many distributed clients across the Internet, whereas a typical DoS attack is just one independent site attacking a single target. The usual DoS tactic adopted by script kiddies is to flood the server with ping requests. Given enough bandwidth, it is very easy to overwhelm a network server so that it loses the ability to respond to ping requests at all. Fortunately, a DoS attack is easily defeated: because the traffic of such an attack can be identified, it can be filtered. For example, a network administrator can configure the server not to respond to ping, and it is just as easy to filter out every request from the attacker's IP address at the firewall. Finally, when only one machine is involved, the network administrator can easily trace the DoS attack back to its origin address, which makes prosecution more likely.

DDoS, however, works in the attacker's favour, leaving a single website under siege from many directions. Because the harmful load is issued from many different source addresses, distinguishing the attack traffic from legitimate network traffic is no easy matter.

In general, DDoS attacks deprive the victim of system resources. For example, a DDoS attack may use a connection-oriented protocol such as HTTP to send a request to the server and then never complete it. The server allocates a thread and memory for each request while the request is pending, and since the sender never finishes the request, the server must wait a predetermined timeout before releasing those resources. A successful DDoS attack consists of a great many such requests, each of which ties up some resources until legitimate users can no longer reach the server.

DDoS attack kits

DDoS attacks have not only become very common in the past year; experts also believe their impact will continue to grow. That prediction is made against the backdrop of DDoS toolkits becoming ever more widely available on the Internet. These toolkits give even an extremely mediocre hacker the ability to carry out an attack. Some of the most common and well-documented are Tribe Flood Network (TFN), Trin00 and Stacheldraht.

But how does a would-be attacker get so many computers to join in? A malicious user might, for example, compromise hundreds of computers over a period of time using a zombie tool designed to carry out the eventual attack. As you might guess, a zombie program lies dormant until it is called upon by the hacker. Typically the malicious user breaks into the target machine using exploit code for a vulnerability in an operating system or application. Many of these machines are student-administered computers on campuses; the attackers poke around until they find a weakness. Experience shows that if hackers are determined to attack and have enough time, any computer can be compromised. Campuses are targeted because they have the right hardware, bandwidth and CPU capacity, and, all too commonly, their servers are not kept up to date with released patches. Using the TFN toolkit and its advanced version TFN2K, hackers embed commands in ICMP (Internet Control Message Protocol), UDP (User Datagram Protocol) and TCP packets to connect from their client to the compromised master zombie server. The commands in the data field are encrypted and not easy to identify. A client using TFN2K can operate covertly, because TFN2K can randomise its IP address and port and also send decoy packets, making it even harder to identify. The client instructs the zombie server and gives it a target to attack, using UDP floods, SYN floods (SYN is a flag in the TCP header), ICMP echo floods and ICMP broadcast packets. The intent is simply to exhaust the target's resources (CPU, memory and bandwidth) so that end users give up, shut down their computers and go do something more interesting, such as watching football, fishing or riding a motorcycle.

Trin00 has been around for more than a year and is well documented. It has three parts: a hacker client, a compromised zombie server (the master), and an agent running on each zombie machine. The hacker client is simply Telnet (remote login) or Netcat connecting to port 27665 on the zombie master. The master listens on port 27665 and broadcasts on port 31335. The passwords "betaalmostdone" and "g0rave" are used when connecting to the master. There is also a Windows version: on Windows the agent listens on port 34555, on UNIX on port 27444. Between the master and the agents the protocol is again protected by a password: "144adsl" on UNIX and "[] .. ks" on Windows. Trin00 implements six attack commands: mtimer, dos, mdie, mdos, mping and msize. The presence of Trin00 can be detected by looking for UDP packets sent from the same source IP address and port to many different destination ports. ICMP "port unreachable" messages with the same source and destination IPs likewise point to port-scanning activity.

Like Trin00, Stacheldraht (German for "barbed wire") also has three parts. The hacker client connects to the control server via port 16660 or 60001. Packets are protected with a password specified in the source code (a 64-bit encryption routine), usually the word "sicken". The zombie server (the handler) relays communication between the client and the agents. Port 65000 and ICMP echo packets, used like a heartbeat, serve as the contact signal between the handler and the agents. The ICMP packets carry the values 666, 667, 668 and 669 and strings such as "skillz", "ficken" and "spoofworks" in the data field. The zombie's agents can be instructed to attack a specified IP address and port, and can also accept remote upgrade commands.

Identification and prevention

At present there is no way to eliminate these destructive attacks, but some preventive measures can reduce their impact. Website administrators should audit their ports and determine which applications are running on them. Some tools can scan the ports available on a server and produce a list, so you can confirm that every exposed or open port is one you expect. You can check the process and service records on the server, or you can connect remotely to each port and see how it responds; a web server, for example, will respond with the name of its server software. You can also analyse the contents of the TCP/IP packets on your system.

There are other signs that can indicate an impending attack. If every port on a server is scanned from the same IP address, someone may be trying to see which ports are open. Some tools can monitor such activity and warn you of what might be coming, but if something does happen, it is obviously wise for the network administrator to look at the server's log files. By reviewing the logs, the administrator can find rejected connections on a run of consecutive ports, evidence that someone has been looking for a chink in the armour. Most administrators only open the ports and services that are absolutely necessary. Even so, the most sophisticated administrators still install an IDS (Intrusion Detection System). These tools are very comprehensive and can alert you to potential problems. Internet Security Systems' X-Force is a very good security tool, and many large companies, such as Exodus Communications, also offer active port-scan monitoring services.

So how can an ordinary home user protect themselves and avoid becoming a DDoS attacker's zombie? Obviously, installing and updating security patches is very important. Most virus scanning packages can also detect virus-like activity, such as e-mail messages or web pages that try to install programs on your system. For Windows systems there are some good personal firewalls, such as BlackICE and ZoneAlarm, which help you monitor suspicious Internet activity. Finally, the most valuable thing you can do is to stay aware of where your e-mail and applications come from. Disabling script execution is another worthwhile measure. And it is not a good idea to run every file that happens to land in your inbox.
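As an added example that is not part of the original article, the following Python script applies two of the detection rules described above to a small constructed firewall log: the Trin00 indicator (UDP from one source IP and port to many different destination ports) and the log review for a single address probing a run of consecutive ports. The iptables-like log layout, the IP addresses and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample firewall log in an iptables-like "SRC= DST= PROTO= SPT= DPT=" layout
# (an assumption; the article shows no log format). One host probes five consecutive TCP
# ports, one sends UDP from a single source port to several destination ports, one is benign.
SAMPLE_LOG = """\
DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21
DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23
DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25
DROP SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80
DROP SRC=192.0.2.9 DST=198.51.100.5 PROTO=UDP SPT=45000 DPT=1000
DROP SRC=192.0.2.9 DST=198.51.100.5 PROTO=UDP SPT=45000 DPT=1001
DROP SRC=192.0.2.9 DST=198.51.100.5 PROTO=UDP SPT=45000 DPT=1002
ACCEPT SRC=198.51.100.20 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["spt"], e["dpt"] = int(e["spt"]), int(e["dpt"])
            events.append(e)
    return events

def port_scanners(events, threshold=5):
    """Source IPs that touched at least `threshold` distinct destination ports."""
    seen = defaultdict(set)
    for e in events:
        seen[e["src"]].add(e["dpt"])
    return {src: sorted(p) for src, p in seen.items() if len(p) >= threshold}

def fixed_source_udp(events, threshold=3):
    """UDP from one source IP:port to at least `threshold` destination ports (Trin00 sign)."""
    seen = defaultdict(set)
    for e in events:
        if e["proto"] == "UDP":
            seen[(e["src"], e["spt"])].add(e["dpt"])
    return {key: sorted(p) for key, p in seen.items() if len(p) >= threshold}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("port scanners:", port_scanners(events), "fixed-source UDP:", fixed_source_udp(events))
```

On a real system the same functions can be fed a file read from the firewall log, with thresholds tuned to the site's normal traffic.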

Please cite the original URL when reposting: https://www.9cbs.com/read-59950.html
