2. Network listening Technology in Linux

Corresponding data structure:

Struct arphdr
{
Unsigned short int ar_hrd;
Unsigned short int ar_pro;
Unsigned char ar_hln;
Unsigned char ar_pln;
Unsigned short int ar_op;
# If 0
Unsigned char _ ar_sha [ETH_ALEN];
Unsigned char _ ar_sip [4];
Unsigned char _ ar_tha [ETH_ALEN];
Unsigned char _ ar_tip [4];
# End if
};

This is the arp protocol header of linux, where ar_hrd is the hardware address format, ar_pro is the Protocol address format, ar_hln is the hardware address length, and ar_pln is the Protocol address length, ar_op is the arp Protocol. 0x001 is arp echo 0x0002 is arp reply. the following are the physical addresses of the source address, the source IP address, the physical address of the target IP address, and the target IP address.

Tcp Header of Tcphdr IP protocol

The following figure shows the data structure:

Struct tcphdr
{
U_int16_t source;
U_int16_t dest;
U_int32_t seq;
U_int32_t ack_seq;
# If _ BYTE_ORDER = _ LITTLE _ ENDIAN
U_int16_t resl: 4;
U_int16_t doff: 4;
U_int16_t fin: 1;
U_int16_t syn: 1;
U_int16_t rst: 1;
U_int16_t psh: 1;
U_int16_t ack: 1;
U_int16_t urg: 1;
U_int16_t res2: 2;
# Elif _ BYTE _ ORDER = _ BIG _ ENDIAN
U_int16_t doff: 4;
U_int16_t res1: 4;
U_int16_t res2: 2;
U_int16_t urg: 1;
U_int16_t ack: 1;
U_int16_t psh: 1;
U_int16_t rst: 1;
U_int16_t syn: 1;
U_int16_t fin: 1;
# Else
# Error "Adjust your defines"
# Endif
U_int16_t window;
U_int16_t check;
U_int16_t urg_ptr;
};

This is part of the tcp protocol in Linux. It is the same as the IP protocol. The source protocol is the source port, the dest protocol is the destination port, the seq protocol is the s sequence, and the ack_seq protocol is the sequence number, the other are tcp connection flags, which contain Six Flags: syn indicates connection request, urg indicates emergency information, fin indicates connection end, ack indicates connection response, and psh indicates push stack flag, rst indicates that the connection is interrupted. Window indicates the size of the received data window, check indicates the verification code, and urg ptr indicates the emergency pointer.

Udphdr. This is the udp protocol header.

Struct udphdr {
U_int16_t source;
U_int16_t dest;
U_int16_t len;
U_int16_t check;
}
　　

This is part of the udp protocol in Linux. The structure is obvious: source Port, dest destination port, len udp length, and check is the verification code.

Icmphdr this is the IP protocol's icmp protocol header

Struct icmphdr
{
U_int8_t type;
U_int8_t code;
U_int16_t checksum;
Union
{
Struct
{
U_int16_t id;
U_int16_t sequence;
} Echo;
U_int32_t gateway;
Struct
{
U_int16_t_unused;
U_int16_t mtu;
} Frag;
} Un;
}; This is the icmp protocol in linux's IP protocol. The main parameters here are the first two parameters, where type is the icmp protocol type, the code re-analyzes the type. For example, type 0x03 indicates unsearchable. Different codes indicate different unsearchable: 0x00 indicates that the network is unavailable, 0x01 indicates that the host is unavailable, and 0x02 indicates that the Protocol is unavailable, 0x03 indicates that the port is unavailable, 0x05 indicates that the source route fails, 0x06 indicates that the network is unknown, and 0x07 indicates that the host is unknown.

Igmphdr this is the igmp protocol header of the IP protocol.

Struct igmphdr
{
_ U8 type;
_ U8 code;
_ 2010csum;
_ U32 group;
};

This is the igmp protocol in Linux's IP Protocol. The Protocol mainly includes the first two attributes. Type indicates the igmp protocol information Type, and code indicates the routing code. then, assign the address of the intercepted data frame to the defined structure. we can analyze the data according to different structures to obtain the required information.

Measure the test taker's knowledge about network monitoring.

The Network listener is described in the preceding section. It is designed for system administrators to manage networks and monitor network statuses and data flows. However, because of its function of intercepting network data, it is also one of the common tricks of hackers.

Detection rule Definition

The listener is used to obtain the required network information. However, the information traffic in the network may be large. For example, a network with hundreds of computers generally uses the monitoring log calculated in MB every minute, it is not easy to find the information we need from such a large amount of data, so I added the definition of detection rules to the program, in this way, users can define their own detection rules to find and operate the desired data from a large amount of data. The definition includes most of the data packet attributes we are interested in: including the source address, Destination Address, source IP address, destination IP address, source port, destination port, protocol type, connection flag, the number of data packets and the time limit.

For example, we can define to store data with the source physical address 172.16.11.148 and the source port is 25, and the tcp connection mark is syn in the relevant log file, and adopt a chain rule during detection, that is, we can define a lot of rules, and data will be processed through the detection of various rules like a pipeline. This function is similar to the rule definition of most intrusion detection systems, with this function, network listening is more targeted and can meet the needs of different users.

Generally, you can use the following methods to detect network listeners:

Network listeners are hard to find. Because the host that runs the listener only passively receives information transmitted over Ethernet during the process of listening, it will not exchange information with other hosts, you cannot modify the information packages transmitted over the network. This shows that the detection of network listeners is troublesome.

In general, you can use ps-ef or ps-aux to detect. However, most listeners will modify the ps command to prevent ps-ef attacks.

As mentioned above. When a listener is running, the host response is generally affected and slow, so someone proposes to determine whether the listener is listened based on the response rate. If you suspect that a computer on the internet is implementing a listener, you can ping it with the correct IP address and the wrong physical address, so that the running listener will respond. This is because normal machines generally do not receive ping information from the wrong physical address. But the machine that is listening can receive it. If its IP stack does not perform reverse checks again, it will respond. However, this method does not work for many systems because it depends on the system's IP stack.

The other is to send a large number of non-existent physical address packets to the network, and the listener will often process these packets, which will lead to a decline in machine performance, you can use icmp echo delay to judge and compare it. You can also search for programs running on all hosts in the network, but the difficulty of doing so can be imagined, because this is not only a large workload, but also cannot fully check the processes on all hosts at the same time. However, if the Administrator does this, it is necessary to determine whether a process is started from the Administrator's machine. In Unix, you can use the ps-aun or ps-augx command to generate a list of all processes: the owner of the process and the time and memory occupied by these processes. These are output as standard tables on STDOUT. If a process is running, it will be listed in this list. However, many hackers will politely modify ps or other running programs into Trojan Horse programs when running the listeners, because they can do this completely. If this is the case, the above method will not produce any results. However, to a certain extent, this is still useful. On Unix and Windows NT, you can easily get the list of current processes.

There is also a way that relies on luck. Because most of the listening programs used by hackers are obtained online for free, they are not professional listeners. Therefore, you can search for listeners as administrators. You can use Unix to write such a search tool. There is a tool named Ifstatus running in Unix that can identify whether the network interface is under debugging or loading. If the network interface runs in this mode, it is likely to be under attack by the listener. Ifstatus generally does not produce any output. It returns the output only when it detects that the network interface is in listening mode. The administrator can set the cron parameter of the system to regularly run Ifstatus. If a good cron process exists, the administrator can send the output to the person executing the cron task by mail, to implement this, add the ***/usr/local/etc/ifstatus line parameter under the crontab directory. If this is not the case, you can use a script program under crontab 00 *****/usr/local/etc/run-ifstatus.

Generally, listening is only sensitive to user password information (it is a waste of time for no boring hackers to listen to chat information between two machines ). Therefore, it is necessary to encrypt user information and password information. Prevents listening for plaintext transmission. In modern networks, SSH communication protocols have been used all the time. The port used by SSH is 22, which eliminates the possibility of communication on insecure channels and uses the RAS Algorithm for listening, after the authorization process is completed, all transmission is encrypted using IDEA technology. However, SSH is not completely secure. Therefore, in general, monitoring detection is a security precaution and requires comprehensive knowledge and skills for analysis and design.

Security considerations

DOS attack detection and prevention

China is still in the development stage of the network. Naturally, there are "hacker" and "crack" networks. It is precisely because they are in the development stage that their attack methods generally rely on some tools, these tools are generally divided into brute-force and destructive tools. They take a long time to crack and become less powerful. destructive tools are popular in line with these people's personalities. DOS attack tools are easy to attack and have a high success rate, it is generally the first choice for "hacker.

The so-called DOS attack is a Denial-of-Service attack. It does not intrude into the system, but only causes the system to crash or be in a rejected connection status, the main method of DOS attacks is to send a large number of fake syn packets so that the server is busy responding to requests waiting for fake syn and cannot respond to normal connections, or sending a large number of broadcast packets. Using a system to generate a response bug to some broadcast packets, a broadcast storm may block the network, consuming server resources to attack the network. A Distributed DOS attack tool is also available. It controls multiple extensions and sends them to attack packets at the same time, which is powerful. At the same time, DOS attacks may also be a prelude to another supply, this is an IP spoofing attack (this attack can obtain the ROOT permission and has the highest risk factor). If a DOS attack occurs but does not block the network, the attack target is unremarkable, this is probably the beginning of an IP address spoofing or TCP interception. Therefore, DOS attacks are a type of attack with high damage, obvious effects, and can be hacked and attacked.

Hot and DOS attacks are easy to detect, with obvious attacks and outstanding attack features. It is not difficult to find out through network monitoring, as mentioned above, we can listen to data frames on the network and analyze them. So we write a program that allows users to compare their own specifications with the data frames and then respond to the data that complies with the specifications, for DOS attacks, we can define a time-limited specification for detection. For example, we can define a DOS attack if more than 100 syn packets appear in 1 second, and then define the processing method, for example, MAIL, LOG, SHUTDOWN, or linkage with _ blank "> firewall.

Detection and attack of IP Spoofing

The rapid development of the network caused the original 32-bit address protocol to be unable to meet the rapidly expanding large computer group ,. Benefits cannot be evenly shared, leading to the fraudulent use of IP addresses and disordered network order.

Here we will explain the application of ARP. ARP is a protocol used to convert IP addresses into MAC addresses. It is the basis for LAN data exchange. How can a computer bind itself to a certain IP address? First, when a computer starts, it will send the ARP packet of its IP address to the LAN to prevent IP conflict. If no one answers the packet, it will send the ARP packet of its IP address, declare to the LAN to bind its physical address and ip address. If you do not use a fixed ip Address/mac table on the server, you can also bind an ip address to a computer that does not have the right to use the ip address. This means that the ip address is fraudulent.

The use of network monitoring can detect and attack ip addresses. The specific method is to obtain the ip and eth addresses in the detected arp data frame and compare them with the corresponding table we have created. For example, if ip addresses are fraudulent, then, the system sends a reverse arp packet to it to interrupt the network, which is suitable for network management that cannot control the router configuration and does not want to modify the gateway configuration. In the program, I use a passive arp query, that is, no arp query packet is sent. I can say that there is no additional burden on the network outside the attack packet. Application of listener Technology in Network Testing

Network listening is not only the basis of network management, but can also be used in network testing. Most of the current network testing tools are built on the basis of monitoring, and the types and quantities of the data frames listened to are counted, to test the network. Similarly, this listener can be used for data classification statistics to test the network.

For example, most commonly used network tests:

1) Check the load of the broadcast packet in the network, that is, check the proportion of the broadcast packet in all packets, as long as the program compares the physical address of the destination address in the data frame to ff: ff: the ratio of ff to the total number of frames. The data basis for VLAN configuration is provided.

2) Check the number of bad data frames generated by conflicts in the network, because shared Ethernet adopts the CSMA/CD protocol, when each computer sends a signal, it cannot be guaranteed that no other computer is sending the signal. However, when a conflict is detected, the system stops sending the signal. Therefore, some damaged data frames are generated, the proportion of damaged data frames in network data is an important parameter that reflects network performance. This detection is similar to the first one for listeners, but changes the statistical data packets to conflicting data frames, that is, the number of data frames smaller than 64 bytes. Similarly, network tests can be implemented through listeners, so we can analyze the cabling methods that are more suitable for specific situations.

Preliminary Implementation of spam filtering

Spam is used to filter emails that we don't want to accept and whose content is insecure. Due to the features of the email service, e-mails have become one of the most convenient ways to transmit information in contemporary society, however, some people also use this to send unsafe publicity that harms the society, So spam filtering becomes necessary. Due to the loose management of the mail server, if a computer has an IP address, a server can be set up, which makes the mail source quite complex. Therefore, it is not easy to completely filter emails, however, we can still use network listening to preliminarily filter emails.

The first method is to shield some ip address swtp connections, which can be achieved through the listener, for example, if the source IP address is set to **** and the TCP connection port is set to 25, the connection is blocked.

Method 2: because many email servers allow Email Forwarding (this is also necessary, we cannot connect to every machine ), therefore, the user's email may not be blocked through the IP address and can be forwarded through other servers. Therefore, if the first method is invalid, we can block the service through the account, because the unified commands on the email server require that you declare the user at the time of sending an email, for example, mail from XXX @ XXX, we can use a listener to discover and block users we don't like, this requires that we analyze not only the header but also the data of the data frame and compare it with the set string. If it is the same, we find the blocked connection.

Article entry: aaadxmmm responsible editor: aaadxmmm