Attack and Defense: hacker information collection attacks and false message attacks

Currently, information collection attacks are a mainstream attack type. Information Collection attacks do not pose harm to the target, as shown in the name, this type of hacker attack is used to provide useful information for further intrusion. Fake message attacks are messages that are used to attack targets with incorrect configurations. They mainly include scanning technology, architecture spying, and information service exploitation.

Information collection attacks against hacker attacks

1. Scan Technology

(1) address scanning

Overview: Use a program such as ping to detect the target address and respond to it to indicate its existence.

Defense: filters out ICMP response messages on the firewall.

(2) Port Scanning

Overview: some software is usually used to connect a series of TCP ports to a large range of Hosts. The scan software reports that it has successfully established the port opened by the host for the connection.

Defense: many firewalls detect scanning and automatically block scanning attempts.

(3) response ing

Overview: a hacker sends a false message to the host, and then determines which hosts exist based on the message feature "hostunreachable. At present, because normal scanning activities are easy to be detected by the firewall, hackers turn to common message types that do not trigger firewall rules, including RESET messages, SYN-ACK messages, DNS response packets.

Defense: NAT and non-route proxy servers can automatically defend against such attacks, or filter "hostunreachable" ICMP responses on the firewall.

(4) slow scanning

Overview: Generally, A scan detector is used to monitor the number of connections initiated by a specific host (for example, 10 times per second) in a certain period of time to determine whether the scan is being performed, in this way, hackers can scan by using scanning software with slower scanning speed.

Defense: uses the lure service to detect slow scans.

2. Architecture Detection

Overview: hackers use automatic tools for databases with known response types to check the responses from the target host to bad packet transmission. Because each operating system has its own unique response method (for example, the TCP/IP stack implementation of NT and Solaris is different ), by comparing this unique response with the known response in the database, hackers are often able to determine the operating system running on the target host.

Defense: removes or modifies various Banner types, including operating systems and various application services, and blocks attack plans that disrupt the other party through identified ports.

3. DNS domain Conversion

Overview: the DNS protocol does not authenticate the switch or information update, which allows the Protocol to be used in different ways. If you maintain a public DNS server, hackers only need to perform a domain conversion operation to obtain the names and internal IP addresses of all your hosts.

Defense: filters out domain conversion requests from the firewall.

4. Finger Service

Overview: a hacker uses the finger command to probe a finger server to obtain information about users of the system.

Defense: Shut down the finger service and record the IP address of the other party attempting to connect to the service, or filter the IP address on the firewall.

5. LDAP Service

Overview: hackers use the LDAP protocol to snoop information about systems and their users in the network.

Defense: blocks and records LDAP on the internal network. If the LDAP service is provided on a public machine, put the LDAP server into DMZ.

Hacker attack and defense-fake message attack

1. DNS high-speed cache pollution

Overview: Because the DNS server does not perform identity verification when exchanging information with other name servers, hackers can add incorrect information and direct the user to the hacker's host.

Defense: Filter inbound DNS updates on the firewall. The external DNS server should not be able to change your internal server's understanding of internal machines.

2. Counterfeit email

Overview: because SMTP does not authenticate the identity of the sender of the email, hackers can forge an email to your internal customer, claiming to be a person recognized and trusted by a customer, A Trojan program that can be installed or a connection to a malicious website is attached.

Defense: use security tools such as PGP and install email certificates.