Network access attack and defense war on the escalating process

Intermediary transaction http://www.aliyun.com/zixun/aggregation/6858.html ">seo diagnose Taobao guest cloud host technology Hall

In many large enterprises and in some countries, access restrictions are usually made to restrict access to certain Web sites or to certain network applications by employees or people. Restrictive methods usually have router IP filtering and enforcing the use of proxy servers, among other ways.

Router IP filtering refers to the use of the Internet or foreign IP blacklist in the router, so that the intranet or domestic can not access the external network or foreign IP, to restrict access to the purpose. Forcing the use of proxy server filtering is usually only used in large enterprises, refers to the intranet must be through a proxy server to access the extranet, then the proxy server can be more complex filtering mechanism. This article is mainly about IP filtering attack and defense war, about proxy server attack and defense war next discussion. The following sequence of network access attack and defense war on the escalating process:

First of all, if you want to prohibit people access to certain sites, then router managers can set IP filtering rules in the router, the IP of these sites blacklist, nature people can not access these sites.

After that, people use proxy servers to bypass the restrictions in order to continue accessing these sites. The proxy server has thousands of IPs and is constantly changing, making it a passive task to restrict access to the network.

However, because the Proxy server protocol is clear, by listening to network packets and making automated collection of the program can know which proxy servers are accessed and automatically add Proxy server IP to the IP blacklist, so the use of normal proxy server bypass access restrictions are ineffective, Working around network access restrictions is a fairly passive situation.

Therefore, in order to avoid detection of proxy server address, encryption agent software came into being. The communication protocol between the user and the proxy server is encrypted, which makes it impossible to analyze the IP address of the proxy server simply by listening to the network packet. Again, the task of restricting access to the web is in a passive situation.

However, the encryption agent software also needs to communicate with the proxy server, but also need to know the IP address of the cryptographic proxy server. Therefore, the encryption agent software generally at the start to some of the encryption proxy server IP address to obtain encryption proxy server IP. Then, only need to take out a single computer, start the encryption agent software, the computer network communication monitoring, then you can know the distribution of encryption agent IP address, so that the publishing point for IP filtering. And can be made into a program to automatically start the encryption agent software, automatic monitoring of data packets, automatic encryption Agent IP publishing location of the IP blacklist, so that the encryption agent software can not obtain encryption agent IP, encryption agent software failure, bypassing the network restrictions on the work once again in a very disadvantageous position.

In order to deal with this situation, the encryption agent software needs to mix the traffic of the Access Proxy IP publishing point to the traffic that accesses the non-proxy IP publishing point. For example, the encryption agent software startup, first access to a large number of other Web sites, access to other sites in one of the IP publishing point, so that the traffic is mixed, not through a simple network packet listening to obtain the IP address of the proxy IP publishing point. If all the detected addresses are blacklisted, then many sites will be mistakenly blocked. Restricting access to your network is at a disadvantage.

Then, in order to continue restricting network access, the network administrator filters the IP of the cryptographic agent instead of the IP of the publishing point. After the start of the encryption agent software, through the encryption agent to download a large file, then the traffic is relatively large IP is the encryption agent IP. In this way, the network administrator can still make automatic blocking encryption agent software program, bypassing the network restrictions of work failed again.

Then, the encryption agent software can take the same idea, the Access agent IP traffic mixed in other traffic, and the spread of traffic evenly divided and constantly transform the agent IP, making it impossible to access the network packet traffic statistics to obtain encryption agent IP. People can again bypass network access restrictions. However, because the traffic is divided equally, so the speed is usually only a fraction of one, most of the traffic is spent on confusing the network administrator's program.

Here, network access attack and defense war seems to have gone to the end, but the Smart network administrator is not helpless. By reverse engineering The cryptographic agent software, you can still find the publishing point of the proxy IP to filter the publishing point. However, this can not be through the analysis of network traffic using the program automatically find IP filter.

Finally, in order to prevent the reverse engineering, the encryption agent software itself is encrypted by software, which makes the reverse engineering very difficult. The next is the software encryption and crack between the intelligence contest.

Summary: If the network traffic is not confused, then the program can automatically find useful IP filter. If the encryption software is not encrypted, it is also relatively easy to reverse engineering, so as to find a useful IP for filtering. Encryption agent software authors need to be constantly wary of software to be cracked, once cracked, then need to upgrade the encryption agent software, so that restrictions on network access work needs to be cracked software to continue to implement.

The author's Twitter: @davidsky2012, the author of Google reader:https://www.google.com/reader/shared/lehui99