Complete network common attacks and Prevention Manual

I. Preface hotspot Networks
In the ever-changing world of networks, security vulnerabilities in networks are everywhere. Even if the old security vulnerabilities are replaced, new security vulnerabilities will emerge. Network Attacks use these vulnerabilities and security defects to attack systems and resources.
Some people may have an indifferent attitude towards network security, and think that the most serious harm is caused by account theft by attackers. They often think that "security" is only for large and medium-sized enterprises and websites. In fact, technically, hackers are motivated to become the host of the target host. Once they have the superuser permissions of a network host, they may modify the resource configuration, place the "Trojan" program, hide their whereabouts, and execute arbitrary processes on the host. Who of us want others to possess these privileges without fear on our machines? What's more, these attackers are not simply motivated. Therefore, each of us may face security threats. It is necessary to understand network security and handle security issues.
Next, let's take a look at how attackers find security vulnerabilities on your computer and learn about their attack methods.
Ii. Network Attack steps
Step 1: Hide your location
Common attackers can exploit others' computers to hide their real IP addresses. Sophisticated attackers can also connect to the ISP using the 800-phone no-transfer service, and then steal others' accounts to access the Internet.
Step 2: Find the target host and analyze the target host
Attackers must first find the target host and analyze the target host. On the Internet, the host is actually identified by an IP address, and the domain name is a different name to facilitate the memory of the host's IP address, as long as the domain name and IP address can be used to find the target host smoothly. Of course, it is not enough to know where to attack the target. You must also have a comprehensive understanding of the host's operating system type and the services it provides. At this time, attackers will use some scanner tools to easily obtain which operating system the target host runs and which accounts the system has, WWW, FTP, Telnet, SMTP, and other information about the server program version, to fully prepare for intrusion.
Step 3: Get the account and password and log on to the host
If an attacker wants to intrude into a host, he must first have an account and password for the host. Otherwise, the attacker cannot log on to the host. This often forces them to first steal account files, crack them, obtain a user's account and password, and then find the right time to access the host. Of course, using some tools or system vulnerabilities to log on to the host is also a common technique used by attackers.
Step 4: obtain control
After attackers use FTP, Telnet, and other tools to exploit system vulnerabilities to access the target host system and gain control, they will do two things: clear records and leave backdoors. It will change some system settings, set a Trojan horse in the system, or some other remote manipulation programs so that you can access the system again without notice. Most Backdoor programs are pre-compiled. You only need to modify the time and permissions to use them. Even the size of the new file is the same as that of the original file. Attackers generally use rep to pass these files so that no FTB record is left. Attackers can exploit this vulnerability to hide their traces by clearing logs and deleting copied files.
Step 5: steal network resources and privileges
After the attacker finds the target, the next attack will continue. For example, downloading sensitive information; stealing account passwords, credit card numbers, and other economic theft; paralyzing the network.
Iii. Principles and Techniques of Network Attacks
1. Password intrusion
Password intrusion refers to using the accounts and passwords of some valid users to log on to the target host and then conduct attacks. The premise of this method is that you must first obtain the account of a valid user on the host, and then decrypt the valid user password. There are many ways to obtain an ordinary user account, such
Use the Finger function of the target host: when you use the Finger command to query data, the host system displays the Stored User information (such as the user name and logon time) on the terminal or computer;
The X.500 service of the target host is used: Some hosts do not close the X.500 Directory query service, which also provides attackers with a simple way to obtain information.
Collection from email addresses: Some users' email addresses often disclose their accounts on the target host;
Check whether the host has a habitual account: Experienced users know that many systems use habitual accounts, causing account leakage.
There are three methods:
(1) illegal access to user passwords through network listening. Such methods have some limitations, but are extremely harmful. Listeners often intercept user accounts and passwords. Currently, many protocols do not adopt any encryption or identity authentication technology, such as Telnet, FTP, HTTP, SMTP, and other transmission protocols, both user account and password information are transmitted in plaintext format. At this time, If attackers use the data packet capture tool, they can easily collect your account and password. Another method of intercept attack is even more powerful. It can assume the role of a "third party" in the communication process after you complete the "three-way handshake" connection with the server, the consequences of spoofing your server identity and then sending malicious requests to the server are unimaginable. In addition, Attackers sometimes use software and hardware tools to monitor the work of the system host and wait to record user logon information to obtain the user password; you can also compile SUID programs with buffer overflow errors to obtain super user permissions.
(2) It is necessary to use some special software to forcibly crack the user's password after knowing the user's account (such as the email @). This method is not restricted by the network segment, however, attackers must have enough patience and time. For example, the dictionary brute force (or brute force) is used to crack the user's password. Attackers can use some tool programs to automatically extract a word from the computer dictionary as a user's password, and then input it to the remote host to apply for entry into the system. If the password is incorrect, take out the next word in order, try the next word, and keep repeating until the correct password or dictionary word is found. Since this deciphering process is automatically completed by a computer program, you can try all the words in the dictionary of the last 100,000 records in a few hours.
(3) System Administrator errors. In modern Unix operating systems, users' basic information is stored in the passwd file, and all passwords are encrypted by the DES encryption method and stored in a file called shadow. After obtaining the password file, hackers will use a program dedicated to crack the DES encryption method to crack the password. At the same time, because many operating systems have many security vulnerabilities, bugs, or some other design defects, once these defects are identified, hackers can drive them into the system. For example, BO, which exposes Windows 95/98 System backdoors, takes advantage of the basic design defects of Windows.
, Trojan Horse placement
A Trojan horse can directly intrude into a user's computer and destroy it. It is often disguised as a tool program or a game, which induces the user to open an email attachment with a Trojan horse or download it directly from the Internet, once a user opens attachments to these emails or executes these programs, they will remain on their computers like a Trojan horse full of soldiers left out of the enemy's city, and hide a program that can be quietly executed during windows Startup in your computer system. When you connect to the Internet, this program will notify attackers to report your IP addresses and preset ports. After receiving the information, attackers can use the program lurking in it to modify the parameter settings of your computer, copy files, and view the content of your entire hard disk, to control your computer.
3. WWW spoofing technology
Online users can use IE and other browsers to access various WEB sites, such as reading news groups, consulting product prices, subscribing to newspapers, and e-commerce. However, users may not think of these problems: the accessed webpage has been tampered with by hackers, and the information on the webpage is false! For example, a hacker changes the URL of a web page to point to the hacker's own server. When a user browses a target web page, a request is actually sent to the hacker server, then hackers can achieve the purpose of deception.
Generally, Web spoofing uses two technical means: URL address Rewriting Technology and Related Information masking technology. By using URL addresses, these addresses are directed to the attacker's Web server. That is, attackers can add their own Web addresses to the front of all URL addresses. In this way, when a user makes a secure connection to the site, the user enters the attacker's server with no defense, so all the information recorded is under the surveillance of the attacker. However, browsing devices generally have address bars and status bars. When the browser is connected to a site, you can obtain the connected Web site address and its related transmission information in the address bar and status samples, the user can discover the problem. Therefore, attackers often overwrite the URLf address and use the relevant information layout technology, that is, they generally use javascript programs to overwrite the address samples and the like samples, in order to achieve its goal of blocking.
4. Email attacks
Email is a widely used communication method on the Internet. Attackers can use some email bomb software or CGI programs to send a large number of duplicate and useless spam emails to the target mailbox, making the target mailbox unusable. When the sending traffic of spam is very large, the mail system may slow or even paralyze normal operations. Compared with other attack methods, this method is simple and effective.
Email attacks are mainly manifested in two ways:
(1) email bombing and email "snowball", which are commonly referred to as mail bombs, it refers to sending thousands of identical spam mails with the same content to the same mailbox using forged IP addresses and email addresses, resulting in the victim's mailbox being "bombed ", serious cases may cause danger or even paralysis to the operating system of the email server;
(2) The attacker pretends to be a system administrator (the email address is the same as that of the system administrator) and sends an email to the user asking the user to change the password (the password may be a specified string) or load viruses or other Trojans in seemingly normal attachments.
5. Use one node to attack other nodes
After breaking through a host, attackers often use this host as a base to attack other hosts (to conceal their intrusion paths and avoid leaving clues ). They can use network listening methods to attack other hosts in the same network. They can also attack other hosts through IP Spoofing and host trust relationships.
These attacks are tricky, but some technologies are hard to grasp, such as TCP/IP spoofing attacks. Attackers can use external computers to pretend to be another legitimate machine. It can damage the data on the communication links between two machines. Its disguise is to trick other machines in the network into mistakenly accepting the attackers as legitimate machines, entice another machine to send data to him or allow it to modify the data. TCP/IP spoofing can occur at all layers of the TCP/IP System, including the data link layer, network layer, transport layer, and application layer. If the underlying layer is damaged, all protocols at the application layer will be in danger. In addition, because the user does not directly communicate with the underlying layer, the attacks on the underlying layer are more deceptive.
6. Network listening
Network listening is a kind of working mode of the host. In this mode, the host can receive all the information transmitted on the same physical channel in this segment, regardless of the sender and receiver of the information. When the system performs password verification, the user-Entered password needs to be transmitted from the user end to the server end, and the attacker can perform data monitoring between the two ends. If the communication information of the two hosts is not encrypted, you only need to use some network listening tools (such as NetXRay for Windows95/98/NT, Sniffit for Linux, Solaries, and so on) you can easily intercept information including passwords and accounts. Although the user accounts and passwords obtained by network listeners have certain limitations, the listeners often obtain all the user accounts and passwords in their network segments.
7. hacker software attacks
Hackers use software to attack the internet. Back Orifice2000, glaciers, and so on are well-known Trojan horses. They can illegally obtain the superuser-level rights of users' computers and fully control them. Apart from file operations, you can also capture images and obtain passwords on the desktop. These hacking software is divided into server and client. When hackers initiate attacks, they will use the client program to log on to the computer where the server program has been installed. These server programs are relatively small, it is usually attached to some software. It is possible that when a user downloads a small game and runs it, the server side of the hacker software is installed, and most hacker software has a strong ability to regenerate, it causes some trouble to clear the user. In particular, there has recently been a TXT file spoofing method. It looks like a TXT file, but it is actually an executable program with a hacker program, in addition, some programs may pretend to be images and files in other formats.
8. Security Vulnerability attacks
Many systems have such security vulnerabilities (Bugs ). Some of them are owned by the operating system or application software. Such as buffer overflow attacks. Many systems accept data input of any length without checking the changes between the program and the buffer, store the overflow data in the stack, and execute commands as usual. In this way, the system enters an unstable state as long as the attacker sends an instruction that exceeds the buffer length. If an attacker configures a string of characters to be used as attack characters, the attacker can even access the root directory to gain absolute control over the entire network. Others are attacks by exploiting protocol vulnerabilities. For example, attackers must exploit this vulnerability in the root directory of POP3 to launch an attack, destroy the root directory, and obtain the permissions of Super Users. For example, ICMP is often used to launch DoS attacks. The specific method is to send a large number of data packets to the target server, which occupies almost all the network bandwidth of the server, thus making it unable to process normal service requests, as a result, the website cannot be accessed, the website response speed is greatly reduced, or the server is paralyzed. Currently, common worms or similar viruses can attack the server against denial-of-service attacks. Generally, Microsoft's Outlook software is used to send virus-infected emails to many mailboxes, making the mail server unable to handle such a huge amount of data processing. Individual Internet users may also be attacked by a large number of data packets, making them unable to perform normal network operations.
9. Port Scan attacks
Port Scanning uses Socket programming to establish TCP connections with certain ports of the target host and verify the transmission protocol, in this way, you can check whether the scan port of the target host is active, what services are provided by the host, and whether the services contain certain defects. Common scanning methods include Connect () scan. Fragmentation scan.
Iv. Common attack tools used by attackers
1. D. O.S attack tool:
For example, WinNuke causes the system blue screen by sending the OOB vulnerability; Bonk causes the system to restart by sending a large number of forged UDP packets; TearDrop causes the system's TCP/IP stack to crash by sending overlapping IP fragments; winArp generates a large number of windows by sending special packets on the other machine; Land resends the system by sending a large number of SYN-based TCP requests with spoofed source IP addresses; fluShot causes system solidification by sending specific IP packets; Bloo causes system slowdown or even solidification by sending a large number of ICMP packets; PIMP causes system blue screen or even restart through IGMP vulnerability; jolt causes the system to slow down or even restart through a large number of forged ICMP and UDP requests.
2. Trojan program
(1) BO2000 (BackOrifice): it is the most comprehensive TCP/IP framework attack tool. It can collect information, execute system commands, and reset machines, redirect the Client/Server application of the network. BO2000 supports multiple network protocols, which can be transmitted using TCP or UDP, and can also be encrypted using XOR or a more advanced 3DES encryption algorithm. After BO2000 is infected, the machine is completely under the control of others. hackers become super users and all your operations can be recorded as "videotape" by the "secret camera" of BO2000 ".
(2) "glaciers": glaciers are a trojan program made in China and have a simple chinese user interface. Only a few popular anti-virus and firewalls can detect the presence of glaciers. The functions of glaciers are not inferior to those of foreign Trojans. It can automatically track the screen changes of the target machine and completely simulate the keyboard and mouse input, that is, while synchronizing the screen changes of the controlled terminal and the monitoring terminal, all keyboard and mouse operations on the monitored side are displayed on the control side screen. It can record various password information, including the boot password, screen saver password, various shared resource passwords, and most of the password information that appears in the dialog box; it can obtain system information; it can also perform registry operations, including browsing, adding, deleting, copying, renaming, and reading and writing key values.
(3) NetSpy: it can run on Windows 95, 98, NT, 2000, and other platforms. It is a simple file transfer software based on TCP/IP, but you can actually think of it as an enhanced FTP server without permission control. Attackers can download and upload arbitrary files on the target machine, and perform some special operations.
(4) Glacier: this program can automatically track the screen changes of the target computer, obtain the logon passwords of the target computer and various password information, obtain the information of the target computer system, restrict the functions of the target computer system, operate any files on the target computer and directory, remote shutdown, sending information, and other monitoring functions. Similar to BO2000.
(5) KeyboardGhost: Windows is an operating system based on MessageLoop. The core area of the system retains certain bytes as the buffer for keyboard input. The data structure is queue. The keyboard ghost directly accesses this queue so that you can enter your email address, proxy account, and Password (an asterisk is displayed on the screen) on the keyboard to record it, all the symbols related to the password window displayed in the form of a star will be recorded, and a file named KG will be generated under the root directory of the system. DAT implicit file.
(6) ExeBind: This program can bind the specified attack program to any popular software, so that when the host Program is executed, the parasitic program is also executed in the background, multiple bindings are supported. In fact, it is implemented by splitting files multiple times and calling sub-processes from the parent process multiple times.
V. Network Attack Response Strategies
Based on the above analysis and identification of network attacks, we should carefully develop targeted policies. Define security targets and set up a strong security protection system. Targeted, provides defense at the middle layer of the network, and plays the role of each layer of the network, making each layer a level, so that attackers can drill freely and do nothing. It is also necessary to ensure that important data is backed up and the system running status is always noticed. The following are some suggestions for a wide range of worrying network security issues:
1. Improve Security Awareness
(1) do not open unknown emails or files at will, and do not run programs from people you do not know. For example, hackers of the "Trojan" type need to lie to you for running.
(2) avoid downloading unknown software and game programs from the Internet. Even software downloaded from a well-known website must be scanned using the latest virus and Trojan Scan software.
(3) try to use a mix of letters and numbers for password settings. It is easy to use only English letters or numbers. Set different common passwords to prevent them from being identified and associated with important passwords. It is best to change important passwords frequently.
(4) promptly download and install system patches.
(5) do not run hacker programs at will. Many of these programs will send your personal information.
(6) On BBS that supports HTML, if a warning is reported, check the source code first, which is likely to be a trap for obtaining a password.
2. Use anti-virus, anti-Black and other firewall software.
A firewall is a barrier used to prevent hackers from accessing the network of a certain organization. It can also be called a barrier for Controlling Inbound/outbound communication. On the network boundary, the corresponding network communication monitoring system is established to isolate the internal and external networks to prevent the intrusion of the external network.
3. Set the proxy server to hide its own IP address.
It is important to protect your own IP addresses. In fact, even if a trojan program is installed on your machine and you do not have your IP address, attackers cannot do it. The best way to protect the IP address is to set up a proxy server. The proxy server can be used for intermediate forwarding of external network requests to access the internal network. Its function is similar to a data forwarder, which mainly controls which users can access which service types. When an external network applies for a certain type of network service from an internal network, the proxy server accepts the application, then, it determines whether to accept the service based on its service type, service content, service objects, time applied by the service provider, and the domain name range of the applicant. If yes, it forwards the request to the internal network. Hotspot Network
4. Take anti-virus and anti-black as routine examples, regularly update the anti-virus components, and keep the anti-virus software in the resident status to completely prevent viruses.
5. As Hackers often launch attacks against specific dates, computer users should be particularly alerted during this period.
6. Strictly protect important personal data and develop the habit of backing up data