I. Preface
In this constantly changing world, security vulnerabilities are everywhere in the network. Even when old security holes are patched, new vulnerabilities keep emerging. Network attacks exploit these vulnerabilities and security flaws to attack systems and resources.
Some people may take an indifferent attitude toward network security, thinking that attackers mostly just steal accounts and do little harm. They tend to think that "security" is only a concern for large and medium-sized enterprises and websites. In fact, whatever the technique, the hacker's motive is to become the master of the target host. Once they gain superuser privileges on a networked host, they can modify the resource configuration on that host, plant "Trojan" programs, hide their tracks, execute arbitrary processes, and so on. Who wants others to have these privileges on their machine? Moreover, the motives of these attackers are not all so simple. Therefore, every one of us may face security threats, and it is necessary to understand network security and know how to deal with some security issues.
Let's take a look at how attackers find security holes in your computer and how they attack.
II. Network attack steps
Step one: Hide your own location
Ordinary attackers use other people's computers to hide their real IP addresses. Sophisticated attackers also use an unattended 800-number call-transfer service to connect to the ISP and then use another person's stolen account to get on the Internet.
Step two: Find and analyze the target host
The attacker first locates the target host and analyzes it. On the Internet, what really identifies a host is its IP address; the domain name is just another, easier to remember, name for the host's IP address, so the target host can be found using either the domain name or the IP address. Of course, knowing where the target is does not suffice; the attacker must also have a comprehensive understanding of the host's operating system type and the services it provides. At this point, attackers use scanner tools to easily learn which version of the operating system the target host runs, what account system it uses, and which versions of the WWW, FTP, Telnet, SMTP and other server programs it runs, making full preparation for the intrusion.
Step three: Obtain an account and password and log in to the host
If attackers want to break into a host, they must first have an account and password for that host, otherwise they cannot even log in. This often forces them to first try to steal the account file and crack it to obtain a user's account and password, then find the right moment to enter the host. Of course, using tools or system vulnerabilities to log in to the host is also a common technique for attackers.
Step four: Gain control
Attackers use FTP, Telnet and other tools to access the target host system. After gaining control, they do two things: clear the records and leave a back door. They change some system settings and place a Trojan horse or other remote-control program in the system so that they can get in again without being detected. Most backdoor programs are precompiled; the attacker only needs to find a way to modify their time stamps and permissions before they can be used, and may even make the new file size exactly the same as the original. Attackers typically use rcp to transfer these files so that no FTP records are left behind. After clearing the logs and deleting the copied files to hide their traces, the attacker begins the next move.
Step five: Steal network resources and privileges
Once the attacker has reached the attack target, it continues with the next attack, such as downloading sensitive information, stealing account passwords and credit card numbers for financial theft, or paralyzing the network.
III. Principles and methods of network attacks
1. Password intrusion
The so-called password intrusion refers to logging in to the target host with a legitimate user's account and password and then carrying out attack activities. The premise of this method is that the attacker must first obtain the account of a legitimate user on the host and then crack that user's password. There are many ways to obtain an ordinary user's account, such as:
Using the target host's finger function: when the finger command is used to query, the host system displays the saved user information (such as user name, login time, etc.) on the terminal or computer;
Using the target host's X.500 service: some hosts do not turn off the X.500 directory query service, which provides an easy way for attackers to obtain information;
Collecting from e-mail addresses: some users' e-mail addresses directly disclose their accounts on the target host;
Checking whether the host has habitual accounts: experienced users know that many systems use certain habitual account names, which causes those accounts to leak.
There are three different ways to do this:
(1) Obtaining user passwords illegally through network monitoring. This method has certain limitations, but it is extremely harmful. Listeners often use man-in-the-middle interception as well, which is also an effective way to obtain user accounts and passwords. Nowadays, many protocols do not use any encryption or identity authentication at all. In the case of Telnet, FTP, HTTP, SMTP and other transport protocols, user accounts and password information are transmitted in clear text, and if an attacker uses a packet interception tool it is easy to collect your account and password. There is also a more powerful man-in-the-middle attack method: it can complete the "three-way handshake" with the server to establish a connection and play the role of a "third party" during the communication, faking the server's identity to deceive you and then impersonating you to send malicious requests to the server, with disastrous consequences. In addition, attackers sometimes use software and hardware tools to monitor the system host continuously, waiting to record user login information and obtain user passwords, or use SUID programs with buffer overflow errors to gain superuser privileges.
(2) After learning the user's account (such as the part of an e-mail address before the @), using specialized software to crack the user's password by force. This method is not limited by the network segment, but the attacker needs enough patience and time; for example, using the dictionary exhaustive method (brute force) to crack the user's password. Using a number of tool programs, the attacker automatically takes a word from a computer dictionary as the user's password, sends it to the remote host and requests access to the system; if the password is wrong, it takes the next word in order and tries again, repeating the cycle until the correct password is found or all the words in the dictionary have been tried. Because the decoding process is done automatically by a computer program, all the words in a 100,000-entry dictionary can be tried in a few hours.
(3) Exploiting system administrator errors. In a modern Unix operating system, the user's basic information is stored in the passwd file, and all passwords are encrypted with DES and stored separately in a file called shadow. Once hackers obtain the password file, they use special DES-cracking programs to recover the passwords. At the same time, because a large number of operating systems have many security vulnerabilities, bugs or other design flaws, once these flaws are identified, hackers can walk straight in. For example, BO (Back Orifice), which opens a back door in Windows 95/98 systems, exploits basic design flaws of Windows.
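The dictionary attack described above leaves a recognizable trace in login records: a burst of failed logins from one source, sometimes followed by a success. The following Python script is an added example, not part of the original article; it assumes a constructed syslog-style log format and constructed sample lines, and flags sources whose failures exceed a threshold inside a sliding window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from the article). The line format is an
# assumption: "<timestamp> <service>: Failed|Accepted password for <user> from <ip>".
SAMPLE_LOG = """\
2024-03-01 10:00:01 telnetd: Failed password for alice from 198.51.100.7
2024-03-01 10:00:02 telnetd: Failed password for alice from 198.51.100.7
2024-03-01 10:00:03 telnetd: Failed password for alice from 198.51.100.7
2024-03-01 10:00:04 telnetd: Failed password for alice from 198.51.100.7
2024-03-01 10:00:05 telnetd: Failed password for alice from 198.51.100.7
2024-03-01 10:00:06 telnetd: Accepted password for alice from 198.51.100.7
2024-03-01 10:05:00 ftpd: Failed password for bob from 203.0.113.5
2024-03-01 10:30:00 ftpd: Failed password for bob from 203.0.113.5
2024-03-01 11:00:00 ftpd: Accepted password for bob from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Yield (timestamp, result, user, ip) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                   m["result"], m["user"], m["ip"])


def detect_dictionary_attacks(text, threshold=5, window=timedelta(minutes=1)):
    """Flag source IPs that produce `threshold` or more failed logins inside a
    sliding time window, and record whether a later success followed the burst
    (the sign that the guessing worked and the account should be treated as
    compromised). Returns {ip: {"user", "first_seen", "succeeded"}}."""
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the window
    flagged = {}
    for ts, result, user, ip in parse_events(text):
        if result == "Failed":
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that have aged out of the window.
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged[ip] = {"user": user, "first_seen": recent[0], "succeeded": False}
        elif ip in flagged:
            # A success from an already-flagged source: the burst paid off.
            flagged[ip]["succeeded"] = True
    return flagged


if __name__ == "__main__":
    for ip, info in detect_dictionary_attacks(SAMPLE_LOG).items():
        state = "SUCCEEDED" if info["succeeded"] else "failed so far"
        print(f"{ip}: burst against '{info['user']}' from {info['first_seen']} ({state})")
```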
2. Placing a Trojan horse program
Trojan horse programs can directly invade the user's computer and cause damage. They are often disguised as tools or games to persuade users to open a Trojan horse mail attachment or download it directly from the Internet. Once the user opens such an attachment or runs such a program, it stays on the computer like the soldiers hidden in the Trojan horse, hiding a program in the computer system that runs silently when Windows starts. When you connect to the Internet, the program notifies the attacker, reporting your IP address and a pre-set port. After receiving this information, the attacker can use the planted program to arbitrarily modify your computer's parameters, copy files, peek at the contents of your entire hard drive, and so on, controlling your computer.
3. WWW deception technology
Users on the Internet can use IE and other browsers to visit all kinds of websites, for example to read newsgroups, check product prices, subscribe to newspapers, or do e-commerce. However, ordinary users may not realize that these problems exist: the web page being visited has been tampered with by a hacker, and the information on the page is false! For example, the hacker redirects the URL of the page the user wants to browse to the hacker's own server; when the user browses the target page, the request is actually sent to the hacker's server, and the hacker achieves the purpose of deception.
Common web spoofing uses two technical means, namely URL rewriting and related-information masking. With URL rewriting, the attacker points addresses at his own web server by adding his own web address in front of all URL addresses. In this way, when the user believes he is safely linked to the site, he is defencelessly entering the attacker's server, so that all the information recorded is under the attacker's watch. But because browsers generally have an address bar and a status bar, when the browser connects to a site the user can see the site's address and related transmission information in the address bar and status bar and may discover the problem. So while rewriting the URL address, attackers usually also use related-information masking, that is, JavaScript programs that rewrite the address bar and status bar, in order to cover up the deception.
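As an added example (not from the original article), the Python script below checks a page's links for the signs of the web spoofing described above: a second URL embedded behind the attacker's address, a displayed URL whose host differs from the link's real host, and script on the link that overwrites the browser status bar. The sample HTML and the attacker.example / www.bank.example host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample page (not from the article). The rewritten links mimic the
# "attacker address prefixed to every URL" technique the section describes.
SAMPLE_HTML = """
<html><body>
<a href="https://www.bank.example/login">https://www.bank.example/login</a>
<a href="http://attacker.example/https://www.bank.example/login">https://www.bank.example/login</a>
<a href="http://attacker.example/go?u=https%3A%2F%2Fwww.bank.example%2F">Bank</a>
<a href="http://attacker.example/h" onmouseover="window.status='https://www.bank.example/help';return true">Help</a>
</body></html>
"""

EMBEDDED_URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
STATUS_RE = re.compile(r"window\.status\s*=", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect each <a> tag's href, its visible text and all of its attributes."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            d = dict(attrs)
            self._current = {"href": d.get("href") or "", "text": "", "attrs": d}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data.strip()

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def find_rewritten_links(html):
    """Return [(href, [reasons])] for links that show signs of URL rewriting or masking."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        href = link["href"]
        parsed = urlparse(href)
        reasons = []
        # 1. A second absolute URL hidden in the path or query (after %-decoding):
        #    http://attacker/http://bank/... is the hallmark of URL rewriting.
        if EMBEDDED_URL_RE.search(unquote(parsed.path + "?" + parsed.query)):
            reasons.append("embedded url")
        # 2. The link text shows a URL whose host is not where the link really goes.
        shown = EMBEDDED_URL_RE.search(link["text"])
        if shown and urlparse(shown.group(0)).hostname != parsed.hostname:
            reasons.append("displayed host differs")
        # 3. Script on the link overwrites the status bar, masking the true destination.
        if any(STATUS_RE.search(v or "") for v in link["attrs"].values()):
            reasons.append("status bar rewritten")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in find_rewritten_links(SAMPLE_HTML):
        print(f"suspicious link {href}: {', '.join(reasons)}")
```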
4. E-mail attacks
E-mail is a very widely used communication method on the Internet. Attackers can use mail-bomb software or CGI programs to send a large amount of repetitive, unwanted spam to the destination mailbox, so that the mailbox is "blown up" and becomes unusable. When spam is sent at a particularly high volume, it can also slow down the mail system's normal operation or even paralyze it. Compared with other attack methods, this method has the advantages of simplicity and quick effect.
E-mail attacks are mainly performed in two ways:
(1) E-mail bombing and e-mail "snowballing", commonly referred to as mail bombs, refer to using forged IP addresses and e-mail addresses to send thousands, millions or even countless copies of the same junk e-mail to the same mailbox, so that the victim's mailbox is "bombed"; in serious cases this may endanger or even paralyze the e-mail server's operating system;
(2) E-mail spoofing: an attacker impersonates the system administrator (using a mail address matching the administrator's) and sends a message asking the user to change the password (possibly to a specified string) or to load a virus or other Trojan horse in a seemingly normal attachment.
5. Attacking other nodes through one node
After breaking into a host, attackers often use it as a base to attack other hosts (to conceal their intrusion path and avoid leaving clues). They can use network sniffing to try to break into other hosts on the same network, or attack other hosts through IP spoofing and host trust relationships.
Such attacks are cunning, but some of the techniques, such as TCP/IP spoofing, are difficult to master. An attacker can carry out the attack by using an external computer to pretend to be another legitimate machine. It can capture data on the communication link between two machines, and its disguise is aimed at tricking other machines in the network into accepting it as a legitimate machine, luring them to send it data or to allow it to modify data. TCP/IP spoofing can occur at all levels of the TCP/IP system: the data link layer, network layer, transport layer and application layer are all susceptible. If a lower layer is compromised, all protocols up to the application layer are at risk. In addition, because the user does not communicate directly with the lower layers, attacks on the lower layers are more deceptive.
6. Network monitoring
Network monitoring is a mode of operation of a host in which the host can receive all the information transmitted on the same physical channel of its network segment, regardless of the sender and receiver of the information. Because during password checking the password the user enters must be sent from the client to the server, an attacker positioned between the two sides can monitor the data. At this point, if the communication between the two hosts is not encrypted, the attacker can easily intercept passwords and account information just by using network monitoring tools (such as NetXRay for Windows 95/98/NT, or Sniffit for Linux and Solaris). Although obtaining user accounts and passwords through network monitoring has certain limitations, a listener can often obtain all the user accounts and passwords on its own network segment.
7. Attacks using hacker software
Attacking with hacker software is a more aggressive approach on the Internet. Back Orifice 2000, Glacier and others are well-known Trojan horses that can illegally obtain superuser-level rights on the user's computer and fully control it; besides file operations, they can also capture the other side's desktop, obtain passwords and perform other operations. This hacker software is divided into a server side and a client side. When attacking, the hacker uses the client program to log on to a computer on which the server-side program has been installed. These server-side programs are relatively small and are usually attached to other software. It is possible that when a user downloads and runs a small game, the installation of the hacker software's server side is completed; most hacker software also has a strong ability to regenerate itself, causing the user some trouble in cleaning it up. In particular, a TXT file deception appeared recently: on the surface it appears to be a .txt text file, but it is actually an executable hacker program, and some other programs are disguised as pictures and other file formats.
8. Security vulnerability attacks
Many systems have security vulnerabilities (bugs). Some of these are in the operating system or the application software itself, such as the ones exploited by buffer overflow attacks. Since many systems do not check the boundary between the program and the buffer, they accept input of arbitrary length, the data overflows on the stack, and the system still executes the command. This allows an attacker to send an instruction longer than the buffer can handle so that the system enters an unstable state. If the attacker specifically constructs the string of characters used for the attack, he can even access the root directory and thereby gain absolute control over the entire network. Others exploit protocol vulnerabilities. If an attacker exploits POP3, he must launch an attack on the root directory; destroying the root directory yields superuser privileges. ICMP is also often used to launch denial-of-service attacks. The specific approach is to send a large number of packets to the destination server, consuming almost all of the server's network bandwidth so that it cannot handle normal service requests, which makes the website inaccessible, greatly reduces the website's response speed, or paralyzes the server. Common worms or viruses of this kind can also launch a denial-of-service attack on a server. They are highly capable of reproducing, typically sending virus-laden messages to numerous mailboxes through Microsoft's Outlook software, so that the mail server cannot cope with such a large amount of data processing. Individual Internet users can also be attacked by a large number of packets that make normal network operation impossible.
9. Port scan attacks
The so-called port scan uses socket programming to establish TCP connections with the target host's ports, perform transport protocol verification, and so on, in order to learn which of the target host's ports are active, which services the host provides, whether the provided services have defects, and so on. Commonly used scanning methods are the connect() scan and the fragmentation scan.
IV. Attack tools commonly used by attackers
1. DoS attack tools:
For example, WinNuke crashes the system with a blue screen by sending OOB data that exploits a vulnerability; Bonk causes the system to reboot by sending a large number of spoofed UDP packets; Teardrop crashes the system's TCP/IP stack by sending overlapping IP fragments; WinArp generates a large number of windows on the other machine by sending a special packet; Land causes the system to reboot by sending a large number of SYN-based TCP requests with spoofed source IPs; Flushot causes the system to freeze by sending a specific IP packet; Bloo slows the system down or even freezes it by sending a large number of ICMP packets; Pimp causes a blue screen or even a reboot through an IGMP vulnerability; and Jolt makes the system very slow or even restarts it through a large number of spoofed ICMP and UDP packets.
2. Trojan horse programs
(1) BO2000 (Back Orifice): the most full-featured TCP/IP-based attack tool; it can gather information, execute system commands, reset the machine, and redirect network client/server applications. BO2000 supports multiple network protocols, can be transmitted using TCP or UDP, and can be encrypted with an XOR encryption algorithm or the more advanced 3DES encryption algorithm. A machine infected with BO2000 is completely under someone else's control: the hacker becomes a superuser, and all of your operations can be recorded by BO2000 like a "hidden camera" making a "videotape".
(2) Glacier: Glacier is a domestic (Chinese) Trojan program with a simple Chinese interface, and only a few popular anti-virus programs and firewalls can detect its presence. Its functions are not inferior to foreign Trojan horse programs. It can automatically track changes on the target machine's screen and completely simulate keyboard and mouse input, that is, the screen changes on the controlling end are synchronized with the monitored end, and all keyboard and mouse operations on the monitored end are reflected on the controlling end's screen. It can record a variety of password information, including the power-on password, screensaver password, various shared-resource passwords, and most of the password information that appears in dialog boxes; it can obtain system information; it can also perform registry operations, including browsing, adding, deleting, copying and renaming keys and reading and writing key values.
(3) Netspy: can run on a variety of platforms, such as Windows 95/98/NT/2000. It is a simple TCP/IP-based file transfer program, but in fact you can think of it as an enhanced FTP server without permission control. It allows attackers to download and upload arbitrary files on the target machine without the user's knowledge and to perform special operations.
(4) Glacier: the program can automatically track changes on the target computer's screen, obtain the target computer's login password and a variety of other password information, obtain the target computer's system information, restrict the target computer's system functions, operate arbitrarily on the target computer's files and directories, shut it down remotely, send messages, and perform other monitoring functions. Similar to BO2000.
(5) Keyboard Ghost: Windows is a message-loop-based operating system. The core of the system reserves a certain number of bytes as the keyboard input buffer, whose data structure is a queue. Keyboard Ghost accesses this queue directly, so that the e-mail and proxy accounts and passwords you type (displayed on screen as asterisks) can all be recorded: every character typed into a password window in the form of asterisks is recorded, and a hidden file named KG.DAT is generated under the system root directory.
(6) Exebind: this program can bind a specified attack program to any popular software, so that when the host program runs, the parasitic program also runs in the background, and it supports multiple bundles. It actually works by splitting the file multiple times and having the parent process invoke the child process multiple times.
V. Network attack coping strategies
On the basis of the above analysis and understanding of network attacks, we should carefully formulate targeted strategies: identify the objects to secure and set up a strong security guarantee system. Fortify each network layer in a targeted way and make each layer play its role, so that every layer becomes a checkpoint and attackers have no gap to slip through and no opening to exploit. We must also prepare in advance, take preventive measures, back up important data and always pay attention to the system's operating status. Here are a few suggestions on some of the most worrying issues of network security.
1. Improve security awareness
(1) Do not casually open e-mails and documents of dubious origin, and do not run programs given to you by people you do not know; "Trojan" hacker programs, for example, need to trick you into running them.
(2) Try to avoid downloading unknown software and game programs from the Internet. Even software downloaded from well-known websites should be scanned promptly, together with the system, using the latest virus and Trojan removal software.
(3) Set passwords using a mixture of letters and digits as far as possible; simple English words or digits alone are easily exhausted. Use different passwords for different common uses, so that someone who discovers one cannot use it to reach the important password associated with it. Important passwords are best changed frequently.
(4) Download and install system patches in time.
(5) Do not run hacker programs; many such programs send out your personal information when run.
(6) On BBS forums that support HTML, if a prompt asking you to submit something appears, first look at the page's source code; it is likely a trap to steal passwords.
2. Use anti-virus, anti-hacker and firewall software
A firewall is a barrier that prevents hackers on the network from accessing an organization's network; it can also be called a threshold that controls communications in both directions, inbound and outbound. By establishing a network communication monitoring system at the network boundary, the internal and external networks are isolated so as to block intrusions from the external network.
3. Set up a proxy server to hide your own IP address
It is important to protect your own IP address. In fact, even if a Trojan is installed on your machine, without your IP address the attacker has no way in, and the best way to protect your IP address is to set up a proxy server. A proxy server can act as an intermediary for the internal network's requests to access the external network; it functions like a data forwarder and mainly controls which users can access which types of service. When the external network requests some network service from the internal network, the proxy server accepts the request and then, depending on the type of service, the service content, the object being served, the time the service was requested, the domain name of the requester and so on, forwards the request to the internal network.
4. Treat anti-virus and anti-hacking as daily routine work: update the anti-virus components regularly and keep the anti-virus software resident at all times so that it can do its job.
5. Since hackers often launch attacks on specific dates, computer users should be particularly vigilant during those periods.
6. Protect important personal information rigorously and develop the habit of backing up data.