How to use a network intrusion detection system to prevent hacker attacks

Source: Internet
Author: User
Tags: reset firewall

This article looks at the weaknesses of intrusion detection systems in order to understand how attackers get past them. The usual pitch goes like this: once a network intrusion detection system (NIDS) is installed it will analyse the attacks arriving from the Internet, its counterattack function can be used to terminate or block the offending connection, and it can even cooperate with the firewall, dynamically rewriting the firewall's access rules so that every further connection from that IP address is rejected. This attractive "prospect" is the standard selling point of many IDS vendors, and most enterprises and organisations set up an IDS with exactly this in mind. Admittedly, an IDS can monitor and detect intrusions well and is a real help to the security of an enterprise or organisation. But just as a thief's methods are "updated" against each new lock design, the methods for getting around a NIDS have been "upgraded" too, and attackers today have a fairly complete understanding of how intrusion detection systems work. Below we look at the weaknesses of intrusion detection systems to understand the techniques attackers use against them.

I. Design flaws in the recognition method

1. Most network intrusion detection systems work by comparing the strings they observe on the wire against a library of known attacks. For example, the phf CGI program shipped with early Apache web server versions was one of the tools attackers used to read the password file (/etc/passwd) on the server, or to make the server execute arbitrary commands for them. When an attacker exploits it, a string such as "GET /cgi-bin/phf?....." appears in the URL of the request. Many intrusion detection systems therefore simply check every URL request for the string /cgi-bin/phf to decide whether a phf attack is taking place.

2. This kind of check is used by many different intrusion detection systems, but because the products are designed with different ideas in mind, the way they compare differs. Some can only do a simple string comparison; others reconstruct and inspect the whole TCP session in detail. One design favours performance, the other recognition ability. During an attack, an attacker may take evasive steps to hide the intent of the request so that the IDS does not discover it. For example, the attacker can encode the characters of the URL as %xx hexadecimal escapes, so that "cgi-bin" becomes "%63%67%69%2d%62%69%6e"; a simple string comparison does not see the meaning of the encoded bytes. The attacker can also hide the real target by exploiting how paths are resolved: in a path, "./" means the current directory and "../" means the parent directory, so the web server resolves "/cgi-bin/././phf", "//cgi-bin//phf" and "/cgi-bin/blah/../phf?" all to "/cgi-bin/phf". A purely string-matching IDS only checks whether the request contains the literal "/cgi-bin/phf" and never discovers what these requests actually refer to.
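To make the difference between the two comparison styles in points 1 and 2 concrete, here is an added example that is not part of the original article: a naive substring rule for /cgi-bin/phf beside a detector that canonicalises the request path the way a web server does before matching. The request lines are constructed. The example goes one step beyond the text by also folding case (relevant for servers on case-insensitive file systems) and by decoding percent-escapes to a fixed point, which catches double encoding but is deliberately more permissive than Apache itself.

```python
"""
Signature matching with and without request normalisation.

Constructed example (not from the original article): a naive IDS rule that
looks for the literal string "/cgi-bin/phf" is compared with a detector
that first canonicalises the request-URI the way a web server would
(percent-decoding, case folding, collapsing duplicate slashes, resolving
"." and ".." path segments).
"""
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/phf"


def naive_match(request_line: str) -> bool:
    """Plain, case-sensitive substring comparison on the raw request line."""
    return SIGNATURE in request_line


def canonical_path(raw_uri: str) -> str:
    """Normalise a request-URI path roughly the way a web server does.

    Steps: strip the query string, percent-decode until the result stops
    changing (catches %25-style double encoding), fold case, then resolve
    "." / ".." segments and the empty segments produced by "//".
    """
    path = raw_uri.split("?", 1)[0]
    prev = None
    while prev != path:             # decode to a fixed point: "%2563" -> "%63" -> "c"
        prev, path = path, unquote(path)
    path = path.lower()
    resolved = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                # "//" and "/./" do not change the target
        if seg == "..":
            if resolved:
                resolved.pop()      # "x/../" steps back to the parent directory
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def normalised_match(request_line: str) -> bool:
    """Match the signature against the canonical form of the request-URI."""
    parts = request_line.split()
    if len(parts) < 2:
        return False
    return SIGNATURE in canonical_path(parts[1])


# Constructed request lines: the plain attack, the evasions from the text,
# a double-encoded variant and one benign request.
REQUESTS = [
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",
    "GET /%63%67%69%2d%62%69%6e/phf?Qalias=x HTTP/1.0",
    "GET /CGI-BIN/././PHF?Qalias=x HTTP/1.0",
    "GET //cgi-bin//phf?Qalias=x HTTP/1.0",
    "GET /cgi-bin/blah/../phf?Qalias=x HTTP/1.0",
    "GET /%2563gi-bin/phf HTTP/1.0",      # "%25" decodes to "%", so this is a double-encoded "c"
    "GET /index.html HTTP/1.0",           # benign
]


def run_comparison(requests=REQUESTS):
    """Return (naive_hits, normalised_hits) over the sample request lines."""
    naive = sum(naive_match(r) for r in requests)
    norm = sum(normalised_match(r) for r in requests)
    return naive, norm


if __name__ == "__main__":
    for r in REQUESTS:
        print(f"naive={naive_match(r)!s:5} normalised={normalised_match(r)!s:5} {r}")
    print(run_comparison())
```

On the seven constructed requests the naive rule fires once and the normalising detector fires six times; the only request neither flags is the benign one. The lesson is that a detector has to decode at least as tolerantly as the most permissive server it protects, otherwise the attacker simply picks an encoding the server accepts and the IDS does not.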

3. The attacker can also cut the request in a single TCP session into many small packets of only a few characters each. If the NIDS does not reassemble the TCP session, it sees only individual packets such as "GET", " /cg", "i", "-bin" and "/phf" and never the reassembled request, because it only checks each packet on its own for the attack string. Related evasion methods include overlapping IP fragments, overlapping TCP segments and other more elaborate deception techniques.
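The following added example (not from the original article) simulates this: the request is delivered as small, out-of-order TCP segments, one of which is sent twice with different bytes. Segment contents and sequence numbers are constructed. It shows that per-packet matching misses the request entirely, and that even a sensor that does reassemble the stream can be fooled when its policy for overlapping segments does not match the target host's TCP stack.

```python
"""
Per-packet matching versus TCP stream reassembly.

Constructed example, not code from the original article. A request for
/cgi-bin/phf is split into TCP segments of one to eleven bytes that arrive
out of order, and one segment overlaps an earlier one with different
bytes. A per-packet matcher never sees the whole string. A reassembler
does, but what it sees in the overlapping region depends on whether it
keeps the first copy or the last one.
"""
SIGNATURE = b"/cgi-bin/phf"


def per_packet_match(segments) -> bool:
    """Naive NIDS: look for the signature inside each segment on its own."""
    return any(SIGNATURE in payload for _, payload in segments)


def reassemble(segments, favour_new: bool) -> bytes:
    """Rebuild the stream from (seq, payload) pairs given in arrival order.

    Bytes are keyed by absolute sequence number, so arrival order does not
    matter for the non-overlapping parts. Where two segments cover the same
    byte, favour_new=True lets the later copy overwrite the earlier one and
    favour_new=False keeps the first copy. Real TCP stacks differ on this,
    which is exactly what overlap-based evasion exploits.
    """
    buf = {}
    for seq, payload in segments:
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if favour_new or pos not in buf:
                buf[pos] = byte
    return bytes(buf[pos] for pos in sorted(buf))


def reassembled_match(segments, favour_new: bool) -> bool:
    """Match the signature against the reassembled stream."""
    return SIGNATURE in reassemble(segments, favour_new)


# Constructed segments, as (relative seq, payload), in the order the sensor
# receives them. The request "GET /cgi-bin/phf HTTP/1.0\r\n" is chopped up
# and shuffled; the bytes at seq 12..15 are sent twice with different contents.
SEGMENTS = [
    (0, b"GET"),
    (3, b" /cg"),
    (12, b"/xxx"),           # decoy bytes, arrive first
    (7, b"i-bi"),
    (11, b"n"),
    (12, b"/phf"),           # the real bytes, arrive later
    (16, b" HTTP/1.0\r\n"),
]


def summary(segments=SEGMENTS):
    """Return the verdict of each matching strategy for the sample stream."""
    return {
        "per_packet": per_packet_match(segments),
        "keep_first": reassembled_match(segments, favour_new=False),
        "keep_last": reassembled_match(segments, favour_new=True),
    }


if __name__ == "__main__":
    for policy in (False, True):
        print(f"favour_new={policy}: {reassemble(SEGMENTS, policy)!r}")
    print(summary())
```

If the target's TCP stack lets later data overwrite earlier data, the server executes the phf request while a sensor that keeps the first copy reconstructs "/cgi-bin/xxx" and stays silent. The sensor's reassembly policy therefore has to be chosen per protected host, not globally.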

II. Weaknesses of "hunting" and of the reset-firewall security policy

"Hunting" means setting a trap on the server, for example deliberately opening a port and having the detection system watch it around the clock; when an attacker tries to get in through that port, the detection system blocks the attempt at once. The "hunting" function of a NIDS and its ability to reset the firewall's security policy can indeed stop an attack immediately, but the blocking action itself (a TCP reset) applies only to TCP sessions; to cut a source off completely you must rely on the reset of the firewall policy. This can also be counterproductive: an immediate block tells the attacker that an IDS is present, and attackers will then look for ways around it or turn to attacking the IDS itself.

If the reset-firewall policy is set up improperly, it can also hand the attacker a denial-of-service attack. When the NIDS does not verify where traffic really comes from, the attacker can forge packets that appear to come from other, legitimate source IP addresses, and an IDS that rashly blocks those sources locks the legitimate users out as a direct result of the attacker's activity. In practice a block rule should only be triggered by traffic whose source has proved itself, for example by completing a TCP handshake, should expire after a set time, and should never be applied to addresses the site depends on, such as its own DNS servers and routers.

Both the design of the recognition method and the "hunting" and reset-firewall functions have their advantages and disadvantages. Understanding how an IDS recognises attacks, and adjusting its recognition technique accordingly, helps improve its operation. Before using "hunting" and the reset-firewall policy, weigh the benefit against the corresponding loss, so that the network intrusion detection system actually does its job.
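As an added illustration of the denial-of-service risk described above (example code written for this page, not part of the original article or of any IDS product), the simulation below replays a constructed packet log through two blocking policies. Addresses, ports, the initial sequence number and the block timeout are assumed values. The careless policy blocks every address that carries the attack string, so the attacker's forged packets get the site's DNS server and a legitimate user blocked. The cautious policy blocks an address only after it has seen that address complete a TCP handshake using the server's real initial sequence number, which a spoofer never learns, and it lets blocks expire.

```python
"""
IDS-driven firewall blocking: a careless policy beside a cautious one.

Constructed example, not code from the original article. The sensor sees a
simplified packet log between clients and one web server. The careless
policy blocks every source address that ever carries the attack string,
including packets whose source is spoofed. The cautious policy blocks only
when the string arrives on a connection whose three-way handshake the
sensor saw completed with the server's real initial sequence number, and
lets blocks expire after a timeout.
"""
from dataclasses import dataclass

SIGNATURE = b"/cgi-bin/phf"
SERVER = "192.0.2.80"       # assumed addresses from the documentation ranges
LEGIT = "198.51.100.7"
ATTACKER = "203.0.113.9"
DNS = "10.0.0.53"           # assumed: the site's own DNS resolver
BLOCK_TTL = 600.0           # seconds; assumed value
ISN = 1_000_000             # assumed server ISN, reused for every connection


@dataclass
class Packet:
    t: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str              # "S" SYN, "SA" SYN-ACK, "A" ACK, "PA" data
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


def careless_policy(packets):
    """Block the source of any packet that contains the signature."""
    return {p.src for p in packets if SIGNATURE in p.payload}


class CautiousBlocker:
    """Block only sources that proved they can complete a handshake."""

    def __init__(self, ttl=BLOCK_TTL):
        self.ttl = ttl
        self.server_isn = {}        # (client, port) -> ISN the server chose
        self.established = set()    # (client, port) pairs with a real handshake
        self.blocks = {}            # client ip -> expiry time

    def feed(self, p: Packet):
        key = (p.src, p.sport)
        if p.src == SERVER and p.flags == "SA":
            self.server_isn[(p.dst, p.dport)] = p.seq
        elif p.flags == "A":
            isn = self.server_isn.get(key)
            if isn is not None and p.ack == isn + 1:
                self.established.add(key)   # only a host that received the SYN-ACK knows isn
        elif SIGNATURE in p.payload and key in self.established:
            self.blocks[p.src] = p.t + self.ttl

    def active(self, now: float):
        """Addresses whose block has not yet expired at time 'now'."""
        return {ip for ip, expiry in self.blocks.items() if expiry > now}


def cautious_policy(packets, now: float):
    blocker = CautiousBlocker()
    for p in packets:
        blocker.feed(p)
    return blocker.active(now)


def handshake(t, client, port):
    """Client SYN, server SYN-ACK, client ACK carrying the right ack number."""
    return [
        Packet(t, client, port, SERVER, 80, "S", seq=1),
        Packet(t + 0.01, SERVER, 80, client, port, "SA", seq=ISN, ack=2),
        Packet(t + 0.02, client, port, SERVER, 80, "A", seq=2, ack=ISN + 1),
    ]


PHF = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"

# Constructed traffic log in arrival order.
EVENTS = (
    handshake(0.0, LEGIT, 40000)
    + [Packet(0.1, LEGIT, 40000, SERVER, 80, "PA", payload=b"GET /index.html HTTP/1.0\r\n")]
    + handshake(1.0, ATTACKER, 50000)
    + [Packet(1.1, ATTACKER, 50000, SERVER, 80, "PA", payload=PHF)]
    # Forged by the attacker with the DNS server's and the legitimate user's
    # addresses. The SYN-ACK goes to the real owners, so the attacker's ACK
    # carries a guessed number and no handshake completes; the data packets
    # still contain the attack string.
    + [Packet(2.0, DNS, 40001, SERVER, 80, "S", seq=1),
       Packet(2.0, DNS, 40001, SERVER, 80, "A", seq=2, ack=4242),
       Packet(2.0, DNS, 40001, SERVER, 80, "PA", payload=PHF),
       Packet(2.1, LEGIT, 40002, SERVER, 80, "PA", payload=PHF)]
)

if __name__ == "__main__":
    print("careless:", sorted(careless_policy(EVENTS)))
    print("cautious:", sorted(cautious_policy(EVENTS, now=3.0)))
    print("cautious after TTL:", sorted(cautious_policy(EVENTS, now=3.0 + BLOCK_TTL)))
```

The careless policy ends up blocking the DNS resolver and the legitimate user along with the attacker; the cautious one blocks only the attacker and releases even that after the timeout. A production deployment would additionally keep an allowlist of infrastructure addresses that are never blocked automatically, since even a genuine false positive from such a host must not take the site down.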
