Are you a network administrator? Have you ever seen network performance collapse without warning: services stop responding, servers become slow or completely unreachable, the switch port LEDs flash like crazy, the router at the network egress runs flat out with its CPU saturated... and a few minutes after a reboot the same problem is back?
What is going on? Is a device broken? Several devices failing at the same moment is unlikely. What is the flood of traffic that is eating the resources of the network devices, and how can we see it? An experienced network administrator will reach for a LAN packet capture tool and analyze the traffic.
You have surely heard of the notorious network killers Nimda, Blaster and Sasser. They are the ones behind the symptoms above: these worms choke the network and infect hosts, making a network administrator's life miserable. How can we find infected hosts promptly when a network virus breaks out? Next I will introduce a very practical method that relies on one characteristic of network viruses, that they scan network addresses: use a packet capture tool to find the source of the infection.
1. Install a packet capture tool. Its purpose is to let us analyze the contents of network packets. Free or trial capture tools are not hard to find; I used one called SpyNet 3.12, which is very small and runs fast. Once it is installed we have a packet capture host. In SpyNet you can choose which packet types to capture, for example IP packets or ARP packets, and set more detailed filter parameters such as the destination address.
2. Configure the network routing. Does your router have a default route? If so, where does it point? During a virus outbreak it is dangerous to point the default route at another router (unless you want to paralyze that router too). In many enterprise networks we only configure routes for our own subnets and have no default route. We then point the default route at the packet capture host (if it does not go to hell, who will? Of course this host should be somewhat better equipped, otherwise it will itself be overwhelmed by the virus traffic). This way most of the scans sent by infected hosts come to our door by themselves. Alternatively, mirror the network egress port to the packet capture host, so that every packet going to external addresses can be analyzed.
3. Start capturing. With the capture host set up and the network's packets arriving at it, let us see what is actually travelling across the network. Open SpyNet and click Capture. A long list of data appears: these are the captured packets, listed with their sequence number, timestamp, MAC addresses, IP addresses, protocol type and port numbers. It is easy to see that the host with IP address 10.32.20.71 sends access requests to a large number of different hosts in a very short time, and the destination port is always 445.
4. Identify the infected host. From the capture, host 10.32.20.71 looks suspicious. First, look at the destination IP addresses: do these addresses even exist in our network? Most likely our network has no such subnets at all. Second, under normal circumstances, would a host initiate so many access requests in such a short time? Is it normal to send dozens or even hundreds of connection requests within milliseconds? Clearly host 10.32.20.71 has a problem. Look also at the protocol, Microsoft-DS, which has a denial-of-service vulnerability; its connection port is 445, which further confirms our judgment. In this way we can easily find the IP address of the infected host. The remaining work is to patch the host's operating system so the virus cannot return.
Now that a packet from the virus has been captured, let us look at its binary decode:
This packet is 62 bytes long. The first 12 bytes hold the destination MAC address and the source MAC address, and the next two bytes give the packet type: 0800 means an IP packet, 0806 an ARP packet. The following 20 bytes are the IP header, which carries the source and destination IP addresses and the IP version number. The remaining 28 bytes are the TCP header, which carries the source and destination ports and the TCP connection state flags. Together these make up the 62-byte packet. Beyond the header data the packet carries no payload at all: it is an empty TCP packet requesting synchronization (a SYN) on port 445, which means the virus host is scanning port 445. Once it finds a host whose port 445 is not protected, it exploits the system vulnerability to spread the infection.
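The two things the walkthrough relies on, the 14/20/28-byte frame layout just described and the "one source, many destinations, port 445, no payload" pattern from steps 3 and 4, in a small Python example added here (it is not code from the original article or from SpyNet). The frame bytes, the 10.32.50.x target range and the thresholds are constructed for the example; checksums are left at zero because only the header fields are decoded.

```python
import ipaddress
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800  # EtherType 0800 = IPv4; 0806 would be ARP (as the article notes)
TCP_SYN, TCP_ACK = 0x02, 0x10

def parse_frame(frame):
    """Decode the Ethernet (14 B) + IPv4 (20 B) + TCP (20..60 B) headers of one raw frame."""
    _dst_mac, _src_mac, eth_type = struct.unpack("!6s6sH", frame[:14])
    if eth_type != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    ip = frame[14:14 + ihl]
    if ip[9] != 6:                                 # protocol field: 6 = TCP
        return None
    src_ip, dst_ip = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    tcp = frame[14 + ihl:]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4               # TCP header length incl. options
    return {"src": src_ip, "dst": dst_ip, "sport": sport, "dport": dport,
            "flags": off_flags & 0x1FF, "payload_len": len(tcp) - data_off}

def find_scanners(frames, port=445, window=1.0, min_targets=20):
    """Return {src_ip: distinct targets} for hosts that send payload-less SYNs to `port`
    at >= min_targets different destinations within any `window`-second span."""
    syns = defaultdict(list)                       # src_ip -> [(timestamp, dst_ip)]
    for ts, frame in frames:
        p = parse_frame(frame)
        if p and p["dport"] == port and p["payload_len"] == 0 \
                and (p["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN:
            syns[p["src"]].append((ts, p["dst"]))
    scanners = {}
    for src, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):       # sliding window over the SYN times
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners

def make_syn(src_ip, dst_ip, dport=445):
    """Constructed 62-byte Ethernet/IPv4/TCP SYN frame like the one the article dissects (checksums 0)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 28, 0, 0x4000, 128, 6, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    # 28-byte TCP header: 20 fixed bytes (data offset 7) + MSS, NOP, NOP, SACK-permitted options
    tcp = struct.pack("!HHIIHHHH", 1025, dport, 1, 0, (7 << 12) | TCP_SYN, 65535, 0, 0)
    return eth + ip + tcp + bytes.fromhex("020405b401010402")
```

Feeding `find_scanners` a list of `(timestamp, raw_frame)` pairs from a real capture flags a host like 10.32.20.71 once it has hit 20 distinct addresses on port 445 inside one second, while a single normal connection to port 80 is ignored.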