I. Preface
In the ever-changing world of networks, security vulnerabilities are everywhere. Even as old vulnerabilities are patched, new ones emerge. Network attacks exploit these vulnerabilities and security defects to attack systems and resources.
Some people are indifferent to network security and think the worst that can happen is an attacker stealing an account. They often assume that "security" matters only to large and medium-sized enterprises and websites. In fact, technically, an attacker's aim is to take over the target host. Once they hold superuser privileges on a networked host, they can modify the resource configuration, plant a "Trojan horse" program, hide their tracks, and execute arbitrary processes on the host. Who among us wants someone else to hold these privileges on our machines unchecked? What's more, these attackers' motives are not simple. Therefore, each of us may face security threats, and it is necessary to understand network security and deal with security issues.
Next, let's look at how attackers find security vulnerabilities on your computer and learn about their attack methods.
II. Network attack steps
Step 1: Hide your location
Ordinary attackers use other people's computers to hide their real IP addresses. Sophisticated attackers may also connect to the ISP through an 800-number (no-transfer) phone service and then use stolen accounts to access the Internet.
Step 2: Find the target host and analyze the target host
Attackers must first locate and analyze the target host. On the Internet a host is identified by its IP address; a domain name is simply an alias that makes the IP address easier to remember, so with either the domain name or the IP address the target host can be found. Of course, knowing where the target is is not enough: the attacker must also have a thorough understanding of the host's operating system type and the services it provides. At this stage, attackers use scanner tools to easily learn which operating system the target runs, which accounts exist on it, and the versions of the WWW, FTP, Telnet, SMTP, and other server programs, in full preparation for the intrusion.
Step 3: Get an account and password and log on to the host
An attacker who wants to break into a host must first have an account and password for it; otherwise they cannot log on. This often forces them to first steal the account file, crack it, obtain a user's account and password, and then find the right moment to access the host. Of course, logging on through some tool or a system vulnerability is also a common attacker technique.
Step 4: Obtain control
After attackers exploit system vulnerabilities through FTP, Telnet, and other tools to access the target host and gain control, they do two things: clear their records and leave backdoors. They change some system settings and plant a Trojan horse or other remote control program in the system so that they can access it again unnoticed. Most backdoor programs are pre-compiled; the attacker only needs to modify the timestamps and permissions to use them, and even the size of the new file is the same as that of the original. Attackers generally use rcp to transfer these files so that no FTP record is left. They then hide their traces by clearing logs and deleting the copied files.
Step 5: Steal network resources and privileges
Once the attacker has a foothold, the attack continues: for example, downloading sensitive information; stealing account passwords, credit card numbers, and other economic theft; or paralyzing the network.
III. Principles and techniques of network attacks
1. Password intrusion
Password intrusion means using the account and password of a valid user to log on to the target host and then launching attacks from there. The premise is that the attacker must first obtain the account of a valid user on the host and then recover that user's password. There are many ways to obtain an ordinary user account, for example:
Using the target host's Finger service: a Finger query makes the host return user information (such as the user name and logon time) and display it on the terminal or computer;
Using the target host's X.500 service: some hosts do not close the X.500 directory query service, which also gives attackers an easy way to obtain information;
Collecting from email addresses: some users' email addresses directly disclose their accounts on the target host;
Checking whether the host has habitual accounts: experienced users know that many systems use habitual accounts, which leads to account leakage.
The password itself is then obtained in one of three ways:
(1) Illegally obtaining user passwords by network sniffing. This method has some limitations, but it is extremely harmful: a sniffer can often intercept user accounts and passwords. Many protocols in use today, such as Telnet, FTP, HTTP, and SMTP, use no encryption or identity authentication at all, so both the account and the password are transmitted in plaintext. An attacker with a packet capture tool can then easily collect your account and password. Another interception attack is more powerful still: after you complete the "three-way handshake" with the server, the attacker inserts themselves as a "third party" in the communication, impersonates you to the server, and sends malicious requests in your name; the consequences are unimaginable. In addition, attackers sometimes use software and hardware tools to monitor the host and wait to record user logon information in order to obtain passwords, or exploit SUID programs that contain buffer overflow bugs to obtain superuser privileges.
(2) After learning the user's account (for example, the part of the email address before the @), the attacker uses special software to crack the user's password by force. This method is not restricted by network segment, but the attacker needs enough patience and time. The dictionary attack (or brute force) is the typical example: a tool program automatically takes a word from a dictionary as the candidate password and submits it to the remote host as a logon attempt. If the password is wrong, it takes the next word in order and keeps repeating until the correct password is found or the dictionary is exhausted. Since this process is carried out automatically by a computer program, all the words in a dictionary of 100,000 entries can be tried in a few hours.
(3) System administrator errors. In modern Unix operating systems, users' basic information is stored in the passwd file, and all passwords are encrypted with the DES method and stored in a file called shadow. After obtaining the password file, hackers use a program dedicated to cracking DES-encrypted passwords. At the same time, because many operating systems contain security vulnerabilities, bugs, or other design defects, once these defects are identified hackers can use them to get into the system. For example, BO (Back Orifice), which exposes a backdoor into Windows 95/98 systems, takes advantage of basic design defects in Windows.
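The dictionary attack described in (2) is visible to the defender as a burst of failed logons from one source, followed by a success if the dictionary contained the real password. The following Python detector is an added example, not code from the original article; the sshd-style log lines are constructed, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style log sample (not from the page); the source addresses
# come from documentation ranges and do not belong to real hosts.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-05-01T10:00:02 sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-05-01T10:00:04 sshd[811]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-05-01T10:00:05 sshd[811]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-05-01T10:00:06 sshd[811]: Accepted password for root from 203.0.113.5 port 40006 ssh2
2024-05-01T10:00:07 sshd[812]: Failed password for alice from 198.51.100.7 port 50001 ssh2
2024-05-01T10:30:00 sshd[813]: Failed password for alice from 198.51.100.7 port 50002 ssh2
"""

FAILED = re.compile(r"^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"^(\S+) sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port")


def detect_dictionary_attacks(log_text, threshold=5, window_seconds=60):
    """Flag every source IP with >= threshold failed logins inside any
    window_seconds span.  Returns {ip: {"failures", "users", "success_after"}};
    success_after=True means a logon later succeeded from a flagged source,
    i.e. the dictionary probably contained the real password."""
    window = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> account names tried from that source
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            user, ip = m.group(2), m.group(3)
            users[ip].add(user)
            q = window[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:  # drop stale failures
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = {"failures": len(q), "users": sorted(users[ip]),
                               "success_after": False}
            continue
        m = ACCEPTED.match(line)
        if m and m.group(3) in flagged:
            # Success right after a burst of failures: treat as probable compromise.
            flagged[m.group(3)]["success_after"] = True
    return flagged
```

The two failures from 198.51.100.7 half an hour apart stay below the threshold, while 203.0.113.5 is flagged and marked as a probable compromise because of the accepted logon that follows its burst.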
2. Planting a Trojan horse program
A Trojan horse program can directly intrude into a user's computer and destroy it. It is often disguised as a utility program or a game to induce the user to open an email attachment carrying the Trojan or to download it directly from the Internet. Once the user opens such an attachment or runs such a program, it stays on the computer like the soldiers hidden in the wooden horse at the enemy's city, and hides a program in the system that is quietly executed at Windows startup. When you connect to the Internet, this program notifies the attacker, reporting your IP address and the preset port. With that information, the attacker can use the lurking program to modify your computer's settings, copy files, and view the contents of your entire hard disk, thereby controlling your computer.
3. WWW spoofing
Online users use IE and other browsers to visit all kinds of Web sites: reading newsgroups, checking product prices, subscribing to newspapers, doing e-commerce. However, users may not consider this problem: the page they visit may have been tampered with by a hacker, and the information on it may be false! For example, a hacker rewrites the URL of a web page to point to the hacker's own server. When a user browses the target page, the request is actually sent to the hacker's server, and the hacker achieves the purpose of deception.
Generally, Web spoofing uses two technical means: URL address rewriting and related-information masking. With URL rewriting, the attacker redirects addresses to the attacker's own Web server; that is, the attacker prepends their own Web address to all URLs. In this way, when the user makes a secure connection to the site, the user enters the attacker's server without any defense, and all the information exchanged is under the attacker's surveillance. However, browsers generally have an address bar and a status bar: when the browser connects to a site, the user can see the connected site's address and related transmission information in the address bar and status bar, and may discover the problem. Therefore, attackers often combine URL rewriting with related-information masking, that is, they typically use JavaScript to overwrite the address bar and status bar in order to hide what is really happening.
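The rewriting pattern above leaves a fingerprint: the real site's URL ends up behind the attacker's host, and the visible link text no longer matches the host actually contacted. The following Python checker is an added example, not code from the original article; it goes slightly beyond the text by also flagging the userinfo form (text before an "@" that is not the host), and all hostnames used are constructed .example names.

```python
import re
from urllib.parse import urlsplit

# A second scheme inside the path or query, literal or percent-encoded, is the
# rewriting pattern http://attacker.example/http://bank.example/...
EMBEDDED_URL = re.compile(r"https?(://|%3a%2f%2f)", re.IGNORECASE)
# First dotted hostname that appears in the visible link text, if any.
HOST_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.IGNORECASE)


def real_host(url):
    """Host the browser will actually connect to (userinfo before '@' ignored)."""
    return (urlsplit(url).hostname or "").lower()


def same_site(shown, actual):
    # Treat www.bank.example and bank.example as the same site.
    return shown == actual or actual.endswith("." + shown) or shown.endswith("." + actual)


def spoof_indicators(href, link_text=""):
    """Reasons a link looks like URL-rewriting spoofing.  An empty list means
    none of the three checks fired, not that the link is trustworthy."""
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    reasons = []
    # 1. The real site's URL has been pushed behind the attacker's host.
    if EMBEDDED_URL.search(parts.path + "?" + parts.query):
        reasons.append("embedded URL after host " + host)
    # 2. Userinfo form (beyond the page's text): text before '@' is not the host.
    if parts.username is not None:
        reasons.append("userinfo hides real host " + host)
    # 3. The visible link text names a site other than the one contacted.
    m = HOST_IN_TEXT.search(link_text)
    if m and not same_site(m.group(1).lower(), host):
        reasons.append("text shows %s but link goes to %s" % (m.group(1).lower(), host))
    return reasons
```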
4. Email attacks
Email is a widely used means of communication on the Internet. Attackers can use email bomb software or CGI programs to send a large number of duplicate, useless spam messages to the target mailbox, making it unusable. When the volume of spam is very large, the mail system may slow down or even be paralyzed. Compared with other attack methods, this one is simple and effective.
Email attacks mainly take two forms:
(1) Email bombing and email "snowballing", commonly called mail bombs: sending thousands of identical spam messages to the same mailbox using forged IP addresses and sender addresses, so that the victim's mailbox is "bombed"; in serious cases the operating system of the mail server may be endangered or even paralyzed;
(2) The attacker pretends to be the system administrator (using an email address identical to the administrator's) and sends the user an email asking them to change their password (possibly to a specified string), or carries viruses or other Trojans in seemingly normal attachments.
5. Using one node to attack other nodes
After breaking into one host, attackers often use it as a base to attack other hosts (to conceal their intrusion path and avoid leaving clues). They can use network sniffing to attack other hosts on the same network, or attack other hosts through IP spoofing and host trust relationships.
These attacks are tricky, and some of the underlying technology, such as TCP/IP, is hard to master.