Source: External region of Alibaba Cloud
Address: http://www.bkjia.com/Article/200903/36545.html
The recent large-scale website compromise (malicious code injected into pages of many large sites) drew comments from all sides. Fyodor Yarochkin (fygrave at o0o.nu) and Wayne of Armorize, who had already looked into this issue in the earlier article 「Large-scale website attack: it has not been removed yet, but I guess all the experts have already guessed it」, described our view of the event based on the packets we captured. We do not think this is DNS-related, nor can it be shown to be related to the ARP attack method of the Zxarps tool. From the packets we captured, this is typical IP spoofing, a technique that has been in use since the 1990s.
Over the past two days, after further research and analysis, we were able to confirm where on the route the attack program sits, and we fully notified the relevant units yesterday. Today I will share our results here, together with information provided by Peter Yen and other friends.
Most large websites are no longer being hit. But by our observation up to yesterday (today's check is not finished yet), all of the attack programs still exist: they no longer spoof replies for the large websites, only for certain specific sites. We think the other party is doing a lot of testing and tuning, and keeping the volume low makes the spoofed packets look like normal traffic, in preparation for the next attack. Our test method is a small program that sends TCP packets carrying an HTTP GET request with the TTL stepped upward, and watches at which TTL the spoofed reply comes back. Of course, now that this method is public, the other party will probably adapt and raise the difficulty of applying it.
[Where the attacker is located]
We ran the test from two endpoints, A and B. One of them receives spoofed packets, the other does not. The route from both endpoints passes through 211.22.33.225. Running our program at both ends at the same time, sending GET packets to websites that are still under attack, endpoint B never receives a spoofed packet, while endpoint A receives spoofed packets as soon as the probe reaches the sixth hop, 210.65.20.241 (the hop just before 211.22.33.225). We are therefore certain that there is an attack program in the 210.65.20.241 segment. Due to limited resources we only have the two endpoints A and B.
(Figure 1)
(Figure 2)
[Changes in attack methods]
Right after the first article, 「Large-scale website attack: it has not been removed yet, but I guess all the experts have already guessed it」, we noticed that the other party had adjusted its attack tactics accordingly. We observed the following:
1. The IP ID is no longer fixed at 0x0100, as we found before, and has started to vary. We did not spell it out at the time, but I believe many network administrators understood from our post that IDS, IPS and firewalls could use the features we described to block the spoofed packets effectively: for example, an IP ID fixed at 0x0100, or FIN and payload present in the same segment. Unfortunately, every time we publish something, the other party changes accordingly.
The following capture was taken on the morning of March 11. The fifth packet is spoofed; the sixth is the genuine one:
(Figure 3)
2. The attack is no longer completed with a single FIN+payload packet. A segment with both FIN and payload set is a very strong signature and is easily caught by IDS, IPS and firewalls, so in the traffic of the past few days the other party changed approach. It did not switch to sending two packets (one with the payload, one with FIN); it still sends a single packet carrying the payload, but without FIN, and lets the genuine server's own FIN close the connection. This way there is still only one spoofed packet (the payload) per attack, which is as efficient as before, but since the spoofed reply does not end the connection (no FIN), differences between the TCP/IP stacks of different operating systems may cause the spoofed and genuine replies to be merged by the client. The payload therefore has to be specially designed so the original page content is not visibly lost, otherwise the attack may fail intermittently. So far the other party has not adjusted the payload design for this. In the figure, the fifth packet has no FIN set, the sixth is the genuine reply, and the seventh is the FIN sent by the genuine website.
3. The injected content has started pointing at sites that host exploits. Although many websites were hit in the past, in the earlier wave of this attack I had not seen any program with real attack capability on the pages being pointed to. As shown below, however, one of the addresses used in the latest attack, hxxp://61.218.245.190/_vti_access/index.htm, was found to contain four exploits that trigger attacks (the output below is from the HackAlert website malware-scanning service):
(Figure 4)
4. The injected payload has started to attack the victim directly. See the figure, captured on the morning of March 11. In this example the 51st packet is spoofed. The payload can be seen at the lower right: it injects a hidden iframe (currently pointing at google), and a timer reloads the original page after four seconds. Because there is no visible redirect, the victim only feels that the page was slow to load; the site then works normally, so the attack is not easy to notice. If the iframe is pointed at a malicious site instead of google, the attacker has those four seconds to exploit the victim's browser and implant a trojan.
(Figure 5)
5. There may be more than one attack program on the same infected segment. In Figure 5, the 51st packet is spoofed: id = 0x0100, ttl = 115, and the payload is a hidden google iframe that reloads the original content after four seconds. The 54th packet is also spoofed: id = 0xccbb, ttl = 113, and its content redirects directly to the attacker's website. The genuine response packets are the 56th and 58th. This is probably two attack programs implanted by two different groups, or the same group forgetting to remove the old version when installing a new one.
(Figure 6)
6. Is the attack tool a modified version of Zxarps? That was our first thought when we started the analysis. However, Zxarps works as an ARP man-in-the-middle rather than by injecting packets, and the packet characteristics are very different (ttl, id, service field, behavior, etc.), so the other party must be using a different attack program.
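The two techniques described above, detecting an injected reply in a capture (the duplicate-sequence race, the fixed IP ID, FIN on a payload segment, a TTL that disagrees with the genuine server's) and locating the injecting hop by stepping the probe's TTL, as an added example that is not the authors' tool and not code from the original page. The packet records are constructed to mirror the captures described in points 1, 2 and 5; the addresses are documentation ranges, and the `probe` callable stands in for the raw-socket sender and sniffer the real program would need.

```python
"""Injected-reply detection and TTL-stepping hop location (added example).

The packet list below is CONSTRUCTED for illustration; it is not a real
capture.  It mirrors the features the article describes: an injector that
answers the client's GET with the same sequence number the server will use,
an IP ID fixed at 0x0100, FIN set on a segment that carries payload, and a
TTL that differs from the genuine server's replies.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    no: int          # capture ordinal (arrival order)
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int
    ttl: int
    seq: int         # TCP sequence number of the segment
    flags: str       # TCP flags as letters, e.g. "PA", "FPA"
    payload: bytes


def _flow(p: Pkt) -> Tuple[str, int, str, int]:
    return (p.src, p.sport, p.dst, p.dport)


def find_injected(packets: List[Pkt], server_port: int = 80) -> Dict[int, List[str]]:
    """Return {packet_no: [reasons]} for server->client segments that look injected.

    Both the injector and the real server answer the same GET, so the capture
    shows several payload segments at one (flow, seq).  The first to arrive is
    accepted by the client; the genuine reply arrives last and is treated by the
    stack as a retransmission.  Any earlier copy whose payload differs from the
    last one is flagged, and the weaker per-packet signatures are recorded too.
    """
    by_seq: Dict[Tuple, List[Pkt]] = defaultdict(list)
    for p in packets:
        if p.sport == server_port and p.payload:
            by_seq[(_flow(p), p.seq)].append(p)

    findings: Dict[int, List[str]] = {}
    for group in by_seq.values():
        if len(group) < 2:
            continue
        group.sort(key=lambda p: p.no)
        genuine = group[-1]
        for cand in group[:-1]:
            if cand.payload == genuine.payload:
                continue  # plain retransmission, not an injection
            reasons = ["duplicate seq with conflicting payload; earlier copy wins the race"]
            if cand.ip_id == 0x0100:
                reasons.append("IP ID fixed at 0x0100")
            if "F" in cand.flags:
                reasons.append("FIN set on a segment that carries payload")
            if cand.ttl != genuine.ttl:
                reasons.append(f"TTL {cand.ttl} differs from genuine reply TTL {genuine.ttl}")
            findings[cand.no] = reasons
    return findings


def locate_injecting_hop(probe: Callable[[int], bool], max_hops: int = 30) -> Optional[int]:
    """Step the TTL of an HTTP GET probe from 1 upward; return the first TTL at
    which a spoofed reply is seen, or None.  `probe(ttl)` must send the GET with
    that TTL and report whether an injected reply came back (raw socket plus
    capture in the real tool; a parameter here so the search runs offline).
    A probe with TTL n dies at hop n, so the first TTL that triggers injection
    names the hop, or the link into it, where the injector listens."""
    for ttl in range(1, max_hops + 1):
        if probe(ttl):
            return ttl
    return None


# ---- constructed sample traffic (RFC 5737 documentation addresses) ----
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
GET_A = b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>site</body></html>"
IFRAME = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
          b'<iframe src="http://www.google.com/" width=0 height=0></iframe>'
          b"<script>setTimeout(function(){location.reload()},4000)</script>")
REDIRECT = b"HTTP/1.1 302 Found\r\nLocation: http://example.invalid/\r\n\r\n"

SAMPLE = [
    Pkt(4, CLIENT, 33001, SERVER, 80, 0x4a11, 64, 1000, "PA", GET_A),
    Pkt(5, SERVER, 80, CLIENT, 33001, 0x0100, 115, 5000, "FPA", IFRAME),   # injected, old style
    Pkt(6, SERVER, 80, CLIENT, 33001, 0x3a2f, 113, 5000, "PA", GENUINE),   # genuine reply
    # second connection: two injectors race the same GET (article point 5)
    Pkt(50, CLIENT, 33002, SERVER, 80, 0x4a12, 64, 2000, "PA", GET_A),
    Pkt(51, SERVER, 80, CLIENT, 33002, 0x0100, 115, 7000, "PA", IFRAME),   # injected, no FIN
    Pkt(54, SERVER, 80, CLIENT, 33002, 0xccbb, 113, 7000, "PA", REDIRECT), # second injector
    Pkt(56, SERVER, 80, CLIENT, 33002, 0x3a30, 113, 7000, "PA", GENUINE),  # genuine reply
    Pkt(58, SERVER, 80, CLIENT, 33002, 0x3a31, 113, 7000 + len(GENUINE), "FA", b""),  # genuine FIN
]

if __name__ == "__main__":
    for no, why in sorted(find_injected(SAMPLE).items()):
        print(no, "->", "; ".join(why))
    # simulated path where the injector sits at hop 6, as in the article
    print("injecting hop:", locate_injecting_hop(lambda ttl: ttl >= 6))
```

Note that packet 54 carries neither the fixed ID nor a FIN and its TTL matches the genuine server's, so only the duplicate-sequence check catches it; that is why per-packet signatures alone stop working once the other party adapts.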
[Conclusion]
Based on the information we have gathered, we draw the following conclusions:
1. At least one attack program is still active, and it is still at 210.65.20.241. It can also be determined that the websites themselves are not infected.
2. The other party keeps trying different attack methods and refining the attack; this is clearly preparation for the next wave.
3. In the first, crude wave, the other party hit a large number of addresses, but the behavior was obvious and easy for users to notice. In the new wave we have observed, the other party has been working toward methods that users cannot perceive.
4. The other party improves its tooling based on the features we publish, so that IDS/IPS/firewalls can no longer easily recognize the fake packets.
5. Among the small number of sites being targeted, there are already malicious pages with working exploits that can compromise visitors.
6. Because the problem is in the network infrastructure, ordinary users who cannot fix it themselves can only protect themselves by using https.
7. For the problematic CIDR block, check whether any host communicating with the router has been intruded, or whether the router's settings have been modified.
Author: Fyodor Yarochkin, o0o.nu member
Author: Wayne, Armorize CEO