Use a network intrusion detection system to prevent hacker attacks

This article describes the hacker intrusion methods for the vulnerabilities in the intrusion detection system. Once the network intrusion detection system is installed, the network intrusion detection system will analyze the online hacker attack events for you, and you can use the counterattack function of this intrusion detection system, online hunting or blocking. You can also use the firewall settings to allow the intrusion detection system to dynamically modify the access rules of the firewall and reject the subsequent online actions from this ip address !" This beautiful "prospect" may be the usual sales tactics of many intrusion detection system providers. General enterprises or organizations also have this expected purpose when establishing their own intrusion detection systems. It is true that the intrusion detection system can monitor and detect intrusions, and provide assistance to the security of enterprises or organizations. However, just as the thief's tactics will be constantly updated with the lock design, with the emergence of the intrusion detection system, many methods to avoid network intrusion detection systems are also constantly "upgraded ". Today, hackers already have a complete set of intrusion techniques for the intrusion detection system. Next we will take a look at the hacker's intrusion methods for the vulnerabilities in the intrusion detection system.

I. design vulnerabilities of Recognition Methods

1. Comparing the known attack methods with the strings that appear on the Internet monitored by the intrusion detection system, most network intrusion detection systems adopt this method. For example, in the early versions of apache web server, the phf cgi program was often used by hackers to read the password files (/etc/password) on the server system ), or a tool that allows the server to execute arbitrary commands for it. When hackers use this tool, most of their url request requests will show "get/cgi-bin/phf ?....." . Therefore, many intrusion detection systems directly compare the/cgi-bin/phf strings in all url requests to determine whether phf attacks occur.

2. Although this inspection method is applicable to various intrusion detection systems, the comparison methods used for different intrusion detection systems vary according to different design ideas. Some intrusion detection systems can only compare strings, while others can perform detailed tcp session reconstruction and inspection. The two design methods take efficiency into account and the recognition capability into account. When attackers conduct attacks, to avoid being discovered by the intrusion detection system, they may adopt some preventive methods to hide their intentions. For example, an attacker will encode the characters in the url into a forward value of % xx, and "cgi-bin" will change to "% 63% 67% 69% 2d % 62% 6e ", when comparing strings, the meaning of the encoding value is ignored. Attackers can also hide their true intentions through the features of the directory structure. For example, in the directory structure, /"indicates the local directory," .. /"indicates the upper-level directory. The web server may set"/cgi-bin /. /. /phf "," // cgi-bin // phf ","/cgi-bin/blah /.. /phf?" These url requests are parsed into "/cgi-bin/phf", but the simple intrusion detection system may only determine whether these requests contain strings of "/cgi-bin/phf, without discovering the meaning behind it.

3. cut the entire request into multiple small packages containing only a few characters in the same tcp session. If Network Intrusion Detection does not reconstruct the entire tcp session, then, the intrusion detection system will only be able to see individual packages similar to "get", "/cg", "I", "-bin", and "/phf, the result of the reorganization cannot be found, because it only checks whether individual packages have strings similar to attacks. Similar methods include ip fragmentation overlap, tcp overlap, and other complex deception techniques.

Ii. "Hunting" and restructuring security policy Vulnerabilities

The so-called "Hunting" means to set a trap on the server. If you want to open a port and use the detection system to strictly guard it for 24 hours, when a hacker attempts to intrude through the port, the detection system immediately blocks it. Although the network intrusion detection system can "Hunt" and re-adjust the firewall security policy setting function, it can immediately block attack actions, but this blocking action can only be applied to tcp sessions, it must be completely limited, it is necessary to re-adjust the firewall security policy setting function, and may also cause another anti-effect: the instant blocking action will allow attackers to discover the existence of ids, attackers usually look for ways to circumvent or attack ids. Resetting firewall security policies may also result in tools used by attackers to block service (denial of service) attacks, if the network intrusion detection is insufficient, attackers can pretend to be other normal ip sources for attack. If the intrusion detection system rashly limits the ip addresses of these sources, this will cause legal users to be unable to use the service due to attacks by attackers. The Design of identification methods, the so-called "Hunting" and the setting of firewall security policies all have their own advantages and disadvantages. The ability to know the identification method of the intrusion detection system on the ground or adjust its identification method will help improve the correctness of the operation of the intrusion detection system. To effectively use the functions of the network intrusion detection system, you should carefully evaluate the benefits and corresponding losses of the "Hunting" and the use of functional tools for readjusting firewall security policy settings.