s07-流量内容监控-attack.ppt

网络攻击的检测和预防 第七章目录l常见网络攻击的检测和预防lDoS攻击的防范 黑客攻击网络的一般过程l信息的收集利用的公开协议或工具lTraceRoute程序 lSNMP协议 lDNS服务器 lWhois协议lPing实用程序黑客攻击网络的一般过程l系统安全弱点的探测主要探测的方式l自编程序 l慢速扫描 l体系结构探测 l利用公开的工具软件黑客攻击网络的一般过程l建立模拟环境，进行模拟攻击根据前面两小点所得的信息建立一个类似攻击对象的模拟环境对此模拟目标进行一系列的攻击黑客攻击网络的一般过程l具体实施网络攻击根据前几步所获得的信息结合自身的水平及经验总结相应的攻击方法等待时机，以备实施真正的网络攻击协议欺骗攻击及防范l源IP地址欺骗攻击在路由器上的解决方法l防止源IP地址欺骗行为的措施抛弃基于地址的信任策略 使用加密方法 进行包过滤协议欺骗攻击及防范l源路由欺骗攻击l防范源路由欺骗攻击的措施抛弃由外部网进来却声称是内部主机的报文在路由器上关闭源路由协议欺骗攻击及防范l拒绝服务攻击l防止拒绝服务攻击的措施调整该网段路由器上的配置强制系统对超时的Syn请求连接数据包复位缩短超时常数和加长等候队列在路由器的前端做必要的TCP拦截关掉可能产生无限序列的服务拒绝服务攻击l用超出被攻击目标处理能力的海量数据包消耗可用系统，带宽资源，致使网络服务瘫痪的一种攻击手段l两种使用较频繁的攻击形式TCP-SYN floodl半开式连接攻击UDP flood拒绝服务攻击拒绝服务攻击lUDP floodUdp在网络中的应用l如，DNS解析、realaudio实时音乐、网络管理、联网游戏等基于udp的攻击种类l如，unix操作系统的echo,chargen.echo服务拒绝服务攻击lTrinoo是基于UDP flood的攻击软件lTrinoo攻击功能的实现是通过三个模块付诸实施的攻击守护进程lNS攻击控制进程lMASTER客户端lNETCAT，标准TELNET程序等拒绝服务攻击及防范l六个trinoo可用命令MtimerDosMdieMpingMdosmsize拒绝服务攻击拒绝服务攻击l攻击的实例:被攻击的目标主机victim IP为:12.23.34.45 ns被植入三台sun的主机里，他们的IP对应关系分别为 client1:11.11.11.11 client2:22.22.22.22 client3:33.33.33.33 master所在主机为masterhost:11.22.33.44 首先我们要启动各个进程，在client1，2，3上分别执行ns，启动攻击守护进程，其次，在master所在主机启动master masterhost#./master?gOrave(系统示输入密码，输入gOrave后master成功启动)trinoo v1.07d2+f3+c Mar 20 2000:14:38:49(连接成功)拒绝服务攻击l在任意一台与网络连通的可使用telnet的设备上，执行 telnet 11.22.33.44 27665 Escape character is.betaalmostdone(输入密码)trinoo v1.07d2+f3+c.rpm8d/cb4Sx/trinoo(进入提示符)trinoo mping(我们首先来监测一下各个攻击守护进程是否成功启动)mping:Sending a PING to every Bcasts.trinoo PONG 1 Received from 11.11.11.11 PONG 2 Received from 22.22.22.22 PONG 3 Received from 33.33.33.33(成功响应)trinoo mtimer 60(设定攻击时间为60秒)mtimer:Setting timer on bcast to 60.trinoo dos 12.23.34.45 DoS:Packeting 12.23.34.45.拒绝服务攻击l至此一次攻击结束，此时ping 12.23.34.45，会得到icmp不可到达反馈，目标主机此时与网络的正常连接已被破坏 拒绝服务攻击l由于目前版本的trinoo尚未采用IP地址欺骗，因此在被攻击的主机系统日志里我们可以看到如下纪录 Mar 20 14:40:34 victim snmpXdmid:Will attempt to re-establish connection.Mar 20 14:40:35 victim snmpdx:error while receiving a pdu from 11.11.11.11.59841:The message has a wrong header type(0 x0)Mar 20 14:40:35 victim snmpdx:error while receiving a pdu from 22.22.22.22.43661:The message has a wrong header type(0 x0)Mar 20 14:40:36 victim snmpdx:error while receiving a pdu from 33.33.33.33.40183:The message has a wrong header type(0 x0)Mar 20 14:40:36 victim snmpXdmid:Error receiving PDU The message has a wrong header type(0 x0).Mar 20 14:40:36 victim snmpXdmid:Error receiving packet from agent;rc=-1.Mar 20 14:40:36 victim snmpXdmid:Will attempt to re-establish connection.Mar 20 14:40:36 victim snmpXdmid:Error receiving PDU The message has a wrong header type(0 x0).Mar 20 14:40:36 victim snmpXdmid:Error receiving packet from agent;rc=-1.拒绝服务攻击防范l检测系统是否被植入了攻击守护程序l办法检测上述提到的udp端口l如netstat-a|grep udp 端口号用专门的检测软件拒绝服务攻击及防范l下面为在一台可疑设备运行结果，l Logging output to:LOG Scanning running processes./proc/795/object/a.out:trinoo daemon /usr/bin/gcore:core.795 dumped /proc/800/object/a.out:trinoo master /usr/bin/gcore:core.800 dumped Scanning/tmp.Scanning/./yiming/tfn2k/td:tfn2k daemon /yiming/tfn2k/tfn:tfn2k client /yiming/trinoo/daemon/ns:trinoo daemon /yiming/trinoo/master/master:trinoo master /yiming/trinoo/master/.:possible IP list file NOTE:This message is based on the filename being suspicious,and is not based on an analysis of the file contents.It is up to you to examine the file and decide whether it is actually an IP list file related to a DDOS tool./yiming/stacheldrahtV4/leaf/td:stacheldraht daemon /yiming/stacheldrahtV4/telnetc/client:stacheldraht client /yiming/stacheldrahtV4/td:stacheldraht daemon /yiming/stacheldrahtV4/client:stacheldraht client /yiming/stacheldrahtV4/mserv:stacheldraht master l ALERT:One or more DDOS tools were found on your system.Please examine LOG and take appropriate action.拒绝服务攻击防范l封掉不必要的UDP服务如echo,chargen,减少udp攻击的入口 拒绝服务攻击防范l路由器阻挡一部分ip spoof,syn攻击通过连接骨干网络的端口l采用CEF和ip verify unicast reverse-path使用access control listsl将可能被使用的网络保留地址封掉使用CAR技术l限制 ICMP 报文大小Specific Attack TypeslAll of the following can be used to compromise your system:Packet sniffersIP weaknessesPassword attacksDoS or DDoSMan-in-the-middle attacksApplication layer attacksTrust exploitationPort redirection Virus and wormsTrojan horseOperator errorIP SpoofinglIP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.lTwo general techniques are used during IP spoofing:A hacker uses an IP address that is within the range of trusted IP addresses.A hacker uses an authorized external IP address that is trusted.lUses for IP spoofing include the following:IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.A hacker changes the routing tables to point to the spoofed IP address,then the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.IP Spoofing MitigationlThe threat of IP spoofing can be reduced,but not eliminated,through the following measures:Access controlThe most common method for preventing IP spoofing is to properly configure access control.RFC 2827 filteringYou can prevent users of your network from spoofing other networks(and be a good Internet citizen at the same time)by preventing any outbound traffic on your network that does not have a source address in your organizations own IP range.Additional authentication that does not use IP-based authenticationExamples of this include the following:lCryptographic(recommended)lStrong,two-factor,one-time passwordsApplication Layer AttackslApplication layer attacks have the following characteristics:Exploit well known weaknesses,such as protocols,that are intrinsic to an application or system(for example,sendmail,HTTP,and FTP)Often use ports that are allowed through a firewall(for example,TCP port 80 used in an attack against a web server behind a firewall)Can never be completely eliminated,because new vulnerabilities are always being discoveredApplication LayerAttacksMitigationlSome measures you can take to reduce your risks are as follows:Read operating system and network log files,or have them analyzed by log analysis applications.Subscribe to mailing lists that publicize vulnerabilities.Keep your operating system and applications current with the latest patches.IDSs can scan for known attacks,monitor and log attacks,and in some cases,prevent attacks.Network ReconnaissancelNetwork reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.Network Reconnaissance MitigationNetwork reconnaissance cannot be prevented entirely.IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack(for example,ping sweeps and port scans)is under way.Virus and Trojan HorseslViruses refer to malicious software that are attached to another program to execute a particular unwanted function on a users workstation.End-user workstations are the primary targets.lA Trojan horse is different only in that the entire application was written to look like something else,when in fact it is an attack tool.A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.DOS/DDOSlDOS拒绝服务攻击lDDOS分布式拒绝服务攻击l利用TCP/IP缺陷常见DOS工具Bonk通过发送大量伪造的UDP数据包导致系统重启动 TearDrop通过发送重叠的IP碎片导致系统的TCP/IP栈崩溃 SynFlood通过发送大量伪造源IP的基于SYN的TCP请求导致系统重启动 Bloop 通过发送大量的ICMP数据包导致系统变慢甚至凝固 Jolt 通过大量伪造的ICMP和UDP导致系统变的非常慢甚至重新启动 SynFlood原理Syn 伪造源地址(1.1.1.1)IP:211.100.23.11.1.1.1(TCP连接无法建立，造成TCP等待超时）Ack 大量的伪造数据包发向服务器端DDOS攻击l黑客控制了多台服务器，然后每一台服务器都集中向一台服务器进行DOS攻击DDOS攻击示意图分布式拒绝服务攻击分布式拒绝服务攻击步骤1ScanningProgram不安全的计算机不安全的计算机Hacker攻击者使用扫描攻击者使用扫描工具探测扫描大工具探测扫描大量主机以寻找潜量主机以寻找潜在入侵目标。在入侵目标。1Internet分布式拒绝服务攻击步骤2Hacker被控制的计算机被控制的计算机(代理端代理端)黑客设法入侵有安全漏洞黑客设法入侵有安全漏洞的主机并获取控制权。这的主机并获取控制权。这些主机将被用于放置后门、些主机将被用于放置后门、sniffer或守护程序甚至是或守护程序甚至是客户程序。客户程序。2Internet分布式拒绝服务攻击步骤3Hacker 黑客在得到入侵计算机黑客在得到入侵计算机清单后，从中选出满足建清单后，从中选出满足建立网络所需要的主机，放立网络所需要的主机，放置已编译好的守护程序，置已编译好的守护程序，并对被控制的计算机发送并对被控制的计算机发送命令。命令。3被控制计算机（代理端）被控制计算机（代理端）MasterServerInternetHacker Using Client program,黑客发送控制命令给主机，准黑客发送控制命令给主机，准备启动对目标系统的攻击备启动对目标系统的攻击4被控制计算机（代理端）被控制计算机（代理端）TargetedSystemMasterServerInternet分布式拒绝服务攻击步骤4Targeted SystemHacker 主机发送攻击信号给被控主机发送攻击信号给被控制计算机开始对目标系统制计算机开始对目标系统发起攻击发起攻击。5MasterServerInternet被控制计算机（代理端）被控制计算机（代理端）分布式拒绝服务攻击步骤5分布式拒绝服务攻击步骤6TargetedSystemHacker 目标系统被无数的伪造目标系统被无数的伪造的请求所淹没，从而无法的请求所淹没，从而无法对合法用户进行响应，对合法用户进行响应，DDOS攻击成功。攻击成功。6MasterServerUserRequest DeniedInternet被控制计算机（代理端）被控制计算机（代理端）分布式拒绝服务攻击的效果l整个过程是自动化的l攻击者能够在5秒钟内入侵一台主机并安装攻击工具也就是说，在短短的一小时内可以入侵数千台主机l并使某一台主机可能要遭受1000MB/S数据量的猛烈攻击这一数据量相当于1.04亿人同时拨打某公司的一部电话号码BGP 网络DDOS攻击的解决案例l实验演示。（一定程度保密协议的案例）