What was the Mongol invasion like?

The history of the Mongolian army’s Western Expeditions

Historically, the Mongolian army launched several large-scale Western expeditions in the 13th century. With fewer troops and long logistical supply lines, it defeated all its enemies (not counting the defeat by the Muslims at the Battle of Ain Jalut in 1260), changed the history of all of Asia and Europe, and also promoted the military revolution in Europe and the Near East.

In these western expeditions, the number of Mongolian troops was usually very small, with a total of only about 200,000 at most (on the European battlefield it never exceeded 150,000). The number of people in a single battle was even smaller, and there was nothing like the scene in the battle with the Jin Dynasty at Junzhou in the Central Plains, with "layers upon layers, 20 miles thick". What are the reasons for this? I would like to analyze it from the following aspects.

The Mongol Invasion of Fu Wu Rat

The strength was the worst in the Three Kingdoms era, average in the Four Kingdoms era, and medium in the Five Kingdoms era. The people were hardworking and united and resisted several attacks from the Cat Kingdom.

King: Rat King

Marshal: Fufu Rat

Military Advisor: Confucian Master, Confucian Rat

General: Yiyi Rat, Xiangxiang Rat, Jiji Rat

Special Forces: Ghost Troops, King Kong Troops (the original Hammer Troops, which became very powerful after being trained by Fufu Rats.)

Commander-in-Chief of Special Forces: Princess Alan and Fu Fu Mouse

How the network was invaded

Therefore, it is necessary to understand the general process of network intrusion; only on this basis can we formulate defense strategies to ensure network security.

Network security issues

Generally speaking, computer network security issues are the vulnerabilities of the computer system itself and other human factors that constitute potential threats to the computer network. On the one hand, computer system hardware and communication facilities are extremely vulnerable to the effects of the natural environment (such as temperature, humidity and electromagnetic fields) as well as natural disasters and man-made physical damage (both intentional and unintentional). On the other hand, the software resources and data in the computer are vulnerable to attacks such as illegal theft, copying, tampering and destruction. At the same time, the natural wear and tear of the computer system's hardware and software also affects the normal operation of the system, causing damage, loss and security accidents to information in the computer network system.

Network intrusion process

The network intrusion process is: information collection → system security detection → implementation of attacks. For example, first use the Ping tool to obtain the IP address, and then use port scanning to find vulnerabilities and invade the server. The network intrusion diagram is as shown in the attached figure: the user on node B is trying to establish a Telnet connection with a host on node A.

Network attack techniques

The network attack techniques currently in common use for illegal intrusions are:

1. Exploiting trust in and dependence on networks and protocols, and transmission vulnerabilities. Examples are IP spoofing, which exploits the trust placed in IP and DNS during network transmission; packet sniffers, which exploit the fact that network information is transmitted in plain text; and password theft by dictionary attack (the attacker uses words in the dictionary to try the user's password) or sniffing (network eavesdropping).

2. Exploiting defects and configuration errors in the service process.

3. Exploiting vulnerabilities in the operating system itself.

People are the weakest link

To ensure network security, you should defend against intrusions through server vulnerabilities, the operating system and network transmission. In network security, people are the weakest link. The most successful intrusions often do not require advanced knowledge and complex technology. Practice has proved that many insecure factors are precisely reflected in organizational management.

1. Scanning for potential victims. Extensive scanning activity began in 1997. Nowadays, new scanning tools take advantage of more advanced scanning technology and are more powerful and faster.

2. Invading systems with vulnerabilities. Previously, attacks on vulnerable systems occurred after extensive scanning. Attack tools are now designed to exploit vulnerabilities as part of their scanning activities, greatly speeding up the process of intrusion.

3. Attack spread. Before 2000, attack tools required a human to initiate the rest of the attack process. Attack tools are now able to automate new attack processes. Tools such as Code Red and the Nimda virus spread around the world within 18 hours.

4. Collaborative management of attack tools. Since 1999, with the emergence of distributed attack tools, attackers have been able to launch attacks using a large number of attack tools distributed across the Internet.

Now, attackers can launch distributed denial-of-service attacks more effectively. The collaboration function makes use of a large number of popular protocols such as IRC (Internet Relay Chat) and IM (Instant Messaging).

What is the definition of intrusion detection IDS?

The concept of intrusion detection system

Intrusion behavior mainly refers to the unauthorized use of system resources, which can cause the loss and destruction of system data, system denial of service and other hazards. For intrusion detection, network attacks can be divided into 4 categories:

① Attacks that can be detected by checking the header of a single IP packet (including TCP and UDP), such as winnuke, ping of death, land.c, some OS detection, source routing, etc.

② Attacks that involve a single IP packet but can only be detected by checking the data segment information as well, such as the use of CGI vulnerabilities, buffer overflow attacks, etc.

③ Attacks that can only be detected by measuring the frequency of occurrence, such as port scanning, SYN flood, smurf attacks, etc.

④ Attacks using fragmentation, such as teardrop, nestea, jolt, etc. This type of attack exploits various vulnerabilities in the fragment reassembly algorithm. To detect this type of attack, reassembly must be attempted in advance (when the IP layer is receiving or forwarding, not when sending to the upper layer). Fragments can be used not only for attacks, but also to evade detection by intrusion detection systems that do not attempt to reassemble the fragments.
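The four categories above, as an added example that is not part of the original page: one check per category, run over constructed packet records, including a payload signature that per-packet inspection misses and reassembly catches. The signature string, the scan threshold and the simplified record layout (byte offsets instead of 8-byte fragment units) are assumptions.

```python
from collections import defaultdict

SIG = b"/cgi-bin/example-vuln"        # hypothetical payload signature
SCAN_PORTS, SCAN_WINDOW = 10, 5.0     # assumed threshold: distinct ports within seconds

def pkt(t, src, dst, sport, dport, payload=b"", ip_id=0, off=None):
    # Simplified IP packet record; off is the fragment's byte offset (None = unfragmented).
    return dict(t=t, src=src, dst=dst, sport=sport, dport=dport,
                payload=payload, ip_id=ip_id, off=off)

def header_check(p):
    """Category 1: one header is enough (land-style: source equals destination)."""
    return p["src"] == p["dst"] and p["sport"] == p["dport"]

def payload_check(data):
    """Category 2: the data segment has to be inspected as well."""
    return SIG in data

def scan_sources(packets):
    """Category 3: only frequency shows it (many distinct ports in a short window)."""
    seen, flagged = defaultdict(list), set()
    for p in sorted(packets, key=lambda p: p["t"]):
        seen[p["src"]].append((p["t"], p["dport"]))
        recent = {port for t, port in seen[p["src"]] if p["t"] - t <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS:
            flagged.add(p["src"])
    return flagged

def reassemble(packets):
    """Category 4: rebuild datagrams and note overlapping fragments (teardrop-style)."""
    groups, datagrams, overlaps = defaultdict(list), {}, set()
    for p in packets:
        if p["off"] is not None:
            groups[(p["src"], p["dst"], p["ip_id"])].append(p)
    for key, frags in groups.items():
        buf, end = bytearray(), 0
        for p in sorted(frags, key=lambda p: p["off"]):
            if p["off"] < end:
                overlaps.add(key)
            buf.extend(bytes(max(0, p["off"] - len(buf))))   # zero-fill any gap
            buf[p["off"]:p["off"] + len(p["payload"])] = p["payload"]
            end = max(end, p["off"] + len(p["payload"]))
        datagrams[key] = bytes(buf)
    return datagrams, overlaps

def analyze(packets):
    alerts = [("header", p["src"]) for p in packets if header_check(p)]
    # Per-packet payload inspection, as an IDS that does not reassemble would do it.
    alerts += [("payload", p["src"]) for p in packets if payload_check(p["payload"])]
    alerts += [("frequency", src) for src in sorted(scan_sources(packets))]
    datagrams, overlaps = reassemble(packets)
    alerts += [("fragment-overlap", key[0]) for key in sorted(overlaps)]
    alerts += [("payload-after-reassembly", key[0])
               for key, data in sorted(datagrams.items()) if payload_check(data)]
    return alerts

# Constructed sample traffic (not a real capture); addresses are private-range examples.
SAMPLE = [
    pkt(0.0, "10.0.0.5", "10.0.0.5", 139, 139),
    pkt(1.0, "10.0.0.7", "10.0.0.9", 40000, 80, b"GET " + SIG),
    *[pkt(2.0 + i / 10, "10.0.0.8", "10.0.0.9", 40001, 20 + i) for i in range(12)],
    pkt(4.0, "10.0.0.6", "10.0.0.9", 0, 0, b"A" * 16, ip_id=7, off=0),
    pkt(4.0, "10.0.0.6", "10.0.0.9", 0, 0, b"B" * 8, ip_id=7, off=8),
    pkt(5.0, "10.0.0.4", "10.0.0.9", 40002, 80, b"GET /cgi-bin/ex", ip_id=9, off=0),
    pkt(5.0, "10.0.0.4", "10.0.0.9", 40002, 80, b"ample-vuln", ip_id=9, off=15),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The last alert comes only from the reassembled datagram: neither fragment from 10.0.0.4 contains the signature on its own.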

Intrusion detection collects and analyzes information from several key points in a computer network or computer system to discover whether there are any violations of security policies and signs of attack in the network or system. The combination of software and hardware for intrusion detection is an intrusion detection system.

The main tasks performed by the intrusion detection system include: monitoring and analyzing user and system activities; auditing system structure and weaknesses; identifying and reflecting known attack activity patterns, and alerting relevant persons; statistical analysis of abnormal behavior patterns; assessing the integrity of important systems and data files; auditing, tracking and managing operating systems, and identifying user violations of security policies. Intrusion detection is generally divided into three steps, namely information collection, data analysis, and response (passive response and active response).

The information collected includes the status and behavior of systems, networks, data and user activities. The information used in intrusion detection generally comes from four aspects: abnormal changes in system logs, directories and files, abnormal behavior in program execution, and physical form of intrusion information.

Data analysis is the core of intrusion detection. It first builds an analyzer, preprocesses the collected information, builds a behavior analysis engine or model, then implants time data into the model, and saves the model with embedded data in the knowledge base. Data analysis is generally carried out through three methods: pattern matching, statistical analysis and integrity analysis. The first two methods are used for real-time intrusion detection, while integrity analysis is used for post-event analysis. Five statistical models can be used for data analysis: operational model, variance, multivariate model, Markov process model, and time series analysis. The biggest advantage of statistical analysis is that it can learn users’ usage habits.

The intrusion detection system will respond promptly after discovering an intrusion, including cutting off network connections, recording events and raising alarms. Responses are generally divided into two types: active response (stopping the attack or influencing and thus changing the course of the attack) and passive response (reporting and recording the detected problem). Active responses are user-driven or automated by the system itself and can take action against intruders (such as disconnecting), correct the system environment, or collect useful information; passive responses include alerts and notifications, Simple Network Management Protocol (SNMP) traps, plug-ins, etc. In addition, responses can also be configured according to policies, and actions such as immediate, emergency, timely, local long-term and global long-term can be taken respectively.

IDS classification

Generally speaking, intrusion detection systems can be divided into host type and network type.

Host-type intrusion detection systems often use system logs, application logs, etc. as data sources. Of course, they can also collect information from the host through other means (such as monitoring system calls) for analysis. Host-type intrusion detection systems generally protect the system where they are located.

The data source of the network-based intrusion detection system is the data packets on the network. Often a machine's network card is set to promiscuous mode to monitor all data packets in the network segment and make judgments. Generally, network-based intrusion detection systems are responsible for protecting the entire network segment.

It is not difficult to see that the main advantage of network-based IDS is simplicity: only one or several such systems need to be installed on a network segment to monitor the entire network segment. And since a separate computer is often used for such applications, it will not increase the load on the host running key services. However, due to the increasing complexity of the current network and the popularity of high-speed networks, this structure is facing increasing challenges. A typical example is switched Ethernet.

The disadvantages of host-type IDS are obvious: different programs must be developed for different platforms, system load is increased, a large number of installations are required, and so on. However, its internal structure is not subject to any constraints, and it can use functions provided by the operating system itself, combined with anomaly analysis, to report attack behaviors more accurately. Reference [7] describes this; interested readers can refer to it.

Several components of an intrusion detection system are often located on different hosts. Generally speaking, there will be three machines running the event generator, event analyzer and response unit respectively. Put the first two together and only need two units. When installing IDS, the key is to choose the location of the data collection part, because it determines the visibility of the "event".

For host-type IDS, its data collection part is of course located on the host it monitors.

For network-type IDS, there are many possibilities for the data collection part:

(1) If the network segments are connected with a bus-type hub, it can simply be connected to one port of the hub;

(2) For switched Ethernet switches, the problem will become complicated. Since switches do not share media, the traditional method of using a sniffer to monitor the entire subnet is no longer feasible. Possible solutions are:

a. There is generally a port for debugging (span port) on the core chip of the switch, and the incoming and outgoing information of any other port can be obtained from this. If the switch manufacturer opens this port, the user can connect the IDS system to this port.

Advantages: No need to change the IDS architecture.

Disadvantage: Using this port will reduce switch performance.

b. Place the intrusion detection system inside the switch or inside the firewall at key entrances and exits of data flow.

Advantages: Almost all key data available.

Disadvantages: Must work closely with other vendors, and will reduce network performance.

c. Use a tap and connect it to all lines to be monitored.

Advantages: Collects the required information without degrading network performance.

Disadvantages: Additional equipment (Tap) must be purchased; if there are many resources to be protected, the IDS must be equipped with numerous network interfaces.

d. Perhaps the only theoretically unrestricted method is to use a host-based IDS.

Communication protocol

IDS system components need to communicate with each other, and IDS systems from different manufacturers also need to communicate with each other. Therefore, it is necessary to define a unified protocol so that various parts can communicate according to the standards established by the protocol.

The IETF currently has a dedicated group, the Intrusion Detection Working Group (IDWG), responsible for defining this communication format, called the Intrusion Detection Exchange Format. At present, there is only a relevant draft (Internet draft) and no formal RFC document has been formed. Nonetheless, the draft provides certain guidelines for communication between various parts of IDS and even between different IDS systems.

IAP (Intrusion Alert Protocol) is an application layer protocol developed by IDWG and runs on TCP. Its design refers to HTTP to a large extent, but it adds many other functions (such as the ability to download from any end-initiated connection, combined with encryption, authentication, etc.). For the specific implementation of IAP, please refer to [4], which gives a very detailed description. Here we mainly discuss the issues that should be considered when designing a communication protocol for an intrusion detection system:

(1) The information transmitted between the analysis system and the control system is very important, so the authenticity and integrity of the data must be maintained. There must be a mechanism for authenticating the communicating parties and for confidential transmission (preventing both active and passive attacks).

(2) Both parties to the communication may be interrupted due to abnormal circumstances, and the IDS system must have additional measures to ensure the normal operation of the system.

Intrusion detection technology

Analyzing various events and discovering violations of security policies is the core function of the intrusion detection system. Technically, intrusion detection is divided into two categories: signature-based and anomaly-based.

For signature-based detection technology, it is first necessary to define the characteristics of events that violate security policies, such as certain header information of network data packets. Detection mainly determines whether such features appear in the collected data. This method is very similar to antivirus software.

Anomaly-based detection technology first defines a set of values for the "normal" conditions of the system, such as CPU utilization, memory utilization, file checksums, etc. (this type of data can be defined manually, or it can be obtained by observing the system and using statistical methods), and then compares the values when the system is running with the defined "normal" conditions to determine whether there are signs of being attacked. Central to this approach is how to define what is considered "normal."

There are very big differences in the methods used and the conclusions drawn by the two detection technologies. The core of signature-based detection technology is to maintain a knowledge base. For known attacks, it can report the attack type in detail and accurately, but it has limited effect on unknown attacks, and the knowledge base must be constantly updated. Anomaly-based detection technology cannot accurately identify attack methods, but it can (at least in theory) identify broader, or even previously undiscovered, attacks.

If conditions permit, the combined detection of the two will achieve better results.
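The anomaly-based approach described above, as an added example that is not part of the original page: "normal" is learned from observation (mean and standard deviation per metric, a checksum per file) and running values are compared against it. The metric names, file paths, sample values and the 3-sigma threshold `k` are assumptions constructed for illustration.

```python
import hashlib
import statistics

# Constructed observations, taken while the system is assumed to be clean.
HISTORY = {
    "cpu_percent": [12, 15, 11, 14, 13, 16, 12, 15],
    "mem_percent": [41, 43, 40, 42, 44, 41, 42, 43],
}
CLEAN_FILES = {  # hypothetical paths and contents
    "/etc/example/service.conf": b"listen=127.0.0.1\nauth=required\n",
    "/usr/local/bin/example-tool": b"constructed binary contents",
}

def digest(data):
    return hashlib.sha256(data).hexdigest()

def learn_baseline(history, files):
    """Define "normal": mean and standard deviation per metric, checksum per file."""
    metrics = {m: (statistics.mean(v), statistics.stdev(v)) for m, v in history.items()}
    sums = {path: digest(data) for path, data in files.items()}
    return {"metrics": metrics, "files": sums}

def compare(baseline, sample, files, k=3.0):
    """Compare running values with the baseline; return a sorted list of deviations."""
    findings = []
    for metric, value in sample.items():
        mean, std = baseline["metrics"][metric]
        if abs(value - mean) > k * std:      # the choice of k decides what counts as normal
            findings.append(f"metric:{metric}")
    for path, known in baseline["files"].items():
        if path not in files:
            findings.append(f"missing:{path}")
        elif digest(files[path]) != known:
            findings.append(f"changed:{path}")
    for path in files.keys() - baseline["files"].keys():
        findings.append(f"new:{path}")
    return sorted(findings)

BASELINE = learn_baseline(HISTORY, CLEAN_FILES)

def demo():
    # A busy but ordinary moment: inside the learned range, so nothing is reported.
    quiet = compare(BASELINE, {"cpu_percent": 17, "mem_percent": 42}, CLEAN_FILES)
    # Later state (constructed): a config file rewritten, a file added, CPU pinned.
    later = dict(CLEAN_FILES)
    later["/etc/example/service.conf"] = b"listen=0.0.0.0\nauth=none\n"
    later["/etc/example/extra.conf"] = b"constructed\n"
    noisy = compare(BASELINE, {"cpu_percent": 96, "mem_percent": 43}, later)
    return quiet, noisy

if __name__ == "__main__":
    print(demo())
```

The findings say that something deviates, not which attack caused it, which is the limitation of anomaly-based detection noted above.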

Intrusion detection system technology and main methods

Intrusion detection system technology

Probabilistic statistical methods, expert systems, neural networks, pattern matching, behavioral analysis, etc. can be used to implement the detection mechanism of the intrusion detection system, which analyzes the audit records of events, identifies specific patterns, and generates detection reports and final analysis results.

Intrusion detection generally uses the following two technologies:

① Anomaly detection technology assumes that all intrusion behaviors are different from normal behaviors. Its principle is that assuming that the trajectory of the system's normal behavior can be established, all system states that are different from the normal trajectory are regarded as suspicious attempts. The selection of anomaly thresholds and features is the key to its success or failure. Its limitation is that not all intrusions appear as abnormalities, and the trajectory of the system is difficult to calculate and update.

② Pattern discovery technology assumes that all intrusion behaviors and methods (and their variants) can be expressed as a pattern or feature, so that all known intrusion methods can be discovered by matching. The key to pattern discovery technology is how to express the pattern of intrusion so as to correctly distinguish real intrusion from normal behavior. The advantage of pattern discovery is that there are fewer false positives, but the limitation is that it can only detect known attacks and is powerless against unknown attacks.

Main methods of intrusion detection

Static configuration analysis

Static configuration analysis checks the current configuration of the system, such as the contents of system files or system tables, to determine whether the system has been or may be compromised. Static refers to examining the static characteristics of the system (system configuration information), rather than the activities in the system.

The main reasons for using static analysis methods are as follows: intruders may leave traces when they attack the system, which can be detected by checking the status of the system; system administrators and users inevitably make some errors or omit some security measures when setting up the system; in addition, after the system is attacked, the intruder may install backdoors in the system to facilitate further attacks on it.

Therefore, the static configuration analysis method needs to understand the flaws of the system as much as possible, otherwise the intruder can simply use the unknown security flaws in the system to avoid the detection system.

How do Mongolian girls dress?

Because the Mongolian people have lived in the Saibei grassland for a long time, both men and women of the Mongolian people like to wear long robes. Winter clothes in pastoral areas are mostly made of bare leather, but there are also clothes made of satin or cotton. Summer clothes are mostly made of cloth. The robe has a fat body and long sleeves, and is mostly red, yellow or dark blue. There are no slits at the hem of men's or women's robes. Belts are made of red and green satin.

What are Mongolian funerals like?

Mongolian funeral customs took shape early on in the context of Lamaism.

The Mongols call death "becoming a god" and "returning to heaven". They also use the words "death" and "passing away" that the Han people call. Sometimes they say someone "went to Hades." The most common ones are "dead", "gone" and "gone", which are probably the same all over the world. The "original" information my father sent me said that it was the name for death by people who had not read the book. The brave and capable Mongolians emphasized that when their enemy dies, it is called "get out".

After the death of the Mongols, the size of the coffin used was not determined based on body shape and age, but based on power, wealth, and poverty.

After the death of a wealthy person, those buried standing up are called "standing materials"; those who sit down are called "sitting materials"; and those who lie down are called "lying materials". When the Mongols of the Alxa League died, they wrapped the body in a whole piece of cloth and buried it, which was called "cloth material"; after the death of pregnant women, they buried it with only clothes on it, which was called "clothing material"; after the death of poor people, they buried their bodies naked. The corpse is called "naked burial".

", put the body on the back of the camel with a white cloth, and walk aimlessly. Wherever the body falls, there is a cemetery, and the camel is buried with it. Mongolians do not use chariots for funerals. Chariots are the most taboo method for Mongolians.

There are four ways of burial in Mongolian funerals:

Cremation: Lamas, pregnant women, and those who commit suicide (dying who do not deserve to die) are burned after death;

Burial: Princes, aristocrats, and wealthy people are buried in coffins after death;

Wild burial: Most of them are poor people, who throw their bodies in the wild to be eaten by wolves, dogs and other wild animals;

Water burial: rarely used, only some people can use it.

In the whole process of the funeral, encoffining is more particular. Local people with authority will make a big deal out of it. Wash the deceased's face, comb his hair, dress him, hold money in his mouth, and ask the lama to recite sutras for one to three days, and then recite them again on the forty-ninth day, once on the hundredth day, and even again on the third year. During the burial, relatives and friends brought nine or twenty-one embroidery needles, threaded them with various silk threads, and "Cihada" (called "Sangbai" by Mongolians). Then relatives and friends chant sutras, pray, and the dead ascend to heaven. The Mongolian people asked the lama to be optimistic about "feng shui" and point out the "direction of burial" and make the "form of burial". The Mongols do not invite bands such as "drummers" (drummers).

Mongolian relatives and friends who come to mourn, or guests who come to mourn the deceased Mongolian, also have mourning etiquette to abide by.

1. When mourning: It is forbidden to cry loudly, and you can only shed tears silently to express your deep condolences. Crying loudly will frighten the dead, and crying too much will be considered a river of tears. The dead will not be able to cross the river and will not be able to reach heaven.

2. Chanting, seeking sutras, and kowtowing: queue up according to generation to kowtow to the dead. But the paper is not burned, only the offerings are burned.

3. Mourning: The mourning period is 7 days, 21 days, 49 days, 100 days, or even 1 year or 3 years. The latter two are rarely used by people.

Those who have mourned for 7 days will "remove filial piety" on the 8th day; those who have mourned for 21 days will "remove filial piety" on the 22nd day. In short, the day after the mourning period is the "removal of filial piety day".

4. The strict rules and precepts during the period of mourning: do not participate in any entertainment activities, do not cut hair, do not shave, do not wear jewelry, wear black clothes, black veil, and black headband.

During the funeral period, the Mongolians also eat differently from their daily diet. At this time, they do not drink milk tea, but only brick tea; they eat only fried snacks (pastry) fried with sesame seeds, rice porridge, and pieces of meat; they do not eat "sheep's back", do not eat whole sheep, and do not eat meat for weddings. Before eating and drinking, food should be offered to heaven and earth, and food should be burned. Drinking alcohol is taboo. However, during the ceremony, the food burned must contain wine.

The last part of the funeral is to give thanks. After the deceased is buried, the deceased's belongings, clothing, riding, etc. are handed over to the lama. In addition, some cattle, sheep, horses with saddles, camels, and "present oceans" should be given to the people and lamas who come to help. The current price is determined based on the social conditions and currency circulation conditions at that time. Furs, felts and yurts are also given to helpers.

What does Inner Mongolia look like in spring?

The green ground looks extremely beautiful