1 Overview of network attacks
Network security is a perennial topic: a computer cannot be made completely safe as long as it is connected to a network, and networks carry security holes at all times. As programs are upgraded, old vulnerabilities are patched and new risks appear. The essence of a network attack is to find every possible security defect in a network in order to compromise the system and its resources.
Network attacks generally proceed in three stages:
Stage 1: obtain a login account.
The primary goal when attacking a UNIX system is to obtain a login account and its password. Attackers usually try first to obtain the encrypted password file, in /etc/passwd or in the NIS map, and then crack it offline. With the help of a password dictionary, a tool such as Crack can recover an account in a few minutes.
Stage 2: obtain root access.
Once inside the system, the intruder collects all kinds of information, looks for weaknesses in the system, and tries to gain root privileges by exploiting defects in the network itself, for example an NFS export that allows unrestricted root read and write access. Under the NFS protocol, the client first exchanges information with the server's mount daemon; after that exchange it sends requests to the NFS daemon, through which the client reads or writes files on the server. So once the client has mounted the file system and opened a file, an intruder who sends a suitably crafted UDP datagram can get the server to process it as an NFS request and send the result back to the client. If the request is a write, the intruder can write data onto the server's disk; if it is a read, the intruder can use a sniffer placed between server and client to learn the contents of the server's disk, and from there work towards root access.
Stage 3: extend access.
Once the intruder holds root, the compromised system can be used to attack other systems on the network. For example, the login daemon can be modified to capture passwords; a packet sniffer can be added to capture passwords from network traffic; or standalone tools can be used to patch the UNIX kernel at runtime so as to intercept any user's terminal and connections and gain access to remote hosts.
2 Types of attacks and their analysis
Common attacks can usually be divided into the following categories:
2.1 Denial of service attack
A denial of service attack does not destroy data; it denies service to users. It is usually achieved by swamping the system with a large amount of irrelevant information or by sending it destructive commands. For example, after an intruder has broken into one system, he can send a flood of traffic to other systems associated with it, so that the receiving systems are overloaded and malfunction or even grind to a halt. The main purpose of such an attack is to slow the target server down, fill up its available disk space and consume its resources with useless data, so that the server cannot respond in time, while the attacker tries to log in to an authorized account from a workstation. For example, when the workstation requests NIS passwd information from the attacked server, the attacker's machine answers in place of the attacked server, exploiting the fact that the attacked server cannot respond in time, and supplies false information, such as an entry with no password. Because the attacked server cannot receive the packets or respond in time, the workstation treats the bogus response as correct, and the attacker logs in successfully with the fake passwd entry.
2.2 SYN attack
A SYN attack is similar to a denial of service attack: it breaks the normal handshake relationship of a connection. In a SYN attack the attacker's computer sends the target a large number of SYN requests but never answers the SYN-ACK replies it receives. A computer normally has a default limit on how many outstanding SYN-ACK entries it will keep; once that number is reached, nobody else can begin a handshake, which means nobody else can access the system, and the network may eventually collapse.
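The SYN attack above shows up on the victim as a backlog of half-open connections. The following added example (not from the original article) parses a constructed `netstat -ant`-style listing, counts SYN_RECV entries per local port and lists the distinct sources holding those slots; the threshold value is illustrative, since real backlog limits are much larger.

```python
"""Spot a filling SYN backlog from netstat-style output.

Added example, not from the original article. The listing below is
constructed to look like `netstat -ant` output; the threshold is illustrative.
"""
from collections import Counter

# Constructed sample: one web server with several half-open (SYN_RECV) entries.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
tcp        0      0 192.0.2.10:80          203.0.113.21:40001     SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.22:40002     SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.23:40003     SYN_RECV
tcp        0      0 192.0.2.10:80          203.0.113.24:40004     SYN_RECV
tcp        0      0 192.0.2.10:22          198.51.100.9:55000     ESTABLISHED
tcp        0      0 192.0.2.10:22          198.51.100.9:55001     SYN_RECV
"""


def parse_sockets(netstat_text):
    """Yield (local_port, foreign_ip, state) for each TCP line."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue
        local_port = int(fields[3].rsplit(":", 1)[1])
        foreign_ip = fields[4].rsplit(":", 1)[0]
        yield local_port, foreign_ip, fields[5]


def half_open_by_port(netstat_text):
    """Map local port -> number of SYN_RECV (half-open) entries."""
    counts = Counter()
    for port, _ip, state in parse_sockets(netstat_text):
        if state == "SYN_RECV":
            counts[port] += 1
    return dict(counts)


def half_open_sources(netstat_text, port):
    """Distinct foreign addresses holding half-open slots on a port; many
    sources that never complete the handshake is the flood signature."""
    return sorted({ip for p, ip, state in parse_sockets(netstat_text)
                   if p == port and state == "SYN_RECV"})


def suspicious_ports(netstat_text, threshold):
    """Ports whose half-open count reaches the threshold (backlog filling)."""
    return sorted(port for port, n in half_open_by_port(netstat_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for port in suspicious_ports(SAMPLE_NETSTAT, 3):
        print(f"port {port}: {half_open_by_port(SAMPLE_NETSTAT)[port]} half-open "
              f"from {half_open_sources(SAMPLE_NETSTAT, port)}")
```

On a real host the same counting can be done from `netstat -ant` or `ss -tan` output; a backlog that stays full while the sources never progress to ESTABLISHED is the signal to look at SYN cookies or backlog tuning.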
2.3 Web spoofing
The key to a web spoofing attack is to logically place a web server forged by the attacker between the user and the destination web server, so that all of the user's traffic is under the attacker's surveillance. Two techniques are generally used in web spoofing: URL rewriting and masking of related information. With URL rewriting, the attacker rewrites all the URLs on some important websites so that they point to the attacker's web server; in practice the attacker prepends the URL of his own site to every URL. For example, if the attacker's site is at one address and the legitimate site at another, then after rewriting the attacker's address is placed in front of the legitimate one, and the link becomes attacker-address/legitimate-address. When the user establishes a secure connection to the website, he enters the attacker's server without any defence. The user's browser first requests the page from the attacker's server; the attacker's server requests it from the real target server; the target server returns the page to the attacker's server, which rewrites the returned page and then passes it on to the user. The browser presents a secure connection to the user, but the other end of that connection is the attacker's server. Everything the user submits to the real web server and everything the real web server sends back must pass through, and is controlled by, the attacker's server, and the attacker can record and modify all of it. Because browsers generally have an address bar and a status bar that show the address of the connected website and related transfer information, users could notice the problem.
Attackers therefore usually also use the second technique, masking of related information: JavaScript programs that cover up the traces of the deception.
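A rewritten link has a recognisable shape: it points at a host other than the site it claims to serve, and another absolute URL is embedded in its path or query string. The following added example (not from the original article) checks links in a constructed HTML fragment for that shape; `bank.example` and `attacker.example` are made-up host names.

```python
"""Flag links rewritten to route through a proxy server.

Added example, not from the original article. Host names are constructed;
`bank.example` stands for the legitimate site.
"""
import re
from urllib.parse import urlparse, unquote

ABSOLUTE_URL = re.compile(r'https?://[^\s"\'<>]+')
HREF = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)


def check_link(href, expected_host):
    """Classify one link. A link is suspicious when it points at a host other
    than the expected one and carries another absolute URL inside its path or
    query, the shape produced by prepending the attacker's address."""
    parsed = urlparse(href)
    tail = unquote(parsed.path)
    if parsed.query:
        tail += "?" + unquote(parsed.query)   # also catches percent-encoded URLs
    embedded = ABSOLUTE_URL.findall(tail)
    host_ok = parsed.hostname == expected_host
    return {"host_matches": host_ok,
            "embedded": embedded,
            "suspicious": (not host_ok) and bool(embedded)}


def suspicious_links(html, expected_host):
    """Return the hrefs in an HTML fragment that look proxied."""
    return [h for h in HREF.findall(html)
            if check_link(h, expected_host)["suspicious"]]


# Constructed page fragment: one clean link, one on-site redirect, two rewritten.
SAMPLE_HTML = """
<a href="https://bank.example/login">Log in</a>
<a href="https://bank.example/go?next=https://bank.example/home">Home</a>
<a href="http://attacker.example/http://bank.example/login">Log in</a>
<a href="http://attacker.example/?u=https%3A%2F%2Fbank.example%2Faccount">Account</a>
"""

if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_HTML, "bank.example"):
        print("rewritten link:", href)
```

The second link in the sample is an on-site redirect that also embeds a URL, which is why the check requires both conditions; comparing the host name against what the user intended is what the address bar does, and what the JavaScript masking described above tries to hide.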
2.4 TCP/IP spoofing attack
IP spoofing can occur at every layer of the IP stack: the data link layer, the IP layer, the transport layer and the application layer. If a lower layer is compromised, every application-layer protocol above it is in danger. Moreover, because users do not communicate directly with these underlying layers, and sometimes are not even aware that they exist, attacks on them are all the more deceptive.
IP spoofing is usually carried out by an external computer masquerading as another, legitimate machine. The attacker can disrupt the normal data flow on the link between two machines or insert data into it. The purpose of the disguise is to trick other machines on the network into accepting the attacker as a legitimate machine, so that they send it data or allow it to modify data.
Many applications were designed to trust the sender's IP address: if a packet can reach its destination and the reply can find its way back to the origin, the source IP address is taken to be valid. An attacker can therefore cheat by sending an IP datagram whose source address belongs to another machine.
On the one hand, some router configurations make a network more vulnerable to IP spoofing. For example, some routers do not check the source information of IP packets: all IP packets arriving on any interface are placed in the same queue and processed one by one, and a packet is forwarded as long as its source address claims to belong to the internal network. A user outside the network can therefore bypass the router's filtering simply by marking packets with an internal source address.
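The router weakness described above is fixed by checking the source address against the interface the packet arrived on. The following added example (not from the original article) expresses that rule as a decision function over constructed address blocks and packets; it also applies the mirror-image check on the internal interface, so that the site cannot be used as the origin of spoofed traffic either.

```python
"""Source-address filtering on a border router as a decision function.

Added example, not from the original article. Address blocks and packets are
constructed; `decide` is a hypothetical helper, not a router's real API.
"""
import ipaddress

# Address blocks this site owns (constructed).
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]
# Sources that can never legitimately arrive from the outside.
NEVER_EXTERNAL = INTERNAL_NETS + [ipaddress.ip_network("127.0.0.0/8"),
                                  ipaddress.ip_network("0.0.0.0/8")]


def is_internal(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in INTERNAL_NETS)


def decide(iface, src):
    """Return "drop" or "forward" for a packet with source src seen on iface.

    external: discard packets that claim an internal (or loopback/unspecified)
              source, which is exactly the spoofing the text describes.
    internal: only let packets with our own addresses out, so this site cannot
              be the origin of spoofed traffic either.
    """
    ip = ipaddress.ip_address(src)
    if iface == "external":
        return "drop" if any(ip in net for net in NEVER_EXTERNAL) else "forward"
    if iface == "internal":
        return "forward" if is_internal(src) else "drop"
    raise ValueError(f"unknown interface {iface!r}")


# Constructed packets: (interface seen on, source address).
SAMPLE_PACKETS = [
    ("external", "198.51.100.7"),   # ordinary outside host
    ("external", "192.0.2.5"),      # outside packet claiming an inside address
    ("external", "127.0.0.1"),      # loopback source from the wire
    ("internal", "10.3.4.5"),       # inside host going out
    ("internal", "203.0.113.9"),    # inside host forging an outside address
]


def filter_packets(packets):
    """Attach a verdict to every packet."""
    return [(iface, src, decide(iface, src)) for iface, src in packets]


def dropped(packets):
    """Source addresses of the packets the filter rejects."""
    return [src for _iface, src, verdict in filter_packets(packets)
            if verdict == "drop"]


if __name__ == "__main__":
    for iface, src, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:8} {src:15} {verdict}")
```

The same two rules are what router access lists or `iptables`/`nftables` rules on an interface pair implement; the point the text makes is that without the first rule, a packet's claimed source address is the only thing the router looks at.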
On the other hand, when an attacker sends a datagram with a forged source IP address, he gets only a one-way, blind request: he cannot see the replies. If he can also predict the TCP sequence numbers, he can make the receiver believe the traffic is legitimate and so achieve a spoofed TCP connection.
A TCP connection has three phases: (1) establishing the connection; (2) exchanging data; and (3) closing the connection. The most critical is data exchange. TCP assigns a sequence number to every data byte, and every TCP header carries a sequence number field. During data exchange the client sends one or more TCP/IP packets, beginning with a TCP header carrying the SYN flag; the receiver replies with a header carrying both the SYN and ACK flags.
The initial sequence number is chosen randomly. When the receiver receives the client's sequence number it must first acknowledge it: if the acknowledgement number field is valid, it holds the sequence number of the next expected data byte, and the ACK flag is set. After the attacker sends datagrams with a forged IP address, he sees only his own one-way requests, so he must predict the TCP sequence number to get any of his requests accepted. Predicting the sequence number is a process of estimation and guessing. An attacker can place a sniffer between client and server to learn the initial sequence number of a connection; once he has it, he can calculate the next expected sequence number by estimating how much TCP/IP data the sender has transmitted to the receiver, that is, next expected sequence number = initial sequence number + amount of data sent. In fact some TCP/IP implementations do not choose the initial sequence number truly randomly but generate it with a simple random number generator, which produces values in a fixed order, so the actual initial sequence number lies in a limited range and is easier to predict. The predicted sequence number is only an estimate, and three situations can arise.
Case 1: the predicted value is exactly equal to the next sequence number.
If the forged datagram arrives after the legitimate one and contains less data than it, the receiver discards the forged datagram entirely. If the forged datagram contains more data than the legitimate one, the receiver accepts the part of the forged datagram whose sequence numbers lie beyond the legitimate data and discards the part that overlaps it. If the forged datagram arrives before the legitimate one, the receiver discards the legitimate datagram.
Case 2: the predicted value is greater than the next sequence number.
Here the receiver discards any part of the forged datagram that falls beyond the receive window (the input buffer) and holds the preceding part in the buffer until legitimate data has filled the gap between the next expected sequence number and the first byte of the forged datagram; after that the receiver accepts no more.
Case 3: the predicted value is less than the next sequence number.
In this case the leading part of the forged datagram is certainly discarded, but if the forged datagram carries enough data the receiver may accept its later part.
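The three cases are a consequence of how a receiver clips every incoming segment to the range between the next expected byte and the end of its receive window. The following added example (not from the original article) models that clipping with a deliberately simplified receiver and replays each case with constructed byte strings and sequence numbers; it shows why a predictable initial sequence number is the only thing that makes case 1 achievable from outside the connection, and why receivers are otherwise tolerant of misaligned segments.

```python
"""Model how a TCP receiver treats a segment whose sequence number is equal
to, above, or below the next expected byte.

Added example, not from the original article. Receiver state is simplified:
a next-expected pointer, a fixed window, and a map of out-of-order segments
held until the gap before them is filled. Sequence-number wraparound and
overlapping out-of-order segments are not modelled.
"""


def new_receiver(nxt, window):
    """Receiver expecting byte `nxt` next, with `window` bytes of buffer."""
    return {"nxt": nxt, "win": window, "ooo": {}, "delivered": b""}


def receive(state, seq, data):
    """Apply one segment. Returns (bytes accepted, bytes discarded)."""
    nxt, win = state["nxt"], state["win"]
    lo = max(seq, nxt)                    # bytes below nxt were already received
    hi = min(seq + len(data), nxt + win)  # bytes past the window have no room
    if lo >= hi:
        return 0, len(data)
    kept = data[lo - seq:hi - seq]
    if lo == nxt:
        # In order: deliver, then drain any held segment that is now contiguous.
        state["delivered"] += kept
        state["nxt"] += len(kept)
        while state["nxt"] in state["ooo"]:
            chunk = state["ooo"].pop(state["nxt"])
            state["delivered"] += chunk
            state["nxt"] += len(chunk)
    else:
        # Ahead of nxt but inside the window: hold until the gap is filled.
        state["ooo"][lo] = kept
    return len(kept), len(data) - len(kept)


def simulate_cases():
    """Replay the three cases from the text; returns a dict of outcomes."""
    out = {}
    # Case 1: forged segment exactly at the next expected byte.
    r = new_receiver(1000, 100)
    out["exact"] = receive(r, 1000, b"FAKE")
    # Case 1, forged arrives after the legitimate one with less data: all dropped.
    r = new_receiver(1000, 100)
    receive(r, 1000, b"LEGIT5")
    out["late_shorter"] = receive(r, 1000, b"FAKE")
    # Case 1, forged arrives after with more data: only the tail is taken.
    r = new_receiver(1000, 100)
    receive(r, 1000, b"LEGIT5")
    out["late_longer"] = receive(r, 1000, b"FAKEFAKE")
    # Case 1, forged arrives first: the legitimate segment is what gets dropped.
    r = new_receiver(1000, 100)
    receive(r, 1000, b"FAKE")
    out["early"] = receive(r, 1000, b"LEGI")
    # Case 2: prediction above nxt; the part beyond the window is dropped, the
    # rest waits in the buffer until legitimate data fills the gap.
    r = new_receiver(1000, 100)
    out["above"] = receive(r, 1050, b"X" * 80)
    out["above_held"] = len(r["delivered"])
    receive(r, 1000, b"L" * 50)
    out["above_after_fill"] = len(r["delivered"])
    # Case 3: prediction below nxt; the leading part is dropped, the rest accepted.
    r = new_receiver(1000, 100)
    out["below"] = receive(r, 990, b"F" * 20)
    r = new_receiver(1000, 100)
    out["below_short"] = receive(r, 990, b"F" * 5)
    return out


if __name__ == "__main__":
    for case, result in simulate_cases().items():
        print(f"{case:18} {result}")
```

Each tuple is (accepted, discarded); the `above_held` and `above_after_fill` values show the held forged bytes being delivered only once legitimate data has closed the gap, which is what makes the "greater than" case slower but not harmless.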
3 Several common network attacks and their prevention
3.1 Password attack
If a user selects the "Save password" option when dialling up to the Internet, the Internet password is stored in the Windows directory in a file named "username.pwl". If someone happens to see this file, trouble follows, because software such as pwlview that displays its contents is easy to find on the Internet, and the dial-up password will be leaked.
Some people use names, birthdays, phone numbers and the like as passwords; some simply use the same string as their user name. Such a password is easily found in the huge dictionary files used by cracking software.
So how can passwords be protected from attack? Start from the following points: (1) Do not use easily guessed strings such as birthdays, phone numbers and names as passwords. (2) Try not to save the password when going online. (3) Change your password about every half month, and do not shirk the trouble.
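Points (1) and (3) above can be enforced at the moment a password is chosen. The following added example (not from the original article) checks a candidate password against the user name, personal names, birthday and phone number, and against the half-month age limit; the minimum length and the constructed user data are assumptions of the example, not taken from the text.

```python
"""Reject passwords built from the guessable material the text names: the
user name, names, birthday and phone number, plus an age limit of about half
a month.

Added example, not from the original article. User data in the tests is
constructed; the minimum length is an assumption of this example.
"""
import re
from datetime import date

MAX_AGE_DAYS = 15          # "change your password about every half month"
MIN_LENGTH = 8             # assumption, not stated by the text


def _digits(s):
    """Keep only the digits of a string (None becomes an empty string)."""
    return re.sub(r"\D", "", s or "")


def birthday_forms(bday):
    """Digit strings people commonly derive from a birth date."""
    return {bday.strftime(f) for f in ("%Y%m%d", "%y%m%d", "%m%d", "%d%m", "%Y")}


def password_problems(password, username, names=(), birthday=None, phone=None,
                      last_changed=None, today=None):
    """Return a list of reasons the password is weak; empty means acceptable."""
    problems = []
    low = password.lower()
    pw_digits = _digits(password)
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if low == username.lower():
        problems.append("same as user name")
    elif len(username) >= 3 and username.lower() in low:
        problems.append("contains user name")
    for name in names:
        if len(name) >= 3 and name.lower() in low:
            problems.append(f"contains name {name!r}")
    if birthday and any(f in pw_digits for f in birthday_forms(birthday)):
        problems.append("contains birthday")
    if phone:
        ph = _digits(phone)
        # full number or its last seven digits (the local part) inside the password
        if ph and (ph in pw_digits or (len(ph) >= 7 and ph[-7:] in pw_digits)):
            problems.append("contains phone number")
    if last_changed:
        today = today or date.today()
        if (today - last_changed).days > MAX_AGE_DAYS:
            problems.append(f"older than {MAX_AGE_DAYS} days")
    return problems


if __name__ == "__main__":
    # Constructed user record.
    print(password_problems("tom19800314", "tom", names=("Thomas",),
                            birthday=date(1980, 3, 14), phone="555-0142"))
```

The birthday check works on the digits of the password only, so "tom-1980-03-14" is caught as well as "tom19800314"; the age check is what turns point (3) from advice into something the login program can prompt for.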
3.2 Trojan attack
A Trojan horse is a special kind of virus that lurks quietly in the system, for example by modifying the registry. Once the user goes online, the hacker who planted the Trojan can control the computer through the Trojan's server-side program and obtain passwords and other important information, which is very harmful.
To guard against Trojan programs, start from the following points: (1) Install an anti-virus firewall. (2) Be cautious with e-mail of unknown origin and do not open its attachments lightly. (3) Do not download software from small websites; download from large, well-known sites.
3.3 Spam attacks
Spam means sending unsolicited e-mail or mailing lists to other people's mailboxes, which is hard to refuse. Its content includes advertising, electronic magazines, website information and so on. A mailbox flooded by junk mail consumes a great deal of network resources and causes congestion; in serious cases it "bombs" the user's mailbox so that it can no longer work normally.
To guard against spam, start from the following points: (1) Apply for a free e-mail address for external contacts; then, even if that mailbox is bombarded with spam, it can be discarded at any time. (2) Apply for a forwarding mailbox, whose filtering can eliminate most spam. (3) Never reply to spam. (4) Disable cookies. A cookie is a string written to a file named cookies.txt on the hard disk, and any server can read the contents of this file. Hackers can also track your online activity through cookies and obtain your e-mail address. To avoid this, cookies can be set to "Disable" in Internet Explorer.
3.4 Attack through chat software
When users chat with chat software, hackers can use small tools to discover the chat partner's IP address and then bombard that machine with IP bombs, causing a blue screen or a crash. To guard against attacks through chat software, start from the following points: (1) Go online through a proxy server so as to hide your IP address. (2) Install firewall software and use the firewall to block the other party's attacks. (3) Upgrade the operating system; Windows 2000, for example, is far more secure than Windows 95/98.
4 Six trends in network attacks
4.1 Increasing automation and attack speed
The level of automation in attack tools keeps rising. An automated attack involves four stages, and each stage has seen new developments.
(1) Scanning for possible victims. Since 1997, large-scale scanning has become commonplace. Current scanning tools use more advanced scanning patterns to improve both effectiveness and speed.
(2) Compromising vulnerable systems. Previously, vulnerabilities were exploited only after a comprehensive scan had been completed. Now attack tools exploit vulnerabilities as part of the scanning activity itself, which accelerates the spread of the attack.
(3) Propagating the attack. Before 2000, attack tools needed a person to launch each new round of attacks. Now attack tools launch new rounds by themselves. Tools like Code Red and Nimda self-propagate and reach global saturation in less than 18 hours.
(4) Coordinated management of attack tools. With the appearance of distributed attack tools, attackers can manage and coordinate a large number of attack tools deployed on many Internet systems. Current distributed attack tools can launch denial-of-service attacks more effectively, scan for potential victims and compromise systems with security weaknesses.
4.2 Attack tools are becoming more complex.
Attack tool developers arm their tools with more advanced techniques, and compared with earlier tools their characteristics are harder to discover and detect. Today's attack tools have three characteristics: (1) anti-detection: attackers use techniques that hide the tool's characteristics, so security experts spend more time analysing a new tool and understanding new attack behaviour; (2) dynamic behaviour: early tools executed attack steps in a fixed order, whereas today's automated tools can vary their patterns and behaviour by random selection, by predefined decision paths, or under the direct control of the intruder; (3) modularity: unlike early tools, current tools can be changed rapidly by upgrading or replacing components, the changed versions launched quickly, and many different forms of a tool may appear in a single attack.
4.3 Security vulnerabilities are being discovered faster and faster.
The number of newly discovered security vulnerabilities doubles every year. Administrators constantly apply the latest patches to fix them, yet new types of vulnerability are discovered every year, and intruders can usually find targets before the vendor fixes the vulnerabilities.
4.4 Increasing firewall penetration
Firewalls are the main protection against intrusion, but more and more attack techniques can bypass them. For example, IPP (Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning) can be used by attackers to bypass a firewall.
4.5 Increasingly asymmetric threats
Security on the Internet is interdependent: how likely any one system is to be attacked depends on the security of the other systems connected to the global Internet. Advances in attack technology let attackers use distributed systems to launch devastating attacks on victims with little effort, and as deployment automation and attack tool management improve, this asymmetry of threat will keep growing.
4.6 Increasing threat to infrastructure
An infrastructure attack is one that affects key components of the Internet on a large scale. As users rely more and more on the Internet for their daily business, concern about infrastructure attacks grows. Infrastructure faces distributed denial of service attacks, worms, attacks on the Internet domain name system (DNS), and attacks on routers or attacks that use routers.
5 Personal user protection strategies
In view of the common attack methods and means above, individual users need to take some security precautions. Here are some examples of possible defences.
5.1 Check the system status frequently.
While online, if the computer seems to be behaving abnormally, for example running slowly, with some software reporting errors or getting out of control, stop and check the running state of the system: first check the usage of system resources, then press Ctrl+Alt+Del to see whether other programs are running. If there is a program you do not recognize, or one you did not start, stop it immediately to prevent further trouble.
5.2 Trojan detection and removal
If your computer is being manipulated by someone, for example through a Trojan horse program, it may crash and data files may be deleted. In that case, look in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run for Netspy.exe, Space.exe or other suspicious file names. If you find one, delete the corresponding value as soon as possible, then find the corresponding program on the computer and delete it.
5.3 Protect network accounts and passwords.
Files with the suffix ".pwl" are often found in the Windows directory. These files store passwords, such as the password for opening the Exchange mailbox and the logon password, and other information is stored in files with the same suffix. Some hackers can use special software to crack the .pwl files of Windows 95/98 and very quickly read the encrypted data stored in them, such as the logon password and user name. The safest approach is not to use the Windows 95/98 save-password feature at all, so that no encrypted information lands in a .pwl file and the cracking software has nothing to work on. A more direct way to deal with the situation is to delete the files with the suffix ".pwl", so that no password is left on the hard disk.
5.4 Protect your IP address.
Many domestic users access the Internet by dialling 163. Some malicious saboteurs track their online accounts, look for the IP address in user information, wait for an IP address to be recorded on a BBS or in a chat room, or obtain it through ICQ. To prevent others from illegitimately obtaining an individual user's IP address, two measures are best: first, use a proxy server as an intermediary, so that the user's real IP address is not needed when online and others cannot obtain it; second, take care not to expose your IP address on BBSs and in chat rooms that display it.
5.5 Blocking ActiveX controls
Because ActiveX controls can be embedded in HTML pages and executed in the browser, they pose a degree of security threat to the browser. Users who want their information to be fully secure online can therefore block ActiveX controls that may threaten the computer's security. The steps are as follows: first, click the Tools menu in the menu bar and select Internet Options from the drop-down menu; then select the Security tab in the options dialog and click the Custom Level button on that tab; finally, find the settings for ActiveX controls in the Security Settings dialog that opens and disable them.
5.6 Be careful when using "Terminal window appears after dialing"
Select a connection, right-click it, and choose Properties - General - Configuration - Options - "Terminal window appears after dialing". Then, when dialling, do not fill in the user name and password on the dialling dialog (and certainly do not tick "Save password"); instead, enter them in the terminal window once it appears after dialling. This prevents the user name and password from being recorded in the password file on the hard disk and also stops some hacker programs from grabbing them.
5.7 Reject cookie information
Many websites use unobtrusive techniques to quietly collect the e-mail addresses entered in the forms you fill out. The most common is to use cookies to record visitors' browsing behaviour and habits. If you do not want cookies recording your private information at will, make the necessary browser settings: have the browser prompt you before accepting a cookie, or simply refuse cookies. The steps for blocking cookies are as follows: first, click the Tools menu in the menu bar and select Internet Options from the drop-down menu; then select the Security tab in the options dialog and click the Custom Level button on that tab; finally, find the cookie settings in the Security Settings dialog that opens and select Disable or Prompt.
5.8 Do not use the "My Documents" folder to store Word and Excel files.
The default save path for Word and Excel is the "My Documents" folder in the root directory. Once a Trojan has turned the user's hard disk into a shared drive, an intruder can see at a glance from the file names in this directory what the user is doing; the directory is almost a signature of the user. For safety, change the working path to another directory, and the deeper it is buried, the better.
5.9 Encrypting and protecting e-mail
More and more people conduct important business and send confidential information by e-mail, and as the Internet develops this use will only grow. Ensuring that mail is authentic and cannot be intercepted by others is therefore increasingly important, and for e-mail containing sensitive information it is best to sign the original message digitally with a digital ID before sending it. A digital ID is a certificate issued by an independent authority to prove your identity on the Internet, an identity card for the Internet. These commercial certificate issuers issue the ID and continually verify its validity. You first apply to one of these companies for an ID, and then you can use the digital ID to sign your e-mail digitally. If you obtain someone else's digital ID, you can also send him encrypted e-mail. By digitally signing the mail you send, you pass your digital ID to others; what they receive is in fact your public key, with which they can encrypt the e-mail they send to you, and you use your private key to decrypt and read the encrypted messages. In Outlook Express you can prove your e-mail identity with a digital signature, that is, convince the other party that the e-mail was sent from your machine, and Outlook Express also provides e-mail encryption so that your message can be received and read only by the intended recipient, provided that you first obtain the other party's digital ID. The digital signature part of the digital ID is your original electronic identity; the digital signature lets the recipient trust that the message was sent by you and has not been forged or tampered with.