In addition, it may be attacked.
A denial of service attack is a worldwide system vulnerability. Hackers are obsessed with researching it, and countless network users will be its victims. Tribal Flood Network, TFN2K, Smurf, Targa … and many other programs are constantly being developed. These programs spread through the network like a plague, making our global village weaker. We have to find a simple and easy-to-use security solution to deal with attacks launched from the dark.
As our preventive measures are strengthened, denial of service attacks are evolving too. Tribal Flood Network (TFN) and TFN2K introduced a new concept: distribution. These programs allow machines scattered all over the Internet to attack one host at the same time, so that the host appears to be attacked by many hosts in different locations. These scattered machines are operated by a few master control computers and carry out various types of attacks, such as UDP floods and SYN floods.
Defects in operating systems and network equipment are constantly being discovered and exploited by hackers to carry out malicious attacks. If we realize this clearly, we should take the following two steps to try to prevent network attacks and protect our network: first, correct the known problems and system vulnerabilities as far as possible;
second, identify, track or block the offending machines or networks from accessing us.
Let's focus on the second point. The main problem we face is how to identify the malicious hosts, especially those that carry out denial of service attacks, because these machines hide their own addresses and use the addresses of the victims. The attacker uses thousands of maliciously forged packets to attack our host. The principle of tfn2k is as simple as described above; it just adds a graphical interface. A distributed denial of service attack is really difficult to deal with.
There are some simple techniques to prevent denial of service attacks. The most common, of course, is to always pay attention to security information and expect better methods to appear. Administrators should subscribe to security bulletins and follow the development of all security issues in real time. :) The second step is to apply packet filtering, mainly filtering on the ports that are open to the outside world. These measures are mainly meant to prevent spoofed-address attacks, so that external machines cannot forge the addresses of internal machines in order to attack internal machines.
Whether to use inbound packet filtering or outbound packet filtering has been controversial. RFC 2267 suggests using ingress filtering across the global Internet, but that would bring a lot of trouble. Using access control lists on middle-tier routers will not cause much trouble, but backbone routers that are already saturated would obviously be threatened. On the other hand, if the ISP uses outbound (egress) packet filtering, the overloaded traffic is moved to some less busy devices. ISPs also don't care whether customers use this technology on their border routers. Of course, this filtering technology is not foolproof; it depends on the filtering mechanism the administrators adopt.
1. ICMP protection measures
ICMP was originally developed to "help" the network and is usually used as a diagnostic tool by WAN administrators. Today, however, all kinds of poorly protected ICMP traffic are abused in ways that do not meet the standard originally set out in RFC 792. Some policies must be implemented to make it more secure.
Inbound ICMP timestamp and information request packets will be answered, and forged packets with illegal or bad parameters will also produce ICMP parameter problem packets, which allows another form of host discovery. This still leaves the site unprotected.
A common way to covertly send commands from a host to a client is to use ICMP echo reply packets as the carrier. An echo reply is not itself answered, and generally it is not blocked by firewalls.
First of all, we must treat the whole "ICMP restriction" problem separately for outbound and inbound traffic. ICMP echo makes it easy to verify that a remote machine is alive, but outbound ICMP echo should be limited to support staff or to a single server / ICMP proxy (preferred).
If we restrict ICMP replies from external IP addresses to the proxy, ICMP replies can only enter our network through predefined hosts.
Redirects usually occur between routers, not between hosts. Firewall rules should be adjusted so that this type of ICMP is only allowed between the routers involved in the Internet connection that need the information.
It is suggested that all outbound transmissions pass through the proxy, and that inbound ICMP traffic pass through the firewall only when it is returning to the proxy address. This at least restricts ICMP time exceeded packets from entering internal addresses, although it may also block legitimate time exceeded packets.
When an ICMP message is sent with incorrect parameters, the packet is discarded and an ICMP parameter problem packet is sent. The host or router discards the offending packet and returns an ICMP parameter problem packet to the sender, pointing out the wrong parameter.
Generally speaking, only servers with public addresses (such as Web, e-mail and FTP servers), firewalls and routers connected to the Internet have a real reason to use ICMP to talk to the outside world. If properly tuned, almost all covert communication channels using inbound and outbound ICMP will be shut down.
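The ICMP rules above, expressed as a filter decision function. This is an added example, not code from the original article; the internal prefix, the ICMP proxy host, the router addresses and the public server list are constructed assumptions.

```python
"""ICMP filtering policy modelled on the recommendations above.

Added example.  The topology below is constructed: inbound echo replies and
error messages are accepted only for the ICMP proxy and public servers,
outbound echo requests only from the proxy or public servers, redirects only
between Internet-facing routers, and inbound timestamp/information requests
are dropped because they give away live hosts.
"""
import ipaddress

# ICMP type numbers from RFC 792.
ECHO_REPLY, REDIRECT, ECHO_REQUEST = 0, 5, 8
TIME_EXCEEDED, PARAMETER_PROBLEM = 11, 12
TIMESTAMP_REQUEST, TIMESTAMP_REPLY = 13, 14
INFO_REQUEST, INFO_REPLY = 15, 16

# Constructed topology (assumptions, not from the article).
INTERNAL = ipaddress.ip_network("192.0.2.0/24")
ICMP_PROXY = ipaddress.ip_address("192.0.2.10")
ROUTERS = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("203.0.113.1")}
PUBLIC_SERVERS = {ipaddress.ip_address("192.0.2.80")}  # web / mail / ftp hosts


def _icmp_endpoint(addr):
    """Hosts with a legitimate reason to exchange ICMP with the outside."""
    return addr == ICMP_PROXY or addr in PUBLIC_SERVERS


def icmp_decision(src, dst, icmp_type):
    """Return 'ACCEPT' or 'DROP' for one ICMP packet crossing the firewall."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    inbound = dst in INTERNAL and src not in INTERNAL
    outbound = src in INTERNAL and dst not in INTERNAL

    # Timestamp and information requests are a host-discovery vector.
    if inbound and icmp_type in (TIMESTAMP_REQUEST, INFO_REQUEST):
        return "DROP"
    # Redirects only between the routers involved in the Internet connection.
    if icmp_type == REDIRECT:
        return "ACCEPT" if src in ROUTERS and dst in ROUTERS else "DROP"
    # Outbound echo requests only from the proxy (or public servers).
    if outbound and icmp_type == ECHO_REQUEST:
        return "ACCEPT" if _icmp_endpoint(src) else "DROP"
    # Inbound echo replies (the classic covert carrier) and error messages
    # are only allowed back to hosts that could have sent something out.
    if inbound and icmp_type in (ECHO_REPLY, TIME_EXCEEDED, PARAMETER_PROBLEM):
        return "ACCEPT" if _icmp_endpoint(dst) else "DROP"
    # Inbound echo requests only to servers that must be reachable.
    if inbound and icmp_type == ECHO_REQUEST:
        return "ACCEPT" if dst in PUBLIC_SERVERS else "DROP"
    # Any other inbound ICMP is dropped; internal and outbound traffic passes.
    return "DROP" if inbound else "ACCEPT"
```
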
2. SYN flood protection
SYN Flood is one of the most popular methods of DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack. It is an attack method that uses a defect of the TCP protocol to send a large number of forged TCP connection requests, so that the attacked party runs out of resources (the CPU is saturated or memory is exhausted). At present there is no good method of monitoring and defending against SYN Flood attacks, but if the system administrator is familiar with the attack method and the system architecture, then through a series of settings the load on the attacked system can be reduced to some extent and the negative impact alleviated.
Generally speaking, if the load of a system (or host) suddenly rises or it even stops responding, and you can see a large number of SYN_RCVD half-open connections (more than 500, or more than 10% of the total number of connections), it can be concluded that this system (or host) is under SYN Flood attack. After a SYN Flood attack, the first thing to do is to preserve evidence. Running netstat -n -p tcp > Result.txt to record the state of all current TCP connections is necessary. If a sniffer or a tool like TcpDump is available, recording all the details of the TCP SYN messages will also help later tracking and defense. Fields to record include: the source address, the identification in the IP header, the sequence number in the TCP header, the TTL value, etc. Although this information is probably forged by the attacker, it still helps to analyze the attacker's mindset and attack program. The TTL value in particular: if a large number of attack packets seem to come from different IPs but carry the same TTL value, we can often infer the router distance between the attacker and us, or at least reduce the load on the attacked system by filtering messages with that specific TTL value (in this case users whose TTL values differ from that of the attack packets can resume normal access). From a defensive point of view, there are several simple solutions:
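The two checks described above, parsing netstat output for half-open connections and looking for a dominant TTL among captured SYNs, as an added example that is not part of the original article. The netstat text and the SYN records are constructed sample data; the thresholds are the ones the text gives.

```python
"""SYN flood indicators: half-open connection count and TTL clustering.

Added example.  NETSTAT_SAMPLE and SYN_RECORDS are constructed; the rule
"more than 500 half-open, or more than 10% of all connections" is from the
text.  Half-open state names differ by platform, so several are accepted.
"""
from collections import Counter

# Constructed excerpt of "netstat -n -p tcp" output (Windows-style states).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.80:80          198.51.100.7:51234     ESTABLISHED
  TCP    192.0.2.80:80          203.0.113.9:40001      SYN_RECEIVED
  TCP    192.0.2.80:80          203.0.113.10:40002     SYN_RECEIVED
  TCP    192.0.2.80:80          203.0.113.11:40003     SYN_RECEIVED
  TCP    192.0.2.80:443         198.51.100.8:51235     ESTABLISHED
  TCP    192.0.2.80:80          203.0.113.12:40004     SYN_RECEIVED
"""

# Windows / Linux / BSD spellings of the half-open (SYN received) state.
HALF_OPEN_STATES = {"SYN_RECEIVED", "SYN_RECV", "SYN_RCVD"}


def count_half_open(netstat_text):
    """Return (half_open, total) TCP connection counts from netstat output."""
    half_open = total = 0
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0].upper() != "TCP":
            continue  # header, blank or non-TCP line
        total += 1
        if any(f in HALF_OPEN_STATES for f in fields):
            half_open += 1
    return half_open, total


def is_syn_flood(half_open, total, abs_limit=500, ratio_limit=0.10):
    """Apply the article's rule: > 500 half-open, or > 10% of connections."""
    if half_open > abs_limit:
        return True
    return total > 0 and half_open / total > ratio_limit


# Constructed SYN records: (source address, IP id, TCP sequence number, TTL).
SYN_RECORDS = [
    ("203.0.113.9", 101, 1000, 117),
    ("203.0.113.10", 102, 2000, 117),
    ("203.0.113.11", 103, 3000, 117),
    ("203.0.113.12", 104, 4000, 117),
    ("198.51.100.7", 7001, 50000, 52),   # legitimate client, different TTL
]


def dominant_ttl(records, min_share=0.6):
    """TTL shared by at least `min_share` of the SYNs, or None.

    Many different source addresses with one TTL suggests one attacking host
    at a fixed router distance; that TTL is a candidate for a temporary filter.
    """
    if not records:
        return None
    ttl, n = Counter(r[3] for r in records).most_common(1)[0]
    return ttl if n / len(records) >= min_share else None


def ttl_filter(records, ttl):
    """Drop records carrying the filtered TTL; other clients keep working."""
    return [r for r in records if r[3] != ttl]
```
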
2.1 Shorten the SYN timeout: Because the effect of a SYN Flood attack depends on the number of SYN half-open connections maintained on the server, and this number = frequency of SYN attack x SYN timeout, shortening the time from receiving a SYN message to deciding the message is invalid and discarding the connection, for example setting it to 20 seconds or less (too low a SYN timeout may affect normal customer access), reduces the load on the server proportionally.
2.2 Set a SYN Cookie: this assigns a Cookie to each IP address requesting a connection. If repeated SYN messages are received from an IP within a short time, it is treated as an attack, and packets from that IP address are discarded from then on. However, the above two methods can only deal with primitive SYN Flood attacks: shortening the SYN timeout only takes effect if the other party's attack frequency is not high, and the SYN Cookie depends even more on the other party using its real IP address. If an attacker sends SYN messages at a rate of tens of thousands per second and randomly rewrites the source address of the IP packets through SOCK_RAW, all of the above methods will be ineffective.
2.3 Negative feedback strategy: refer to the SYN attack protection mechanism of some popular operating systems, such as Windows 2000. In general, the OS has a standard setting for some important parameters of TCP connections: the SYN timeout, the number of SYN-ACK retries, the delay before a SYN message passes from the router through the system to Winsock, and so on. These standard settings aim at system optimization and provide users with convenient and fast service. Once the server is attacked and the number of SYN half-open connections exceeds the system's upper limit of active TCP half-open connections, the system assumes it is under SYN Flood attack and responds accordingly, for example by shortening the SYN timeout, reducing the number of SYN-ACK retries, and automatically delaying the messages in the buffer, in order to minimize the damage of the attack. If the attack continues and exceeds the maximum number of half-open connections allowed by the system, the system can no longer provide normal service. To ensure that the system does not crash, any SYN message exceeding the maximum half-open connection count can be randomly discarded, so as to ensure the stability of the system.
Therefore, we can test or predict in advance the upper limit of the host's activity during peak periods, use that value as a reference for the maximum number of active TCP half-open connections, and then take a multiple of this value (no more than 2) as the maximum number of TCP half-open connections, so that SYN attacks are prevented to some extent through negative feedback.
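A small model of the half-open table under the negative feedback described in 2.1 to 2.3, as an added example that is not from the article or from any operating system. The timeouts, the active limit and the hard maximum are constructed assumptions; the relation it exercises (half-open connections = SYN rate x SYN timeout) is the one the text uses.

```python
"""Negative-feedback handling of the TCP half-open connection table.

Added example.  The table keeps one expiry time per half-open connection.
Crossing the active limit switches to the short SYN timeout (and stays
there, as a system that has decided it is under attack would); SYNs that
would exceed the hard maximum are discarded.  All parameters are constructed.
"""


class HalfOpenTable:
    def __init__(self, normal_timeout=60, short_timeout=20,
                 active_limit=400, max_half_open=800):
        self.normal_timeout = normal_timeout  # seconds a SYN_RCVD entry lives
        self.short_timeout = short_timeout    # timeout used once under attack
        self.active_limit = active_limit      # count that triggers the feedback
        self.max_half_open = max_half_open    # hard ceiling for the table
        self.timeout = normal_timeout
        self.under_attack = False
        self.entries = []                     # expiry time of each half-open conn
        self.dropped = 0

    def tick(self, now, new_syns):
        """Advance to second `now`, expire stale entries, admit `new_syns`.

        Returns the number of half-open connections after this second.
        """
        # Entries whose SYN timeout has passed are discarded.
        self.entries = [t for t in self.entries if t > now]
        # Negative feedback: above the active limit, shorten the timeout.
        if len(self.entries) > self.active_limit:
            self.under_attack = True
            self.timeout = self.short_timeout
        # SYNs beyond the hard maximum are dropped (the text suggests random
        # discard; the model simply drops the excess).
        room = max(0, self.max_half_open - len(self.entries))
        admitted = min(new_syns, room)
        self.dropped += new_syns - admitted
        self.entries.extend([now + self.timeout] * admitted)
        return len(self.entries)


def simulate(syn_rate, seconds, **cfg):
    """Run one-second ticks at a constant SYN rate.

    Returns (peak half-open count, final half-open count, dropped SYNs).
    With the defaults: 5 SYN/s settles at 5 x 60 = 300 and never triggers
    the feedback; 10 SYN/s peaks at 600, then the short timeout brings the
    table down to 10 x 20 = 200; 50 SYN/s pins the table at the maximum and
    excess SYNs are dropped.
    """
    table = HalfOpenTable(**cfg)
    peak = final = 0
    for now in range(seconds):
        final = table.tick(now, syn_rate)
        peak = max(peak, final)
    return peak, final, table.dropped
```
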
2.4 Concession strategy: The concession strategy is based on a weakness in SYN Flood attack code. Let's analyze the SYN Flood attacker's process again: SYN Flood programs have two attack modes, IP-based and domain-name-based. In the former the attacker resolves the domain name himself and feeds the IP address to the attack program, while in the latter the attack program resolves the domain name automatically; but the two are the same in one respect: once the attack begins, domain name resolution is not repeated, and this is our breakthrough point. Suppose a server under SYN Flood attack changes its IP address quickly; the attacker is then still attacking an empty IP address without any host, and the defender can restore normal user access through the domain name within a short time (depending on the DNS refresh time) by changing the DNS resolution to the new IP address. To confuse the attacker, we can even put a "sacrificial" server in place to make the attacker satisfied with the "effect" of the attack (because of the DNS cache, as long as the attacker's browser is not restarted, he still accesses the original IP address).
2.5 Distributed DNS load balancing: Among the many load balancing architectures, load balancing based on DNS resolution is itself immune to SYN Flood. It can distribute users' requests to server hosts with different IPs, while the attacker only ever attacks one of the servers, which raises the attacker's cost. Secondly, excessive DNS requests can help us trace the attacker's real trail (DNS requests differ from SYN attacks in that it is difficult to disguise the IP).
2.6 Firewall QoS: For a firewall, the method of defending against SYN Flood attacks depends on the basic principle of the firewall. Generally speaking, a firewall can work above the TCP layer or at or below the IP layer. A firewall working above the TCP layer is called a gateway firewall. In a gateway firewall layout there is no real TCP connection between the client and the server; all data exchanged between client and server passes through the firewall proxy, and the external DNS resolution also points to the firewall. So when the website is attacked, it is actually the firewall that is attacked. The advantages of this type of firewall are good stability and strong resistance to attack, but because all TCP messages must be forwarded through the firewall, its efficiency is relatively low. Because the client does not establish a connection directly with the server, the firewall does not open a new TCP connection to the back-end server until the client's TCP connection is complete, so the attacker cannot attack the back-end server directly through the firewall. As long as the firewall itself is strong enough, this architecture can resist quite strong SYN Flood attacks. However, because the firewall actually establishes twice as many TCP connections as there are users (connections are needed on both sides of the firewall), and all TCP requests and data transfers of the client are proxied, the load on the firewall itself is higher when the system is heavily accessed, so this architecture is not suitable for large websites. (I estimate that against such a firewall architecture a TCP_STATE attack would be quite effective :)
A firewall working at or below the IP layer is called a routing firewall, and it works differently: the client connects directly to the server over TCP, and the firewall acts as a router. It intercepts all packets and filters them, the filtered packets are forwarded to the server, and the external DNS resolution also points directly to the server. The advantage of this firewall is its high efficiency; it can handle traffic of 100 Mbps to 1 Gbps. However, if such a firewall is improperly configured, it not only allows attackers to attack internal servers directly through the firewall, but may even amplify the attack intensity, leading to the collapse of the whole system.
In addition to these two basic models, there is a new firewall model, which integrates the advantages of the two firewalls. The working principle of the firewall is as follows:
In the first stage, the client requests to establish a connection with the firewall;
in the second stage, the firewall, disguised as the client, establishes a connection with the server in the background;
in the third stage, from then on all TCP packets from the client are forwarded directly to the server in the background.
This structure absorbs the advantages of both firewalls above: it can fully control all SYN messages without having to proxy all TCP data messages, killing two birds with one stone. Recently some foreign and domestic firewall manufacturers have begun to research bandwidth control technology. If bandwidth can be strictly controlled and allocated, most SYN attacks can be largely defended against.
3. Several methods to prevent Smurf attacks
Blocking the source of Smurf attacks: Smurf attacks rely on the attacker's ability to send echo requests with spoofed source addresses. Users can use router access control to ensure that all traffic sent from the internal network has a legitimate source address, which prevents this attack. This keeps spoofers from finding bounce sites.
Stopping Smurf bounce sites: Users have two options to stop their site being used as a Smurf bounce site. The first is simply to block all inbound echo requests, which prevents these packets from reaching the network. If not all inbound echo requests can be blocked, users need to stop their routers mapping network broadcast addresses to LAN broadcast addresses. Stop this mapping process, and your systems will no longer receive these echo requests.
Shielding the Smurf platform: To prevent your systems from becoming a platform for Smurf attacks, the IP broadcast function should be disabled on all routers. Generally speaking, the IP broadcast function is not needed. For an attacker to successfully use you as an attack platform, your router must allow packets to leave the network whose source address does not originate from your intranet. You can configure the router to filter out packets not generated within your intranet. This is the so-called network egress filtering function.
Preventing Smurf attacks against the target site: Unless the user's ISP is willing to help, it is difficult for users to keep Smurf from affecting their WAN connection. Although users can block this traffic on their own network devices, it is too late to prevent Smurf from devouring all the WAN bandwidth. But at least users can limit Smurf's influence on perimeter devices. By using dynamic packet filtering technology or a firewall, users can prevent these packets from entering their own network. The firewall's state table makes it clear that these attack sessions were not initiated from the local network (there is no initial echo request record in the state table), so it discards them like other spoofed traffic.
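The three Smurf countermeasures above (egress filtering, refusing directed broadcasts, and stateful matching of echo replies to our own echo requests) as filter functions. This is an added example, not code from the original article; the internal subnets, addresses and identifiers are constructed.

```python
"""Smurf countermeasures as filter functions (added example).

INTERNAL_NETS is a constructed topology.  egress_allowed() is the exit
filter on the border router, is_directed_broadcast() is the check a router
uses to refuse mapping a network broadcast onto the LAN, and EchoStateTable
is the firewall state table that only lets in echo replies we asked for.
"""
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]


def egress_allowed(src):
    """Exit filtering: only packets with an internal source may leave.

    A spoofed echo request aimed at a bounce site never leaves our network,
    so we cannot be used as a Smurf platform.
    """
    return any(ipaddress.ip_address(src) in net for net in INTERNAL_NETS)


def is_directed_broadcast(dst):
    """True if dst is the broadcast address of one of our subnets.

    If the router turned such a packet into a LAN broadcast, every host
    would answer and the site would act as a Smurf amplifier.
    """
    dst = ipaddress.ip_address(dst)
    return any(dst == net.broadcast_address for net in INTERNAL_NETS)


def inbound_echo_request_allowed(dst):
    """Inbound echo requests to a broadcast address are dropped outright."""
    return not is_directed_broadcast(dst)


class EchoStateTable:
    """Tracks outbound echo requests by (our address, remote address, id)."""

    def __init__(self):
        self.pending = set()

    def outbound_request(self, src, dst, ident):
        self.pending.add((src, dst, ident))

    def inbound_reply_allowed(self, src, dst, ident):
        """Accept a reply only if the matching request left through us."""
        key = (dst, src, ident)  # a reply swaps the request's addresses
        if key in self.pending:
            self.pending.discard(key)
            return True
        return False  # unsolicited reply: Smurf flood or other spoofed traffic


def filter_inbound_replies(table, replies):
    """Return the replies the state table lets through, in order."""
    return [r for r in replies if table.inbound_reply_allowed(*r)]
```
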
4. UDP flood prevention
Taking trinoo, mentioned above, as an example, the analysis is as follows:
trinoo uses the UDP protocol for all communication between the master program and the agents. Intrusion detection software can look for data streams using UDP (protocol number 17).
The listening port of the trinoo master program is 27655, and attackers usually connect to the computer running the master program through telnet over TCP. Intrusion detection software can search for TCP (protocol number 6) data streams connecting to port 27655.
All communication from the master program to the agent program contains the string "l44" and is directed to UDP port 27444 of the agent. Intrusion detection software should check connections to UDP port 27444. If a packet containing the string l44 is sent, the computer receiving the packet may be a DDoS agent.
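The three trinoo indicators just listed, applied to flow records as an intrusion detection rule would. This is an added example, not code from the original article or from any IDS; the port numbers and the "l44" string are the ones the text gives, and the flow records are constructed.

```python
"""Signature checks for trinoo traffic as described in the text.

Added example.  SAMPLE_FLOWS is constructed; the protocol numbers, the
master port 27655, the agent port 27444 and the "l44" marker are taken
from the text.  Payloads are shown as bytes, as a sniffer would hand them over.
"""
PROTO_TCP, PROTO_UDP = 6, 17
MASTER_PORT = 27655   # trinoo master listening port (as stated in the text)
AGENT_PORT = 27444    # trinoo agent UDP port (as stated in the text)
COMMAND_MARKER = b"l44"


def classify_flow(proto, src, sport, dst, dport, payload=b""):
    """Return a list of (indicator, host) findings for one flow; empty if clean."""
    findings = []
    # An attacker logging in to the master over telnet / TCP.
    if proto == PROTO_TCP and dport == MASTER_PORT:
        findings.append(("tcp-to-master-port", dst))
        findings.append(("master-client", src))
    # Master -> agent command traffic over UDP.
    if proto == PROTO_UDP and dport == AGENT_PORT:
        findings.append(("udp-to-agent-port", dst))
        if COMMAND_MARKER in payload:
            findings.append(("trinoo-command", dst))   # receiver may be a DDoS agent
            findings.append(("trinoo-master", src))    # sender issued the command
    return findings


def scan(flows):
    """Aggregate findings per host: {host: set(indicator names)}."""
    report = {}
    for flow in flows:
        for indicator, host in classify_flow(*flow):
            report.setdefault(host, set()).add(indicator)
    return report


# Constructed flow records: (proto, src, sport, dst, dport, payload).
SAMPLE_FLOWS = [
    (PROTO_TCP, "198.51.100.77", 40212, "192.0.2.20", 27655, b""),
    (PROTO_UDP, "192.0.2.20", 1043, "192.0.2.31", 27444, b"l44 sample-command"),
    (PROTO_UDP, "192.0.2.20", 1043, "192.0.2.32", 27444, b"l44 sample-command"),
    (PROTO_UDP, "192.0.2.50", 53000, "192.0.2.60", 53, b"\x12\x34\x01\x00"),
    (PROTO_TCP, "192.0.2.50", 51000, "192.0.2.80", 80, b"GET / HTTP/1.0\r\n"),
]
```
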
Communication between the master and the agents is protected by passwords, but the passwords are not sent encrypted, so they can be sniffed and detected. Using this password and the trinot script provided by Dave Dittrich, … Before an attack on a domain name can begin, the attacker must first send a DNS request to resolve the name. Usually the attack tools perform this step themselves, calling the gethostbyname() function or the corresponding application interface. In other words, the DNS requests before an attack provide us with a list of related hosts that we can use to locate the attacker.
It is feasible to pull a list of suspicious DNS requests using off-the-shelf tools or by reading the DNS request log manually. However, this has three main disadvantages:
Attackers usually use a local DNS server as the starting point for resolving and querying addresses, so the initiator of the DNS request we find may not be the attacker himself but the local DNS server he queried. However, if the attacker is hiding inside an organization with its own local DNS, we can use that organization as the starting point of the investigation.
The attacker may already know the target's IP address, or learn it by other means (host, ping), or a long time may pass between querying the IP address and starting the attack, so we can't identify the attacker (or their local server) from the time window of the DNS requests.
DNS keeps a lifetime (TTL) for each domain name, so attackers can resolve the domain name from information stored in a DNS cache. To obtain a detailed analysis record, the TTL kept by DNS can be shortened, but this leads to more DNS queries and thus more network bandwidth use.
6. Host prevention
All hosts that provide public services to the Internet should be restricted. The following suggested policies can protect hosts exposed to the Internet.
Place all public servers in an isolated zone (DMZ).
Each service provided should have its own server.
If you use Linux (recommended), you can use one or more "buffer overflow / stack execution" patches or enhancements to prevent most (if not all) local or remote buffer overflows from endangering root. It is strongly recommended that the Solar Designer patch be included among the additional security features.
Use SRP (Secure Remote Password) instead of SSH.
Restrict access to the telnet and FTP daemons supporting SRP to internal addresses, and insist that only clients supporting SRP can talk to these programs. If you must run regular FTP for public access (such as anonymous FTP), you can run SRP FTP on another port.
Use a trusted path. Directories holding binary executables owned by the root user should themselves be owned by root, and no other user or group may have write permission to them. If necessary, the kernel can be modified to enforce this.
Use the built-in firewall function. By turning on firewall rules, you can usually take advantage of the kernel's state table.
Use some anti-port-scanning measures. This can be done with a Linux daemon or by modifying the kernel.
Use Tripwire and equivalent software to help detect changes to important files.
7. E-mail bomb protection
To protect e-mail, it is necessary to understand how e-mail is sent. The process is as follows: when a user writes e-mail, the mail tool first connects to the mail server. When the mail server responds, the mail tool is started and the routing program Sendmail is called to route the mail. According to the receiving host specified in the recipient address attached to the mail, such as 163.net in a@163.net, a TCP connection to port 25 is established with the mail daemon on the host 163.net, and once it is established the two parties interact according to the SMTP protocol, completing the delivery. After the mail is received, the recipient's mail is placed in the system's mail directory under the receiving user's name, such as the file semxa in the /usr/mail directory. Receiving users likewise use a mail tool to fetch and read the delivered mail. If delivery fails, the messages are returned to the sender. In fact, the sending process of e-mail is much more complicated than described here, and many configuration files are involved. At present SMTP is a text-based protocol, which is relatively simple to understand and implement. Telnet can be used to log in directly to port 25 of the mail server (the port assigned to SMTP by IANA) and interact with it.
The most effective way to protect e-mail information is to use encryption and signature technology, such as PGP, to verify mail; this ensures that the message really came from the right place and was not modified in transit. But this is not something every individual user can do, because PGP is relatively complicated.
As far as mail bombs are concerned, protection is still possible, because they are not very complicated; they are just spam. You can use the /hacking/echom201.zip mail chopper to protect yourself. But at present most domestic users use free mailboxes, such as yeah.net, 163.net, 063.net and so on. Even if someone bombs them, the messages remain on the mail server, which is basically harmless. If you connect through POP3, you can use POP receiving tools such as Outlook or Foxmail to receive e-mail. Most users use Outlook Express on Windows; you can set up filtering in Tools - Inbox Assistant. You can also use anti-e-mail-virus software to guard against all kinds of known and unknown e-mail worms spread by e-mail.
In addition, the mail system administrator can use the "blacklist" to filter some spam. For different email systems, most of them can find the latest blacklist programs or lists on the Internet.
8. Using the ngrep tool to deal with tfn2k attacks
Based on the principle of tracking tfn2k resident programs by DNS, a utility program named ngrep appeared. The modified ngrep can monitor about five types of tfn2k denial-of-service attack (Targa3, SYN flood, UDP flood, ICMP flood and Smurf), and it also has a circular buffer to record DNS and ICMP requests. If ngrep detects an attack, it prints out the contents of its buffer and continues to record ICMP echo requests. If an attacker pings the target host to check on the attack, recording the ICMP echo requests during or after the attack is a way to catch a careless attacker. Because attackers are likely to use other services (such as the web) to verify the effectiveness of their attacks, detailed logs of the other standard services should also be kept.
It should also be noted that ngrep works by sniffing the network, so it cannot be used in a switched environment. However, the modified ngrep does not have to be in the same network segment as your DNS, but it must be in a location where all DNS requests can be observed. The modified ngrep also doesn't care about the target address. You can put it on the DMZ segment so that it can check for tfn2k attacks throughout the network. In theory, it can also detect tfn2k attacks from outside well.
In an ICMP flood event, the ICMP traffic that is part of the tfn2k flood is not included in the report of ICMP echo requests. ngrep can also report the types of attack detected (TARGA, UDP, SYN, ICMP, etc.) except Smurf. By default, a mixed attack appears as an ICMP attack, and unless you block incoming ICMP echo requests, it appears as a UDP or SYN attack. The results of these attacks are basically similar.
9. Suggestions for intrusion detection systems
Because many methods used to defeat network-based intrusion detection systems are still effective against most commercial IDS products, the intrusion detection system should at least be able to reassemble fragmented packets, or at least detect fragments. Here are some things to pay attention to:
Be sure to include all existing rules, including the new rules for distributed denial of service attacks.
If you follow the ICMP recommendations, much ICMP traffic will be blocked and there will be many opportunities for intrusion detection system triggers. Any inbound or outbound ICMP that is normally blocked should raise a trigger.
Any network traffic isolated by a firewall may be a potential IDS trigger.
If your intrusion detection system supports detection of long-term (slow) attacks, make sure that trusted hosts allowed through the firewall are not excluded. This also includes virtual private networks.
If you can train every ping user to use small packets when pinging hosts, it is possible to configure the intrusion detection system to look for echo request and echo reply packets larger than 29 bytes.