




Chapter 7: Detection and Prevention of Network Attacks

Slide 2: Contents
- Detection and prevention of common network attacks
- Defending against DoS attacks

Slide 3: The general process of a network attack: information gathering
Public protocols and tools used:
- The traceroute program
- The SNMP protocol
- DNS servers
- The whois protocol
- The ping utility

Slide 4: The general process of a network attack: probing for system weaknesses
Main probing methods:
- Self-written programs
- Slow scanning
- Architecture probing
- Publicly available tools

Slide 5: The general process of a network attack: building a simulated environment and rehearsing the attack
- Using the information obtained in the previous two steps
- Build a simulated environment resembling the target
- Run a series of attacks against this simulated target

Slide 6: The general process of a network attack: carrying out the attack
- Based on the information gathered in the previous steps
- Combined with the attacker's own skill and experience, work out the corresponding attack method
- Wait for the right moment to carry out the real attack

Slide 7: Protocol spoofing attacks and countermeasures: source IP address spoofing
Solution on the router; measures to prevent source IP address spoofing:
- Abandon address-based trust policies
- Use cryptographic methods
- Apply packet filtering

Slide 8: Protocol spoofing attacks and countermeasures: source-routing spoofing
Measures against source-routing spoofing:
- Discard packets arriving from the external network that claim to come from an internal host
- Disable source routing on the router

Slide 9: Protocol spoofing attacks and countermeasures: denial of service
Measures against denial of service attacks:
- Adjust the configuration of the router on the affected segment
- Force the system to reset connection requests whose SYN has timed out
- Shorten the timeout constant and lengthen the wait (backlog) queue
- Perform the necessary TCP interception in front of the router
- Shut down services that can generate an endless stream of output

Slide 10: Denial of service attacks
An attack that sends the target more packets than it can process, consuming the available system and bandwidth resources and paralysing the network service. Two frequently used forms:
- TCP SYN flood (half-open connection attack)
- UDP flood

Slide 11: Denial of service attacks (figure)

Slide 12: Denial of service attacks: UDP flood
- Uses of UDP in the network: DNS resolution, RealAudio streaming, network management, online games, etc.
- UDP-based attack types: e.g. the echo and chargen services of Unix systems (the echo service)

Slide 13: Denial of service attacks: Trinoo
Trinoo is an attack tool based on UDP flooding. Its attack function is implemented through three modules:
- Attack daemon: ns
- Attack control process: master
- Client: netcat, a standard telnet program, etc.

Slide 14: Denial of service attacks and countermeasures
The six trinoo commands: mtimer, dos, mdie, mping, mdos, msize

Slide 15: Denial of service attacks (figure)

Slide 16: Denial of service attacks: an attack example
The target host victim has IP 5. The ns daemon has been planted on three Sun hosts, with the following IP correspondence: client1: 1, client2: 2, client3: 3. The master runs on masterhost: 4.
First each process has to be started: run ns on client1, client2 and client3 to start the attack daemons, then start the master on its host:

    masterhost# ./master
    ? gOrave                                    (the program prompts for a password; after gOrave is entered the master starts)
    trinoo v1.07d2+f3+c Mar 20 2000:14:38:49    (connected successfully)

Slide 17: Denial of service attacks
On any telnet-capable device connected to the network, run:

    telnet 4 27665
    Escape character is '^]'.
    betaalmostdone                              (enter the password)
    trinoo v1.07d2+f3+c.rpm8d/cb4Sx/
    trinoo>                                     (the prompt)
    trinoo> mping                               (first check whether each attack daemon started successfully)
    mping: Sending a PING to every Bcasts.
    trinoo> PONG 1 Received from 1
    PONG 2 Received from 2
    PONG 3 Received from 3                      (successful responses)
    trinoo> mtimer 60                           (set the attack duration to 60 seconds)
    mtimer: Setting timer on bcast to 60.
    trinoo> dos 5
    DoS: Packeting 5.

Slide 18: Denial of service attacks
At this point one attack is complete. Pinging 5 now returns an ICMP unreachable reply: the target host's normal connection to the network has been disrupted.

Slide 19: Denial of service attacks
Because the current version of trinoo does not yet use IP address spoofing, the following records can be seen in the attacked host's system log:

    Mar 20 14:40:34 victim snmpXdmid: Will attempt to re-establish connection.
    Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 1.59841: The message has a wrong header type (0x0)
    Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 2.43661: The message has a wrong header type (0x0)
    Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 3.40183: The message has a wrong header type (0x0)
    Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0x0).
    Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.
    Mar 20 14:40:36 victim snmpXdmid: Will attempt to re-establish connection.
    Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0x0).
    Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.

Slide 20: Defending against denial of service attacks
How to detect whether an attack daemon has been planted on a system:
- Check the UDP ports mentioned above, e.g. netstat -a | grep <UDP port number>
- Use dedicated detection software

Slide 21: Denial of service attacks and countermeasures
Below is the output of running such a tool on a suspect machine:

    Logging output to: LOG
    Scanning running processes.
    /proc/795/object/a.out: trinoo daemon
    /usr/bin/gcore: core.795 dumped
    /proc/800/object/a.out: trinoo master
    /usr/bin/gcore: core.800 dumped
    Scanning /tmp.
    Scanning /.
    /yiming/tfn2k/td: tfn2k daemon
    /yiming/tfn2k/tfn: tfn2k client
    /yiming/trinoo/daemon/ns: trinoo daemon
    /yiming/trinoo/master/master: trinoo master
    /yiming/trinoo/master/.: possible IP list file
    NOTE: This message is based on the filename being suspicious, and is not based on an analysis of the file contents. It is up to you to examine the file and decide whether it is actually an IP list file related to a DDOS tool.
    /yiming/stacheldrahtV4/leaf/td: stacheldraht daemon
    /yiming/stacheldrahtV4/telnetc/client: stacheldraht client
    /yiming/stacheldrahtV4/td: stacheldraht daemon
    /yiming/stacheldrahtV4/client: stacheldraht client
    /yiming/stacheldrahtV4/mserv: stacheldraht master
    ALERT: One or more DDOS tools were found on your system. Please examine LOG and take appropriate action.

Slide 22: Defending against denial of service attacks
Block unnecessary UDP services such as echo and chargen to reduce the entry points for UDP attacks.

Slide 23: Defending against denial of service attacks
Use the router to block part of the IP spoofing and SYN attacks:
- On the port connected to the backbone network, enable CEF and ip verify unicast reverse-path
- Use access control lists to block the reserved network addresses that could be used as spoofed sources
- Use CAR to limit the size of ICMP packets

Slide 24: Specific Attack Types
All of the following can be used to compromise your system:
- Packet sniffers
- IP weaknesses
- Password attacks
- DoS or DDoS
- Man-in-the-middle attacks
- Application layer attacks
- Trust exploitation
- Port redirection
- Viruses and worms
- Trojan horses
- Operator error

Slide 25: IP Spoofing
IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing:
- A hacker uses an IP address that is within the range of trusted IP addresses.
- A hacker uses an authorized external IP address that is trusted.
Uses for IP spoofing include the following:
- IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.
- If a hacker changes the routing tables to point to the spoofed IP address, the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.

Slide 26: IP Spoofing Mitigation
The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
- Access control: the most common method for preventing IP spoofing is to properly configure access control.
- RFC 2827 filtering: you can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by blocking any outbound traffic on your network that does not have a source address in your organization's own IP range.
- Additional authentication that does not use IP-based authentication. Examples include: cryptographic authentication (recommended); strong, two-factor, one-time passwords.

Slide 27: Application Layer Attacks
Application layer attacks have the following characteristics:
- They exploit well-known weaknesses, such as protocols, that are intrinsic to an application or system (for example, sendmail, HTTP, and FTP).
- They often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall).
- They can never be completely eliminated, because new vulnerabilities are always being discovered.

Slide 28: Application Layer Attacks Mitigation
Some measures you can take to reduce your risks are as follows:
- Read operating system and network log files, or have them analyzed by log analysis applications.
- Subscribe to mailing lists that publicize vulnerabilities.
- Keep your operating system and applications current with the latest patches.
- IDSs can scan for known attacks, monitor and log attacks, and in some cases prevent attacks.

Slide 29: Network Reconnaissance
Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.

Slide 30: Network Reconnaissance Mitigation
Network reconnaissance cannot be prevented entirely. IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.

Slide 31: Viruses and Trojan Horses
Viruses are malicious software attached to another program to execute a particular unwanted function on a user's workstation. End-user workstations are the primary targets. A Trojan horse differs only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly at the network level.

Slide 32: DoS/DDoS
- DoS: denial of service attack
- DDoS: distributed denial of service attack
- Both exploit flaws in TCP/IP

Slide 33: Common DoS tools
- Bonk: sends a large number of forged UDP packets, causing the system to reboot
- TearDrop: sends overlapping IP fragments, causing the system's TCP/IP stack to crash
- SynFlood: sends a large number of SYN-based TCP requests with forged source IPs, causing the system to reboot
- Bloop: sends a large number of ICMP packets, causing the system to slow down or even freeze
- Jolt: sends a large number of forged ICMP and UDP packets, causing the system to become very slow or even reboot

Slide 34: How SYN flood works
The attacker sends SYN packets with forged source IP addresses to the server. The TCP connection can never be established, because the ACK completing the handshake never arrives, so the server waits until its TCP timeout expires. A large number of such forged packets is sent to the server.

Slide 35: DDoS attacks
The hacker takes control of many servers, and then every one of them directs a DoS attack at a single server.

Slide 36: DDoS attack diagram (figure)

Slide 37: Distributed denial of service attacks (figure)

Slide 38: Distributed denial of service attack, step 1 (figure: scanning program, insecure computers, hacker, Internet)
The attacker uses scanning tools to probe a large number of hosts, looking for potential intrusion targets.

Slide 39: Distributed denial of service attack, step 2 (figure: hacker, compromised computers (agents))
The hacker breaks into hosts with security vulnerabilities and takes control of them. These hosts will be used to plant backdoors, ...