版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
1、1网络攻击的检测和预防网络攻击的检测和预防 第七章2目录目录常见网络攻击的检测和预防DoS攻击的防范 3黑客攻击网络的一般过程黑客攻击网络的一般过程信息的收集 利用的公开协议或工具 TraceRoute程序 SNMP协议 DNS服务器 Whois协议 Ping实用程序4黑客攻击网络的一般过程黑客攻击网络的一般过程系统安全弱点的探测 主要探测的方式 自编程序 慢速扫描 体系结构探测 利用公开的工具软件5黑客攻击网络的一般过程黑客攻击网络的一般过程建立模拟环境,进行模拟攻击 根据前面两小点所得的信息 建立一个类似攻击对象的模拟环境 对此模拟目标进行一系列的攻击6黑客攻击网络的一般过程黑客攻击网络的
2、一般过程具体实施网络攻击 根据前几步所获得的信息 结合自身的水平及经验总结相应的攻击方法 等待时机,以备实施真正的网络攻击7协议欺骗攻击及防范协议欺骗攻击及防范源IP地址欺骗攻击 在路由器上的解决方法防止源IP地址欺骗行为的措施 抛弃基于地址的信任策略 使用加密方法 进行包过滤8协议欺骗攻击及防范协议欺骗攻击及防范源路由欺骗攻击防范源路由欺骗攻击的措施 抛弃由外部网进来却声称是内部主机的报文 在路由器上关闭源路由9协议欺骗攻击及防范协议欺骗攻击及防范拒绝服务攻击防止拒绝服务攻击的措施 调整该网段路由器上的配置 强制系统对超时的Syn请求连接数据包复位 缩短超时常数和加长等候队列 在路由器的前端
3、做必要的TCP拦截 关掉可能产生无限序列的服务10拒绝服务攻击拒绝服务攻击用超出被攻击目标处理能力的海量数据包消耗可用系统,带宽资源,致使网络服务瘫痪的一种攻击手段两种使用较频繁的攻击形式 TCP-SYN flood 半开式连接攻击 UDP flood11拒绝服务攻击拒绝服务攻击12拒绝服务攻击拒绝服务攻击UDP flood Udp在网络中的应用 如,DNS解析、realaudio实时音乐、网络管理、联网游戏等 基于udp的攻击种类 如,unix操作系统的echo,chargen. echo服务13拒绝服务攻击拒绝服务攻击Trinoo 是基于UDP flood的攻击软件Trinoo攻击功能的实
4、现 是通过三个模块付诸实施的 攻击守护进程 NS 攻击控制进程 MASTER 客户端 NETCAT,标准TELNET程序等14拒绝服务攻击及防范拒绝服务攻击及防范六个trinoo可用命令 Mtimer Dos Mdie Mping Mdos msize15拒绝服务攻击拒绝服务攻击16拒绝服务攻击拒绝服务攻击攻击的实例: 被攻击的目标主机victim IP为:5 ns被植入三台sun的主机里,他们的IP对应关系分别为 client1:1 client2:2 client3:3 master所在主机为masterhos
5、t:4 首先我们要启动各个进程,在client1,2,3上分别执行ns,启动攻击守护进程, 其次,在master所在主机启动master masterhost# ./master ? gOrave (系统示输入密码,输入gOrave后master成功启动) trinoo v1.07d2+f3+c Mar 20 2000:14:38:49 (连接成功) 17拒绝服务攻击拒绝服务攻击在任意一台与网络连通的可使用telnet的设备上,执行 telnet 4 27665 Escape character is . betaalmostdone (输入密码) tr
6、inoo v1.07d2+f3+c.rpm8d/cb4Sx/ trinoo (进入提示符) trinoo mping (我们首先来监测一下各个攻击守护进程是否成功启动) mping: Sending a PING to every Bcasts. trinoo PONG 1 Received from 1 PONG 2 Received from 2 PONG 3 Received from 3 (成功响应) trinoo mtimer 60 (设定攻击时间为60秒) mtimer: Setting timer on bcast to
7、 60. trinoo dos 5 DoS: Packeting 5. 18拒绝服务攻击拒绝服务攻击至此一次攻击结束,此时ping 5,会得到icmp不可到达反馈,目标主机此时与网络的正常连接已被破坏 19拒绝服务攻击拒绝服务攻击由于目前版本的trinoo尚未采用IP地址欺骗,因此在被攻击的主机系统日志里我们可以看到如下纪录 Mar 20 14:40:34 victim snmpXdmid: Will attempt to re-establish connection. Mar 20 14:40:35 victim snmpdx:
8、error while receiving a pdu from 1.59841: The message has a wrong header type (0 x0) Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 2.43661: The message has a wrong header type (0 x0) Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 3.401
9、83: The message has a wrong header type (0 x0) Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0 x0). Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1. Mar 20 14:40:36 victim snmpXdmid: Will attempt to re-establish connection. Ma
10、r 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0 x0). Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.20拒绝服务攻击防范拒绝服务攻击防范检测系统是否被植入了攻击守护程序办法 检测上述提到的udp端口 如netstat -a | grep udp 端口号 用专门的检测软件21拒绝服务攻击及防范拒绝服务攻击及防范下面为在一台可疑设备运行结果, Loggin
11、g output to: LOG Scanning running processes. /proc/795/object/a.out: trinoo daemon /usr/bin/gcore: core.795 dumped /proc/800/object/a.out: trinoo master /usr/bin/gcore: core.800 dumped Scanning /tmp. Scanning /. /yiming/tfn2k/td: tfn2k daemon /yiming/tfn2k/tfn: tfn2k client /yiming/trinoo/daemon/ns:
12、 trinoo daemon /yiming/trinoo/master/master: trinoo master /yiming/trinoo/master/.: possible IP list file NOTE: This message is based on the filename being suspicious, and is not based on an analysis of the file contents. It is up to you to examine the file and decide whether it is actually an IP li
13、st file related to a DDOS tool. /yiming/stacheldrahtV4/leaf/td: stacheldraht daemon /yiming/stacheldrahtV4/telnetc/client: stacheldraht client /yiming/stacheldrahtV4/td: stacheldraht daemon /yiming/stacheldrahtV4/client: stacheldraht client /yiming/stacheldrahtV4/mserv: stacheldraht master ALERT: On
14、e or more DDOS tools were found on your system. Please examine LOG and take appropriate action. 22拒绝服务攻击防范拒绝服务攻击防范封掉不必要的UDP服务 如echo,chargen,减少udp攻击的入口 23拒绝服务攻击防范拒绝服务攻击防范路由器阻挡一部分ip spoof, syn攻击 通过连接骨干网络的端口 采用CEF和ip verify unicast reverse-path 使用access control lists 将可能被使用的网络保留地址封掉 使用CAR技术 限制 ICMP 报文大
15、小24Specific Attack TypesAll of the following can be used to compromise your system: Packet sniffers IP weaknesses Password attacks DoS or DDoS Man-in-the-middle attacks Application layer attacks Trust exploitation Port redirection Virus and worms Trojan horse Operator error25IP SpoofingIP spoofing o
16、ccurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing: A hacker uses an IP address that is within the range of trusted IP addresses. A hacker uses an authorized external IP address that is trusted.Uses
17、 for IP spoofing include the following: IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data. A hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the
18、 spoofed address and reply just as any trusted user can.26IP Spoofing MitigationThe threat of IP spoofing can be reduced, but not eliminated, through the following measures: Access controlThe most common method for preventing IP spoofing is to properly configure access control. RFC 2827 filteringYou
19、 can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organizations own IP range. Additional authentication that does not use IP-based authentica
20、tionExamples of this include the following: Cryptographic (recommended) Strong, two-factor, one-time passwords27Application Layer AttacksApplication layer attacks have the following characteristics: Exploit well known weaknesses, such as protocols, that are intrinsic to an application or system (for
21、 example, sendmail, HTTP, and FTP) Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall) Can never be completely eliminated, because new vulnerabilities are always being discovered28Application LayerAttacksMitigationSo
22、me measures you can take to reduce your risks are as follows: Read operating system and network log files, or have them analyzed by log analysis applications. Subscribe to mailing lists that publicize vulnerabilities. Keep your operating system and applications current with the latest patches. IDSs
23、can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.29Network ReconnaissanceNetwork reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. 30Network Reconnaissance Mitigatio
24、n Network reconnaissance cannot be prevented entirely. IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.31Virus and Trojan HorsesViruses refer to malicious software that are attached
25、to another program to execute a particular unwanted function on a users workstation. End-user workstations are the primary targets.A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated b
26、y antivirus software at the user level and possibly the network level.32DOS/DDOSDOS 拒绝服务攻击DDOS 分布式拒绝服务攻击利用TCP/IP缺陷33常见常见DOS工具工具Bonk通过发送大量伪造的UDP数据包导致系统重启动 TearDrop通过发送重叠的IP碎片导致系统的TCP/IP栈崩溃 SynFlood通过发送大量伪造源IP的基于SYN的TCP请求导致系统重启动 Bloop 通过发送大量的ICMP数据包导致系统变慢甚至凝固 Jolt 通过大量伪造的ICMP和UDP导致系统变的非常慢甚至重新启动 34SynF
27、lood原理原理Syn 伪造源地址()IP:(TCP连接无法建立,造成TCP等待超时)Ack 大量的伪造数据包发向服务器端35DDOS攻击攻击黑客控制了多台服务器,然后每一台服务器都集中向一台服务器进行DOS攻击36DDOS攻击示意图攻击示意图37分布式拒绝服务攻击分布式拒绝服务攻击38分布式拒绝服务攻击步骤分布式拒绝服务攻击步骤1ScanningProgram不安全的计算机不安全的计算机Hacker攻击者使用扫描攻击者使用扫描工具探测扫描大工具探测扫描大量主机以寻找潜量主机以寻找潜在入侵目标。在入侵目标。1Internet39分布式拒绝服务攻击步骤分布式拒绝服务攻击步骤2Hacker被控制的计算机被控制的计算机(代理端代理端)黑客设法入侵有安全漏洞黑客设法入侵有安全漏洞的主机并获取控制权。这的主机并获取控制权。这些主机将被用于放置后门、些
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2025交通赔偿协议书模板
- 临时工劳动签订协议书七篇
- 债务协议范本
- 全国赛课一等奖初中统编版七年级道德与法治上册《增强安全意识》获奖课件
- 重庆2020-2024年中考英语5年真题回-教师版-专题07 阅读理解之说明文
- 《商务数据分析》课件-市场定位分析
- 企业安全管理人员尽职免责培训课件
- 《卓越的销售技巧》课件
- 养老院老人康复设施维修人员福利待遇制度
- 新冠救治和转运人员的闭环管理要点(医院新冠肺炎疫情防控感染防控专家课堂培训课件)
- 国家开放大学《组织行为学》章节测试参考答案
- 《班主任工作常规》课件
- HTML5CSS3 教案及教学设计合并
- 青岛版六三二年级上册数学乘加乘减解决问题1课件
- 电子课件机械基础(第六版)完全版
- 消防维保方案 (详细完整版)
- 临沂十二五城市规划研究专题课件
- 2022更新国家开放大学电大《计算机应用基础本》终结性考试试题答案格式已排好任务一
- DB64∕T 001-2009 梯田建设技术规范
- DB62∕T 4128-2020 公路工程竣工文件材料立卷归档规程
- 五年级道德与法治上册部编版第10课《传统美德源远流长》课件(第2课时)
评论
0/150
提交评论