版权说明:本文档由用户提供并上传,收益归属内容提供方,若内容存在侵权,请进行举报或认领
文档简介
1、计算机网络攻击和防护技术简介网络安全各项专题应用软件安全(Application security)操作系统安全(Operating system security)网络安全(Network security)网页(Web security)网络攻击基本原理 (Principals of network attacks)网络攻击防护基本原理(Intrusion detection and prevention)网络安全技术要求计算机操作系统计算机体系结构计算机网络数据结构计算机算法C 语言汇编语言较强的英语阅读能力警告: 慎用网络安全知识我们会讨论一些 漏洞(vulnerabilities)
2、和攻击 (attacks)大部分漏洞已经堵了.一些攻击还是会造成破坏 不要尝试在非实验室场合试用目的学习如何避免和防卫恶性攻击学习作为软件工程师, 如何写好无漏洞的软件老一代的黑客(2000 前)Profile:计算机迷14 到34 岁不用照顾家庭不为钱Source: Raimund Genes新一代骇客高中未毕业生“most of these people I infect are so stupid they really aint got no business being on the Internet in the first place.“技能用攻击工具少量计算机知识工作时间: 2
3、-10 分钟管理 Botnet收入: 平均 $6,800 /月每天工作: 网上闲逛, 网上聊天 botnets 自动挣钱控制 13,000 以上的计算机, 分布在世界各地 不断地感染新的 Bot PCs, 下载广告软件和恶性软件到受感染的机器 窃取敏感数据帐号, 密码, 电邮, 社会安全号,信用卡号, 银行帐号等出售服务和非法数据给各种公司TopC, GammaC, Loudcash, or 180Solutions.6Washington Post: Invasion of the Computer Snatchers网络安全问题有多大?/stats/CERT Vulnerabilities
4、 reported恶性软件(Malware) 分类Virus(病毒)Copy and infect without permissionWorm(蠕虫)Self-propagating across networksTrojan(木马)Destructive program masquerading as a benign applicationBot and Botnet (僵尸和僵尸网)Used for the co-ordination and operation of an attackSpyware (间谍软件)Intercept or take partial control ov
5、er users interactionBackdoor (后门)Covert access to a computerDownloader Download/install malicious softwareRansomwareProgram to encrypt user useful data and request ransom for restoration AdwareDownload advertising software and display advertisements without user consentRootkit Subvert control of OS常
6、见的网络攻击分类2006 MITRE CVE stats: 21.5 % of CVEs were XSS 14 percent SQL injection 9.5 percent php includes“ 7.9 buffer overflow2005 年前, buffer overflows 是最常见2005 年后, Cross-Site Scripping (XSS) 最常见9Vulnerability Stats: web is “winning”Source: MITRE CVE trendsMajority of vulnerabilities now found in web
7、software网络攻击实例: SilentBankerProxy intercepts request and adds fieldsBank sends login page needed to log inWhen user submits information, also sent to attackerCredit: Zulfikar Ramzan网络安全黑市RankLast Goods and servicesCurrentPreviousPrices12Bank accounts22%21%$10-100021Credit cards13%22%$0.40-$2037Full
8、identity9%6%$1-154N/ROnline auction site accounts7%N/A$1-858Scams7%6%$2.50/wk - $50/wk (hosting); $25 design64Mailers6%8%$1-1075Email Addresses5%6%$0.83-$10/MB83Email Passwords5%8%$4-309N/RDrop (request or offer)5%N/A10-50% of drop amount106Proxies5%6%$1.50-$30Credit: Zulfikar Ramzan为什么有这么多安全漏洞(Secu
9、rity Vulnerabilities)Buggy software.insecure codeAwarenessSome contributing factorsFew courses in computer securityProgramming text books do not emphasize securityFew security audits C is an unsafe languageProgrammers have many other things to worry aboutLegacy software (some solutions, e.g. Sandbox
10、ing)Consumers do not care about securitySecurity is expensive and takes timeSource Of Computer and Network VulnerabilitiesOperation SystemsMicrosoft OSLinuxCommunication ProtocolsProtocol design issuesTCP syn-to-deathApplicationsHttp Word1515WormA worm is self-replicating software designed to spread
11、 through the networkexploit security flaws in widely used services and applications绿霸软件cause enormous damage Launch DDOS attacks, install bot networks Access sensitive informationCause confusion by corrupting the sensitive informationPenetration Methods (Source S21sec)Browser Exploit (65%)Browser se
12、curity bugsEmail Attachment (13%)Spam and unsolicited emailOperating System Exploit (11%)Internet Download (9%)Other (2%)1717How do worms self-propagate?Scanning worms : Worm chooses “random” addressCoordinated scanning : Different worm instances scan different addressesFlash wormsAssemble tree of v
13、ulnerable hosts in advance, propagate along treeNot observed in the wild, yetPotential for 106 hosts in 2 sec ! StanifordMeta-server worm: Ask server for hosts to infect (e.g., Google for “powered by phpbb”)Topological worm: Use information from infected hosts (web server logs, email address books,
14、config files, SSH “known hosts”)Contagion worm : Propagate parasitically along with normally initiated communication1818Cost of worm attacksMorris worm, 1988Infected approximately 6,000 machines10% of computers connected to the Internet cost $10 million in downtime and cleanupCode Red worm, July 16
15、2001Direct descendant of Morris wormInfected more than 500,000 serversProgrammed to go into infinite sleep mode July 28 Caused $2.6 Billion in damages,Love Bug worm: $8.75 billionStatistics: Computer Economics Inc., Carlsbad, California1919Internet Worm (First major attack)Released November 1988Prog
16、ram spread through Digital, Sun workstations Exploited Unix security vulnerabilitiesVAX computers and SUN-3 workstations running versions 4.2 and 4.3 Berkeley UNIX codeConsequencesNo immediate damage from program itself Replication and threat of damage Load on network, systems used in attackMany sys
17、tems shut down to prevent further attack2020Some historical worms of noteWormDateDistinctionMorris11/88Used multiple vulnerabilities, propagate to “nearby” sysADM5/98Random scanning of IP address spaceRamen1/01Exploited three vulnerabilitiesLion3/01Stealthy, rootkit wormCheese6/01Vigilante worm that
18、 secured vulnerable systemsCode Red7/01First sig Windows worm; Completely memory residentWalk8/01Recompiled source code locallyNimda9/01Windows worm: client-to-server, c-to-c, s-to-s, Scalper6/0211 days after announcement of vulnerability; peer-to-peer network of compromised systemsSlammer1/03Used a
19、 single UDP packet for explosive growth2121Increasing propagation speedCode Red, July 2001Affects Microsoft Index Server 2.0, Windows 2000 Indexing service on Windows NT 4.0.Windows 2000 that run IIS 4.0 and 5.0 Web serversExploits known buffer overflow in Idq.dllVulnerable population (360,000 serve
20、rs) infected in 14 hoursSQL Slammer, January 2003Affects Microsoft SQL 2000Exploits known buffer overflow vulnerabilityServer Resolution service vulnerability reported June 2002 Patched released in July 2002 Bulletin MS02-39Vulnerable population infected in less than 10 minutes2222Code RedInitial ve
21、rsion (July 13, 2001)Sends its code as an HTTP requestHTTP request exploits buffer overflow Malicious code is not stored in a filePlaced in memory and then runWhen executed,Worm checks for the file C:NotwormIf file exists, the worm thread goes into infinite sleep stateCreates new threadsIf the date
22、is before the 20th of the month, the next 99 threads attempt to exploit more computers by targeting random IP addresses2323Code Red of July 13 and July 19Initial release of July 13, 20011st through 20th month: Spread via random scan of 32-bit IP addr space20th through end of each month: attack.Flood
23、ing attack against 1 ()Failure to seed random number generator linear growthRevision released July 19, 2001.White House responds to threat of flooding attack by changing the address of Causes Code Red to die for date 20th of the month.But: this time random number generator correctly seeded2424Infect
24、ion rate2525Spread of Code RedNetwork telescopes estimate of # infected hosts: 360K. (Beware DHCP & NAT)Course of infection fits classic logistic.Note: larger the vulnerable population, faster the worm spreads.That night ( 20th), worm dies except for hosts with inaccurate clocks!It just takes one of
25、 these to restart the worm on August 1st 26262727Code Red 2Released August 4, 2001.Comment in code: “Code Red 2.”But in fact completely different code base.Payload: a root backdoor, resilient to reboots.Bug: crashes NT, only works on Windows 2000.Localized scanning: prefers nearby addresses.Kills Co
26、de Red 1.Safety valve: programmed to die Oct 1, 2001.2828Striving for Greater Virulence: NimdaReleased September 18, 2001.Multi-mode spreading:attack IIS servers via infected clients email itself to address book as a virus copy itself across open network shares modifying Web pages on infected server
27、s w/ client exploit scanning for Code Red II backdoors (!) worms form an ecosystem!Leaped across firewalls.2929Code Red 2 kills off Code Red 1Code Red 2 settles into weekly patternNimda enters the ecosystemCode Red 2 dies off as programmedCR 1 returns thanksto bad clocksSlammer01/25/2003Vulnerabilit
28、y disclosed : 25 June 2002Better scanning algorithmUDP Single packet : 380bytesMuch faster than TCP based wormSlammer propagationNumber of Scan/secPacket LossServer ViewConsequencesATM systems not availablePhone network overloaded (no 911!)5 DNS root downPlanes delayedBotnetBotNetsA New Big ProblemB
29、otsLittle program installed silently without user interventionMost users are not aware of Bots in their computersCommon users are weakest linksNeed good education to common users to mitigate the Botnet Millions of computers infected 53000 infected per day (2007)BotnetsNetworks of computers on which
30、Bots are installed. Managed by command and control serverUsed for DDOS, Cyber War, Identity Theft, SPAM, SCAMBots are deployed across countries around worldChina, USA, Germany, Spain, France are the top five countries infectedHow Botnets workC & CBotBotBotBotCentralized BotnetsCentralizedDistributed
31、 BotnetsC&C centralized StatWorld Wild ProblemIntrusion Detection & PreventionAn OverviewFirewallFirewall can block unwanted serviceThe first-level of defense for network intrusion.Firewall Alone Is Not EnoughFirewall cannot look into applicationsIPS is the key to keep up with new security threats p
32、rotectionIPS can realize Qos for business critical applications over nonessential apps like P2P and IMTimelineVulnerabilitiesDiscoveredAdvisory IssuedWorm ReleasedExploits ReleasedGetting ShorterLifecycle of Vulnerabilities and ThreatsBenefits of Network IPSDropped from the networkBenefitsAttacks ne
33、ver reach their victim, eliminating impact to the networkNo need to waste time investigating the attackWorks for all traffic (IP, TCP, UDP, etc.)Drops only the offending trafficAn active, in-line system detects an attack and drops malicious traffic during the detection processUserUserUserServersMail
34、ServerWebServerFirewallHTTP TrafficCode redTypical DeploymentsLarge Enterprise / Service ProvidersRegional OfficesSmall/Mid-size BusinessesMid-size BusinessesIntegrated FW/IPSIPSIPSIPSWe have Long Way to GoKnown Threats but no known ways to protectKnown Threats with available protectionUnknown Threa
35、ts & VulnerabilitiesPacketEngineIPS Sensor ArchitecturesPacket engine packet IOpacket defragmentationflow and session managementDetector analyzes and decodes applicationsPolicy contains signatures and rules to detect attacksBoth policy and detector can be dynamically loadableLog for forensic analysi
36、sDetectorPolicyLogManagementActionNetwork InterfaceIPS ArchitectureIP Fragment ReassemblyTCP ReassemblyLine-breakingApplication (HTTP) Parsing Event CorrelationLogs + PacketsFlow Lookup/ReconstructionActionsSignaturesAttack MatchingNetwork InterfaceTraffic Anomaly DetectionIdentify abnormal usage patternNo protocol anomalies or attack patterns but unusual traffic usage/volumeExample: Ping SweepReconnaissance Scan networks to identify resources for possible attackPing Sweep from external/suspicious source should alert administratorProtocol Anoma
温馨提示
- 1. 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。图纸软件为CAD,CAXA,PROE,UG,SolidWorks等.压缩文件请下载最新的WinRAR软件解压。
- 2. 本站的文档不包含任何第三方提供的附件图纸等,如果需要附件,请联系上传者。文件的所有权益归上传用户所有。
- 3. 本站RAR压缩包中若带图纸,网页内容里面会有图纸预览,若没有图纸预览就没有图纸。
- 4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
- 5. 人人文库网仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对用户上传分享的文档内容本身不做任何修改或编辑,并不能对任何下载内容负责。
- 6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
- 7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。
最新文档
- 2024届宁夏回族自治区石嘴山市三中高三一诊练习一数学试题
- 开题报告:新中国特殊教育思想史研究
- 开题报告:新时代教育数字化背景下智能管理系统一体化提升学生体质健康研究
- 2024年度事业单位聘用协议模板版A版
- 2024年室内装修施工协议模板版B版
- 2026春夏女装主题趋势预测:栖息旧时
- 2024年人事管理岗位保密协议样本
- 2024年广告宣传印刷品订购协议样本版B版
- 关于二年级第二学期体育教学计划
- 2021年春学期小学数学教研组工作计划
- 人教版四年级上册数学期末测试卷(综合题)
- 高考作文写作提升课堂:记叙文升华主题的途径(附例解析)
- 中国古代语言学史3课件
- 慢性咳嗽 课件
- TAVI(经皮导管主动脉瓣植入术)术后护理
- 服务区建设项目EPC总承包招标文件
- 中国滑雪运动安全规范
- 创建二甲妇幼保健机构评审验收工作汇报课件
- 柱包钢施工方案
- IEC60287中文翻译版本第一部分课件
- 古诗词考级方案
评论
0/150
提交评论