1、1網絡攻擊的檢測和預防網絡攻擊的檢測和預防 第七章2目錄目錄常見網絡攻擊的檢測和預防DoS攻擊的防范 3黑客攻擊網絡的一般過程黑客攻擊網絡的一般過程信息的收集 利用的公開協議或工具 TraceRoute程序 SNMP協議 DNS服務器 Whois協議 Ping實用程序4黑客攻擊網絡的一般過程黑客攻擊網絡的一般過程系統安全弱點的探測 主要探測的方式 自編程序 慢速掃描 體系結構探測 利用公開的工具軟件5黑客攻擊網絡的一般過程黑客攻擊網絡的一般過程建立模擬環境，進行模擬攻擊 根據前面兩小點所得的信息 建立一個類似攻擊對象的模擬環境 對此模擬目標進行一系列的攻擊6黑客攻擊網絡的一般過程黑客攻擊網絡的

2、一般過程具體實施網絡攻擊 根據前幾步所獲得的信息 結合自身的水平及經驗總結相應的攻擊方法 等待時機，以備實施真正的網絡攻擊7協議欺騙攻擊及防范協議欺騙攻擊及防范源IP地址欺騙攻擊 在路由器上的解決方法防止源IP地址欺騙行為的措施 拋棄基于地址的信任策略 使用加密方法 進行包過濾8協議欺騙攻擊及防范協議欺騙攻擊及防范源路由欺騙攻擊防范源路由欺騙攻擊的措施 拋棄由外部網進來卻聲稱是內部主機的報文 在路由器上關閉源路由9協議欺騙攻擊及防范協議欺騙攻擊及防范拒絕服務攻擊防止拒絕服務攻擊的措施 調整該網段路由器上的配置 強制系統對超時的Syn請求連接數據包復位 縮短超時常數和加長等候隊列 在路由器的前端

3、做必要的TCP攔截 關掉可能產生無限序列的服務10拒絕服務攻擊拒絕服務攻擊用超出被攻擊目標處理能力的海量數據包消耗可用系統，帶寬資源，致使網絡服務癱瘓的一種攻擊手段兩種使用較頻繁的攻擊形式 TCP-SYN flood 半開式連接攻擊 UDP flood11拒絕服務攻擊拒絕服務攻擊12拒絕服務攻擊拒絕服務攻擊UDP flood Udp在網絡中的應用 如，DNS解析、realaudio實時音樂、網絡管理、聯網游戲等 基于udp的攻擊種類 如，unix操作系統的echo,chargen. echo服務13拒絕服務攻擊拒絕服務攻擊Trinoo 是基于UDP flood的攻擊軟件Trinoo攻擊功能的實

4、現 是通過三個模塊付諸實施的 攻擊守護進程 NS 攻擊控制進程 MASTER 客戶端 NETCAT，標準TELNET程序等14拒絕服務攻擊及防范拒絕服務攻擊及防范六個trinoo可用命令 Mtimer Dos Mdie Mping Mdos msize15拒絕服務攻擊拒絕服務攻擊16拒絕服務攻擊拒絕服務攻擊攻擊的實例: 被攻擊的目標主機victim IP為:5 ns被植入三臺sun的主機里，他們的IP對應關系分別為 client1:1 client2:2 client3:3 master所在主機為masterhos

5、t:4 首先我們要啟動各個進程，在client1，2，3上分別執行ns，啟動攻擊守護進程， 其次，在master所在主機啟動master masterhost# ./master ? gOrave (系統示輸入密碼，輸入gOrave后master成功啟動) trinoo v1.07d2+f3+c Mar 20 2000:14:38:49 (連接成功) 17拒絕服務攻擊拒絕服務攻擊在任意一臺與網絡連通的可使用telnet的設備上，執行 telnet 4 27665 Escape character is . betaalmostdone (輸入密碼) tr

6、inoo v1.07d2+f3+c.rpm8d/cb4Sx/ trinoo (進入提示符) trinoo mping (我們首先來監測一下各個攻擊守護進程是否成功啟動) mping: Sending a PING to every Bcasts. trinoo PONG 1 Received from 1 PONG 2 Received from 2 PONG 3 Received from 3 (成功響應) trinoo mtimer 60 (設定攻擊時間為60秒) mtimer: Setting timer on bcast to

7、 60. trinoo dos 5 DoS: Packeting 5. 18拒絕服務攻擊拒絕服務攻擊至此一次攻擊結束，此時ping 5，會得到icmp不可到達反饋，目標主機此時與網絡的正常連接已被破壞 19拒絕服務攻擊拒絕服務攻擊由于目前版本的trinoo尚未采用IP地址欺騙，因此在被攻擊的主機系統日志里我們可以看到如下紀錄 Mar 20 14:40:34 victim snmpXdmid: Will attempt to re-establish connection. Mar 20 14:40:35 victim snmpdx:

8、error while receiving a pdu from 1.59841: The message has a wrong header type (0 x0) Mar 20 14:40:35 victim snmpdx: error while receiving a pdu from 2.43661: The message has a wrong header type (0 x0) Mar 20 14:40:36 victim snmpdx: error while receiving a pdu from 3.401

9、83: The message has a wrong header type (0 x0) Mar 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0 x0). Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1. Mar 20 14:40:36 victim snmpXdmid: Will attempt to re-establish connection. Ma

10、r 20 14:40:36 victim snmpXdmid: Error receiving PDU The message has a wrong header type (0 x0). Mar 20 14:40:36 victim snmpXdmid: Error receiving packet from agent; rc = -1.20拒絕服務攻擊防范拒絕服務攻擊防范檢測系統是否被植入了攻擊守護程序辦法 檢測上述提到的udp端口 如netstat -a | grep udp 端口號 用專門的檢測軟件21拒絕服務攻擊及防范拒絕服務攻擊及防范下面為在一臺可疑設備運行結果， Loggin

11、g output to: LOG Scanning running processes. /proc/795/object/a.out: trinoo daemon /usr/bin/gcore: core.795 dumped /proc/800/object/a.out: trinoo master /usr/bin/gcore: core.800 dumped Scanning /tmp. Scanning /. /yiming/tfn2k/td: tfn2k daemon /yiming/tfn2k/tfn: tfn2k client /yiming/trinoo/daemon/ns:

12、 trinoo daemon /yiming/trinoo/master/master: trinoo master /yiming/trinoo/master/.: possible IP list file NOTE: This message is based on the filename being suspicious, and is not based on an analysis of the file contents. It is up to you to examine the file and decide whether it is actually an IP li

13、st file related to a DDOS tool. /yiming/stacheldrahtV4/leaf/td: stacheldraht daemon /yiming/stacheldrahtV4/telnetc/client: stacheldraht client /yiming/stacheldrahtV4/td: stacheldraht daemon /yiming/stacheldrahtV4/client: stacheldraht client /yiming/stacheldrahtV4/mserv: stacheldraht master ALERT: On

14、e or more DDOS tools were found on your system. Please examine LOG and take appropriate action. 22拒絕服務攻擊防范拒絕服務攻擊防范封掉不必要的UDP服務 如echo,chargen,減少udp攻擊的入口 23拒絕服務攻擊防范拒絕服務攻擊防范路由器阻擋一部分ip spoof, syn攻擊 通過連接骨干網絡的端口 采用CEF和ip verify unicast reverse-path 使用access control lists 將可能被使用的網絡保留地址封掉 使用CAR技術 限制 ICMP 報文大

15、小24Specific Attack TypesAll of the following can be used to compromise your system: Packet sniffers IP weaknesses Password attacks DoS or DDoS Man-in-the-middle attacks Application layer attacks Trust exploitation Port redirection Virus and worms Trojan horse Operator error25IP SpoofingIP spoofing o

16、ccurs when a hacker inside or outside a network impersonates the conversations of a trusted computer. Two general techniques are used during IP spoofing: A hacker uses an IP address that is within the range of trusted IP addresses. A hacker uses an authorized external IP address that is trusted.Uses

17、 for IP spoofing include the following: IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data. A hacker changes the routing tables to point to the spoofed IP address, then the hacker can receive all the network packets that are addressed to the

18、 spoofed address and reply just as any trusted user can.26IP Spoofing MitigationThe threat of IP spoofing can be reduced, but not eliminated, through the following measures: Access controlThe most common method for preventing IP spoofing is to properly configure access control. RFC 2827 filteringYou

19、 can prevent users of your network from spoofing other networks (and be a good Internet citizen at the same time) by preventing any outbound traffic on your network that does not have a source address in your organizations own IP range. Additional authentication that does not use IP-based authentica

20、tionExamples of this include the following: Cryptographic (recommended) Strong, two-factor, one-time passwords27Application Layer AttacksApplication layer attacks have the following characteristics: Exploit well known weaknesses, such as protocols, that are intrinsic to an application or system (for

21、 example, sendmail, HTTP, and FTP) Often use ports that are allowed through a firewall (for example, TCP port 80 used in an attack against a web server behind a firewall) Can never be completely eliminated, because new vulnerabilities are always being discovered28Application LayerAttacksMitigationSo

22、me measures you can take to reduce your risks are as follows: Read operating system and network log files, or have them analyzed by log analysis applications. Subscribe to mailing lists that publicize vulnerabilities. Keep your operating system and applications current with the latest patches. IDSs

23、can scan for known attacks, monitor and log attacks, and in some cases, prevent attacks.29Network ReconnaissanceNetwork reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications. 30Network Reconnaissance Mitigatio

24、n Network reconnaissance cannot be prevented entirely. IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.31Virus and Trojan HorsesViruses refer to malicious software that are attached

25、to another program to execute a particular unwanted function on a users workstation. End-user workstations are the primary targets.A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated b

26、y antivirus software at the user level and possibly the network level.32DOS/DDOSDOS 拒絕服務攻擊DDOS 分布式拒絕服務攻擊利用TCP/IP缺陷33常見常見DOS工具工具Bonk通過發送大量偽造的UDP數據包導致系統重啟動 TearDrop通過發送重疊的IP碎片導致系統的TCP/IP棧崩潰 SynFlood通過發送大量偽造源IP的基于SYN的TCP請求導致系統重啟動 Bloop 通過發送大量的ICMP數據包導致系統變慢甚至凝固 Jolt 通過大量偽造的ICMP和UDP導致系統變的非常慢甚至重新啟動 34SynF

27、lood原理原理Syn 偽造源地址()IP:(TCP連接無法建立，造成TCP等待超時）Ack 大量的偽造數據包發向服務器端35DDOS攻擊攻擊黑客控制了多臺服務器，然后每一臺服務器都集中向一臺服務器進行DOS攻擊36DDOS攻擊示意圖攻擊示意圖37分布式拒絕服務攻擊分布式拒絕服務攻擊38分布式拒絕服務攻擊步驟分布式拒絕服務攻擊步驟1ScanningProgram不安全的計算機不安全的計算機Hacker攻擊者使用掃描攻擊者使用掃描工具探測掃描大工具探測掃描大量主機以尋找潛量主機以尋找潛在入侵目標。在入侵目標。1Internet39分布式拒絕服務攻擊步驟分布式拒絕服務攻擊步驟2Hacker被控制的計算機被控制的計算機(代理端代理端)黑客設法入侵有安全漏洞黑客設法入侵有安全漏洞的主機并獲取控制權。這的主機并獲取控制權。這些主機將被用于放置后門、些