Network interface layer security:
ARP spoofing defense:
1. Use a static ARP cache
2. IP and MAC address binding (the most direct solution)
3. ARP defense tools
IP header structure:
Total length (16 bits): The total length of the IP packet should not exceed 65536.
Time-to-live (TTL): Each time a packet passes through a router, the TTL is decremented by 1; this prevents a packet from circulating in the network indefinitely and wasting network resources. Different operating systems use different initial TTL values, which can be used to judge whether a host is Windows or Linux. (Look up the related IPv6 information as well; it will be useful later.)
ICMP protocol:
Features: ICMP messages are carried inside IP packets, but ICMP is considered a protocol at the same layer as IP.
Functions:
1. Carry error messages and other information that needs attention
2. ICMP address mask request and response
3. ICMP timestamp request and response
traceroute (tracert) command: diagnoses the route a packet takes through the network by tracing it hop by hop
Internet layer security:
1. Denial of service: fragmentation attack (Teardrop) / Ping of Death
DoS, or DDoS (distributed denial of service)
Ping of Death
Attack principle:
Rather than simply pinging continuously, around the year 2000 an attacker could run ping -l 10000: when the packet is received, the host opens a 64 KB reassembly buffer, and a packet exceeding 64 KB overflows that buffer. As a result the TCP/IP protocol stack crashes, causing the host to restart or hang.
Detection method: check whether the packet is larger than 65535 bytes; if it is, the IDS raises an intrusion alert.
IDS (intrusion detection system): ships with signatures of common attacks, parses and matches network traffic packets against them, and raises an alert on a match.
Metrics for evaluating intrusion detection products: false negative rate and false positive rate.
Teardrop
"Teardrop", also called a fragmentation attack, is a typical denial-of-service attack that exploits the TCP/IP protocol.
Because the first program to implement this attack was named Teardrop, the attack itself is also called "teardrop".
Attack principle:
Example of normal fragments: 1-1025, 1026-2049, 2049-3073
After the attack: 1-1025, 1000-2049, 2049-3073
When the receiving host reassembles the fragments, the overlapping data causes an overwrite or overflow that crashes the protocol stack.
Detection method: analyze the received fragmented packets and calculate whether the fragment offset (Offset) of each packet is inconsistent with the others.
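The two detection checks described above (oversized reassembled packet for Ping of Death, inconsistent fragment offsets for Teardrop) as an added IDS-style example; this is illustrative code written for these notes, not from any IDS product. The Fragment class and the three fragment lists are constructed samples, not captured traffic; offsets are in 8-byte units as in the IP header.

```python
from dataclasses import dataclass

IP_MAX_LEN = 65535  # largest IPv4 datagram the 16-bit total-length field allows


@dataclass
class Fragment:
    """One IP fragment (constructed for this example, not a real parser)."""
    offset: int  # fragment offset field, in 8-byte units as on the wire
    length: int  # payload bytes carried by this fragment


def check_fragments(frags):
    """Return alert strings for the fragments of one datagram (empty = clean)."""
    alerts = []
    end = 0  # byte just past the highest data delivered so far
    for f in sorted(frags, key=lambda f: f.offset):
        start = f.offset * 8
        if start < end:  # this fragment re-covers bytes an earlier one delivered
            alerts.append(f"teardrop: fragment at byte {start} overlaps data up to {end}")
        end = max(end, start + f.length)
    if end > IP_MAX_LEN:  # reassembled datagram cannot fit in a 64 KB buffer
        alerts.append(f"ping-of-death: reassembled size {end} > {IP_MAX_LEN}")
    return alerts


# Constructed sample: three contiguous 1024-byte fragments (bytes 0-3071).
NORMAL = [Fragment(0, 1024), Fragment(128, 1024), Fragment(256, 1024)]
# Constructed sample: second fragment starts at byte 1000, inside the first one.
TEARDROP = [Fragment(0, 1024), Fragment(125, 1024), Fragment(256, 1024)]
# Constructed sample: 45 contiguous 1480-byte fragments reassemble to 66600 bytes.
PING_OF_DEATH = [Fragment(i * 185, 1480) for i in range(45)]

if __name__ == "__main__":
    for name, frags in [("normal", NORMAL), ("teardrop", TEARDROP), ("ping-of-death", PING_OF_DEATH)]:
        print(name, "->", check_fragments(frags) or "no alert")
```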
Smurf attack
Note the attack method:
Attack principle:
The attacker forges the source IP of the target site and sends a large number of broadcast packets to an intermediate network. If that intermediate network has 10,000 hosts, each of them answers the broadcast, and every reply is sent to the target site, which is flooded with echo reply packets and suffers a DoS.
The attack mainly relies on ICMP echo requests eliciting echo replies.
2. Spoofing: IP spoofing
3. Eavesdropping: sniffing
4. Forgery: IP data packet forgery
Transport layer security: