Summary of common network attacks

1. LAND attack

The LAND attack abuses the TCP three-way handshake. The attacker sends a TCP SYN (connection request) segment to the target, but unlike a normal SYN, the source and destination IP addresses of a LAND packet are identical: both are the target's own address. On receiving the SYN, the target allocates a TCP connection control block (TCB) and sends its ACK reply to the packet's source address, which is itself. If the attacker sends enough such SYN packets, the target's TCBs can be exhausted until it can no longer serve normal clients. This is a form of DoS attack.

Defense method:

Check whether the source and destination addresses of a TCP packet are the same, or whether the source address is a loopback address; if so, discard the packet.

2. Ping of Death

Ping of Death is commonly known as the "ping of death". Attacker A sends oversized ICMP packets (larger than 64 KB; the ping command uses ICMP) to victim B. Some routers and operating systems hit a memory allocation error when they receive such a packet, which causes the system to hang, crash or reboot.
The maximum length of an IP packet is 2^16-1 = 65535 bytes. Subtracting the 20-byte IP header and the 8-byte ICMP header leaves a maximum data part of 65535-20-8 = 65507 bytes. An oversized ICMP packet is one whose data part exceeds 65507 bytes.

Defense method:

The device checks whether a packet (its total length after fragment reassembly, since no single IP datagram on the wire can exceed 65535 bytes) is larger than 65535 bytes; such packets are discarded directly and an attack log entry is recorded. A cruder method is to forbid ICMP packets from passing through the network security device at all.

3. ICMP Redirect

ICMP redirect messages are how a router supplies a host with updated routing information in real time. When a host receives an ICMP redirect, it updates its routing table accordingly. Because there is no proper legitimacy check, an attacker who wants the victim host to alter its routing table simply sends it ICMP redirect messages, and the host modifies its routing table as the attacker wishes.

Defense method:
  • Gateway side:
     1. Turn off ICMP redirection (no ip redirects).
     2. Divide the network into segments with variable-length subnet masks (VLSM).
     3. Use access control lists (ACLs) and proxies.
  • Host side:
      1. Filter ICMP messages with a firewall, or monitor with anti-spyware software.
      2. Combine this with defenses against ARP and IP spoofing.

4. Smurf attack

Smurf is a simple but effective DDoS technique. It still uses the ping program, but with a forged source IP and a broadcast destination: the attacker sends ICMP echo requests to a network's broadcast address with the victim's address as the source, so every host on that network replies to the victim, which is paralyzed by the flood of replies. Broadcast traffic can be delivered to every machine in a network by certain means (broadcast addresses or other mechanisms).

Defense method:

  1. Configure routers to forbid IP broadcast packets from entering the network.
  2. Configure the operating systems of all computers on the network not to respond to ICMP packets whose destination address is the broadcast address.
  3. The attacked target negotiates with its ISP, and the ISP temporarily blocks this traffic.
  4. For packets leaving this network for external networks, filter out those whose source address belongs to other networks.

Limitations:

Since Layer 3 devices such as routers do not forward packets whose destination address is a broadcast address, it is difficult for a Smurf attack to reach a network through a router. For a firewall to detect a Smurf attack, the attacked network must be directly connected to the firewall.

5. WinNuke attack

WinNuke is based on an OOB (out-of-band) data vulnerability in the NetBIOS implementation. It sends a TCP segment carrying urgent (URG) data to the computer's port 139 (the TCP port of the NetBIOS session service). When Windows 95/NT received such a segment it froze or blue-screened instantly, and TCP/IP networking could not be used again until the computer was restarted.
Another variant uses fragmented IGMP (Internet Group Management Protocol) packets. IGMP messages are normally not fragmented, and many systems had problems processing fragmented IGMP messages.

Out-of-band (OOB) data is special data sent inside a TCP connection with higher priority than ordinary data. It is marked by the URG flag in the TCP header, and instead of entering the TCP receive buffer in the usual order it goes into a separate buffer, from which the process can read it immediately, or the process can be notified of its arrival by the SIGURG signal, depending on how the process is configured.

Later WinNuke-series tools evolved from attacking a single IP address to attacking a whole IP range. They can detect and select ports, attack continuously, and verify the effect of the attack, so a single run can blue-screen every vulnerable computer in an address range.

Defense method:

Attacks of this type exist because the software failed to handle a certain kind of message or request correctly during development, so that it behaves abnormally when it encounters such a message and crashes, possibly taking the system down with it. The way to prevent them is to upgrade or patch the system. You can also remove the NetBIOS protocol or close ports 137, 138 and 139.

6. Fraggle attack

When a UDP port running the Chargen service (usually port 19) receives a packet, it responds with a string of characters. When a UDP port running the Echo service (usually port 7) receives a packet, it simply returns the packet's data as the response. An attacker can exploit these two services to create a loop, keeping the victim's system busy and congesting the link.

The attacker sends a UDP packet into the network where the target is located. The packet's source address is the address of the attacked host, its destination address is the broadcast address or the subnet network address of the attacked host's subnet, and its destination port is 7 or 19. Every system in the subnet that has the service enabled sends a reply to the attacked host, generating a large volume of traffic that consumes bandwidth and congests the victim network or crashes the victim host.

Even if the systems on the subnet do not have these services enabled, they generate ICMP unreachable messages, which still consume bandwidth. If the attacker sets the UDP source port to 19 and the destination port to 7, the two services answer each other endlessly and generate a continuous stream of replies, which is even more harmful.

Defense method:

The device inspects incoming UDP packets. If the destination port is 7 or 19, the packet is rejected directly and the attack is recorded in the log.

7. IP Fragment attack (IP fragment packet detection)

The Don't Fragment (DF) and More Fragments (MF) bits in the IP header control fragmentation. An attacker sends packets whose fragmentation control fields are illegal, causing the receiving host to process the packet abnormally and possibly crash.

Defense method:

When the device detects that a packet's fragmentation control fields match one of the following, it discards the packet directly and records an attack log entry:

  • The DF bit is 1 (the packet must not be fragmented) and the MF bit is also 1 (more fragments follow).
  • The DF bit is 1 and the fragment offset (Offset) > 0.
  • The DF bit is 0 and fragment Offset + Length > 65535.

8. TCP Flag attack (TCP packet flag bit attack):

The TCP flag bits are URG, ACK, PSH, RST, SYN and FIN. The attacker sends packets with illegal TCP flag combinations; the victim host spends resources evaluating and classifying them, and some operating systems handle such packets incorrectly and crash. Different systems respond differently to these flag combinations, which can also be used for operating system fingerprinting.

Defense method:

Check the flag bits of each TCP packet. Any of the following cases is treated as an attack: the packet is discarded and recorded in the attack log:

  • All six flag bits are 1.
  • All six flag bits are 0.
  • The SYN and FIN bits are 1 at the same time.
  • The SYN and RST bits are 1 at the same time.
  • The FIN bit is 1, and the ACK bit is 0.
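The LAND check from section 1 and the fragment and flag rules from sections 7 and 8 are simple enough to implement directly on raw headers. The following Python is an added example, not code from the original post: it parses a constructed IPv4+TCP packet with the standard library and reports which of the page's rules it trips (the packet builder and the rule names are this example's own).

```python
import ipaddress
import struct

# TCP flag bits (byte 13 of the TCP header) and the mask of all six.
URG, ACK, PSH, RST, SYN, FIN = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01
ALL_SIX = URG | ACK | PSH | RST | SYN | FIN


def parse_ipv4(pkt):
    """Unpack the fixed IPv4 header fields the checks need."""
    vihl, _, total_len, _, frag, _, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"ihl": (vihl & 0x0F) * 4, "total_len": total_len,
            "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
            "offset": (frag & 0x1FFF) * 8,      # fragment offset is in 8-byte units
            "proto": proto, "src": ipaddress.IPv4Address(src),
            "dst": ipaddress.IPv4Address(dst)}


def check_packet(pkt):
    """Return the names of the detection rules the packet trips ([] = clean)."""
    ip, hits = parse_ipv4(pkt), []
    # Section 7: illegal fragmentation control values.
    if ip["df"] and ip["mf"]:
        hits.append("DF and MF both set")
    if ip["df"] and ip["offset"] > 0:
        hits.append("DF set with non-zero fragment offset")
    if not ip["df"] and ip["offset"] + ip["total_len"] > 65535:
        hits.append("fragment offset + length exceeds 65535")
    if ip["proto"] == 6 and ip["offset"] == 0:   # TCP header only in first fragment
        # Section 1: LAND packet (source equals destination, or loopback source).
        if ip["src"] == ip["dst"] or ip["src"].is_loopback:
            hits.append("LAND: source equals destination or is loopback")
        # Section 8: illegal TCP flag combinations.
        flags = pkt[ip["ihl"] + 13] & ALL_SIX
        if flags == ALL_SIX:
            hits.append("all six TCP flags set")
        if flags == 0:
            hits.append("no TCP flags set")
        if flags & SYN and flags & FIN:
            hits.append("SYN and FIN both set")
        if flags & SYN and flags & RST:
            hits.append("SYN and RST both set")
        if flags & FIN and not flags & ACK:
            hits.append("FIN without ACK")
    return hits


def build_packet(src, dst, flags, df=False, mf=False, offset=0):
    """Constructed 40-byte IPv4+TCP packet (no payload, checksums left zero)."""
    frag = (0x4000 if df else 0) | (0x2000 if mf else 0) | (offset // 8)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, frag, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 0x50, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr
```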

9. Teardrop attack:

Large IP datagrams must be split into several IP packets during transmission to satisfy the MTU (Maximum Transmission Unit) of the link layer. Each IP header carries a fragment offset field and a fragmentation flag (MF); the offset field gives the position of this fragment within the whole IP datagram. If an attacker intercepts the datagram and sets the offset fields to incorrect values, the receiver cannot correctly reassemble the fragments from the offsets it is given. The receiving end keeps trying, and the operating system may crash once its resources are exhausted.

Defense method:

Analyze each received fragment, calculate whether its offset is wrong, discard it if so, and record an attack log entry.

10. Flood attack

SYN Flood

In a SYN Flood the attacker forges SYN packets to initiate connections to a server. The server replies with SYN-ACK, but no ACK ever arrives for that reply, leaving a half-open connection. If an attacker sends a large number of such packets, a large number of half-open connections accumulate on the attacked host and exhaust its resources, so normal users cannot connect until the half-open connections time out. In implementations that place no limit on connection creation, a SYN Flood has a similar effect: it consumes system memory and other resources.

Defense method:

When SYN Flood attack detection is enabled, a connection rate threshold and a half-open connection count threshold must be configured. Once the rate of new TCP connections answered by the protected host exceeds the connection rate threshold, or the number of half-open connections exceeds the half-open connection threshold, the firewall outputs an alarm log reporting a SYN Flood attack and, depending on the user's configuration, takes one of the following three measures:
  1. Block subsequent connection requests sent to the protected host.
  2. Tear down the oldest half-open session on the protected host.
  3. Apply TCP proxy to the protected IP address.
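As an added illustration (not the original post's code), the following Python models the first two of those measures on a single protected host: a half-open table with a SYN rate threshold and a half-open count threshold, the "block" and "evict oldest" reactions, and a constructed flood to show them firing. The window length, the class and method names and the sample traffic are assumptions; the TCP proxy measure is not modeled.

```python
from collections import OrderedDict, deque


class SynFloodGuard:
    """Half-open connection tracker for one protected host (assumed design)."""

    def __init__(self, rate_threshold=100, half_open_threshold=1000,
                 window=1.0, action="evict"):
        self.rate_threshold = rate_threshold
        self.half_open_threshold = half_open_threshold
        self.window = window            # seconds over which the SYN rate is measured
        self.action = action            # "block" new requests or "evict" the oldest
        self.half_open = OrderedDict()  # (src_ip, src_port) -> SYN time, oldest first
        self.syn_times = deque()
        self.alerts = []

    def on_syn(self, ts, src_ip, src_port):
        """A SYN was answered with SYN-ACK; decide what to do with the half-open entry."""
        self.syn_times.append(ts)
        while ts - self.syn_times[0] > self.window:
            self.syn_times.popleft()
        rate, pending = len(self.syn_times), len(self.half_open)
        if rate > self.rate_threshold or pending >= self.half_open_threshold:
            self.alerts.append(f"t={ts:.3f} SYN flood: rate={rate}/window half_open={pending}")
            if self.action == "block":
                return "block"                     # measure 1: refuse new requests
            if self.half_open:
                oldest, _ = self.half_open.popitem(last=False)   # measure 2: drop oldest
                self.half_open[(src_ip, src_port)] = ts
                return f"evict:{oldest[0]}:{oldest[1]}"
        self.half_open[(src_ip, src_port)] = ts
        return "accept"

    def on_ack(self, src_ip, src_port):
        """Third handshake packet arrived: the connection is no longer half-open."""
        return self.half_open.pop((src_ip, src_port), None) is not None

    def expire(self, ts, timeout=30.0):
        """Drop half-open entries whose SYN is older than the timeout; returns how many."""
        stale = [k for k, t in self.half_open.items() if ts - t > timeout]
        for k in stale:
            del self.half_open[k]
        return len(stale)


def simulate():
    """Constructed traffic: five normal handshakes, then 150 spoofed SYNs in 0.75 s."""
    guard = SynFloodGuard(rate_threshold=100, half_open_threshold=120, window=1.0)
    for i in range(5):
        guard.on_syn(1.0 + i, "192.0.2.10", 50000 + i)
        guard.on_ack("192.0.2.10", 50000 + i)
    verdicts = [guard.on_syn(10.0 + i * 0.005, f"198.51.100.{i % 200}", 40000 + i)
                for i in range(150)]
    return guard, verdicts
```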

ACK Flood

The attacker uses a botnet to send a large number of ACK packets, which typically causes one of three situations. An ACK Flood with large payloads causes link congestion. A very high-rate ACK Flood with varying source addresses and ports degrades the forwarding performance of devices that rely on session-based forwarding, and may exhaust their session tables and paralyze the network. If the attack packets reach the server, its processing capacity is exhausted and normal service is denied.

Defense method:
  1. Use a symmetry check to determine whether an attack is under way. Symmetry here means comparing received against sent traffic: the received volume is abnormally larger than the sent volume, because the attacker uses a large number of ACK packets and, to increase the attack rate, generally sends small packets with essentially identical content. This can serve as a basis for judging whether an ACK Flood is occurring. However, as far as is currently known, ACK Floods are rarely used alone and are mixed with other attack methods, so this check is prone to false positives.
  2. Build a hash table that stores the "state" of each TCP connection. Compared with a host's TCP stack, the state check is greatly simplified: no sequence number check, no handling of out-of-order packets, just a count of whether ACK packets have passed over the "connection" (i.e., the 4-tuple) within a certain period, so as to roughly determine whether the "connection" is active.

UDP Flood

The attacker uses a botnet to send a large number of UDP packets to the target server. These are usually large packets sent at a very high rate, which causes the following harm: server resources are exhausted so that it cannot respond to normal requests, and in severe cases the link is congested.

  • The general attack effect is to consume network bandwidth and, in severe cases, congest the link.
  • A large UDP Flood with varying sources and ports degrades the performance of network devices that rely on session-based forwarding, or even exhausts their session tables and paralyzes the network.
  • If the attack packets reach an open UDP service port on the server, the server must spend computing resources checking the validity of each packet, which degrades normal service.

UDP Flood defense via an associated TCP service:

UDP is a connectionless protocol, so source authentication cannot be used to defend against UDP Flood attacks. If the UDP service's traffic is authenticated or controlled through the traffic of a TCP service, then when the UDP service is attacked the associated TCP service is forced into defense mode, and the whitelist generated by that TCP defense decides whether UDP packets from the same source are discarded or forwarded.

For example, some services, such as game services, first authenticate users over TCP and then carry business data over UDP once authentication has passed. In this case the TCP service associated with the UDP service can be used to defend against UDP Floods: when the UDP service is attacked, the associated TCP service is forced into defense, a TCP whitelist is produced by this associated defense, and it decides the fate of UDP traffic from the same source, that is, UDP traffic from a source that hits the whitelist is allowed through and everything else is discarded.

Defense method:

When UDP Flood attack detection is enabled, a connection rate threshold must be configured. Once the rate of UDP connections answered by the protected host exceeds this value, the firewall outputs an alarm log reporting a UDP Flood attack and, depending on the user's configuration, can block subsequent connection requests sent to the host.

11. Scanning and snooping attacks

A scanning attack is a potential attack that has no directly destructive behavior in itself; it is usually the reconnaissance an attacker performs on the network before launching the real attack.

IP address scanning attack:

In an IP address scanning attack, the attacker probes target addresses with ICMP packets (for example the Ping and Tracert commands) or initiates TCP/UDP connections to an address (for example TCP ping), and uses whether a reply arrives to determine which target systems are actually alive and connected to the target network.

Defense method:

Inspect incoming TCP, UDP and ICMP packets. When the destination IP address of a packet from some source IP address differs from the destination IP address of the previous packet from the same source, it is recorded as an abnormality. When the number of abnormalities exceeds a predefined threshold, packets from that source IP address are considered an IP address scanning attack, and the source IP address is added to the blacklist.

PortScan (port scan) attack

Attackers use scanning tools to probe target addresses and ports to determine which target systems are connected to the target network and which port services each host has open.

  • According to the TCP protocol specification, when a computer receives a TCP connection establishment request (TCP SYN), it does the following:
      1. If the requested TCP port is open, it responds with a TCP ACK (the SYN-ACK of the handshake) and establishes a TCP connection control block (TCB);
      2. If the requested TCP port is not open, it responds with a TCP RST (the RST flag in the TCP header set to 1) to tell the initiating computer that the port is not open.
  • Correspondingly, when the IP protocol stack receives a UDP message, it does the following:
       1. If the message's target port is open, the UDP message is passed to the upper-layer protocol for processing and the stack itself sends no reply (the upper-layer protocol may or may not reply, depending on how it processes the message);
       2. If the message's target port is not open, an ICMP unreachable message is sent back to the initiator, telling it that the UDP port is unreachable.

    Using this principle, the attacker's computer can determine which TCP or UDP ports of the target computer are open by sending appropriate messages. The process is as follows:
      1. Send TCP SYN or UDP messages with port numbers increasing from 0 (the port number is a 16-bit value, so the maximum is 65535 and the range is quite limited);
      2. If an RST packet is received for the TCP packet, or an ICMP unreachable packet for the UDP packet, the port is not open;
      3. Conversely, if an ACK message is received for the TCP SYN, or no ICMP message at all is received for the UDP message, the TCP port is open and the UDP port may be open (some implementations do not send ICMP unreachable messages even when the UDP port is not open). Continuing in this way, it is easy to determine which TCP or UDP ports the target computer has open and then proceed to the next attack against those specific ports. This is the so-called port scanning attack.

Defense method:

When scanning attack protection is enabled, a scanning rate threshold must be configured. Once the rate of connections initiated by an IP address exceeds this value, that IP is judged to be scanning and probing; the firewall outputs an alarm log for the scanning attack, blocks subsequent connections initiated by the scanner and, depending on the user's configuration, can add the scanner to the blacklist.
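The destination-change rule for IP address scanning and the connection-rate rule for port scanning described above can be implemented as one per-source detector. The following Python is an added example, not the original post's code; the thresholds, the names and the constructed traffic in run_sample() are assumptions.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Per-source scan detection: destination-change counting (IP address scan)
    and connection-rate counting (port scan); offenders go on a blacklist."""

    def __init__(self, change_threshold=5, rate_threshold=20, window=1.0):
        self.change_threshold = change_threshold   # abnormal destination changes
        self.rate_threshold = rate_threshold       # connections per window
        self.window = window                       # seconds
        self.last_dst = {}                         # src -> last destination seen
        self.changes = defaultdict(int)            # src -> destination-change count
        self.times = defaultdict(deque)            # src -> recent packet times
        self.blacklist = set()

    def observe(self, ts, src, dst):
        """Classify one packet; returns None or 'ip-scan', 'port-scan', 'drop'."""
        if src in self.blacklist:
            return "drop"                          # everything after detection is dropped
        # IP address scan rule: a destination different from the previous
        # destination of the same source counts as one abnormality.
        prev = self.last_dst.get(src)
        if prev is not None and prev != dst:
            self.changes[src] += 1
        self.last_dst[src] = dst
        if self.changes[src] >= self.change_threshold:
            self.blacklist.add(src)
            return "ip-scan"
        # Port scan rule: connection rate per source over a sliding window.
        q = self.times[src]
        q.append(ts)
        while ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.rate_threshold:
            self.blacklist.add(src)
            return "port-scan"
        return None


def run_sample():
    """Constructed traffic from three sources; returns the first verdict per
    source and the number of packets dropped after blacklisting."""
    det = ScanDetector(change_threshold=5, rate_threshold=20, window=1.0)
    events = []
    events += [(i * 0.5, "203.0.113.7", f"10.0.0.{i + 1}") for i in range(20)]     # address sweep
    events += [(100 + i * 0.02, "203.0.113.8", "10.0.0.50") for i in range(30)]   # 30 SYNs, one host
    events += [(200 + i * 2.0, "192.0.2.10", "10.0.0.50") for i in range(5)]      # normal client
    first, dropped = {}, 0
    for ts, src, dst in sorted(events):
        verdict = det.observe(ts, src, dst)
        if verdict == "drop":
            dropped += 1
        elif verdict and src not in first:
            first[src] = verdict
    return first, dropped
```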

12. ICMP unreachable packet attack

Different hosts handle ICMP unreachable packets in different ways. After receiving an ICMP network-unreachable or host-unreachable packet, some hosts simply treat all subsequent packets to that destination address as unreachable, cutting off the connection between the host and that destination. Attackers exploit this by forging ICMP unreachable packets to cut off the connection between the victim and its destination.

Defense method:

After ICMP unreachable packet attack defense is enabled, the device directly discards ICMP unreachable packets and records the attack log.

13. Tracert message attack

In a Tracert message attack, the attacker uses the ICMP time-exceeded message returned when the TTL reaches 0, and the ICMP port-unreachable message returned when the destination is reached, to discover the path that packets take to the destination and thus probe the network structure.

Defense method:

After Tracert packet attack defense is enabled, the device directly discards ICMP time-exceeded packets, the UDP probe packets, and destination-port-unreachable packets, and records the attack log.

Source: blog.csdn.net/qq_40741808/article/details/108059999