Tenant Cloud Security Requirements and Solutions

Table of contents

1. Main reasons for business interruption

2. Attack Defense

3. Vulnerability prevention


1. Main reasons for business interruption

1. Network attacks: every layer of the network can serve as an attacker's entry point. Attacks below the application layer can make the underlying network unavailable; for example, DDoS and DoS can leave an enterprise's Internet egress almost unusable. At the application layer, a CC (challenge collapsar) attack can stop a server from serving external requests normally. Whichever layer is targeted, the result can be an interruption of the customer's business.

Classification of cyber attacks:

(1) Traffic-based attacks: for example DDoS and DoS, which use a large volume of traffic or of application-layer connections to make a service unavailable. By attack level they divide into the network layer and the application layer. By constructing a large number of packets, the attacker causes interface congestion and device hangs, so normal requests cannot be processed in time and the service is interrupted.

Network layer: e.g. TCP flood, UDP flood, ICMP flood.

Application layer: e.g. HTTP flood, HTTPS flood, DNS flood, SIP flood.

(1-1) TCP flood: the attacker sends SYN requests with forged source addresses to the server. The server replies with SYN+ACK, but because the real owner of the spoofed IP never initiated the request, no ACK comes back. The server retransmits the SYN+ACK 3-5 times and, after the SYN timeout (30 seconds to 2 minutes), discards the half-open connection. If the attacker sends a large number of forged packets, the server spends considerable CPU and memory tracking these illegitimate half-open connections, and eventually cannot process normal business requests.

(1-2) UDP flood: the attacker sends a large number of UDP packets to the service, exhausting the server's bandwidth and system resources so that it can no longer serve normal traffic. It is common for attackers to use a large number of small UDP packets against DNS servers, RADIUS authentication servers, streaming video servers and similar. UDP flood attacks come in two forms: large packets and small packets.

(1-3) ICMP flood: the attacker uses tools to send a large number of ICMP messages with forged source IPs, occupying much of the server's bandwidth and resources, placing a heavy load on it and degrading normal service. Because firewalls commonly filter ICMP packets outright, ICMP floods are relatively uncommon.

(1-4) HTTP flood: commonly divided into HTTP GET flood and HTTP POST flood. The attacker uses the application-layer HTTP protocol to send a large number of requests to the server, keeping it busy and exhausting its resources so that it cannot serve normally. HTTPS flood is the same attack carried over HTTPS.

(1-5) DNS flood: divided into DNS query flood and DNS reply flood.
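As an added, defender-side illustration of the half-open connection pressure described in (1-1) above (this is example code, not from the original post), the following Python reads socket-state lines in the column layout of `ss -tan`, counts SYN-RECV sockets against completed handshakes on one listening port, and applies a simple heuristic. The sample output is constructed; the thresholds and the `SYN flood suspected` heuristic are assumptions to tune per environment.

```python
from collections import Counter

# Constructed sample (not a real capture) in the column layout of `ss -tan` on a
# web server receiving forged-source SYNs: many SYN-RECV, two completed handshakes.
SAMPLE = """\
State    Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN   0      128    0.0.0.0:443        0.0.0.0:*
ESTAB    0      0      10.0.0.5:443       198.51.100.7:51544
SYN-RECV 0      0      10.0.0.5:443       203.0.113.10:40001
SYN-RECV 0      0      10.0.0.5:443       203.0.113.11:40002
SYN-RECV 0      0      10.0.0.5:443       203.0.113.12:40003
SYN-RECV 0      0      10.0.0.5:443       203.0.113.13:40004
SYN-RECV 0      0      10.0.0.5:443       203.0.113.14:40005
SYN-RECV 0      0      10.0.0.5:443       203.0.113.15:40006
ESTAB    0      0      10.0.0.5:443       198.51.100.9:51600
"""

def parse_sockets(text):
    """Yield (state, send_q, local, peer_ip) per socket line, skipping the header."""
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 5:
            continue
        peer_ip = f[4].rsplit(":", 1)[0]      # drop the port (IPv4 form only)
        yield f[0], int(f[2]), f[3], peer_ip

def half_open_report(text, port="443"):
    """Summarise half-open (SYN-RECV) pressure on one listening port."""
    backlog, established, half_open = None, 0, Counter()
    for state, send_q, local, peer_ip in parse_sockets(text):
        if not local.endswith(":" + port):
            continue
        if state == "LISTEN":
            backlog = send_q                  # ss reports the listen backlog in Send-Q
        elif state == "ESTAB":
            established += 1
        elif state == "SYN-RECV":
            half_open[peer_ip] += 1
    return {"backlog": backlog, "established": established,
            "half_open": sum(half_open.values()),
            "distinct_half_open_peers": len(half_open)}

def syn_flood_suspected(report, min_half_open=5, ratio=2.0):
    """Heuristic: half-open sockets far outnumber completed handshakes.
    A forged-source flood spreads SYNs over many peer addresses, so a
    per-peer count stays near 1; the aggregate is the useful signal."""
    return (report["half_open"] >= min_half_open
            and report["half_open"] > ratio * max(report["established"], 1))
```

Run `half_open_report(SAMPLE)` on real `ss -tan` output to see how much of the listen backlog is held by half-open sockets before the timeout releases them.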

(2) Single-packet attacks: generally launched by individual attackers, using relatively simple attack packets. Although such attacks can be highly destructive, once their characteristics are understood they are relatively easy to defend against. They fall into three groups:

Scanning and snooping attacks: for example, IP address scanning and port scanning.

Malformed packet attacks: smurf, land, IP fragmentation, IP spoofing, illegal TCP flag combinations, ping of death, teardrop, etc.

Special packet attacks: oversized ICMP packets, ICMP redirect, ICMP unreachable, IP packets with the record-route option, Tracert packets, IP packets with the timestamp option, etc.

(2-1) Malformed packet attacks: the attacker sends a large number of defective packets that the host or server mishandles. When the target host processes such IP packets it makes errors or crashes outright, disrupting the normal operation of the target system.

(2-2) Scanning attacks: a preparatory rather than directly destructive activity, usually network reconnaissance carried out before a real attack is launched. Ping sweeps (ICMP and TCP) identify the live systems on a network so that potential targets can be located precisely; TCP and UDP port scans reveal the operating system and the services listening on it. Through such scanning the attacker gains a general picture of the services the target system offers and its potential security holes, in preparation for further intrusion.

(2-3) Special control packet attacks: also preparatory rather than directly destructive. The attacker sends special control packets to probe the network structure in preparation for a subsequent real attack. These reconnaissance packets are legitimate packet types, but ones rarely seen in normal network traffic.

2. Vulnerabilities: vulnerabilities that are not patched in time, and 0-day vulnerabilities (software defects that the developer or vendor responsible for the application is not yet aware of or has not yet fixed), leave the enterprise's business running in an unsafe environment. Attacks that exploit vulnerabilities let attackers steal data illegally, interrupt business, destroy data, and so on.

3. Viruses: typified by ransomware (EternalBlue). Viruses can make system services unavailable in many ways: high server resource consumption, deleted data, and encrypted data.

2. Attack Defense

Deploy security products such as firewalls and Anti-DDoS.

1. Intranet protection:

 1. Security group: the protected object is the elastic cloud server itself.

 2. Network ACL: the protected object is the VPC subnet.

2. Internal/external network boundary protection: vNGFW.

3. External network boundary protection:

 1. Deploy a high-defense (Anti-DDoS) service.

 2. Anti-DDoS traffic scrubbing equipment.

3. Vulnerability prevention

Vulnerability defense, specifically defense against web attacks, can be divided into the following two aspects:

1. User side: restrict the types of web sites users can access and block malicious sites, so that web attacks are defended against before they reach the user.

2. Site side: standardize development on the site and defend against web attacks at the code level during development, so that attack behavior cannot be executed.

Origin: blog.csdn.net/qq_40521068/article/details/127512520