[Repost] Abnormal network behavior analysis study notes

1, Abnormal network behavior: traffic bursts

Common causes of a sudden traffic burst:

(1) Large data transfers (e.g. P2P, Thunder)
(2) Loops (routing loop, switching loop)
(3) Outbreaks
(4) Operating system or application errors
(5) Network equipment failure
(6) Worm propagation
(7) Trojan / botnet
(8) DoS attack
(9) Penetration attacks

2, Worm propagation analysis

A worm is a program that copies itself and actively spreads through the network.

Worm propagation channels:
Email worms -- Loveletter
Instant messenger vulnerabilities -- MSN / Worm.MM
Operating system or network service vulnerabilities -- CodeRed, Nimda

Behavioral characteristics:

Network layer: sessions with a large number of hosts, mostly outbound packets, very little traffic per session.

Session layer: a large number of session connections, mostly SYN packets, most of which get no response or are rejected.

The overall traffic volume is not necessarily large, but the number of packets sent is far larger than the number of packets received.
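The three characteristics above translate directly into a per-host detection heuristic. The following added example (not part of the original notes) runs it over constructed flow records: a host is flagged when it talks to many peers, most of its connection attempts are unanswered or rejected, and it sends far more packets than it receives. The flow record layout and thresholds are assumptions for the example.

```python
# Added example: worm-like host detection over summarized flow records.
# Record layout (assumed for this example): (src, dst, dport, flags, pkts_sent, pkts_recv)
# flags: "S" = SYN with no reply, "SR" = SYN answered by RST (rejected), "SA" = handshake completed.
from collections import defaultdict

# Constructed sample data: 10.0.0.5 scans 50 hosts on port 445 and is mostly
# ignored or rejected; 10.0.0.9 is an ordinary client with two-way traffic.
FLOWS = (
    [("10.0.0.5", f"10.0.1.{i}", 445, "S", 1, 0) for i in range(1, 41)]
    + [("10.0.0.5", f"10.0.2.{i}", 445, "SR", 1, 1) for i in range(1, 11)]
    + [
        ("10.0.0.9", "10.0.0.20", 443, "SA", 120, 95),
        ("10.0.0.9", "10.0.0.21", 443, "SA", 60, 80),
        ("10.0.0.9", "10.0.0.22", 80, "S", 1, 0),
    ]
)


def score_hosts(flows, min_peers=20, min_unanswered=0.8, min_send_ratio=5.0):
    """Return {src: stats} for hosts matching all three worm-like thresholds."""
    stats = defaultdict(lambda: {"peers": set(), "syn_only": 0, "flows": 0, "sent": 0, "recv": 0})
    for src, dst, _port, flags, sent, recv in flows:
        s = stats[src]
        s["peers"].add(dst)                      # distinct hosts contacted (network layer)
        s["flows"] += 1
        s["syn_only"] += flags in ("S", "SR")    # no response or rejected (session layer)
        s["sent"] += sent
        s["recv"] += recv
    suspicious = {}
    for src, s in stats.items():
        peers = len(s["peers"])
        unanswered = s["syn_only"] / s["flows"]
        send_ratio = s["sent"] / max(s["recv"], 1)  # sent >> received
        if peers >= min_peers and unanswered >= min_unanswered and send_ratio >= min_send_ratio:
            suspicious[src] = {"peers": peers, "unanswered": round(unanswered, 2),
                               "send_ratio": round(send_ratio, 1)}
    return suspicious


if __name__ == "__main__":
    for host, info in score_hosts(FLOWS).items():
        print(host, info)  # 10.0.0.5 {'peers': 50, 'unanswered': 1.0, 'send_ratio': 5.0}
```

Real deployments would feed NetFlow/IPFIX or firewall session logs into the same three counters per source host, with thresholds tuned to the local baseline.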

Worm propagation:

3, Trojan and botnet analysis

Trojans

Characteristics: suspicious domain names are resolved frequently

Botnets

Characteristics: use of a large number of domain names that follow an algorithmic pattern, in order to evade signature databases

Domain name selection: dynamic domain names; low-cost top-level domains

Common TLDs: *.cc, *.ws, *.info, *.do

4, DoS attack detection analysis

Distributed denial-of-service attacks are currently an important means used by hackers. Usually a large number of packets are sent to some important Internet-facing system (for example a financial website or a government website) so that the target host can no longer provide its normal services to the outside. Two forms:

(1) Simple flood attack from a single host.
(2) Distributed attack launched from a large number of bots (DDoS attack).

Common attack methods:

(1) Network bandwidth exhaustion type

Smurf
UDP flood
DNS amplification attack

(2) Computer resource exhaustion type

Ping of death
SYN flood

DNS amplification attack

A DNS amplification attack is a typical high-volume denial-of-service attack. The attacker uses a large number of controlled hosts in a botnet, spoofs the address of the victim host, and at a specific time continuously sends a large volume of DNS requests to multiple DNS servers that allow recursive queries, forcing them to answer. The large volume of amplified responses from the DNS servers is delivered to the victim host, forming the attack traffic and leaving it unable to provide normal service, or even crashing it.


Source: blog.csdn.net/xlsj228/article/details/91453104