s07-流量内容监控-attackPPT学习课件.ppt
s07-流量内容监控-attackPPT学习课件.ppt
- 配套讲稿:
如PPT文件的首页显示word图标,表示该PPT已包含配套word讲稿。双击word图标可打开word文档。
- 特殊限制:
部分文档作品中含有的国旗、国徽等图片,仅作为作品整体效果示例展示,禁止商用。设计者仅对作品中独创性部分享有著作权。
- 关 键 词:
- s07 流量 内容 监控 attackPPT 学习 课件
- 资源描述:
-
,单击此处编辑母版文本样式,第二级,第三级,第四级,第五级,*,网络攻击的检测和预防,第七章,1,目录,常见网络攻击的检测和预防,DoS,攻击的防范,2,黑客攻击网络的一般过程,信息的收集,利用的公开协议或工具,TraceRoute,程序,SNMP,协议,DNS,服务器,Whois,协议,Ping,实用程序,3,黑客攻击网络的一般过程,系统安全弱点的探测,主要探测的方式,自编程序,慢速扫描,体系结构探测,利用公开的工具软件,4,黑客攻击网络的一般过程,建立模拟环境,进行模拟攻击,根据前面两小点所得的信息,建立一个类似攻击对象的模拟环境,对此模拟目标进行一系列的攻击,5,黑客攻击网络的一般过程,具体实施网络攻击,根据前几步所获得的信息,结合自身的水平及经验总结相应的攻击方法,等待时机,以备实施真正的网络攻击,6,协议欺骗攻击及防范,源,IP,地址欺骗攻击,在路由器上的解决方法,防止源,IP,地址欺骗行为的措施,抛弃基于地址的信任策略,使用加密方法,进行包过滤,7,协议欺骗攻击及防范,源路由欺骗攻击,防范源路由欺骗攻击的措施,抛弃由外部网进来却声称是内部主机的报文,在路由器上关闭源路由,8,协议欺骗攻击及防范,拒绝服务攻击,防止拒绝服务攻击的措施,调整该网段路由器上的配置,强制系统对超时的,Syn,请求连接数据包复位,缩短超时常数和加长等候队列,在路由器的前端做必要的,TCP,拦截,关掉可能产生无限序列的服务,9,拒绝服务攻击,用超出被攻击目标处理能力的海量数据包消耗可用系统,带宽资源,致使网络服务瘫痪的一种攻击手段,两种使用较频繁的攻击形式,TCP-SYN flood,半开式连接攻击,UDP flood,10,拒绝服务攻击,11,拒绝服务攻击,UDP flood,Udp,在网络中的应用,如,,DNS,解析、,realaudio,实时音乐、网络管理、联网游戏等,基于,udp,的攻击种类,如,,unix,操作系统的,echo,chargen.echo,服务,12,拒绝服务攻击,Trinoo,是基于,UDP flood,的攻击软件,Trinoo,攻击功能的实现,是通过三个模块付诸实施的,攻击守护进程,NS,攻击控制进程,MASTER,客户端,NETCAT,,标准,TELNET,程序等,13,拒绝服务攻击及防范,六个,trinoo,可用命令,Mtimer,Dos,Mdie,Mping,Mdos,msize,14,拒绝服务攻击,15,拒绝服务攻击,攻击的实例,:,被攻击的目标主机,victim IP,为,:12.23.34.45 ns,被植入三台,sun,的主机里,他们的,IP,对应关系分别为,client1:11.11.11.11 client2:22.22.22.22 client3:33.33.33.33 master,所在主机为,masterhost:11.22.33.44,首先我们要启动各个进程,在,client1,,,2,,,3,上分别执行,ns,,启动攻击守护进程,其次,在,master,所在主机启动,master masterhost#./master?gOrave(,系统示输入密码,输入,gOrave,后,master,成功启动,)trinoo v1.07d2+f3+c Mar 20 2000:14:38:49(,连接成功,),16,拒绝服务攻击,在任意一台与网络连通的可使用,telnet,的设备上,执行,telnet 11.22.33.44 27665,Escape character is.,betaalmostdone(,输入密码,),trinoo v1.07d2+f3+c.rpm8d/cb4Sx/,trinoo(,进入提示符,),trinoo mping(,我们首先来监测一下各个攻击守护进程是否成功启动,),mping:Sending a PING to every Bcasts.,trinoo PONG 1 Received from 11.11.11.11,PONG 2 Received from 22.22.22.22,PONG 3 Received from 33.33.33.33(,成功响应,),trinoo mtimer 60(,设定攻击时间为,60,秒,),mtimer:Setting timer on bcast to 60.,trinoo dos 12.23.34.45,DoS:Packeting 12.23.34.45.,17,拒绝服务攻击,至此一次攻击结束,此时,ping 12.23.34.45,,会得到,icmp,不可到达反馈,目标主机此时与网络的正常连接已被破坏,18,拒绝服务攻击,由于目前版本的,trinoo,尚未采用,IP,地址欺骗,因此在被攻击的主机系统日志里我们可以看到如下纪录,Mar 20 14:40:34 victim snmpXdmid:Will attempt to re-establish connection.,Mar 20 14:40:35 victim snmpdx:error while receiving a pdu from 11.11.11.11.59841:The message has a wrong header type(0 x0),Mar 20 14:40:35 victim snmpdx:error while receiving a pdu from 22.22.22.22.43661:The message has a wrong header type(0 x0),Mar 20 14:40:36 victim snmpdx:error while receiving a pdu from 33.33.33.33.40183:The message has a wrong header type(0 x0),Mar 20 14:40:36 victim snmpXdmid:Error receiving PDU The message has a wrong header type(0 x0).,Mar 20 14:40:36 victim snmpXdmid:Error receiving packet from agent;rc=-1.,Mar 20 14:40:36 victim snmpXdmid:Will attempt to re-establish connection.,Mar 20 14:40:36 victim snmpXdmid:Error receiving PDU The message has a wrong header type(0 x0).,Mar 20 14:40:36 victim snmpXdmid:Error receiving packet from agent;rc=-1.,19,拒绝服务攻击防范,检测系统是否被植入了攻击守护程序,办法,检测上述提到的,udp,端口,如,netstat-a|grep udp,端口号,用专门的检测软件,20,拒绝服务攻击及防范,下面为在一台可疑设备运行结果,,Logging output to:LOG,Scanning running processes.,/proc/795/object/a.out:trinoo daemon,/usr/bin/gcore:core.795 dumped,/proc/800/object/a.out:trinoo master,/usr/bin/gcore:core.800 dumped,Scanning/tmp.,Scanning/.,/yiming/tfn2k/td:tfn2k daemon,/yiming/tfn2k/tfn:tfn2k client,/yiming/trinoo/daemon/ns:trinoo daemon,/yiming/trinoo/master/master:trinoo master,/yiming/trinoo/master/.:possible IP list file,NOTE:This message is based on the filename being suspicious,and is not,based on an analysis of the file contents.It is up to you to examine the,file and decide whether it is actually an IP list file related to a DDOS,tool.,/yiming/stacheldrahtV4/leaf/td:stacheldraht daemon,/yiming/stacheldrahtV4/telnetc/client:stacheldraht client,/yiming/stacheldrahtV4/td:stacheldraht daemon,/yiming/stacheldrahtV4/client:stacheldraht client,/yiming/stacheldrahtV4/mserv:stacheldraht master,ALERT:One or more DDOS tools were found on your system.,Please examine LOG and take appropriate action.,21,拒绝服务攻击防范,封掉不必要的,UDP,服务,如,echo,chargen,减少,udp,攻击的入口,22,拒绝服务攻击防范,路由器阻挡一部分,ip spoof,syn,攻击,通过连接骨干网络的端口,采用,CEF,和,ip verify unicast reverse-path,使用,access control lists,将可能被使用的网络保留地址封掉,使用,CAR,技术,限制,ICMP,报文大小,23,Specific Attack Types,All of the following can be used to compromise your system:,Packet sniffers,IP weaknesses,Password attacks,DoS or DDoS,Man-in-the-middle attacks,Application layer attacks,Trust exploitation,Port redirection,Virus and worms,Trojan horse,Operator error,24,IP Spoofing,IP spoofing occurs when a hacker inside or outside a network impersonates the conversations of a trusted computer.,Two general techniques are used during IP spoofing:,A hacker uses an IP address that is within the range of trusted IP addresses.,A hacker uses an authorized external IP address that is trusted.,Uses for IP spoofing include the following:,IP spoofing is usually limited to the injection of malicious data or commands into an existing stream of data.,A hacker changes the routing tables to point to the spoofed IP address,then the hacker can receive all the network packets that are addressed to the spoofed address and reply just as any trusted user can.,25,IP Spoofing Mitigation,The threat of IP spoofing can be reduced,but not eliminated,through the following measures:,Access control,The most common method for preventing IP spoofing is to properly configure access control.,RFC 2827 filtering,You can prevent users of your network from spoofing other networks(and be a good Internet citizen at the same time)by preventing any outbound traffic on your network that does not have a source address in your organizations own IP range.,Additional authentication that does not use IP-based authentication,Examples of this include the following:,Cryptographic(recommended),Strong,two-factor,one-time passwords,26,Application Layer Attacks,Application layer attacks have the following characteristics:,Exploit well known weaknesses,such as protocols,that are intrinsic to an application or system(for example,sendmail,HTTP,and FTP),Often use ports that are allowed through a firewall(for example,TCP port 80 used in an attack against a web server behind a firewall),Can never be completely eliminated,because new vulnerabilities are always being discovered,27,Application LayerAttacksMitigation,Some measures you can take to reduce your risks are as follows:,Read operating system and network log files,or have them analyzed by log analysis applications.,Subscribe to mailing lists that publicize vulnerabilities.,Keep your operating system and applications current with the latest patches.,IDSs can scan for known attacks,monitor and log attacks,and in some cases,prevent attacks.,28,Network Reconnaissance,Network reconnaissance refers to the overall act of learning information about a target network by using publicly available information and applications.,29,Network Reconnaissance Mitigation,Network reconnaissance cannot be prevented entirely.,IDSs at the network and host levels can usually notify an administrator when a reconnaissance gathering attack(for example,ping sweeps and port scans)is under way.,30,Virus and Trojan Horses,Viruses refer to malicious software that are attached to another program to execute a particular unwanted function on a user,s workstation.End-user workstations are the primary targets.,A Trojan horse is different only in that the entire application was written to look like something else,when in fact it is an attack tool.A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.,31,DOS/DDOS,DOS,拒绝服务攻击,DDOS,分布式拒绝服务攻击,利用,TCP/IP,缺陷,32,常见,DOS,工具,Bonk,通过发送大量伪造的,UDP,数据包导致系统重启动,TearDrop,通过发送重叠的,IP,碎片导致系统的,TCP/IP,栈崩溃,SynFlood,通过发送大量伪造源,IP,的基于,SYN,的,TCP,请求导致系统重启动,Bloop,通过发送大量的,ICMP,数据包导致系统变慢甚至凝固,Jolt,通过大量伪造的,ICMP,和,UDP,导致系统变的非常慢甚至重新启动,33,SynFlood,原理,Syn,伪造源地址(1.1.1.1),IP:211.100.23.1,1.1.1.1(,TCP,连接无法建立,造成,TCP,等待超时),Ack,大量的伪造数据包发向服务器端,34,DDOS,攻击,黑客控制了多台服务器,然后每一台服务器都集中向一台服务器进行,DOS,攻击,35,DDOS,攻击示意图,36,分布式拒绝服务攻击,37,分布式拒绝服务攻击步骤1,Scanning,Program,不安全的计算机,Hacker,攻击者使用扫描工具探测扫描大量主机以寻找潜在入侵目标。,1,Internet,38,分布式拒绝服务攻击步骤2,Hacker,被控制的计算机(代理端),黑客设法入侵有安全漏洞的主机并获取控制权。这些主机将被用于放置后门、,sniffer,或守护程序甚至是客户程序。,2,Internet,39,分布式拒绝服务攻击步骤3,Hacker,黑客,在得到入侵计算机清单后,从中选出满足建立网络所需要的主机,放置已编译好的守护程序,并对被,控制的计算机发送命令。,3,被控制计算机(代理端),Master,Server,Internet,40,Hacker,Using Client program,黑客发送控制命令给主机,准备启动对目标系统的攻击,4,被控制计算机(代理端),Targeted,System,Master,Server,Internet,分布式拒绝服务攻击步骤4,41,Targeted,System,Hacker,主机发送攻击信号给被控制计算机开始对目标系统发起攻击,。,5,Master,Server,Internet,被控制计算机(代理端),分布式拒绝服务攻击步骤5,42,分布式拒绝服务攻击步骤6,Targeted,System,Hacker,目标系统被无数的伪造的请求所淹没,从而无法对合法用户进行响应,,DDOS,攻击成功。,6,Master,Server,User,Request Denied,Internet,被控制计算机(代理端),43,分布式拒绝服务攻击的效果,整个过程是自动化的,攻击者能够在5秒钟内入侵一台主机并安装攻击工具,也就是说,在短短的一小时内可以入侵数千台主机,并使某一台主机可能要遭受1000,MB/S,数据量的猛烈攻击,这一数据量相当于1.04亿人同时拨打某公司的一部电话号码,44,BGP,网络,DDOS,攻击的解决案例,实验演示。,(一定程度保密协议的案例),45,展开阅读全文
咨信网温馨提示:1、咨信平台为文档C2C交易模式,即用户上传的文档直接被用户下载,收益归上传人(含作者)所有;本站仅是提供信息存储空间和展示预览,仅对用户上传内容的表现方式做保护处理,对上载内容不做任何修改或编辑。所展示的作品文档包括内容和图片全部来源于网络用户和作者上传投稿,我们不确定上传用户享有完全著作权,根据《信息网络传播权保护条例》,如果侵犯了您的版权、权益或隐私,请联系我们,核实后会尽快下架及时删除,并可随时和客服了解处理情况,尊重保护知识产权我们共同努力。
2、文档的总页数、文档格式和文档大小以系统显示为准(内容中显示的页数不一定正确),网站客服只以系统显示的页数、文件格式、文档大小作为仲裁依据,个别因单元格分列造成显示页码不一将协商解决,平台无法对文档的真实性、完整性、权威性、准确性、专业性及其观点立场做任何保证或承诺,下载前须认真查看,确认无误后再购买,务必慎重购买;若有违法违纪将进行移交司法处理,若涉侵权平台将进行基本处罚并下架。
3、本站所有内容均由用户上传,付费前请自行鉴别,如您付费,意味着您已接受本站规则且自行承担风险,本站不进行额外附加服务,虚拟产品一经售出概不退款(未进行购买下载可退充值款),文档一经付费(服务费)、不意味着购买了该文档的版权,仅供个人/单位学习、研究之用,不得用于商业用途,未经授权,严禁复制、发行、汇编、翻译或者网络传播等,侵权必究。
4、如你看到网页展示的文档有www.zixin.com.cn水印,是因预览和防盗链等技术需要对页面进行转换压缩成图而已,我们并不对上传的文档进行任何编辑或修改,文档下载后都不会有水印标识(原文档上传前个别存留的除外),下载后原文更清晰;试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓;PPT和DOC文档可被视为“模板”,允许上传人保留章节、目录结构的情况下删减部份的内容;PDF文档不管是原文档转换或图片扫描而得,本站不作要求视为允许,下载前可先查看【教您几个在下载文档中可以更好的避免被坑】。
5、本文档所展示的图片、画像、字体、音乐的版权可能需版权方额外授权,请谨慎使用;网站提供的党政主题相关内容(国旗、国徽、党徽--等)目的在于配合国家政策宣传,仅限个人学习分享使用,禁止用于任何广告和商用目的。
6、文档遇到问题,请及时联系平台进行协调解决,联系【微信客服】、【QQ客服】,若有其他问题请点击或扫码反馈【服务填表】;文档侵犯商业秘密、侵犯著作权、侵犯人身权等,请点击“【版权申诉】”,意见反馈和侵权处理邮箱:1219186828@qq.com;也可以拔打客服电话:0574-28810668;投诉电话:18658249818。
实名认证
平台协调中心【客服】
自信AI助手
微信客服
客服QQ
发送邮件
意见反馈
链接地址:https://www.zixin.com.cn/doc/5872178.html