SoFunction
Updated on 2025-03-10

Network monitoring technology under Linux

arphdr: the ARP protocol header. The corresponding data structure:

/* from <net/if_arp.h> */
struct arphdr
{
    unsigned short int ar_hrd;   /* format of hardware address */
    unsigned short int ar_pro;   /* format of protocol address */
    unsigned char ar_hln;        /* length of hardware address */
    unsigned char ar_pln;        /* length of protocol address */
    unsigned short int ar_op;    /* ARP opcode (1 = request, 2 = reply) */
#if 0
    /* Ethernet looks like this; these fields are variable-length and so
       are not part of the structure itself */
    unsigned char __ar_sha[ETH_ALEN];   /* sender hardware address */
    unsigned char __ar_sip[4];          /* sender IP address */
    unsigned char __ar_tha[ETH_ALEN];   /* target hardware address */
    unsigned char __ar_tip[4];          /* target IP address */
#endif
};


This is the ARP header as defined under Linux. ar_hrd is the format of the hardware address, ar_pro the format of the protocol address, ar_hln the length of the hardware address, ar_pln the length of the protocol address, and ar_op the ARP operation: 0x0001 is an ARP request and 0x0002 an ARP reply. The fields that follow are the sender hardware address, the sender IP address, the target hardware address and the target IP address.

tcphdr: the TCP protocol header (carried in IP)

The following are the corresponding data structures:

/* from <netinet/tcp.h>; __BYTE_ORDER comes from <endian.h> */
struct tcphdr
{
    u_int16_t source;      /* source port */
    u_int16_t dest;        /* destination port */
    u_int32_t seq;         /* sequence number */
    u_int32_t ack_seq;     /* acknowledgement number */
#if __BYTE_ORDER == __LITTLE_ENDIAN
    u_int16_t res1:4;      /* reserved */
    u_int16_t doff:4;      /* data offset: header length in 32-bit words */
    u_int16_t fin:1;
    u_int16_t syn:1;
    u_int16_t rst:1;
    u_int16_t psh:1;
    u_int16_t ack:1;
    u_int16_t urg:1;
    u_int16_t res2:2;
#elif __BYTE_ORDER == __BIG_ENDIAN
    u_int16_t doff:4;
    u_int16_t res1:4;
    u_int16_t res2:2;
    u_int16_t urg:1;
    u_int16_t ack:1;
    u_int16_t psh:1;
    u_int16_t rst:1;
    u_int16_t syn:1;
    u_int16_t fin:1;
#else
#error "Adjust your defines"
#endif
    u_int16_t window;      /* receive window size */
    u_int16_t check;       /* checksum */
    u_int16_t urg_ptr;     /* urgent pointer */
};

This is the TCP header as defined under Linux, carried inside the IP protocol. source is the source port, dest the destination port, seq the sequence number and ack_seq the acknowledgement number. The bit-fields that follow are the six TCP connection flags: syn (connection request), urg (urgent data present), fin (end of connection), ack (acknowledgement), psh (push) and rst (reset, i.e. the connection is aborted). window is the size of the data window, check the checksum and urg_ptr the urgent pointer.

udphdr: the UDP protocol header

/* from <netinet/udp.h> */
struct udphdr {
    u_int16_t source;   /* source port */
    u_int16_t dest;     /* destination port */
    u_int16_t len;      /* UDP length */
    u_int16_t check;    /* checksum */
};


This is the UDP header as defined under Linux, carried inside the IP protocol. The structure is self-explanatory: source is the source port, dest the destination port, len the UDP length and check the checksum.

icmphdr: the ICMP protocol header (carried in IP)

/* from <netinet/ip_icmp.h> */
struct icmphdr
{
    u_int8_t type;              /* message type */
    u_int8_t code;              /* type sub-code */
    u_int16_t checksum;
    union
    {
        struct
        {
            u_int16_t id;
            u_int16_t sequence;
        } echo;                 /* echo datagram */
        u_int32_t gateway;      /* gateway address */
        struct
        {
            u_int16_t __unused;
            u_int16_t mtu;
        } frag;                 /* path MTU discovery */
    } un;
};

This is the ICMP header as defined under Linux, carried inside the IP protocol. The two fields that matter most are the first two: type is the ICMP message type, and code refines that type. For example, type 0x03 means destination unreachable, and the code then says what could not be reached: 0x00 the network, 0x01 the host, 0x02 the protocol, 0x03 the port; 0x05 means source routing failed, and 0x06 and 0x07 mean the destination is unknown.

igmphdr: the IGMP protocol header (carried in IP)

/* from <linux/igmp.h> */
struct igmphdr
{
    __u8 type;      /* message type */
    __u8 code;      /* routing code */
    __u16 csum;     /* checksum */
    __u32 group;    /* group address */
};

This is the IGMP header as defined under Linux, carried inside the IP protocol. The first two fields carry most of the meaning: type is the IGMP message type and code the routing code. Once a data frame has been intercepted, its address is assigned to the structure that matches its protocol; from there the fields can be read out according to each structure to obtain the information we need.
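
As an added example (not code from the original article), the following C function overlays the Linux header structures above on a captured frame, checking the remaining length before each header so a short frame can never be over-read; the frame it works on is constructed here, not a real capture.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

/* Fields pulled out of one frame, converted to host byte order. */
struct frame_summary {
    uint16_t ethertype; uint8_t ip_proto;
    uint32_t saddr, daddr; uint16_t sport, dport;
    int syn, ack;
};

/* Overlay the Linux header structures on a captured frame, checking the
 * remaining length before each header so a short frame is never over-read.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4. */
int parse_frame(const uint8_t *buf, size_t len, struct frame_summary *out)
{
    struct ether_header eth; struct iphdr ip; struct tcphdr tcp;
    size_t off = 0;
    memset(out, 0, sizeof *out);
    if (len < sizeof eth) return -1;
    memcpy(&eth, buf, sizeof eth);            /* memcpy avoids unaligned access */
    out->ethertype = ntohs(eth.ether_type);
    if (out->ethertype != ETHERTYPE_IP) return -1;
    off += sizeof eth;
    if (len < off + sizeof ip) return -1;
    memcpy(&ip, buf + off, sizeof ip);
    size_t ihl = (size_t)ip.ihl * 4;          /* header length incl. options */
    if (ihl < sizeof ip || len < off + ihl) return -1;
    out->ip_proto = ip.protocol;
    out->saddr = ntohl(ip.saddr);
    out->daddr = ntohl(ip.daddr);
    if (ip.protocol != IPPROTO_TCP) return 0; /* UDP/ICMP/IGMP: stop at IP */
    off += ihl;
    if (len < off + sizeof tcp) return -1;
    memcpy(&tcp, buf + off, sizeof tcp);
    out->sport = ntohs(tcp.source);
    out->dport = ntohs(tcp.dest);
    out->syn = tcp.syn;                       /* bit-fields as laid out above */
    out->ack = tcp.ack;
    return 0;
}

/* Constructed sample (not a real capture): broadcast Ethernet, IPv4
 * 172.16.11.148 -> 172.16.11.1, TCP port 25 -> 1024 with only SYN set. */
const uint8_t sample_frame[54] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
    0xac,0x10,0x0b,0x94, 0xac,0x10,0x0b,0x01,
    0x00,0x19, 0x04,0x00, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x00,0x00, 0x00,0x00 };
```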

Methods for detecting network monitoring

Network monitoring has been explained above. It exists so that system administrators can manage their networks and observe network status and traffic. But because it can intercept network data, it is also one of the common techniques used by attackers.

Definition of detection rules

The purpose of listening is to obtain the network information we need, but the volume of traffic on a network can be very large: on a network of a few hundred computers the listening log typically grows by megabytes per minute. Finding the information we need in that much data is not easy. I therefore added detection rules to the program, so that users can define their own rules to pick the data they need out of the stream and act on it. A rule can use most of the packet attributes we care about: source address, destination address, source IP address, destination IP address, source port, destination port, protocol type, connection flags, number of packets, time limit, and so on.

For example, we can define a rule that stores in a log file every packet whose source address is 172.16.11.148, whose source port is 25, whose protocol is TCP and whose connection flag is SYN. Detection uses chained rules: many rules can be defined, and the data passes through the checks of each rule in turn, like a pipeline. This is similar to the rule definitions of most current intrusion detection systems. With it, network monitoring becomes more targeted and can meet the needs of different users.

The usual approaches to detecting network monitoring are the following:

Network monitoring is in fact difficult to detect. While monitoring, the host running the sniffer only passively receives the information carried on the Ethernet; it does not exchange information with other hosts, nor can it modify the packets transmitted on the network. So detecting network monitoring is a rather troublesome task.

Generally, it can be detected with ps -ef or ps -aux. But most people who run a sniffer modify the ps command so that ps -ef does not show it.

As mentioned above, a host running a sniffer generally responds more slowly, so some people have proposed judging whether a machine is sniffing from its response rate. If you suspect that a machine on the network is running a sniffer, you can ping it with its correct IP address but a wrong physical address; a machine running a sniffer will respond. A normal machine does not receive a ping carrying the wrong physical address, whereas a machine in listening mode does receive it, and if its IP stack does not check the address again it will reply. However, this method does not work on many systems, because the result depends on the system's IP stack.

Another method is to send a large number of packets with non-existent physical addresses onto the network. A sniffer usually processes these packets, so the machine's performance drops; this can be measured and compared using the ICMP echo delay. One can also inspect the programs running on every host on the network, but the difficulty of this is easy to imagine: not only is it a lot of work, it is also impossible to check the processes on all hosts at the same moment. Still, if an administrator does it, it is very worthwhile, because it can establish whether a process was started from the administrator's machine. On Unix, a list of all processes can be produced with ps -aun or ps -augx: the owner of each process, the processor time and memory it uses, and so on, printed as a standard table on STDOUT. If a process is running, it will appear in this list. But many attackers, when they run a sniffer, do not hesitate to replace ps or other running programs with Trojan horse versions, because they are entirely able to do so. If that is the case, the method above yields nothing. Even so, it makes a difference to some extent, and on Unix and Windows NT it is easy to get a list of the current processes.

There is another method, which depends on a fair bit of luck. Most of the sniffers used by attackers are freely downloadable and are not professional monitoring tools, so an administrator can also detect them by searching for the sniffer itself. On Unix you can write such a search tool yourself. There is a tool called ifstatus for Unix that identifies whether a network interface is in debug or promiscuous mode; if an interface is running in such a mode, it is very likely that a sniffer is at work. ifstatus normally produces no output; it only prints something when it detects an interface in listening mode. The administrator can schedule ifstatus to run regularly from cron. With a properly working cron, any output it produces is mailed to the owner of the cron job. To set this up, add an entry such as **** /usr/local/etc/ifstatus to the crontab. If that does not work, a script can be run instead, with a crontab entry such as 0 0 * * * /usr/local/etc/run-ifstatus.
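
The modern Linux counterpart of the ifstatus check, written here as an added example rather than taken from the article or from ifstatus: it reads each interface's flags from /sys/class/net/<iface>/flags and reports those with IFF_PROMISC set. It assumes a Linux host with sysfs mounted; the flag values it parses are constructed in the comments.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <net/if.h>          /* IFF_PROMISC */

/* Parse the hex flags word found in /sys/class/net/<iface>/flags (e.g. "0x1103\n").
 * Returns 1 if IFF_PROMISC is set, 0 if not, -1 if the text is not a hex number. */
int flags_promisc(const char *text)
{
    char *end;
    unsigned long flags = strtoul(text, &end, 16);
    if (end == text) return -1;
    return (flags & IFF_PROMISC) ? 1 : 0;
}

/* Walk sysfs and report every interface in promiscuous (listening) mode.
 * Returns the number found, or -1 if /sys/class/net cannot be opened. */
int list_promisc_ifaces(FILE *out)
{
    DIR *d = opendir("/sys/class/net");
    struct dirent *e;
    int found = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        char path[512], buf[32];
        FILE *f;
        if (e->d_name[0] == '.') continue;
        snprintf(path, sizeof path, "/sys/class/net/%s/flags", e->d_name);
        if (!(f = fopen(path, "r"))) continue;
        if (fgets(buf, sizeof buf, f) && flags_promisc(buf) == 1) {
            fprintf(out, "%s: PROMISC\n", e->d_name);
            found++;
        }
        fclose(f);
    }
    closedir(d);
    return found;
}

/* Like ifstatus, print nothing when all is well, so cron only mails a report
 * when an interface really is in promiscuous mode; the exit status flags the
 * finding for a wrapper script. */
int main(void)
{
    return list_promisc_ifaces(stdout) > 0 ? 1 : 0;
}
```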

Generally speaking, sniffers are mainly after user names and passwords (no attacker wastes time listening to chat between two machines). It is therefore essential to encrypt user and password information so that it is not sniffed while transmitted in plain text. In modern networks the SSH protocol is used for this. SSH uses port 22. It removes the possibility that information exchanged over an insecure channel is sniffed: it uses the RSA algorithm for authentication, and once the authorization process is complete all traffic is encrypted with IDEA. But SSH is not completely secure. So, in general, detecting monitoring is part of security prevention and requires very comprehensive knowledge and skill to analyse and design.

Safety considerations

Detection and prevention of DOS attacks

My country is still in the development stage of the Internet, so naturally there are network "hackers" and "crackers". Precisely because it is a development stage, these people's attacks generally rely on tools. Such tools fall into two kinds, cracking tools and destructive tools. Cracking takes a long time and has a low success rate, while destructive tools suit these people's temperament better and are therefore popular. DoS attack tools are convenient to use and have a high success rate, so they are generally the first choice of a "hacker".

A DoS attack is a denial of service attack. It does not break into the system; it merely crashes the system or leaves it refusing connections. The main DoS methods are to send a large number of forged SYN packets, so that the server is busy responding to and waiting on fake SYN requests and cannot answer normal connections, or to send a large number of broadcast packets, exploiting bugs in how certain systems respond to some broadcast packets to create a broadcast storm that clogs the network and consumes server resources. There are now also distributed DoS tools that control many hosts and make them send attack packets at the same time, which is very powerful. A DoS attack may also be the prelude to another attack, IP spoofing (which can obtain root privileges and carries the highest risk). If a DoS attack occurs but does not clog the network and its target is inconspicuous, it is very likely the beginning of IP spoofing or TCP interception. DoS is therefore an attack with great destructive power, obvious effects and hidden intent.

DoS attacks are easier to detect: the attack is conspicuous and its characteristics stand out, so it is not hard to find by monitoring the network. As described above, we can already listen to data frames from the network and analyse them. So we write a program that lets users compare data frames against their own specifications and respond accordingly to the data that matches. For DoS attacks we can define a specification with a time limit. For example, we can define that more than 100 SYN packets within 1 second constitutes a DoS attack, and then define the response, such as MAIL, LOG, SHUTDOWN or linkage with a firewall.
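
Added example (not the article's program): a small rule chain over already-parsed packets that covers both the chained rule definition given earlier (source address, port, protocol and SYN flag) and the rate rule for DoS detection just described. The packet stream is constructed, and the rule fields, names and action strings are my own.

```c
#include <stdint.h>
#include <stddef.h>

/* A parsed packet as a header parser would hand it over (host byte order). */
struct pkt {
    uint32_t saddr, daddr; uint16_t sport, dport;
    uint8_t proto;           /* 6 = TCP, 17 = UDP, 1 = ICMP */
    int syn;                 /* TCP SYN flag */
    double ts;               /* capture time in seconds */
};

/* One rule of the chain: zero in a match field means "any". max_count and
 * window make a rate rule (fire when more than max_count matching packets
 * arrive within window seconds); max_count 0 fires on every match. */
struct rule {
    const char *name, *action;      /* action: "LOG", "MAIL", "SHUTDOWN", ... */
    uint32_t saddr; uint16_t sport, dport; uint8_t proto; int need_syn;
    unsigned max_count; double window;
    unsigned count; double window_start; unsigned fired;   /* running state */
};

static int rule_matches(const struct rule *r, const struct pkt *p)
{
    if ((r->saddr && r->saddr != p->saddr) || (r->sport && r->sport != p->sport)) return 0;
    if ((r->dport && r->dport != p->dport) || (r->proto && r->proto != p->proto)) return 0;
    return !r->need_syn || p->syn;
}

/* Pass one packet down the chain (every rule sees it, like a pipeline);
 * returns how many rules fired on this packet. */
unsigned run_chain(struct rule *rules, size_t n, const struct pkt *p)
{
    unsigned fired = 0;
    for (size_t i = 0; i < n; i++) {
        struct rule *r = &rules[i];
        if (!rule_matches(r, p)) continue;
        if (r->max_count && (r->count == 0 || p->ts - r->window_start >= r->window))
            r->window_start = p->ts, r->count = 0;      /* open a new window */
        if (r->max_count == 0 || ++r->count > r->max_count)
            r->fired++, fired++, r->count = 0;          /* rule triggers */
    }
    return fired;
}

/* Constructed run: the SMTP SYN logging rule from the text plus a "more than
 * 100 SYNs in 1 second" rule, fed 150 SYNs spaced 5 ms apart from one host. */
unsigned demo_syn_flood(void)
{
    struct rule chain[2] = {
        { .name = "smtp-syn-log", .action = "LOG", .saddr = 0xac100b94u, .sport = 25, .proto = 6, .need_syn = 1 },
        { .name = "syn-flood", .action = "MAIL", .proto = 6, .need_syn = 1, .max_count = 100, .window = 1.0 },
    };
    struct pkt p = { 0x0a000001u, 0xac100b01u, 40000, 80, 6, 1, 0.0 };
    for (int i = 0; i < 150; i++) { p.ts = i * 0.005; run_chain(chain, 2, &p); }
    return chain[1].fired;          /* 1: the flood rule fired once */
}
```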

Detecting and countering IP impersonation

The rapid growth of the network means the original 32-bit address scheme can no longer satisfy the rapidly expanding population of computers. Because addresses cannot be shared out to everyone's satisfaction, IP impersonation appears and disrupts order on the network.

Here we first explain how the ARP protocol is used. ARP converts IP addresses into MAC addresses and is the basis of data exchange on a LAN. How does a computer bind itself to an IP address? When it starts up, it first sends an ARP request for its own IP to the LAN, to avoid IP conflicts. If nobody answers, it sends an ARP reply for its IP, announcing to the LAN that it has bound its physical address to that IP address. If the server does not use a fixed IP/MAC table, a computer that has not been allocated an IP can also bind one in this way, which is IP impersonation.
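
Added example (not code from the article): checking the sender fields of captured ARP frames against the fixed IP/MAC table just mentioned, which is the detection side of handling IP impersonation. The table and the two ARP replies are constructed, and the check only reports mismatches; it sends nothing.

```c
#define _DEFAULT_SOURCE 1
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <netinet/if_ether.h>   /* struct ether_arp: arphdr + sha/spa/tha/tpa */

struct binding { uint32_t ip; uint8_t mac[ETH_ALEN]; };

/* Constructed IP/MAC table (host byte order IPs); a real one would be loaded
 * from a file kept by the administrator. */
static const struct binding known[] = {
    { 0xac100b94u, { 0x00,0x11,0x22,0x33,0x44,0x55 } },   /* 172.16.11.148 */
    { 0xac100b01u, { 0x00,0xaa,0xbb,0xcc,0xdd,0x01 } },   /* 172.16.11.1   */
};

/* Compare the sender fields of a captured ARP frame with the table.
 * 1 = binding matches, 0 = MAC differs (impersonation of a known IP),
 * -1 = IP not in table, -2 = not Ethernet/IPv4 ARP or frame truncated. */
int check_arp_sender(const uint8_t *frame, size_t len)
{
    struct ether_header eth;
    struct ether_arp arp;
    uint32_t spa;
    if (len < sizeof eth + sizeof arp) return -2;
    memcpy(&eth, frame, sizeof eth);
    if (ntohs(eth.ether_type) != ETHERTYPE_ARP) return -2;
    memcpy(&arp, frame + sizeof eth, sizeof arp);
    if (ntohs(arp.ea_hdr.ar_hrd) != ARPHRD_ETHER ||
        ntohs(arp.ea_hdr.ar_pro) != ETHERTYPE_IP ||
        arp.ea_hdr.ar_hln != ETH_ALEN || arp.ea_hdr.ar_pln != 4) return -2;
    memcpy(&spa, arp.arp_spa, 4);
    spa = ntohl(spa);
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].ip == spa)
            return memcmp(known[i].mac, arp.arp_sha, ETH_ALEN) == 0 ? 1 : 0;
    return -1;
}

/* Constructed ARP replies (op 2) announcing 172.16.11.148: the first from its
 * registered MAC, the second from a different card claiming the same IP. */
const uint8_t arp_good[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x00,0x11,0x22,0x33,0x44,0x55, 0xac,0x10,0x0b,0x94,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xac,0x10,0x0b,0x01 };
const uint8_t arp_spoof[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0xde,0xad,0xbe,0xef,0x00,0x01, 0x08,0x06,
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0xde,0xad,0xbe,0xef,0x00,0x01, 0xac,0x10,0x0b,0x94,
    0x00,0x00,0x00,0x00,0x00,0x00, 0xac,0x10,0x0b,0x01 };
```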

Network monitoring can be used to detect IP impersonation when it happens and to counter it. The method is to take the IP and Ethernet addresses from a detected ARP data frame and compare them against the table we have established. If an IP is being misused, a reverse ARP packet is sent to it to cut it off from the network. This is suitable for network managers who cannot control the router configuration and do not want to change the gateway configuration. In the program I use passive ARP inspection, that is, I do not send ARP queries, so apart from the counter packet it adds no extra load to the network.

Application of monitoring technology in network testing

Network monitoring is not only the basis of network management; it can also be applied to network testing. Most current network testing tools are based on monitoring: they count the types and numbers of data frames heard and derive the test results from that. In the same way this monitoring program can serve as a test tool by classifying and counting data.

For example, the most common network tests at present are:

1) Measure the broadcast load on the network, that is, the proportion of broadcast packets among all packets. In the program this is obtained by comparing the destination physical address of each data frame with ff:ff:ff:ff:ff:ff and taking the ratio of matches to the total number of frames. This gives a data basis for configuring VLANs and the like.

2) Count the damaged data frames produced by collisions on the network. Under the CSMA/CD protocol used by shared Ethernet, a computer cannot guarantee that no other computer is transmitting when it sends; it stops sending once it detects a collision, so some damaged data frames are produced. The proportion of damaged frames in the network data is an important parameter of network performance. For the monitoring program this measurement is much the same as the first one, except that the frames counted are collision fragments, that is, data frames shorter than 64 bytes. In the same way other network tests can be implemented with the monitoring program, allowing us to analyse more suitable cabling schemes and so on.

Preliminary implementation of spam filtering

Spam filtering means filtering out the emails we do not want to receive and whose content is unsafe. Thanks to the nature of the email service, email has become one of the most convenient ways of conveying information in modern society. But some people use it to send unsafe propaganda that harms society, so spam filtering becomes necessary. Because email servers are loosely managed, anyone with a computer and an IP address can set up a server, which makes the sources of email quite complex and complete filtering not easy. Nevertheless, we can achieve preliminary email filtering through network monitoring.

The first method is to block the SMTP connections of certain IP addresses. This can be done by the listener program: for example, when the source IP address is **** and the TCP connection port is 25, the connection is blocked.

The second method: since many email servers allow email forwarding (which is also necessary, because we cannot connect to every machine), a user's email may not be blockable by IP address, as he can forward it through other servers. So when the first method fails, we can block by account. Because the standard email server command requires the user to declare the sender when sending an email, for example mail from XXX@XXX, we can detect unwanted users with the listener program and block them. This requires us to analyse not only the headers of the data frame but also its data, comparing it with the string we have set; if it matches, the connection to be blocked has been found.
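
Added example, not the article's program: a payload check for the SMTP MAIL FROM command against a block list, which is the second filtering method described. The payloads and the block list are constructed, and it assumes the whole command line arrives in one TCP segment.

```c
#define _DEFAULT_SOURCE 1
#include <string.h>
#include <strings.h>
#include <ctype.h>

/* Constructed block list; in practice loaded from a file the administrator keeps. */
static const char *blocked_senders[] = { "spammer@example.invalid", "noreply@bulk.example" };

/* Case-insensitive prefix test (SMTP commands are case-insensitive). */
static int starts_with_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Find a "MAIL FROM:<addr>" line in the segment payload and copy addr to out.
 * Assumes the whole command line is inside this one segment. Returns 1 if found. */
int extract_mail_from(const char *payload, char *out, size_t outsz)
{
    const char *line = payload;
    while (line && *line) {
        if (starts_with_ci(line, "MAIL FROM:")) {
            const char *p = line + 10;
            size_t n = 0;
            while (*p == ' ') p++;
            if (*p == '<') p++;
            while (*p && *p != '>' && *p != '\r' && *p != '\n' && n + 1 < outsz)
                out[n++] = *p++;
            out[n] = '\0';
            return n > 0;
        }
        line = strchr(line, '\n');          /* next command line */
        if (line) line++;
    }
    return 0;
}

/* 1 = the declared sender is on the block list, 0 = allowed or no MAIL FROM yet. */
int sender_blocked(const char *payload)
{
    char addr[256];
    if (!extract_mail_from(payload, addr, sizeof addr)) return 0;
    for (size_t i = 0; i < sizeof blocked_senders / sizeof blocked_senders[0]; i++)
        if (strcasecmp(addr, blocked_senders[i]) == 0) return 1;
    return 0;
}

/* Constructed payloads of two captured segments to port 25. */
const char *smtp_spam = "EHLO relay.example\r\nMAIL FROM:<Spammer@example.invalid>\r\nRCPT TO:<user@example.net>\r\n";
const char *smtp_ok   = "EHLO laptop.example\r\nmail from: <alice@example.net>\r\n";
```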

Article entry: aaadxmm     Editor in charge: aaadxmm