SoFunction
Updated on 2025-04-11

Complete manual for common cyber attacks and prevention


1. Preface
The Internet is a world that is constantly being renewed, and security vulnerabilities in it are everywhere. Even after old vulnerabilities are patched, new ones keep emerging. Cyber attacks exploit precisely these existing vulnerabilities and security flaws to attack systems and resources.
Some people may take an indifferent attitude toward network security, thinking that at most an attacker steals an account, which does little harm. They often believe that "security" only matters for large and medium-sized enterprises, institutions and websites. In fact, technically speaking, the hacker's goal is to become the owner of the target host. Once they obtain superuser privileges on a network host, they can modify resource configuration, plant Trojan programs, hide their tracks, execute any process, and so on. Who among us would want others to wield these privileges unchecked on our machines? What is more, the motives of these attackers are not all that simple. Therefore, every one of us may face security threats, and it is necessary to have some understanding of network security and be able to deal with some security issues.
Let's take a look at how attackers find security vulnerabilities in your computer and learn about their attack methods.
2. Steps of cyber attack
Step 1: Hide your position
Ordinary attackers use other people's computers to hide their real IP addresses. Experienced attackers also use an 800-number unattended call-forwarding service to connect to the ISP, and then use stolen accounts to get online.
Step 2: Find the target host and analyze the target host
The attacker first needs to find the target host and analyze it. What truly identifies a host on the Internet is its IP address; the domain name is just a name that makes the host's IP address easier to remember. With the domain name and IP address, the target host can be located. Of course, knowing where the target is is not enough to attack it. The attacker must also have a comprehensive understanding of the host's operating system type and the services it provides. At this point, attackers use scanner tools to easily obtain information such as which operating system the target host runs, which accounts exist on the system, and which versions of server programs such as WWW, FTP, Telnet and SMTP are running, and so make full preparations for the intrusion.
Step 3: Get your account and password and log in to the host
If an attacker wants to break into a host, he must first have an account and password on it; otherwise he cannot even log in. This often forces attackers to first try to steal the account file and crack it, extract a user's account and password from it, and then pick the right moment to enter the host under that identity. Of course, logging in through certain tools or system vulnerabilities is also a common technique used by attackers.
Step 4: Obtain control
After attackers use tools such as FTP and Telnet together with system vulnerabilities to enter the target host and gain control, they do two things: clear the records and leave a backdoor. The attacker changes certain system settings and plants Trojan horses or some other remote-control program in the system so that he can enter it again later without being noticed. Most backdoor programs are pre-compiled; the attacker only needs to find a way to adjust their timestamps and permissions, and even the size of the new file is made exactly the same as the original file. Attackers generally use rcp to transfer these files so that no FTP records are left. After hiding their traces by clearing logs, deleting copied files and other means, the attacker begins the next step.
Step 5: Stealing network resources and privileges
Once the attacker has taken the target, he continues with the next attack, such as downloading sensitive information; carrying out financial theft such as stealing account passwords and credit card numbers; or paralyzing the network.
3. Principles and methods of cyber attacks
1. Password intrusion
Password intrusion means logging in to the destination host with the account and password of some legitimate user, and then carrying out the attack. The premise of this method is that the attacker must first obtain the account of a legitimate user on the host, and then work out that user's password. There are many ways to obtain an ordinary user account, such as:
Using the target host's Finger service: when queried with the Finger command, the host displays the stored user information (such as username, login time, etc.) on the terminal or computer;
Using the target host's X.500 service: some hosts do not turn off the X.500 directory query service, which also gives attackers an easy way to obtain information;
Collecting from email addresses: some users disclose their account on the target host in their email addresses;
Checking whether the host has habitual accounts: experienced users know that many systems use some habitual account names, which leaks the account.
Beyond that, there are three ways to obtain the password:
(1) Illegally obtaining user passwords through network monitoring. This method has certain limitations, but it is extremely harmful. Listeners often intercept traffic midway, which is also an effective way to obtain user accounts and passwords. At present, many protocols use no encryption or identity authentication at all. For example, in Telnet, FTP, HTTP, SMTP and other transmission protocols, user account and password information is transmitted in plain text, so an attacker with a packet-capture tool can easily collect your account and password. There is also a more powerful interception attack: after you complete the "three-way handshake" with the server and establish a connection, the attacker can play the role of a "third party" in the communication, impersonate the server to deceive you, and then impersonate you to make malicious requests to the server. The consequences are unimaginable. In addition, attackers sometimes use software and hardware tools to monitor the host at all times, waiting to record user login information and thereby obtain user passwords; or they exploit buffer overflow bugs in SUID programs to obtain superuser privileges.
(2) Cracking the user's password by force with special software once the user's account (such as the part of the email address before the @) is known. This method is not restricted to the local network segment, but the attacker must have enough patience and time. For example, the dictionary exhaustion method (or brute force method) is used to crack the user's password: through a tool program, the attacker automatically takes a word out of a computer dictionary, uses it as the user's password, and submits it to the remote host to request entry into the system; if the password is wrong, the next word is taken in order and tried, and the loop continues until the correct password is found or the dictionary is exhausted. Since this cracking process is carried out automatically by a computer program, all the words in a dictionary with hundreds of thousands of entries can be tried in a few hours.
(3) Taking advantage of the system administrator's mistakes. In modern Unix operating systems, users' basic information is stored in the passwd file, while all passwords are encrypted with the DES algorithm and stored in a file called shadow. After obtaining the password file, hackers use a special program to crack the DES encryption and recover the passwords. At the same time, since many operating systems have numerous security vulnerabilities, bugs or other design flaws, once these flaws are found, hackers can walk straight in. For example, Back Orifice (BO), which opens a backdoor on Windows 95/98 systems, takes advantage of basic design flaws in Windows.
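What the dictionary attack in (2) looks like from the server's side, as an added example that is not part of the original article: it parses constructed sshd-style login records and flags an account/source pair that piles up failures in a short window, and notes when a success follows the burst. The log format, sample lines and thresholds are assumptions.

```python
"""Detect the dictionary attack from (2) above in login records.

Added example, not from the original article. The sshd-style line format,
the sample lines and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one address cycles dictionary words against "alice"
# several times a second and finally gets in; "bob" just mistypes twice.
SAMPLE_LOG = """\
2025-04-11T10:00:01 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:02 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:02 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:03 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:04 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:05 sshd: Failed password for alice from 203.0.113.7
2025-04-11T10:00:09 sshd: Accepted password for alice from 203.0.113.7
2025-04-11T10:03:00 sshd: Failed password for bob from 198.51.100.4
2025-04-11T10:20:00 sshd: Failed password for bob from 198.51.100.4
2025-04-11T10:40:00 sshd: Accepted password for bob from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {(user, src): finding} for every account/source pair that
    accumulates `threshold` failures inside a sliding `window`. A success
    after such a burst is flagged too: the dictionary probably held the real
    password, so the account should be treated as compromised."""
    failures = defaultdict(list)   # (user, src) -> failure times inside window
    findings = {}
    for ts, result, user, src in parse(log_text):
        key = (user, src)
        if result == "Failed":
            recent = [t for t in failures[key] if ts - t <= window]
            recent.append(ts)
            failures[key] = recent
            if len(recent) >= threshold:
                f = findings.setdefault(
                    key, {"first": recent[0], "failures": 0, "succeeded_after": False})
                f["failures"] = max(f["failures"], len(recent))
        elif key in findings:          # "Accepted" after a flagged burst
            findings[key]["succeeded_after"] = True
    return findings


if __name__ == "__main__":
    for (user, src), f in detect_bruteforce(SAMPLE_LOG).items():
        state = "COMPROMISED" if f["succeeded_after"] else "under attack"
        print(f"{user} from {src}: {f['failures']} failures since {f['first']} ({state})")
```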
2. Placing Trojan horse programs
Trojan horse programs can directly invade a user's computer and do damage. They are often disguised as a utility or a game, and users are lured into opening email attachments that carry the Trojan or into downloading it directly from the Internet. Once the user opens such an attachment or runs such a program, it stays on the computer like the soldier-filled wooden horse the Greeks left outside the enemy city, hiding in the system a program that runs quietly whenever Windows starts. When you connect to the Internet, the program notifies the attacker, reporting your IP address and the preset ports. With this information, the attacker can use the lurking program to arbitrarily change your computer's settings, copy files, peek at the contents of your entire hard disk, and so on, thereby taking control of your computer.
3. Web (WWW) spoofing technology
Online users use browsers such as IE to visit all kinds of Web sites: reading newsgroups, checking product prices, subscribing to newspapers, e-commerce and so on. However, ordinary users probably do not expect this kind of problem: the web page being visited has been tampered with by a hacker, and the information on it is false! For example, a hacker rewrites the URL of the page the user wants to browse so that it points to the hacker's own server. When the user browses the target page, he actually sends the request to the hacker's server, and the hacker achieves his deception.
Web spoofing generally uses two technical means: URL address rewriting and masking of related information. With URL rewriting, the addresses are redirected to the attacker's web server; that is, the attacker prefixes all URL addresses with his own web address. In this way, when the user links to the site, he enters the attacker's server without any warning, so everything he enters is under the attacker's surveillance. However, since browsers generally have an address bar and a status bar, the site's address and related transmission information appear in the address bar and status bar when the browser connects to a site, and users may notice the problem. Therefore, while rewriting URL addresses, attackers usually also use information masking, that is, JavaScript code that rewrites the address bar and status bar, to hide the deception.
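An added example (not from the original article) that checks a page's links for the tricks just described: a real site's URL riding inside the attacker's URL, a link whose visible text names a different host than its target, and a mouseover handler that rewrites the status bar. The sample HTML and the host names are constructed.

```python
"""Spot the web-spoofing tricks described above in a page's links: an
attacker's host prepended to the real URL, link text that names another
host than the link's target, and JavaScript that rewrites the status bar.

Added example, not from the original article. The sample HTML and the
host names are constructed (RFC 2606 reserved example domains).
"""
import re
from urllib.parse import urlsplit

# A full URL riding inside the path, e.g. /https://bank.example/login
EMBEDDED_URL_RE = re.compile(r"(?:^|/)https?:/{1,2}([^/?#]+)", re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s+([^>]*?)href="([^"]*)"([^>]*)>(.*?)</a>', re.I | re.S)

# Constructed sample page: one honest link, one rewritten link whose
# mouseover handler fakes the status bar, one link whose visible text lies.
SAMPLE_HTML = """
<a href="https://bank.example/login">Log in</a>
<a href="http://attacker.example/https://bank.example/login"
   onmouseover="window.status='https://bank.example/login'; return true;">https://bank.example/login</a>
<a href="http://attacker.example/account">https://bank.example/account</a>
"""


def embedded_host(url):
    """Return the host of an absolute URL embedded in `url`'s path or query
    (the rewritten form), or None. Accepts 'http://' and the collapsed
    'http:/' that some rewriters produce."""
    parts = urlsplit(url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    m = EMBEDDED_URL_RE.search(tail)
    return m.group(1).lower() if m else None


def check_link(href, text):
    """Return the reasons a link looks spoofed; an empty list means clean."""
    reasons = []
    href_host = (urlsplit(href).hostname or "").lower()
    inner = embedded_host(href)
    if inner and inner != href_host:
        reasons.append(f"href host {href_host!r} wraps another site {inner!r}")
    # If the visible text is itself a URL, its host must match the real target
    text_host = (urlsplit(text.strip()).hostname or "").lower() if "://" in text else ""
    if text_host and text_host != href_host:
        reasons.append(f"text shows {text_host!r} but the link goes to {href_host!r}")
    return reasons


def scan_html(html):
    """Return [(href, reasons)] for every suspicious anchor in `html`."""
    findings = []
    for m in ANCHOR_RE.finditer(html):
        attrs, href = m.group(1) + m.group(3), m.group(2)
        text = re.sub(r"<[^>]+>", "", m.group(4))      # strip inner tags
        reasons = check_link(href, text)
        if "window.status" in attrs:
            reasons.append("handler rewrites the status bar (window.status)")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in scan_html(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```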
4. Email Attack
Email is a very widely used means of communication on the Internet. Attackers can use email bomb software or CGI programs to send a large number of duplicate, useless spam messages to the destination mailbox, filling it up and making it unusable. When the volume of spam is particularly large, it can make the mail system respond slowly to normal work or even paralyze it. Compared with other attack methods, this one has the advantage of being simple and quick to take effect.
Email attacks mainly take two forms:
(1) Email bombing and email "snowballing", commonly called mail bombing. It means sending thousands, tens of thousands or even an endless stream of spam messages with the same content to the same mailbox from forged IP and email addresses, so that the victim's mailbox is "blown up". In severe cases it can endanger or even paralyze the operating system of the mail server;
(2) Email spoofing. The attacker pretends to be the system administrator (using an email address identical to the administrator's), sends the user a message asking him to change his password (possibly to a specified string), or plants viruses or other Trojan programs in seemingly normal attachments.
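Added example, not part of the original article: a triage routine for the administrator-spoofing case in (2), run over a constructed message. The company domain, the administrator address, the sample message and the list of risky attachment extensions are assumptions.

```python
"""Triage a message for the spoofing signs described in (2) above: a sender
that claims to be the system administrator while the envelope, Reply-To
and delivery path say otherwise, a password request in the body, and an
executable hiding behind a harmless-looking attachment name.

Added example, not from the original article. The internal domain, the
administrator address, the sample messages and the list of risky
extensions are constructed assumptions.
"""
import os
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"                 # assumed company domain
TRUSTED_ADMIN = "admin@" + INTERNAL_DOMAIN       # assumed real sysadmin mailbox
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".pif", ".vbs"}

# Constructed sample: looks like the admin, but nothing else adds up.
SAMPLE_MSG = """\
Return-Path: <bounce@mailer.attacker.example>
Received: from mx.attacker.example (mx.attacker.example [192.0.2.10]) by mail.corp.example
From: IT Administrator <admin@corp.example>
Reply-To: helpdesk@attacker.example
To: alice@corp.example
Subject: Password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your password expires today. Change it to Welcome123 or open the attached form.
--b1
Content-Type: application/octet-stream; name="password_form.txt.exe"
Content-Disposition: attachment; filename="password_form.txt.exe"

(placeholder attachment body)
--b1--
"""

# Constructed ordinary internal message for comparison.
CLEAN_MSG = """\
Return-Path: <carol@corp.example>
Received: from mail.corp.example (mail.corp.example [198.51.100.2]) by mail.corp.example
From: Carol <carol@corp.example>
To: alice@corp.example
Subject: Lunch

Noon?
"""


def domain_of(header_value):
    """Domain part of the first address in a header value, lowercased."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def first_hop(msg):
    """Host that handed the message in first (the oldest Received line)."""
    received = msg.get_all("Received") or []
    m = re.search(r"from\s+(\S+)", received[-1]) if received else None
    return m.group(1).lower() if m else ""


def triage(raw):
    """Return the list of reasons the message looks like admin spoofing."""
    msg = message_from_string(raw)
    reasons = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender == TRUSTED_ADMIN:
        env = domain_of(msg.get("Return-Path"))
        if env and env != INTERNAL_DOMAIN:
            reasons.append(f"From claims {sender} but the envelope sender is in {env}")
        reply = domain_of(msg.get("Reply-To"))
        if reply and reply != INTERNAL_DOMAIN:
            reasons.append(f"Reply-To diverts answers to {reply}")
        hop = first_hop(msg)
        if hop and not (hop == INTERNAL_DOMAIN or hop.endswith("." + INTERNAL_DOMAIN)):
            reasons.append(f"message entered from outside host {hop}")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            ext = os.path.splitext(name.lower())[1]
            if ext in RISKY_EXT:
                tag = " behind a double extension" if name.lower().count(".") > 1 else ""
                reasons.append(f"attachment {name!r} is executable{tag}")
        elif part.get_content_type() == "text/plain":
            body = part.get_payload(decode=True).decode("utf-8", "replace").lower()
            if sender == TRUSTED_ADMIN and "password" in body:
                reasons.append("an 'administrator' asks for a password change by mail")
    return reasons
```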
5. Attack other nodes through one node
After breaking into one host, an attacker often uses it as a base for attacking other hosts (to conceal the intrusion path and avoid leaving clues). He can use network monitoring to try to break into other hosts on the same network segment, or attack other hosts through IP spoofing and host trust relationships.
This type of attack is very cunning, but some of its techniques are hard to master, such as TCP/IP spoofing. In it, an outside computer masquerades as another, legitimate machine. It can corrupt data on the communication link between two machines. Its purpose is to trick other machines on the network into accepting the attacker's machine as legitimate, inducing them to send it data or allow it to modify data. TCP/IP spoofing can occur at every layer of the TCP/IP stack: the data link layer, network layer, transport layer and application layer are all vulnerable. If a lower layer is compromised, every application-layer protocol above it is at risk. Moreover, since users do not interact directly with the lower layers, attacks on them are more deceptive.
6. Network monitoring
Network monitoring is an operating mode of a host. In this mode, the host receives everything transmitted on the same physical channel of its network segment, regardless of who the sender and receiver are. When a system performs password verification, the password entered by the user must travel from the user to the server, and an attacker can monitor the data between the two ends. If the communication between the two hosts is not encrypted, information including passwords and accounts can easily be intercepted with a network monitoring tool (such as NetXRay for Windows 95/98/NT, or Sniffit for Linux and Solaris). Although the accounts and passwords obtained by network monitoring have certain limitations, a listener can often obtain all the user accounts and passwords on his network segment.
7. Use hacking software to attack
Attacking with hacking software is a more common attack method on the Internet. Back Orifice 2000, Glacier and the like are all well-known Trojan horses. They can illegally obtain superuser-level rights on the user's computer and control it completely. Besides file operations, they can capture screenshots of the desktop and obtain passwords on the remote side. Such hacking software is divided into a server side and a client side. When attacking, the hacker uses the client program to log in to a computer on which the server program has been installed. These server programs are relatively small and are generally bundled with some other software, so it is possible that when the user downloads and runs a small game, the server side of the hacking software gets installed. Most hacking software also has a strong ability to re-establish itself, which makes it troublesome for users to remove. In particular, there has recently been a trick of TXT file spoofing: on the surface it looks like a TXT text file, but in fact it is an executable carrying a hacker program. Some programs also disguise themselves as pictures or files in other formats.
8. Security vulnerability attack
Many systems have various security vulnerabilities (bugs). Some belong to the operating system or application software itself, such as those behind buffer overflow attacks. Since many programs accept input of any length without checking it against the size of the buffer, the overflowing data lands on the stack and the system carries on executing as usual. Thus, as soon as an attacker sends input longer than the buffer can hold, the program enters an unstable state, and if the attacker has carefully crafted the string he sends, he can even gain root access and thereby absolute control over the entire network. Others exploit protocol vulnerabilities. For example, an attacker exploits a flaw in a program that must run as root to launch an attack that damages the root directory and thereby obtains superuser permissions. The ICMP protocol is also often used to launch denial of service attacks: a large number of packets are sent to the destination server, occupying almost all of the server's network bandwidth, so that it cannot process normal service requests, the website becomes unreachable or responds very slowly, or the server is paralyzed. Common worms and similar viruses can attack servers through denial of service as well. They reproduce extremely quickly, typically sending virus-carrying emails to many mailboxes through Microsoft's Outlook software, until the mail server cannot bear such a huge volume of data processing and is paralyzed. Individual online users may also be flooded with a large number of packets, which prevents them from performing normal network operations.
9. Port scanning attack
Port scanning means using Socket programming to establish TCP connections to certain ports of the target host and verify the transport protocol, in order to find out whether the scanned ports of the target host are active, which services the host provides, whether the services provided contain certain defects, and so on. Common scanning methods are Connect() scanning and fragmentation scanning.
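How such a scan shows up in the target's own connection records, as an added example that is not from the original article: it flags a source that touches many distinct ports on one host within a short window and reports how many of those connections were refused. The record format, sample records and thresholds are constructed assumptions.

```python
"""Detect the Connect() port scan described above from connection records:
one source trying many distinct ports on one host in a short time, most of
them refused, which is what a scan looks like from the target's side.

Added example, not from the original article. The record format, the
sample records and the thresholds are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 walks twelve ports on 192.0.2.20 in twelve
# seconds (only 22 and 80 answer); 198.51.100.4 is a normal web client.
SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443]
SAMPLE_LOG = "\n".join(
    [f"2025-04-11T12:00:{i:02d} 203.0.113.7 -> 192.0.2.20:{p} "
     f"{'open' if p in (22, 80) else 'closed'}" for i, p in enumerate(SCAN_PORTS)]
    + ["2025-04-11T12:00:05 198.51.100.4 -> 192.0.2.20:80 open",
       "2025-04-11T12:00:06 198.51.100.4 -> 192.0.2.20:443 open",
       "2025-04-11T12:00:30 198.51.100.4 -> 192.0.2.20:80 open"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<result>open|closed)$"
)


def parse(log_text):
    """Return records as (timestamp, src, dst, port, result), oldest first."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"],
                            int(m["port"]), m["result"]))
    return sorted(records)


def detect_scans(log_text, min_ports=10, window=timedelta(seconds=30)):
    """Return {(src, dst): info} for every source that touches at least
    `min_ports` distinct ports on one destination within `window`.
    `closed_ratio` separates a scan (mostly refused) from a busy client."""
    recent = defaultdict(list)   # (src, dst) -> [(ts, port, result)] in window
    findings = {}
    for ts, src, dst, port, result in parse(log_text):
        key = (src, dst)
        kept = [e for e in recent[key] if ts - e[0] <= window]
        kept.append((ts, port, result))
        recent[key] = kept
        ports = {p for _, p, _ in kept}
        if len(ports) >= min_ports:
            closed = sum(1 for _, _, r in kept if r == "closed")
            findings[key] = {"ports": len(ports), "closed_ratio": closed / len(kept),
                             "start": kept[0][0], "end": ts}
    return findings


if __name__ == "__main__":
    for (src, dst), f in detect_scans(SAMPLE_LOG).items():
        print(f"{src} scanned {f['ports']} ports on {dst} between {f['start']} and "
              f"{f['end']} ({f['closed_ratio']:.0%} refused)")
```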
4. Common attack tools used by attackers
1. Attack tools:
For example: WinNuke makes the system blue-screen by exploiting the OOB (out-of-band data) vulnerability; Bonk makes the system restart by sending a large number of forged UDP packets; TearDrop crashes the system by sending overlapping IP fragments; WinArp makes the system restart by sending special packets; Land makes the system restart by sending a large number of SYN-based TCP requests with a forged source IP; FluShot freezes the system by sending a large number of ICMP packets; Bloo slows the system down or even freezes it by sending a large number of ICMP packets; PIMP makes the system blue-screen or even restart through an IGMP vulnerability; Jolt makes the system very slow or even restart through a large number of forged ICMP and UDP packets.
2. Trojan programs
(1) BO2000 (Back Orifice): the most comprehensive attack tool for the TCP/IP architecture. It can collect information, execute system commands, reset the machine, and redirect network client/server applications. BO2000 supports multiple network protocols; it can be transported over TCP or UDP, and can be encrypted with the XOR algorithm or the more advanced 3DES algorithm. Once infected with BO2000, the machine is completely under someone else's control. The hacker has become the superuser, and every one of your operations can be recorded onto "video tape" by the "hidden camera" that BO2000 has built in.
(2) "Glacier": Glacier is a domestic Trojan program with a simple Chinese interface, and only a few popular anti-virus products and firewalls can detect its presence. Its functions are not inferior to foreign Trojan programs. It can automatically track screen changes on the target machine and can completely simulate keyboard and mouse input. That is, while the controlled end's screen changes are synchronized to the monitoring end, all keyboard and mouse operations on the controlling end are reflected on the controlled end. It can record all kinds of password information, including boot passwords, screensaver passwords, passwords for various shared resources, and most passwords that appear in dialog boxes; it can obtain system information; it can also perform registry operations, including browsing keys, adding and deleting, copying, renaming, and reading and writing key values.
(3) NetSpy: it runs on Windows 95/98/NT/2000 and other platforms. It is nominally a simple TCP/IP-based file transfer program, but in fact it can be regarded as an enhanced FTP server with no permission control. Through it, the attacker can download and upload any file on the target machine without the user noticing, and can perform some special operations.
(4) Glacier: this program can automatically track screen changes on the target computer, obtain the target computer's login password and various other passwords, obtain the target computer's system information, restrict the target computer's system functions, arbitrarily operate on the target computer's files and directories, shut it down remotely, send messages, and perform other monitoring functions. Similar to BO2000.
(5) KeyboardGhost: Windows is an operating system based on a message loop (MessageLoop). The core of the system reserves certain bytes as a keyboard input buffer, whose data structure is a queue. By accessing this queue directly, KeyboardGhost records everything typed at the keyboard: your email address, proxy account and password (the one shown on screen as asterisks), and all the characters entered into any password window that displays asterisks, and it stores them in a hidden file in the system root directory.
(6) ExeBind: this program can bind a specified attack program to any widely distributed popular software, so that when the host program is executed, the parasitic program also runs in the background; it supports multiple bindings. In fact, it works by splitting the file multiple times and having the parent process call the child process multiple times.
5. Cyber Attack Response Strategies
Based on the above analysis and identification of cyber attacks, we should carefully formulate targeted strategies: identify what needs to be protected and set up a strong security guarantee system. Be targeted, set up defenses in the network layer by layer, let each layer of the network play its role, and make each layer a barrier, so that the attacker has no gap to slip through and no trick to play. It is also necessary to be prepared in advance: back up important data and always pay attention to the system's operating status. Here are a few suggestions for the many worrying cybersecurity issues.
1. Improve safety awareness
(1) Do not casually open emails and files of unknown origin, and do not run programs given to you by people you do not know well. For example, "Trojan horse" hacker programs need to trick you into running them.
(2) Try to avoid downloading unknown software and game programs from the Internet. Even software downloaded from well-known websites should be scanned promptly with the latest virus and Trojan detection software.
(3) Use mixed letters and digits for passwords as far as possible. Simple English words or numbers are easy to exhaust. Set different passwords for different uses, so that someone who finds one of them cannot use it to reach an important one. It is best to change important passwords frequently.
(4) Download and install system patches promptly.
(5) Do not run hacker programs casually; many of them send out your personal information when they run.
(6) On a BBS that supports HTML, if you come across a prompt asking you to submit something, look at the page source first; it is very likely a trap to steal your password.
2. Use anti-virus, anti-hacker and other firewall software.
A firewall is a barrier that prevents hackers on the network from accessing an organization's network; it can also be seen as a checkpoint controlling communication in both directions. It isolates the internal and external networks at the network boundary by setting up a corresponding communication monitoring system, and so prevents intrusion from the external network.
3. Set up a proxy server and hide your IP address.
It is important to protect your IP address. In fact, even if a Trojan program is installed on your machine, the attacker can do nothing without your IP address. The best way to protect the IP address is to set up a proxy server. A proxy server acts as an intermediary that relays requests from the external network for access to the internal network. Its function is similar to a data forwarder, and it mainly controls which users may access which types of service. When the external network requests a network service from the internal network, the proxy server accepts the request, and then decides whether to grant the service based on its type, its content, the object to be served, the time of the request, the requester's domain name range, and so on. If the request is accepted, it is forwarded to the internal network.
4. Treat anti-virus and anti-hacker protection as routine daily work: update anti-virus components regularly and keep the anti-virus software's real-time monitoring on at all times to prevent viruses thoroughly.
5. Since hackers often launch attacks on specific dates, computer users should be particularly alert during those periods.
6. Strictly protect important personal information and develop the habit of backing up your data.