In the field of network security, as hacker tools become ever more "point-and-click", the intrusion detection system (IDS) is steadily gaining importance. Only by deploying an IDS effectively in a network can we detect attackers' intrusion behaviour promptly and stop problems before they start. This article gives a comprehensive introduction to the concepts, behaviour and strategies of IDS in question-and-answer form, in the hope of helping administrators put IDS to use faster and better.
Q: What are the important kinds of IDS?
Depending on what they monitor, IDS come in many types. The following are several very important ones:
1、NIDS
NIDS is the abbreviation of network intrusion detection system. It is mainly used to detect intrusions by hackers or crackers arriving over the network.
There are two ways to run a NIDS. One is to run it on the target host, monitoring that host's own traffic; the other is to run it on a separate machine that monitors the traffic of all network devices, such as hubs and routers.
2、SIV
SIV is the abbreviation of system integrity verifier. It is mainly used to monitor whether important information such as system files or the Windows registry has been modified, in order to block the backdoor access an attacker sets up for later visits. SIVs mostly appear as tool software, such as Tripwire, which can detect changes in important system components but does not generate real-time alarms.
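The following is an added example of the SIV idea in working code; it is not the article's code and not Tripwire's. It records a baseline of hash, size and permission bits for every file under a directory, stores the baseline as JSON, and later reports which files were modified, added or removed. The directory tree, file contents and tampering in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

# Added example, not the article's or Tripwire's code: a minimal system
# integrity verifier. The sample tree built in demo() is constructed.

def hash_file(path):
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Record hash, size and permission bits of every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # symlinks and special files are out of scope here
            st = os.stat(path)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(path),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return baseline

def save_baseline(baseline, db_path):
    with open(db_path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)

def load_baseline(db_path):
    with open(db_path) as f:
        return json.load(f)

def verify(root, baseline):
    """Compare the current tree with the baseline; return what changed."""
    current = build_baseline(root)
    report = {"modified": [], "added": [], "removed": []}
    for rel, record in baseline.items():
        if rel not in current:
            report["removed"].append(rel)
        elif current[rel] != record:   # any of hash, size or mode differs
            report["modified"].append(rel)
    report["added"] = [rel for rel in current if rel not in baseline]
    for key in report:
        report[key].sort()
    return report

def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    root = tempfile.mkdtemp()
    etc = os.path.join(root, "etc")
    os.mkdir(etc)
    with open(os.path.join(etc, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(etc, "hosts"), "w") as f:
        f.write("127.0.0.1 localhost\n")
    # Keep the baseline database outside the monitored tree (ideally on read-only media).
    db_path = os.path.join(tempfile.mkdtemp(), "baseline.json")
    save_baseline(build_baseline(root), db_path)

    # Simulated tampering: an extra account line, a dropped file, a deleted file.
    with open(os.path.join(etc, "passwd"), "a") as f:
        f.write("extra:x:1001:1001::/home/extra:/bin/sh\n")
    with open(os.path.join(root, "dropped.sh"), "w") as f:
        f.write("#!/bin/sh\n")
    os.remove(os.path.join(etc, "hosts"))
    return verify(root, load_baseline(db_path))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two practical caveats follow from the design: the report is only as trustworthy as the baseline, so the JSON database must be created on a known-clean system and kept where an intruder on the monitored host cannot rewrite it, and because the check runs on demand rather than continuously, it confirms tampering after the fact rather than raising a real-time alarm, exactly as the article says of Tripwire.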
3、LFM
LFM is the abbreviation of log file monitor. LFMs are mainly used to monitor the log files generated by network services, and they judge intrusion behaviour by matching keywords in the log content. For example, searching an HTTP server's log files for the "phf" keyword (with a tool such as swatch) reveals whether a "phf" attack has been attempted.
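Here is an added example of the LFM approach, written for this page and not taken from the article or from swatch. It parses web-server log lines in Common Log Format and matches the requested path against a small signature table (the "phf" probe the article mentions plus a directory-traversal pattern). The log lines are constructed and use documentation IP addresses.

```python
import re

# Added example, not the article's or swatch's code. The log lines below are
# constructed in Common Log Format; the hosts are documentation addresses.
SAMPLE_LOG = """\
192.0.2.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326
198.51.100.9 - - [10/Oct/2000:13:55:40 -0700] "GET /cgi-bin/phf?Qalias=x HTTP/1.0" 404 210
192.0.2.5 - - [10/Oct/2000:13:56:01 -0700] "GET /images/logo.gif HTTP/1.0" 200 4521
198.51.100.9 - - [10/Oct/2000:13:56:12 -0700] "GET /../../../../etc/passwd HTTP/1.0" 400 0
"""

# Common Log Format: host ident authuser [time] "request" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Signature table: (name, pattern matched against the requested path).
SIGNATURES = [
    ("phf", re.compile(r"/cgi-bin/phf\b", re.I)),
    ("directory traversal", re.compile(r"(?:\.\./){2,}")),
]

def parse_line(line):
    """Return the fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None

def scan_log(text):
    """Run every signature over every parseable line; return a list of alerts."""
    alerts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # malformed lines are skipped rather than trusted
        for name, pattern in SIGNATURES:
            if pattern.search(rec["path"]):
                alerts.append({
                    "line": lineno,
                    "host": rec["host"],
                    "signature": name,
                    "path": rec["path"],
                    "status": int(rec["status"]),
                })
    return alerts

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("line %(line)d: %(signature)s from %(host)s -> %(path)s (%(status)d)" % alert)
```

Note that a matching request is reported whether the server answered 404 or 200: a probe for a script that does not exist is still worth knowing about, because it tells you who is looking. In production the same `scan_log` would be fed the lines appended to the log since the last run rather than the whole file.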
4、Honeypots
A honeypot system, also called a deception system, is a deliberately vulnerable system that offers hackers an easy target by simulating one or more vulnerable hosts. Since a honeypot has no other tasks to perform, every attempt to connect to it should be considered suspicious. Another use of honeypots is to delay attackers' attacks on their real targets: the attacker wastes time on the honeypot while the original target is protected and the truly valuable content is left untouched. One of the original purposes of honeypots was to collect evidence for prosecuting malicious hackers, which is rather like setting a trap.
Q: Who is the intruder?
We usually call intruders hackers, but in fact this is inaccurate. Roughly speaking, a hacker discovers system vulnerabilities and patches them, while a cracker is the intruder who exploits vulnerabilities to seize systems and cause damage. To avoid confusing readers, I will simply say intruder here. Generally speaking, intruders fall into two categories: internal and external. Internal intruders usually use social engineering to steal accounts they are not authorised to use and act illegally with them, for example by using other people's machines or impersonating a director or manager; external intruders must use certain attack techniques to probe and discover weaknesses before carrying out sabotage.
One thing to remember: statistics show that 80% of intrusions come from within.
Q: How does an intruder get into the system?
There are three main ways:
1. Physical intrusion
This refers to an intruder physically reaching a machine to carry out sabotage, for example walking into the computer room when nobody is watching and quickly trying a few keystrokes to break into the operating system, or opening the machine's case with pliers and a screwdriver and "borrowing" the hard drive to install in another machine for in-depth study.
2. System intrusion
This refers to sabotage carried out by an intruder who holds a low-privileged account on the system. Generally, if the system has not been patched promptly with the most recent fixes, a user with low privileges may exploit system vulnerabilities to obtain higher administrative privileges.
3. Remote intrusion
This refers to an intruder infiltrating a system over the network. In this case the intruder usually has no special privileges at all; they first need to discover the target by means such as vulnerability scanning or port scanning, and then use the relevant techniques to carry out sabotage. NIDS mainly targets this kind of intrusion.
Q: Why can an intruder break into the system?
Flies do not land on seamless eggs, as the saying goes: intruders break in by finding a crack in a complex computer network. So understanding where these cracks may lie is crucial to patching them. Generally, the cracks show up as bugs in software, improper system configuration, password theft, plaintext communication being sniffed, and flaws in the original design.
1. Bugs in software
Whether it is a server program, client software or an operating system, anything written in code will have bugs of varying severity. Bugs fall mainly into the following categories:
Buffer overflow: the intruder enters a string longer than the specified length into one of the program's input fields. The excess part is usually the attack code the intruder wants to execute; because the program's author does not check the input length, the extra attack code ends up occupying the memory beyond the input buffer and being executed. Don't assume that reserving 200 characters for the login username is enough and skip the length check. As the saying goes, guard against villains, not gentlemen: intruders will try every possible means to attack.
Unexpected combined use: a program is often composed of multiple layers of code with different functions, and may even reach down to the operating system itself. Intruders exploit this by feeding input that means something different to each layer, in order to steal information. For example, against a program written in Perl, the intruder can enter a string such as "| mail < /etc/passwd" into one of the program's input fields, so that Perl makes the operating system invoke the mail program and send the important password file out to the intruder. A "letter" delivered courtesy of mail!
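To make the "different meaning at each layer" point concrete, here is an added example (not from the article) that transposes the Perl pipe problem to Python. `unsafe_command` shows the vulnerable pattern of splicing user text into a command line destined for a shell; it only returns the string so that you can see what the shell would interpret. `safe_read` and `safe_run_external` are the hardened forms: the name is validated against an allowlist, confined to a base directory, and then either opened directly or passed as a single argv element so that no shell ever parses it. The function names, the allowed-character rule and the sample file are assumptions made for this example.

```python
import os
import re
import subprocess
import sys
import tempfile

# Added example, not from the article: the Perl pipe-open problem transposed
# to Python. Function names and the allowed-name rule are assumptions.

def unsafe_command(user_input):
    """Vulnerable pattern: user text is spliced into a command line that would be
    handed to a shell (shell=True). Returned rather than executed, so the reader
    can see exactly what the shell would parse."""
    return "cat " + user_input

SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")

def validate_name(base_dir, user_input):
    """Allowlist check plus confinement to base_dir. Raises ValueError on anything
    that is not a plain file name inside base_dir."""
    if not SAFE_NAME.fullmatch(user_input) or user_input in (".", ".."):
        raise ValueError("rejected filename: %r" % user_input)
    path = os.path.realpath(os.path.join(base_dir, user_input))
    if os.path.dirname(path) != os.path.realpath(base_dir):
        raise ValueError("path escapes base directory")
    return path

def safe_read(base_dir, user_input):
    """Hardened form 1: no external program at all, just open the validated path."""
    with open(validate_name(base_dir, user_input)) as f:
        return f.read()

def safe_run_external(base_dir, user_input):
    """Hardened form 2: when an external program really is needed, pass an argv
    list. The argument reaches the child verbatim; '|', '<' and ';' carry no
    meaning because no shell is involved. (A tiny Python one-liner stands in for
    the external program so the example runs anywhere.)"""
    path = validate_name(base_dir, user_input)
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(open(sys.argv[1]).read(), end='')", path],
        capture_output=True, text=True, check=True,
    )
    return result.stdout

def demo():
    """Constructed scenario: one legitimate file, one hostile input string."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "report.txt"), "w") as f:
        f.write("quarterly figures\n")
    hostile = "| mail < /etc/passwd"   # the article's example input
    try:
        safe_read(base, hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "shell_would_see": unsafe_command(hostile),
        "rejected": rejected,
        "ok_read": safe_read(base, "report.txt"),
        "ok_external": safe_run_external(base, "report.txt"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", repr(value))
```

The allowlist is deliberately strict: rejecting everything except a short set of safe characters is simpler to reason about than trying to escape each shell metacharacter, and it catches path tricks (`..`) as well as pipe and redirection symbols.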
Failure to check input: some programmers cannot be bothered to check input as they should, which makes the intruder's job easy.
Race conditions: multi-tasking and multi-threaded programs are more and more common. While they improve efficiency, attention must also be paid to race conditions. For example, programs A and B both operate on a file in the order "read/change/write". After A has finished reading and modifying, B immediately carries out all of its own "read/change/write" work. A then continues with its write, and the result is that one program's update is lost! Intruders may exploit this flaw in processing order to rewrite certain important files and so break into the system. Programmers should therefore pay attention to the ordering of file operations and to locking.
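The lost-update race described above, as an added example that is not part of the article. Two workers each add 1 to a counter kept in a file using read/change/write; events force exactly the interleaving the text describes (A reads and changes, B does its whole read/change/write, A writes). Without a lock one update is lost and the file ends at 1; with the lock held across the whole read/change/write, B cannot start until A has written, and the file ends at 2. The file location and the worker names are assumptions.

```python
import contextlib
import os
import tempfile
import threading

# Added example, not from the article: the read/change/write race forced
# deterministically with events, first without and then with a lock.

def _read(path):
    with open(path) as f:
        return int(f.read())

def _write(path, value):
    with open(path, "w") as f:
        f.write(str(value))

def run_race(use_lock):
    """Two workers each add 1 to a counter file. Returns the final value:
    2 if both updates survive, 1 if one was lost to the race."""
    path = os.path.join(tempfile.mkdtemp(), "counter")
    _write(path, 0)
    lock = threading.Lock()
    # The same guard object wraps the whole read/change/write in both workers.
    guard = lock if use_lock else contextlib.nullcontext()
    a_has_read = threading.Event()
    b_finished = threading.Event()

    def worker_a():
        with guard:
            value = _read(path) + 1            # read + change
            a_has_read.set()
            if not use_lock:
                b_finished.wait(timeout=5)     # let B's whole update land in between
            _write(path, value)                # write (stale without the lock)

    def worker_b():
        a_has_read.wait(timeout=5)
        with guard:                            # with the lock: blocks until A has written
            _write(path, _read(path) + 1)
        b_finished.set()

    threads = [threading.Thread(target=worker_a), threading.Thread(target=worker_b)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return _read(path)

if __name__ == "__main__":
    print("without lock:", run_race(False))   # one update lost
    print("with lock:   ", run_race(True))    # both updates kept
```

A `threading.Lock` only protects threads inside one process; when the competing writers are separate programs, as in the article's example, the equivalent is an advisory file lock (for example `fcntl.flock` on POSIX) held for the whole read/change/write, and the file should be replaced atomically (write to a temporary file, then rename) so that a reader never sees a half-written version.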
2. Improper system configuration
Weak defaults: many systems come with a default security configuration after installation that is usually described as "easy to use". Unfortunately, easy to use also means easy to break into, so the default configuration must be abandoned.
Administrator laziness: one manifestation of laziness is leaving the administrator password empty after installing the system and never changing it. Bear in mind that the first thing an intruder does is search the network for administrator accounts with empty passwords.
Temporary ports: sometimes, for testing purposes, an administrator opens a temporary port on a machine and then forgets to close it after the test, which gives the intruder a hole to find and a leak to exploit. The usual rule is: close a port unless it is a must! Generally, security audit packets can be used to discover such ports and notify administrators.
Trust relationships: systems in a network often establish trust relationships to facilitate resource sharing, but this also gives intruders a way to attack indirectly, using one system as a lever against another. For example, once one machine in a trust group is compromised, it becomes possible to go on to attack the others. Therefore trust relationships must be strictly reviewed to ensure a genuinely secure alliance.
3. Password theft
Weak passwords: even though a password is set, it is simplistic, and a cunning intruder can crack it with a puff of breath.
Dictionary attack: the intruder uses a program that draws on a dictionary database of usernames and passwords to keep trying to log in to the system until it succeeds. Needless to say, the key to this approach is a good dictionary.
Brute-force attack: similar to a dictionary attack, but the dictionary is dynamic, that is, it contains every possible combination of characters. For example, a 4-character password of upper- and lower-case letters has about 500,000 combinations, and a 7-character password of upper- and lower-case letters and punctuation has about 10 trillion. For the latter, a computer needs roughly several months to try them all. Now you see the benefit of long passwords: it really is a big deal!
4. Sniffing unencrypted communication data
Shared media: a traditional Ethernet makes it very convenient for an intruder to place a sniffer on the network and view all the traffic on the segment; if a switched Ethernet is used instead, sniffing becomes very difficult.
Server sniffing: switched networks also have a clear weakness. An intruder can install sniffer software on a server, especially one that also acts as a router, and then use the information it collects to break into client machines and trusted machines. For example, even without knowing a user's password, the intruder can sniff the password the user types when logging in with Telnet.
Remote sniffing: many devices have an RMON (remote monitoring) function so that administrators can debug remotely using public community strings. With the growing popularity of broadband, intruders are taking more and more interest in this backdoor.
5. Defects in the original design of TCP/IP
Even if the software is written without bugs and the program executes its steps correctly, flaws in the original design can still let an intruder attack. The TCP/IP protocol suite is now widely used and popular, but it was designed long ago, before intruders were rampant, so many shortcomings inevitably show up as security vulnerabilities, such as smurf attacks, ICMP Unreachable packets used to tear down connections, IP address spoofing, and SYN flooding. The biggest problem, however, is that the IP protocol is very easy to tamper with: an intruder can forge and modify IP packets at will without being discovered. Fortunately, the IPsec protocol has been developed to overcome this shortcoming.
Q: How do intruders get passwords?
1. Sniffing plaintext passwords
A large number of communication protocols such as Telnet, FTP and basic HTTP use plaintext passwords, meaning they travel between client and server over the network unencrypted. An intruder can view them simply with a protocol analyser, then work out the login sequence and become a clone of the real user.
2. Sniffing encrypted passwords
Of course, more and more protocols transmit passwords in encrypted form. Then the intruder must use a dictionary or brute-force attack to recover them. Note that we cannot detect the intruder's eavesdropping, because he is entirely passive, hiding in the dark and sending nothing onto the network; his machine is only used to analyse the captured password information.
3. Replay attack
This is another indirect method: the intruder does not need to decrypt the password at all; what is needed is to modify the client software so that it uses the captured encrypted password to log in to the system.
4. Stealing password files
Passwords are usually kept in a separate file. For example, the UNIX password file is /etc/passwd (or possibly a mirror of that file), and the Windows NT password file is /winnt/system32/config/sam. Once an intruder obtains the password file, he can run a cracking program against it to find the weak passwords it contains.
5. Observation
Because passwords are complex, users may write them on a piece of paper and slip it under the keyboard for easy reference, or fail to notice a "spectator" standing behind them while they type. Intruders have very good eyes and memories, and such habits are easy pickings for them. So do not ignore the intruder's eyes!
6. Social Engineering
As mentioned earlier, social engineering refers to stealing accounts by overt rather than technical means and using them illegally, for example by using other people's machines, or impersonating a director or manager to win an administrator's trust and obtain a password. Remember: if someone asks for your password, whatever reason he gives, once an incident involving that password occurs, that person is the number one suspect!
Q: What are the typical intrusion scenarios?
An intrusion scenario describes the aspects and steps an intruder goes through in trying to attack a system. A typical scenario looks like this:
1. External reconnaissance
Know yourself and know your enemy, and you will never be defeated in a hundred battles. The first step of an attack is to research the target by every available means in order to gather sufficient information. Methods include using the whois tool to obtain network registration information, using nslookup or dig to query DNS tables and determine machine names, and searching public news about the company. The target is completely unaware of this step.
2. Internal analysis
Once the target's basic attributes (site address, host names) are determined, the intruder analyses them in depth. Methods include crawling every web page looking for CGI vulnerabilities, using ping to find which machines are "alive" one by one, and running UDP/TCP scans against the target machine to find out which services are available. These are normal network operations and cannot be treated as intrusions in themselves, but a NIDS can tell the administrator: "Someone is rattling the door handle..."
3. Vulnerability exploitation
Now the real work begins! There are many ways to cause damage; here are a few: testing the security of CGI scripts by entering shell command strings into input fields; sending large amounts of data to see whether the notorious buffer overflow vulnerability is present; trying simple passwords to get past the login. Of course, a mix of methods is the only route to success.
4. Gaining a foothold
Once intruders have successfully broken into one machine on the network, they can be said to have a foothold. What they need to do now is hide the traces of the intrusion and create a backdoor for future attacks. This means tampering with log files or other system files, installing * programs, or replacing system files with backdoored versions. At this point the SIV (system integrity verifier) will notice the changes to these files. Since security measures are usually weaker on the internal network, the intruders then use this first machine as a springboard to attack other machines on the network and find the next place to settle.
5. Enjoying the results
At this point the intruder has essentially completed the attack, and all that remains is to enjoy the results: freely using the stolen secret files, abusing system resources, defacing web pages, or even using your machine as a springboard to attack others.
The above describes the usual behaviour of a purposeful intruder. There is also an intrusion scenario usually called a "birthday attack". I take the name to evoke receiving gifts from many acquaintances and strangers on one's birthday, except that here the word "attack" must be put in front of the gift. The general steps of a birthday attack are: pick an Internet address at random; look for any given vulnerability; if it is present, attack using the known exploit method.
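The "someone is rattling the door handle" message from step 2, and the honeypot rule from the first question that any connection to a decoy is suspicious, can both be produced by a small detector like the following. This is an added example written for this page, not the article's code and not that of any NIDS product. It consumes connection-attempt records (time, source, destination, port), keeps a sliding window per source, and raises one alert when a source touches many distinct ports on one host (the UDP/TCP scan of step 2), many hosts on one port (the random-address probing of the "birthday attack"), or a honeypot address at all. The thresholds, window, honeypot address and event records are constructed assumptions.

```python
from collections import defaultdict, deque

# Added example, not from the article: a small scan/sweep detector of the kind a
# NIDS uses to report "someone is rattling the door handle". Thresholds, the
# honeypot address and the event records are constructed assumptions.

HONEYPOTS = {"192.0.2.99"}   # decoy host: any contact is suspicious by definition

# (epoch seconds, source IP, destination IP, destination port) - constructed records
SAMPLE_EVENTS = [
    (100.0, "192.0.2.5", "192.0.2.10", 80),
    (101.0, "192.0.2.5", "192.0.2.10", 443),       # normal browsing: two ports
    (130.0, "198.51.100.7", "192.0.2.10", 21),
    (130.2, "198.51.100.7", "192.0.2.10", 22),
    (130.4, "198.51.100.7", "192.0.2.10", 23),
    (130.6, "198.51.100.7", "192.0.2.10", 25),
    (130.8, "198.51.100.7", "192.0.2.10", 80),     # 5th distinct port: vertical scan
    (131.0, "198.51.100.7", "192.0.2.10", 110),
    (200.0, "203.0.113.3", "192.0.2.1", 445),
    (200.5, "203.0.113.3", "192.0.2.2", 445),
    (201.0, "203.0.113.3", "192.0.2.3", 445),
    (201.5, "203.0.113.3", "192.0.2.4", 445),
    (202.0, "203.0.113.3", "192.0.2.6", 445),      # 5th host on one port: horizontal sweep
    (250.0, "203.0.113.3", "192.0.2.99", 22),      # touches the honeypot
]

class ScanDetector:
    def __init__(self, window=60.0, port_threshold=5, host_threshold=5, honeypots=HONEYPOTS):
        self.window = window
        self.port_threshold = port_threshold
        self.host_threshold = host_threshold
        self.honeypots = honeypots
        self.history = defaultdict(deque)   # src -> deque of (t, dst, port) inside the window
        self.alerted = set()                # (src, kind, target) already reported
        self.alerts = []

    def observe(self, t, src, dst, port):
        """Feed one connection attempt; alerts accumulate in self.alerts."""
        if dst in self.honeypots:
            self._alert(src, "honeypot contact", dst, 1)
        history = self.history[src]
        history.append((t, dst, port))
        while history and t - history[0][0] > self.window:
            history.popleft()               # slide the window forward
        ports_per_host = defaultdict(set)
        hosts_per_port = defaultdict(set)
        for _, d, p in history:
            ports_per_host[d].add(p)
            hosts_per_port[p].add(d)
        for d, ports in ports_per_host.items():
            if len(ports) >= self.port_threshold:
                self._alert(src, "vertical scan", d, len(ports))
        for p, hosts in hosts_per_port.items():
            if len(hosts) >= self.host_threshold:
                self._alert(src, "horizontal sweep", p, len(hosts))

    def _alert(self, src, kind, target, count):
        key = (src, kind, target)
        if key in self.alerted:
            return                          # report each finding once, not per packet
        self.alerted.add(key)
        self.alerts.append({"src": src, "kind": kind, "target": target, "count": count})

def run_detector(events):
    """Replay events in time order through a fresh detector; return its alerts."""
    detector = ScanDetector()
    for event in sorted(events):
        detector.observe(*event)
    return detector.alerts

if __name__ == "__main__":
    for alert in run_detector(SAMPLE_EVENTS):
        print("%(kind)s from %(src)s -> %(target)s (%(count)d)" % alert)
```

The window and thresholds are the tuning knobs: too low and every busy client looks like a scanner, too high and a patient intruder who probes one port a minute slips under them, which is why real NIDS keep longer windows for low-rate sources and why the honeypot rule is valuable, since it needs no threshold at all.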