What is a proxy? What does a CDN do? What are the offensive and defensive points of network security?
1. Proxies
1.1. Proxy server (Proxy Server)
Characteristics: it does not produce content itself; it sits in the middle and forwards requests and responses between the downstream client and the upstream server.
- Facing the downstream client, it acts as the server (forward proxy)
- Facing the upstream server, it acts as the client (reverse proxy)
1.1.1. Forward proxy
The object being proxied is the client.
Functions:
- Hiding the client's identity
- The network request is made with the proxy server's IP, so the client IP is not exposed (though it can in fact still be obtained, as you know!!).
- Circumventing firewalls (breaking through access restrictions)
- For example, the commonly used "scientific Internet access" (censorship-circumvention) tools work this way
- Internet access control
- The router allows only a designated server to access the Internet; other clients can only reach the Internet through that server, which decides whether a client may exchange data by checking its IP address
- Data filtering
- The proxy server parses the data content according to rules and decides whether to filter it
- ...
Free forward proxies: ip.jiangxianli.com, https://www.kuaida…
1.1.2. Reverse proxy
The object being proxied is the server.
Functions:
- Hiding the server's identity
- Security protection
- Load balancing
- ...
The load balancing server in the figure above is a reverse proxy that serves the servers. When a user accesses the designated server, the data is forwarded by the load balancing server. This not only hides the identity of the real servers but also uses scheduling algorithms to keep the servers running stably.
1.1.3. Proxy server-related header fields
- Via: the host name (or pseudonym) of each proxy server the message passed through
- X-Forwarded-For: the IP addresses of the hops that forwarded the request
- X-Real-IP: the real IP address of the client
Header values at each step of the figure (client 14.14.14.14 → proxy 1 → proxy 2 → server):
① At proxy 1: Via: proxy 1; X-Forwarded-For: 14.14.14.14; X-Real-IP: 14.14.14.14
② At proxy 2: Via: proxy 1, proxy 2; X-Forwarded-For: 14.14.14.14, 220.11.11.11; X-Real-IP: 14.14.14.14
③ Via: proxy 2
④ Via: proxy 2, proxy 1
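The header chain above is built by each proxy appending to it, which means an origin server must not simply trust the leftmost X-Forwarded-For entry: that entry is whatever the client itself sent. The following example is added here and is not code from the original article; it reconstructs the two-proxy chain of the figure (addresses assumed: proxy 1 forwards from 220.11.11.11, proxy 2 reaches the origin from the made-up internal address 10.0.0.5, and `TRUSTED_PROXIES` lists the proxies we operate) and then resolves the client IP by walking the chain from the trusted side.

```python
import ipaddress

# Assumed addresses for the chain in the text: the client is 14.14.14.14,
# proxy 1 forwards from 220.11.11.11 and proxy 2 reaches the origin from
# 10.0.0.5 (a made-up internal address). Only proxies we operate are trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("220.11.11.11/32"),
                   ipaddress.ip_network("10.0.0.0/8")]


def split_list(header_value):
    """Split a comma-separated header value into its non-empty elements."""
    return [v.strip() for v in header_value.split(",") if v.strip()]


def proxy_forward(headers, peer_ip, via_id):
    """What each proxy in the text does before forwarding the request:
    append the address it received the request from to X-Forwarded-For,
    append its own identifier to Via (RFC 7230 form: '<protocol> <pseudonym>'),
    and set X-Real-IP once, at the first hop, to the original client."""
    out = dict(headers)
    out["X-Forwarded-For"] = ", ".join(split_list(out.get("X-Forwarded-For", "")) + [peer_ip])
    out["Via"] = ", ".join(split_list(out.get("Via", "")) + [via_id])
    out.setdefault("X-Real-IP", peer_ip)
    return out


def naive_client_ip(headers):
    """The common mistake: trust the leftmost X-Forwarded-For entry, which is
    whatever the client chose to send."""
    entries = split_list(headers.get("X-Forwarded-For", ""))
    return entries[0] if entries else None


def client_ip(remote_addr, headers):
    """Walk the chain from the right (the TCP peer we actually talked to) and
    return the first hop that is not one of our trusted proxies. Entries to
    the left of that hop were supplied by untrusted parties and are ignored."""
    hops = split_list(headers.get("X-Forwarded-For", "")) + [remote_addr]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: caller should fall back to remote_addr
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None  # every hop was one of our own proxies


def demo(client_sent_xff=None):
    """Build the two-proxy chain from the text and resolve the client IP.
    client_sent_xff is a header value the client itself supplied, if any."""
    req = {} if client_sent_xff is None else {"X-Forwarded-For": client_sent_xff}
    req = proxy_forward(req, "14.14.14.14", "1.1 proxy1")   # proxy 1 sees the client
    req = proxy_forward(req, "220.11.11.11", "1.1 proxy2")  # proxy 2 sees proxy 1
    return req, client_ip("10.0.0.5", req), naive_client_ip(req)


if __name__ == "__main__":
    headers, resolved, naive = demo(client_sent_xff="1.2.3.4")
    print(headers)
    print("resolved:", resolved, "naive:", naive)
```

With no client-supplied header both methods agree on 14.14.14.14; once the client sends its own X-Forwarded-For value, the naive method reports that value while the trusted-hop walk still reports 14.14.14.14. The same walk is what a reverse proxy or application should use before making access-control or rate-limit decisions on a client address.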
1.2. Principle of the packet capture tool
Packet capture tools such as Fiddler and Charles work by enabling a forward proxy service on the client: the client's traffic is routed through the tool, which can then read and display it.
Wireshark is not a proxy. Instead, it uses low-level drivers to capture the data that flows through the network adapter.
2. CDN
CDN: Content Delivery Network, or Content Distribution Network.
Function: use the server closest to each user to deliver music, pictures, videos and other resource files (generally static resources) to users faster and more reliably.
Before the advent of CDN, all content was fetched from one server:
After the emergence of CDN, the content is fetched from the server nearest to the user:
Comparison:
CDN operators have set up data centres in major hub cities across the country and even the world. A large number of nodes with high storage and bandwidth are deployed to build a private network that spans carriers and regions. The content owner pays a fee to the CDN operator, which delivers its content to the end user.
For example, introducing jQuery through a CDN:
```html
<script src="https://cdn.bootcdn.net/ajax/libs/jquery/3.5.1/jquery.min.js"></script>
<script>
  $(() => {
    $(document.body).css('background', '#f00')
  })
</script>
```
Here the domain name contains "cdn": the file is served by a CDN server rather than by the site's own origin.
3. Network security
Four security threats in network communication:
- Interception: eavesdropping on communication content
- Interruption: interrupting network communication
- Tampering: modifying communication content
- Forgery: fabricating communication content
3.1. Network layer - ARP spoofing
ARP spoofing is also known as ARP poisoning, ARP virus, or ARP attack.
ARP spoofing can have the following effects:
- Allows an attacker to obtain data packets on the LAN and even tamper with them
- Software that blocks communication between specific computers on the network (e.g., tools such as "network enforcer")
- Lets traffic destined for a particular IP address be mistakenly sent to the attacker, who takes that host's place
- ...
Example of the core steps of ARP spoofing:
- Assume that host C is the attacker and hosts A and B are the victims
- As long as C receives the ARP requests from A and B, it has the IP and MAC addresses of A and B and can carry out the spoofing
- C sends an ARP response to B, setting the source IP address of the response packet to A's IP address and the source MAC address to C's MAC address
- After receiving the ARP response, B updates its ARP table, changing A's entry from (IP_A, MAC_A) to (IP_A, MAC_C)
- When B wants to send a packet to A, it builds the frame header from its ARP table and sets the destination MAC address to MAC_C instead of MAC_A
- When the switch receives the packet from B to A, it forwards it to C based on the packet's destination MAC address (MAC_C)
- After receiving the packet, C can save it and then send it on to A, achieving eavesdropping; C can also tamper with the data before sending the packet on to A
ARP spoofing protection:
- Use static ARP entries
- Use DHCP snooping
- Network devices can use DHCP to record the MAC addresses of computers on the network and detect forged ARP packets
- Use software that detects abnormal changes in ARP bindings
- ...
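The last two protections above amount to keeping a record of which MAC answers for which IP and reacting when that changes. The following detector is an added example, not code from the original article: it replays a constructed list of observed ARP replies (all addresses made up; 192.168.1.1 plays the gateway, 192.168.1.10 plays host A, and cc:cc:cc:cc:cc:66 plays host C's MAC, mirroring the scenario in the text), reports any IP whose MAC binding changes, notes when one MAC starts answering for several IPs, and shows how a static entry makes the contradicting reply get reported and ignored instead of accepted.

```python
from collections import defaultdict

# Constructed sample of ARP replies observed on a LAN, as
# (seconds, sender IP, sender MAC). All MACs are made up. 192.168.1.1 plays the
# gateway, 192.168.1.10 plays host A, and cc:cc:cc:cc:cc:66 is host C's MAC.
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "AA:AA:AA:AA:AA:01"),
    (1.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),
    (2.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),  # same binding again: normal
    (3.0, "192.168.1.1",  "cc:cc:cc:cc:cc:66"),  # gateway IP now claimed by C's MAC
    (3.5, "192.168.1.10", "cc:cc:cc:cc:cc:66"),  # A's IP also claimed by C's MAC
]


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP replies and raise an alert when a
    binding changes. Entries passed as `static` behave like static ARP: a reply
    that contradicts them is reported and ignored."""

    def __init__(self, static=None):
        static = {ip: mac.lower() for ip, mac in (static or {}).items()}
        self.table = dict(static)                 # IP -> MAC we currently believe
        self.static = set(static)
        self.owners = defaultdict(set)            # MAC -> set of IPs it claims
        for ip, mac in static.items():
            self.owners[mac].add(ip)
        self.alerts = []

    def observe(self, ts, ip, mac):
        mac = mac.lower()                         # MACs compare case-insensitively
        known = self.table.get(ip)
        if known is None:                         # first time we see this IP
            self.table[ip] = mac
            self.owners[mac].add(ip)
            return None
        if known == mac:                          # unchanged binding
            return None
        if ip in self.static:
            alert = f"t={ts}: static entry {ip} ({known}) contradicted by {mac}; reply ignored"
        else:
            self.table[ip] = mac
            self.owners[known].discard(ip)
            self.owners[mac].add(ip)
            alert = f"t={ts}: {ip} changed {known} -> {mac}"
            if len(self.owners[mac]) > 1:         # one MAC answering for several IPs
                alert += f" (this MAC now claims {sorted(self.owners[mac])})"
        self.alerts.append(alert)
        return alert


def watch(replies, static=None):
    """Feed a list of observed replies through the detector and return it."""
    w = ArpWatch(static)
    for ts, ip, mac in replies:
        w.observe(ts, ip, mac)
    return w


if __name__ == "__main__":
    for line in watch(SAMPLE_REPLIES).alerts:
        print(line)
    print("--- with the gateway pinned as a static entry ---")
    for line in watch(SAMPLE_REPLIES, static={"192.168.1.1": "aa:aa:aa:aa:aa:01"}).alerts:
        print(line)
```

Without the static entry the detector accepts the new gateway binding and can only report it; with the gateway pinned, the contradicting reply is reported and the table keeps the correct MAC, which is exactly the difference between "detect abnormal changes" and "use static ARP" in the list above. A real deployment would feed `observe()` from a packet capture rather than from a constructed list.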
3.2. DoS and DDoS
A denial-of-service (DoS) attack exhausts the network or system resources of the target computer and temporarily interrupts or stops its services, so that normal users cannot access it.
DoS attacks can be divided into two categories:
- Bandwidth-consuming: UDP flood and ICMP flood attacks
- Data is continuously sent to the server over UDP or ICMP, occupying the server's bandwidth; as a result the server is overloaded and breaks down
- Resource-consuming: SYN flood and LAND attacks
Distributed denial-of-service (DDoS) attack: the attacker uses two or more compromised computers on the network as "zombies" to launch DoS attacks against a specific target.
In March 2018, GitHub was hit by the largest DDoS attack seen to that date.
3.2.1. Transport layer - SYN flood attack
SYN flood attack: the attacker sends a series of SYN requests to the target and then drains its resources by leaving the target waiting for ACKs (the third handshake) that never arrive.
Attack methods:
- Skip sending the final ACK message
- Change the source IP address so that the target sends its SYN-ACK to the forged IP address and can never receive an ACK (third handshake)
Defense: see RFC 4987
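One of the mitigations catalogued in RFC 4987 is SYN cookies: instead of allocating state for every half-open connection, the server encodes what it needs into the initial sequence number of its SYN-ACK and recovers it from the client's final ACK. The following is an added, simplified illustration of that idea and is not code from the article or from any real TCP stack (the cookie layout, the MSS table and the 64-second counter are assumptions of this example; a real implementation also mixes in the client's sequence number and rotates its secrets).

```python
import hashlib
import hmac
import os

# Stateless SYN cookies in the spirit of RFC 4987, simplified for illustration.
# Assumed 32-bit cookie layout for this example: top 5 bits = time counter,
# next 3 bits = MSS index, low 24 bits = keyed hash of the 4-tuple and counter.
SECRET = os.urandom(16)               # per-process key; a real stack rotates it
MSS_TABLE = [536, 1024, 1440, 1460]   # MSS values that can be encoded in 3 bits
COUNTER_PERIOD = 64                   # seconds per counter tick


def _counter(now):
    return (int(now) // COUNTER_PERIOD) & 0x1F


def _tag(saddr, daddr, sport, dport, counter):
    msg = f"{saddr}|{daddr}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")        # 24-bit truncation


def make_cookie(saddr, daddr, sport, dport, client_mss, now):
    """Build the ISN to send in the SYN-ACK. Nothing is stored for the half-open
    connection; everything needed later is encoded in the number itself."""
    counter = _counter(now)
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            mss_idx = i                             # largest table value <= client's
    return (counter << 27) | (mss_idx << 24) | _tag(saddr, daddr, sport, dport, counter)


def check_cookie(saddr, daddr, sport, dport, ack_number, now, max_age_ticks=1):
    """Validate the final ACK of the handshake. Returns the MSS to use for the
    connection, or None if the cookie is forged, stale, or for another 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF          # the ACK acknowledges ISN + 1
    counter = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (_counter(now) - counter) & 0x1F
    if age > max_age_ticks:
        return None                                 # too old: reject without state
    expected = _tag(saddr, daddr, sport, dport, counter).to_bytes(3, "big")
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected):
        return None                                 # hash mismatch: not our cookie
    return MSS_TABLE[mss_idx]


def handshake_demo():
    """Server side of one handshake: SYN arrives, cookie goes out, ACK returns.
    Returns (MSS for a valid ACK, result for a stale ACK, result for a wrong port)."""
    syn = dict(saddr="14.14.14.14", daddr="10.0.0.1", sport=40000, dport=80)
    isn = make_cookie(**syn, client_mss=1460, now=1000)
    accepted = check_cookie(**syn, ack_number=isn + 1, now=1010)
    stale = check_cookie(**syn, ack_number=isn + 1, now=1000 + 3 * COUNTER_PERIOD)
    other = check_cookie(**{**syn, "sport": 40001}, ack_number=isn + 1, now=1010)
    return accepted, stale, other


if __name__ == "__main__":
    print(handshake_demo())
```

Because the server keeps no per-SYN state, a flood of SYNs (with or without forged source addresses) costs it only the hash computation per packet, and only clients that complete the handshake with a valid cookie consume a connection slot. The cost is the loss of TCP options that do not fit in the cookie, which is why stacks typically switch cookies on only once the SYN backlog fills.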
3.2.2. Transport layer - LAND attack
LAND attack (Local Area Network Denial attack): by continuously sending spoofed packets whose source address and destination address are the same, the target is made to try to establish a connection with itself, consuming system resources until it crashes.
Some systems have design flaws that let a device accept and respond to packets from the network that claim to come from the device itself, leading to a loop of replies.
Protection:
- Most firewalls can block such attack packets to protect the system
- Some operating systems have fixed the vulnerability with security patches
- Routers should be configured with both upstream and downstream filters that block all packets whose source IP address equals the destination IP address
3.3. DoS and DDoS defense
The defense approaches are intrusion detection, traffic filtering, and multiple authentication: traffic that would saturate the network bandwidth is filtered out, while normal traffic is allowed through.
Firewalls: a firewall can apply rules such as allowing or denying specific protocols, ports, or IP addresses.
- When an attack originates from a few abnormal IP addresses, a simple reject rule can block all traffic from those source addresses
- Complex attacks cannot be blocked by simple rules; for example, when port 80 is attacked, all traffic on that port cannot be denied because legitimate traffic would be blocked too
- Firewalls may sit deep in the network architecture, so routers may already be affected by the malicious traffic before it reaches the firewall
Switches: most switches have some rate-limiting and access control capabilities.
Routers: like switches, routers have certain rate-limiting and access control capabilities.
Black hole routing: all traffic to the attacked computer is routed to a "black hole" (a null interface or a nonexistent address), or to a network equipment vendor with enough capacity to absorb the flood, to avoid a wider network outage.
Traffic scrubbing: traffic is sent to a DDoS scrubbing centre, where anti-DDoS software separates normal traffic from malicious traffic; the normal traffic is injected back to the customer's website.
3.4. Application layer - DNS hijacking
DNS hijacking, also known as domain name hijacking: an attacker modifies the resolution result of a domain name so that the IP address the domain points to becomes a different IP address. Access to the corresponding URL is thus hijacked to another unreachable or fake site, with the aim of stealing user information or disrupting normal network services.
To prevent DNS hijacking, use a more reliable DNS server, such as 114.114.114.114:
- Google: 8.8.8.8, 8.8.4.4
- Microsoft: 4.2.2.1, 4.2.2.2
- Baidu: 180.76.76.76
- Ali: 223.5.5.5, 223.6.6.6
3.5. Application layer - HTTP hijacking
HTTP hijacking is the interception and modification of HTTP messages, for example by inserting JS code.
The most common symptom is an inexplicable pop-up advertisement in the lower right corner when visiting some websites.
3.6. Security of the HTTP protocol
HTTP transmits in plaintext by default and therefore carries serious security risks. A common way to improve security is to encrypt the communication content before transmission.
Common encryption methods:
- Irreversible
- One-way hash functions: MD5, SHA, etc.
- Reversible
- Symmetric encryption: DES, 3DES, AES, etc.
- Asymmetric encryption: RSA, etc.
- Other
- Hybrid cryptosystems
- Digital signatures
- Certificates
Common English terms: encrypt, decrypt, plaintext, ciphertext.
3.7. How to prevent eavesdropping?
For ease of explanation, four fictional characters are used:
- Alice and Bob: the two parties communicating
- Eve: the eavesdropper
- Mallory: the active attacker
Encryption:
Common online encryption and decryption sites: MD5 encryption: www.cmd5.com/hash.aspx; MD5 decryption (lookup): www.cmd5.com; other encryption: www.sojson.com/encrypt_des…
3.8. One-way hash functions (One-way hash function)
A one-way hash function computes a hash value from the content of a message.
One-way hash functions are also known as message digest functions or simply hash functions.
The output hash value is also known as the message digest or fingerprint.
The length of the hash value is independent of the length of the message: whether the message is 1 bit, 10 MB, or 100 GB, the one-way hash function produces a hash value of fixed length.
Characteristics:
- A fixed-length hash value is computed from a message of arbitrary length
- Fast computation: the hash value can be calculated quickly
- Different messages produce different hash values
- One-way: the message cannot be recovered from the hash value
3.8.1. Several common one-way hash functions
- MD4, MD5
- Generate a 128-bit hash value; MD stands for Message Digest; no longer secure
- SHA-1
- Generates a 168-bit hash value; no longer secure
- SHA-2
- SHA-256, SHA-384, and SHA-512 produce hash values of 256, 384, and 512 bits respectively
- SHA-3
- The new standard
3.8.2. How to prevent data from being tampered with?
- How do I ensure that two files are the same?
- The original practice was to make a copy and compare it (very cumbersome)
- Compute and compare hash values (recommended)
When you download software, some websites publish the hash value of the package (IDEA, for example) so that tampering with the package can be detected. After downloading the installation package from a mirror site (fast), you can compute its hash value and compare it with the hash value published by the official site to verify the integrity of the software.
For more articles in this series, follow the WeChat official account [1024 Planet].
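The integrity check described in 3.8.2, together with the fixed-length property from 3.8, in working form. This is an added example and not code from the article: it hashes a file in chunks (so a 100 GB package costs memory no differently from a 1-bit one), compares the result with a published digest in constant time, reports the output length of MD5, SHA-1 and SHA-256 as hashlib defines them, and demonstrates on a constructed 3 MiB "installer" that changing a single byte makes the check fail.

```python
import hashlib
import hmac
import os
import tempfile


def file_digest(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file of any size in fixed-size chunks; the digest length depends
    only on the algorithm, never on the file size."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published_hex, algorithm="sha256"):
    """Compare the downloaded file's digest with the value published by the
    vendor (case-insensitive, constant-time comparison)."""
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), published_hex.strip().lower())


def digest_bits(algorithm):
    """Output length in bits of a hashlib algorithm (md5 -> 128, sha1 -> 160, ...)."""
    return hashlib.new(algorithm).digest_size * 8


def sha256_of_abc():
    """Known-answer check: SHA-256 of the three bytes 'abc' written to a file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "abc.txt")
        with open(path, "wb") as f:
            f.write(b"abc")
        return file_digest(path)


def demo():
    """Constructed scenario: a 3 MiB 'installer' whose official digest we know,
    checked once as downloaded and once after a single byte is altered."""
    package = bytes(range(256)) * (3 * 1024 * 4)      # 3 MiB of deterministic bytes
    published = hashlib.sha256(package).hexdigest()   # what the vendor would publish
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "installer.bin")
        with open(path, "wb") as f:
            f.write(package)
        ok_as_downloaded = verify_download(path, published)
        middle = len(package) // 2
        with open(path, "r+b") as f:                  # flip one bit in the middle
            f.seek(middle)
            f.write(bytes([package[middle] ^ 0x01]))
        ok_after_tamper = verify_download(path, published)
    return ok_as_downloaded, ok_after_tamper


if __name__ == "__main__":
    print("md5/sha1/sha256 bits:", digest_bits("md5"), digest_bits("sha1"), digest_bits("sha256"))
    print("as downloaded, after tamper:", demo())
```

The comparison only proves that the file matches the published value; it says nothing about whether that value is authentic, so the published hash should be obtained from the official site over HTTPS (or verified with a signature) rather than from the same mirror that served the package.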