According to an analysis report on China’s Internet network security monitoring data for the first half of 2020, cyber attacks such as malicious programs controlling servers and denial-of-service (DDoS) attacks are on the rise. Network attacks have become one of the main factors affecting network information security and service information security.
Network attacks exploit network vulnerabilities and security defects to attack the software, hardware and system data of a networked system. TCP/IP, the basic protocol suite of the network, was not designed with today’s range of threats in mind, which leaves room for many attack methods. Because all communication on the network consists of data packets, network attacks can be discovered and traced quickly by automatically collecting and decoding packets for analysis.
TCP/IP protocol
The TCP/IP stack is usually divided into four layers: link layer, network layer, transport layer, and application layer.
- The link layer handles data transmission over physical media (such as Ethernet or token ring) and implements the network driver for the NIC interface.
- The network layer uses the IP protocol, which is the core of the whole stack. Its main functions are routing and forwarding of data packets, Internet interconnection, and congestion control.
- The transport layer provides end-to-end communication for applications on different hosts. This layer defines two protocols, namely TCP and UDP.
- The application layer handles application logic such as file transfer, name lookup, and network management. Protocols at this layer include the File Transfer Protocol (FTP) and Hypertext Transfer Protocol (HTTP) over TCP, and the Domain Name System (DNS) over UDP.
Because each of the four TCP/IP layers has different functions and protocols, the attack methods differ from layer to layer. Attacks on the link layer mainly damage network hardware and infrastructure or forcibly change router routes. IP and ARP are the two most important protocols at the network layer, and the main attacks there are IP fragmentation attacks and ARP spoofing. TCP and UDP are the two most important protocols at the transport layer, which is the target of many attacks, including DoS attacks. The application layer has the largest number of protocols in the whole stack, so the number of attacks against it is very large; DNS spoofing is one example.
ARP attack
The Address Resolution Protocol (ARP) resolves the IP address of a network host into a MAC address. Each host keeps an ARP cache: if the destination IP address is already in the cache, the host uses that mapping directly; if not, it broadcasts an ARP request packet.
Every host that receives the request checks whether the destination IP address in the packet matches its own. If it does, that host sends an ARP reply carrying its MAC address.
After receiving the ARP reply, the source node adds the IP-to-MAC mapping of the destination host to its ARP cache.
An ARP attack forges IP and MAC addresses to achieve ARP spoofing. By generating a large volume of ARP traffic the attacker can flood the network, and as long as the attacker keeps sending forged ARP reply packets, the IP-MAC entries in the target host’s ARP cache are overwritten. Because they cause network outages or enable man-in-the-middle attacks, ARP attacks are often called ARP spoofing.
Although ARP attacks can only be carried out on Ethernet, the bar to launching them is very low and their impact is serious: network interruption, traffic throttling, and account theft. Network O&M can adopt an ARP defense mechanism; for example, it can be deployed on the switch to capture suspicious packets for analysis, and combined with DHCP snooping and IP Source Guard to keep the network secure.
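The switch-side analysis just described comes down to two checks on captured ARP frames: a reply that no request asked for, and an IP address whose MAC binding suddenly changes. The following monitor is an added example (not code from the article or from any product it names); the MAC and IP addresses in the sample capture are constructed, and the frames are packed only so the example runs offline.

```python
import struct

ETH_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2

def build_arp(op, sha, spa, tha, tpa):
    """Pack an Ethernet+ARP frame (used only to construct the sample capture)."""
    eth_dst = tha if op == ARP_REPLY else b"\xff" * 6   # requests are broadcast
    eth = struct.pack("!6s6sH", eth_dst, sha, ETH_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return eth + arp

def parse_arp(frame):
    _, _, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_ARP:
        return None                    # not an ARP frame
    _, _, _, _, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sha": sha.hex(":"), "spa": ".".join(map(str, spa)),
            "tha": tha.hex(":"), "tpa": ".".join(map(str, tpa))}

class ArpMonitor:
    def __init__(self):
        self.table = {}        # ip -> mac learned from the first reply seen
        self.pending = set()   # ips with an outstanding ARP request
        self.alerts = []
    def observe(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt["op"] == ARP_REQUEST:
            self.pending.add(pkt["tpa"])
            return
        ip, mac = pkt["spa"], pkt["sha"]
        if ip in self.pending:
            self.pending.discard(ip)   # reply answers a request we saw
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        known = self.table.setdefault(ip, mac)
        if known != mac:               # binding changed: classic spoofing sign
            self.alerts.append(f"mac conflict for {ip}: {known} -> {mac}")

def demo():
    """Constructed capture: one legitimate resolution, then a forged reply."""
    gw_mac, host_mac, rogue_mac = [bytes.fromhex(h) for h in ("aabbccddee01", "aabbccddee02", "aabbccddee99")]
    gw_ip, host_ip = bytes([192, 168, 1, 1]), bytes([192, 168, 1, 10])
    mon = ArpMonitor()
    mon.observe(build_arp(ARP_REQUEST, host_mac, host_ip, b"\x00" * 6, gw_ip))
    mon.observe(build_arp(ARP_REPLY, gw_mac, gw_ip, host_mac, host_ip))
    mon.observe(build_arp(ARP_REPLY, rogue_mac, gw_ip, host_mac, host_ip))
    return mon.alerts
```

On a real switch mirror port the same two alerts would be the signal to compare against the DHCP snooping binding table before acting.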
DoS attack
TCP is a reliable, connection-oriented, stream-based transport protocol. On a poor network it reduces the bandwidth wasted on retransmission.
A connection is established in three steps between the sender and the receiver. The sender sends a SYN packet and enters the SYN_SENT state, indicating the server port and initial sequence number of the planned connection, and waits for confirmation from the receiver.
After receiving the SYN packet, the receiver sends a SYN-ACK packet to confirm the sender and enters the SYN_RECV state. When the sender receives the SYN-ACK packet, it sends an ACK to the receiver, and the connection is established.
Since TCP is a connection-oriented transmission control protocol, the main aim of a DoS attack is to leave the user’s host or network unable to receive or process external requests. For example, generating a large amount of useless data causes network congestion and prevents the attacked host from communicating with the outside world; exploiting a flaw in connection handling to send the same service request over and over leaves the host unable to process other requests normally; or exploiting a protocol defect to repeatedly send attack data ties up host or system resources until the system crashes.
In simple terms, a Denial of Service (DoS) attack usually overwhelms the local system with data packets so that the services which should be responding to legitimate outside requests are disturbed or blocked entirely, and the local system crashes.
SYN flood attacks are the most common DoS attacks. The attacker disguises its source IP address and sends TCP connection requests to the local system.
The local system replies with a SYN-ACK to the disguised address, which never answers, so the local system receives neither an RST nor an ACK and the connection remains half-open until resources are exhausted. Because the attacker sends connection requests faster than the TCP timeout releases them, the repeated requests leave the local service unable to accept other connections.
The best way to counter SYN flood attacks is to put defense policies in place: use network performance management tools to automatically filter suspicious packets, shorten the SYN timeout, and enable SYN cookies for each request. If many SYN packets from a single IP address arrive within a short period, treat it as an attack and discard traffic from that address.
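The "many SYNs from one address in a short period" rule above can be checked directly from captured packets by counting, per source, the SYNs whose handshake is never completed before the SYN timeout. This detector is an added example (not the article’s or any product’s code); the trace, the one-second window and the threshold of five half-open connections are constructed assumptions for illustration.

```python
from collections import defaultdict, deque

SYN, ACK = 0x02, 0x10   # TCP flag bits

class SynFloodDetector:
    """Counts, per source address, SYNs not followed by the client's ACK
    within the SYN timeout window; too many of them means a flood."""
    def __init__(self, window=1.0, max_half_open=5):
        self.window = window                  # models the server's SYN timeout (assumed)
        self.max_half_open = max_half_open    # alert threshold (assumed)
        self.half_open = defaultdict(deque)   # src -> timestamps of unanswered SYNs
        self.alerted = set()

    def observe(self, ts, src, flags):
        """Feed one packet seen from a client; return True if src is flagged."""
        q = self.half_open[src]
        if flags & SYN and not flags & ACK:
            q.append(ts)                  # first step of the handshake
        elif flags & ACK and q:
            q.popleft()                   # third step completes the oldest half-open
        while q and ts - q[0] > self.window:
            q.popleft()                   # timed out, like the server's SYN_RECV entry
        if len(q) > self.max_half_open:
            self.alerted.add(src)
        return src in self.alerted

def sample_trace():
    """Constructed trace: a normal client completing three handshakes and a
    source that only ever sends SYNs, which is what a spoofed flood looks like."""
    pkts = []
    for i in range(3):
        pkts.append((i * 0.1, "10.0.0.5", SYN))
        pkts.append((i * 0.1 + 0.01, "10.0.0.5", ACK))
    for i in range(20):
        pkts.append((0.5 + i * 0.02, "203.0.113.7", SYN))
    return sorted(pkts)

def flagged_sources(packets, **kwargs):
    det = SynFloodDetector(**kwargs)
    for ts, src, flags in packets:
        det.observe(ts, src, flags)
    return sorted(det.alerted)
```

Shortening the window is the in-code equivalent of the "shorten SYN timeout" advice: expired entries drop out of the count sooner, so fewer resources are held per spoofed source.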
DNS attack
To deliver data packets from the source device to the destination device, the IP protocol relies on IP addresses and IP routers. An IP address is machine-oriented and usually long, so although it is unique it is hard to remember and use; this is why DNS was invented on top of it. The Domain Name System (DNS) provides short domain names that are readable and practical. A domain name corresponds to an IP address one-to-one, so when accessing the Internet you only need to type the domain name in the address bar; the system resolves the domain name and translates it into an IP address.
After performing a domain name lookup, the DNS server stores a domain name record, and each record contains the domain name and its IP address. If a record on the DNS server is changed by hand, the address the user is sent to can be manipulated; this behavior is called domain name hijacking. The initiator of domain name hijacking is the domain name server provider, so the effective remedy is to abandon or change the domain name server.
Besides domain name hijacking, another common DNS attack is domain name pollution, also known as DNS spoofing. When the computer sends a domain name query to the DNS server, the DNS server sends the response back to the computer. Sending the request and receiving the answer is one process with a time gap between the two; an attacker can forge a reply that reaches the computer before the genuine answer arrives, and that forged reply contains the wrong IP address.
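The race described above leaves a trace in captured traffic: a response whose transaction ID matches no outstanding query, or two responses to the same query that disagree on the address. The monitor below is an added example (not the article’s or any product’s code); it parses only the minimal A-record form of DNS messages, and the transaction IDs and addresses in the constructed exchange are placeholders.

```python
import struct

def build_dns(txid, name, ip=None):
    """Build a minimal A query, or a response with one A record when ip is given."""
    flags, ancount = (0x8180, 1) if ip else (0x0100, 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    pkt += b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    pkt += struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN
    if ip:  # answer: pointer to question name, type A, class IN, TTL, RDLENGTH, RDATA
        pkt += b"\xc0\x0c" + struct.pack("!HHIH4s", 1, 1, 300, 4, bytes(map(int, ip.split("."))))
    return pkt

def parse_dns(pkt):
    """Return (txid, is_response, qname, first A-record address or None)."""
    txid, flags, _, ancount = struct.unpack("!HHHH", pkt[:8])
    labels, off = [], 12
    while pkt[off]:
        labels.append(pkt[off + 1:off + 1 + pkt[off]].decode())
        off += 1 + pkt[off]
    off += 5                                 # terminating zero label + QTYPE + QCLASS
    is_response = bool(flags & 0x8000)       # QR bit
    # skip name pointer, type, class, TTL and RDLENGTH (12 bytes) to reach the address
    ip = ".".join(map(str, pkt[off + 12:off + 16])) if is_response and ancount else None
    return txid, is_response, ".".join(labels), ip

class DnsMonitor:
    def __init__(self):
        self.pending = {}   # txid -> name of the outstanding query
        self.answers = {}   # txid -> address in the first response seen
        self.alerts = []
    def observe(self, pkt):
        txid, is_response, name, ip = parse_dns(pkt)
        if not is_response:
            self.pending[txid] = name
            return
        if self.pending.get(txid) != name:
            self.alerts.append(f"response {txid:#x} for {name} matches no outstanding query")
            return
        first = self.answers.setdefault(txid, ip)
        if first != ip:                      # a second, different answer: likely a spoof race
            self.alerts.append(f"conflicting answers for {name}: {first} then {ip}")

def demo():
    """Constructed exchange: query, a forged early reply, the real reply, a stray reply."""
    mon = DnsMonitor()
    mon.observe(build_dns(0x1a2b, "example.com"))
    mon.observe(build_dns(0x1a2b, "example.com", "203.0.113.66"))   # arrives first
    mon.observe(build_dns(0x1a2b, "example.com", "198.51.100.10"))  # genuine, later
    mon.observe(build_dns(0x9999, "example.com", "203.0.113.66"))   # no matching query
    return mon.alerts
```

A resolver that accepts the first reply would already have cached the forged address by the time the second alert fires, so the value of this check is in alerting and in auditing the cache afterwards.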
In the face of network attacks, we need to improve security awareness, maintain systems actively and responsibly, strengthen firewall settings, and also trace network attacks through the analysis of data packets.
By collecting and decoding network data, you can learn about the slightest changes on the network and configure effective alarms based on the characteristic values or behaviors of network attacks, so that attacks on the network can be located quickly.
You can also use network performance management tools with security protection functions, such as Tiandan Network Performance Management (NPM), to automatically analyze suspicious packets such as TCP port scans, ARP attacks and DoS attacks, raise alarms automatically, and ensure the normal transmission and use of data.