Follow our public account to learn more Java tips!
Source: blog.csdn.net/daocaokafei/article/details/116176790
According to the analysis report of China’s Internet network security monitoring data in the first half of 2020, malicious program-controlled servers, denial-of-service attacks (DDoS), and other network attacks are on the rise. To this day, network attacks have become one of the main factors affecting network information security and business information security.
Network attacks refer to actions that exploit vulnerabilities and security flaws in networks to attack the hardware, software, and system data of network systems. The TCP/IP protocol, as the foundational protocol of the network, did not consider that networks would face so many threats from the very beginning of its design, leading to numerous attack methods. Since communication in the network originates from data packets, automatic collection and decoding analysis of these packets can quickly discover and trace network attacks.
TCP/IP Protocol
The industry typically divides the TCP/IP protocol stack into four layers: the Link layer, Network layer, Transport layer, and Application layer.
- The Link layer is primarily used to handle the transmission of data over physical media (such as Ethernet, Token Ring, etc.) and implements the network driver for network interface cards;
- The Network layer uses the IP protocol, which is the core of the entire protocol stack. Its main functions include routing and forwarding data packets, achieving internetworking and congestion control;
- The Transport layer provides end-to-end communication for applications between hosts, defining two protocols: TCP and UDP;
- The main function of the Application layer is to handle the logic of applications, such as file transfers, name resolution, and network management. Protocols at this layer include the FTP file transfer protocol based on TCP, the HTTP hypertext transfer protocol, and the DNS domain name service based on UDP.
TCP/IP Protocol Model Layer Structure Diagram
Due to the four layers of the TCP/IP protocol, each with different functions and protocols, the attack methods for different protocol layers also vary:
Attacks targeting the Link layer mainly involve physical damage to network hardware and infrastructure or forcibly altering router routes; the IP protocol and ARP protocol are the two most important protocols at the Network layer, with attacks on this layer including IP fragmentation attacks, ARP spoofing, etc.;
Since TCP and UDP are the two main protocols of the Transport layer, there are many attacks targeting this layer, including DoS attacks; and the Application layer has the most protocols in the entire protocol stack, so the number of attacks targeting this layer is extremely large, with common ones like DNS spoofing. The latest interview questions have been organized, click on the Java interview library mini-program to practice online.
ARP Attacks
ARP (Address Resolution Protocol) resolves the IP address of a network host to its MAC address. Each host device has an ARP cache (ARP Cache), which checks its own ARP cache to determine whether it has an entry (if it does, it can map directly; if not, it can broadcast an ARP request packet);
Then, it checks whether the target IP address in the data packet matches its own IP address. If they match, it can send an ARP response to inform the MAC address; when the source node receives the ARP response packet, it can add the obtained target host’s IP address and MAC address mapping entry to its own ARP cache.
ARP Protocol Working Principle
ARP attacks involve forging IP addresses and MAC addresses to achieve ARP spoofing. By generating a large volume of ARP traffic in the network, the attacker can continuously send forged ARP response packets to alter the IP-MAC entries in the target host’s ARP cache, causing network interruptions or man-in-the-middle attacks. Therefore, ARP attacks are often referred to as ARP spoofing.
Although ARP attacks can only occur over Ethernet and have a low threshold, their impact can be significant, leading to issues such as network outages, bandwidth limitations, and account theft. Network operations can implement ARP defense mechanisms, such as deploying network mirroring on switches to capture suspicious data packets for analysis, and can also combine technologies like DHCP snooping and IP source protection to maintain network security.
Follow our public account to learn more Java tips!
DoS Attacks
The TCP protocol is a stream-based, connection-oriented reliable communication method that can reduce the bandwidth overhead caused by retransmissions under poor network conditions.
Specifically, the process of establishing a TCP connection involves three steps, where each step simultaneously connects the sender and receiver, commonly known as the “three-way handshake”: the sender sends a SYN packet, enters the SYN_SENT state, indicating the planned server port and initial sequence number, and waits for confirmation from the receiver; the receiver receives the SYN packet, sends a SYN_ACK to confirm to the sender, and enters the SYN_RECV state; the sender receives the SYN_ACK packet and sends an ACK to the receiver, completing the connection establishment.
TCP Three-Way Handshake
Since the TCP protocol is a connection-oriented transport control protocol, the main purpose of DoS attacks is to prevent user hosts or networks from receiving or processing external requests. For example, by generating a large volume of useless data, it can cause network congestion, preventing the attacked host from communicating normally with the outside world; exploiting the repeated connection flaw to repeatedly send duplicate service requests, making it unable to handle other requests; or using protocol flaws to repeatedly send attack data, occupying host or system resources, leading to crashes.
In simple terms, a DoS (Denial of Service) attack typically uses packet flooding to disrupt or severely hinder the local system’s ability to respond to legitimate external requests, causing the local system to crash. SYN flood attacks are the most common type of DoS attack.
The attacker disguises their own IP source address and sends TCP connection requests to the local system; the local system replies with a SYN-ACK to the disguised address, causing the local system to not receive the RST message and remain in a half-connected state until resources are exhausted. The attacker sends connection requests faster than the TCP timeout release rate, using repeated connection requests to prevent local services from receiving other connections.
The best way to mitigate SYN flood attacks is to implement preventive strategies, such as using network performance management tools to automatically filter suspicious data packets, shorten the SYN Timeout duration, and set SYN Cookies. Each request can be assigned a Cookie, and if a repeated SYN packet from a certain IP is received within a short period, it can be identified as an attack, and that IP address can be discarded.
DNS Attacks
The IP protocol relies on IP addresses and IP routers to transmit data packets from the source device to the destination device. IP addresses are machine-readable and usually long, making them inconvenient to remember and use despite their uniqueness. This led to the invention of DNS. DNS (Domain Name System) provides a shorter, more readable, and practical way to represent addresses. Since domain names correspond one-to-one with IP addresses, users only need to input the domain name in the address bar, and the system will directly resolve the domain name to an IP address.
After executing a domain name search, the domain name server saves the domain name records, each containing a domain name and its corresponding IP address. If a record in the domain name server is manually modified, it can manipulate the user’s access address, a behavior known as “domain hijacking.” The initiators of “domain hijacking” are domain name server providers, and the effective methods to resolve this issue include abandoning or switching domain name servers.
In addition to “domain hijacking,” another common DNS attack is called “domain pollution” or “domain spoofing.” When a computer sends a “domain query” to the domain name server, the server responds back, and there is a time lag in the process of sending the request and receiving the information. Network attackers can forge erroneous responses to the computer before the correct information is received, resulting in incorrect IP information.
In the face of network attacks, we need to raise security awareness, actively maintain systems, strengthen firewall settings, and analyze data packets to trace network attacks. By collecting and decoding network data, we can grasp the slightest changes in the network and configure effective alert information based on the characteristics or behaviors of network attacks, enabling quick localization of attacks in the network. Additionally, using network performance management tools with security protection features, such as Tiandan Network Performance Management (NPM), can support automatic analysis of suspicious data packets like TCP port scanning, ARP attacks, and DoS attacks, achieving automatic alerts to ensure the normal transmission and use of data information.
— End —
Recent Hot Articles:1. Spring Boot Study Notes, this is comprehensive!2. A new colleague asked me what does where 1=1 mean?3. Detailed explanation of Spring AOP, must understand after reading!4. Stop writing full screens of if/else for parameter validation…5. What are the components of Tomcat? Explain its working principle?—— For more, please click to follow Java Backend——
Get a copy of Spring Boot materials!