
A program for demonstrating network attacks. Technologies of network attack detection systems

Attackers seldom barge into a network with "weapons" in hand. They prefer to first check whether the locks on the doors are secure and all the windows are closed: they discreetly analyze the patterns of traffic in and out of your network and individual IP addresses, and issue seemingly innocuous queries to individual users and network devices.

Such carefully camouflaged adversaries call for the installation of intelligent, highly sensitive network attack detection software. The purchased product should alert the administrator not only about obvious information security violations, but also about any suspicious events that seem completely harmless at first glance yet may in fact conceal a full-scale hacker attack. Needless to say, any active attempt to crack system passwords should be reported to the administrator immediately.

Modern corporations are literally under crossfire from attackers seeking to steal valuable information or simply to disable information systems. The tasks pursued in the fight against hackers are quite obvious:

– notification of an attempted unauthorized access must be immediate;

– repelling the attack and minimizing losses (to resist the intruder, the communication session with him must be broken off immediately);

– going on the counteroffensive (the attacker must be identified and punished).

It was this scenario that was used when testing the four most popular network attack detection systems on the market today:

– BlackICE;

– Intruder Alert;

– Centrax;

– eTrust Intrusion Detection.

The characteristics of these software systems for detecting network attacks are given in Table 3.2.

Network ICE's BlackICE is a specialized agent application designed solely to detect intruders. Having found an uninvited guest, it sends a report about this event to the ICEcap control module, which analyzes the information received from different agents and seeks to localize the attack on the network.

Axent Technologies' Intruder Alert software is more like a security toolkit, because it gives the most flexibility in defining network security strategies.

CyberSafe's Centrax is an all-in-one package that includes security controls, traffic monitoring, attack detection, and warning messages.



Computer Associates' eTrust Intrusion Detection is particularly strong in its security monitoring and policy management capabilities, although it still includes real-time alerts, data encryption, and intrusion detection.

Table 3.2. Characteristics of network attack detection software systems

| Software system | Manufacturer | System characteristics |
|---|---|---|
| BlackICE (specialized agent application) | Network ICE | Installed on a remote user's computer or on a host of the corporate network. Displays an attack warning on the user's screen. Reports unauthorized access attempts to the network monitoring tools. Can download fresh hacker attack signatures from the server. Identifies the source of a network attack. |
| Intruder Alert (network attack detection tool) | Axent Technologies | Selects the network security strategy. Supports a detailed set of network protection rules. Downloads hacker attack signatures. Requires experienced service personnel. |
| Centrax (network attack detection tool) | CyberSafe | Controls the network security system. Monitors traffic. Issues warning messages about network attacks. Requires experienced service personnel. |
| eTrust Intrusion Detection (network segment traffic analyzer) | Computer Associates | Manages protection strategies. Issues real-time attack warnings. Monitors traffic. Warns the administrator about security policy violations. Reports the presence of profanity in e-mail. Holds information about the attacker. |

The alerts generated by BlackICE agents are very specific. The message text leaves the administrator in no doubt about the nature of the registered event and, in most cases, its importance. In addition, the product allows the administrator to customize the content of the warning messages, although by and large this is not necessary.

A very useful property of the Network ICE products, as well as of the Intruder Alert package, is the ability to download the latest hacker attack signatures from the vendor's server.

Attempts to disable a corporate server so that it is forced to refuse service requests (denial of service) pose a rather serious threat to the business of companies that provide services to their customers over the global network. The essence of the attack is that the attacker generates thousands of SYN requests (requests to establish a connection) addressed to the attacked server. Each request carries a fake source address, which makes it much more difficult to establish the very fact of the attack and to track down the attacker. Upon receiving each SYN request, the server assumes that a new communication session is beginning and goes into a state of waiting for data. Even though no data follows, the server must wait a certain time (up to 45 s) before terminating the connection. If several thousand such false requests are sent to the server within a matter of minutes, it will be overloaded, and no resources will be left to process real requests for a particular service. In other words, as a result of a SYN attack, real users are denied service.

All the systems described, with the exception of Computer Associates' eTrust Intrusion Detection, use a software agent model: agents are first installed on network devices, then collect information about potential attacks and send it to the console. The agents detect violations of the established protection strategies and generate the appropriate messages.

Agent-based systems are the best solution for switched networks, because in such networks there is no single point through which all traffic must pass. Instead of monitoring a single link, the agent monitors all packets received or sent by the device on which it is installed. As a result, attackers cannot hide "behind the switch".

The foregoing can be illustrated by the example of Network ICE products. The BlackICE program is assigned the role of an agent installed in a completely autonomous operating environment, for example, on a remote user's computer or on one of the nodes of a corporate data transmission network. Upon detecting a hacker attacking a remote machine, the agent will issue a warning directly on its screen. If a similar event is recorded in the corporate network, a message about an unauthorized access attempt will be sent to another application - ICEcap, which contains network monitoring tools. The latter collects and compares information coming from different agents subordinate to it, and this enables it to quickly identify events that really threaten the network security.

The eTrust system, in contrast, is based on a centralized architecture. It is installed on the central node and analyzes the traffic in the subordinate network segment. The absence of agents does not allow this product to monitor all events in a switched network, since it is impossible to select a single "lookout" from where the entire network would be visible at a glance.

The Intruder Alert package and CyberSafe's Centrax system are more of a toolkit for building your own network attack detection system. To take full advantage of their capabilities, an organization must have suitably qualified programmers on its staff or a budget to commission such work.

While all of the products described are easy to install, managing the Intruder Alert and Centrax systems is not easy. For example, if Centrax issues a warning message of unknown or indeterminate content (and this situation arose more than once in our tests), the administrator is unlikely to be able to quickly determine what actually happened, especially if he has to turn to the event log files to clarify the diagnosis. These files are exhaustive, but the developers apparently decided that an ordinary person only needs a hint of what might be going on and will then unmistakably identify the nature of the event. The logs of this system contain descriptions of the warnings issued, but no warning identifiers. The administrator sees the port addresses to which suspicious requests were directed, or the parameters of other operations, but receives no information about what all this could mean.

This circumstance significantly reduces the value of real-time messages, since it is impossible to tell at once whether the description of the event reflects a real threat to the security system or is merely a prompt to conduct a more thorough traffic analysis. In other words, it makes sense to buy these products only if your organization has experienced information security specialists on staff.

Computer Associates' eTrust Intrusion Detection is more than just a system for monitoring network activity and detecting hacker attacks. The product is able not only to decode packets of various protocols and service traffic, but also to capture them for subsequent output to the control console in their original format. The system monitors all TCP/IP traffic and warns the administrator about violations of the established information security strategies. True, this product does not support the same level of detail in rule sets as Intruder Alert.

However, detecting unauthorized access attempts and issuing warning messages is only half the battle. Firewall software must stop the hacker and take countermeasures. In this respect, the Intruder Alert and Centrax packages make the best impression, the very ones that drew so much criticism for their configuration. While the Network ICE and eTrust software instantly close threatening connections, Intruder Alert and Centrax go even further. For example, the Axent Technologies application can be configured to run a particular batch file depending on the nature of the logged events, such as rebooting a server that has suffered a denial-of-service attack.

Having repulsed the attack, one immediately wants to go on the counteroffensive. The BlackICE and Centrax applications maintain tables of hacker identities. These tables are filled after tracing the whole path back to the "lair" where the enemy is hiding. The capabilities of the BlackICE software are especially impressive when it comes to identifying the source of an attack, whether inside or outside the network: despite numerous clever maneuvers, we were never able to remain incognito.

The eTrust system, on the other hand, is striking in how deeply it probes the activity of each network user, who often does not even suspect that he is under close supervision. At the same time, this package provides the most complete (and perhaps the most accurate) information about intruders, including where they are located.

The Centrax application can create so-called decoy files, giving an unimportant file a meaningful name such as "Vedomosti.xls" and thereby misleading overly curious users. This algorithm seems too straightforward to us, but it can still do a good job: with its help it is possible to "catch" employees "combing" the corporate network in search of confidential information.

Each of the products considered generates reports on suspicious cases of network activity. ICEcap and eTrust Intrusion Detection stand out for the high quality of such reports and their ease of use. The latter package is particularly flexible, perhaps because it is derived from a protocol decoder. In particular, the administrator can analyze network events in terms of individual resources, be they protocols, client stations or servers. eTrust provides many pre-designed report formats. Their well-thought-out structure greatly facilitates the detection of intruders and makes it possible to punish the guilty users.

Each product has its own strengths and weaknesses, so each can be recommended only for solving certain tasks. When it comes to protecting switched networks, Network ICE, Axent Technologies and CyberSafe are good choices. eTrust Intrusion Detection is ideal for early notification of business ethics violations such as profanity in e-mail messages. The Intruder Alert and Centrax systems are excellent tools for information security consultants and organizations with a staff of security professionals. However, for companies that cannot afford the services of highly paid specialists, we recommend installing Network ICE products. These applications will stand in for a true network protection expert better than any other system we have seen.

The first systems for detecting suspicious network activity in corporate intranets appeared almost 30 years ago. One can recall, for example, the MIDAS system, developed in 1988. However, it was more of a prototype.

For a long time, an obstacle to the creation of full-fledged systems of this class was the weak computing power of mass-market computer platforms, and truly working solutions were presented only 10 years later. A little later, the first commercial intrusion detection systems (IDS) entered the market...

Today, the task of detecting network attacks is one of the most important. Its importance has increased due to the complexity of both attack methods and the topology and composition of modern intranets. Previously, attackers used a well-known exploit stack to carry out a successful attack, but now they resort to much more sophisticated methods, competing in skill with specialists on the defense side.

Modern requirements for IDS

Intrusion detection systems registered in the Russian software registry mostly use signature methods, or they declare anomaly detection but their analytics operate, at best, with data no more detailed than the protocol type. Pluton is based on deep packet analysis: it overlays the data of the incoming packet on the specifics of the host data, which gives more accurate and flexible analytics.

Previously, superficial analysis and signature methods successfully performed their functions (at that time, attackers tried to exploit already known software vulnerabilities). But in modern conditions, when attacks can be stretched out in time (so-called APT) and their traffic is masked by encryption and obfuscation, signature methods are ineffective. In addition, modern attacks use various methods of evading IDS.

As a result, the effort to configure and maintain traditional intrusion detection systems can exceed reasonable limits, and often the business concludes that such an exercise is simply a waste of resources. The IDS then exists only formally, serving merely to be present, and the enterprise's information systems remain as defenseless as before. This situation is fraught with even greater losses.

Next-generation IDS

The Pluton IDS hardware and software complex, developed by Jet Infosystems, is a new-generation, high-performance complex for detecting network attacks. Unlike traditional IDS, Pluton combines simultaneous signature-based and heuristic analysis of network packets with preservation of the environment data, provides deep analytics and expands the data set available for investigation. Advanced methods for identifying potential threats, complemented by historical data on the network environment and traffic as well as system logs, make Pluton an important element of enterprise information security systems. The system is able to detect signs of computer attacks and anomalies in the behavior of network nodes on communication channels with a bandwidth of more than 1 Gbps.

In addition to detecting signs of computer attacks on information systems, Pluton provides serious protection for its own components, as well as protection of the communication channels: in the event of a hardware failure, the connection will not be interrupted. All Pluton components operate in a closed software environment, which makes it impossible to launch third-party program code and serves as an additional guarantee against malware infection. You can therefore be sure that Pluton will not become a "window" into your network for intruders and will not turn into a "headache" for network and security staff.

Pluton carefully monitors its own "health", controlling the integrity of the configuration of system components, of the collected data on network information security events, and of network traffic. This ensures the correct functioning of the system components and, accordingly, the stability of its operation. The use of special network cards in the solution's components makes it possible to avoid breaking the communication channels even in the event of a complete equipment failure or a power outage.

Given the complexity of implementing intrusion detection systems, as well as the constantly increasing bandwidth of communication channels, we have provided for flexible horizontal scaling of the complex's components. If it becomes necessary to connect additional network sensors to the system, it is enough to install an additional management server and link it into a cluster with the existing one. The computing power of both servers is then logically combined into a single resource, so increasing system performance becomes a very simple task. In addition, the system has a fault-tolerant architecture: if one of the components fails, the flow of events is automatically redirected to the standby components of the cluster.

Pluton is based on our more than 20 years of experience in deploying and operating complex protection systems. We know customers' most frequent problems and the shortcomings of modern IDS-class solutions. Our expertise allowed us to identify the most pressing tasks and helped find the best ways to solve them.

At the moment, there is a component-by-component certification of the Pluton complex according to the requirements for network-level intrusion detection systems (2nd class of protection) and for the absence of undeclared capabilities (2nd level of control).

Pluton features:

  • identification of signs of computer attacks in network traffic, including attacks distributed in time, using signature and heuristic methods;
  • monitoring of abnormal activity of network nodes and identification of signs of corporate security policy violations;
  • accumulation and storage of:
    — retrospective data on detected information security events with a configurable storage depth;
    — inventory information about network nodes (host profile);
    — information about network communications of nodes, including traffic consumption statistics (from the network to the application layer of the OSI model);
    — metadata about files transferred between network nodes;
  • transfer of network traffic analysis results to external protection systems to improve the efficiency of identifying various types of information security incidents;
  • provision of an evidence base on computer attacks and network communications for incident investigation.

Procedure for detecting network attacks.

1. Classification of network attacks

1.1. Packet sniffers

A packet sniffer is an application program that uses a network card running in promiscuous mode (in this mode the network adapter passes all packets received over the physical channel to the application for processing). The sniffer thereby intercepts all network packets transmitted within a particular domain.

1.2. IP spoofing

IP spoofing occurs when a hacker, whether inside or outside the system, poses as an authorized user. This can be done in two ways: the hacker can use an IP address that is within the range of authorized IP addresses, or an authorized external address that is allowed access to certain network resources. IP spoofing attacks are often the starting point for other attacks. A classic example is a DoS attack launched from someone else's address, hiding the hacker's true identity.

Typically, IP spoofing is limited to inserting false information or malicious commands into a normal data stream transmitted between a client and server application or over a communication channel between peers. For two-way communication, a hacker must change all the routing tables to direct traffic to a fake IP address. Some hackers, however, don't even try to get a response from the applications. If the main task is to receive an important file from the system, the responses of applications do not matter.

If the hacker manages to change the routing tables and direct traffic to a fake IP address, the hacker will receive all the packets and be able to respond to them as if he were an authorized user.

1.3. Denial of Service (DoS)

DoS is the most well-known form of hacker attacks. Against attacks of this type, it is most difficult to create one hundred percent protection.

The most famous types of DoS:

  • TCP SYN Flood;
  • Ping of Death;
  • Tribe Flood Network (TFN);
  • Tribe Flood Network 2000 (TFN2K);
  • Trinoo;
  • Stacheldraht;
  • Trinity.

DoS attacks are different from other types of attacks. They are not intended to gain access to the network or to obtain any information from this network. A DoS attack renders a network unavailable for normal use by exceeding the allowable limits of the network, operating system, or application.

With some server applications (such as a Web server or FTP server), a DoS attack can consist of taking up all the connections available to those applications and keeping them busy, so that normal users cannot be served. DoS attacks can use common Internet protocols such as TCP and ICMP (Internet Control Message Protocol). Most DoS attacks rely not on software errors or security holes but on general weaknesses in system architecture. Some attacks wipe out network performance by flooding the network with unwanted and unnecessary packets, or by reporting false information about the current state of network resources. This type of attack is difficult to prevent because it requires coordination with the ISP: if the traffic intended to flood your network is not stopped at the provider, it can no longer be stopped at the entrance to your network, because the entire bandwidth will already be occupied. When an attack of this type is carried out simultaneously through many devices, it is a distributed DoS (DDoS).

1.4. Password attacks

Hackers can carry out password attacks using a variety of methods, such as brute force, Trojan horses, IP spoofing and packet sniffing. Although the login and password can often be obtained using IP spoofing and packet sniffing, hackers often try to guess the password and login through multiple access attempts. This approach is called simple enumeration (a brute-force attack). Such an attack often uses a special program that tries to access a shared resource (e.g. a server). If the hacker thereby gains access to resources, he gets it with the rights of the regular user whose password was guessed. If this user has significant access privileges, the hacker can create a "gateway" for himself for future access, which will work even if the user changes his password and login.

Another problem arises when users use the same ( even if it's very good) password for access to many systems: corporate, personal and Internet systems. Since the strength of the password is equal to that of the weakest host, a hacker who learns the password through this host gains access to all other systems where the same password is used.

1.5. Man-in-the-Middle attacks

For a Man-in-the-Middle attack, a hacker needs access to the packets being sent over the network. Such access to all packets transmitted from the provider to any other network can, for example, be obtained by an employee of this provider. Packet sniffers, transport protocols, and routing protocols are often used for this type of attack. Attacks are carried out to steal information, intercept the current session and gain access to private network resources, to analyze traffic and obtain information about the network and its users, to carry out DoS attacks, distort transmitted data and enter unauthorized information into network sessions.

1.6. Application Layer Attacks

Application layer attacks can be carried out in several ways. The most common is exploiting weaknesses in server software (sendmail, HTTP, FTP). Using these weaknesses, hackers can gain access to the computer on behalf of the user running the application (usually not an ordinary user but a privileged administrator with system access rights). Details of application layer attacks are widely published to enable administrators to correct the problem using corrective modules (patches). The main problem with application layer attacks is that they often use ports that are allowed through the firewall. For example, a hacker exploiting a well-known weakness in a Web server often uses port 80 in a TCP attack. Since the Web server serves Web pages to users, the firewall must allow access to this port. From the firewall's point of view, the attack is treated as standard traffic on port 80.

1.7. Network reconnaissance

Network reconnaissance is the collection of information about a network using publicly available data and applications. When preparing an attack against a network, a hacker usually tries to obtain as much information about it as possible. Network reconnaissance takes the form of DNS queries, ping sweeps and port scans. DNS queries help to find out who owns a particular domain and what addresses are assigned to it. A ping sweep of the addresses disclosed via DNS shows which hosts are actually running in the environment. Given a list of hosts, the hacker uses port scanning tools to compile a complete list of the services supported by those hosts. Finally, the hacker analyzes the characteristics of the applications running on the hosts. The result is information that can be used for hacking.
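The ping sweeps and port scans described above leave a characteristic trace in perimeter logs: one source touching many hosts or many ports in a short time. The following is an added example, not code from the original page or from any product it discusses: a small Python detector that runs over a few constructed firewall log lines (the log format, the thresholds and all addresses are assumptions made for this example) and reports the sources whose breadth of probing exceeds a threshold within a time window.

```python
"""Reconnaissance detector over constructed firewall log lines.

Added example, not from the original page. The log format is an assumed,
constructed one: "<epoch> <proto> <src_ip> <dst_ip> <dst_port> <action>".
It flags the two reconnaissance patterns that leave traces in perimeter
logs: a port scan (one source touching many ports on one host) and a
ping sweep (one source sending ICMP echo to many hosts).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log: 203.0.113.7 probes eight ports on one host,
# 198.51.100.5 pings six hosts, and two ordinary clients use 80/443.
SAMPLE_LOG = """\
1000 tcp 203.0.113.7 192.0.2.10 22 DENY
1001 tcp 203.0.113.7 192.0.2.10 23 DENY
1001 tcp 203.0.113.7 192.0.2.10 25 DENY
1002 tcp 203.0.113.7 192.0.2.10 80 ALLOW
1002 tcp 203.0.113.7 192.0.2.10 110 DENY
1003 tcp 203.0.113.7 192.0.2.10 143 DENY
1003 tcp 203.0.113.7 192.0.2.10 443 ALLOW
1004 tcp 203.0.113.7 192.0.2.10 3389 DENY
1010 icmp 198.51.100.5 192.0.2.1 0 ALLOW
1010 icmp 198.51.100.5 192.0.2.2 0 ALLOW
1011 icmp 198.51.100.5 192.0.2.3 0 ALLOW
1011 icmp 198.51.100.5 192.0.2.4 0 ALLOW
1012 icmp 198.51.100.5 192.0.2.5 0 ALLOW
1012 icmp 198.51.100.5 192.0.2.6 0 ALLOW
1020 tcp 192.0.2.50 192.0.2.10 80 ALLOW
1021 tcp 192.0.2.50 192.0.2.10 443 ALLOW
1500 tcp 192.0.2.51 192.0.2.10 80 ALLOW
"""

Event = Tuple[int, str, str, str, int, str]


def parse_line(line: str) -> Event:
    """Split one constructed log line into typed fields."""
    ts, proto, src, dst, port, action = line.split()
    return int(ts), proto, src, dst, int(port), action


def max_distinct_in_window(events: List[Tuple[int, object]], window: int) -> int:
    """Largest number of distinct values (ports or hosts) seen in any span of
    `window` seconds; `events` are (timestamp, value) pairs for one source."""
    events = sorted(events, key=lambda e: e[0])
    best = 0
    for i, (start, _) in enumerate(events):
        seen = {value for ts, value in events[i:] if ts - start <= window}
        best = max(best, len(seen))
    return best


def detect_recon(log_text: str, window: int = 60,
                 port_threshold: int = 5, host_threshold: int = 5) -> Dict[str, List[str]]:
    """Return {"portscan": [sources], "pingsweep": [sources]}.

    A source is a port scanner if it touches more than `port_threshold`
    distinct TCP ports on one destination within `window` seconds, and a
    ping sweeper if its ICMP traffic reaches more than `host_threshold`
    distinct hosts within `window` seconds. DENY and ALLOW lines both count:
    a scanner is identified by breadth, not by whether a given probe got through.
    """
    tcp_events: Dict[Tuple[str, str], List[Tuple[int, int]]] = defaultdict(list)
    icmp_events: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, proto, src, dst, port, _action = parse_line(raw)
        if proto == "tcp":
            tcp_events[(src, dst)].append((ts, port))
        elif proto == "icmp":
            icmp_events[src].append((ts, dst))

    findings: Dict[str, List[str]] = {"portscan": [], "pingsweep": []}
    for (src, _dst), events in tcp_events.items():
        if (max_distinct_in_window(events, window) > port_threshold
                and src not in findings["portscan"]):
            findings["portscan"].append(src)
    for src, events in icmp_events.items():
        if max_distinct_in_window(events, window) > host_threshold:
            findings["pingsweep"].append(src)
    return findings


if __name__ == "__main__":
    for kind, sources in detect_recon(SAMPLE_LOG).items():
        print(f"{kind}: {sources}")
```

The thresholds are deliberately low so the constructed sample triggers; on a real perimeter they would be tuned against the normal breadth of legitimate clients, and a slow scan spread over longer than the window would need a longer window or a cumulative count to be caught.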

1.8. Breach of trust

This type of action is not an "attack" or an "assault" in the strict sense. It is a malicious exploitation of the trust relationships that exist in the network. An example is a system installed outside the firewall that has a trust relationship with a system installed inside it. If the external system is compromised, the hacker can use the trust relationship to break into the system protected by the firewall.

1.9. Port forwarding

Port forwarding is a form of breach of trust in which a compromised host is used to pass traffic through a firewall that would otherwise be rejected. An example of an application that can provide this access is netcat.

1.10. Unauthorized access

Unauthorized access cannot be considered a separate type of attack; most network attacks are carried out to gain unauthorized access. To guess a telnet login, a hacker must first get a telnet prompt on his system. After connecting to the telnet port, the message "Authorization is required to use this resource" appears on the screen. If the hacker continues to attempt access after that, he is considered "unauthorized". The source of such attacks can be both inside and outside the network.

1.11. Viruses and applications of the type "Trojan horse"

Client workstations are very vulnerable to viruses and Trojan horses. A "Trojan horse" is not a code insert but a complete program that looks like a useful application but in fact performs a harmful role.

2. Methods for countering network attacks

2.1. You can mitigate the threat of packet sniffing by using the following tools:

2.1.1. Authentication - Strong authentication is the first way to protect against packet sniffing. By "strong" we mean an authentication method that is difficult to bypass. An example of such authentication is one-time passwords (OTP - One Time Passwords). OTP is a two-factor authentication technology that combines what you have with what you know. A "card" (token) is a hardware or software tool that generates (on a random basis) a unique one-time password. If a hacker learns this password using a sniffer, the information is useless, because by then the password has already been used and is obsolete. This way of dealing with sniffing is effective only against password sniffing.

2.1.2. Switched Infrastructure - Another way to combat packet sniffing in a network environment is to create a switched infrastructure so that hackers can only access traffic on the port they are connected to. The switched infrastructure does not eliminate the threat of sniffing, but it significantly reduces its severity.

2.1.3. Anti-sniffers - A third way to combat sniffing is to install hardware or software that recognizes sniffers running on your network. These tools cannot completely eliminate the threat, but, like many other network security tools, they form part of the overall protection system. So-called "anti-sniffers" measure host response times to determine whether the hosts are having to process "extra" traffic.

2.1.4. Cryptography - The most effective way to combat packet sniffing neither prevents interception nor detects sniffers, but makes their work useless. If the communication channel is cryptographically secure, the hacker intercepts not the message but the ciphertext (that is, an incomprehensible sequence of bits).
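The one-time password mechanism of 2.1.1 is easiest to understand from the server's side: each password is bound to a counter that is consumed on first use, so a value captured by a sniffer cannot be replayed. The following is an added example, not from the original page or any product it discusses. It implements the counter-based HOTP algorithm of RFC 4226 (HMAC-SHA1 with dynamic truncation) as the concrete OTP scheme, which is an assumption: the text says only that the token generates the password "on a random basis". The `OtpToken` and `OtpServer` classes, the look-ahead window and the demo secret (the RFC 4226 test-vector key, never to be used in production) are all constructed for this example.

```python
"""One-time password (HOTP, RFC 4226) verifier illustrating 2.1.1.

Added example, not from the page. The server keeps a per-user shared secret
and the next expected counter; each password is valid once, so a value
captured by a sniffer is useless afterwards. SECRET is the RFC 4226
test-vector key (demo only).
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 test-vector secret, demo only


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226: HMAC-SHA1, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class OtpToken:
    """The user's 'card' (token): produces the next password and moves on."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0

    def next_password(self) -> str:
        pw = hotp(self.secret, self.counter)
        self.counter += 1
        return pw


class OtpServer:
    """Server-side state: secret plus the next counter value it will accept."""

    def __init__(self, secret: bytes, look_ahead: int = 3) -> None:
        self.secret = secret
        self.counter = 0              # next unused counter
        self.look_ahead = look_ahead  # tolerate a few token presses the server never saw

    def verify(self, candidate: str) -> bool:
        """Accept the candidate if it matches any counter in the window, then
        advance past it so that value (and every earlier one) is dead."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1
                return True
        return False


def sniffed_replay_demo():
    """Returns (first_login_ok, replay_ok): a replayed sniffed OTP must fail."""
    token, server = OtpToken(SECRET), OtpServer(SECRET)
    pw = token.next_password()
    first = server.verify(pw)    # legitimate use of the password
    replay = server.verify(pw)   # the same value, as a sniffer would replay it
    return first, replay


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(SECRET, 0))
    print("first login, replay =", sniffed_replay_demo())
```

Note what the look-ahead window does and does not buy: it keeps a user whose token got ahead of the server (a few unused presses) from being locked out, but because the server only ever moves its counter forward, no captured value can be reused, which is exactly the property the text relies on. As the text also says, this protects only the password; data sniffed from the session that follows is untouched by it.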

2.2. The threat of spoofing can be mitigated (but not eliminated) through the following measures:

2.2.1. Access control - The simplest way to prevent IP spoofing is correct configuration of access control. To reduce the effectiveness of IP spoofing, access control is configured to cut off any traffic arriving from the external network with a source address that should lie within your own network. This helps fight IP spoofing when only internal addresses are authorized; if some external network addresses are also authorized, this method becomes ineffective.

2.2.2. RFC 2827 filtering - suppression of attempts by users of the corporate network to spoof addresses of foreign networks. To do this, any outgoing traffic whose source address is not one of the organization's own IP addresses must be rejected. This type of filtering, known as "RFC 2827", can also be performed by the Internet service provider (ISP). As a result, all traffic that does not have a source address expected on a particular interface is rejected.

2.2.3. The most effective method of fighting IP spoofing is the same as for packet sniffing: make the attack completely ineffective. IP spoofing can only work when authentication is based on IP addresses. Therefore, introducing additional authentication methods makes this type of attack useless. The best kind of additional authentication is cryptographic. If that is impossible, good results can be obtained with two-factor authentication using one-time passwords.
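The two filtering rules of 2.2.1 and 2.2.2 are simple enough to state as code. The following is an added example, not from the original page or any product it discusses: a Python model of a perimeter device with an "outside" and an "inside" interface that applies the ingress check (drop outside-arriving packets claiming an internal source) and the RFC 2827 egress check (drop inside-originating packets with a non-corporate source). The network prefixes, the `Packet` record, the interface names and the sample packets are all constructed; the last sample packet shows the limitation the text notes, namely that an authorized external address cannot be distinguished from someone spoofing it.

```python
"""Ingress (2.2.1) and RFC 2827 egress (2.2.2) address filtering.

Added example, not from the page. All prefixes and packets are constructed:
192.0.2.0/24 plays the corporate network, 198.51.100.0/24 an authorized
external partner network, 203.0.113.0/24 the rest of the Internet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]           # constructed
AUTHORIZED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]  # constructed


@dataclass(frozen=True)
class Packet:
    iface: str  # "outside" = Internet-facing interface, "inside" = corporate LAN
    src: str
    dst: str


def _in_any(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def ingress_filter(pkt: Packet) -> str:
    """2.2.1: a packet arriving on the outside interface must not carry a
    source address that belongs inside the corporate network."""
    if pkt.iface == "outside" and _in_any(pkt.src, INTERNAL_NETS):
        return "DROP: spoofed internal source on outside interface"
    return "PASS"


def egress_filter(pkt: Packet) -> str:
    """RFC 2827 (2.2.2): traffic leaving the corporate network must carry one
    of the corporate network's own source addresses."""
    if pkt.iface == "inside" and not _in_any(pkt.src, INTERNAL_NETS):
        return "DROP: outbound packet with non-corporate source (RFC 2827)"
    return "PASS"


def apply_filters(pkts: List[Packet]) -> List[str]:
    """Run both checks on each packet and return one verdict per packet."""
    verdicts = []
    for pkt in pkts:
        verdict = ingress_filter(pkt)
        if verdict == "PASS":
            verdict = egress_filter(pkt)
        verdicts.append(verdict)
    return verdicts


# Constructed sample packets.
SAMPLE = [
    Packet("outside", "203.0.113.9", "192.0.2.10"),   # ordinary inbound traffic
    Packet("outside", "192.0.2.77", "192.0.2.10"),    # internal source from outside: spoofed
    Packet("inside", "192.0.2.10", "203.0.113.9"),    # ordinary outbound traffic
    Packet("inside", "10.9.9.9", "203.0.113.9"),      # foreign source leaving: RFC 2827 drop
    # An authorized partner address passes. The filter cannot tell a genuine
    # partner packet from one forged with the same source; that is the
    # limitation the text notes for 2.2.1 and why 2.2.3 adds authentication.
    Packet("outside", "198.51.100.4", "192.0.2.10"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, apply_filters(SAMPLE)):
        print(f"{pkt.iface:7} {pkt.src:>14} -> {pkt.dst:<12} {verdict}")
```

On a real router these two rules are an inbound access list on the Internet-facing interface and an outbound one on the LAN side; the model keeps the same split so each rule can be tested on its own.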

2.3. The threat of DoS attacks can be mitigated in the following ways:

2.3.1. Anti-spoofing features - Properly configuring the anti-spoofing features on your routers and firewalls will help reduce the risk of DoS. These features should, at a minimum, include RFC 2827 filtering. Unless a hacker can disguise his true identity, he is unlikely to attempt an attack.

2.3.2. Anti-DoS Functions - Proper configuration of anti-DoS functions on routers and firewalls can limit the effectiveness of attacks. These features limit the number of half-open channels at any one time.

2.3.3. Traffic rate limiting - agree with the provider (ISP) on limiting the amount of traffic. This type of filtering allows you to limit the amount of non-critical traffic passing through the network. A common example is limiting the amount of ICMP traffic, which is used for diagnostic purposes only; (D)DoS attacks often use ICMP.

2.3.4. Blocking IP addresses - after analyzing the DoS attack and identifying the range of IP addresses from which it is carried out, contact the provider to block them.

2.4. Password attacks can be avoided by not using plain text passwords. One Time Passwords and/or cryptographic authentication can virtually eliminate the threat of such attacks. Not all applications, hosts, and devices support the above authentication methods.

When using regular passwords, you need to come up with a password that is difficult to guess. The minimum password length must be at least eight characters. The password must include uppercase characters, numbers, and special symbols (#, %, $, etc.). The best passwords are hard to guess and hard to remember, which forces users to write them down on paper.

2.5. Man-in-the-Middle attacks can only be effectively dealt with using cryptography. If a hacker intercepts the data of an encrypted session, he will see on the screen not the intercepted message but a meaningless set of characters. Note that if a hacker obtains information about a cryptographic session (e.g. the session key), this can make a Man-in-the-Middle attack possible even in an encrypted environment.

2.6. It is not possible to completely eliminate application layer attacks. Hackers are constantly discovering and publishing on the Internet new vulnerabilities in application programs. The most important thing is good system administration.

Steps you can take to reduce your vulnerability to this type of attack:

  • reading and/or analyzing operating system log files and network log files using special analytical applications;
  • timely updating of operating system and application versions and installation of the latest correction modules (patches);
  • use of attack recognition systems (IDS).

2.7. It is impossible to completely get rid of network reconnaissance. If you disable ICMP echo and echo reply on edge routers, you get rid of pinging, but you lose the data needed to diagnose network failures. Ports can also be scanned without a preliminary ping; this just takes longer, since non-existent IP addresses will also have to be scanned. Network- and host-level IDS systems are usually good at notifying the administrator of ongoing network reconnaissance, which allows better preparation for an upcoming attack and notification of the ISP on whose network the overly curious system is installed.

2.8. You can reduce the risk of breach of trust by controlling the levels of trust within your network more tightly. Systems outside the firewall should never be absolutely trusted by systems protected by the firewall. Trust relationships should be limited to certain protocols and, if possible, be authenticated not only by IP addresses, but also by other parameters.

2.9. The main way to deal with port forwarding is to use strong trust models (see point 2.8). In addition, a host-based IDS (HIDS) can prevent a hacker from installing his software on the host.

2.10. Ways to deal with unauthorized access are quite simple. The main thing here is to reduce or completely eliminate the ability of a hacker to gain access to the system using an unauthorized protocol. As an example, consider preventing hackers from accessing the telnet port on a server that provides Web services to external users. Without access to this port, a hacker will not be able to attack it. As for the firewall, its main task is to prevent the simplest attempts at unauthorized access.

2.11. The fight against viruses and Trojan horses is carried out with the help of effective anti-virus software that works at the user level and at the network level. Antivirus tools detect most viruses and Trojan horses and prevent their spread.

3. Algorithm of actions when network attacks are detected

3.1. Most network attacks are blocked by automatically installed information protection tools (firewalls, trusted boot tools, network routers, antivirus products, etc.).

3.2. Attacks that require human intervention to block them or mitigate the severity of the consequences include DoS attacks.

3.2.1. DoS attacks are detected by analyzing network traffic. The beginning of the attack is characterized by "flooding" of the communication channels with resource-intensive packets carrying fake addresses. Such an attack on the Internet banking site complicates access for legitimate users, and the web resource may become inaccessible.

3.2.2. If an attack is detected, the system administrator performs the following actions:

  • manually switches the router to the backup channel and back in order to identify a less loaded channel (a channel with wider bandwidth);
  • reveals the range of IP addresses from which the attack is carried out;
  • sends a request to the provider to block IP addresses from the specified range.
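An added example (not from the original document) of the analysis in 3.2.1 and 3.2.2: a flood is recognized by the per-second packet rate toward a destination, and the source addresses seen during the flood are then grouped into ranges for the block request to the provider. The flow log, addresses and thresholds are constructed.

```python
import ipaddress
from collections import Counter, defaultdict


def constructed_flow_log():
    """Constructed sample (not real traffic): 20 seconds of three legitimate clients,
    plus, during seconds 10-19, a flood of packets with many faked source addresses
    from one /24, all aimed at the Internet banking web server 192.0.2.10."""
    lines = []
    for t in range(20):
        for host in (20, 21, 22):
            lines.append(f"{1700000000 + t} 198.51.100.{host} 192.0.2.10 tcp 60")
    for t in range(10, 20):
        for k in range(80):  # 80 packets per second from 80 different faked sources
            lines.append(f"{1700000000 + t} 203.0.113.{k % 250 + 1} 192.0.2.10 tcp 1400")
    return "\n".join(lines)


def parse_flows(text):
    """Each line: <unix time> <src> <dst> <proto> <bytes>; returns a list of tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, nbytes = line.split()
        flows.append((int(ts), src, dst, proto, int(nbytes)))
    return flows


def detect_flood(flows, threshold_pps=30):
    """Flag every (destination, second) whose packet rate exceeds the normal baseline."""
    per_second = Counter((dst, ts) for ts, _, dst, _, _ in flows)
    return sorted(key for key, n in per_second.items() if n > threshold_pps)


def attack_ranges(flows, flagged, prefixlen=24, min_hosts=10):
    """Group the sources active during flagged seconds into /prefixlen ranges; ranges
    with fewer than min_hosts distinct sources are left out so that legitimate clients
    are not swept into the block request sent to the provider."""
    flagged = set(flagged)
    hosts = defaultdict(set)
    for ts, src, dst, _, _ in flows:
        if (dst, ts) in flagged:
            net = ipaddress.ip_network(f"{src}/{prefixlen}", strict=False)
            hosts[net].add(src)
    ranked = sorted(hosts.items(), key=lambda item: len(item[1]), reverse=True)
    return [(str(net), len(srcs)) for net, srcs in ranked if len(srcs) >= min_hosts]
```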

3.3. A DoS attack is typically used to disguise a successful attack on a client's resources in order to make it more difficult to detect. Therefore, when a DoS attack is detected, it is necessary to analyze the latest transactions in order to identify unusual transactions, block them (if possible), and contact customers via an alternative channel to confirm the transactions.

3.4. If information about unauthorized actions is received from the client, all available evidence is recorded, an internal investigation is carried out and an application is submitted to law enforcement.


The main purpose of this program is to detect hacker attacks. As you know, the first phase of most hacker attacks is network inventory and port scanning of the discovered hosts. Port scanning helps determine the type of operating system and detect potentially vulnerable services (for example, a mail or web server). After port scanning, many scanners determine the type of service by sending test requests and analyzing the server's response. The APS utility carries out this exchange with the attacker and allows the fact of the attack to be unambiguously identified.


In addition, the purpose of the utility is:

  • detection of various kinds of attacks (primarily port scanning and service identification) and of the appearance of network worms and Backdoor programs (the APS database contains more than a hundred ports used by worms and Backdoor components);
  • testing port scanners and network security (to check the operation of a scanner, run APS on a test computer and perform a port scan; using the APS logs it is easy to determine which checks the scanner performs and in what sequence);
  • testing and operational control of the firewall - in this case the APS utility is launched on a computer with the firewall installed, and port scanning (or other attacks) are carried out against that PC. If APS issues an alarm, this is a signal that the firewall is inoperable or incorrectly configured. APS can run constantly on a firewall-protected computer to monitor the correct functioning of the firewall in real time;
  • blocking and detecting the work of network worms and Backdoor modules - the principle of detection and blocking is based on the fact that the same port can be opened for listening only once. Therefore, opening the ports used by Trojans and Backdoor programs before they are launched will interfere with their work, and after launch it will lead to detection of the fact that the port is being used by another program;
  • testing anti-Trojan programs and IDS systems - more than a hundred ports of the most common Trojans are included in the APS database. Some anti-Trojan tools can perform a port scan of the PC being checked (or build a list of listening ports without scanning, using the Windows API); such tools should report a suspected Trojan presence (with a list of "suspicious" ports). The resulting list is easy to compare with the list of ports in the APS database in order to draw conclusions about the reliability of the tool used.

The program works by listening on the ports described in its database. The port database is constantly updated. The database contains a brief description of each port: either the names of the viruses that use the port, or the name of the standard service to which the port corresponds. When a connection attempt to a listening port is detected, the program records the fact of the connection in the log, analyzes the data received after the connection, and for some services transmits a so-called banner: a certain set of text or binary data that the real service transmits after the connection.
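An added example, not APS's own code, of the principle just described: a small Python sentinel that occupies ports from a constructed port database, logs each connection attempt together with the data received, answers with a banner, and uses the one-listener-per-port rule to tell whether a port is already held by another program. The port list, descriptions and banners are constructed.

```python
import socket
import threading
import time

# Constructed port database in the spirit of APS: port -> description, plus the banner
# the real service on that port would send right after the connection.
PORT_DB = {21: "ftp (standard service)", 23: "telnet (standard service)",
           31337: "Back Orifice backdoor (trojan port)"}
BANNERS = {21: b"220 FTP server ready\r\n", 23: b"login: "}

def port_is_free(port, host="127.0.0.1"):
    """A port can be opened for listening only once: a failed bind means another program holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return True
        except OSError:          # EADDRINUSE: a service, or a backdoor, is already listening
            return False

class PortSentinel:
    """Occupies the given ports, answers with a banner and logs (port, peer, first bytes, description)."""
    def __init__(self, ports, host="127.0.0.1"):
        self.events, self.lock, self.bound = [], threading.Lock(), {}
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((host, port))
            srv.listen(5)
            self.bound[port] = srv.getsockname()[1]  # port 0 lets the OS pick a free port
            threading.Thread(target=self._serve, args=(srv, port), daemon=True).start()

    def _serve(self, srv, port):
        while True:
            conn, addr = srv.accept()
            with conn:
                conn.sendall(BANNERS.get(port, b""))
                conn.settimeout(0.5)
                try:
                    data = conn.recv(256)   # the scanner's service probe, if it sends one
                except socket.timeout:
                    data = b""
            with self.lock:
                self.events.append((port, addr[0], data, PORT_DB.get(port, "unknown port")))

    def wait_for_events(self, count, timeout=2.0):
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline and len(self.events) < count:
            time.sleep(0.02)
        with self.lock:
            return list(self.events)
```

Binding the real ports from PORT_DB requires the usual privileges for low ports; passing 0 lets the operating system choose a free port for a local trial.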
