According to the analysis report on China's Internet network security monitoring data for the first half of 2020, malware control servers, denial-of-service (DDoS) attacks and other network attacks continue unabated. Today, network attacks have become one of the main threats to network information security and business information security.

A network attack is the use of network vulnerabilities and security flaws to attack the hardware, software and data of a network system. The TCP/IP protocol suite is the basic protocol of the network; from the beginning of its design it did not anticipate that the network would face so many threats, which is why so many attack methods exist. Because communication in the network is carried by data packets, automatic capture, decoding and analysis of packets makes it possible to detect and trace network attacks quickly.


TCP/IP protocol

The industry generally divides the TCP/IP protocol stack into four layers: the link layer, the network layer, the transport layer and the application layer. The link layer mainly handles the transmission of data over physical media (such as Ethernet and Token Ring) and is implemented by the network driver for the network card interface. The network layer, using the IP protocol, is the core of the whole protocol stack; its main function is to select routes for and forward packets, realizing Internet interconnection and congestion control. The transport layer provides end-to-end communication for applications between hosts; this layer defines two protocols, TCP and UDP. The main function of the application layer is to handle the logic of applications, for example file transfer, name lookup and network management; the protocols in this layer include the TCP-based FTP (File Transfer Protocol) and HTTP (Hypertext Transfer Protocol), and the UDP-based domain name service DNS.

(Figure: TCP/IP protocol model layer diagram)

Because the TCP/IP protocol stack has four layers, each with its own functions and its own protocols, the attack methods against the different protocol layers also differ:

Attacks on the link layer mainly physically damage network hardware and infrastructure or forcibly change router routes. IP and ARP are the two most important protocols at the network layer, so attacks on the network layer are mainly IP fragment attacks, ARP spoofing and the like. Because TCP and UDP are the two most important protocols at the transport layer, there are many attacks on the transport layer, including DoS attacks. The application layer has the most protocols in the whole stack, so the number of attacks against this layer is extremely large; a common example is DNS spoofing.


ARP attack

ARP (Address Resolution Protocol) resolves the IP address of a network host into a MAC address. Each host device has an ARP cache. The host first checks its own ARP cache and decides accordingly: if the entry exists, it can map the address directly; if not, it broadcasts an ARP request packet. Each host that receives the request checks whether the target IP address in the packet is the same as its own IP address; if it is, the host sends an ARP response announcing its MAC address. When the source node receives the ARP response packet, it obtains the target host's IP address and MAC address and adds the address pair as a mapping entry to its own ARP cache.

(Figure: how the ARP protocol works)

An ARP attack is ARP spoofing carried out with forged IP and MAC addresses; by creating large amounts of ARP traffic it congests the network. The attacker only needs to keep sending forged ARP response packets to change the IP-MAC entries in the target host's ARP cache, causing network interruption or a man-in-the-middle attack; for this reason ARP attacks are also commonly referred to as ARP spoofing.

Although ARP attacks can only be carried out on Ethernet, the barrier to entry is very low and the impact is great, for example network disconnection attacks, throttled traffic, account theft and so on. Network operations and maintenance can adopt ARP defense mechanisms, for example deploying port mirroring on the switch and capturing and analyzing suspicious packets, and can also combine this with DHCP snooping and IP source guard technology to maintain network security.
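The capture-and-analyze defense described above, as an added example that is not part of the original article: a small detector that replays constructed ARP records (not a real capture) and applies two checks derived from how ARP is meant to work. The record layout, IP and MAC values, and the unsolicited-reply threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed ARP records: (time_s, op, sender_ip, sender_mac, target_ip).
# op is "request" or "reply". Sample data for the example, not a real capture.
SAMPLE_ARP = [
    (0.0, "request", "10.0.0.5", "aa:aa:aa:aa:aa:05", "10.0.0.1"),
    (0.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.5"),
    (1.0, "request", "10.0.0.7", "aa:aa:aa:aa:aa:07", "10.0.0.1"),
    (1.1, "reply",   "10.0.0.1", "aa:aa:aa:aa:aa:01", "10.0.0.7"),
    # Unsolicited replies claiming the gateway IP with a different MAC.
    (5.0, "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
    (5.5, "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.7"),
    (6.0, "reply",   "10.0.0.1", "de:ad:be:ef:00:01", "10.0.0.5"),
]

def detect_arp_spoofing(records, unsolicited_limit=2):
    """Return a list of alert strings for suspicious ARP replies.

    Check 1: an IP already mapped to one MAC must not be answered with another
             (this is the IP-MAC cache entry an ARP attack tries to overwrite).
    Check 2: a reply should follow a request from its target; replies with no
             matching request are counted per sender MAC and reported once the
             count reaches unsolicited_limit.
    """
    ip_to_mac = {}                  # learned IP -> MAC table, like a host's ARP cache
    pending = set()                 # (requester_ip, queried_ip) awaiting a reply
    unsolicited = defaultdict(int)  # sender MAC -> number of unsolicited replies
    alerts = []
    for t, op, sip, smac, tip in records:
        if op == "request":
            pending.add((sip, tip))
            continue
        known = ip_to_mac.setdefault(sip, smac)
        if known != smac:
            alerts.append(f"t={t}: IP {sip} was {known}, now claimed by {smac}")
        if (tip, sip) in pending:
            pending.discard((tip, sip))   # a legitimate answer to an open request
        else:
            unsolicited[smac] += 1
            if unsolicited[smac] == unsolicited_limit:
                alerts.append(f"t={t}: {smac} sent {unsolicited_limit} unsolicited replies")
    return alerts
```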


DoS attack

TCP is a stream-based, connection-oriented, reliable communication protocol; it can reduce the bandwidth overhead caused by retransmission when network conditions are poor. Specifically, establishing a TCP connection involves three steps, each an exchange between sender and receiver, commonly called the "three-way handshake": the sender sends a SYN packet and enters the SYN_SENT state, indicating the server port and initial sequence number of the planned connection, and waits for the receiver's confirmation; the receiver receives the SYN packet, sends a SYN_ACK to confirm the sender and enters the SYN_RECV state; the sender receives the SYN_ACK packet and sends an ACK to the receiver, and the connection between the two parties is established.

(Figure: the TCP three-way handshake)

Because TCP is a connection-oriented transmission control protocol, the main purpose of a DoS attack is to make the host or network unable to receive or process external requests. For example: creating a large amount of useless data to cause network congestion, so that the attacked host cannot communicate normally with the outside world; exploiting a duplicate-connection defect by sending the same service request over and over, so that the host cannot process other requests normally; or exploiting defects in the protocol by repeatedly sending attack data that occupies host or system resources and causes a crash.

In a nutshell, DoS (Denial of Service) attacks usually flood the local system with packets to disturb or seriously hinder the local service's responses to legitimate external requests, or to crash the local system. The SYN flood is the most common type of DoS attack. The attacker masquerades its own IP source address and sends TCP connection requests to the local system; the local system replies SYN-ACK to the masqueraded address, never receives an RST message and never receives an ACK response, so the connection stays half-open until resources are exhausted. The attacker sends connection requests faster than the TCP timeout releases resources, and by repeating connection requests makes the local service unable to accept other connections. The best way to deal with SYN floods is a good prevention strategy: use network performance management tools to filter suspicious packets automatically, shorten the SYN timeout, and set up SYN cookies, setting a cookie for each request; if repeated SYN messages from the same IP are received within a short period, treat it as an attack and discard that IP address.


DNS attack

The IP protocol is used to transfer packets from the source device to the destination device, relying on IP addresses and IP routers. An IP address is machine language and usually long, so although each IP address is unique, it is not convenient to remember and use; on this basis people invented DNS. DNS (Domain Name System) is the domain name system; domain names are usually short and are both readable and practical. Because there is a one-to-one correspondence between domain names and IP addresses, when surfing the Internet one only needs to enter the domain name in the address bar: the system resolves the domain name directly, translating it into an IP address.

After a domain name lookup, the domain name server keeps a record of the domain name; each record contains the domain name and its IP address. If an address in the domain name server is artificially modified, the address a user is directed to can be manipulated at will; this behaviour is known as "domain hijacking". The originator of "domain hijacking" is the domain name server provider, so the effective way to solve this problem is to discard or replace the domain name server.

Besides "domain hijacking", another common DNS attack is called "domain name pollution" or "domain name spoofing". When the computer sends a "domain name query" to the domain name server, the DNS server sends the response back to the computer; sending the request and receiving the answer is a process with a time gap in between. The attack takes place before the real answer is received: a false response is sent to the computer, so the information it accepts is a wrong IP.
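The race described above, as an added example that is not part of the original article: a monitor that matches constructed DNS records (not a real capture) to the queries that preceded them, accepts the first matching response exactly as a resolver would, and reports a later conflicting answer or a response with no outstanding query. The record layout, transaction IDs and addresses are assumptions made for the example.

```python
# Constructed DNS records: (time_s, kind, txid, client_port, qname, answer).
# kind is "query" or "response"; answer is None for queries.
SAMPLE_DNS = [
    (0.00, "query",    0x1a2b, 51000, "example.com",  None),
    (0.02, "response", 0x1a2b, 51000, "example.com",  "192.0.2.44"),
    (1.00, "query",    0x3c4d, 51001, "bank.example", None),
    # A response that arrives first, then the real one with a different address.
    (1.01, "response", 0x3c4d, 51001, "bank.example", "203.0.113.66"),
    (1.05, "response", 0x3c4d, 51001, "bank.example", "198.51.100.20"),
    # A response for which no query was ever sent.
    (2.00, "response", 0x7777, 51002, "mail.example", "203.0.113.9"),
]

def check_dns_responses(records):
    """Match DNS responses to earlier queries and flag anomalies.

    Returns (accepted, alerts). A response is matched on (txid, client_port,
    qname). The first matching response is accepted, which is exactly why a
    forged response that arrives before the real one wins. A later response
    for the same name with a different answer, and any response with no
    outstanding query, is reported.
    """
    pending = {}    # (txid, client_port, qname) -> time the query was sent
    accepted = {}   # qname -> answer the client will have cached
    alerts = []
    for t, kind, txid, port, qname, answer in records:
        key = (txid, port, qname)
        if kind == "query":
            pending[key] = t
            continue
        if key in pending:
            del pending[key]
            accepted[qname] = answer
        elif qname in accepted and accepted[qname] != answer:
            alerts.append(f"t={t}: conflicting answers for {qname}: "
                          f"{accepted[qname]} accepted, then {answer}")
        elif qname not in accepted:
            alerts.append(f"t={t}: response for {qname} (txid {txid:#06x}) "
                          "with no matching query")
    return accepted, alerts
```

A response that simply repeats an already accepted answer (a retransmission) is left silent, so the alerts point only at the cases the text describes.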

Facing network attacks, we need to raise security awareness, maintain systems actively and responsibly, and strengthen firewall settings; network attacks can also be traced by analyzing packets. Through network data capture and decoding analysis, grasping the most subtle changes in the network and configuring effective alarms for the characteristic values or behaviours of network attacks, an attack in the network can be located quickly. Network performance management tools with security protection functions can also be used: Tiandan network performance management (NPM) supports automatic analysis of suspicious packets such as TCP port scans, ARP attacks and DoS attacks, raising alarms automatically and ensuring the normal transmission and use of data.