Packet rules based purely on ports and programs are indeed an outdated technique
For the main function of a firewall on a PC, monitoring the network activity of programs, the challenges it now faces and Kaspersky 8's solution are explained clearly in the post "Adapting to the change in KIS 8.0's program monitoring approach" (《适应KIS 8.0程序监控方式的转变》).
As for external attacks, let's first look at a passage from the Kaspersky 8 help file, under Online Security → Intrusion Prevention System:
Types of detected network attacks
There are currently a multitude of various network attacks that utilize operating system vulnerabilities and other software, system or otherwise, installed on your computer.
To timely ensure the security of your computer, you must know what kinds of network attacks you might encounter. Known network attacks can be divided into three major groups:
Port scan – this threat is not an attack in and of itself, but usually precedes one, since it is one of the common ways of obtaining information about a remote computer. The UDP/TCP ports used by the network tools on the computer in question are scanned to find out what state they are in (closed or open).
Port scans can tell a hacker what types of attacks will work on that system and what types will not. In addition, the information obtained by the scan (a model of the system) will help the malefactor to know what operating system the remote computer uses. This in turn further restricts the number of potential attacks, and, correspondingly, the time spent running them. It also aids a hacker in attempting to use vulnerabilities particular to that operating system.
DoS (Denial of Service) attacks – these are attacks that result in the system attacked reaching an unstable or entirely inoperable state. Attacks of this type may lead to the impossibility to use the information resources under attack (for example, impossibility of internet access).
There are two basic types of DoS attacks:
Sending the target computer specially created packets that the computer does not expect, which cause the system either to restart or to stop
Sending the target computer many packets within a timeframe that the computer cannot process, which cause system resources to be exhausted
The following attacks are common examples from this group:
Ping of death attack consists of sending an ICMP packet with a size greater than the maximum of 64 KB. This attack can crash some operating systems.
Land attack consists of sending a request to an open port on your computer to establish a connection with itself. This sends the computer into a cycle, which intensifies the load on the processor and can end with some operating systems crashing.
ICMP Flood attack consists of sending a large quantity of ICMP packets to your computer. The attack leads to the computer being forced to reply to each inbound packet, which seriously weighs down the processor.
SYN Flood attack consists of sending a large quantity of queries to your computer to establish a fake connection. The system reserves certain resources for each of those connections, which completely drains your system resources, and the computer stops reacting to other connection attempts.
Intrusion attacks, which aim to take over your computer. This is the most dangerous type of attack, where, if it is successful, the hacker has complete control of your system.
Hackers use this attack when they need to obtain confidential information from a remote computer (for example, credit card numbers, passwords) or to take hold of the system to use its resources later for malicious purposes (using the captured system in zombie networks or as a platform for new attacks).
This group also contains more attacks than any other. They can be divided into three subgroups based on operating system: Microsoft Windows attacks, Unix attacks, and the general group for network services used in both operating systems.
The most common types of attacks that use operating system network tools are:
Buffer overflow attacks – type of vulnerability in software that surfaces because of no control or insufficient control in handling massive amounts of data. This is one of the oldest vulnerability types and the easiest for hackers to exploit.
Format string attacks – type of vulnerability in software that arises from insufficient control of input values for I/O functions such as printf(), fprintf(), scanf(), and others from the C standard library. If a program has this vulnerability, the hacker, with the ability to send queries created with a special technique, can gain complete control of the system.
Intrusion Detector automatically analyzes and blocks attempts to exploit these vulnerabilities in the most common network tools (FTP, POP3, IMAP) if it is running on the user’s computer.
Microsoft Windows OS attacks are based on taking advantage of vulnerabilities in software installed on the computer (for example, programs such as Microsoft SQL Server, Microsoft Internet Explorer, Messenger, and system components that can be accessed through the network – DCom, SMB, Wins, LSASS, IIS5).
In addition, there are isolated incidents of intrusion attacks using various malicious scripts, including scripts processed by Microsoft Internet Explorer and Helkern-type worms. The essence of this attack type consists of sending a special type of UDP packets to a remote computer that can execute malicious code.
I think this short piece explains today's main attack methods quite clearly. Of the three groups of attacks:

The second, DoS, has four main kinds. Ping of death and Land attack both rely on non-standard packets; early systems did not check network packets, but today's systems generally do, or the installed security software or hardware checks them, so they are of little use now. The common ones in this group today are ICMP Flood and SYN Flood, the so-called flood attacks ("drown you in spit"). But on a personal PC, if you run into one you simply pull the network cable or change your IP and that's that, unlike a server, which has to keep providing service. One can say this group is of little use against a personal PC; the useful ones are the other two.

The first, Port Scan, mainly lays the groundwork for later attacks. Two follow-ups are possible. One is finding the service ports opened by certain trojans; many trojans open a fixed port for their "master" to use. The popularity of this technique a few years ago was one of the reasons port- and program-based packet-rule firewalls were widely deployed on PCs. On one hand, a fixed port is extremely easy to discover, so this approach is rarely used now; on the other, under Kaspersky 8's tight internal monitoring it becomes very difficult for a trojan to steal information. The other follow-up is sniffing out exploitable information, such as vulnerabilities, and launching the third group of attacks.

The third group exploits vulnerabilities in the system (a personal PC generally does not provide services to the outside, so vulnerabilities in those programs are not discussed here); when such an attack succeeds, it basically gains control of the system. These are mainly caused by carelessness about security when writing code; the common buffer overflows and format string bugs can all be avoided with constant attention while coding. Microsoft's monthly patches are often fixes for such discovered vulnerabilities.

Summing up the discussion above, the attacks that matter on a personal PC are: Port Scan as groundwork, followed by the third group. Port- and program-based packet rules cannot provide a good defense if the attack is targeted. Yet these attacks all have very obvious signatures and are easily detected by an IPS. Usually, already during the port scan, the IPS detects it and cuts off all network communication with the attacking IP. So in Kaspersky 8, the defense against external attacks is still quite secure. Having stealth would of course be better, but many recent applications (mainly P2P) have problems working in stealth mode, as is often reported in the forum. I guess Kaspersky 8's development team weighed this up and, since it can provide adequate defense, dropped stealth mode (actually it still keeps two rules, TCP inbound stream and UDP inbound stream; setting them to deny is the so-called stealth mode. "Inbound stream" does not mean all incoming data, only connections initiated by other machines, which is very common in P2P applications).
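To make the two points above concrete, here is an added example (not code from the post or from Kaspersky) that models a "deny inbound stream" rule on a stateful packet stream and the IPS behaviour of cutting off a source once it is seen probing many ports. The event format, the window and the port threshold are assumptions for the example; the IPS's real thresholds are not given in the post.

```python
from collections import defaultdict, deque

# Constructed sample events shaped like minimal firewall log records (not real traffic):
# (time_s, direction, remote_ip, local_port, remote_port, tcp_flags); "in" = arriving at this
# PC, "out" = sent by it; flags "S" = SYN, "SA" = SYN+ACK, "A" = ACK.
SAMPLE_EVENTS = [
    (0.0, "out", "198.51.100.5", 50000, 443, "S"),   # the PC opens an HTTPS connection
    (0.1, "in",  "198.51.100.5", 50000, 443, "SA"),  # reply to it: inbound data, not an inbound stream
    (0.2, "out", "198.51.100.5", 50000, 443, "A"),
    (2.0, "in",  "192.0.2.9",    6881, 40100, "S"),  # a P2P peer initiating a connection to us
] + [
    # one remote host probing eight local ports within about two seconds
    (3.0 + 0.3 * i, "in", "203.0.113.7", port, 40200 + i, "S")
    for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 445])
] + [
    (7.0, "in", "203.0.113.7", 3389, 40300, "S"),    # anything further from the scanner is cut off
    (8.0, "in", "203.0.113.7", 50000, 443, "A"),     # even packets that look like replies
]

SCAN_WINDOW_S = 10.0       # assumed: distinct local ports counted per source within this window
SCAN_PORT_THRESHOLD = 8    # assumed: at this many distinct ports the source is treated as scanning

def filter_events(events, stealth=True):
    """Return ([(event, verdict), ...], scanning_ips); verdicts are allow, drop:inbound_stream, drop:scanner."""
    our_flows = set()              # (remote_ip, local_port, remote_port) of connections this PC opened
    probes = defaultdict(deque)    # remote_ip -> recent (time, local_port) of remote-initiated SYNs
    scanners = set()
    out = []
    for ev in events:
        t, direction, ip, lport, rport, flags = ev
        flow = (ip, lport, rport)
        if direction == "out":
            if flags == "S":
                our_flows.add(flow)
            out.append((ev, "allow"))
            continue
        if ip in scanners:                      # IPS reaction: no traffic at all from a flagged source
            out.append((ev, "drop:scanner"))
            continue
        # An "inbound stream" is a SYN from the remote side that is not part of a flow we started.
        inbound_stream = flags == "S" and flow not in our_flows
        if inbound_stream:
            q = probes[ip]
            q.append((t, lport))
            while t - q[0][0] > SCAN_WINDOW_S:  # keep only probes inside the sliding window
                q.popleft()
            if len({p for _, p in q}) >= SCAN_PORT_THRESHOLD:
                scanners.add(ip)
                out.append((ev, "drop:scanner"))
                continue
        out.append((ev, "drop:inbound_stream" if inbound_stream and stealth else "allow"))
    return out, scanners
```

With stealth=False the P2P peer's connection is allowed while the scanning source is still cut off, which is the trade-off the post describes.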
[ This post was last edited by bluaze on 2008-5-1 20:14 ]