Four current trends in hacking attacks

Author: (not stated)    Updated: 2008-10-27 12:28:35

Since 1988, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University has been studying intruder activity. From that work CERT/CC has identified a number of trends in how intruders attack.

Trend one: attack tools are increasingly automated, and attacks are updated rapidly

The level of automation in attack tools keeps rising. An automated attack involves four stages, and each of them has changed.

1. Scanning for potential victims. Widespread scanning activity began in 1997. Today's scanning tools use more advanced scanning techniques, are more capable, and are faster.

2. Compromising vulnerable systems. In the past, exploitation of a vulnerable system took place only after a broad scan had finished. Now the exploit is built into the scanning tool itself, so a vulnerable host is compromised as soon as it is found, which greatly accelerates the pace of intrusion.

3. Propagating the attack. Before 2000, attack tools needed a person to launch each new round of attacks. Now attack tools launch the next round automatically. For example, the Code Red and Nimda worms spread across the entire world within 18 hours.

4. Coordinated management of attack tools. Since 1999, with the emergence of distributed attack tools, an attacker has been able to manage and coordinate a large number of deployed attack tools across the Internet. As a result, attackers can now launch distributed denial-of-service attacks far more effectively. These coordination functions ride on a range of popular protocols, such as IRC (Internet Relay Chat) and IM (instant messaging).

Trend two: attack tools are increasingly sophisticated

Authors of attack tools are using more advanced techniques than ever before. The signatures of attack tools are becoming harder to discover through analysis, and harder to detect with signature-based systems such as anti-virus software and intrusion detection systems. Three important characteristics of today's attack tools are anti-detection, dynamic behavior, and modularity.

1. Anti-detection. Attackers use techniques to hide the nature of their attack tools. This makes it harder and more time-consuming for security experts, even with a variety of new analysis methods, to work out what an attack is doing.

2. Dynamic behavior. Earlier attack tools carried out the steps of an attack in a single fixed sequence. Today's automated attack tools can vary their behavior in several ways: random selection, predefined decision paths, or direct control by the intruder.

3. Modularity. Whereas an earlier attack tool implemented a single attack, a new attack tool can be changed quickly by upgrading or replacing individual modules. Moreover, attack tools run on a growing number of platforms. For example, many attack tools use standard protocols such as HTTP and IRC to carry commands and data, which makes it much harder to pick attack traffic out of normal network traffic by analyzing its characteristics.

Trend three: vulnerabilities are discovered faster

The number of vulnerabilities reported to CERT/CC doubles every year. CERT/CC recorded 1,090 vulnerabilities in 2000, 2,437 in 2001, and 4,129 in 2002, which works out to more than ten newly discovered vulnerabilities every day. It is easy to imagine how hard it is for administrators to keep up with the pace of patching. Moreover, intruders often find vulnerabilities before the software vendors have fixed them. With the trend toward automated vulnerability discovery tools, the time left for users to patch keeps shrinking. Buffer overflow vulnerabilities in particular are extremely dangerous and ubiquitous, and are the biggest computer security threat. In investigations by CERT and other security organizations worldwide, this class of vulnerability has had the most serious consequences on network servers.

Trend four: firewalls are increasingly penetrated

Firewalls are commonly relied on to provide the main perimeter protection. However, the situation is that:

* Techniques already exist for bypassing typical firewall configurations, for example by tunneling over IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning).

* Some protocols advertised as "firewall friendly" are in fact designed to pass through typical firewall configurations.

Certain properties of "mobile code" (such as ActiveX controls, Java and JavaScript) make it harder both to protect vulnerable systems and to discover malicious software.

In addition, as the Internet keeps growing, computers on it become ever more interdependent. Once a computer has been compromised, it is likely to become a base for the intruder and a springboard for further attacks. Attacks against network infrastructure such as the DNS system and routers are becoming an increasingly serious security threat.

Active defense measures against the new generation of network attacks

In its first nine hours on the Internet, the "Code Red" worm infected more than 250,000 computer systems. The cost of the infection grew rapidly, at 200 million US dollars per day, and total losses eventually reached 2.6 billion US dollars. "Code Red", "Code Red II", "Nimda" and "Cover Letter" show that rapidly spreading threats expose serious limitations in network defenses. Most intrusion detection systems on the market are simple, and they have no adequate defense against new, unknown network threats, often called "zero-day attacks" (the article's term is "instantaneous attacks").

The hacker's "window of opportunity"

At present, most intrusion detection systems are limited by their reliance on signatures to identify attack behavior. Such a system monitors for specific attack patterns and recognizes them by matching against signatures stored in its database, much as anti-virus software checks for known viruses. This means these systems can only detect specific attacks that have already been built into their signature sets. A "zero-day attack" is new and not yet widely recognized, so until a new signature has been developed, installed and configured, the attack passes these systems undetected. In fact, a known attack need only be slightly modified for the system to fail to recognize it, which gives intruders an easy way to evade signature-based defenses.
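The following Python example is added here to make that last point concrete; it is not code from the article or from any product it mentions. It runs a tiny signature engine over a handful of constructed HTTP request lines: an exact-substring match (the way a simple signature engine works) catches only the textbook form of each attack, while URL-encoding, double-encoding, a change of letter case or extra whitespace slips past it. A second matcher canonicalizes the request before matching and catches the variants. The signature names, the request lines and the three-round decode limit are all assumptions chosen for the example.

```python
"""Added example (not from the article): how trivially modified attacks evade
exact-match signatures, and what canonicalization before matching recovers.
All signatures and request lines below are constructed for this example."""
import re
from urllib.parse import unquote

# A minimal "signature database": signature name -> literal pattern an IDS looks for.
SIGNATURES = {
    "dir-traversal-passwd": "../../etc/passwd",
    "sql-inject-tautology": "' or 1=1",
}

# Constructed sample traffic: the request line of several HTTP requests.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1",                                       # benign
    "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0",               # textbook form
    "GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0",         # URL-encoded slashes
    "GET /cgi-bin/view?file=..%252F..%252Fetc%252Fpasswd HTTP/1.0",   # double-encoded
    "GET /login?user=admin'%20OR%201=1 HTTP/1.1",                     # case and encoding changed
    "GET /login?user=admin'  or   1=1 HTTP/1.1",                      # extra whitespace
]


def naive_match(request, signatures=SIGNATURES):
    """Exact substring search: the behaviour of a simple signature engine."""
    return [name for name, pattern in signatures.items() if pattern in request]


def normalise(request):
    """Canonicalize before matching: URL-decode repeatedly (bounded so nested
    encoding cannot force unbounded work), lower-case, collapse whitespace."""
    text = request
    for _ in range(3):  # assumed limit; three rounds cover double encoding
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    return re.sub(r"\s+", " ", text)


def normalised_match(request, signatures=SIGNATURES):
    """Match signatures against the canonicalized request."""
    norm = normalise(request)
    return [name for name, pattern in signatures.items() if normalise(pattern) in norm]


def compare(requests=SAMPLE_REQUESTS):
    """Return (naive_hits, normalised_hits): how many requests each matcher flags."""
    naive_hits = sum(1 for r in requests if naive_match(r))
    norm_hits = sum(1 for r in requests if normalised_match(r))
    return naive_hits, norm_hits


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r}\n  naive={naive_match(req)}  normalised={normalised_match(req)}")
    print("flagged (naive, normalised):", compare())  # (1, 5)
```

The naive matcher flags one of the five malicious requests; the canonicalizing matcher flags all five. Canonicalization narrows the gap the article describes but does not close it: the detector's decoding must mirror what the target server actually does (a request the server decodes differently is a classic evasion), and an attack that is genuinely new still has no signature at all.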

The time between the launch of a new attack and the release of a signature for it is a dangerous "window of opportunity" during which many networks are broken into. In this period many fast intrusion tools are developed, and networks are highly vulnerable. The chart illustrates why most security products are in fact ineffective during this period. The chart, produced by CERT, shows the life cycle of a typical network attack. The peak of the curve comes after the first attack, and that is the point at which most security products begin to provide protection. The "zero-day attacks" of the most sophisticated hackers, however, are launched in the critical early stage before that.
