各位英雄救命啊，那位大侠帮忙翻译一下啊

急啊！救命啊
Network Attack and Defense
Whoever thinks his problem can be solved using
cryptography, doesn’t understand his problem and doesn’t
understand cryptography.

18.1 Introduction
Internet security is a fashionable and fast-moving field; the attacks that are catching the
headlines can change significantly from one year to the next. Regardless of whether
they’re directly relevant to the work you do, network-based attacks are so high-profile
that they are likely to have some impact, even if you only use hacker stories to get your
client to allocate increased budgets to counter the more serious threats. The point is,
some knowledge of the subject is essential for the working security engineer.
There are several fashionable ideas, such as that networks can be secured by encryption
and that networks can be secured by firewalls. The best place to start debunking
these notions may be to look at the most common attacks. (Of course, many attacks
are presented in the media as network hacking when they are actually done in more
traditional ways. A topical example is the leak of embarrassing emails that appeared to
come from the office of the U.K. prime minister, and were initially blamed on hackers.
As it turned out, the emails had been fished out of the trash at the home of his personal
pollster by a private detective called Benji the Binman, who achieved instant celebrity
status [520].)
18.1.1 The Most Common Attacks
Many actual attacks involve combinations of vulnerabilities. Examples of vulnerabilities
we’ve seen in earlier chapters include stack overflow attacks (where you pass an
367
Anderson-44022 Book February 20, 2001 12:40
368 Security Engineering: A Guide to Building Dependable Distributed Systems
over-long parameter to a program that carelessly executes part of it) and password
guessing, both of which were used by the Internet worm. A common strategy is to
get an account on any machine on a target network, then install a password sniffer to
get an account on the target machine, then use a stack overflow to upgrade to a root
account.
The exact vulnerabilities in use change from one year to the next, as bugs in old
software get fixed and new software releases a new crop of them. Still, there are some
patterns, and some old favorites that keep coming back in new guises. Here’s a list of
the top 10 vulnerabilities, as of June 2000 [670].
1. A stack overflow attack on the BIND program, used by many Unix and Linux
hosts for DNS, giving immediate account access.
2. Vulnerable CGI programs on Web servers, often supplied by the vendor as
sample programs and not removed. CGI program flaws are the common means of
taking over and defacing Web servers.
3. A stack overflow attack on the remote procedure call (RPC) mechanism, used by
many Unix and Linux hosts to support local networking, and which allows
intruders immediate account access (this was used by most of the distributed
denial of service attacks launched during 1999 and early 2000).
4. A bug in Microsoft’s Internet Information Server (IIS) Web server software,
which allowed immediate access to an administrator account on the
server.
5. A bug in sendmail, the most common mail program on Unix and Linux
computers. Many bugs have been found in sendmail over the years, going back
to the very first advisory issued by CERT in 1988. One of the recent flaws can be
used to instruct the victim machine to mail its password file to the attacker, who
can then try to crack it.
6. A stack overflow attack on Sun’s Solaris operating system, which allows
intruders immediate root access.
7. Attacks on NFS (which I’ll describe shortly) and their equivalents on Windows
NT and Macintosh operating systems. These mechanisms are used to share files
on a local network.
8. Guesses of usernames and passwords, especially where the root or
administrator password is weak, or where a system is shipped with default
passwords that people don’t bother to change.
9. The IMAP and POP protocols, which allow remote access to email but are often
misconfigured to allow intruder access.
10. Weak authentication in the SNMP protocol, used by network administrators to
manage all types of network-connected devices. SNMP uses a default password
of “public” (which a few “clever” vendors have changed to “private”).
Observe that none of these attacks is stopped by encryption, and not all of them by
firewalls. For example, vulnerableWeb servers can be kept away from back-end business
systems by putting them outside the firewall, but they will still be open to vandalism;
Anderson-44022 Book February 20, 2001 12:40
Chapter 18: Network Attack and Defense 369
and if the firewall runs on top of an operating system with a vulnerability, then the bad
guy may simply take it over.
Although some of these attacks may have been fixed by the time this book is published,
the underlying pattern is fairly constant. Most of the exploits make use of program bugs,
of which the majority are stack overflow vulnerabilities. The exploitation of protocol
vulnerabilities (such as NFS) vies with weak passwords for second place.
In effect, there is a race between the attackers, who try to find loopholes, and the
vendors, who develop patches for them. Capable motivated attackers may find exploits
for themselves and keep quiet about them, but most reported attacks involve exploits
that are not only well known but for which tools are available on the Net.
18.1.2 Skill Issues: Script Kiddies
and Packaged Defense
One of the main culture changes brought by the Net is that, until recently, sophisticated
attacks on communications (such as middleperson attacks) were essentially the
preserve of national governments. Today, we find not just password-snooping attacks
but also more subtle routing attacks being done by kids, for fun. The critical change
here is that people write the necessary exploit software, then post it on sites such as
www.rootshell.com, from which script kiddies can download it and use it. This term
refers primarily to young pranksters who use attack scripts prepared by others, but it
also refers to any unskilled people who download and launch tools they don’t fully understand.
As systems become ever more complicated, even sophisticated attackers are
heading this way; no individual can keep up with all the vulnerabilities that are discovered
in operating systems and network protocols. In effect, hacking is being progressively
deskilled, while defence is becoming unmanageably complex.
As discussed in Chapter 4, the Internet protocol suite was designed for a world in
which trusted hosts at universities and research labs cooperated to manage networking
in a cooperative way. That world has passed away. Instead of users being mostly honest
and competent, we have a huge user population that’s completely incompetent (many of
whom have high-speed always-on connections), a (small) minority that’s competent and
honest, a (smaller) minority that’s competent and malicious, and a (less small) minority
that’s malicious but uses available tools opportunistically.
Deskilling is also a critical factor in defense. There are a few organizations, such as
computer companies, major universities, and military intelligence agencies, that have
people who know how to track what’s going on and tune the defenses appropriately.
But most companies rely on a combination of standard products and services. The
products include firewalls, virus scanners, and intrusion detection systems; the services
are often delivered in the form of new configuration files for these products. In these
ways, vulnerabilities become concentrated. An attacker who can work out a defeat of a
widely sold system has a wide range of targets to aim at.
We’ll now look at a number of specific attack and defense mechanisms. Keep in mind
here that the most important attack is the stack overwriting attack, and the second most
important is password guessing; but because I already covered the first in Chapter 4 and
the second in Chapters 2–3, we’ll move down to number three: vulnerabilities in network
protocols.
Anderson-44022 Book February 20, 2001 12:40
370 Security Engineering: A Guide to Building Dependable Distributed Systems
18.2 Vulnerabilities in Network Protocols
Commodity operating systems such as Unix and NT are shipped with a very large
range of network services, many of which are enabled by default, and/or shipped with
configurations that make “plug and play” easy—for the attacker as well as the legitimate
user. We will look at both local area and Internet issues; a common theme is
that mapping methods (between addresses, filenames, etc.) provide many of the weak
points.
This book isn’t an appropriate place to explain network protocols, so I offer a telegraphic
summary, as follows: the Internet Protocol (IP) is a stateless protocol that transfers
packet data from one machine to another; it uses 32-bit IP addresses, often written
as four decimal numbers in the range 0–255, such as 172.16.8.93. Most Internet services
use a protocol called Transmission Control Protocol (TCP), which is layered on top
of IP, and provides virtual circuits by splitting up the data stream into IP packets and
reassembling it at the far end, asking for repeats of any lost packets. IP addresses are
translated into the familiar Internet host addresses using the Domain Name System
(DNS), a worldwide distributed service in which higher-level name servers point to
local name servers for particular domains. Local networks mostly use Ethernet, in which
devices have unique Ethernet addresses, which are mapped to IP addresses using the
Address Resolution Protocol (ARP).
There are many other components in the protocol suite for managing communications
and providing higher-level services. Most of them were developed in the days when the
Net had only trusted hosts, and security wasn’t a concern. So there is little authentication
built in; and attempts to remedy this defect with the introduction of the next generation
of IP (IPv6) are likely to take many years.
18.2.1 Attacks on Local Networks
Let’s suppose that the attacker is one of your employees; he has a machine attached to
your LAN, and he wants to take over an account in someone else’s name to commit a
fraud. Given physical access to the network, he can install packet sniffer software to
harvest passwords, get the root password, and create a suitable account. However, if
your staff use challenge-response password generators, or are careful enough to only
use a root password at the keyboard of the machine it applies to, then he has to be more
subtle.
One approach is to try to masquerade as a machine where the target user has already
logged on. ARP is one possible target; by running suitable code, the attacker can give
wrong answers to ARP messages and claim to be the victim. The victim machine might
notice if alert, but the attacker can always wait until it is down—or take it down by using
another attack. One possibility is to use subnet masks.
Originally, IP addresses used the first 3 bits to specify the split between the network
address and the host address. Now they are interpreted as addressing network, subnetwork,
and host, with a variable network mask. Diskless workstations, when booting,
broadcast a request for a subnet mask; many of them will apply any subnet mask they
receive at any time. So by sending a suitable subnet mask, a workstation can be made
to vanish.
Anderson-44022 Book February 20, 2001 12:40
Chapter 18: Network Attack and Defense 371
Another approach, if the company uses Unix systems, is to target Sun’s Network
File System (NFS), the de facto standard for Unix file sharing. This allows a number
of workstations to use a network disk drive as if it were a local disk; it has a number
of well-known vulnerabilities to attackers who’re on the same LAN. When a volume
is first mounted, the client requests from the server a root filehandle, which refers to
the root directory of the mounted filesystem. This doesn’t depend on the time, or the
server generation number, and it can’t be revoked. There is no mechanism for peruser
authentication; the server must trust a client completely or not at all. Also, NFS
servers often reply to requests from a different network interface to the one on which
the request arrived. So it’s possible to wait until an administrator is logged in at a file
server, then masquerade as her to overwrite the password file. For this reason, many
sites use alternative file systems, such as ANFS.
18.2.2 Attacks Using Internet
Protocols and Mechanisms
Moving up to the Internet protocol suite, the fundamental problem is similar: there is no
real authenticity or confidentiality protection in most mechanisms. This is particularly
manifest at the lower-level TCP/IP protocols.
Consider, for example, the three-way handshake used by Alice to initiate a TCP connection
to Bob and to set up sequence numbers, shown in Figure 18.1.
This protocol can be exploited in a surprising number of different ways. Now that
service denial is becoming really important, let’s start off with the simplest service denial
attack: the SYN flood.急啊！救命啊
Network Attack and Defense
Whoever thinks his problem can be solved using
cryptography, doesn’t understand his problem and doesn’t
understand cryptography.

18.1 Introduction
Internet security is a fashionable and fast-moving field; the attacks that are catching the
headlines can change significantly from one year to the next. Regardless of whether
they’re directly relevant to the work you do, network-based attacks are so high-profile
that they are likely to have some impact, even if you only use hacker stories to get your
client to allocate increased budgets to counter the more serious threats. The point is,
some knowledge of the subject is essential for the working security engineer.
There are several fashionable ideas, such as that networks can be secured by encryption
and that networks can be secured by firewalls. The best place to start debunking
these notions may be to look at the most common attacks. (Of course, many attacks
are presented in the media as network hacking when they are actually done in more
traditional ways. A topical example is the leak of embarrassing emails that appeared to
come from the office of the U.K. prime minister, and were initially blamed on hackers.
As it turned out, the emails had been fished out of the trash at the home of his personal
pollster by a private detective called Benji the Binman, who achieved instant celebrity
status [520].)
18.1.1 The Most Common Attacks
Many actual attacks involve combinations of vulnerabilities. Examples of vulnerabilities
we’ve seen in earlier chapters include stack overflow attacks (where you pass an
367
Anderson-44022 Book February 20, 2001 12:40
368 Security Engineering: A Guide to Building Dependable Distributed Systems
over-long parameter to a program that carelessly executes part of it) and password
guessing, both of which were used by the Internet worm. A common strategy is to
get an account on any machine on a target network, then install a password sniffer to
get an account on the target machine, then use a stack overflow to upgrade to a root
account.
The exact vulnerabilities in use change from one year to the next, as bugs in old
software get fixed and new software releases a new crop of them. Still, there are some
patterns, and some old favorites that keep coming back in new guises. Here’s a list of
the top 10 vulnerabilities, as of June 2000 [670].
1. A stack overflow attack on the BIND program, used by many Unix and Linux
hosts for DNS, giving immediate account access.
2. Vulnerable CGI programs on Web servers, often supplied by the vendor as
sample programs and not removed. CGI program flaws are the common means of
taking over and defacing Web servers.
3. A stack overflow attack on the remote procedure call (RPC) mechanism, used by
many Unix and Linux hosts to support local networking, and which allows
intruders immediate account access (this was used by most of the distributed
denial of service attacks launched during 1999 and early 2000).
4. A bug in Microsoft’s Internet Information Server (IIS) Web server software,
which allowed immediate access to an administrator account on the
server.
5. A bug in sendmail, the most common mail program on Unix and Linux
computers. Many bugs have been found in sendmail over the years, going back
to the very first advisory issued by CERT in 1988. One of the recent flaws can be
used to instruct the victim machine to mail its password file to the attacker, who
can then try to crack it.
6. A stack overflow attack on Sun’s Solaris operating system, which allows
intruders immediate root access.
7. Attacks on NFS (which I’ll describe shortly) and their equivalents on Windows
NT and Macintosh operating systems. These mechanisms are used to share files
on a local network.
8. Guesses of usernames and passwords, especially where the root or
administrator password is weak, or where a system is shipped with default
passwords that people don’t bother to change.
9. The IMAP and POP protocols, which allow remote access to email but are often
misconfigured to allow intruder access.
10. Weak authentication in the SNMP protocol, used by network administrators to
manage all types of network-connected devices. SNMP uses a default password
of “public” (which a few “clever” vendors have changed to “private”).
Observe that none of these attacks is stopped by encryption, and not all of them by
firewalls. For example, vulnerableWeb servers can be kept away from back-end business
systems by putting them outside the firewall, but they will still be open to vandalism;
Anderson-44022 Book February 20, 2001 12:40
Chapter 18: Network Attack and Defense 369
and if the firewall runs on top of an operating system with a vulnerability, then the bad
guy may simply take it over.
Although some of these attacks may have been fixed by the time this book is published,
the underlying pattern is fairly constant. Most of the exploits make use of program bugs,
of which the majority are stack overflow vulnerabilities. The exploitation of protocol
vulnerabilities (such as NFS) vies with weak passwords for second place.
In effect, there is a race between the attackers, who try to find loopholes, and the
vendors, who develop patches for them. Capable motivated attackers may find exploits
for themselves and keep quiet about them, but most reported attacks involve exploits
that are not only well known but for which tools are available on the Net.
18.1.2 Skill Issues: Script Kiddies
and Packaged Defense
One of the main culture changes brought by the Net is that, until recently, sophisticated
attacks on communications (such as middleperson attacks) were essentially the
preserve of national governments. Today, we find not just password-snooping attacks
but also more subtle routing attacks being done by kids, for fun. The critical change
here is that people write the necessary exploit software, then post it on sites such as
www.rootshell.com, from which script kiddies can download it and use it. This term
refers primarily to young pranksters who use attack scripts prepared by others, but it
also refers to any unskilled people who download and launch tools they don’t fully understand.
As systems become ever more complicated, even sophisticated attackers are
heading this way; no individual can keep up with all the vulnerabilities that are discovered
in operating systems and network protocols. In effect, hacking is being progressively
deskilled, while defence is becoming unmanageably complex.
As discussed in Chapter 4, the Internet protocol suite was designed for a world in
which trusted hosts at universities and research labs cooperated to manage networking
in a cooperative way. That world has passed away. Instead of users being mostly honest
and competent, we have a huge user population that’s completely incompetent (many of
whom have high-speed always-on connections), a (small) minority that’s competent and
honest, a (smaller) minority that’s competent and malicious, and a (less small) minority
that’s malicious but uses available tools opportunistically.
Deskilling is also a critical factor in defense. There are a few organizations, such as
computer companies, major universities, and military intelligence agencies, that have
people who know how to track what’s going on and tune the defenses appropriately.
But most companies rely on a combination of standard products and services. The
products include firewalls, virus scanners, and intrusion detection systems; the services
are often delivered in the form of new configuration files for these products. In these
ways, vulnerabilities become concentrated. An attacker who can work out a defeat of a
widely sold system has a wide range of targets to aim at.
We’ll now look at a number of specific attack and defense mechanisms. Keep in mind
here that the most important attack is the stack overwriting attack, and the second most
important is password guessing; but because I already covered the first in Chapter 4 and
the second in Chapters 2–3, we’ll move down to number three: vulnerabilities in network
protocols.
Anderson-44022 Book February 20, 2001 12:40
370 Security Engineering: A Guide to Building Dependable Distributed Systems
18.2 Vulnerabilities in Network Protocols
Commodity operating systems such as Unix and NT are shipped with a very large
range of network services, many of which are enabled by default, and/or shipped with
configurations that make “plug and play” easy—for the attacker as well as the legitimate
user. We will look at both local area and Internet issues; a common theme is
that mapping methods (between addresses, filenames, etc.) provide many of the weak
points.
This book isn’t an appropriate place to explain network protocols, so I offer a telegraphic
summary, as follows: the Internet Protocol (IP) is a stateless protocol that transfers
packet data from one machine to another; it uses 32-bit IP addresses, often written
as four decimal numbers in the range 0–255, such as 172.16.8.93. Most Internet services
use a protocol called Transmission Control Protocol (TCP), which is layered on top
of IP, and provides virtual circuits by splitting up the data stream into IP packets and
reassembling it at the far end, asking for repeats of any lost packets. IP addresses are
translated into the familiar Internet host addresses using the Domain Name System
(DNS), a worldwide distributed service in which higher-level name servers point to
local name servers for particular domains. Local networks mostly use Ethernet, in which
devices have unique Ethernet addresses, which are mapped to IP addresses using the
Address Resolution Protocol (ARP).
There are many other components in the protocol suite for managing communications
and providing higher-level services. Most of them were developed in the days when the
Net had only trusted hosts, and security wasn’t a concern. So there is little authentication
built in; and attempts to remedy this defect with the introduction of the next generation
of IP (IPv6) are likely to take many years.
18.2.1 Attacks on Local Networks
Let’s suppose that the attacker is one of your employees; he has a machine attached to
your LAN, and he wants to take over an account in someone else’s name to commit a
fraud. Given physical access to the network, he can install packet sniffer software to
harvest passwords, get the root password, and create a suitable account. However, if
your staff use challenge-response password generators, or are careful enough to only
use a root password at the keyboard of the machine it applies to, then he has to be more
subtle.
One approach is to try to masquerade as a machine where the target user has already
logged on. ARP is one possible target; by running suitable code, the attacker can give
wrong answers to ARP messages and claim to be the victim. The victim machine might
notice if alert, but the attacker can always wait until it is down—or take it down by using
another attack. One possibility is to use subnet masks.
Originally, IP addresses used the first 3 bits to specify the split between the network
address and the host address. Now they are interpreted as addressing network, subnetwork,
and host, with a variable network mask. Diskless workstations, when booting,
broadcast a request for a subnet mask; many of them will apply any subnet mask they
receive at any time. So by sending a suitable subnet mask, a workstation can be made
to vanish.
Anderson-44022 Book February 20, 2001 12:40
Chapter 18: Network Attack and Defense 371
Another approach, if the company uses Unix systems, is to target Sun’s Network
File System (NFS), the de facto standard for Unix file sharing. This allows a number
of workstations to use a network disk drive as if it were a local disk; it has a number
of well-known vulnerabilities to attackers who’re on the same LAN. When a volume
is first mounted, the client requests from the server a root filehandle, which refers to
the root directory of the mounted filesystem. This doesn’t depend on the time, or the
server generation number, and it can’t be revoked. There is no mechanism for peruser
authentication; the server must trust a client completely or not at all. Also, NFS
servers often reply to requests from a different network interface to the one on which
the request arrived. So it’s possible to wait until an administrator is logged in at a file
server, then masquerade as her to overwrite the password file. For this reason, many
sites use alternative file systems, such as ANFS.
18.2.2 Attacks Using Internet
Protocols and Mechanisms
Moving up to the Internet protocol suite, the fundamental problem is similar: there is no
real authenticity or confidentiality protection in most mechanisms. This is particularly
manifest at the lower-level TCP/IP protocols.
Consider, for example, the three-way handshake used by Alice to initiate a TCP connection
to Bob and to set up sequence numbers, shown in Figure 18.1.
This protocol can be exploited in a surprising number of different ways. Now that
service denial is becoming really important, let’s start off with the simplest service denial
attack: the SYN flood.