Overview of interception tactics

In the previous course items, you learned how packet sniffing and IP spoofing are used in network attacks. Because these attacks intercept data packets as they travel across the network, they are called interception attacks.

This reading will introduce you to some specific attacks that use packet sniffing and IP spoofing. You will learn how hackers use these tactics and how security analysts can counter the threat of interception attacks.

A closer review of packet sniffing 

As you learned in a previous video, packet sniffing is the practice of capturing and inspecting data packets across a network. On a private network, data packets are directed to the matching destination device on the network. 

The device’s Network Interface Card (NIC) is a piece of hardware that connects the device to a network. The NIC reads the data transmission, and if it contains the device’s MAC address, it accepts the packet and sends it to the device to process the information based on the protocol. This occurs in all standard network operations. However, a NIC can be set to promiscuous mode, which means that it accepts all traffic on the network, even the packets that aren’t addressed to the NIC’s device. You’ll learn more about NICs later in the program. Malicious actors might use software like Wireshark to capture the data on a private network and store it for later use. They can then use the personal information to their own advantage. Alternatively, they might use the IP and MAC addresses of authorized users of the private network to perform IP spoofing.
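
One way an analyst can check a Linux host for a NIC left in promiscuous mode is to test the IFF_PROMISC bit (0x100) in the interface flags exposed under /sys/class/net. This is an added example, not part of the course reading; the interface names and flag values in SAMPLE_FLAGS are constructed.

```python
"""Added example: flag NICs in promiscuous mode from Linux interface flags."""
from pathlib import Path

IFF_PROMISC = 0x100  # interface accepts frames that are not addressed to it


def is_promiscuous(flags_text):
    """Return True if a sysfs-style flags string (e.g. '0x1103') has IFF_PROMISC set."""
    return bool(int(flags_text.strip(), 16) & IFF_PROMISC)


def promiscuous_interfaces(flags_by_iface):
    """Given {interface: flags string}, return the sorted names in promiscuous mode."""
    return sorted(name for name, text in flags_by_iface.items() if is_promiscuous(text))


def read_sysfs_flags(root="/sys/class/net"):
    """Read the live flags of every interface on a Linux host (empty dict elsewhere)."""
    base = Path(root)
    if not base.is_dir():
        return {}
    flags = {}
    for entry in base.iterdir():
        try:
            flags[entry.name] = (entry / "flags").read_text()
        except OSError:
            continue  # interface vanished or is unreadable
    return flags


# Constructed sample values, not taken from a real host.
SAMPLE_FLAGS = {"lo": "0x9", "eth0": "0x1003", "eth1": "0x1103"}

if __name__ == "__main__":
    print("sample:", promiscuous_interfaces(SAMPLE_FLAGS))
    print("this host:", promiscuous_interfaces(read_sysfs_flags()))
```

A hit is a prompt to find out which process opened the capture, since legitimate monitoring tools set the same bit.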

A closer review of IP spoofing 

After a malicious actor has sniffed packets on the network, they can impersonate the IP and MAC addresses of authorized devices to perform an IP spoofing attack. A firewall can prevent IP spoofing attacks when it is configured to refuse unauthorized IP packets and suspicious traffic. Next, you’ll examine a few common IP spoofing attacks that are important to be familiar with as a security analyst.
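
The source-address checks a firewall uses to refuse spoofed packets can be sketched as follows. This is an added example, not part of the course reading; the interface names "wan" and "lan", the inside network 192.168.10.0/24 and the sample packets are assumptions made for illustration.

```python
"""Added example: anti-spoofing source checks a firewall applies per interface."""
from ipaddress import ip_address, ip_network

# Assumptions for illustration: one inside network behind interface "lan",
# everything else arrives on interface "wan".
INSIDE_NET = ip_network("192.168.10.0/24")
# Sources that can never legitimately arrive from the outside.
NEVER_FROM_OUTSIDE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def check_source(iface, src):
    """Return (verdict, reason) for a packet with source `src` seen on `iface`."""
    addr = ip_address(src)
    if iface == "wan":
        if addr in INSIDE_NET:
            return "drop", "inside address arriving from outside"
        for net in NEVER_FROM_OUTSIDE:
            if addr in net:
                return "drop", f"non-routable source {net}"
        return "accept", "plausible outside source"
    if iface == "lan":
        if addr in INSIDE_NET:
            return "accept", "source belongs to inside network"
        return "drop", "inside host sending with a foreign source"
    return "drop", "unknown interface"


# Constructed sample traffic: (interface, source address).
SAMPLE = [("wan", "203.0.113.7"), ("wan", "192.168.10.5"),
          ("wan", "10.1.2.3"), ("lan", "192.168.10.5"), ("lan", "203.0.113.7")]


def dropped(packets):
    """Return the packets the checks above would refuse."""
    return [p for p in packets if check_source(*p)[0] == "drop"]


if __name__ == "__main__":
    for iface, src in SAMPLE:
        print(iface, src, *check_source(iface, src))
```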

On-path attack

An on-path attack happens when a hacker intercepts the communication between two devices or servers that have a trusted relationship. The transmission between these two trusted network devices could contain valuable information like usernames and passwords that the malicious actor can collect. An on-path attack is sometimes referred to as a meddler-in-the-middle attack because the hacker is hiding in the middle of communications between two trusted parties.

Or, it could be that the intercepted transmission contains a DNS lookup. You’ll recall from an earlier video that a DNS server translates website domain names into IP addresses. If a malicious actor intercepts a transmission containing a DNS lookup, they could spoof the DNS response from the server and redirect a domain name to a different IP address, perhaps one that contains malicious code or other threats. The most important way to protect against an on-path attack is to encrypt your data in transit, e.g. using TLS.

Smurf attack

A smurf attack is a network attack that is performed when an attacker sniffs an authorized user’s IP address and floods it with packets. Once the spoofed packet reaches the broadcast address, it is sent to all of the devices and servers on the network. 

In a smurf attack, IP spoofing is combined with another denial of service (DoS) technique to flood the network with unwanted traffic. For example, the spoofed packet could include an Internet Control Message Protocol (ICMP) ping. As you learned earlier, ICMP is used to troubleshoot a network. But if too many ICMP messages are transmitted, the ICMP echo responses overwhelm the servers on the network and they shut down. This creates a denial of service and can bring an organization’s operations to a halt.

An important way to protect against a smurf attack is to use an advanced firewall that can monitor any unusual traffic on the network. Most next-generation firewalls (NGFW) include features that detect network anomalies to ensure that oversized broadcasts are detected before they have a chance to bring down the network.
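
The kind of anomaly check described above can be sketched as detection logic over packet summaries: count ICMP echo requests sent to the subnet's broadcast address per claimed source, then measure the echo replies that converge on that address. This is an added example, not part of the course reading; the subnet, addresses, threshold and packet records are constructed.

```python
"""Added example: spot smurf-style traffic in packet summaries."""
from collections import Counter
from ipaddress import ip_address, ip_network

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def smurf_indicators(packets, network, threshold=3):
    """Return {claimed_source: count} for echo requests sent to the broadcast address.

    packets   -- iterable of (src, dst, icmp_type) tuples
    network   -- CIDR string of the monitored subnet
    threshold -- minimum requests from one claimed source before it is reported
    """
    broadcast = ip_network(network).broadcast_address
    hits = Counter()
    for src, dst, icmp_type in packets:
        if icmp_type == ICMP_ECHO_REQUEST and ip_address(dst) == broadcast:
            hits[src] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


def amplification(packets, victim):
    """Count echo replies addressed to `victim`: the flood the victim receives."""
    return sum(1 for _, dst, t in packets if t == ICMP_ECHO_REPLY and dst == victim)


# Constructed sample: one ordinary ping, then three broadcast pings whose
# source field claims to be VICTIM, each answered by every responder.
VICTIM = "192.168.10.25"
RESPONDERS = ["192.168.10.11", "192.168.10.12", "192.168.10.13"]
SAMPLE = [("192.168.10.11", "192.168.10.12", ICMP_ECHO_REQUEST),
          ("192.168.10.12", "192.168.10.11", ICMP_ECHO_REPLY)]
for _ in range(3):
    SAMPLE.append((VICTIM, "192.168.10.255", ICMP_ECHO_REQUEST))
    SAMPLE += [(host, VICTIM, ICMP_ECHO_REPLY) for host in RESPONDERS]

if __name__ == "__main__":
    print(smurf_indicators(SAMPLE, "192.168.10.0/24"))
    print(amplification(SAMPLE, VICTIM), "echo replies sent to", VICTIM)
```

The address reported by smurf_indicators is the one written in the packets' source field, so it identifies the host being flooded rather than the sender.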

DoS attack

As you’ve learned, once the malicious actor has sniffed the network traffic, they can impersonate an authorized user. A Denial of Service attack is a class of attacks where the attacker prevents the compromised system from performing legitimate activity or responding to legitimate traffic. Unlike IP spoofing, however, the attacker will not receive a response from the targeted host. Everything about the data packet is authorized including the IP address in the header of the packet. In IP spoofing attacks, the malicious actor uses IP packets containing fake IP addresses. The attackers keep sending IP packets containing fake IP addresses until the network server crashes.

Pro Tip: Remember the principle of defense-in-depth. There isn’t one perfect strategy for stopping each kind of attack. You can layer your defense by using multiple strategies. In this case, using industry standard encryption will strengthen your security and help you defend from DoS attacks on more than one level. 

Key takeaways

This reading covered several types of common IP spoofing attacks. You learned about how packet sniffing is performed and how gathering information from intercepting data transmissions can give malicious actors opportunities for IP spoofing. Whether it is an on-path attack, IP spoofing attack, or a smurf attack, analysts need to ensure that mitigation strategies are in place to limit the threat and prevent security breaches.