?????????? ?CERNET??? - PowerPoint PPT Presentation

1 / 63

About This Presentation

Title:

?????????? ?CERNET???

Description:

Title: CERNET Author: DUAN Last modified by: Ren xiaoxia Created Date: 10/28/2000 6:40:06 AM Document presentation format – PowerPoint PPT presentation

Number of Views:74

Avg rating:3.0/5.0

Slides: 64

Provided by: DUA62

Category:

more less

Transcript and Presenter's Notes

Title: ?????????? ?CERNET???

1
???????????CERNET???
2
????

?????????????
CERNET ????????(CCERT)??????
???????????
CERNET ??????????
????

3
Internet ????????

Internet??????,?????????
?????,??????,???????
???(???)?????? ??????
Security issues are not discussed in this memo
???????????????
??????,?????
???????
Internet ???????????????
??????????????

4
????????www.securityfocus.com
5
??????????
6
????

???????
Redhat Linux 6.2 , ???telnet, www??
www.helpwork.net ????????????
7??358???
??????dump??root ???

San Diego ??????
Redhat Linux 5.2 , no patch
8??sun rpc probe
21?
20 ?pop, imap, rpc, mountd??Redhat6.X?????
40?
??pop ?????????
???????
???rootkit? sniffer

7
??????????

?????????CERT/CC
1988?Morris ?????????CERT/CC???
CERT/CC?????
??????
???????????????
???????
?????????????????????
?????CSIRT???CSIRT?????????????????
????CSIRT(??IRT?CERT)????

8
CERT/CC??

??????30??,12?????288,600 ?Email,
18,300?????,????????80??CSIRT?????

9
CERT/CC??
DoD
CMU
SEI
Networked Systems Survivability program
Survivable Network Management
CERT/CC
Survivable Network Technology
Incident Handling
Vulnerability Handling
CSIRT Development
10
??????????

?????????(CSIRT)????
DOE CIAC?FedCIRC?DFN-CERT?
FedCIRC?AFCERT, NavyCIRT
????AusCERT?SingCERT?
FIRST(1990)
FIRST?IRT??????????????????,??????????????????????
,??????????????
80????????,??18??????
?FIRST???????IRT??????????
?????????

11
??????????????

?????????????????
???????????????,??????????????
????????????????
CCERT(1999?5?),?????????????
NJCERT(1999?10?)
????ChinaNet????
???,???
????????
??????????/????CNCERT/CC
??????????? ,2000?3?,??

12
??????????
????????
?CERT/CC, FIRST
???????
???????
?CNCERT/CC
?? IRT
?? /?? IRT
??IRT
??????? IRT
?CCERT
???????
?cisco, IBM
?????? ???
???????
????? ????
????
??????
13
???????????????

CSIRT?????
????
????
??
????
????
?????
?????

14
???????????

?????????
????????????????
????????
?IRT???????,????????????
????
??????????

15
????

?????????????
CCERT??????
???????????
CERNET ??????????
????

16
CERNET?????????

????????????
10M/ 100M/ 1000M?????
??????????????
BBS??????

17
CERNET? Internet2?IPv6 ???
CERNET?????????
18
CERNET?????????

?????????, ???????
IPv6????Internet2 ?????
?????????
???????????????????????
??????????,??????
?CERNET????????
?????????????????????
??IP??????????
gt100M ??????????????
???????NSP/ISP
???????????????

19
CERNET ??????????(CCERT)

http//www.ccert.edu.cn

20
CERNET??(?)????????????(NJCERT)

http//www.njnet.cn/njcert/index.html

21
CCERT ????
Internet ??
???
???
NIC
CCERT
NOC
IPv6
??????
??

???
??????
?????
22
CERNET ??????????(CCERT)

??????CERNET ??,???????????????
?????????????
???????????????????????DoS????
????????????
?????????????
?????????????
???????????
?????????,??
?????????????????PKI

23
CCERT?????

???????????
?????????
??
??
DOS ??
?2000?9?,??? 2000 ????,????
1800?????????????
110 ???? DOS ????
50 ?????

24
???????????

??????
90????????????
?????
?????
?????????,????????
??
???? ---gt????
????????????????????spamcop
???????????
????
relay-test scan
???????????
???????????????

25
????????????
26
???????????

??,?????
??????,? proxy hunter( 80, 8080,1080)
????,?SATAN ???
ftp, telnet ,ssh, pop2, pop3, sunrpc, netbios,
imap, klogind, socks,
??
?????????????,??????
Solaris rpc.statd, rpc.ttdbserver,
Linux imapd, wu_ftp
freeBSD pop3d
Win2k Terminal Server,
????????????,???????

27
???????

????
Root compromise pop3d
?? syslogd , ??/etc/inetd.conf, ?? telnet, ftp,
????????
/bin/login ?/bin/ps ?/usr/bin/du ?/bin/ls
?/bin/netstat
?????? sniffer /usr/.sniffit
???? syslogd ,??pop3d
?????? wtmp?wtp?message?syslog

28
??????
29
??????

DoS ??
land , teardrop,
SYN flood
ICMP smurf
Router remote reset , UDP port 7,
Windows Port 135, 137,139(OOB), terminal server
Solaris
Linux
??...

30
SYN Flood
target
attacker
Send SYN (seq100 ctlSYN)
SYN received
Send SYN (seq300 ack101 ctlsyn,ack)
SYN received
Established (seq101 ack301 ctlack)
Established (seq301 ack301 ctlack Data)
???TCP ?????? -- ????
31
ICMP Smurf
attacker
target
32
???????(DDOS)

???????????????
?????
Trin00,
TFN/TFN2K,
Stacheldraht
????
?????,????,??????

client
target
33
(No Transcript)
34
DDOS???????

??????
??????????
???????????????????,???DDoS ??Linux imapd,
Solaris rpc ?rstatd, Windows
?????,????
????????TCP/UDP/ICMP?,?????????????,??????????????
??????
DDOS??
???????????????,?????DDOS??
???/?????????????IP ?
????find_ddosv31?ddos_scan?rid

35
????????????
36
????

?????????????, ???????????
?????????????,????,??????????
99??????????????????

37
???????
38
????

?????????????,DNS/Mail/Web/ FTP
?????????????,uid stud?? / Pwd123456
????????,?????????????
????,???????????

39
???????

??????????????
????????????
?????????
??? whois ???,??????????
?????????,????????????????????

40
????

?????????????
CCERT ????????
???????????
CERNET????????????
????

41
NT ???????

??
????????????,????????????
???????NTFS??,???????
??9?????????????
?????
??
?????????Service Pack
????????? hotfixes
?????SP ? hotfix

42
NT ???????

????
???????,???????
??????????????????????????
????
??????????
?????/???,????????TCP port 135, 137, 139 and UDP
port 138.

43
NT ???????

?????????
???????????????????
??????n???
??????,guest, Administrator

???????
?????????
??????????,??Server ?computer browser ??
?????????????????
???????

44
NT ???????

?????
???????????
???????shutdown ??
?????????
????????????
????
?????????,??????
??logon /log off, restart , shutdown
???????????????????
??????

45
Unix?? ?????

?????????
?????
?????????lp, shutdown?
shadow passwd
?crack /john???????????
(???????)
??????? /etc/inetd.conf, /etc/rc.d/
TFTP ?? get /etc/passwd
??ftp???
??rsh/rlogin/rexec ??
?????? rpc ??
??sshd, ??telnet ?
NFS export

46
Unix?? ?????

????
??,??( umask)
???????
?????
tripware
COPS
tcpwrapper
satan

47
??????????

??????
??enable secret , ???enable password
TACACS/TACACS, RADIUS, Kerberos ??
???????
??????????????
????telnet, rlogin, ssh, LAT, MOP, X.29, Modem
????????vty, tty login , no password
??????????,?transport input ssh
?????????ip access-class
????exec-timeout
????banner login

48
??????????

????
SNMPv1?????community name
community name, snmp-server community
SNMPv2 ??Keyed-MD5?????
snmp-server party Digest Authentication
HTTP ???????????????
ip http access-class , ip http authentication ,
TACACS/RADIUS
????
??????ssh ??, SNMPv2?????
?????(OTP) SecureID/Token, S/Key
IPSec ???????? telnet , SNMP,HTTP

49
??????????

?????????
small TCP
no service tcp-small-servers echo / chargen /
discard
finger, ntp
??????(cdp)
??
SNMP ??????,???????? Trap
??????system logging console, Unix syslogd,
???????????
??????
???IOS ???????????BUG

50
???????????

??????
?????/????/?????
??????
??IP???????(Anti-spoofing/DDOS)
????? ip verify unicast reverse-path
??RFC1918 ???????IP?
????? no ip source-route
??????????
Flood ????QoS?????Flood
interface xyz
rate-limit output access-group 2020 3000000
512000 786000 conform-action
transmit exceed-action drop
access-list 2020 permit icmp any any echo-reply

51
???????DoS???
eth0
Stub AD
Transit AD
Transit AD
eth0
eth1
202.112.0.0/16
52
????????

???????????
w, who, finger ,last ??
ps , crash
???????
last, lastcomm, netstat, lsof,
/var/log/syslog,/var/adm/messages, /.history
?????????? find
??sniffer ??
ifconfig, cpm
????? tripware,cops, cpm, tcpdump,

53
????????????

???????
??????
??????????
????
?????????????
find / \( -perm -004000 -o -perm -002000 \)
-type f -print
????????,?web pages,
?????????????
sniffer, Trojan Horses, backdoor
?????? messages, xferlog,utmp,wtmp, /.history

54
????????????

??sniffer cpm, ifstatus
http//www.cert.org/advisories/CA-94.01.ongoing.ne
twork.monitoring.attacks.html
?????????????
????IRT??
??, ???????
??????
??
???????????
??????????
???????

55
????????????

??IRT?????
????????
????????
????????
??UNIX / NT????????????????
http//www.cert.org/tech_tips/unix_configuration_g
uidelines.html
http//www.auscert.org.au/Information/Auscert_info
/Papers/win_configuration_guidelines.html
???????
??????
??????
?????

56
????????????

?????INTERNET
????????
???????????
????
??????

57
????

?????????????
CCERT ????????
???????????
CCERT???????
????

58
CERNET ?? ????
CERNET ??
????
????
CERNET-CERT ????
????
????
????
????
?????
????
????
?????
???? ????
??? ??????
???? ????
?????
??????
?????
????
59
CERNET ??????????
60
????

NT????????
http//ciac.llnl.gov/cgi-bin/index/documents.htm,
CIAC-2317
http//www.auscert.org.au/Information/Auscert_info
/Papers/win_configuration_guidelines.html
http//www.windows.com/windows2000/en/datacenter/h
elp/sag_SEchecklist.htm
Unix ????????
http//ciac.llnl.gov/cgi-bin/index/documents.htm,
CIAC-2305
http//www.cert.org/tech_tips/unix_configuration_g
uidelines.html
http//www.cert.org/tech_tips/root_compromise.html
RFC 2196 Site Security Handbook
CISCO ???????
http//ciac.llnl.gov/cgi-bin/index/documents.htm,
CIAC-2319
http//www.cisco.com/warp/public/707/newsflash.htm
l
??????????(CSIRT)??
http//www.sei.cmu.edu/pub/documents/98.reports/pd
f/98hb001.pdf
RFC 2350 Expectations for Computer Security
Incident Response.
http//www.singcert.org.sg/papers/Forming_an_Incid
ent_Response_Team.html
????
http//www.auscert.org.au/Information/Tools/other_
tools.html
http//www.singcert.org.sg/resource.shtml