Session 4 Case Study - PowerPoint PPT Presentation

Slides: 24
Provided by: wangy154

Transcript and Presenter's Notes


1
Session 4 Case Study & Discussion
  • NBAR
  • Remote Triggered Black Hole
  • Phishing
  • Routing Security
  • Discussion

2
NBAR
3
NBAR
    ! Classify HTTP requests by URL
    class-map match-any codered
     match protocol http url "default.ida"
     match protocol http url "cmd.exe"
     match protocol http url "root.exe"
    ! Mark the classified traffic with DSCP 1
    policy-map mark-codered
     class codered
      set ip dscp 1
    ! Apply the marking policy to inbound traffic
    int s 0
     service-policy input mark-codered
    ! Drop anything marked DSCP 1, permit everything else
    access-list 100 deny ip any any dscp 1
    access-list 100 permit ip any any
    int e 0
     ip access-group 100 out

4
Remote Triggered Black Hole
  • Lab

5
Phishing
  • ????????????,IP??AAA.AAA.AAA.AAA
    ????????,????????,????????????,???????????????,???
    ??

6
Phishing Website
7
Process
  • 1. ???????????????
  • 2. ????????,????????????

8
Server situation
  • Windows 2000 SP4
  • Latest patches
  • Norton Antivirus, latest virus definitions
  • Firewall, only port 80
  • Complex administrator password

9
Check Log
  • ????????????????Index.htm 2005-11-26 23:17:55
  • ????IIS????????????????????

10
Check Log
  • ??,??????????web???????????????????,???????????,??
    ??????????????????8???,??????????15?????????23??

11
Check Log
  • ??????IIS???????????????
  • 1. 2005-11-26 15:17:45 192.168.1.1 POST /admin.asp Action=UpFile&Action2=Post 80 - 220.201.17.3 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+Alexa+Toolbar) 200 0 0
  • 2. 2005-11-26 15:17:59 192.168.1.1 GET /images/index.htm - 80 - 220.201.17.3 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+Alexa+Toolbar) 200 0 0

12
Trojan
  • admin.asp ???ASP??????
  • ??
  • 1. ????
  • 2. ???????
  • 3. ???????
  • 4. ?????????
  • ????????????????

13
Trojan
  • ????admin.asp????????
  • 2005-11-26 22:01:59
  • ?????????IIS??,??????
  • 2005-11-26 14:01:59 192.168.1.1 POST /UploadFiles/20051126215655189.asp - 80 - 67.15.22.36 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98;+Alexa+Toolbar) 200 0 0

14
Trojan
  • 20051126215655189.asp???????admin.asp?????????asp?
    ?,???????????
  • ???????????
  • 2005-11-26 21:56:55
  • ????IIS??
  • 2005-11-26 13:56:55 192.168.1.1 POST /upfile_article.asp - 80 - 220.201.17.3 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) 200 0 0

15
Trojan
  • upfile_article.asp??????????????,?????????????????
    ??????????????asp????,????????????????????????????
    ?????????,?????????????
  • There is a security vulnerability in the file!

16
Measure
  • ????????????????,????????????asp????,?????????????
    ,?????????????????

17
Summary
  • ??????????????????????????????????????????????????
    ,???????????????
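
The correlation walked through on the Check Log and Trojan slides (take a suspicious file's creation time, then find the IIS request that wrote it, and repeat), as an added Python example that is not part of the original presentation. It assumes the file times are local UTC+8 while IIS logs in UTC, which the eight-hour gap between the quoted times suggests; the sample log is constructed from the entries above plus one unrelated line, with simplified user-agent fields, and the function names are hypothetical.

```python
from datetime import datetime, timedelta

# Constructed sample in IIS W3C layout, modelled on the entries quoted in the slides:
# date time s-ip method uri-stem uri-query port user c-ip user-agent status sub win32
SAMPLE_LOG = """\
2005-11-26 13:56:55 192.168.1.1 POST /upfile_article.asp - 80 - 220.201.17.3 Mozilla/4.0 200 0 0
2005-11-26 14:01:59 192.168.1.1 POST /UploadFiles/20051126215655189.asp - 80 - 67.15.22.36 Mozilla/4.0 200 0 0
2005-11-26 14:30:02 192.168.1.1 POST /login.asp - 80 - 10.0.0.7 Mozilla/4.0 200 0 0
2005-11-26 15:17:45 192.168.1.1 POST /admin.asp Action=UpFile&Action2=Post 80 - 220.201.17.3 Mozilla/4.0 200 0 0
2005-11-26 15:17:59 192.168.1.1 GET /images/index.htm - 80 - 220.201.17.3 Mozilla/4.0 200 0 0
"""
# Local creation times of the suspicious files (values from the slides), keys lower-cased.
FILE_TIMES = {
    "/images/index.htm": datetime(2005, 11, 26, 23, 17, 55),
    "/admin.asp": datetime(2005, 11, 26, 22, 1, 59),
    "/uploadfiles/20051126215655189.asp": datetime(2005, 11, 26, 21, 56, 55),
}
UTC_OFFSET = timedelta(hours=8)  # assumption: server local time is UTC+8, IIS logs in UTC

def parse(log):
    rows = []
    for line in log.splitlines():
        f = line.split()
        if len(f) == 13 and not line.startswith("#"):  # skip W3C directive lines
            rows.append({"ts": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
                         "method": f[3], "uri": f[4].lower(), "client": f[8], "status": f[10]})
    return rows

def writers(rows, created_local, window=timedelta(seconds=60)):
    """Successful POSTs logged in the window up to a file's creation time."""
    t = created_local - UTC_OFFSET
    return [r for r in rows if r["method"] == "POST" and r["status"] == "200"
            and t - window <= r["ts"] <= t]

def trace(rows, start, file_times):
    """Walk back: file -> script that wrote it -> request that delivered that script."""
    chain, path, seen = [], start.lower(), set()
    while path in file_times and path not in seen:
        seen.add(path)
        hits = writers(rows, file_times[path])
        if not hits:
            break
        chain.append((path, hits[-1]["uri"], hits[-1]["client"]))
        path = hits[-1]["uri"]
    return chain

if __name__ == "__main__":
    for written, script, client in trace(parse(SAMPLE_LOG), "/images/index.htm", FILE_TIMES):
        print(f"{written} <- POST {script} from {client}")
```

The walk stops at the first script with no recorded creation time, here `/upfile_article.asp`, which is the point where the investigation moves from log correlation to reviewing that script's upload handling.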

18
Routing Security
  • Prefix-list filter

19
(No Transcript)
20
    neighbor 203.222.38.4 remote-as 1239
    neighbor 203.222.38.4 description to-sprint-HK-2x622M
    neighbor 203.222.38.4 ebgp-multihop 2
    neighbor 203.222.38.4 update-source Loopback0
    neighbor 203.222.38.4 version 4
    neighbor 203.222.38.4 send-community
    neighbor 203.222.38.4 soft-reconfiguration inbound
    neighbor 203.222.38.4 distribute-list 26 in
    neighbor 203.222.38.4 prefix-list CERNET2 out
    neighbor 203.222.38.4 route-map sprint-622m-in in
    neighbor 203.222.38.4 route-map sprint-622m-out out

    route-map sprint-622m-in permit 10
     set local-preference 280
     set community 4538:1239 4538:4789 additive

    route-map sprint-622m-out permit 10
     set as-path prepend 4538 4538 4538
     set community 65000:4635
21
    hk-r0p-bgw#sh ip bgp nei 203.222.38.4 received-routes | in 192.0.2.0
    >i 192.0.2.0/24 203.222.38.4 2113 0 1239 i

    ip prefix-list defaul seq 5 deny 192.0.2.0/24
    ip prefix-list defaul seq 10 permit 0.0.0.0/0 le 32

    neighbor 203.222.38.4 remote-as 1239
    neighbor 203.222.38.4 description to-sprint-HK-2x622M
    neighbor 203.222.38.4 ebgp-multihop 2
    neighbor 203.222.38.4 update-source Loopback0
    neighbor 203.222.38.4 version 4
    neighbor 203.222.38.4 send-community
    neighbor 203.222.38.4 soft-reconfiguration inbound
    neighbor 203.222.38.4 prefix-list CERNET2 out
    neighbor 203.222.38.4 prefix-list defaul in
    neighbor 203.222.38.4 route-map sprint-622m-in in
    neighbor 203.222.38.4 route-map sprint-622m-out out
22
Discussion
23
  • End
  • Thanks