IP spoofing is a fairly involved technique that cannot be mastered simply by copying a recipe, but since it is a standard attack method it is worth understanding its principles, if only so that you can defend your own systems more easily.
Suppose a client on host B runs rlogin to talk to rlogind on host A. The three-way handshake proceeds as follows:
1. B sends A a segment with the SYN flag set to request a TCP connection, and sets the Sequence Number field in the TCP header to the initial sequence number (ISN) of this connection.
2. A returns B a segment with the SYN and ACK flags set, announcing its own ISN and acknowledging B's first segment by setting the Acknowledgment Number to B's ISN + 1.
3. B acknowledges the segment received from A by setting the Acknowledgment Number to A's ISN + 1.
B ---- SYN ----> A
B <---- SYN ACK ---- A
B ---- ACK ----> A
The Sequence Number used by TCP is a 32-bit counter running from 0 to 4294967295. TCP selects an initial number, the ISN, for each connection; so that delayed or retransmitted segments from an earlier connection are not mistaken for part of a new three-way handshake, the ISN cannot be chosen arbitrarily, and different systems use different algorithms. Understanding how TCP allocates the ISN and how the ISN changes over time is important for a successful IP spoofing attack.
The commands based on remote procedure calls (RPC), such as rlogin, rcp and rsh, decide whether to allow or reject a user's request on the basis of the source IP address.
Description of the IP spoofing attack:
1. Suppose Z attempts to attack A, and A trusts B; the so-called trust refers to the settings in /etc/hosts.equiv and $HOME/.rhosts. Note: how can Z know that A trusts B? There is no exact way. My suggestion is to pay attention to collecting every clue, however thin; they add up. A successful attack is in fact usually not a matter of great technical skill but of how widely information was collected. A technique one is proud of is often no match for a clever question asked over drinks.
2. Assume Z already knows which host the trusted B is. Z must then find a way to temporarily disable B's network function so that B does not interfere with the attack. The famous SYN flood is often the prelude to an IP spoofing attack. Consider the framework of a concurrent server:
    int initsockid, newsockid;

    /* error() is the sketch's own fatal-error helper */
    if ((initsockid = socket(...)) < 0) {
        error("can't create socket");
    }
    if (bind(initsockid, ...) < 0) {
        error("bind error");
    }
    if (listen(initsockid, 5) < 0) {
        error("listen error");
    }
    for (;;) {
        newsockid = accept(initsockid, ...);   /* blocks until a completed connection is queued */
        if (newsockid < 0) {
            error("accept error");
        }
        if (fork() == 0) {                     /* child process */
            close(initsockid);
            do_it(newsockid);                  /* handle the client request */
            exit(0);
        }
        close(newsockid);                      /* parent: the child owns this connection */
    }
The second argument to listen() is 5, the maximum number of pending connection requests allowed on initsockid. If at some moment the number of pending connection requests on initsockid has reached 5, further connection requests to initsockid are discarded by TCP. Note that once a connection has completed the three-way handshake and accept() has taken it, it leaves the TCP connection request queue; so the 5 does not mean that initsockid can accept only 5 connection requests in total. A SYN flood is a denial of service that disables B's network function: Z sends B many segments with the SYN flag, requesting connections to B, with the source IP address replaced by that of some host X. B sends SYN ACK segments to X in vain, but no ACK from X ever arrives. B's IP layer may report to B's TCP layer that X is unreachable, but B's TCP layer ignores this and treats it as temporary. So B can no longer receive normal connection requests on initsockid.
Z(X) ---- SYN ----> B
Z(X) ---- SYN ----> B
Z(X) ---- SYN ----> B
Z(X) ---- SYN ----> B
Z(X) ---- SYN ----> B
......
X <---- SYN ACK ---- B
X <---- SYN ACK ---- B
X <---- SYN ACK ---- B
X <---- SYN ACK ---- B
X <---- SYN ACK ---- B
......
I think this is what temporarily disables B's network function, but I always feel that something is not right.
B cannot receive TCP connection requests on initsockid, but it can still receive them on another socket, so this should affect only the specific service (port), not the host as a whole. Of course, if connection requests are sent continuously, the flood of packets keeps B's TCP/IP busy with the processing load. As for SYN flood itself, I will take the opportunity to write separately about DoS. There are many ways to temporarily disable B's network function, depending on the specific situation, and I will not repeat them here.
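As an added example (not code from the original article), the following Python detector replays a constructed segment log, tracks each three-way handshake and counts the half-open connections per listening port against the backlog size of 5 used in the listen() call above; the log format and the host addresses are assumptions.

```python
# Added example, not from the original article: replay a segment log and count
# half-open connections per listening port, the condition the backlog discussion
# above describes. Log format (src dst sport dport flags) is an assumption.
from collections import defaultdict

def track_handshakes(lines):
    """Replay segments; map (client, cport, server, port) -> 'syn' | 'synack' | 'open'."""
    state = {}
    for line in lines:
        if not line.strip():
            continue
        src, dst, sport, dport, flags = line.split()
        sport, dport = int(sport), int(dport)
        if flags == "SYN":
            state[(src, sport, dst, dport)] = "syn"
        elif flags == "SYN-ACK":            # server -> client, so swap the roles
            key = (dst, dport, src, sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif flags == "ACK":
            key = (src, sport, dst, dport)
            if state.get(key) == "synack":
                state[key] = "open"
        elif flags == "RST":                # a live peer rejecting an unexpected SYN-ACK
            state.pop((src, sport, dst, dport), None)
    return state

def half_open_by_port(state):
    """Count entries per (server, port) that never completed the handshake."""
    counts = defaultdict(int)
    for (_client, _cport, server, port), s in state.items():
        if s != "open":
            counts[(server, port)] += 1
    return dict(counts)

def flooded_ports(state, backlog=5):
    """Ports whose half-open count has reached the listen() backlog size."""
    return {k: n for k, n in half_open_by_port(state).items() if n >= backlog}

# Constructed sample: one real rlogin session, one SMTP session, and five SYNs
# toward port 513 whose SYN-ACKs are never answered (source 192.0.2.9 never replies).
SAMPLE_LOG = """
10.0.0.7 10.0.0.2 1023 513 SYN
10.0.0.2 10.0.0.7 513 1023 SYN-ACK
10.0.0.7 10.0.0.2 1023 513 ACK
10.0.0.8 10.0.0.2 1022 25 SYN
10.0.0.2 10.0.0.8 25 1022 SYN-ACK
10.0.0.8 10.0.0.2 1022 25 ACK
""" + "".join(
    f"192.0.2.9 10.0.0.2 {p} 513 SYN\n10.0.0.2 192.0.2.9 513 {p} SYN-ACK\n" for p in range(2001, 2006))
```

A peer whose address was not forged answers the unexpected SYN ACK with RST, which is why the RST branch clears the entry; the half-open entries that remain are the ones occupying the backlog.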
3. Z must determine A's current ISN. First Z connects to port 25 of A (SMTP has no security check), much as in step 1, but this time records A's ISN and the rough RTT (round trip time) from Z to A. This step is repeated several times to obtain an average RTT. Now Z knows the base value of the ISN and the rule by which it increases (for example, 128,000 per second and 64,000 per connection), and also knows that a segment from Z takes RTT/2 to reach A. Z must start the attack immediately; otherwise another host may open a connection to A, and the ISN will be 64,000 higher than expected.
4. Z sends A a segment with the SYN flag set, except that the source IP address is changed to B's; note that it is aimed at TCP port 513 (rlogin). A returns the SYN ACK segment to B, and B does not respond, since B's TCP layer simply discards the segment returned by A.
5. Z pauses briefly to give A enough time to send the SYN ACK, because Z cannot see this packet. Then Z sends an ACK to A; the Acknowledgment Number in this segment is Z's prediction of A's ISN + 1. If the prediction is accurate, the connection is established and data transfer begins. The problem is that even once the connection is established, A still sends its data to B, not to Z, and Z still cannot see the segments sent to B. Z must blindly impersonate B according to the rlogin protocol standard and send a command such as "cat >> ~/.rhosts"; then the attack is complete. If the prediction is not accurate, A sends a segment with the RST flag to terminate the connection, and Z can only start over.
Z(B) ---- SYN ----> A
B <---- SYN ACK ---- A
Z(B) ---- ACK ----> A
Z(B) ---- PSH ----> A
......
6. The IP spoofing attack exploits the fact that the RPC server relies only on the source IP address for its security check; reading the source code of rlogind is recommended. The hardest part is predicting A's ISN. I think the difficulty of the attack is great, yet the possibility of success is also very large; to those who do not understand it well this may seem a bit contradictory. Consider this situation: the intruder controls a router between A and B. If Z is that router, then the segments A sends to B are visible to Z, and the difficulty of the attack obviously drops sharply. Otherwise, Z must accurately foresee what A may send and how B would respond, which requires the attacker to be thoroughly familiar with the protocol itself. At the same time, understand that this attack cannot be carried out interactively; a program must be written. Of course, protocol analysis can be used in the preparation phase.
7. If Z is not a router, could it combine ICMP redirection, ARP spoofing and other techniques? I have not analysed this carefully; it is just a casual guess. It is closely tied to the specific network topology among A, B and Z, and in some cases the difficulty of the attack clearly drops a great deal. Note that an IP spoofing attack can in theory be launched from a WAN and is not limited to the local area network, which is also part of this attack's appeal. The IP spoofing attack is used to get a shell on A; for many advanced intruders, getting a shell on the target host puts them not far from root permissions, and the easiest next step to think of is of course a buffer overflow attack.
8. Someone may ask: why can't Z simply set its own IP address to B's? This question is hard to answer in the abstract: the network topology must be analysed, and there are also ARP conflicts and gateway issues. Is there then an ARP conflict problem during the IP spoofing attack? Recall my earlier discussion of the ARP spoofing attack: if the ARP cache is not affected, there is no ARP conflict. When Z sends a segment to A, resolving A's MAC address or the router's MAC address inevitably sends an ARP request, but the source IP and source MAC in that ARP request are Z's own, so naturally no ARP conflict arises. The ARP cache is changed only by ARP packets, not by IP packets, so one can be sure there is no ARP conflict during the IP spoofing attack. Conversely, if Z modified its own IP address, an ARP conflict could appear, depending on the specific situation. There is an attack within the attack, whose purpose is only to prevent B from interfering; if B itself is down, so much the better.
9. fakeip has been much talked about. I scanned it and found that it connects to TCP port 113. This has no direct relation to IP spoofing; it relates to the identification security check. Of course, this program is not what it is made out to be; it does nothing at the IP layer.
10. Regarding predicting the ISN, I thought of another problem: how to cut off the TCP connection between A and B as a third party, which is actually the problem of predicting the Sequence Number. I tried it, and it is also very difficult. If Z is a router between A and B, nothing needs to be said; or if Z can use monitoring technology to watch the communication between A and B, that is also easy; otherwise it is too difficult. The author refers in step 3 to connecting to port 25 of A, but I do not understand what relationship the ISN of port 25 has with port 513. It seems one needs to look at the source code of the TCP/IP implementation.
Prevention
Although the IP spoofing attack is quite difficult, we should be aware that the impact of this kind of attack is very broad, and intrusions often start here. Preventing this attack is comparatively easy: for example, delete all /etc/hosts.equiv and ~/.rhosts files, modify /etc/inetd.conf so that the RPC mechanism cannot be used, and kill portmapper, and so on. Configure the router to filter packets arriving from outside whose source address is an internal IP address; Cisco products have this feature. However, the router only defends against external intrusion; what about internal intrusion?
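The trust files and inetd.conf entries just named can be audited mechanically. This Python script is an added example, not code from the original article; it assumes the filesystem to check is available under a root directory, and builds a constructed sample tree for the demonstration.

```python
# Added example, not from the original article: audit the address-based trust
# settings the prevention section says to remove; the root directory is an assumption.
import os
import tempfile
R_SERVICES = {"login", "shell", "exec"}   # inetd names of rlogind, rshd, rexecd

def parse_trust_file(text):
    """Classify hosts.equiv / .rhosts entries, yielding (severity, note)."""
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts or parts[0].startswith("-"):
            continue                                # blank, comment or deny entry
        if parts[0] == "+" or parts[1:2] == ["+"] or parts[0].startswith("+@"):
            yield "high", "wildcard or netgroup trust: " + " ".join(parts)
        else:
            yield "medium", "trusts host " + " ".join(parts)

def enabled_r_services(inetd_conf):
    """inetd.conf services from R_SERVICES whose line is not commented out."""
    lines = [l.split() for l in inetd_conf.splitlines() if l.strip() and not l.startswith("#")]
    return [l[0] for l in lines if l[0] in R_SERVICES]

def audit_trust(root):
    """Walk a filesystem root and report every address-based trust it finds."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            if name not in (".rhosts", "hosts.equiv", "inetd.conf"):
                continue
            with open(os.path.join(dirpath, name)) as fh:
                text = fh.read()
            if name == "inetd.conf":
                report += [(rel, "high", s + " enabled in inetd.conf") for s in enabled_r_services(text)]
            else:
                report += [(rel, sev, note) for sev, note in parse_trust_file(text)]
    return sorted(report)

SAMPLE_FILES = {  # constructed sample contents, not taken from any real host
    "etc/hosts.equiv": "+\n",
    "home/alice/.rhosts": "b.example.com alice\n+ +\n-evil.example.com\n",
    "etc/inetd.conf": "login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind\n"
                      "#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd\n",
}

def build_sample_tree():
    """Write SAMPLE_FILES under a fresh temporary root and return that root."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Run audit_trust("/") on a live host, or on a copied tree, to list every entry that lets a forged source address stand in for authentication.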
TCP's choice of ISN is not random, and its increment is not random either, which is what gives the attacker an opening. The code that selects the ISN can be modified so that the attacker has difficulty finding a pattern. I estimate that this is easy to do on Linux, but Solaris, IRIX, HP-UX and AIX? Sigh.
Although I know little, I have at least let everyone get to know the IP spoofing attack. I experimentally predicted the Sequence Number, not the ISN, in an attempt to cut off a TCP connection, and it felt very difficult. The author's recommendation is to look for the pattern and not predict blindly; this takes time and patience. What spirit is that? The legendary stories we hear have silent hardship and perseverance behind them; I hope we learn that, not the floating hustle and bustle. A ready-made bug is enough to get root permissions, but do you understand what you are doing? We are too superficial ...
Author: EMIL911 (emil911@sohu.com)