TCP/IP Illustrated, Volume 1: IP Routing

xiaoxiao 2021-03-06

2004-09-18 IP route

Volume 1 Chapter 9 IP Routing

This chapter covers a foundation of the TCP/IP protocol suite. IP routing finds the correct transmission path for a datagram; if no path can be found, the sender is notified of the failure. The information used in the search is maintained on two sides: each host maintains its own routing table (on Windows, route print displays the current routing table). Since an ordinary host has only one network card, its routing table is relatively simple: it contains the loopback interface (127.0.0.1) and the IP address currently in use. If there is no network card, there is only the loopback address.

All datagrams addressed to 127.0.0.1 (localhost) are handed to the link layer (commonly the Ethernet driver layer) and turned around into the IP input queue. Data sent to the host's own IP address also goes to the link layer, which sees that the address is its own and passes it to the IP input queue. For datagrams sent to any other address, the selected interface is the network card, so they all go to the NIC. The default route uses this interface as well. If several NICs are installed, the server versions of Windows can turn on the route forwarding function, that is, the machine can be used as a router. With only one network card installed, forwarding can also be used, but packets simply "go back where they came from", so no real "selection" takes place.

So when a host receives a datagram, it checks whether the datagram is addressed to itself. If so, this is normal communication and the datagram is handled directly. If not, then depending on an option (whether route forwarding is turned on) the host either discards the datagram or finds a suitable network interface to forward it from. Only when it decides to forward does "finding the way" really begin. Hosts and routers have a routing table. First the host entries in the routing table are checked to see whether any entry is the address of the destination. If one is found, the datagram is sent directly to that host. If not, the network numbers are checked to see whether the destination network is listed. If it is, the datagram is sent out of the interface that leads to that network. If neither can be found, the datagram is handed to the default route, which deals with it. Usually the default router has more entries and more information with which to find the destination. If the default router cannot find it either, it sends the datagram to its own default route, and so on up to the top. If the top-level core router cannot find it, the datagram has no way to its destination, and the router returns an ICMP message telling the sending host "network unreachable" or "host unreachable". The exact message depends on the router, but it is "host unreachable".

All this is rather tedious, so imagine an example from everyday life: I want to take the train to Lhasa, so I go to Hangzhou Railway Station. Hangzhou has no direct train (before the Qinghai-Tibet line there was none :)), which is equivalent to not finding the host "Lhasa". Nor does it know which railway bureau (network number) Lhasa belongs to, so it sends me to the transfer station Xuzhou (default route). Xuzhou station cannot find it either, but it knows that the host "Lhasa" is in the west and that the network "Zhengzhou Bureau" may know, so it sends me to "Zhengzhou". Zhengzhou has no direct train either, and sends me on to "Xining". At Xining Railway Station I learn that the Qinghai-Tibet line is not yet open to traffic, so this route is unavailable. I am informed "host unreachable": Lhasa cannot be reached. In real life I would have to make my way back home to Hangzhou. On the Internet, the datagram that got as far as "Xining" is not sent back; the router (train station) simply discards "me" and then notifies Hangzhou. This is the process of finding a route.
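The three-step search described above (host entry, then network entry, then default route, else an ICMP error), as an added example that is not code from the book or the original post. The addresses and interface names are constructed, and picking the most specific matching network is a generalization to prefix-based tables.

```python
import ipaddress

# Constructed routing table for a hypothetical single-NIC host at 192.168.1.10.
# Each entry: (destination, gateway or None when directly connected, interface).
ROUTES = [
    ("127.0.0.1/32",    None,          "lo"),    # host entry: loopback
    ("192.168.1.10/32", None,          "lo"),    # host entry: our own address
    ("10.1.2.3/32",     "192.168.1.2", "eth0"),  # host entry via a specific router
    ("192.168.1.0/24",  None,          "eth0"),  # network entry: local subnet
    ("10.1.0.0/16",     "192.168.1.3", "eth0"),  # network entry via another router
    ("0.0.0.0/0",       "192.168.1.1", "eth0"),  # default route
]

def lookup(dst, routes=ROUTES):
    """Return (kind, next_hop, interface) using the three-step search."""
    addr = ipaddress.ip_address(dst)
    parsed = [(ipaddress.ip_network(d), gw, ifc) for d, gw, ifc in routes]
    # Step 1: an entry that matches the complete destination host address.
    for net, gw, ifc in parsed:
        if net.prefixlen == 32 and addr in net:
            return ("host", gw or dst, ifc)
    # Step 2: an entry that matches the destination network (most specific wins).
    nets = [r for r in parsed if 0 < r[0].prefixlen < 32 and addr in r[0]]
    if nets:
        net, gw, ifc = max(nets, key=lambda r: r[0].prefixlen)
        return ("network", gw or dst, ifc)
    # Step 3: the default route, if one is configured.
    for net, gw, ifc in parsed:
        if net.prefixlen == 0:
            return ("default", gw, ifc)
    # Nothing matched: a router would answer with an ICMP unreachable error.
    return ("unreachable", None, None)

def forward_decision(dst, local_addrs, ip_forwarding, routes=ROUTES):
    """What a host does with a received datagram addressed to dst."""
    if dst in local_addrs:
        return "deliver locally"
    if not ip_forwarding:
        return "discard"              # not ours, and forwarding is turned off
    kind, hop, ifc = lookup(dst, routes)
    if kind == "unreachable":
        return "send ICMP unreachable to the sender"
    return f"forward to {hop} via {ifc} ({kind} route)"
```

Removing the default entry from the table is what turns an unknown destination into the "unreachable" outcome instead of a hand-off to the next router.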

If the destination is finally found, everyone is happy: the two sides can "shake hands", and what happens next has nothing to do with routing. This process shows the role of routing entries. If the routing table were detailed enough to find every host, then every datagram handed to the router would arrive successfully, just as if Hangzhou Station had a train to everywhere in the country. However, this is unrealistic. The hosts on the Internet are innumerable, just like the train stations across the country; giving every host its own entry would require routers with enormous capacity to store the records, and the efficiency of finding an entry in such a huge routing table would also be a problem. So today's routers form a hierarchy, and the routers at each level store local routing information. Datagrams a router does not know about are sent to its default route, which reduces the requirements on any single router.

Next, the creation and updating of routing information. When hosts and routers are switched on or off is unpredictable, so routing information is uncertain. A path that works this minute may not work the next (shutdown, crash, attack ...). Routing information that has become invalid this way must be updated promptly to avoid wrong routes. The basic routing information is typically created during system startup, for example the default route configuration. The route add command adds a static route manually. More routing information is accumulated during communication, that is, the router slowly "learns".

This is similar to ARP. In a LAN, suppose data is to be sent from host A to host B. If A does not know at first where B is, it sends an ARP request asking where B is. B, on receiving it, replies with its own MAC address, and the ARP daemon then saves the MAC and IP pairing of machine B. The next time there is data to send to B, there is no need to ask; it is sent directly to the corresponding MAC address (arp -a shows the current ARP entries). A router is similar: once it knows which interface leads to a destination, it saves that interface. The difference is that ARP works at the link layer, below the IP layer, while a router's processing of this information is more complicated than the ARP daemon's.

Routers can "learn". What they learn from is router advertisement messages (ICMP datagrams) issued by other routers. A router issues an advertisement approximately every 9 to 10 minutes, and a router that receives the message updates its corresponding entry. This kind of learning is passive. When a router starts, it sends a router solicitation message (also an ICMP datagram), and other routers respond with router advertisements, so it can actively learn routing information from other routers.

Another way to modify routing information is the ICMP redirect message. Take the example above: Hangzhou Station sent me to Xuzhou, and Xuzhou Station feels I should have been sent directly to Zhengzhou without the detour, so it informs Hangzhou Station that from now on travellers like me should be sent straight to Zhengzhou. On receiving this, Hangzhou updates its routing information; that is redirection. Of course, a host has requirements for accepting an ICMP redirect and updating its routing information. The book lists four requirements for a 4.4BSD system to accept an ICMP redirect. I have not touched this system, the book was written some years ago, and today's network environment is more complicated than it was then, because these mechanisms are easy for people to exploit.

That covers the content of the book; now for some aspects I am interested in. ARP and routing are both used to find the way. ARP is used in local area networks, while routing is used in wide area networks (the division is not strict, but it is substantially like this). For flexibility, this information can be modified by ICMP datagrams. Once it can be modified, all the related data traffic can be diverted elsewhere. This is a hidden danger that is likely to be exploited. The ARP protocol stipulates that a host receiving an ARP datagram should update the entry already saved in its ARP cache for the IP address in that datagram, so that data for that IP is afterwards sent to the new MAC address carried in the datagram. So by constructing an ICMP datagram one can forge ARP information and carry out ARP spoofing.

The popular ARP spoofing procedure goes like this. Assume A, B and C are on the same LAN, each with its own IP address. A fully trusts B but restricts C, for example filtering all data from C or limiting certain ports; in any case C is not treated as well as B. C feels this is unfair and wants the same treatment (whatever the specific reason, the result is the same). So C sets to work; C will certainly not go to the administrator directly, but will secretly take B's place.

1. First make B go down. If B is still on the network, C's later ARP deception will be hindered.
2. C changes its own IP to B's IP, so that it can deceive A into thinking it really is B.
3. C sends out forged ARP packets that link B's IP with C's MAC.
4. All hosts receive the ARP packet and update their ARP caches according to its content, so all data addressed to B now goes to C, and every host that receives data from C takes it to be from B. Meanwhile B is down and knows nothing.

This kind of deception is difficult to carry out. It can only be used within a LAN. First of all B has to be taken down; if B cannot be taken down, it is hard. Moreover, services opened up by IP address are increasingly given additional restrictions.

I know of two cases of this kind of deception. One was on a forum, where a user said he used this method to build network management software that blocks certain websites: all requests to the blocked IPs are diverted to other websites, with no proxy server needed. The idea is a good one. The other was a couple of days ago (the afternoon of September 15th), while Security Focus's XCON2004 was being held, when www.xfocus.net was "hacked" and the page could not be opened normally. According to a member of the site, another host at the hosting service provider had been compromised, and ARP spoofing diverted requests for the normal web page to the compromised host. So an "attack and defense confrontation" played out: one side constantly sent spoofed messages to divert the visits; the other continuously sent normal packets to win the visits back. Visitors at the time would get the normal web page one moment, the defaced page after a refresh, and the normal page again after another refresh. Unfortunately I was at work and did not see it.
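The cache update rule and the back-and-forth seen in the www.xfocus.net incident suggest what a defender can watch for: an IP whose MAC changes, changes repeatedly within a short time, or shares a MAC with another IP. The monitor below is an added example, not part of the original post; the addresses, MACs, timestamps and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed ARP observations: (seconds, sender IP, sender MAC).
# 192.168.1.20 plays host B and 192.168.1.30 plays host C from the text.
EVENTS = [
    (0,  "192.168.1.1",  "00:11:22:33:44:01"),
    (1,  "192.168.1.20", "00:11:22:33:44:0b"),
    (2,  "192.168.1.30", "00:11:22:33:44:0c"),
    (30, "192.168.1.20", "00:11:22:33:44:0c"),  # B's IP now claims C's MAC
    (31, "192.168.1.20", "00:11:22:33:44:0b"),  # the real owner answers back
    (32, "192.168.1.20", "00:11:22:33:44:0c"),  # the forged binding again
    (60, "192.168.1.1",  "00:11:22:33:44:01"),
]

def naive_cache(events):
    """The update rule the text describes: the newest ARP message always wins."""
    cache = {}
    for _, ip, mac in events:
        cache[ip] = mac
    return cache

def audit(events, window=10, flips=2):
    """Return alerts as (time, kind, ip, detail) tuples."""
    cache, alerts = {}, []
    changes = defaultdict(list)              # ip -> times its MAC changed
    for ts, ip, mac in events:
        old = cache.get(ip)
        if old is not None and old != mac:
            alerts.append((ts, "changed", ip, f"{old} -> {mac}"))
            changes[ip] = [t for t in changes[ip] if ts - t <= window] + [ts]
            if len(changes[ip]) >= flips:    # two sides fighting over one IP
                alerts.append((ts, "flip-flop", ip, f"{len(changes[ip])} changes"))
        for other_ip, other_mac in cache.items():
            if other_mac == mac and other_ip != ip:   # one MAC, several IPs
                alerts.append((ts, "shared-mac", ip, f"also {other_ip}"))
        cache[ip] = mac
    return alerts

if __name__ == "__main__":
    print(naive_cache(EVENTS)["192.168.1.20"])
    for alert in audit(EVENTS):
        print(alert)
```

The naive cache ends up holding the forged binding with no trace of the change, while the audit records every change and marks the alternation as a flip-flop.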

The same is possible with routing information. Router advertisements can update the routing tables of other routers. If a forged router advertisement is issued, it corrupts the router's normal routing table. This is relatively difficult to achieve; doing it with ICMP redirects is much less difficult. ARP spoofing can only be carried out within a LAN. To achieve the same purpose across a wide area network, it must be combined with ICMP deception. ARP spoofing can divert traffic, but the diversion has a restriction: it cannot go through a router, that is, ARP information cannot cross a router (unlike proxy ARP). This means that even when the other host's ARP entry has been refreshed to point at a router, the traffic still stays within the local area network and is not sent to the router. At this point another forged ICMP message must be sent, saying that sending to the router's MAC is correct. Once the host receives this message the goal is achieved: C completely replaces B. What happens afterwards depends on the intruder's mood. In this sense, a sniffer can be run against any machine (all of its communication data).

For everything I said above, I currently only understand the concepts and principles and have summarized them. I am not yet up to actually doing any of this and still have to learn. Packet-capture tools are readily available online, but protocol analysis is another matter. I am not even very familiar with constructing raw sockets, let alone anything more. This is purely for learning purposes.

When reposting, please cite the original address: https://www.9cbs.com/read-115232.html
