Network Deception
Author: Gu Yu    Source: YESKY    Date: 2000-8-15
What is network deception?
The information security of computer systems and networks will be one of the major challenges facing every country in the new century. In our country the issue has received close attention, and research and development of several typical technologies and related products, such as passwords and encryption, authentication and access control, intrusion detection and response, security analysis and simulation, and disaster recovery, is in full swing. In recent years, in the contest with intruders, another effective information security technology has gradually come into view: network deception.
Network deception makes the intruder believe that the information system has valuable, exploitable security weaknesses and attackable resources (these resources are of course forged or unimportant), and leads the intruder to those false resources. It significantly increases the intruder's workload, the complexity of the intrusion, and the intruder's uncertainty, so that the intruder cannot tell whether the attack is working or has succeeded. Moreover, it lets the defender track the intruder's behavior and fix security vulnerabilities that may exist before the intruder can exploit them.
In principle, every network system of value has security weaknesses, and these weaknesses may be exploited by intruders. Network deception mainly serves three purposes:
to influence intruders so that they act according to the defender's will;
to detect an intruder's attack quickly and learn the attacker's techniques and intentions;
to consume the intruder's resources.
An ideal network deception makes the intruder feel that the desired goal (which is of course fake) is difficult but attainable, so that the intruder keeps believing in the intrusion.
Main network deception technologies
Honeypots and distributed honeypots
Network deception is generally implemented through technical means such as concealment and planting false information. The former includes hiding services, multipathing, and keeping security-state information confidential; the latter includes redirecting routes, fabricating false information, and setting up loops. Combining these techniques, the earliest form of network deception was honeypot technology, which places a small number of attractive targets (called honeypots) where intruders can easily find them, in order to lure intruders.
The goal of this technique is to find an effective way to influence intruders so that they concentrate their techniques and effort on the honeypot rather than on other, genuinely valuable normal systems and resources. Honeypot technology can also be switched in once an intrusion attempt is detected.
However, honeypot technology offers little against more advanced network intrusions. Distributed honeypot technology was therefore developed: it spreads decoys among the network's normal systems and resources, using idle service ports as decoys, which increases the likelihood that an intruder will encounter a decoy. It has two direct effects: one is to distribute decoys over a wider range of IP addresses and port space; the other is to increase the proportion of decoys across the whole network, so that an intruder's scanner is more likely to discover a decoy than a real security weakness.
Even so, distributed honeypot technology still has limitations, in three respects: first, it is ineffective against network scans that exhaustively search the whole space; second, it provides only a relatively low degree of deception; third, it reduces rather than removes the security weaknesses present across the whole search space. Moreover, a more serious drawback of this technique is that it is effective only against remote scans. If the intruder has already partly entered the network system, the real network services are transparent to an intruder who is observing (e.g. sniffing) rather than actively scanning, and the deception then loses its effect.
Deception space technology
Deception space technology achieves protection by greatly enlarging the search space and thereby the intruder's workload. Using the multi-homing capability of a computer system, a host with a single Ethernet card can be given many IP addresses, each with its own MAC address. This can be used to build a deception that fills a large address space at extremely low cost. In fact, one research institution has bound more than 4,000 IP addresses on a PC running Linux, which means that a network of 16 such computers can cover an entire class B address space with deception. Although there appear to be many different decoys, they are actually realized on a single computer. In terms of effect, placing network services on all of these IP addresses will undoubtedly increase the intruder's work, because they need to decide which services are real and which are forged, especially when false network services are placed on 40,000 or more IP addresses. Moreover, in this situation the deceptive services are relatively easier for a scanner to discover. Misleading the intruder and prolonging the intrusion consumes a large amount of the intruder's resources and lowers the probability that the real network services will be found.
When an intruder's scanner reaches the network system's external router and detects a deceptive service, all of the scanner's network traffic can also be redirected into the deception, so that every subsequent remote access from it becomes part of the deception.
Of course, when this deception is used, the switching (redirection) of network traffic and services must be kept strictly confidential, because once it is exposed it invites attacks: the intruder could separate known real services from the kind of probing that triggers the deception, detaching scan detection from the deceptive response.
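The following is an added example (not code from the original article) that models the deception space and the redirection rule described above: every address in a prefix that is not one of the few real hosts answers as a decoy, and the first time a source touches any decoy address, all of its later traffic is routed into the deception, whether or not it was addressed to a real host. The prefixes, host lists and the random scanner are constructed for the example; the `/16` case in the stand-alone run corresponds to the article's class B scenario.

```python
"""Added example, not from the original article: a model of a deception address
space with traffic redirection. A whole prefix is treated as decoy space except
for the few real hosts; the first time a source touches any decoy address, all
of its later traffic is routed into the deception. Prefixes, hosts and the
scanner are constructed for the example.
"""
import ipaddress
import random


class DeceptionSpace:
    def __init__(self, network, real_hosts):
        self.net = ipaddress.ip_network(network)
        self.real = {ipaddress.ip_address(h) for h in real_hosts}
        self.redirected = set()       # sources already captured by the deception

    def is_decoy(self, addr):
        """Every address in the prefix that is not a real host is a decoy."""
        a = ipaddress.ip_address(addr)
        return a in self.net and a not in self.real

    def decoy_fraction(self):
        """Share of the prefix that answers as a decoy."""
        return 1 - len(self.real) / self.net.num_addresses

    def route(self, src, dst):
        """Return 'real' or 'decoy' for one packet, updating the redirect state."""
        if src in self.redirected:
            return "decoy"
        if self.is_decoy(dst):
            self.redirected.add(src)  # from now on this source sees only decoys
            return "decoy"
        return "real"


def simulate_random_scan(space, src, n_probes, seed=1):
    """A scanner probing random addresses in the prefix; counts what it reached."""
    rng = random.Random(seed)
    addrs = list(space.net)
    seen = {"real": 0, "decoy": 0}
    for _ in range(n_probes):
        seen[space.route(src, str(rng.choice(addrs)))] += 1
    return seen


if __name__ == "__main__":
    # Constructed: 16 real hosts hidden in a /16, the article's class B scenario.
    real = [f"10.1.{i}.1" for i in range(16)]
    space = DeceptionSpace("10.1.0.0/16", real)
    print(f"decoy fraction: {space.decoy_fraction():.4f}")
    print(simulate_random_scan(space, "203.0.113.9", 1000))
```

Because `route()` only ever lets a source reach a real host before its first decoy contact, a random scanner's count of real services seen is bounded by its leading lucky guesses, which is the article's point that redirection makes the real services practically undetectable once the scan has touched the deception.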
Improving deception quality
As network attack techniques keep improving, no network deception technique can succeed forever; the quality of the deception must be improved constantly so that intruders cannot distinguish real services from deceptive ones.
Network traffic simulation, dynamic network configuration, multiple address translation, and organizational information deception are several main methods for effectively improving the quality of network deception; they are introduced below.
Network traffic simulation
The purpose of generating simulated traffic is to ensure that traffic analysis cannot detect the deception. There are two ways to generate simulated traffic in a deception system. One is to replicate real network traffic in real time or to replay it; this makes the deception system very similar to the real system, because all access connections are copied. The other is to generate fake traffic from remote hosts so that the intruder can discover and exploit it.
Dynamic network configuration
A real network changes over time; if the deception is static, the intruder will soon notice and the deception becomes ineffective. The deceptive network must therefore be configured dynamically to simulate normal network behavior, changing as the real network changes. To be effective, the deception's characteristics should also reflect those of the real system as closely as possible. For example, if office machines are shut down after working hours, the decoy machines should shut down at the same time. Holidays, weekends, and other special periods must also be considered, otherwise the intruder will very likely spot the deception.
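The following is an added example (not code from the original article) of the dynamic configuration just described: instead of hard-coding office hours, the decoy's uptime schedule is learned from the real host's observed uptime per weekday and hour, and a holiday list overrides it, so the decoy goes down whenever the real machines usually do. The observations, holiday and threshold are constructed for the example.

```python
"""Added example, not from the original article: deriving a decoy host's
uptime schedule from the real host's observed behavior, so decoys go down
when the offices do. Observations, holidays and the threshold are constructed.
"""
from collections import defaultdict
from datetime import date, datetime, time, timedelta


def learn_profile(observations):
    """observations: [(datetime, is_up)] -> {(weekday, hour): fraction_up}."""
    up = defaultdict(int)
    total = defaultdict(int)
    for when, is_up in observations:
        key = (when.weekday(), when.hour)
        total[key] += 1
        up[key] += 1 if is_up else 0
    return {k: up[k] / total[k] for k in total}


def decoy_should_be_up(profile, when, holidays=frozenset(), threshold=0.5):
    """Mirror the real host: up only when it usually is, never on a holiday."""
    if when.date() in holidays:
        return False
    return profile.get((when.weekday(), when.hour), 0.0) >= threshold


def decoy_schedule(profile, day, holidays=frozenset()):
    """Hours of a given date during which the decoy should answer."""
    return [h for h in range(24)
            if decoy_should_be_up(profile, datetime.combine(day, time(h)), holidays)]


def synthetic_observations(start, days):
    """Constructed sample: a workstation that is up on weekdays 08:00-18:00."""
    obs = []
    for d in range(days):
        for h in range(24):
            t = start + timedelta(days=d, hours=h)
            obs.append((t, t.weekday() < 5 and 8 <= t.hour < 18))
    return obs


if __name__ == "__main__":
    # Two weeks of constructed uptime samples starting Monday 2000-08-14.
    profile = learn_profile(synthetic_observations(datetime(2000, 8, 14), 14))
    # Constructed holiday: the decoy must stay dark even on a normal weekday.
    holidays = {date(2000, 8, 28)}
    for day in (date(2000, 8, 28), date(2000, 8, 29), date(2000, 9, 2)):
        print(day, decoy_schedule(profile, day, holidays))
```

In a deployment the profile would be rebuilt periodically from the real hosts' monitoring data, so that a change in office hours or a new weekend shift is reflected in the decoys without manual reconfiguration, which is the point of making the deception network change as the real network does.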
Multiple address translation
Multiple address translation separates the deception network from the real network, so that a low-trust host can stand in for the real computer, increasing indirection and concealment. Its basic idea is to redirect through a proxy service (implemented by rewriting a proxy server); the proxy service re-addresses the traffic so that the deception system sees the same source and destination addresses as the real system. In the figure, access from Mnop to the ABCG interface passes through a series of address translations: it is sent by AFCG to 10.NOP, then to 10.GCF, and finally the packet is converted from Mnop to the real machine ABCG. The deceptive service can also be bound to a host of the same type and configuration as the real service host, markedly improving the authenticity of the deception. Dynamic multiple address translation can also be tried.
Organizational information deception
If an organization provides access to personal and system information, the deception must also reflect this information in some way. For example, if the organization's DNS server contains detailed information about the owner and location of each personal system, the deceptive DNS list also needs forged owners and locations, otherwise the deception is easily discovered. Moreover, the forged people and locations in turn require forged information such as salaries, budgets, and personnel records.
Conclusion
This paper has described the role of network deception in information system security and the main techniques for implementing it, and has introduced specific methods for improving deception quality. High-quality network deception allows decoys to be well hidden, with real services and deceptive services almost indistinguishable, making it difficult for intruders to tell them apart. A comprehensive network security solution is therefore inseparable from network deception, and network deception technology has broad prospects as network attack and security protection continue to develop.