IP spoofing technology introduction (2)

zhaozj, 2021-02-17


This, of course, buys the attacker a good deal of valuable time. Note that attackers do not use IP addresses that are currently in use: the real owner of such an address would receive the SYN/ACK, reply with an RST to the attacked host, and so tear the half-open connection down. The procedure described above can be expressed as follows:

1  Z(x) --- SYN ---> B
   Z(x) --- SYN ---> B
   Z(x) --- SYN ---> B
2  X <--- SYN/ACK --- B
   X <--- SYN/ACK --- B
3  X <--- RST --- B

At time 1, the attacking host Z sends a large number of SYN requests, with the forged source address x, to the attacked host (at this stage the trusted host B), filling its TCP connection queue. At time 2, the attacked host sends SYN/ACKs to the address it believes the SYNs came from (the false address x). While the queue is full, the attacked host's TCP module ignores all new connection requests. Different TCP implementations keep connection queues of different lengths: BSD is generally 5, Linux generally 6. Once the trusted host has lost the ability to handle new connections, the window of time this buys is the attacker's time to attack the target host, and this is what makes it possible to pose as the trusted host.

Sequence number sampling and guessing

As mentioned earlier, to attack the target host one must know the sequence numbers the target host uses in its packets. Let us now look at how attackers predict them. They first open a normal connection to a port on the attacked host (SMTP is a good choice). Typically this is repeated several times, storing the ISN the target host sends each time. The attacker also needs to estimate the RTT (round trip time) between his host and the trusted host; this RTT is obtained from repeated measurements. RTT is very important for estimating the next ISN. As noted earlier, the ISN increases by 128,000 every second, and by 64,000 each time a connection is established. Estimating the ISN is therefore not difficult: it is 128,000 multiplied by half the RTT, plus another 64,000 if the target host has just established a connection. Once the ISN has been estimated, the attack begins immediately. When the attacker's forged TCP packet reaches the target host, what happens depends on how accurate the estimate was:

If the estimated sequence number is exactly right, the incoming data is placed in the receive buffer for use.

If the estimated sequence number is smaller than the expected one, the data is discarded.

If the estimated sequence number is greater than the expected one but within the sliding window (the buffer mentioned above), the data is treated as future data and the TCP module waits for the missing data in between.

If the estimated sequence number is greater than the expected one and outside the sliding window (the buffer mentioned above), TCP discards the data and returns the sequence number it expects. Needless to say, the attacker's host never receives this returned sequence number.
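The receiving side's decision for the four cases above, as an added example that is not part of the original article. RCV.NXT (the next sequence number the receiver expects) and RCV.WND (its window size) are the RFC 793 names, and the signed 32-bit wraparound comparison is the standard way a TCP implementation orders sequence numbers; neither comes from the page.

```python
import enum

SEQ_MOD = 1 << 32   # TCP sequence numbers live in a 32-bit circular space

class Verdict(enum.Enum):
    ACCEPT = "deliver"           # exactly the expected byte: goes into the receive buffer
    DISCARD_OLD = "discard"      # below the expected number: already seen, dropped silently
    HOLD_FUTURE = "hold"         # ahead but inside the window: kept until the gap is filled
    DISCARD_ACK = "discard+ack"  # beyond the window: dropped, expected number sent back

def seq_delta(a, b):
    """Signed distance a - b on the circular sequence space, so that a number just
    past the 2^32 wraparound still counts as 'ahead of' one just before it."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d

def classify_segment(seq, rcv_nxt, rcv_wnd):
    """Decide what the receiver does with a segment whose first byte is seq.

    Returns (verdict, ack_to_send). ack_to_send is RCV.NXT only in the
    out-of-window case, where the receiver answers with the number it expects;
    that answer goes to the segment's (possibly forged) source address."""
    d = seq_delta(seq, rcv_nxt)
    if d == 0:
        return Verdict.ACCEPT, None
    if d < 0:
        return Verdict.DISCARD_OLD, None
    if d < rcv_wnd:
        return Verdict.HOLD_FUTURE, None
    return Verdict.DISCARD_ACK, rcv_nxt

if __name__ == "__main__":
    # Constructed receiver state: expects byte 1000, advertises an 8 KiB window.
    rcv_nxt, rcv_wnd = 1000, 8192
    for seq in (1000, 999, 1500, 20000):
        print(seq, classify_segment(seq, rcv_nxt, rcv_wnd))
```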

1  Z(b) --- SYN ---> A
2  B <--- SYN/ACK --- A
3  Z(b) --- ACK ---> A
4  Z(b) --- PSH ---> A

The attacker, disguised with the IP address of the trusted host B (which is still paused, having lost its ability to process connections as described above), sends a connection request to port 513 of the target host A, as shown at time 1. At time 2, the target host responds to the connection request by sending a SYN/ACK to the trusted host (if the trusted host were operating normally it would treat this as an error and immediately return an RST to the target host, but at this point it is paused). As planned, the trusted host drops the SYN/ACK. At time 3, the attacker sends an ACK to the target host using the previously estimated sequence number plus 1 (because it is an acknowledgement). If the attacker's estimate is correct, the target host accepts the ACK and the connection is formally established. At time 4, data transfer begins. Generally the attacker plants a back door in the system for later access; 'cat >> ~/.rhosts' is often used, because it is quick and simple and paves the way for the next intrusion.

Another variant of this TCP sequence number attack uses the netstat service. Here the intruder simulates a host shutdown. If netstat is running on the target host, it supplies the required sequence number for another port, which removes any need to guess.

Typical attack tool and attack process: hunt

Prevention. The key to this attack is that the initial sequence number variable in Berkeley systems changes at a relatively coarse rate. The TCP specification requires this variable to be incremented 25,000 times per second; Berkeley uses a slower rate. However, what matters most is the interval between changes, not the speed.

Consider a counter that runs at 250,000 Hz. We ignore other connections for now and simply treat the counter as changing at a fixed frequency.

To learn the current sequence number, send a SYN packet and receive the reply:

X --> S: SYN(ISN_X)
S --> X: SYN(ISN_S), ACK(ISN_X)   (1)

The first spoofed packet, which triggers the next sequence number, can follow immediately after the server's reply to that packet:

X --> S: SYN(ISN_X), SRC = T   (2)

The sequence number ISN_S' used in the response

S --> T: SYN(ISN_S'), ACK(ISN_X)

is uniquely determined by the time between the origination of the first message and the server's receipt of the second. This number is simply the round-trip time between X and S. Thus, if the spoofer can measure and reproduce this time accurately, even a 4-microsecond clock cannot defeat the attack.

Abandon address-based trust

A very simple way to prevent such attacks is to give up address-based authentication: disallow the r* class of remote commands, delete the .rhosts file, and empty the /etc/hosts.equiv file. This forces all users to use other remote access methods such as Telnet, SSH, S/KEY, and so on.

Packet filtering

If your network is connected to the Internet through a router, you can use the router for packet filtering. Bear in mind that only your internal LAN should rely on trust relationships, and hosts on the internal LAN should treat hosts outside the LAN with caution. Your router can help you filter out all connection requests coming from outside to the internal network.

Encryption method

Another obvious way to prevent IP spoofing is to require encrypted transmission and authentication during communication. Where several methods are available and time permits, encryption may be adopted.

Use randomized initial sequence numbers

A very important factor in the success of these attacks is that sequence numbers are not chosen or incremented randomly. Bellovin describes a remedy for TCP: partition the sequence number space so that each connection has its own independent sequence number space. Within each space the sequence number still advances as before, but there is no discernible relationship between the different spaces. This can be expressed by the following formula:

ISN = M + F(localhost, localport, remotehost, remoteport)

M: a 4-microsecond timer

F: a cryptographic hash function.

The values produced by F must not be computable or guessable from outside. Bellovin suggests that F be a hash function over the connection identifier together with a secret vector (a random number, or a boot-time password).
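Bellovin's formula carried through in code, as an added example that is not from the original article: M is the 4-microsecond timer and F a keyed hash of the connection identifier. The choice of HMAC-SHA256 as F and the boot-time secret as its key are assumptions; the text only requires a hash whose output cannot be computed or guessed from outside. isn_gap shows why sampling the ISN from one's own connection no longer predicts the ISN handed to a connection from a different address.

```python
import hashlib
import hmac
import secrets
import struct
import time

TICK_US = 4           # M advances once every 4 microseconds, as in the text
SEQ_MOD = 1 << 32     # TCP sequence numbers are 32-bit and wrap around

def clock_component(now_us):
    """M: the 4-microsecond timer, ticking 250,000 times per second."""
    return (now_us // TICK_US) % SEQ_MOD

def connection_offset(secret, local_host, local_port, remote_host, remote_port):
    """F: keyed hash of the connection identifier (HMAC-SHA256 assumed here).
    The secret is the 'special vector' that keeps each space's offset private."""
    ident = f"{local_host}:{local_port}|{remote_host}:{remote_port}".encode()
    digest = hmac.new(secret, ident, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0]

def initial_seq(secret, local_host, local_port, remote_host, remote_port, now_us=None):
    """ISN = M + F(localhost, localport, remotehost, remoteport), mod 2^32.
    Within one connection's space the ISN still grows by 250,000 per second."""
    if now_us is None:
        now_us = time.monotonic_ns() // 1000
    offset = connection_offset(secret, local_host, local_port, remote_host, remote_port)
    return (clock_component(now_us) + offset) % SEQ_MOD

def isn_gap(secret, server, port, probe_client, victim_client, now_us):
    """Distance between the ISN a probing client sees and the ISN the server
    would issue, at the same instant, to a connection from another address.
    With a bare timer this gap is 0, so one sample predicts the other; with F
    in place it is the difference of two secret hash outputs."""
    seen = initial_seq(secret, server, port, probe_client[0], probe_client[1], now_us)
    real = initial_seq(secret, server, port, victim_client[0], victim_client[1], now_us)
    return (real - seen) % SEQ_MOD

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # constructed stand-in for a boot-time secret
    # Constructed addresses: server 10.0.0.1, probing client 198.51.100.7, trusted client 10.0.0.2
    print(isn_gap(key, "10.0.0.1", 513, ("198.51.100.7", 40000), ("10.0.0.2", 1023), 1_000_000))
```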

Please cite the original URL when reposting: https://www.9cbs.com/read-30744.html
