Introduction to IP Spoofing Techniques (1)
Even a well-implemented TCP/IP stack has weaknesses, so TCP/IP networks can be attacked. These attacks include sequence number spoofing, routing attacks, source address spoofing and authentication spoofing. Besides describing how IP spoofing attacks work, this article also describes how to defend against them.
The attacks discussed here assume that the attacker's computer (including any routers) is connected to the Internet. They target defects in TCP/IP itself, not a particular implementation.
In fact, IP spoofing is not the goal of an attack but a means of attack; the attack proper works by abusing trust relationships.
Principles of IP spoofing
Trust relationships
In the UNIX world, trust relationships are easy to set up. Suppose you have an account on both host A and host B. When working on host A you use A's account, and when working on host B you use B's account; the two hosts treat you as two unrelated users, which is clearly inconvenient. To reduce this inconvenience, a mutual trust relationship between the two accounts can be established on host A and host B by creating a .rhosts file in your home directory on each host. On host A, enter 'echo "B username" > ~/.rhosts' in your home directory; on host B, enter 'echo "A username" > ~/.rhosts' in your home directory. From then on you can use any of the remote commands beginning with r*, such as rlogin, rcall, rsh and so on, without being bothered by password verification. These commands perform address-based authentication: they allow or refuse service according to the IP address of the peer.
The trust relationship here is based on the IP address.
Rlogin
Rlogin is a simple client/server program that uses TCP for transport. Rlogin allows a user to log in from one host to another, and if the target host trusts the source host, rlogin grants access to the target host's resources without asking for a password. Its security check is based entirely on the source IP address. So, in the example above, we can use rlogin to log in from B to A without being prompted for a password.
TCP sequence number prediction
IP simply sends packets and guarantees their integrity. If a complete IP packet cannot be received, IP sends an ICMP error message to the source address, hoping that the packet will be retransmitted; however, that message may itself be lost. Because IP is connectionless, no state is maintained: each IP packet is sent independently, with no regard to the packets before or after it. It follows that the IP stack can be modified to place any IP address in the source and destination fields, that is, to supply a false IP address.
TCP provides reliable transport. Reliability is provided by the multi-bit control fields in the packet, where the data sequence number and its acknowledgement are indicated by SYN and ACK respectively. TCP assigns a sequence number to every byte of data; the source sends a packet whose sequence number identifies its data, and the destination acknowledges it with an ACK whose value is the sequence number of the source's data, not of the packets the destination itself sent. While acknowledging, the ACK also carries the next sequence number expected. Clearly, the reliability that TCP provides is harder to fool than IP.
Sequence numbers, acknowledgements and other flags
Since TCP is built on reliability, it provides mechanisms for handling packet loss, duplication and faults such as out-of-order delivery. In fact, TCP ensures reliable transmission by assigning a sequence number to every byte sent. The receiver uses the sequence numbers to restore the order of the data and to discard duplicate packets. A TCP sequence number can be regarded as a 32-bit counter ranging from 0 to 2^32-1. The data on each TCP connection (identified by certain flag bits) is sequential. The sequence number flag (SYN) is defined in the TCP packet and is located at the front of the data segment. The acknowledgement bit (ACK) acknowledges received data and indicates the next sequence number expected. TCP performs flow control through the concept of a sliding window. Imagine that the sender transmits very fast while the receiver receives slowly; to ensure that no data is lost, flow control is clearly needed to coordinate the pace of both sides. The sliding window can be understood as the buffer size the receiving end can offer. TCP uses the sliding window to tell the sender how much buffer space is available for the data it transmits. Because the window is a 16-bit field, the receiving end can offer at most 65,535 bytes of buffer. Thus the largest acceptable sequence number can be calculated from the window size and the sequence number of the first byte.
Other TCP flags include RST (reset the connection), PSH (push function) and FIN (no more data from sender). If an RST is received, the TCP connection is torn down immediately. An RST is typically sent when the receiving end gets a packet that does not belong to the current connection. Sometimes the TCP module needs to transmit immediately rather than waiting until its buffer is full: a higher-level process sets the PSH flag in the TCP header and tells the TCP module to send all queued data to the receiver at once. FIN indicates that the application has finished with the connection; when the receiver gets a FIN, it acknowledges it and assumes that no more data will arrive.
TCP sequence number prediction was first described by Morris. He used the predictability of TCP sequence numbers to generate a valid TCP packet sequence even without seeing any response from the server, which allowed him to spoof hosts on a local network.
A TCP connection is usually established with a three-way handshake. The client chooses and sends an initial sequence number (in the SEQ field) ISN C, with the SYN flag set to 1, telling the server that it wants to establish a connection. The server acknowledges this, sends its own sequence number ISN S, sets the ACK flag and announces that the next expected sequence number is ISN C+1. The client acknowledges once more. After these three exchanges, data transfer begins. The whole process is as follows (C: client, S: server):
C ---> S: SYN (ISN C)
S ---> C: SYN (ISN S), ACK (ISN C)
C ---> S: ACK (ISN S)
C ---> S: data    or    S ---> C: data
That is, for a session C must obtain ISN S in order to complete the acknowledgement. ISN S may be a random number.
It helps to understand how the initial sequence number is chosen and how it changes over time. One might expect the sequence number to be initialised to 1 when the host boots, but that is not the case. The initial sequence number is determined by the TCP_INIT function. The ISN increases by 128,000 every second, and if there are connections, each new connection increases the counter by a further 64,000. This means that, with no connections, the 32-bit counter representing the ISN wraps around once every 9.32 hours, which helps to minimise the chance of interfering with existing connections. The concept of the 2 MSL waiting time (outside the scope of this article) applies here. If the initial sequence number were chosen freely, there would be no guarantee that a new sequence number differs from previous ones. Suppose a packet caught in a routing loop finally escapes and returns to an "old" connection (which by then is actually a different connection from the one that exists now): it will clearly interfere with the existing connection. Now suppose an intruder X has a way to predict ISN S. In that case he can send the following sequence to S, posing as the real client T:
X ---> S: SYN (ISN X), SRC = T
S ---> T: SYN (ISN S), ACK (ISN X)
X ---> S: ACK (ISN S), SRC = T
Although the message S ---> T does not go to X, X knows its contents and can therefore send data. If X attacks a connection that allows commands to be executed, he can execute additional commands.
So how are random ISNs generated? In the Berkeley system the initial sequence number variable is incremented by a constant amount, and by half that constant each time a connection is started. Thus, if a legitimate connection is started and its ISN S is observed, the ISN S that will be used in the next connection attempt can be computed with high confidence.
Morris pointed out that the reply message
S --- T: SYN (ISN S), ACK (ISN X)
In fact, it does not disappear, and the real host will receive it and try to reconnect. This is not a serious obstacle.
Morris discovered that by imitating a port on T and requesting a connection to that port, he can generate a sequence overflow, so that it looks that the S * t message is lost. Another method, you can wait for T shutdown or restart.
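As an added illustration (not from the original article), the following Python simulation models the counter-based ISN scheme described above using the figures quoted in the text (128,000 per second, 64,000 per connection, a 32-bit counter) and shows why observing one ISN lets the next one be computed, whereas a CSPRNG-based ISN cannot be guessed; the class and function names are my own.

```python
import secrets

MOD = 2 ** 32            # the ISN is a 32-bit counter
PER_SECOND = 128_000     # increment per second quoted in the text
PER_CONNECTION = 64_000  # increment per new connection quoted in the text

class CounterISN:
    """Toy model of the old Berkeley-style scheme: predictable by construction."""
    def __init__(self, start=0):
        self.counter = start % MOD

    def advance(self, seconds):
        # Clock-driven increment while the host is idle between connections.
        self.counter = (self.counter + int(seconds * PER_SECOND)) % MOD

    def new_connection(self):
        isn = self.counter
        self.counter = (self.counter + PER_CONNECTION) % MOD
        return isn

class RandomISN:
    """Unpredictable alternative: each ISN is drawn from a CSPRNG."""
    def advance(self, seconds):
        pass  # elapsed time tells an observer nothing about the next value

    def new_connection(self):
        return secrets.randbelow(MOD)

def predict_next_isn(observed, seconds_elapsed, connections_since):
    """What the counter scheme hands out next, given one observed ISN, the
    time elapsed and the number of connections opened meanwhile."""
    return (observed + int(seconds_elapsed * PER_SECOND)
            + connections_since * PER_CONNECTION) % MOD

def idle_wraparound_hours():
    """Hours until an idle counter wraps around (the text's 9.32 hours)."""
    return MOD / PER_SECOND / 3600

def prediction_hit_rate(gen, trials=100, gap_seconds=0.5):
    """Observe one ISN from a legitimate probe connection, wait gap_seconds,
    guess the next ISN and compare it with what the generator really issues.
    Returns the fraction of correct guesses: 1.0 for the counter, ~0 for random."""
    hits = 0
    for _ in range(trials):
        observed = gen.new_connection()          # the probe's ISN
        gen.advance(gap_seconds)
        guess = predict_next_isn(observed, gap_seconds, 1)
        hits += guess == gen.new_connection()
    return hits / trials
```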
IP spoofing
IP spoofing consists of several steps, which are outlined briefly here and then explained in turn.
Two assumptions are made first: the target host has been chosen, and the trust pattern has been discovered, including a host that the target trusts. To perform IP spoofing, the attacker does the following: disable the trusted host, sample the TCP sequence numbers issued by the target host in order to guess its next sequence number, then impersonate the trusted host and establish an application-level connection with the target based on address authentication. If this succeeds, the attacker can use a simple command to leave a backdoor on the system for unauthorised operations.
Disabling the trusted host
Once the trusted host has been found, it is usually disabled before it is impersonated. Because the attacker is going to stand in for the real trusted host, he must ensure that the real host cannot receive any valid network data, otherwise the deception will be exposed. There are many ways to do this; the one described here is "TCP SYN flooding".
As mentioned earlier, the first step in establishing a TCP connection is for the client to send a SYN request to the server. Normally the server replies with a SYN/ACK to the client, where the client is identified by its IP address. The client then sends an ACK to the server, after which data transfer can begin. However, the TCP module has an upper limit on the number of SYN requests it can process in parallel, which can be thought of as the length of a queue holding multiple connections. That count includes connections that have not yet completed the three-way handshake as well as those that have completed it but have not yet been accepted by the application. Once the queue limit is reached, TCP refuses all further connection requests until some connections have been processed. This is where there is room for abuse. The attacker sends a large number of SYN requests to a TCP port of the target using a legitimate but false IP address (the host owning that address may not even be booted). The attacked host sends responses to that IP address, but no reply ever comes. Meanwhile, IP may notify the attacked host's TCP that the host is unreachable; unfortunately TCP treats this as a temporary error and keeps trying (re-routing to the IP address, reissuing SYN/ACK packets, and so on) until it finally gives up.
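Added example (not from the original article): a Python model of the SYN queue described above, with a constructed packet trace and a deliberately small backlog of 4 slots; the names Listener, replay and suspicious_sources are my own. It shows a legitimate SYN being refused once spoofed half-open entries fill the queue, and the per-source half-open count that a defender would watch for.

```python
BACKLOG = 4   # constructed, deliberately small queue limit for the simulation

class Listener:
    """Toy model of a listening port's SYN queue: a SYN holds a slot until the
    client's ACK completes the handshake. Spoofed SYNs never get that ACK, so
    their slots stay taken until the (unmodelled) retry timeout expires."""
    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}   # (src_ip, src_port) -> server ISN (constructed)
        self.established = []
        self.dropped = []     # SYNs refused because the queue was full

    def on_syn(self, src):
        if src in self.half_open:
            return "duplicate"        # retransmitted SYN takes no new slot
        if len(self.half_open) >= self.backlog:
            self.dropped.append(src)
            return "dropped"          # queue full: request refused
        self.half_open[src] = 1000 + len(self.half_open)
        return "syn-ack"              # SYN/ACK goes out to src_ip

    def on_ack(self, src):
        if src not in self.half_open:
            return "reset"            # no matching half-open entry
        del self.half_open[src]
        self.established.append(src)
        return "established"

def replay(packets, listener):
    """Feed a list of (kind, (ip, port)) packets to the listener."""
    for kind, src in packets:
        (listener.on_syn if kind == "SYN" else listener.on_ack)(src)
    return listener

def suspicious_sources(listener, threshold=3):
    """Detection view: count half-open entries per source IP and report the
    addresses at or above the threshold, the usual sign of a flood."""
    counts = {}
    for ip, _port in listener.half_open:
        counts[ip] = counts.get(ip, 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed trace: four SYNs with a spoofed, unreachable source address,
# then one legitimate client that would complete its handshake.
TRACE = [("SYN", ("10.9.9.9", p)) for p in range(40000, 40004)] + [
    ("SYN", ("192.0.2.10", 51000)), ("ACK", ("192.0.2.10", 51000))]

def run(backlog=BACKLOG):
    return replay(TRACE, Listener(backlog))
```

With the default backlog the legitimate client is refused and its later ACK is met with a reset; with a backlog of 8 the same trace completes the handshake.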