Even a very well implemented TCP/IP protocol suite can be attacked, because the protocols themselves contain some unsafe design points. These attacks include sequence number spoofing, routing attacks, source address spoofing and authentication spoofing. Besides introducing the methods of IP spoofing, this article also introduces how to defend against this kind of attack. The attacks described here assume that the attacker's computer (including a router) is connected to the Internet. The attack method targets defects in TCP/IP itself, not a specific implementation. In fact, IP spoofing is not the result of an attack but a means of attack; what is actually attacked and destroyed is the trust relationship.

IP spoofing principles

Trust relationships

In the Unix world, trust relationships are easy to obtain. Suppose a user has an account on each of hosts A and B. When working on host A, the account on A is required, and when using host B the account on B must be entered; hosts A and B treat the two accounts as unrelated users, which is obviously inconvenient. To reduce this inconvenience, a mutual trust relationship can be established between the two accounts on host A and host B. Create a .rhosts file in the HOME directory on host A and on host B. On host A, enter in the home directory 'echo "B username" > ~/.rhosts'; on host B, enter in the home directory 'echo "A username" > ~/.rhosts'. From then on, any of the remote commands starting with r*, such as rlogin, rcall and rsh, can be used without obstruction. These commands rely on address-based authentication: access is permitted or denied according to the IP address. The trust relationship here is based on the IP address.

Rlogin

Rlogin is a simple client/server program that uses TCP for transport. Rlogin allows a user to log in from one host to another, and if the target host trusts the user, rlogin lets him use resources on the target host without answering a password. Its security check is based on the IP address of the source machine. Therefore, in the example above, we can use rlogin to log in from B to A without being prompted for a password.
TCP sequence number prediction

IP only transmits packets and does not guarantee their integrity. If a complete IP packet cannot be received, IP sends an ICMP error message to the source address asking for retransmission; however, this message may itself be lost. Since IP is connectionless, it does not maintain any connection state. Each IP packet is sent loosely, without regard to the packets before and after it. From this it can be seen that the IP stack can be modified to put any IP address that meets the requirements into the source and destination address fields, that is, to supply a false IP address.

TCP provides reliable transmission. Reliability is provided by multi-bit control words in the packet, in which data sequencing and data acknowledgement are represented by SYN and ACK respectively. TCP assigns a sequence number to every data byte and can indicate which of the packets sent by the source address have been acknowledged by the destination address (the sequence acknowledged by the destination's ACK is the sequence of packets sent by the source, not the sequence of packets the destination itself sent). Together with the ACK it also carries the next data sequence number it expects to receive. Obviously, the reliability provided by TCP is more difficult to fool than IP.

Sequence numbers, acknowledgements and other flag information

Because TCP is based on reliability, it provides mechanisms to handle faults such as packet loss, duplication and out-of-order arrival. In fact, by assigning a sequence number to every byte sent, TCP can guarantee reliable delivery. The receiving end uses the sequence numbers to ensure the order of the data and to remove duplicate packets. The TCP sequence number can be regarded as a 32-bit counter running from 0 to 2^32-1. The data of each TCP connection (identified by certain flag bits) is sequenced. The flag bit that defines the sequence number (SYN) is located at the front of the data segment. The acknowledgement bit (ACK) acknowledges the received data and points out the next data sequence number expected.

TCP performs flow control through the concept of a sliding window. Imagine that the sender transmits data quickly while the receiver receives slowly; to ensure that no data is lost, flow control is clearly needed to coordinate the pace of both sides. The so-called sliding window can be understood as the size of the buffer the receiver can provide. TCP uses the sliding window to tell the sender how much buffering it can provide for the data being sent. Since the window is defined by 16 bits, the receiving TCP can buffer at most 65,535 bytes. Thus the window size plus the sequence number of the first byte of data gives the maximum data sequence number that can be received.

Other TCP flags are RST (reset the connection), PSH (push function) and FIN (no more data from sender). If an RST is received, the TCP connection is torn down immediately. RST is typically sent when the receiving end gets a packet unrelated to the current connection. Sometimes the TCP module needs to transmit data immediately and cannot wait for a whole segment: a higher-level process triggers the PSH indication in the TCP header and tells the TCP module to send all queued data to the receiver at once. FIN indicates that the application has finished the connection; when the receiving end gets a FIN, it acknowledges it and understands that no more data will arrive.

TCP sequence number prediction was first described by Morris. Using sequence number prediction he could generate a TCP packet sequence without receiving any response from the server, which allowed him to spoof hosts on the local network. Normally a TCP connection is established by a three-way handshake. The client chooses and transmits an initial sequence number (the SEQ field) ISN C and sets the flag bit SYN = 1 to tell the server that it wants to set up a connection. The server acknowledges this transmission, sends its own sequence number ISN S, sets the ACK flag and at the same time announces the next expected data sequence number (ISN C + 1). The client acknowledges once more. After these three exchanges, data transfer begins. The whole process looks like this (C: client, S: server):

C -> S: SYN(ISN C)
S -> C: SYN(ISN S), ACK(ISN C)
C -> S: ACK(ISN S)
C -> S: data
or
S -> C: data

That is to say, for a session, C must acknowledge ISN S. ISN S may be a random number. How the initial sequence number is chosen and how it changes over time is important. It might seem that sequence numbers simply start when the host boots, but this is not actually the case. The initial sequence number is determined by the tcp_init function. The ISN increases by 128,000 per second, and each time a connection is made the counter is increased by a further 64,000. Obviously this means that, without connections, the 32-bit counter representing the ISN wraps once every 9.32 hours. This is done to minimise the chance of interfering with a current connection (the concept of the 2MSL wait time is outside the scope of this discussion). If the initial sequence number were chosen freely, there would be no guarantee that the current sequence numbers differ from earlier ones. Suppose a packet stuck in a routing loop finally jumps out of the loop and returns to the "old" connection (which by then is a different connection from the one it belonged to); it will obviously interfere with the existing connection.

Suppose an intruder X has a way of predicting ISN S. In that case he can send the following sequence to host S while impersonating the real host T:

X -> S: SYN(ISN X), SRC = T
S -> T: SYN(ISN S), ACK(ISN X)
X -> S: ACK(ISN S), SRC = T

Although the message S -> T does not reach X, X knows its content and can therefore send data. If X attacks a connection that allows commands to be executed, additional commands can be executed. So how is the ISN generated? In Berkeley systems the initial sequence number variable is incremented by a constant amount once per second, and by half that amount each time a connection is started. Thus, if a legitimate connection is started and the ISN S in use is observed, the ISN S that will be used in the next connection attempt can be calculated with high confidence. Morris pointed out that the reply message S -> T: SYN(ISN S), ACK(ISN X) does not disappear: the real host T will receive it and react to it, trying to reset the connection. This is not a serious obstacle. Morris found that by impersonating a port on T and requesting connections to that port, he could cause a queue overflow that made the S -> T message appear lost. Another method is to wait until T is shut down or rebooted. Below is a detailed introduction.

IP spoofing

IP spoofing consists of several steps, which are briefly listed here and then explained in detail. First make the following assumptions: first, the target host has been chosen; second, the trust model has been discovered, along with a host trusted by the target. To carry out IP spoofing, the hacker does the following: disable the trusted host; sample the TCP sequence numbers issued by the target host and guess its data sequence number; then disguise himself as the trusted host and establish an application connection that relies on address-based authentication. If successful, the hacker can use a simple command to install a back door in the system for unauthorised work.

Disabling the trusted host

Once the trusted host has been discovered, in order to impersonate it, its ability to work is usually taken away. Since the attacker is replacing the real trusted host, he must make sure the genuine trusted host cannot receive any valid network data, otherwise he will be exposed. There are many ways to do this; here the "TCP SYN flood" is described. As mentioned earlier, the first step in establishing a TCP connection is that the client sends a SYN request to the server. Typically the server sends a SYN/ACK back to the client, where the client is identified by its IP address. The client then sends an ACK to the server, after which data transfer can take place. However, the TCP processing module has an upper limit on the number of parallel SYN requests it handles, which can be thought of as a queue of pending connections. The number of connections counted includes connections that have not completed the three-way handshake, and those that have completed it but have not yet been taken over by the application. When the upper limit of the queue is reached, TCP rejects all connection requests until some connection in the queue is processed. So there is an opportunity here. Hackers tend to send a large number of SYN requests to a TCP port of the attack target, using legitimate but false IP addresses (possibly the address of a legitimate host that is not booted). The attacked host sends responses to that IP address, but unfortunately gets no reply. At the same time, IP informs the attacked host's TCP that the host is unreachable, but unfortunately TCP treats this as temporary and keeps trying to connect (continuing to route to that IP address, emitting SYN/ACK packets and so on) until it finally gives up. Of course, this wastes a great deal of valuable time. It is worth noting that the hacker will not use IP addresses that are actually in use, because then the real holder of the IP address would receive the SYN/ACK and send an RST to the attacked host, tearing the connection down. The process described above can be expressed in the following pattern:

1  Z(x) --- SYN ---> B
   Z(x) --- SYN ---> B
   Z(x) --- SYN ---> B
2  X <--- SYN/ACK --- B
   X <--- SYN/ACK --- B
3  X <--- RST --- B
At time 1, the attacking host sends a large number of SYN requests to the attack target (at this stage, the trusted host), filling its TCP queue. At time 2, the attack target sends SYN/ACK responses to the IP address it believes the requests came from (the false IP). During this period the TCP module of the attacked host ignores all new requests. Different TCPs keep connection queues of different lengths: BSD generally 5, Linux generally 6. Once the trusted host has lost the ability to handle new connections, the precious window of time gained is used by the hacker to attack the target host, which makes disguising himself as the trusted host possible.

Sequence number sampling and guessing

As mentioned above, to attack the target host one must know the packet sequence numbers it uses. Now let us discuss how hackers predict them. They first set up a normal connection with a port on the attacked host (SMTP is a good choice). Typically this process is repeated several times, and the ISN sent by the target host is stored each time. The hacker also needs to estimate the round trip time (RTT) between his host and the trusted host; this RTT is obtained from multiple measurements. The RTT is very important for estimating the next ISN. The ISN increases by 128,000 per second and by 64,000 for each connection, so it is not hard to estimate the current ISN: it is the last sampled value plus 128,000 multiplied by half the RTT, plus a further 64,000 if the target host has just set up a connection. Once the ISN has been estimated, the attack begins immediately. When the hacker's forged TCP packet arrives at the target host, different things happen depending on the accuracy of the estimate.
• If the estimated sequence number is accurate, the incoming data is placed in the receive buffer for use.
• If the estimated sequence number is smaller than the expected one, the data is discarded.
• If the estimated sequence number is larger than the expected one but within the sliding window (the buffer described earlier), the data is treated as future data and the TCP module waits for the other, missing data.
• If the estimated sequence number is larger than the expected one and outside the sliding window, TCP discards the data and returns the expected data sequence number.
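The four cases above are the receiver's ordinary sequence-number check, and it helps to see them as code. The following is an added example written for this article, not code from the original text or from any TCP implementation: a small model of a TCP receiver that classifies an arriving segment as exact, stale, ahead-but-in-window, or beyond the window, using the 32-bit wraparound and the 16-bit window described earlier. The names Receiver, classify, receive and seq_diff, and the sample segments in the main block, are choices made here.

```python
"""Receiver-side handling of a TCP segment by sequence number.

Added example, not code from the article: models how a TCP receiver treats a
segment whose sequence number is exact, too old, ahead but inside the
advertised window, or beyond the window.  Class and function names are ours.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

SEQ_MOD = 2 ** 32          # sequence numbers are a 32-bit counter, 0 .. 2^32-1
MAX_WINDOW = 2 ** 16 - 1   # the window is a 16-bit field, so at most 65,535 bytes


def seq_diff(a: int, b: int) -> int:
    """Signed distance a - b on the 32-bit sequence circle (handles wraparound)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d


@dataclass
class Receiver:
    rcv_nxt: int                      # next sequence number we expect
    window: int = MAX_WINDOW          # buffer space we advertise to the sender
    delivered: bytes = b""            # in-order data handed to the application
    held: Dict[int, bytes] = field(default_factory=dict)  # out-of-order data

    def __post_init__(self) -> None:
        if not 0 <= self.window <= MAX_WINDOW:
            raise ValueError("window must fit in 16 bits")

    def classify(self, seq: int) -> str:
        """Decide what to do with a segment whose first byte has number seq."""
        d = seq_diff(seq, self.rcv_nxt)
        if d == 0:
            return "deliver"                # exactly the number we expected
        if d < 0:
            return "discard-old"            # below rcv_nxt: duplicate or stale
        if d < self.window:
            return "hold-future"            # ahead of us but inside the window
        return "discard-beyond-window"      # at or past rcv_nxt + window

    def receive(self, seq: int, data: bytes) -> Tuple[str, int]:
        """Process one segment; return (verdict, ACK number we would send back)."""
        verdict = self.classify(seq)
        if verdict == "deliver":
            self._accept(data)
            # held segments that are now contiguous become deliverable too
            while self.rcv_nxt in self.held:
                self._accept(self.held.pop(self.rcv_nxt))
        elif verdict == "hold-future":
            self.held[seq] = data
        # Every reply carries the sequence number expected next.  A sender who
        # forged the source address never sees this ACK, which is why the
        # attacker described in the article has to guess instead of reading it.
        return verdict, self.rcv_nxt

    def _accept(self, data: bytes) -> None:
        self.delivered += data
        self.rcv_nxt = (self.rcv_nxt + len(data)) % SEQ_MOD


if __name__ == "__main__":
    # constructed sample segments: expected 1000, window of 100 bytes
    r = Receiver(rcv_nxt=1000, window=100)
    for seq, data in [(1000, b"abc"), (900, b"x"), (1010, b"yy"),
                      (2000, b"z"), (1003, b"1234567")]:
        print(seq, r.receive(seq, data))
    print(r.delivered)
```

The sample run shows the segment at 1010 being held until the gap at 1003 is filled, after which both are delivered and the acknowledgement jumps to 1012; the segment at 2000 falls outside the 100-byte window and is dropped even though it is "in the future".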
It should be mentioned here that the hacker's host cannot receive the returned data sequence number.

1  Z(b) --- SYN ---> A
2  B <--- SYN/ACK --- A
3  Z(b) --- ACK ---> A
4  Z(b) --- PSH ---> A

The attacker, disguised with the IP address of the trusted host, which at this point is still paralysed (having lost its processing ability as described above), sends a connection request to port 513 of the target host, as shown at time 1. At time 2, the target host responds to the connection request by sending a SYN/ACK packet to the trusted host (if the trusted host were working normally it would treat this as an error and immediately return an RST packet to the target host, but it is paralysed). As planned, the trusted host drops the SYN/ACK. Then at time 3 the attacker sends an ACK packet to the target host; this ACK uses the previously estimated sequence number plus 1 (because it is an acknowledgement). If the attacker's estimate is correct, the target host accepts the ACK and data transfer begins. Generally the attacker then plants a back door in the system so that he can get in again; 'cat >> ~/.rhosts' is often used, because it is fast and simple and paves the way for the next intrusion.

Another variant of this TCP sequence number attack uses the netstat service. In this attack the intruder impersonates a host that is down. If netstat is available on the target host, it supplies the necessary sequence numbers, which removes all need for guessing.

Preventing IP spoofing

The key to this attack is the relatively slow rate at which the initial sequence number variable changes in Berkeley systems. The TCP specification requires this variable to be incremented 250,000 times per second; Berkeley uses a much slower rate. However, what matters most is the interval between changes, not the rate. Consider a counter working at 250,000 Hz. We first ignore other connections and consider only a counter that changes at a fixed frequency. To learn the current sequence number, one sends a SYN packet and receives a reply:

X -> S: SYN(ISN X)
S -> X: SYN(ISN S), ACK(ISN X)      (1)

The first spoofed packet, which triggers the next sequence number, follows immediately:

X -> S: SYN(ISN X), SRC = T         (2)

The sequence number ISN S used in the response

S -> T: SYN(ISN S), ACK(ISN X)

is uniquely determined by the time between the first message and the server's receipt of the second. But this number is precisely the round trip time between X and S. Thus, if the spoofer can accurately measure and reproduce this time, even a 4 microsecond clock will not defeat this attack.

Abandoning address-based trust

A very simple way to block this class of attack is to give up address-based authentication: do not allow the r* remote commands; delete the .rhosts files; empty the /etc/hosts.equiv file. This forces all users to use other means of remote communication such as telnet, ssh, S/Key and so on.

Packet filtering

If your network is reached through a router, you can use the router to do packet filtering. Make sure that only hosts on your internal LAN have trust relationships, and handle the hosts on the internal LAN with care. Your router can help you filter out all packets that come from outside and try to establish a connection with an internal host as if they came from inside.

Encryption

Another obvious way to prevent IP spoofing is to require encrypted transmission and authentication during communication. When several means and enough time are available, encryption may be the method to choose.

Randomised initial sequence numbers

One of the important factors in the hacker attack described above is that the sequence number is neither selected randomly nor incremented randomly. Bellovin describes a method of patching TCP by partitioning the sequence number space: each connection has its own independent sequence number space. Sequence numbers still advance as before, but there is no obvious relationship between these spaces. This can be described with the following formula:

ISN = M + F(localhost, localport, remotehost, remoteport)

M: a 4 microsecond timer
F: a cryptographic hash function

The sequence numbers produced by F must not be computable or guessable from outside. Bellovin suggests that F be a hash function combining the connection identifiers with a secret vector (a random number or a boot-time password).
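To make the difference between the two generators concrete, the following is an added example written for this article, not code from the original text, from Bellovin's paper or from any real TCP stack. It places a Berkeley-style global ISN counter, with the increments the article gives (128,000 per second, 64,000 per connection), beside the per-connection scheme ISN = M + F(localhost, localport, remotehost, remoteport) with M a 4 microsecond timer. The choice of HMAC-SHA256 truncated to 32 bits for F, the function names, the secret and the sample addresses and ports are all assumptions made here; the point is to show why one observed ISN predicts the next under the first scheme and says nothing about another connection under the second.

```python
"""Two ways to choose a TCP initial sequence number (ISN).

Added example, not code from the article or from any TCP stack: a Berkeley-
style host-wide ISN counter next to Bellovin's per-connection scheme
ISN = M + F(4-tuple).  HMAC-SHA256 as F, the names and the sample addresses
are choices made here.
"""
import hashlib
import hmac
from typing import Tuple

SEQ_MOD = 2 ** 32
BERKELEY_PER_SECOND = 128_000      # counter bumped by this once a second
BERKELEY_PER_CONNECTION = 64_000   # and by this for every connection opened
TIMER_HZ = 250_000                 # a 4 microsecond tick, as the TCP spec asks


def berkeley_isn(boot_value: int, seconds_up: float, connections: int) -> int:
    """One counter for the whole host: uptime and connection count decide it."""
    ticks = int(seconds_up) * BERKELEY_PER_SECOND
    return (boot_value + ticks + connections * BERKELEY_PER_CONNECTION) % SEQ_MOD


def bellovin_isn(seconds_up: float, secret: bytes,
                 localhost: str, localport: int,
                 remotehost: str, remoteport: int) -> int:
    """ISN = M + F(4-tuple): the timer still runs, but each connection gets an
    offset that cannot be computed without the secret."""
    m = int(seconds_up * TIMER_HZ) % SEQ_MOD
    ident = f"{localhost}:{localport}->{remotehost}:{remoteport}".encode()
    f = int.from_bytes(hmac.new(secret, ident, hashlib.sha256).digest()[:4], "big")
    return (m + f) % SEQ_MOD


def berkeley_is_predictable(boot_value: int) -> bool:
    """Someone who saw the ISN handed out at 10 s uptime after 3 connections
    adds the per-connection step and compares with the ISN the counter really
    gives the 4th connection at the same instant."""
    observed = berkeley_isn(boot_value, 10, 3)
    predicted = (observed + BERKELEY_PER_CONNECTION) % SEQ_MOD
    actual = berkeley_isn(boot_value, 10, 4)
    return predicted == actual


def bellovin_spaces_are_independent(secret: bytes) -> Tuple[bool, bool]:
    """Returns (same space advances with the timer, another space can be read
    off from the first).  Constructed addresses and ports."""
    a0 = bellovin_isn(10.0, secret, "10.0.0.1", 40000, "10.0.0.2", 25)
    a1 = bellovin_isn(11.0, secret, "10.0.0.1", 40000, "10.0.0.2", 25)
    b0 = bellovin_isn(10.0, secret, "10.0.0.3", 40000, "10.0.0.2", 513)
    same_space_advances_by_timer = (a1 - a0) % SEQ_MOD == TIMER_HZ
    other_space_readable = (b0 - a0) % SEQ_MOD == 0
    return same_space_advances_by_timer, other_space_readable


if __name__ == "__main__":
    print("berkeley ISN at 10 s, 3 connections:", berkeley_isn(0, 10, 3))
    print("berkeley predictable from one sample:", berkeley_is_predictable(12345))
    print("bellovin (same space advances, other space readable):",
          bellovin_spaces_are_independent(b"constructed-boot-secret"))
```

Within one connection's space the second scheme behaves exactly like the old counter (one second later the ISN is 250,000 higher), which is what keeps old duplicates from colliding; across spaces the hash offset, not the timer, dominates, so sampling the ISN of an SMTP connection reveals nothing about the ISN the host will use for a rlogin connection from a different address.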