Using IP address spoofing to break through a firewall

xiaoxiao2021-03-06  20

Access control is generally implemented at the firewall, where a number of security policies are defined: for example, resources on the internal LAN are not reachable by external online users; a demilitarized zone (DMZ, also called the non-military zone) sits between the internal and external LANs and only limited resources there are available to external users; external users are allowed to reach a web server in the DMZ; and so on. By analysing firewall technology in depth and exploiting the firewall's configuration, an attacker can get around these policies. Under normal circumstances an effective attack is launched from a related subnet, because those addresses are already trusted by the firewall; success still depends on other factors such as opportunity, but for an attacker it is worth a try.

The most common way to break through a firewall system is IP address spoofing, which is also the foundation of a whole series of other attack methods. The reason this works lies in IP itself. The IP protocol forwards an IP packet according to the destination address field in the IP header: if the destination address is within the local network, the packet is delivered directly to that destination; if it is not, the packet is sent to the gateway, which then decides where to forward it. This is how IP routes packets. When routing a packet, IP does nothing at all with the source address given in the IP header; the source address is simply taken to be the address of the machine that sent the packet. When the destination host that received the packet wants to communicate with the source host, it uses the source address of the received packet as the destination address of the packets it sends back. Although this way of communicating is very simple and efficient, it is also a security weakness of IP, and many network security incidents are caused by this shortcoming.

A hacker or intruder uses a forged IP source address to generate false packets, and for a packet filter a forged address belonging to an internal station is especially dangerous. The packets involved may really be internal, or they may be external packets wrapped up to look internal; there is no visible sign that distinguishes the two. As long as the system sees that the source address lies within its own range, it treats the packet as internal and lets it pass.

Typically, host A and host B are connected (with or without a firewall between them), host A proposes a connection to host B, and the confirmation between A and B relies only on the initial sequence number (ISN) that each host generates and the other host verifies. Specifically, there are three steps:

Host A generates its ISN and sends it to host B, requesting a connection; B receives A's ISN in a segment with the SYN flag set and returns its own ISN together with the acknowledgement (ACK) to A; A then returns B's ISN plus the acknowledgement ACK to B. At this point, under normal circumstances, the TCP connection between hosts A and B is established.

B ---- SYN ----> A
B <---- SYN ACK ---- A
B ---- ACK ----> A

Suppose C attempts to attack A. A and B trust each other, so if C already knows that B is trusted by A, C must first paralyse B's network function so that nothing can interfere with the attack. The usual tool for this is a SYN flood. The attacker sends a large number of TCP SYN packets to the attacked host; the source address of these SYN packets is not the address of the attacker's own host but an address the attacker fills in himself. When the attacked host receives such a SYN packet, it allocates some resources for the TCP connection and sends a TCP SYN ACK to the source address of the received packet (that is, the address the attacker filled in). Because that address has been carefully chosen, the attacked host never receives the ACK for its SYN ACK, and its TCP state machine is left waiting. If the attacked host's TCP state machine has a timeout, the resources allocated to the connection are only reclaimed when the timeout expires. So if the attacker sends enough TCP SYN packets to the attacked host, the host's TCP module is certain to end up in denial of service, because it can no longer allocate system resources for new TCP connections. And even if the network administrator captures the attacker's packets, the source address information in the IP header gives no way to determine who the attacker is. While B's network function is temporarily paralysed, C must now find a way to determine A's current ISN. First it connects to port 25, because SMTP has no security check mechanism, in the same way as the handshake above, but this time it needs to record an ISN and the rough RTT (round trip time) from C to A. This step is repeated several times to obtain an average RTT.
Once C knows A's ISN base value and the rule by which it increases, it can calculate that the time needed from C to A is RTT/2. It must then launch the attack immediately; otherwise other hosts may connect to A in the meantime and the ISN will drift away from the predicted value.
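The SYN flood described above leaves the attacked host with many half-open connections that never complete. The following added example (illustration code, not from the original article) counts SYN-RECV entries per local socket from a constructed sample in the column layout of `ss -tn state syn-recv`, so an operator can spot a socket being flooded; the addresses and the threshold are assumptions.

```python
from collections import Counter

# Constructed sample in the column layout of `ss -tn state syn-recv` (not real output;
# addresses are from the documentation ranges). Columns:
# state  recv-q  send-q  local-address:port  peer-address:port
SAMPLE_LINES = """\
SYN-RECV 0 0 192.0.2.5:25 203.0.113.11:40001
SYN-RECV 0 0 192.0.2.5:25 203.0.113.12:40002
SYN-RECV 0 0 192.0.2.5:25 203.0.113.13:40003
SYN-RECV 0 0 192.0.2.5:25 203.0.113.14:40004
SYN-RECV 0 0 192.0.2.5:25 203.0.113.15:40005
SYN-RECV 0 0 192.0.2.5:25 203.0.113.16:40006
SYN-RECV 0 0 192.0.2.5:22 198.51.100.7:51000
""".splitlines()

def half_open_by_socket(lines):
    """Count SYN-RECV (half-open) entries per local socket and collect the peer IPs.

    Returns {local_socket: (half_open_count, set_of_peer_ips)}."""
    counts = Counter()
    peers = {}
    for line in lines:
        parts = line.split()
        # Skip headers, blank lines and anything that is not a half-open entry.
        if len(parts) < 5 or parts[0] != "SYN-RECV":
            continue
        local, peer = parts[3], parts[4]
        counts[local] += 1
        peers.setdefault(local, set()).add(peer.rsplit(":", 1)[0])
    return {local: (counts[local], peers[local]) for local in counts}

def syn_flood_suspects(lines, threshold=5):
    """Local sockets holding at least `threshold` half-open connections.

    A flood of the kind described above shows up as one local socket with many
    SYN-RECV entries whose peers never finish the handshake; a large number of
    distinct, mostly unreachable peer addresses is the spoofing signature."""
    return {local: count
            for local, (count, _peers) in half_open_by_socket(lines).items()
            if count >= threshold}

if __name__ == "__main__":
    for local, count in syn_flood_suspects(SAMPLE_LINES).items():
        print(f"possible SYN flood on {local}: {count} half-open connections")
```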

C sends a segment with the SYN flag set to A to request a connection, except that the source IP is changed to B's. A returns a SYN ACK segment to B, but B does not respond: B's TCP layer simply discards the segment A returned. At this point C needs to pause briefly to give A enough time to send the SYN ACK, because C cannot see this packet. C then sends an ACK to A disguised as B, and the segment transmitted at this time carries A's predicted ISN + 1. If the prediction is accurate, the connection is established and data transfer begins. The problem is that even once the connection is established, A still sends data to B, not to C, so C still cannot see the segments sent to B, and C must send commands to A according to the protocol standard while impersonating B; with that the attack is complete. If the prediction is not accurate, A sends a segment with the RST flag set to terminate the connection, and C has to start again from the beginning. By continually correcting the predicted ISN, the attacker eventually establishes a session with the target host. In this way the attacker logs in to the target host as a legitimate user, without further confirmation. If repeated attempts get the target host to accept a root login over the network, the attacker can fully control the entire network.

C(B) ---- SYN ----> A
B <---- SYN ACK ---- A
C(B) ---- ACK ----> A
C(B) ---- PSH ----> A

IP spoofing attacks exploit the fact that RPC servers perform their security check only on the source IP address, and the hardest part is predicting A's ISN. The attack is fairly difficult, but the chance of success is also considerable. C must accurately foresee what A may send to B and what response A expects from B, which requires the attacker to be quite familiar with the protocol itself. At the same time, one should understand that this attack cannot be completed interactively; a program must be written, although protocol analysis can be used in the preparation phase. Although an IP spoofing attack is quite difficult, we should be aware that this kind of attack is very widespread, and intrusions often start here. Preventing this attack is comparatively easy. The security risks caused by the deficiencies of IP itself cannot be fundamentally eliminated at present; we can only take some compensating measures to reduce the harm as far as possible. The most ideal way to defend against this attack is for the gateway or router of each connected domain network to check the source address of every external IP packet before deciding whether to allow it into the LAN. If the source address of the packet is an IP address inside the local area, the gateway or router rejects the packet and does not allow it into the LAN. Although this method solves the problem well, considering that some Ethernet cards receive their own packets, and that in practice LANs often need mutual trust relationships with other LANs in order to share resources, this solution has little practical value. Another ideal method of defending against this attack is to verify the IP source address when IP packets leave the LAN.
That is, before the gateway or router of each connected domain network decides whether an IP packet from within the local domain network is allowed to leave the LAN, it checks the packet's IP source address. If the source address is not an IP address within its local area, the gateway or router rejects the packet and does not allow it to leave the LAN. In this way an attacker at least needs an IP address within the local area of the gateway or router he is connected to, and if he wants to attack, he is easily found from the IP source address of his packets. It is therefore recommended that the gateway router of every ISP or LAN perform this check and filtering of IP source addresses. If every gateway router did this, IP source address spoofing would basically no longer work. Until every gateway and router can do this, network system administrators can only manage the network as well as possible to guard against possible attacks.
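The two gateway checks just described (rejecting inbound packets that claim an internal source, and outbound packets whose source is not local), written out as an added example. This is illustration code, not from the original article; the 192.0.2.0/24 prefix and the traffic sample are constructed.

```python
import ipaddress

# Constructed prefix standing in for "our" LAN (TEST-NET-1); a real gateway uses its own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]

def is_internal(ip):
    """True if `ip` falls inside one of the LAN's own prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def verdict(direction, src_ip):
    """Decide ACCEPT/DROP for a packet crossing the gateway.

    direction: "in"  = arriving from outside, about to enter the LAN
               "out" = generated inside, about to leave the LAN
    Returns (action, reason)."""
    if direction == "in" and is_internal(src_ip):
        # Ingress check: nobody outside may claim one of our own addresses.
        return "DROP", "ingress: external packet with internal source " + src_ip
    if direction == "out" and not is_internal(src_ip):
        # Egress check: nothing leaving the LAN may carry a foreign source.
        return "DROP", "egress: outbound packet with non-local source " + src_ip
    return "ACCEPT", "source address consistent with direction"

def filter_packets(packets):
    """Apply the verdict to (direction, src, dst) tuples; returns the accepted ones."""
    accepted = []
    for direction, src, dst in packets:
        action, _reason = verdict(direction, src)
        if action == "ACCEPT":
            accepted.append((direction, src, dst))
    return accepted

# Constructed traffic sample: the third packet is the spoof the text describes
# (an outside host claiming an inside address); the fourth is a would-be spoofer inside.
SAMPLE_PACKETS = [
    ("in",  "203.0.113.9",  "192.0.2.10"),   # legitimate external client
    ("out", "192.0.2.10",   "203.0.113.9"),  # legitimate reply from inside
    ("in",  "192.0.2.77",   "192.0.2.10"),   # forged internal source arriving from outside
    ("out", "198.51.100.4", "203.0.113.9"),  # inside host sending with a foreign source
]

if __name__ == "__main__":
    for direction, src, dst in SAMPLE_PACKETS:
        print(direction, src, "->", dst, *verdict(direction, src))
```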

Please credit the original address when reposting: https://www.9cbs.com/read-42827.html
