Introduction to IP spoofing techniques

xiaoxiao, 2021-03-06

Even a very well implemented TCP/IP stack can be attacked, because the protocols themselves have insecure aspects. These attacks include sequence number spoofing, routing attacks, source address spoofing and authorization spoofing. Besides introducing IP spoofing attack methods, this article also describes how to defend against them.

The attacks discussed here assume that the attacker's computer (possibly including a router) is connected to the Internet. The attack methods target defects in TCP/IP itself, not a specific implementation.

In fact, IP spoofing is not the goal of an attack but a means to one. What the attack really exploits is trust.

Section 1: Principles of IP spoofing

Trust relationships

In the UNIX world, trust relationships are easy to establish. Suppose you have an account on both host A and host B. When working on host A you must use the account on A, and when working on host B the account on B; hosts A and B treat you as two unrelated users, which is obviously inconvenient. To reduce this inconvenience, a mutual trust relationship between the two accounts can be set up on host A and host B by creating a .rhosts file in your HOME directory on each host. On host A, enter 'echo "B username" > ~/.rhosts' in your home directory; on host B, enter 'echo "A username" > ~/.rhosts'. From then on, any of the r* commands, such as rlogin, rcall and rsh, can be used without authentication. These commands perform address-based authentication: they allow or deny access to a service based on the IP address.

The trust relationship here is based on IP addresses.

Rlogin

Rlogin is a simple client/server program that uses TCP as its transport. Rlogin allows a user to log in from one host to another, and if the target host trusts the source host, rlogin grants access to resources on the target host without asking for a password. Security verification is based entirely on the source IP address. Therefore, following the example above, we can use rlogin to log in from B to A without being prompted for a password.

TCP sequence number prediction

IP simply sends a packet and guarantees only its integrity. If a complete IP packet cannot be received, IP sends an ICMP error message to the source address in the hope that it will be resent; but that message may itself be lost. Because IP is connectionless, no state is maintained: each IP packet is transmitted independently, without regard to the packets before or after it. It follows that the IP stack can be modified to place an arbitrary IP address in the source and destination address fields, that is, to supply a forged IP address.

TCP provides reliable transmission. Reliability is provided by several control bits in the packet header, of which the data sequence and the acknowledgement are represented by SYN and ACK respectively. TCP assigns a sequence number to every byte of data, and the packets sent by the source are numbered by it; the sequence number the destination acknowledges with ACK is the source's packet sequence, not the sequence of the packets it sent itself. Along with the acknowledgement, the ACK also carries the next expected sequence number. Obviously, the reliability provided by TCP is harder to fool than IP.

Sequence numbers, acknowledgements and other flags

Since TCP is built on reliability, it provides a mechanism for handling faults such as packet loss, duplication and out-of-order delivery. In effect, by assigning a sequence number to every byte sent, TCP ensures reliable transmission. The receiver uses the sequence numbers to restore the order of the data and to remove duplicate packets. TCP sequence numbers can be regarded as a 32-bit counter, running from 0 to 2^32 - 1. The data of each TCP connection (identified by certain flag bits) is sequenced. The flag that marks the sequence number (SYN) is defined in the TCP packet and sits at the front of the data segment. The acknowledgement flag (ACK) confirms the data received and indicates the next sequence number expected. TCP performs flow control through the concept of a sliding window. Imagine that the sender transmits data very quickly while the receiver reads it slowly: to ensure that no data is lost, flow control is clearly needed to coordinate the pace of both parties. The sliding window can be understood as the buffer size the receiver can provide. TCP uses the sliding window to tell the sender how much buffer space is available for the data it transmits. Since the window is a 16-bit field, the receiving TCP can buffer at most 65,535 bytes. Hence the largest acceptable sequence number can be calculated from the window size and the sequence number of the first byte.

Other TCP flags include RST (reset the connection), PSH (push function) and FIN (no more data from sender). If an RST is received, the TCP connection is torn down immediately. RST is typically sent when the receiver gets a packet that does not belong to the current connection. Sometimes the TCP module must transmit immediately even though its buffer is not yet full: a higher-level process sets the PSH flag in the TCP header, telling the TCP module to send all queued data to the receiver at once. FIN indicates that the application has finished with the connection. When the receiver gets a FIN, it acknowledges it and assumes that no more data will arrive.

TCP sequence number prediction was first described by Morris. By predicting TCP sequence numbers he could generate a complete TCP packet sequence even without receiving any response from the server. This allowed him to spoof hosts on the local network.

A TCP connection is usually created with a three-way handshake. The client chooses and sends an initial sequence number (SEQ field) ISN C, setting the flag SYN = 1 to tell the server it wants to establish a connection. The server acknowledges this, sends its own sequence number ISN S, sets the ACK flag, and indicates the next sequence number it expects (ISN C + 1). The client acknowledges in turn. After these three exchanges, data transfer begins. The whole process is as follows (C: client, S: server):

C --> S: SYN(ISN C)
S --> C: SYN(ISN S), ACK(ISN C)
C --> S: ACK(ISN S)
C --> S: data  or  S --> C: data

That is, to establish a session, C must receive ISN S in order to acknowledge it. ISN S may be a random number.

It is worth understanding how the initial sequence number is chosen and how it changes over time. One might expect the sequence number to be initialized to 1 when the host boots, but that is not the case. The initial sequence number is determined by the TCP_INIT function. The ISN increases by 128,000 per second, and each connection established increases the counter by a further 64,000. Hence, with no connections, the 32-bit ISN counter wraps around once every 9.32 hours. This scheme is intended to minimize the chance of interfering with existing connections; the concept of the 2MSL wait time (outside the scope of this article) applies here. If the initial sequence number were chosen freely, there would be no guarantee that it differs from earlier ones. Suppose a packet caught in a routing loop finally escapes the loop and arrives at an "old" connection (actually a different connection from the one that now exists): it would clearly interfere with the existing connection. Now suppose an intruder X has a way to predict ISN S. In that case he can send the following sequence to host S while impersonating the real client T:

X --> S: SYN(ISN X), SRC = T
S --> T: SYN(ISN S), ACK(ISN X)
X --> S: ACK(ISN S), SRC = T

Although the message S --> T never reaches X, X knows its content and can therefore send data. If X attacks a connection that allows commands to be executed, then additional commands can be executed.

So how are random ISNs generated? In Berkeley systems, the initial sequence number variable is incremented by a constant amount once per second, and by half that amount each time a connection is started. Thus, if a legitimate connection is started and the ISN S it uses is observed, the ISN S of the next connection attempt can be calculated with high confidence.

Morris pointed out that the reply message

S --> T: SYN(ISN S), ACK(ISN X)

does not actually disappear: the real host T will receive it and try to reset the connection. This is not a serious obstacle.

Morris found that by impersonating a port on T and requesting a connection to that port, he could cause a queue overflow so that the S --> T message appears to be lost. Alternatively, one can wait until T is shut down or rebooted.

Let's look at this in detail.

IP spoofing

IP spoofing consists of several steps, outlined here and then explained in detail. First, two assumptions: the target host has been chosen, and the trust model has been discovered, revealing a host that the target trusts. To carry out IP spoofing, the attacker does the following: disables the trusted host, samples the TCP sequence numbers issued by the target host to guess its next sequence number, then impersonates the trusted host and establishes an application connection with the target host that relies on address-based authentication. If this succeeds, the attacker can use a simple command to plant a backdoor on the system for unauthorized operations.

Disabling the trusted host

Once the trusted host has been found, it is usually disabled so that it can be impersonated. Since the attacker is going to stand in for the real trusted host, he must ensure that the real host cannot receive any valid network data, or it will expose him. There are many ways to do this; here we describe "TCP SYN flooding".

As mentioned earlier, the first step in establishing a TCP connection is the client sending a SYN request to the server. The server normally replies to the client with SYN/ACK, the client being identified by its IP address. The client then sends an ACK to the server, after which data transfer can proceed. However, the TCP processing module has an upper limit on the number of concurrent SYN requests it can handle, which can be thought of as the length of a queue holding pending connections. That count includes connections that have not yet completed the three-way handshake as well as those that have completed it but have not yet been accepted by the application. Once the queue limit is reached, TCP rejects all further connection requests until some queued connection is processed. This is the opening the attacker exploits. He sends a large number of SYN requests to a TCP port on the target, using legitimate but false source IP addresses (for example, addresses of hosts that are not booted, so nothing will answer). The attacked host sends responses to those IP addresses, but no reply ever comes back. Meanwhile the IP layer notifies the attacked host's TCP that the host is unreachable, but TCP treats this as a temporary error and keeps trying (re-routing to the IP address, re-sending the SYN/ACK packet, and so on) until it finally gives up on the connection.

This, of course, consumes a great deal of valuable time. Note that the attacker does not use IP addresses that are in use, because the real holder of such an address would receive the SYN/ACK response and send an RST to the attacked host, tearing the connection down. The procedure described above can be expressed in the following pattern:

1  Z(X) --- SYN ---> B
   Z(X) --- SYN ---> B
   Z(X) --- SYN ---> B
2  X <--- SYN/ACK --- B
   X <--- SYN/ACK --- B
3  X <--- RST --- B

At time 1, the attacking host sends a large number of SYN requests to the attack target (at this stage, the trusted host), filling its TCP queue. At time 2, the attack target responds with SYN/ACK to the IP address it believes sent the request (the false IP). During this period, the TCP module of the attacked host ignores all new requests. Different TCP implementations keep connection queues of different lengths: BSD is typically 5, Linux typically 6. Leaving the trusted host unable to handle new connections buys the attacker the precious time in which to attack the target host while impersonating the trusted host.

Sequence number sampling and guessing

As mentioned earlier, to attack the target host, the attacker must know the packet sequence numbers the target host uses. Now let's discuss how they are predicted. The attacker first establishes a normal connection to a port on the target host (SMTP is a good choice). This is usually repeated several times, storing the ISN sent by the target host each time. The attacker also needs to estimate the RTT (round-trip time) between his host and the trusted host; this RTT is obtained from several measurements. RTT is very important for estimating the next ISN. As stated earlier, the ISN increases by 128,000 per second and by 64,000 per connection, so estimating the ISN is not difficult: it is 128,000 multiplied by half the RTT, plus 64,000 if the target host has just established a connection. Once the ISN has been estimated, the attack begins immediately. When the attacker's forged TCP packet reaches the target host, what happens depends on the accuracy of the estimate:

• If the estimated sequence number is exactly right, the incoming data is placed in the receive buffer for use.

• If the estimated sequence number is less than the expected number, the data is discarded.

• If the estimated sequence number is greater than the expected number but within the sliding window (the buffer described above), the data is treated as future data, and the TCP module waits for the missing data. If the estimated sequence number is greater than the expected number and outside the sliding window, TCP discards the data and returns the sequence number it expects. Note that the attacker's host cannot receive the returned sequence number.
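The four cases above as a small receive-side simulation, an added example that is not code from the article: a TcpReceiver with the next expected sequence number rcv_nxt and window rcv_wnd (my names), 32-bit wraparound, and a queue for future data that is delivered once the gap before it fills. Partial overlaps with data already received are not modelled.

```python
MASK32 = 0xFFFFFFFF


def seq_before(a, b):
    """True if sequence number a precedes b, allowing for 32-bit wraparound."""
    return ((a - b) & MASK32) >= 0x80000000


class TcpReceiver:
    """Receive side of one TCP connection: rcv_nxt is the next expected
    sequence number, rcv_wnd the advertised window (buffer size) in bytes."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt & MASK32
        self.rcv_wnd = rcv_wnd
        self.delivered = b""   # in-order data handed to the application
        self.future = {}       # seq -> data held until the gap before it fills

    def _accept(self, data):
        self.delivered += data
        self.rcv_nxt = (self.rcv_nxt + len(data)) & MASK32

    def segment(self, seq, data):
        """Process one incoming segment. Returns (verdict, ack_number), where
        ack_number is the sequence number the receiver reports as expected
        next, i.e. what the sender would learn from the ACK."""
        seq &= MASK32
        if seq == self.rcv_nxt:
            # Exact match: data goes straight to the receive buffer, followed
            # by any queued future data that has now become contiguous.
            self._accept(data)
            while self.rcv_nxt in self.future:
                self._accept(self.future.pop(self.rcv_nxt))
            return "accepted", self.rcv_nxt
        if seq_before(seq, self.rcv_nxt):
            # Below the expected number: old or duplicate, dropped.
            return "discarded-old", self.rcv_nxt
        if ((seq - self.rcv_nxt) & MASK32) < self.rcv_wnd:
            # Ahead but inside the window: held as future data while the
            # receiver waits for the missing bytes.
            self.future[seq] = data
            return "queued-future", self.rcv_nxt
        # Ahead and outside the window: dropped; the ACK names rcv_nxt,
        # which a sender using a forged source address never sees.
        return "discarded-outside-window", self.rcv_nxt
```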

1  Z(B) --- SYN ---> A
2  B <--- SYN/ACK --- A
3  Z(B) --- ACK ---> A
4  Z(B) --- PSH ---> A

The attacker, impersonating the IP address of the trusted host (which is still paralysed, as described above), sends a connection request to port 513 of the target host, as shown at time 1. At time 2, the target host responds to the connection request by sending a SYN/ACK packet to the trusted host (if the trusted host were operating normally, it would treat this as an error and immediately return an RST packet to the target host, but at this point it is paralysed). As planned, the trusted host drops the SYN/ACK packet. At time 3, the attacker sends an ACK packet to the target host using the previously estimated sequence number plus 1 (since it is an acknowledgement). If the attacker's estimate is correct, the target host accepts the ACK, the connection is established and data transfer begins. Generally the attacker plants a backdoor in the system for later intrusion; 'cat >> ~/.rhosts' is often used, because it is quick and simple and paves the way for the next intrusion.

One variant of this TCP sequence number attack uses the netstat service. In this attack, the intruder impersonates a host that is shut down. If netstat is available on the target host, it supplies the required sequence numbers on another port, which removes the need to guess at all. A typical attack tool and attack process: hunt.

Preventing IP spoofing

The key to this attack is the relatively coarse rate of change of the initial sequence number variable in Berkeley systems. The TCP specification requires this variable to be incremented 250,000 times per second; Berkeley uses a much lower rate. However, the most important factor is the interval between changes, not the rate itself.

Consider a counter running at 250,000 Hz. For now, ignore other connections and just consider the counter changing at a fixed rate.

To learn the current sequence number, send a SYN packet and receive the reply:

X --> S: SYN(ISN X)
S --> X: SYN(ISN S), ACK(ISN X)       (1)

The first spoofed packet, which triggers the next sequence number, can immediately follow the server's response to that packet:

X --> S: SYN(ISN X), SRC = T       (2)

The sequence number ISN S used in the response

S --> T: SYN(ISN S), ACK(ISN X)

is uniquely determined by the time between the sending of message (1) and the server's receipt of message (2). This number therefore depends only on the exact timing between X and S. Thus, if the spoofer can measure and reproduce this timing accurately, even a 4 µs clock cannot defeat the attack.

Abandon address-based trust policies

A very simple way to prevent this attack is to give up address-based authentication: disallow the r* remote commands, delete .rhosts files, and empty the /etc/hosts.equiv file. This forces all users to use other remote access methods, such as Telnet, SSH, S/KEY, and so on.

Packet filtering

If your network is connected to the Internet through a router, you can use the router for packet filtering. Ensure that only hosts on your internal LAN may use trust relationships, and treat hosts outside the LAN with care. Your router can help by filtering out all connection requests coming from outside that attempt to connect to internal hosts.

Encryption

Another obvious way to prevent IP spoofing is to require encrypted transmission and authentication during communication. When several means are available and time permits, encryption may be an option.

Use randomized initial sequence numbers

A key factor in the success of the attack is that sequence numbers are not chosen or incremented randomly. Bellovin describes a remedy for TCP that partitions the sequence number space: each connection has its own independent sequence number space. Sequence numbers still increase as before, but there is no obvious relationship between the spaces of different connections. This can be expressed by the following formula:

ISN = M + F(localhost, localport, remotehost, remoteport)

M: a 4-microsecond timer.

F: a cryptographic hash function.

The values generated by F must not be computable or guessable by an outsider. Bellovin suggests that F be a hash function over the connection identifier and a secret vector (a random number, or a secret chosen at boot time).
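Bellovin's formula in runnable form, as an added example (not code from the article): M is the 4-microsecond timer and F a SHA-256 over the connection 4-tuple keyed with a boot-time secret, truncated to 32 bits; function names, the secret handling and the sample addresses are my own choices. The final block contrasts what the predictable per-second counter described earlier exposes with what this scheme exposes: only repeat connections on the same 4-tuple advance in step with the clock.

```python
import hashlib
import secrets
import struct
import time

MASK32 = 0xFFFFFFFF

# Secret vector chosen once at start-up (Bellovin's "random number / start-up
# secret"); without it an outsider cannot evaluate F.
BOOT_SECRET = secrets.token_bytes(16)


def m_ticks(now_ns=None):
    """M: the 4-microsecond timer (250,000 ticks per second), truncated to
    32 bits so it wraps like the classical ISN counter."""
    if now_ns is None:
        now_ns = time.monotonic_ns()
    return (now_ns // 4000) & MASK32


def f_offset(localhost, localport, remotehost, remoteport, secret=BOOT_SECRET):
    """F: cryptographic hash over the connection identifier and the secret
    vector, truncated to 32 bits. Each 4-tuple gets its own offset, so the
    ISN spaces of different connections show no observable relationship."""
    ident = f"{localhost}:{localport}->{remotehost}:{remoteport}".encode()
    digest = hashlib.sha256(secret + b"|" + ident).digest()
    return struct.unpack(">I", digest[:4])[0]


def initial_sequence_number(localhost, localport, remotehost, remoteport,
                            now_ns=None, secret=BOOT_SECRET):
    """ISN = M + F(localhost, localport, remotehost, remoteport), mod 2^32."""
    offset = f_offset(localhost, localport, remotehost, remoteport, secret)
    return (m_ticks(now_ns) + offset) & MASK32


def isn_spacing(isn_first, isn_second):
    """Distance from one ISN to a later one in 32-bit sequence space."""
    return (isn_second - isn_first) & MASK32


if __name__ == "__main__":
    # Constructed sample: server S (10.0.0.2, port 513) issuing ISNs to two
    # peers, one second apart.
    a = initial_sequence_number("10.0.0.2", 513, "10.0.0.1", 1023, now_ns=0)
    b = initial_sequence_number("10.0.0.2", 513, "10.0.0.1", 1023, now_ns=10**9)
    c = initial_sequence_number("10.0.0.2", 513, "10.0.0.3", 1023, now_ns=10**9)
    print("same 4-tuple, 1 s later:   spacing =", isn_spacing(a, b))  # 250000
    print("other peer, same instant:  spacing =", isn_spacing(b, c))  # unrelated
```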

Reprints should cite the original address: https://www.9cbs.com/read-43674.html
