Principles and prevention of hacker attacks through IP Spoofing

The purpose of this article is to explain the implementation and Prevention Measures of IP spoofing to readers. It requires you to have a small amount of knowledge about Uni x and TCP/IP. If you do not have one, it does not matter. I believe the following instructions can give you sufficient background knowledge.
IP spoofing is a complex technical attack suitable for TCP/IP environments. It consists of several parts. At present, In ternet has become an important means for hackers to attack. Therefore, it is necessary to fully understand its working principles and preventive measures to fully protect its legitimate rights and interests.
In fact, IP spoofing is not an attack, but an attack. Attack is actually the destruction of trust relationships. However, in this article
Spoofing will be regarded as the entire attack involved. We will not discuss any other behavior that destroys the false trust relationship established by using IP spoofing. This article will explain in detail the entire attack process, including the relevant operating system and network information.
Background
Host Definition
A: Target Host
B: trusted host for
X: hosts that cannot be reached
Z: attack host
1 (2): HOST 1 is disguised as host 2
Graphical Symbol Definition
There are several diagrams in this article, which will be explained in the following example:
Time Series
Host
Control
Host B
1
A
-- SYN -->
B
Time Series: the unit of time elapsed, which can be infinitely refined. It is generally considered to be a small unit, indicating the sequence of events.
Host a: the machine that participates in a TCP conversation.
Control: displays the control characters of the TCP Control Field header and the flow direction of the field.
Host B: The machine that participates in a TCP conversation.
In this figure, host A sends the TCP field to host B at the first reference time point, and the SYN control bit in the control field serves as the main information of this TCP field. Unless otherwise stated, we generally do not care about the data section in the TCP field.
Trust Relationship
In Unix
In the field, trust relationships can be easily obtained. If you have an account on host A and host B, you will find that when using host A, you need to enter the corresponding account on host, when using host B, you must enter an account on host B. host a and host B treat you as two unrelated users, which is obviously inconvenient. To reduce this inconvenience, you can set up two accounts in host A and host B? The Zookeeper in the South China Region and the home directory on host B are created in the. rhosts file. From host A, enter echo "B username"> ~ in your home directory ~ /. Rhosts; from host B, enter echo "A username"> ~ in your home directory ~ /. Rhosts
. At this point, you can use any remote call commands starting with r *, such as rlogin, rcall, and rsh without any worries about password verification. These commands allow address-based authentication or allow or deny access services based on IP addresses.
Rlogin
Rlogin is a simple client/server program that uses TCP transmission. Rlogin allows users to log on from one host to another, and if the target host trusts it, Rlogin allows users to use resources on the target host without answering the password. Security Verification is based entirely on the source host's IP address. Therefore, based on the above example, we can use Rlogin
To remotely log on to A from B without being prompted to enter A password.
Internet Protocol (IP)
IP is a non-connection-oriented and unreliable network protocol for TCP/IP protocol groups. It provides address information by two 32bit header fields. IP packets account for a majority of TCP/IP network traffic, which can be said to be the busiest part. IP
The task is to send data packets in the network environment. It does not provide any mechanism to ensure reliability. for reliability requirements, it is done by the upper-layer protocol. The IP address only sends data packets and ensures its integrity. If you cannot receive the complete IP packet, the IP will send an ICMP error message to the source address, and you want to re-process it. However, this package may also be lost (ICMP
Is the Internet Control Message Protocol, Internet Control Message
Protocol is a Protocol used to ensure data transmission according to network conditions, mainly to send different error messages to the IP layer or other layers ). Because the IP address is non-connection-oriented, it does not maintain any connection status information. Each IP packet is sent out loose, regardless of the first and last packets. From this we can easily see that the IP stack can be modified at the source address and? In other words, a false IP address is provided.
Transmission Control Protocol (TCP)
TCP
It is a protocol for connection and reliable transmission in TCP/IP protocol groups. Connection orientation means that the two hosts involved in the dialog must establish a connection before data exchange. Reliability is provided by the multi-bit control word in the data packet, but only two of them are related to our discussion. They are data sequences and data validation, expressed by SYN and ACK respectively. TCP
Assign a serial number to each Data byte and send it to the packet sent from the received source address (the destination address ACK ).

The confirmed data packet sequence is the data packet sequence of the source address, rather than the data packet sequence sent by itself ). ACK also carries the data serial number that is expected to be obtained. Obviously, the reliability provided by TCP is more difficult to fool than the IP address.
Serial number, validation, and other flag Information
Because TCP is based on reliability, it can provide mechanisms to handle packet loss, duplication, Order disorder, and other adverse situations. In fact, by allocating serial numbers to all transmitted bytes, and expecting the receiving end to send these numbers to the sending end? TCP
To ensure reliable transmission. The acceptor uses the serial number to ensure the data sequence and remove repeated data packets. The TCP serial number can be considered as a 32-bit counter. They range from 0 to 232-1.
. The data exchanged by each TCP connection (represented by a certain flag) is sequentially numbered. In a TCP packet, the identifier of the serial number (SYN) is defined at the front end of the Data Segment. ACK confirms the received data and specifies the next period
The serial number of the data to be received.
TCP uses the sliding window concept to control traffic. It is assumed that when the sending end sends data quickly but the receiving end receives the data slowly, in order to ensure that the data is not lost, it is necessary to control the traffic and coordinate the working pace of both parties. The so-called sliding window can be understood as the buffer size provided by the acceptor. TCP uses a sliding window to tell the sender
The buffer size of the data it sends. Because the window is defined by 16 bits, the receiving end TCP can provide a buffer of up to 65535 bytes. Therefore, you can use the window size and the serial number of the first data to calculate the maximum data serial number that can be received.
Other TCP flag BITs include RST (connection Reset, Reset the connection), PSH (Push fun ction), and FIN (the sender has No data, No more data from sender ). If the RST is received, the TCP connection is immediately disconnected. RST
It is usually sent when the receiving end receives a packet unrelated to the current connection. In some cases, the TCP module needs to transmit data immediately instead of waiting until the entire segment is full. A high-level process will trigger the PSH mark in the TCP header and tell the TCP module to immediately send all the arranged data to the data receiving end. FIN
Indicates that an application connection has ended. When the receiving end receives the FIN, it determines that it will not receive any data.
TCP connection Establishment
To exchange data using TCP connections, you must first establish a connection between hosts. A TCP connection can be established in three steps, called the three-step handshake method. If host A runs the rlogin client program and wants to connect to the rlogin daemon server program on host B, connection process 1 is shown.
1 A --- SYN ---> B
2 A <-- SYN/ACK -- B
3 A --- ACK ---> B
Figure 1
Note that the TCP modules of host A and host B use their serial numbers respectively. At Moment 1, the client sets the flag SYN = 1 to tell the server that it needs to establish a connection. At the same time, the client places its initial serial number (ISN) in the serial number field SEQ in its TCP header, and tells the server that the serial number indicates that the domain is valid and should be checked. At Moment 2, the server is? After Zhang SONGXIA's zooyn, he responded by sending his ISN and ACK to the client and notifying him that the next expected data serial number is (ISN + 1 ). The client confirms the ISN of the server at 3rd. Data transmission is now available.
| Increasing ISN and serial number
It is important to know how to select the initial sequence number and how to change the sequence number based on time. It seems that this should happen when the serial number is initialized to 1 after the host is started, but this is not actually the case. The initial serial number is determined by the tcp_ini t function. ISN increases by 128000 per second. If a connection occurs, the counter value is increased by 64 for each connection.
000. Obviously, this means that the 32-bit counter of ISN is reset every 9.32 hours without connection. This is because it helps minimize the chance that the information of the old connection will interfere with the current connection. Here we use 2MSL
The concept of wait time (not covered in this article ). If the initial serial number is randomly selected, the existing serial number cannot be different from the previous one. Assume that a packet in a routing loop jumps out of the loop and returns to the "old" connection (which is actually different from the existing connection in the former ), apparently, it will interfere with existing connections.
Port Number
To provide concurrent access to the TCP module, TCP provides a user interface called a port. The port is used by the operating system kernel to identify different network processes, that is, to strictly distinguish the entry of the transport layer (that is, IP
Do not care about their existence ). The TCP port and IP address provide end-to-end network communication. In fact, any Internet connection can be described by four elements at any time: source IP address, source IP address port number, destination IP address and destination IP address port number. Server programs are generally bound to standard port numbers. For example, rlogin daemon is bound to TCP port 513.
IP Spoofing
IP spoofing consists of several steps. Here we will briefly describe it and then explain it in detail. First, the target host is selected. Second, the trust mode has been discovered and a host trusted by the target host has been found. To perform IP spoofing, hackers can perform the following tasks: Make the trusted host unable to work, and sample the TCP
The data serial number. Then, disguise as a trusted host and establish an application connection with the target host based on address verification. If successful, hackers can use a simple command to place a system backdoor for unauthorized operations.
IP spoofing is an unpleasant attack.
A very important fact that is often ignored is that IP spoofing is an inconspicuous attack. Attackers will replace the truly trusted host, thus undermining the security system of the target host. Hackers often use the methods described below to make the truly trusted host unable to work. When a host with a low degree of security is communicating with a trusted host, is it on the Internet? When the catfish reaches the Swordsmanship sac, it can be used to import fresh and powerful tips. Why does it make trouble? A large number of data packets that mimic it are sent to the target host. Sadly, the target host has no feeling at all. TCP packets imitated by attackers