Part 1: Defense Technology of Network Spoofing
Abstract: This article introduces, in plain language, an emerging network security technology: network spoofing (network deception).
Definition of network spoofing:
Recently, Britain, the United States, France, Germany and other countries have been actively studying network spoofing technology and applying it to military use. So what is network spoofing technology, and why are the Western powers so keen to study it?
Network spoofing exploits the intruder's desire to profit from the information system. Based on the inherent weaknesses of information network systems, it uses appropriate techniques to disguise the system as holding valuable resources that the intruder believes can be attacked and stolen (in fact these resources are unimportant or forged), thereby misleading the intruder toward the wrong resources. This significantly increases the intruder's burden (workload, intrusion complexity and uncertainty), so that intruders cannot tell whether their intrusion has succeeded. More importantly, it also allows the defender to use detection technology to trace the intruder's source in a timely manner, and to discover and fix potentially serious vulnerabilities in the system in time.
The role of network spoofing:
Vulnerabilities are unavoidable in any system and can be exploited by intruders; this is precisely what makes network spoofing possible. Network spoofing is mainly used in the following scenarios:
Disrupt the intruder's intentions so that the intruder makes choices according to the defender's design.
Quickly detect intruders and promptly discover their techniques and intentions.
Consume a large amount of the intruder's resources and make intrusion more difficult.
We believe a good network spoofing solution makes intruders feel that reaching the resources they want is not easy but a laborious process, while still leaving them convinced that their attack is succeeding and effective.
Specific network spoofing technologies:
1. Bait technology (honeypots and distributed honeypots)
This technology places a small number of attractive "targets", what we call bait, where intruders can easily find them. The purpose is to draw the intruder's attention and skill toward the bait we have placed, and thereby protect our truly valuable resources. As network technology developed, distributed bait technology was discovered and put to use: the bait is spread across multiple idle IP addresses and network interface cards to raise the success rate of network spoofing.
Network spoofing is generally implemented by hiding and by inserting false information. The former includes hiding services, multiple paths, and keeping security-status information confidential; the latter includes redirected routing, counterfeit information, and trap settings. Combining these methods, the earliest network spoofing technology was the honeypot, which places a small number of attractive targets (the honeypots) where intruders can easily discover them, so as to trick the intruder.
The goal of this technology is to find an effective way to influence intruders so that they concentrate their skill and energy on the honeypot instead of on other truly valuable normal systems and resources. Honeypot technology can also switch quickly once an intrusion attempt is detected.
However, honeypot technology has little effect on slightly more advanced network intrusions, so distributed honeypot technology came into being. It spreads honeypots among the normal systems and resources of the network and uses idle service ports as decoys, which increases the chance that an intruder is deceived. It has two direct effects: one is to spread the deception over a wider range of IP addresses and port space, and the other is to increase the proportion of decoys in the whole network, so that an intruder is more likely to find a decoy than a real security vulnerability.
Even so, distributed honeypot technology still has limitations, in three respects: first, it does not work against network scans that exhaustively search the whole space; second, it provides only a relatively low quality of deception; third, it only reduces, rather than eliminates, the security weaknesses in the whole search space. A more serious drawback is that it is only effective against remote scanning. If the intruder has already partly entered the network system and is in an observation phase (such as sniffing) rather than an active scanning phase, the real network services are transparent to the intruder and this deception becomes ineffective.
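The following is an added example (not code from the article) of the distributed bait idea described above: a low-interaction listener that occupies idle ports with plausible banners, records whatever a client sends first, and turns every contact into an alert, since nothing legitimate should ever connect to these ports. The port table, banners, alert layout and addresses are constructed assumptions.

```python
"""Low-interaction decoy ports: bait listeners that alert on any contact.

Added example, not code from the article. The decoy port table, banners and
the JSON alert layout are constructed for illustration.
"""
import json
import selectors
import socket
import time

# Constructed bait table: "idle" ports that carry no real service, so any
# connection to them is suspicious by definition.
DECOY_PORTS = {
    23:   b"login: ",                              # fake telnet (needs root to bind)
    2121: b"220 ftp ready\r\n",                    # fake FTP on a spare port
    8080: b"HTTP/1.0 401 Unauthorized\r\n"
          b'WWW-Authenticate: Basic realm="admin"\r\n\r\n',  # fake admin HTTP
}


def classify_probe(decoy_port, first_bytes):
    """Rate what the client sent right after the banner."""
    data = first_bytes.strip().lower()
    if not data:
        return "low", "connect only (likely a port scan)"
    if decoy_port == 23 and data in (b"root", b"admin", b"administrator"):
        return "high", "privileged username offered to decoy telnet"
    if decoy_port == 8080 and data.startswith(b"get /"):
        return "medium", "HTTP request to decoy admin port"
    return "medium", "unexpected payload on decoy port"


def build_alert(src_ip, src_port, decoy_port, first_bytes, now=None):
    """Turn one decoy contact into an alert record for the log pipeline."""
    severity, note = classify_probe(decoy_port, first_bytes)
    return {
        "ts": time.time() if now is None else now,
        "src_ip": src_ip,
        "src_port": src_port,
        "decoy_port": decoy_port,
        "severity": severity,
        "note": note,
        "sample_hex": first_bytes[:64].hex(),
    }


def run_decoys(bind_addr="0.0.0.0", ports=DECOY_PORTS, read_timeout=5.0):
    """Serve every decoy port on bind_addr; emit one JSON alert per connection."""
    sel = selectors.DefaultSelector()
    for port, banner in ports.items():
        ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        ls.bind((bind_addr, port))
        ls.listen(16)
        ls.setblocking(False)
        sel.register(ls, selectors.EVENT_READ, data=(port, banner))
    while True:
        for key, _ in sel.select():
            port, banner = key.data
            conn, (ip, sport) = key.fileobj.accept()
            conn.settimeout(read_timeout)   # never let a client hold the decoy open
            try:
                conn.sendall(banner)
                first = conn.recv(256)
            except OSError:                 # includes socket.timeout
                first = b""
            finally:
                conn.close()
            print(json.dumps(build_alert(ip, sport, port, first)))


if __name__ == "__main__":
    run_decoys()
```

To distribute the bait across several idle addresses, as the section describes, run one `run_decoys(bind_addr=...)` per spare IP address bound to the host. The decoy never executes anything the client sends; it only records the first bytes, which is what keeps the interaction "low".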
2. Space deception technology
This technology uses a computer system with multiple IP addresses and network interface attributes to increase the intruder's workload by enlarging the IP address space that must be searched, and thereby protects the network. At present, research institutions can use a network system of 16 computers to implement deception across tens of thousands of addresses. From the point of view of using space deception, placing fake and unimportant information resources at these IP addresses greatly increases the intruder's workload and intrusion time and consumes the intruder's resources, greatly reducing the probability that the real network services are detected.
Space deception increases the intruder's workload by enlarging the search space, and so achieves security protection. The multi-homing capability of computer systems lets a host with only one Ethernet card own a large number of IP addresses, each with its own MAC address. With this, deception that fills a large segment of address space can be created at very low cost. In fact, existing research institutions can already bind more than 4000 IP addresses to a single Linux PC, which means a network system of 16 computers can spoof an entire class B address space. Although the deception appears to consist of many different systems, it can in fact be achieved on a single computer.
In terms of effectiveness, placing network services on all of these IP addresses undoubtedly increases the intruder's workload, because the intruder must decide which services are real and which are forged, especially when more than 40,000 such IP addresses carry forged network services. In addition, in this situation the decoy services are the ones a scanner discovers most easily. By enticing the intruder, the intrusion time is lengthened and a large amount of the intruder's resources is consumed, greatly reducing the likelihood that the real network services are detected.
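As an added illustration of the arithmetic in this section (not the article's or any research institution's code), the planner below divides the usable addresses of a class B (/16) network across 16 decoy hosts, assigns every address a fake service port, and emits the `ip addr add` commands a Linux administrator would use to bind them. The network, interface name, host names and service ports are constructed placeholders; the plan is a dry run and applies nothing.

```python
"""Plan an address-space decoy: cover a /16 with N decoy hosts.

Added example, not the article's code. The network, interface name, host names
and decoy service ports are constructed placeholders.
"""
import ipaddress
import random


def split_space(network, host_count):
    """Divide every usable address in `network` into host_count contiguous chunks."""
    addrs = list(ipaddress.ip_network(network).hosts())   # /16 -> 65534 addresses
    size = -(-len(addrs) // host_count)                   # ceiling division
    return [addrs[i:i + size] for i in range(0, len(addrs), size)]


def plan_bindings(network, host_names, iface, decoy_ports, seed=0):
    """Return {host: [(address, fake_port, ip_command), ...]} for a dry run.

    Every address gets a fake service so the real ones become needles in a
    haystack; the seed makes the layout reproducible for the defender only.
    """
    rng = random.Random(seed)
    prefix = ipaddress.ip_network(network).prefixlen
    plan = {}
    for host, chunk in zip(host_names, split_space(network, len(host_names))):
        rows = []
        for addr in chunk:
            port = rng.choice(decoy_ports)
            # iproute2 syntax for adding a secondary address to an interface.
            cmd = f"ip addr add {addr}/{prefix} dev {iface}"
            rows.append((str(addr), port, cmd))
        plan[host] = rows
    return plan


def summarize(plan):
    """Addresses per decoy host, to check the per-machine load before applying."""
    return {host: len(rows) for host, rows in plan.items()}


if __name__ == "__main__":
    hosts = [f"decoy{i:02d}" for i in range(16)]          # constructed names
    plan = plan_bindings("10.0.0.0/16", hosts, "eth0", [22, 80, 445])
    print(summarize(plan))
    for _addr, _port, cmd in plan["decoy00"][:3]:
        print(cmd)
```

With 65534 usable addresses, each of the 16 hosts receives 4096 (the last 4094), which matches the "more than 4000 per Linux PC" figure in the text. One caveat for anyone applying such a plan: secondary addresses added with `ip addr add` share the interface's single MAC address; giving each decoy address its own MAC, as the section describes, requires virtual interfaces (for example macvlan), which this example does not set up.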
When a hacker's scanner reaches the external router of the network system and touches a decoy service, all of the scanner's network traffic can also be redirected to the decoy, so that its subsequent remote access becomes a continuation of this deception.
Of course, when such deception is used, the switching (redirection) of network traffic and services must be kept strictly confidential, because once it is exposed it will be attacked: the intruder can then easily tell any known real service apart from the decoys, and the deception that was meant to test the hacker's scanning, detection and response is defeated.
Precautions for implementing network spoofing
In the face of ever-advancing network attack techniques, any network spoofing technology must keep improving in order to resist them.
• Network Traffic Simulation
The purpose of generating simulated traffic is to prevent traffic analysis from revealing the deception. There are two ways to generate simulated traffic in a deception system. One is to copy real network traffic, in real time or by replay, which makes the deception system very similar to the real one because all access connections are copied. The other is to generate counterfeit traffic from remote hosts so that intruders can discover and use it.
• Dynamic Network Configuration
A real network changes over time. If the deception is static, long-term surveillance by an intruder will render it invalid. Therefore the deception network must be configured dynamically to simulate normal network behavior, so that it changes as the real network does. To be effective, the deception's characteristics should also reflect those of the real system as far as possible. For example, if the computers in an office are shut down after work, the decoy computers should be shut down at the same time. Holidays, weekends and other special periods must also be considered; otherwise, intruders may discover the deception.
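As an added example of the dynamic configuration just described (not the article's code), the schedule below keeps a decoy's power state in step with the office workstation it imitates, including weekends and holidays. The office-hours profile and holiday dates are constructed; the per-day jitter is an added caveat rather than something the article states, included because a decoy that flips at exactly the same second every day is itself a tell.

```python
"""Schedule decoy hosts to mirror the rhythm of the real network.

Added example, not the article's code. The office-hours profile and holiday
list are constructed placeholders.
"""
import datetime as dt
import random

# Constructed profile for a decoy that imitates an office workstation.
OFFICE_PROFILE = {
    "workdays": {0, 1, 2, 3, 4},                              # Monday..Friday
    "start": dt.time(8, 0),
    "end": dt.time(18, 0),
    "holidays": {dt.date(2024, 12, 25), dt.date(2025, 1, 1)},  # constructed
}


def decoy_should_be_up(when, profile=OFFICE_PROFILE):
    """True when the real host this decoy imitates would be switched on.

    `when` is an ISO 8601 timestamp string such as "2024-12-27T09:00".
    """
    now = dt.datetime.fromisoformat(when)
    if now.date() in profile["holidays"] or now.weekday() not in profile["workdays"]:
        return False
    return profile["start"] <= now.time() < profile["end"]


def daily_transitions(day, profile=OFFICE_PROFILE, max_jitter_min=25):
    """Minutes after midnight at which the decoy powers on and off on `day`
    (an ISO date string), or None if it stays off all day.

    The jitter is seeded by the date so the plan is reproducible for the
    defender yet does not repeat the same second every day for an observer.
    """
    date = dt.date.fromisoformat(day)
    if not decoy_should_be_up(f"{day}T{profile['start'].isoformat()}", profile):
        return None
    rng = random.Random(date.toordinal())
    start = profile["start"].hour * 60 + profile["start"].minute
    end = profile["end"].hour * 60 + profile["end"].minute
    on = start + rng.randint(-max_jitter_min, max_jitter_min)
    off = end + rng.randint(-max_jitter_min, max_jitter_min)
    return on, off


if __name__ == "__main__":
    for day in ("2024-12-25", "2024-12-27", "2024-12-28"):
        print(day, daily_transitions(day))
```

A controller would call `daily_transitions` once per day and start or stop the decoy's services (or the virtual machine) at the returned minutes; the same profile should be derived from the real hosts' observed uptime rather than guessed, otherwise the decoy's rhythm diverges from the network it is meant to blend into.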
• Multiple address translation
Multiple address translation separates the deception network from the real network, so that real computers can take the place of low-fidelity decoys, increasing indirection and concealment. The basic idea is to redirect the proxy service (by rewriting the proxy server program) and have the proxy service perform address translation, so that the same source and destination addresses are maintained in the deception system as in the real system. In the text's example, access from m.n.o.p entering the .b.c.g interface undergoes a series of address translations (from .f.c.g to 10.n.o.p, then to 10.g.c.f), and finally the packet leaves the deception in the form m.n.o.p to .b.c.g. In addition, the decoy service can be bound to a host of the same type and configuration as the host providing the real service, which greatly improves the authenticity of the deception. Dynamic multiple address translation can also be tried.
• Create organizational information spoofing
If an organization provides access to personal and system information, the deception must reflect that information in some way. For example, if the organization's DNS server contains detailed information about each system's owner and location, the spoofed DNS records must contain a spoofed owner and location as well; otherwise the deception is easily discovered. Furthermore, forged people and locations need forged supporting information such as salaries, budgets and personnel records.
In short, what we need to do is make the attacker feel that the target being attacked is real, or leave him unable to tell what he is actually attacking, while convincing him that his efforts are proceeding according to his own will.
Part 2: Network spoofing attack technology
Every security technique has its counterpart on the attack side, and network spoofing is no exception: there is network spoofing in defense, and there is also network spoofing in attack. The attack-side technology is very different from the deception technology described above.
Definition: network spoofing means that an attacker manipulates the network parameters of the local machine so that it passes the network's verification devices and obtains the same privileges as a legitimate host on the network, and then uses this to attack the entire network.
Dangers caused by network spoofing:
• The verification function of the entire network system becomes ineffective: attackers can attack the entire network without having to bypass the network verification devices.
• Network spoofing can cause network security administrators to relax their management of the entire network.
Specific network spoofing techniques:
• ARP spoofing technology
This technique poses the most practical challenge to network security administrators, because it really makes you feel that a hacker is attacking your host, and it cannot be avoided simply by applying enough patches to the host. Avoiding network spoofing of this kind requires the security administrator to have considerable knowledge of networking and network wiring.
We know that in a TCP/IP environment, the routing table defines the path an IP packet takes; when the packet arrives on the local network, a host needs a MAC address to decide whether to respond. That is, a machine responds to an IP packet only when the MAC address carried with the packet matches the MAC address of that host on the network. Therefore, each host keeps an IP-to-MAC (ARP) conversion table in memory. This is usually a dynamic table (note that ARP entries can also be set to static), meaning the host refreshes the table as needed. This is because Ethernet transmission at the subnet layer relies on the 48-bit MAC
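From the defender's side, the dynamic ARP table described above is also where ARP spoofing leaves traces. The following added example (not code from the article) checks a Linux neighbour table, in the line format of `ip neigh show`, against a static baseline of addresses that must not move, and flags two conditions: a protected IP that now resolves to a different MAC, and one MAC answering for several IPs. The baseline and the sample table lines are constructed.

```python
"""Check a Linux neighbour (ARP) table against a static baseline.

Added example, not from the article. It parses lines in the output format of
`ip neigh show`; BASELINE and SAMPLE below are constructed for illustration.
"""
import re

# One line per neighbour, e.g.
#   192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
# FAILED / INCOMPLETE entries carry no lladdr, so that group is optional.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-fA-F:]{17}))?"
    r"\s+(?P<state>[A-Z]+)$"
)

# Constructed: MACs of hosts that must never move (gateway, key servers),
# recorded on a day the network was known to be clean.
BASELINE = {"192.168.1.1": "aa:bb:cc:dd:ee:01"}

# Constructed sample of a poisoned table: the gateway IP now resolves to the
# MAC that also owns 192.168.1.50.
SAMPLE = [
    "192.168.1.1 dev eth0 lladdr 02:42:ac:11:00:99 REACHABLE",
    "192.168.1.50 dev eth0 lladdr 02:42:ac:11:00:99 STALE",
    "192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:20 REACHABLE",
    "192.168.1.99 dev eth0  FAILED",
]


def parse_neigh(lines):
    """Return (ip, dev, mac_or_None, state) for each line that parses."""
    entries = []
    for line in lines:
        m = NEIGH_RE.match(line.strip())
        if m:
            mac = m["mac"].lower() if m["mac"] else None
            entries.append((m["ip"], m["dev"], mac, m["state"]))
    return entries


def check_arp_table(lines, baseline):
    """Return a list of findings (dicts) for the given neighbour-table lines."""
    entries = parse_neigh(lines)
    findings = []
    # Rule 1: a protected IP now resolves to a MAC other than its baseline.
    for ip, dev, mac, _state in entries:
        expected = baseline.get(ip)
        if expected and mac and mac != expected.lower():
            findings.append({"rule": "baseline_mismatch", "ip": ip, "mac": mac,
                             "detail": f"expected {expected.lower()} on {dev}"})
    # Rule 2: one MAC answering for several IPs. This is legitimate for
    # multi-homed hosts, so treat it as a supporting indicator, not proof.
    by_mac = {}
    for ip, _dev, mac, _state in entries:
        if mac:
            by_mac.setdefault(mac, set()).add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append({"rule": "mac_multi_ip", "mac": mac, "ips": sorted(ips),
                             "detail": "one MAC claims several IP addresses"})
    return findings


if __name__ == "__main__":
    import subprocess
    # Read the live table when available; fall back to the constructed sample.
    live = subprocess.run(["ip", "neigh", "show"], capture_output=True,
                          text=True, check=False).stdout.splitlines()
    for finding in check_arp_table(live or SAMPLE, BASELINE):
        print(finding)
```

Run periodically, this turns the "dynamic table" into something the administrator can audit. The static entry the article mentions is set on Linux with `ip neigh replace 192.168.1.1 lladdr aa:bb:cc:dd:ee:01 dev eth0 nud permanent` (addresses constructed); a permanent entry for the gateway is not refreshed by incoming ARP replies, which is the protection the text refers to.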