Analysis on types of protocol spoofing attacks

Source: Internet
Author: User
Tags: dns spoofing

IP Spoofing Attack

IP spoofing forges the source IP address of a packet so that it appears to come from another host, in order to obtain the privileges that host has been granted. Many applications assume that if a packet could be routed to its destination and the reply can be routed back to the source, the source address must be genuine. That assumption is the premise that makes the source IP address spoofing attack possible.

Assume that hosts A and B are on the same network and host X is on a different network. B trusts A and grants it certain privileges based on A's address. To obtain the same privileges as A, X proceeds as follows. First, X sends B a SYN packet with A's source address and an arbitrary initial sequence number. B replies with a SYN/ACK addressed to A, whose acknowledgement number is X's sequence number plus 1 and which carries B's own initial sequence number (ISN). At this point A has already been taken out of service by a denial-of-service attack from X, so A neither processes B's SYN/ACK nor resets the half-open connection. To complete the three-way handshake, X must now send B an ACK whose acknowledgement number is B's ISN plus 1. X cannot see B's SYN/ACK (it is on a different network segment), so it has to predict B's ISN, typically by opening a few genuine connections to B beforehand and observing how the ISN changes from one connection to the next. If the guess is right, B believes the ACK came from the trusted internal host A, and X holds an established connection with A's privileges on B and can start attacking the trusted services. Modern TCP stacks randomize the ISN per connection (RFC 6528), which makes this blind guess impractical, but address-based trust remains a weakness wherever it is still used.
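The handshake above, as an added simulation that is not part of the original article: ServerB models only B's ISN generation and its address-based trust check, and blind_spoof plays X. The addresses, the seed and the 64000-per-connection increment of the "predictable" generator are constructed for the example; no packets are sent.

```python
# Simulation of the blind TCP spoofing attack. Constructed example: no packets
# are sent; ServerB models only B's ISN generation and its address-based trust
# check. IPs, the ISN seed and the 64000 increment are made up.
import secrets

A_IP, B_IP, X_IP = "10.0.0.5", "10.0.0.9", "198.51.100.7"   # constructed
MASK32 = 0xFFFFFFFF


class ServerB:
    """B's side of the handshake: hand out an ISN per SYN, accept the ACK
    only if it acknowledges ISN+1, then grant trust purely by source IP."""

    def __init__(self, trusted_ip, isn_policy):
        self.trusted_ip = trusted_ip
        self.isn_policy = isn_policy            # "predictable" or "random"
        self._last_isn = 0x12345678             # seed for the predictable generator
        self.pending = {}                       # (src_ip, src_port) -> expected ACK
        self.trusted_sessions = []

    def _next_isn(self):
        if self.isn_policy == "predictable":
            # Old-style generator: fixed increment for every new connection.
            self._last_isn = (self._last_isn + 64000) & MASK32
            return self._last_isn
        return secrets.randbelow(1 << 32)       # RFC 6528-style unpredictable ISN

    def recv_syn(self, src_ip, src_port):
        """Process a SYN and 'send' the SYN/ACK. The returned ISN goes to src_ip
        on the wire, so a caller may only use it if it can observe that traffic."""
        isn = self._next_isn()
        self.pending[(src_ip, src_port)] = (isn + 1) & MASK32
        return isn

    def recv_ack(self, src_ip, src_port, ack_number):
        """Third handshake step. True only if the connection is established
        AND the (unverified) source address is the trusted one."""
        expected = self.pending.pop((src_ip, src_port), None)
        if expected is None or ack_number != expected:
            return False                        # handshake fails, no session
        if src_ip == self.trusted_ip:
            self.trusted_sessions.append(src_port)
            return True
        return False


def blind_spoof(server):
    """X's attack. Step 1: learn B's ISN behaviour from two honest connections
    (X sees those SYN/ACKs, they are addressed to X). Step 2: send a SYN as A
    while A is assumed knocked out by DoS, so A never RSTs the unexpected
    SYN/ACK. Step 3: ACK the SYN/ACK X never saw, using the predicted ISN."""
    isn1 = server.recv_syn(X_IP, 40000)
    server.recv_ack(X_IP, 40000, (isn1 + 1) & MASK32)
    isn2 = server.recv_syn(X_IP, 40001)
    server.recv_ack(X_IP, 40001, (isn2 + 1) & MASK32)
    step = (isn2 - isn1) & MASK32              # per-connection ISN delta

    server.recv_syn(A_IP, 514)                 # SYN/ACK goes to A; X cannot see it
    predicted_isn = (isn2 + step) & MASK32
    return server.recv_ack(A_IP, 514, (predicted_isn + 1) & MASK32)


def attack_succeeds(isn_policy):
    """True if X ends up with a session that B attributes to trusted host A."""
    return blind_spoof(ServerB(A_IP, isn_policy))


if __name__ == "__main__":
    print("predictable ISN:", attack_succeeds("predictable"))
    print("random ISN:     ", attack_succeeds("random"))
```

With the predictable generator the guess is exact and B grants X the trust reserved for A; with a random ISN the guess is right with probability 2^-32, which is why ISN randomization alone closed the blind variant of this attack while leaving the address-based trust model itself unfixed.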

To prevent source IP address spoofing, take the following measures to protect the system from such attacks:

· Discard address-based trust policies: the simplest way to prevent such attacks is to stop authenticating by address. Disallow the BSD r-commands (rlogin, rsh, rcp), delete .rhosts files and empty /etc/hosts.equiv. This forces all users onto remote-access methods that authenticate the user rather than the address, such as telnet with passwords, ssh, or one-time passwords (S/Key). Note that telnet sends credentials in cleartext, so ssh is the practical choice.

· Encryption: packets can be encrypted and authenticated before they are put on the network. Although this requires changes to the current network environment, it ensures the integrity and authenticity of the data, so a forged source address alone is no longer enough to be trusted.

· Packet filtering: configure the router to reject packets arriving from the Internet whose source address belongs to the internal network (ingress filtering). Likewise, the router should not forward packets from internal hosts whose source address is not in the internal network (egress filtering), so that the site cannot be used to launch spoofing against others.

Note that although a router can block a particular class of packets from reaching the internal network, it decides by inspecting the source address, so it can only filter packets that claim to come from the internal network. If the network trusts hosts outside it, the router cannot prevent IP spoofing that impersonates those external hosts.

ARP spoofing attacks

In a LAN, an IP address must be resolved to a Layer 2 physical address (MAC address) through ARP before two hosts can communicate, so ARP matters a great deal for network security. However, ARP was designed without much thought for security: any host can send an ARP message, and receivers accept it without verification. ARP spoofing exploits this by sending forged IP-to-MAC mappings.

Assume that three hosts A, B and C are on the same switched LAN, the attacker runs a sniffer on host A, and B and C are communicating. A wants to sniff the traffic from B to C, so A impersonates C and spoofs B: it sends B a forged ARP reply in which the sender IP address is C's and the sender MAC address is A's. This reply refreshes B's ARP cache so that B now believes the MAC address mapped to C's IP address is A's. From then on, the data B intends for C is actually delivered to A, which achieves the sniffing. After sniffing each packet, A must forward it to C so that the communication between B and C is not interrupted and the spoofing goes unnoticed.

The above is the basic principle of ARP-spoofing-based sniffing. The sniffer A has in effect been inserted into the path from B to C: B's data goes to A first and A then forwards it to C. Poisoning C's cache in the same way (claiming B's IP address with A's MAC) intercepts the return direction too. The data transmission relationship is then:

B -> A -> C

B <- A <- C

Then A successfully intercepts the data that B sends to C. The above is a simple example of ARP spoofing.

ARP spoofing attacks

There are two targets: spoofing the ARP table of the router (gateway), or spoofing the ARP table of a host on the internal network; the two can also be done at the same time. Once a table is poisoned, the data exchanged between the computer and the router is sent to the wrong MAC address: to the attacker's, which puts the attacker in the middle of the connection, or to a nonexistent one, which simply cuts the host off.

The following measures can be taken to prevent ARP Spoofing Attacks:

· Use the arp command on the client (arp -s) to bind the real MAC address of the gateway as a static entry.

· Statically bind ports to MAC addresses on the switch (port security).

· Statically bind IP addresses to MAC addresses on the router.

· Run an ARP server that periodically broadcasts the correct IP-MAC mapping table to all hosts in the network segment.
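The poisoning described in the sniffing example above and the static-binding defence from the list above, as one added example that is not code from the original article: the forged ARP reply is built and parsed as bytes, and ArpCache models a host's cache with and without a static entry for C. MAC and IP addresses are constructed, and nothing is sent on a real network.

```python
# Constructed example of ARP cache poisoning and the static-binding defence.
# Frames are built and parsed as bytes only; MAC and IP addresses are made up.
import struct

A_MAC, A_IP = bytes.fromhex("0a0000000001"), "192.168.1.11"   # attacker / sniffer
B_MAC, B_IP = bytes.fromhex("0a0000000002"), "192.168.1.12"   # victim
C_MAC, C_IP = bytes.fromhex("0a0000000003"), "192.168.1.13"   # B's real peer

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (RFC 826 layout). The receiver
    caches the sender fields, and the sender can put anything in them."""
    eth = target_mac + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4
    arp += sender_mac + ip_bytes(sender_ip) + target_mac + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip, target_mac, target_ip)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    arp = frame[14:42]
    hw, proto, hlen, plen, op = struct.unpack("!HHBBH", arp[:8])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP variant")
    sender_mac, sender_ip = arp[8:14], ".".join(map(str, arp[14:18]))
    target_mac, target_ip = arp[18:24], ".".join(map(str, arp[24:28]))
    return op, sender_mac, sender_ip, target_mac, target_ip


class ArpCache:
    """A host's ARP cache. Without static entries it behaves like the
    vulnerable default: any reply, solicited or not, overwrites the mapping.
    IPs listed in static_ips are never overwritten; conflicting replies are
    recorded as alerts instead (what an 'arp -s' binding achieves)."""

    def __init__(self, initial, static_ips=()):
        self.table = dict(initial)
        self.static_ips = set(static_ips)
        self.alerts = []

    def on_frame(self, frame):
        op, sender_mac, sender_ip, _, _ = parse_arp(frame)
        if op != ARP_REPLY:
            return
        if sender_ip in self.static_ips:
            if self.table.get(sender_ip) != sender_mac:
                self.alerts.append(f"ARP spoof attempt: {sender_ip} claimed by "
                                   f"{sender_mac.hex(':')}")
            return
        self.table[sender_ip] = sender_mac            # blindly trust the reply

    def next_hop_mac(self, ip):
        return self.table.get(ip)


def poison_b(static_binding):
    """A tells B 'C's IP is at A's MAC'. Returns the MAC B will now use for C
    and any alerts B raised."""
    cache_b = ArpCache({C_IP: C_MAC}, static_ips=[C_IP] if static_binding else [])
    forged = build_arp_reply(A_MAC, C_IP, B_MAC, B_IP)
    cache_b.on_frame(forged)
    return cache_b.next_hop_mac(C_IP), cache_b.alerts


if __name__ == "__main__":
    mac, alerts = poison_b(static_binding=False)
    print("unprotected B now sends C's traffic to", mac.hex(":"), "(A's MAC)")
    mac, alerts = poison_b(static_binding=True)
    print("bound B keeps", mac.hex(":"), "and logs:", alerts)
```

The unprotected cache is the default behaviour of most stacks: the forged reply was never requested, yet it replaces the correct entry. The bound cache keeps C's real MAC and the conflicting reply becomes a detectable event, which is the signal tools that watch for gratuitous or conflicting ARP replies alert on.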

DNS Spoofing Attacks

DNS spoofing is the most common DNS security problem. A DNS server is spoofed when it is tricked into accepting and using a false answer from a malicious source. This can cause many problems for a vulnerable DNS server and its clients, such as directing users to the wrong Internet site or sending email to an unauthorized mail server. Attackers usually carry out DNS spoofing in the following ways.

(1) cache Infection

The attacker crafts DNS requests so that a forged answer lands in the cache of an unprotected DNS server. That cached entry is then returned to every client that queries the server, directing them to a web or mail server where the attacker has planted a Trojan, from which the attacker harvests user information.

(2) DNS information hijacking

The intruder observes, or predicts, the exchange between the client and the DNS server and guesses the query ID. Each DNS message carries a 16-bit ID; the client uses it to match a response to the query it sent, and besides arriving on the right port and repeating the question it is the only thing a forged UDP response must get right. By sending a false response with the right ID before the real DNS server answers, the attacker fools the client into visiting a malicious site.

(3) DNS redirection

Attackers redirect DNS name queries to a malicious DNS server they control, for example by changing the client's resolver configuration or hijacking the DNS traffic itself. From then on the attacker decides what every name resolves to.
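Methods (1) and (2) above, as one added example that is not code from the original article: DNS messages are built and parsed as bytes, a Resolver with the checks that defeat them is modelled, id_guess_attack floods all 65536 IDs at port 53, and out_of_bailiwick_injection tries to smuggle a record for another name into the cache. Names, addresses and the simplified bailiwick rule (cache only records for the name that was asked about) are assumptions of the example; there is no network I/O.

```python
# Constructed model of DNS ID guessing and cache infection. Messages are
# built and parsed as bytes; names and IPs are made up. No network I/O.
import secrets
import struct


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def build_response(txid, qname, a_records):
    """Standard response: one question plus the given (name, ipv4) A records."""
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(a_records), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)
    for name, ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        msg += encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg


def parse_message(msg):
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name,) + struct.unpack("!HH", msg[off:off + 4]))
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    return txid, flags, questions, answers


class Resolver:
    """Stub resolver. random_port=False models the old behaviour of always
    querying from port 53, which leaves only the 16-bit ID to guess."""

    def __init__(self, random_port=True):
        self.random_port = random_port
        self.outstanding = {}        # local port -> (txid, qname)
        self.cache = {}              # qname -> ipv4
        self.rejected = 0

    def send_query(self, qname):
        txid = secrets.randbelow(1 << 16)
        port = secrets.randbelow(64512) + 1024 if self.random_port else 53
        self.outstanding[port] = (txid, qname.lower())
        return txid, port

    def receive(self, response, dst_port):
        """Accept only if the response hits an outstanding query's port and ID
        and repeats its question; cache only records for the asked name."""
        pending = self.outstanding.get(dst_port)
        if pending is None:
            self.rejected += 1
            return False
        txid, qname = pending
        rid, flags, questions, answers = parse_message(response)
        if rid != txid or not flags & 0x8000 or questions != [(qname, 1, 1)]:
            self.rejected += 1
            return False
        del self.outstanding[dst_port]
        for name, rtype, rdata in answers:
            if rtype == 1 and name == qname:      # simplified bailiwick check
                self.cache[name] = ".".join(map(str, rdata))
        return True


def id_guess_attack(resolver, qname, evil_ip):
    """Off-path attacker: knows the question, floods every ID at port 53."""
    resolver.send_query(qname)
    for guess in range(1 << 16):
        if resolver.receive(build_response(guess, qname, [(qname, evil_ip)]), 53):
            return resolver.cache.get(qname) == evil_ip
    return False


def out_of_bailiwick_injection(resolver):
    """Cache infection attempt: the attacker's own zone answers a query for
    evil.example but smuggles in a record for www.bank.example."""
    txid, port = resolver.send_query("evil.example")
    forged = build_response(txid, "evil.example", [("evil.example", "203.0.113.5"),
                                                   ("www.bank.example", "203.0.113.5")])
    resolver.receive(forged, port)
    return "www.bank.example" not in resolver.cache
```

Against a resolver that always queries from port 53, the ID flood succeeds on every run because 65536 guesses exhaust the space; with a random source port the same flood never matches an outstanding query, and the attacker would have to guess port and ID together. The bailiwick rule is what stops method (1): an answer the attacker is entitled to give for its own name cannot carry a mapping for someone else's.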

The following measures can be taken to prevent DNS Spoofing Attacks:

· Access important services directly by IP address, which at least avoids DNS spoofing, at the cost of having to remember the addresses.

· Encrypt all external data streams. On the server side, prefer protocols that support encryption and authenticate the peer, such as SSH, whose host-key check warns when a spoofed name leads to a different machine. Ordinary users should use software such as PGP to encrypt all data sent onto the network, although this is not easy.

Source route spoofing attacks

By specifying the route a packet takes, an attacker can communicate with other hosts under a false identity or deliver forged packets that cause errors on the attacked host. This is the source route attack. Normally the path an IP packet takes from its start point to its destination is determined by the routers between the two points; the packet itself only carries where it is going, not how to get there. Source routing (the IP loose and strict source route options) lets the sender write the path into the packet itself, so that the packet and the replies to it follow a path chosen by the attacker rather than the one the network would pick. The following is an example of a source route spoofing attack:

Host A holds some privileges on host B. Host X wants to impersonate A to obtain a service from B (assume A's IP address is aaa.bbb.ccc.ddd). First, the attacker modifies the router closest to X so that packets reaching that router with destination address aaa.bbb.ccc.ddd are sent into the network where X is. Then X sends B packets with A's source address and a source route option that names that router. When B sends its replies back along the reversed route, they pass through the modified router and are delivered to X. In this way the intruder obtains protected data in the name of a trusted host through a path of its own choosing.

To prevent source route spoofing attacks, the following two measures are generally used:

· The best defence is to configure the router to discard packets that come in from an external network but claim to be from internal hosts.

· Disable source routing on the router. On Cisco IOS this is the global configuration command no ip source-route; a border filter should also drop any packet that carries a source route option.
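The packet-filtering defence from the IP spoofing section and the two source-route measures above, as one added example that is not code from the original article: a minimal IPv4 header is built and parsed, and filter_packet drops outside packets claiming an inside source (ingress), inside packets with a foreign source (egress), and anything carrying a loose or strict source route option, which is the effect of no ip source-route. The internal block 192.0.2.0/24, the interface names and the sample packets are constructed for the example.

```python
# Constructed example of router-side anti-spoofing and source-route filtering
# on raw IPv4 headers. The 192.0.2.0/24 block and all packets are made up.
import ipaddress
import struct

INSIDE = ipaddress.ip_network("192.0.2.0/24")     # constructed internal block
OPT_LSRR, OPT_SSRR = 131, 137                      # RFC 791 loose / strict source route


def build_ipv4(src, dst, options=b""):
    """Minimal IPv4 header, no payload; options padded to a 4-byte boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options), 0, 0,
                      64, 6, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr + options


def parse_ipv4(pkt):
    """Return (src, dst, [option kinds]). Raises ValueError on a bad header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    opts, off = [], 20
    while off < ihl:
        kind = pkt[off]
        if kind == 0:                 # End of Option List
            break
        if kind == 1:                 # No Operation (single byte)
            off += 1
            continue
        if off + 1 >= ihl or pkt[off + 1] < 2 or off + pkt[off + 1] > ihl:
            raise ValueError("bad option length")
        opts.append(kind)
        off += pkt[off + 1]
    return src, dst, opts


def filter_packet(pkt, arrived_on):
    """arrived_on is 'outside' or 'inside'. Returns (action, reason)."""
    try:
        src, _dst, opts = parse_ipv4(pkt)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if OPT_LSRR in opts or OPT_SSRR in opts:
        return "drop", "source-routed packet"
    if arrived_on == "outside" and src in INSIDE:
        return "drop", "ingress: outside packet claims inside source"
    if arrived_on == "inside" and src not in INSIDE:
        return "drop", "egress: inside host sending with foreign source"
    return "accept", "ok"


if __name__ == "__main__":
    spoofed = build_ipv4("192.0.2.10", "192.0.2.20")           # claims to be inside
    lsrr = bytes([OPT_LSRR, 7, 4]) + ipaddress.ip_address("198.51.100.1").packed
    routed = build_ipv4("203.0.113.7", "192.0.2.20", lsrr)     # carries a source route
    for name, pkt, iface in [("spoofed", spoofed, "outside"),
                             ("source-routed", routed, "outside"),
                             ("legit", build_ipv4("203.0.113.7", "192.0.2.20"), "outside")]:
        print(name, filter_packet(pkt, iface))
```

The last case in the caveat above survives this filter by design: a packet from outside that impersonates an external host the site trusts carries a source address the router has no reason to reject, so filtering protects only the addresses the router knows to be its own.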
