Common methods and prevention of IP address theft

At present, IP address theft is very common. Many "attackers" use address theft to avoid tracking and hiding their own identities. IP address theft infringes on the rights and interests of normal network users and has a huge negative impact on network security and normal network operation, identifying effective preventive measures is an urgent issue.

Common Methods for IP address theft and their prevention mechanisms

IP address theft refers to the use of unauthorized IP addresses to configure computers on the Internet. There are two methods for IP address theft:

First, you can simply modify the IP address for theft. If you use an IP address that is not obtained legally When configuring or modifying the configuration, IP address theft is formed. Because an IP address is a protocol logical address and a value that needs to be set and modified at any time, you cannot modify the IP address of the local machine.

The second is to modify the IP-MAC address at the same time. For the problem of simply modifying the IP address, many units are using IP-MAC bundling technology to solve. But IP-MAC bundling technology cannot prevent users from modifying the IP-MAC. The MAC address is the hardware address of the network device. For Ethernet, it is also known as the NIC address. The MAC address on each Nic must be unique among all Ethernet devices. It is allocated by IEEE and fixed on the NIC. However, some MAC addresses compatible with NICs can be modified through the configuration program. If you change the IP address and MAC address of a computer to the IP address and MAC address of another legitimate host, then the IP-MAC bundling technology is powerless. In addition, for some NICs whose MAC addresses cannot be directly modified, you can also modify the MAC address through the software, that is, by modifying the underlying network software to spoof the upper-layer software.

At present, it is found that the commonly used method of IP address theft is to regularly scan the ARP (address resolution protocol) Table of the routers of the network, get the current IP address and the IP-MAC control relationship, and the valid IP address table, the IP-MAC table compares, if inconsistent, there is an illegal access behavior. In addition, you can also detect IP address theft from the user's fault report (a message indicating a MAC address conflict occurs when an IP address is being stolen. On this basis, the common prevention mechanisms include: IP-MAC binding technology, proxy server technology, IP-MAC-USER authentication and authorization and transparent gateway technology.

These mechanisms have certain limitations, such as IP-MAC bundling technology user management is very difficult; transparent gateway technology requires a dedicated machine for data forwarding, the machine is easy to become a bottleneck. More importantly, these mechanisms do not completely prevent the damage caused by IP address theft. They only prevent IP address theft from directly accessing external network resources. As a matter of fact, because the IP address hacker still has the freedom to completely act in the IP subnet, on the one hand, this behavior will interfere with the use of legitimate users: on the other hand, attackers may exploit this vulnerability to attack other machines and network devices in the subnet. If a proxy server exists in the subnet, hackers can also obtain out-of-network resources through various means.

At present, IP address theft is very common. Many "attackers" use address theft to avoid tracking and hiding their own identities. IP address theft infringes on the rights and interests of normal network users and has a huge negative impact on network security and normal network operation, identifying effective preventive measures is an urgent issue. NIC address. The MAC address on each Nic must be unique among all Ethernet devices. It is allocated by IEEE and fixed on the NIC. However, some MAC addresses compatible with NICs can be modified through the configuration program. If you change the IP address and MAC address of a computer to the IP address and MAC address of another legitimate host, then the IP-MAC bundling technology is powerless. In addition, for some NICs whose MAC addresses cannot be directly modified, you can also modify the MAC address through the software, that is, by modifying the underlying network software to spoof the upper-layer software.

Common Methods for IP address theft and their prevention mechanisms

IP address theft refers to the use of unauthorized IP addresses to configure computers on the Internet. There are two methods for IP address theft:

First, you can simply modify the IP address for theft. If you use an IP address that is not obtained legally When configuring or modifying the configuration, IP address theft is formed. Because an IP address is a protocol logical address and a value that needs to be set and modified at any time, you cannot modify the IP address of the local machine.

The second is to modify the IP-MAC address at the same time. For the problem of simply modifying the IP address, many units are using IP-MAC bundling technology to solve. But IP-MAC bundling technology cannot prevent users from modifying the IP-MAC. The MAC address is the hardware address of the network device.

At present, it is found that the commonly used method of IP address theft is to regularly scan the ARP (address resolution protocol) Table of the routers of the network, get the current IP address and the IP-MAC control relationship, and the valid IP address table, the IP-MAC table compares, if inconsistent, there is an illegal access behavior. In addition, you can also detect IP address theft from the user's fault report (a message indicating a MAC address conflict occurs when an IP address is being stolen. On this basis, the common prevention mechanisms include: IP-MAC binding technology, proxy server technology, IP-MAC-USER authentication and authorization and transparent gateway technology.

These mechanisms have certain limitations, such as IP-MAC bundling technology user management is very difficult; transparent gateway technology requires a dedicated machine for data forwarding, the machine is easy to become a bottleneck. More importantly, these mechanisms do not completely prevent the damage caused by IP address theft. They only prevent IP address theft from directly accessing external network resources. As a matter of fact, because the IP address hacker still has the freedom to completely act in the IP subnet, on the one hand, this behavior will interfere with the use of legitimate users: on the other hand, attackers may exploit this vulnerability to attack other machines and network devices in the subnet. If a proxy server exists in the subnet, hackers can also obtain out-of-network resources through various means.

Use Port location to block IP address theft in a timely manner

A switch is the main network device of a LAN. It works on the data link layer and forwards and filters packets based on MAC addresses. Therefore, each vswitch maintains a MAC address table corresponding to the port. The MAC addresses of any host directly connected to a vswitch or in the same broadcast domain are saved in the MAC address table of the vswitch. The SNMP (Simple Network Management protocol) Management station can communicate with the SNMP proxy of each switch to obtain the MAC address table corresponding to the port saved by each switch, to form a real-time Switch-Port-MAC table. Compare the Real-Time Switch-Port-MAC table with the obtained valid complete table to quickly detect whether the Switch Port has an invalid MAC address, you can further determine whether IP address theft has occurred. If the same MAC address appears on the non-cascade ports of different switches at the same time, it means that the IP-MAC is stolen in pairs.

After detecting address theft, the system has actually located the port of the switch. Then, you can query the complete Switch-Port-MAC table created in advance to immediately locate the room where theft occurs.

After an address theft occurs, you can immediately take appropriate measures to block the impact of the theft, technically, the SNMP management station can send an SNMP message to the switch proxy to shut down the port where the IP address is stolen. In this way, the machine that steals the IP address cannot have any connection with other machines in the network, of course, it cannot affect the normal operation of other machines.

You can change the management status of port shutdown. In the MIB (Management Information Base), there is a read/write object ifAdminStatus (Object ID number is 1.3.6.1.2.1.2.2.1.7) that represents the port Management status. You can assign different values to ifAdminStatus to change the port Management status, that is, "1"-enable port, "2"-disable port, and "3"-for testing.

In this way, the management station can send a Set Request to the vswitch to disable and enable the corresponding port, for example, to disable port 2 of A vswitch (192.168.1.1, you can send the following information to the vswitch:

Set ("private" 192.168.1.1 1.3.6.1, 2.1.2.2.1.7.2.0.2 ).

Combined with the IP-MAC binding technology, through the switch port management, you can quickly find and block the IP address theft in actual use, especially to solve the problem of IP-MAC pair theft, at the same time, it does not affect the network operation efficiency. A switch is the main network device of a LAN. It works on the data link layer and forwards and filters packets based on MAC addresses. Therefore, each vswitch maintains a MAC address table corresponding to the port. The MAC addresses of any host directly connected to a vswitch or in the same broadcast domain are saved in the MAC address table of the vswitch. The SNMP (Simple Network Management protocol) Management station can communicate with the SNMP proxy of each switch to obtain the MAC address table corresponding to the port saved by each switch, to form a real-time Switch-Port-MAC table. Compare the Real-Time Switch-Port-MAC table with the obtained valid complete table to quickly detect whether the Switch Port has an invalid MAC address, you can further determine whether IP address theft has occurred. If the same MAC address appears on the non-cascade ports of different switches at the same time, it means that the IP-MAC is stolen in pairs.

After detecting address theft, the system has actually located the port of the switch. Then, you can query the complete Switch-Port-MAC table created in advance to immediately locate the room where theft occurs.

After an address theft occurs, you can immediately take appropriate measures to block the impact of the theft, technically, the SNMP management station can send an SNMP message to the switch proxy to shut down the port where the IP address is stolen. In this way, the machine that steals the IP address cannot have any connection with other machines in the network, of course, it cannot affect the normal operation of other machines.

You can change the management status of port shutdown. In the MIB (Management Information Base), there is a read/write object ifAdminStatus (Object ID number is 1.3.6.1.2.1.2.2.1.7) that represents the port Management status. You can assign different values to ifAdminStatus to change the port Management status, that is, "1"-enable port, "2"-disable port, and "3"-for testing.

In this way, the management station can send a Set Request to the vswitch to disable and enable the corresponding port, for example, to disable port 2 of A vswitch (192.168.1.1, you can send the following information to the vswitch:

Set ("private" 192.168.1.1 1.3.6.1, 2.1.2.2.1.7.2.0.2 ).

Combined with the IP-MAC binding technology, through the switch port management, you can quickly find and block the IP address theft in actual use, especially to solve the problem of IP-MAC pair theft, at the same time, it does not affect the network operation efficiency.