Bypass blocking (out-of-band blocking) works by listening from a bypass: a mirror port or tap delivers copies of the traffic, the sensor reassembles the protocol, and it decides from the content which connections to block. The advantage of this kind of technology is that it does not affect Internet access speed and imposes no special requirements on users. It is normally attached at the Internet egress, beside the traffic path rather than in it, so it does not affect the stability of the existing network.
The following methods can be used to manage a network and block illegal connections from a bypass:
1. Sending a TCP reset packet.
2. Establishing temporary rules through linkage with gateway products.
3. ARP-based blocking.
First, TCP reset. Take an IDS as the example: an IDS is a typical network security device that listens through a bypass and blocks through TCP reset. When the IDS detects an illegal connection, it sends a TCP RST packet to both ends of the communication to actively tear the connection down. Each party's TCP stack interprets the RST as having come from its peer, so it stops the whole communication process, releases its buffers and discards all TCP state for the connection. At that moment the attack data may still be sitting in the target operating system's TCP/IP receive buffer, not yet delivered to the application; if the connection is aborted before the application reads it, the attack never takes effect. (How much already-queued data is still handed to the application before the reset error is reported differs between stacks, so the reset is only dependable when it arrives before the payload does.)
For the RST to work, the IDS must know the current sequence and acknowledgement numbers of the session; otherwise the receiving stack ignores it. A RST is only honoured if its sequence number is what the receiver expects: anywhere in the receive window under RFC 793, and exactly the next expected sequence number under RFC 5961, where an in-window but inexact RST is answered with a challenge ACK instead of aborting the connection. Suppose the receiver's next expected sequence number is 152. If the RST you send carries 142, the stack discards it as an invalid or damaged segment.
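The following is an added example, not code from the original article: it forges the two RST segments a bypass IDS would send for one observed segment, with the sequence numbers each endpoint will accept, and implements the receiver-side acceptance rule (RFC 793 and RFC 5961) that decides whether a RST is honoured, including the article's 152 versus 142 case. The sample segment and all addresses are constructed; nothing is transmitted.

```python
import socket
import struct

# Added example: forging the RST pair a bypass IDS sends, and the receiver-side
# acceptance rule that decides whether such a RST is honoured. Pure stdlib;
# nothing is transmitted, all segments are built and checked in memory.

RST, RST_ACK, PSH_ACK = 0x04, 0x14, 0x18


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"", window=65535):
    """Raw IPv4 + TCP segment without options, with both checksums filled in."""
    tcp_len = 20 + len(payload)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      5 << 4, flags, window, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """The fields a sensor needs from a captured segment."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x1FF
    payload_len = len(tcp) - (off_flags >> 12) * 4
    return dict(src=socket.inet_ntoa(pkt[12:16]), dst=socket.inet_ntoa(pkt[16:20]),
                sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                payload_len=payload_len, syn=bool(flags & 0x02), fin=bool(flags & 0x01))


def checksums_valid(pkt: bytes) -> bool:
    """True if both the IPv4 header checksum and the TCP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    tcp = pkt[ihl:total_len]
    pseudo = pkt[12:16] + pkt[16:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + tcp) == 0


def rst_pair(observed: bytes):
    """Given one observed segment A->B, forge the RST toward B (spoofing A) and toward A (spoofing B).

    B will next expect A's seq + payload length (+1 for SYN/FIN), so that is the seq of the RST sent to B.
    A will next expect the ACK number it just sent, so that is the seq of the RST sent to A.
    """
    p = parse_ipv4_tcp(observed)
    next_from_a = (p["seq"] + p["payload_len"] + p["syn"] + p["fin"]) & 0xFFFFFFFF
    to_b = ipv4_tcp_segment(p["src"], p["dst"], p["sport"], p["dport"], next_from_a, 0, RST, window=0)
    to_a = ipv4_tcp_segment(p["dst"], p["src"], p["dport"], p["sport"], p["ack"], next_from_a, RST_ACK, window=0)
    return to_b, to_a


def rst_disposition(rst_seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool = True) -> str:
    """How the receiving stack treats a RST whose sequence number is rst_seq.

    RFC 793: any in-window RST aborts the connection.
    RFC 5961: only seq == RCV.NXT aborts; an in-window but inexact RST gets a challenge ACK;
    anything outside the window is silently dropped either way.
    """
    if rst_seq == rcv_nxt:
        return "accept"
    if ((rst_seq - rcv_nxt) & 0xFFFFFFFF) >= rcv_wnd:
        return "drop"
    return "challenge-ack" if rfc5961 else "accept"


# Constructed sample: client 10.0.0.5:40000 -> server 10.0.0.9:80 carrying 10 payload bytes.
SAMPLE = ipv4_tcp_segment("10.0.0.5", "10.0.0.9", 40000, 80, 1000, 5000, PSH_ACK, b"GET / HTTP")

if __name__ == "__main__":
    to_server, to_client = rst_pair(SAMPLE)
    print("RST to server:", parse_ipv4_tcp(to_server))
    print("RST to client:", parse_ipv4_tcp(to_client))
    print("article's 142 vs 152 case:", rst_disposition(142, 152, 65535))
```

The sensor only ever sees the segment in flight, so the RST toward the server must be numbered from the client's sequence number plus the payload it just carried, and the RST toward the client from the acknowledgement number the client just sent; get either one wrong by more than the window and the stack drops it, as the 142 versus 152 case shows. On an RFC 5961 stack the IDS additionally has to hit RCV.NXT exactly, which makes the half-second capture delay described next even more damaging.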
On the other hand, every IDS has a delay in responding to an attack, because it takes time to capture the packet, recognise the attack, build the RST packet and finally send it. Many IDS capture packets with the libpcap library. Most IDS are built on BSD-like systems, and BSD captures with BPF (Berkeley Packet Filter), which by default collects packets in a large buffer and hands them to the application only when the buffer fills or a read timeout expires (newer libpcap versions can turn this buffering off with immediate mode). In a typical network the RST packet therefore goes out roughly half a second after the offending packet. On Linux and Solaris the latency is somewhat better, but there is always some delay.
In addition, TCP reset has serious limitations for network applications. It can only issue a block against a standard TCP connection and is powerless against UDP sessions, which have no connection state to reset. And some network applications are very persistent about their sessions: they simply reconnect after a reset, so the effect of RST packets on them is negligible.
By linking with a gateway product, the IDS can push a temporary rule to a firewall, or a temporary ACL entry to a router or switch, to block the current session.
This method has the following problems:
1. The first is the linkage protocol itself. "Linkage" has long been a fashionable concept in the network security field, but although it has been around for five or six years it is still not fully developed. Today linkage is implemented around one vendor's existing product: other vendors' products interconnect with the core vendor's product through semi-public SDKs. The result is that the products are linked, but their functions are not really linked.
2. Linkage information lags. Even if the IDS and the firewall have a good linkage mechanism, the process is that the IDS detects an illegal connection and generates a temporary rule, the rule is sent to the firewall, and the firewall applies it to block the connection. There are three latencies in this process: 1. the IDS detects the illegal connection and generates the temporary rule; 2. the rule is transmitted to the firewall; 3. the firewall applies the rule. The usual recommendation is that the total of these three steps stay under two seconds. But the IDS only acts once it has already seen the illegal connection, and if that connection carries a worm or a Trojan, a two-second delay is enough for the attack to succeed.
3. When a large-scale wave of illegal connections arrives, the IDS adds a temporary rule to the firewall for every session. The number of temporary rules inevitably balloons, firewall efficiency drops and packet forwarding is delayed, and in the worst case the firewall collapses and the network is interrupted.
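As an added example, not code from the article or from any vendor's linkage SDK, the following models the temporary-rule table a gateway receives from an IDS and reproduces the rule explosion of point 3 above: five constructed sources each opening a hundred illegal sessions cost the gateway five hundred rules when every session becomes a rule, and five rules when the table expires entries, collapses duplicates, aggregates a noisy source into one per-host rule, and enforces a hard cap. Class and function names, addresses and thresholds are all constructed for the example.

```python
import time
from collections import defaultdict

# Added example: a model of the temporary-rule table a gateway receives from an IDS,
# built to show the rule-explosion problem and the usual mitigations (expiry, dedupe,
# per-source aggregation, hard cap). It is not a vendor linkage SDK; all names are constructed.


class TempRuleTable:
    def __init__(self, ttl=120.0, per_source_threshold=5, max_rules=1000, clock=time.monotonic):
        self.ttl = ttl
        self.per_source_threshold = per_source_threshold
        self.max_rules = max_rules
        self.clock = clock
        self.rules = {}                          # rule key -> expiry time
        self.sessions_by_src = defaultdict(set)  # src ip -> 5-tuple keys currently installed

    def _expire(self):
        now = self.clock()
        for key in [k for k, exp in self.rules.items() if exp <= now]:
            del self.rules[key]
            if key[1] != "*":
                self.sessions_by_src[key[0]].discard(key)

    def block_session(self, src, dst, sport, dport, proto="tcp"):
        """Install a temporary block for one session. Returns the key actually installed:
        a 5-tuple, the per-host key (src, "*") once the source crosses the threshold,
        or None when the table is full."""
        self._expire()
        expiry = self.clock() + self.ttl
        host_key = (src, "*")
        if host_key in self.rules:             # already blocking the whole source: just refresh
            self.rules[host_key] = expiry
            return host_key
        key = (src, dst, sport, dport, proto)
        if key in self.rules:                  # duplicate alert for the same session: refresh
            self.rules[key] = expiry
            return key
        self.sessions_by_src[src].add(key)
        if len(self.sessions_by_src[src]) >= self.per_source_threshold:
            # Collapse: one scanning/worm source was about to cost N rules; make it one.
            for k in self.sessions_by_src.pop(src):
                self.rules.pop(k, None)
            self.rules[host_key] = expiry
            return host_key
        if len(self.rules) >= self.max_rules:  # hard cap protects the gateway's forwarding path
            self.sessions_by_src[src].discard(key)
            return None
        self.rules[key] = expiry
        return key

    def is_blocked(self, src, dst, sport, dport, proto="tcp"):
        self._expire()
        return (src, "*") in self.rules or (src, dst, sport, dport, proto) in self.rules

    def active_rule_count(self):
        self._expire()
        return len(self.rules)


def rules_after_scan(per_source_threshold, sources=5, sessions_per_source=100):
    """Constructed scenario: `sources` hosts each open `sessions_per_source` illegal sessions
    (a port scan or worm) and the IDS reports every one. Returns how many rules the gateway holds."""
    table = TempRuleTable(ttl=60.0, per_source_threshold=per_source_threshold,
                          max_rules=10_000, clock=lambda: 0.0)
    for i in range(sources):
        src = "203.0.113.%d" % (i + 1)
        for port in range(1, sessions_per_source + 1):
            table.block_session(src, "10.0.0.9", 40000 + port, port)
    return table.active_rule_count()


if __name__ == "__main__":
    print("per-session rules only:", rules_after_scan(per_source_threshold=10**9))
    print("collapse after 5 sessions:", rules_after_scan(per_source_threshold=5))
```

None of this removes the two-second detection-to-enforcement gap from point 2; it only keeps the gateway's rule set bounded so the linkage itself does not become the outage.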
Finally, ARP-based blocking. ARP spoofing, ARP poisoning and ARP attack are three names for the same technique. First the principle of ARP: ARP resolves an IP address to the matching MAC address. Every network device keeps an ARP table (cache) that temporarily remembers the IP-to-MAC mappings it has resolved, so that the device does not have to repeat an ARP request for a host it has recently communicated with. An ARP attack occurs when someone changes the IP-to-MAC information in a host's ARP table without authorisation. The blocker forges an ARP reply so that the host's ARP table holds a wrong MAC address for the gateway; the host can no longer reach the gateway, and so its connection is blocked.
This blocking method is very effective, but it brings a problem of its own. Because it poisons the host's mapping for the gateway rather than touching one session, it blocks not only the illegal connection but every legitimate connection from that host as well, which has a great impact on normal network applications.
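The following is an added example, not code from the article: it builds the forged ARP reply described above as a raw Ethernet frame, runs it through a simplified model of the victim's ARP cache to show that the gateway mapping (and with it every off-subnet flow of that host) is replaced, and runs the same frames through a bypass-side binding watch of the kind a sensor would use to notice the poisoning. The cache model, watch class and all addresses are constructed for the example.

```python
import struct

# Added example (not from the article): the forged ARP reply described above, built as raw bytes,
# a simplified host ARP cache showing its effect on the victim, and a sensor-side binding watch
# that flags the change. All addresses are constructed.

ETH_P_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def fmt_mac(b: bytes) -> str:
    return ":".join("%02x" % x for x in b)


def fmt_ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Ethernet frame carrying an ARP reply: '<sender_ip> is at <sender_mac>', unicast to the target.
    A poisoner fills sender_ip with the gateway's IP and sender_mac with a bogus address."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen 6, plen 4, reply
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the ARP fields of an Ethernet/ARP frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if hlen != 6 or plen != 4:
        return None
    return dict(op=op, sender_mac=fmt_mac(frame[22:28]), sender_ip=fmt_ip(frame[28:32]),
                target_mac=fmt_mac(frame[32:38]), target_ip=fmt_ip(frame[38:42]))


class ArpCache:
    """Simplified victim cache: like many stacks, it overwrites an existing entry on any reply
    without checking that it asked for one. That is the weakness the blocker relies on."""
    def __init__(self):
        self.table = {}

    def process(self, frame: bytes):
        p = parse_arp(frame)
        if p and p["op"] == ARP_REPLY:
            self.table[p["sender_ip"]] = p["sender_mac"]
        return p

    def next_hop_mac(self, ip: str):
        return self.table.get(ip)


class ArpWatch:
    """Bypass-side detector: remembers the first MAC seen for each IP and alerts on any change."""
    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None:
            return None
        old = self.bindings.get(p["sender_ip"])
        if old is not None and old != p["sender_mac"]:
            self.alerts.append((p["sender_ip"], old, p["sender_mac"]))
        self.bindings[p["sender_ip"]] = p["sender_mac"]
        return p


# Constructed addresses for the scenario.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:dd:ee:01"
BOGUS_MAC = "de:ad:be:ef:00:01"


def blocking_scenario():
    """Returns (gateway MAC before poisoning, gateway MAC after poisoning, detector alerts)."""
    victim, watch = ArpCache(), ArpWatch()
    legit = build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)
    victim.process(legit)
    watch.observe(legit)
    before = victim.next_hop_mac(GATEWAY_IP)
    forged = build_arp_reply(BOGUS_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP)  # the blocker's packet
    victim.process(forged)
    watch.observe(forged)
    after = victim.next_hop_mac(GATEWAY_IP)
    return before, after, watch.alerts


if __name__ == "__main__":
    print(blocking_scenario())
```

The scenario makes the side effect of the previous paragraph concrete: the cache holds one MAC per IP, so once the gateway entry points at the bogus address every frame the victim sends toward any off-subnet destination goes to the wrong place, not just the frames of the session the IDS objected to. The same frames also show why this kind of blocking is noisy: any sensor that tracks IP-to-MAC bindings sees the gateway's address change and raises an alert.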
In conclusion, bypass blocking is not feasible in practical application.