Hackers break through several common firewall Technologies

I. Basic principles of Firewall

First, we need to understand some basic firewall implementation principles. Currently, firewalls are mainly used for packet filtering, packet filtering for status detection, and application layer proxy firewalls. However, their basic implementations are similar.

│ --- Router ----- Nic │ firewall │ Nic │ ---------- internal network │

Generally, a firewall has more than two network cards, one connecting to an external server and the other connecting to an internal network. When the host network forwarding function is enabled, the network communication between two NICs can pass through directly. When there is a firewall, it is like inserting it between NICs to control all network communication.

When it comes to Access Control, this is the core of the firewall :). The firewall mainly uses an access control table to determine its form, which is generally a series of the following rules:

1 accept from + Source Address, port to + Destination Address, port + action

2 deny... (deny means deny ..)

3 nat... (nat refers to address translation. Later)

After the firewall receives network data packets at the network layer (including the following refining workers), it will match them one by one from the above rules. If yes, it will execute the pre-arranged action! Such as discarding a package ....

However, different firewalls differ in implementation when determining attack behavior. The following describes possible attacks based on the Implementation Principles.

Ii. Attack Packet Filtering Firewall

The packet filtering firewall is the simplest one. It intercepts network packets at the network layer and detects attack behavior according to the firewall rule table. It filters data packets based on their source IP addresses, destination IP addresses, TCP/UDP source ports, and TCP/UDP destination ports !! Attackers are vulnerable to the following attacks:

1. ip Spoofing Attack:

This attack mainly modifies the data packet source, destination address, and port, and imitates some valid data packets to cheat the firewall's detection. For example, an external attacker can change his datagram source address to an internal network address, and the firewall will allow the attacker to view the valid address :). However, if the firewall can match the interface and address, the attack will fail :(

2. DoS Attacks

The simple packet filtering Firewall cannot track the tcp status and is vulnerable to DoS attacks. o. s attack, he may be busy with processing, and forget his own filtering function. :) You can repeat it, but there are few such attacks .!

3. multipart attack

The principle of this attack is: in the IP segment package, all the segment packages use a part offset field to mark the order of the segment package. However, only the first segment contains information about the TCP port number. When an IP shard package uses a group to filter out the firewall, the firewall only determines whether the packet is allowed to pass through the Tcp information of the first shard package. Other subsequent shards are not checked by the firewall and pass the packet directly.

In this way, attackers can first send the first valid IP segment to defraud the firewall for detection, and then encapsulate the next packet segment of malicious data to directly penetrate the firewall, directly reach the internal network host, which threatens the security of the network and host.

4. Trojan attack

The most effective attack to the packet filtering Firewall is a trojan. Once you install a Trojan on the internal network, the firewall is basically powerless.

The reason is: packet filtering firewalls generally only filter low ports (1-1024), but they cannot filter high ports (because some services need to use high ports, so the firewall cannot close the high port), so many Trojans are waiting to open the high port, such as glaciers and subseven...

However, the premise of a Trojan attack is that you must first upload and run the trojan. it is easy for a simple packet filtering firewall. This is not written here. It is probably to exploit the service vulnerabilities open to internal network hosts.

Early firewalls were such simple bag filters, and so far they have very few. The current packet filtering technology is the state detection technology. Next we will talk about the state detection packet filtering firewall.

3. packet filtering for attack status detection

Status detection technology was first proposed by checkpoint, and many firewalls in China claim to have implemented status detection technology.

However, many of them are not implemented. What is status detection?

In a word, status detection is a technology that tracks detection from the establishment of tcp connections to termination.

The original packet filter uses a separate packet to match the rule. However, we know that for the same tcp connection, its data packets are associated before and after, first syn packets,-> data packets => fin packets. The serial numbers before and after data packets are related.

If these relationships are separated and data packets are filtered separately, they are easily spoofed by specially crafted attack data packets !!! For example, nmap Attack Scanning uses syn packets, fin packets, and reset packets to detect the networks behind the firewall .!

On the contrary, a full state detection firewall determines when it initiates a connection. if it complies with the rules, it registers the connection status information (address, port, option) in the memory ..), Subsequent data packets belonging to the same connection do not need to be detected. Directly pass. Some specially crafted attack packets are discarded because they do not register the corresponding status information in the memory. In this way, these attack packets cannot pass through the firewall.

State detection must mention the dynamic rule technology. In status detection, dynamic rules are used to solve the problem of high ports. The implementation principle is: In normal times, the firewall can filter all ports in the internal network (1-65535). It is difficult for external attackers to find the entry point for intrusion, but in order not to affect normal services, when the firewall detects that the Service must open a high port, such as the ftp protocol and irc, the firewall can dynamically Add a rule in the memory to open the relevant High port. After the service is completed, the rule is deleted by the firewall. In this way, security is ensured, and normal services are not affected. The speed is also fast .!

In general, the status detection technology firewall is fully implemented, with high intelligence and automatic response to some scanning attacks. Therefore, attackers must be careful before they can be detected.

However, there are also many attack methods to deal with such firewalls.

1. Protocol tunnel attack

The Protocol tunnel attack idea is similar to the VPN implementation principle. Attackers can hide some malicious attack packets in the header of some protocol groups to penetrate the firewall system to attack internal networks.

For example, many firewalls that allow ICMP echo requests, ICMP echo responses, and UDP groups to pass are vulnerable to ICMP and UDP tunneling attacks. Loki and lokid (attacked client and server) are effective tools for implementing such attacks. In actual attacks, the attacker must first install the lokid server on a system in the internal network, and then the attacker can use the loki client to remotely execute the attack command (corresponding to the IP Group) embedded in the ICMP or UDP packet header, and then sent to the internal network server lokid, which executes the command and returns the result in the same way. By

Because many firewalls allow access from ICMP and UDP groups, attackers can attach malicious data to normal groups to bypass firewall authentication, the command below successfully reaches the target host is used to start the lokid server program:

Lokid-p CI Cvl

The loki client program is started as follows:

Loki Cd172.29.11.191 (target host)-p CI Cv1 Ct3

In this way, lokid and loki jointly provide a backdoor that passes through the firewall system to access the target system.

2. FTP-pasv bypass Firewall Authentication attacks

FTP-pasv attacks are one of the most important means to intrude into the firewall. Currently, many firewalls cannot filter such attacks. For example, the CheckPoint Firewall-1 looks for the "227" string in each package while monitoring the FTP server's packet sent to the client. If such a package is found, the target address and port are extracted from the package, and the target address is verified. After the package is passed, the TCP connection to the address is allowed.

With this feature, attackers can try to connect to servers and services protected by the firewall.

3. Bounce Trojan attack

A bounce Trojan is the most effective way to deal with such a firewall. The attacker regularly connects to a host controlled by an external attacker through a rebound trojan in the internal network. Because the connection is initiated internally, the firewall (any firewall) considers it a legal connection, therefore, the blind zone of the firewall is basically here. Firewalls cannot distinguish between Trojan connections and legitimate connections.

But the limitation of this attack is: you must first install this Trojan !!! The first step of all Trojans is critical!

Iv. Attack proxy

A proxy is a firewall running on the application layer. In essence, it starts two connections: one is from the customer to the proxy, and the other is from the proxy to the target server.

The implementation is relatively simple, just like the previous one, filtering based on rules. Because the running speed on the application layer is slow/1

There are many attack proxy methods.

Here we will take wingate as an example to briefly describe it. (Too tired)

WinGate is a Windows 95/NT proxy firewall software widely used. Internal users can access the external network through a host installed with WinGate, but it also has several security vulnerabilities.

Hackers often exploit these security vulnerabilities to obtain unauthorized Web, Socks, and Telnet access from WinGate, thus disguising them as the identity of the WinGate host to launch attacks against the next attack target. Therefore, such attacks are very difficult to track and record.

Most of the causes of WinGate security vulnerabilities are that the Administrator does not properly set the WinGate proxy firewall software based on the actual network conditions, but simply allows the software to run after the default settings are installed, this gives attackers the opportunity.

1. Unauthorized Web Access

Some WinGate versions (such as 2.1d running in the NT System) allow external hosts to access the Internet completely anonymously under misconfiguration. Therefore, external attackers can use the WinGate host to launch various Web attacks (such as CGI vulnerability attacks) on the Web server ), at the same time, because all Web attack packets pass through Tcp port 80, it is difficult to track the attacker's source.

Detection

The following method can be used to detect a security vulnerability on a WinGate Host:

1) connect to the Internet with a non-filtered connection (for example, a dial-up connection.

2) direct the proxy server address of the browser to the WinGate host to be tested.

If the browser can access the Internet, the WinGate host has an unauthorized Web Access Vulnerability.

2. Unauthorized Socks access

In the default configuration of WinGate, Socks proxy (Tcp port 1080) also has a security vulnerability. As with the Web Proxy (Tcp port 80), external attackers can use the Socks proxy to access the Internet.

Prevention

To prevent the security vulnerability of WinGate attacks, administrators can restrict the binding of specific services. On a multi-host system, perform the following steps to limit how proxy services are provided.

1. Select Socks or WWWProxyServer.

2. Select the Bindings tag.

3. Press ConnectionsWillBeAcceptedOnTheFollowingInterfaceOnly and specify the internal interface of the WinGate server.

Unauthorized Telnet access

WinGate is the most threatening security vulnerability. By connecting to the Telnet service of a misconfigured inGate server, attackers can use others' hosts to hide their traces and launch attacks at will.

Detection

The following method can be used to detect a security vulnerability on a WinGate Host:

1. Use telnet to connect to a WinGate server.

[Root @ happy/tmp] # telnet172.29.11.191

Trying172.29.11.191 ....

Connectedto172.29.11.191.

Escapecharacteris '^]'.

Wingate> 10.50.21.5

2. If the above response text is received, enter the website to be connected.

3. If you see a logon prompt for the new system, the server is vulnerable.

Connectedtohost10.50.21.5... Connected

SunOS5.6

Login:

Countermeasure

The method to prevent this security vulnerability is similar to that to prevent unauthorized Socks access. This problem can be solved simply by limiting the binding of specific services in WinGate. Generally, the system administrator of a multihost system can perform the following steps:

1. Select the TelnetSever attribute.

2. Select the Bindings tag.

3. Press ConnectionsWillBeAcceptedOnTheFollowingInterfaceOnly and specify the internal interface of the WinGate server.

V. Post

The attack with a firewall is not just one of the above points. If I have something wrong, let's say it.

For a long time, hackers have been studying the techniques and techniques used to attack the firewall. The attack techniques and techniques are becoming more and more intelligent and diversified. However, the process of attacking the firewall by hackers may be divided into three types of attacks.

The first type of attack firewall is to detect which firewall system is installed on the target network and find out which services the firewall system allows. We call it a firewall attack detection.

The second type of attack firewall is to bypass the firewall's authentication mechanism by means of address spoofing, TCP serial number attacks, and thus damage the firewall and internal network.

The third type of attack firewall is to find, use the firewall system to implement and design security vulnerabilities to launch targeted attacks. This attack is difficult, but destructive.