Modifies IP addresses or TCP/IP headers to forge IP addresses to interact with webpages.

Source: Internet
Author: User
Tags: connection reset

In a sense, if a TCP pseudo-connection can be created, a DoS becomes easier to implement. liond8 previously used this idea to build a new kind of DoS, and I use the same idea here. However, simply forging a TCP three-way handshake without any further processing does not work. When the target host receives the forged SYN packet we sent, it sends back a SYN+ACK packet (the second handshake). When our system receives that SYN+ACK, it replies with an RST packet, because our system never initiated a real TCP connection, and that RST resets the connection on the target host. The pseudo-connection therefore fails to be established.
There are many ways around this; the method I use here is ARP spoofing. First, we ARP-spoof the target host so that it believes we are another machine on the same network segment. Then we initiate a TCP pseudo-connection to the target host under that disguise. Even though the target host returns a SYN+ACK, that packet never enters our system's TCP stack (its destination IP address is the address of the host we are impersonating, not our own), so our system sends no RST to the target host.
For example, suppose we are host A and want to attack host B. First we impersonate host C in order to ARP-spoof B (we send B an ARP reply carrying C's IP address and A's MAC address). B's ARP cache then records A's MAC address for C's IP address. Next we construct a SYN packet with C's IP address as the source and initiate a pseudo TCP connection to B. When B receives the SYN, it builds a SYN+ACK and sends it to C; but because B's ARP cache maps C's IP address to A's MAC address, the SYN+ACK is actually delivered to A. A's system will discard the packet (its destination IP address is C's, not A's), but we can still read the data frame directly from the link layer. After obtaining the SYN+ACK, we again pretend to be C and send an ACK back to B to complete the third handshake. The three-way handshake is now complete and the pseudo-connection is established.
Once the pseudo-connection is established, we can keep sending data to the target host to keep the TCP connection alive.
Several points need attention here. First, to ensure that the target host's ARP cache is not changed during the attack, we must keep ARP-spoofing it continuously. Second, if the impersonated host itself communicates with the target host during the attack, it will refresh the target's ARP cache and disrupt the attack; to prevent this, we can also ARP-spoof the impersonated host, which increases the chance of success.
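The attack just described leaves a clear footprint on the wire, and that is what a defender monitors for. The following passive detector is an added example, not code from the original article: it reads a stream of ARP replies and raises the three signals the ARP-spoofing pseudo-connection produces, namely an IP address whose MAC binding changes, one MAC address answering for several IP addresses, and a burst of replies for a single IP address (the attacker must keep re-poisoning the cache). The addresses, MACs and timestamps are constructed sample data; the window and threshold values are assumptions chosen for the sample.

```python
"""Passive ARP-spoofing detector (added example; not code from the original article).

It watches a stream of ARP replies and flags the signals the attack above
produces on the wire: an IP address whose MAC changes, one MAC claiming
several IP addresses, and a burst of replies for one IP (the attacker has
to keep re-poisoning the cache).  The sample replies are constructed.
"""
from collections import defaultdict, deque

REPLY_WINDOW_SECONDS = 10.0   # sliding window for the reply-rate check (assumed value)
REPLY_FLOOD_THRESHOLD = 3     # more replies than this for one IP in the window is suspicious

# Constructed sample: (timestamp, sender IP, sender MAC) taken from ARP replies.
# Host A is 192.0.2.10 / ...:0a, host C is 192.0.2.12 / ...:0c.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.0.2.10", "02:00:00:00:00:0a"),  # A announces itself (legitimate)
    (0.5, "192.0.2.12", "02:00:00:00:00:0c"),  # C announces itself (legitimate)
    (1.0, "192.0.2.12", "02:00:00:00:00:0a"),  # C's IP now claims A's MAC: poisoning starts
    (2.0, "192.0.2.12", "02:00:00:00:00:0a"),  # repeated to keep the cache poisoned
    (3.0, "192.0.2.12", "02:00:00:00:00:0a"),
]


def analyze_arp_replies(replies, window=REPLY_WINDOW_SECONDS, threshold=REPLY_FLOOD_THRESHOLD):
    """Return alert dicts, in order of detection, for suspicious ARP reply patterns."""
    ip_to_mac = {}                     # last MAC seen for each IP
    mac_to_ips = defaultdict(set)      # all IPs each MAC has claimed
    reported_claims = set()            # (mac, ip) pairs already alerted on
    recent = defaultdict(deque)        # per-IP reply timestamps inside the window
    flood_reported = set()
    alerts = []

    for ts, ip, mac in replies:
        mac = mac.lower()

        # 1. The MAC bound to an IP changed.
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"type": "ip_mac_changed", "ts": ts, "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac

        # 2. One MAC answers for more than one IP (alert once per new claim).
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1 and (mac, ip) not in reported_claims:
            reported_claims.add((mac, ip))
            alerts.append({"type": "mac_claims_multiple_ips", "ts": ts, "mac": mac,
                           "ips": sorted(mac_to_ips[mac])})

        # 3. Too many replies for one IP inside the sliding window (alert once per IP).
        times = recent[ip]
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        if len(times) > threshold and ip not in flood_reported:
            flood_reported.add(ip)
            alerts.append({"type": "reply_flood", "ts": ts, "ip": ip, "count": len(times)})

    return alerts


if __name__ == "__main__":
    for alert in analyze_arp_replies(SAMPLE_ARP_REPLIES):
        print(alert)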

 

TCP Sequence Number Prediction
IP only delivers datagrams and checks their integrity. If a complete IP packet cannot be received, IP sends an ICMP error message to the source address, expecting it to resend, but that message may itself be lost. Because IP is connectionless, it keeps no connection state; each IP packet is sent on its own, with no relation to the packets before or after it. It follows that the IP stack can be modified so that any IP address meeting the format requirements can be placed in the source and destination fields, that is, a forged IP address can be supplied.
TCP provides reliable transport. Reliability comes from the multi-bit control fields in the segment, the most important being data sequencing and data acknowledgement, expressed by SYN and ACK respectively. TCP assigns a sequence number to every data byte and acknowledges the data sent to the receiving address (the sequence acknowledged by the destination's ACK is the source's data sequence, not the sequence of the packets the destination sends itself). The ACK also carries the sequence number it expects to receive next. Clearly, the reliability provided by TCP is harder to fool than IP.
Sequence Numbers, Acknowledgements and Other Flag Information
Because TCP is built on reliability, it can provide mechanisms for handling packet loss, duplication, reordering and other adverse conditions. TCP ensures reliable transport by assigning sequence numbers to all transmitted bytes and expecting the receiver to acknowledge the data the sender transmitted. The receiver uses the sequence numbers to keep the data in order and to discard duplicate packets. A TCP sequence number can be thought of as a 32-bit counter ranging from 0 to 2^32-1. The data exchanged over each TCP connection (identified by a particular flag) is numbered sequentially. In a TCP packet, the sequence number identifier (SYN) is defined at the front of the data segment. ACK acknowledges received data and specifies the sequence number of the data expected next.
TCP uses the sliding window concept for flow control. When the sender transmits quickly but the receiver consumes slowly, flow control is needed to coordinate the pace of both sides so that no data is lost. The sliding window can be understood as the buffer size offered by the receiver: TCP uses it to tell the sender how much buffer is available for the data it sends. Because the window field is 16 bits wide, the receiving TCP can offer a buffer of at most 65535 bytes. The window size and the sequence number of the first byte therefore give the maximum data sequence number that can be accepted.
Other TCP flag bits include RST (reset the connection), PSH (push function) and FIN (the sender has no more data). If an RST is received, the TCP connection is torn down immediately. RST is usually sent when a receiver gets a packet unrelated to the current connection. In some cases the TCP module needs to transmit data immediately rather than waiting for a full segment; a higher-level process sets the PSH flag in the TCP header to tell the TCP module to send all queued data to the receiver at once. FIN indicates that the application's connection has ended; when the receiver gets a FIN, it knows that no more data will arrive.
The TCP sequence number prediction vulnerability was first described by Morris. He used sequence number prediction to generate a valid TCP packet sequence even without receiving any response from the server, which allowed him to spoof hosts on the local network.
A TCP connection is normally established through a sequence of three handshakes. The client chooses and transmits an initial sequence number (SEQ field) ISN C and sets the flag SYN = 1 to tell the server it wants to open a connection. The server acknowledges this, sends its own sequence number ISN S, sets the ACK flag, and indicates the next data sequence number it expects. The client acknowledges again. After these three exchanges, data transmission begins. The whole process is as follows (C: client, S: server):
C---S: SYN (ISN C)
S---C: SYN (ISN S), ACK (ISN C)
C---S: ACK (ISN S)
C---S: data or S---C: data
That is, for a session, C must acknowledge ISN S, and ISN S may be a random number.
It is important to understand how the initial sequence number is chosen and how it changes over time. One might expect the sequence number to be initialized to 1 when the host boots, but that is not the case. The initial sequence number is determined by the tcp_init function. The ISN increases by 128000 per second, and each time a connection is made the counter increases by a further 64000. This means that, with no connections, the 32-bit ISN counter wraps every 9.32 hours. The purpose is to minimize the chance that segments from an old connection interfere with the current one; this relies on the 2MSL wait time concept (not covered in this article). If the initial sequence number were chosen at random, the current sequence number could not be guaranteed to differ from an earlier one: a packet stuck in a routing loop that escapes and arrives at an "old" connection (actually a different connection from the earlier one) would interfere with the existing connection.
Suppose an intruder X has a way of predicting ISN S. He can then send the following sequence to host S, impersonating the real client T:
X---S: SYN (ISN X), src = T
S---T: SYN (ISN S), ACK (ISN X)
X---S: ACK (ISN S), src = T
Although the message S---T does not reach X, X knows its contents and can therefore send data. If X attacks a connection that permits command execution, other commands can be run as well.
So how are ISNs generated? In the Berkeley system, the initial sequence number variable is incremented by a constant once per second, and by half that constant each time a connection is started. Thus, if you open a legitimate connection and observe the ISN S in use, you can calculate with high confidence the ISN S that will be used for the next connection attempt.
Morris pointed out that the reply message
S---T: SYN (ISN S), ACK (ISN X)
does not actually disappear: the real host T receives it and tries to reconnect. This is not a serious obstacle.
Morris found that by impersonating a port on T and requesting a connection to it, he could produce a sequence overflow, making it appear that the S---T messages were lost. Another method is to wait until T is known to be shut down or rebooting.
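The reason the Berkeley-style counter is dangerous, and what replaced it, is easiest to see in code. The block below is an added example, not code from the original article or from any operating system: it models the counter the article describes (128000 per second plus 64000 per connection, assumed to start at 0 at boot), models the per-connection hashed offset that RFC 6528 recommends instead (ISN = M + F(localip, localport, remoteip, remoteport, secretkey), with SHA-256 truncated to 32 bits standing in for F and a 4-microsecond clock as M), and provides a small audit that classifies a series of ISNs observed from connections made at equal spacing as predictable or not, the same kind of check that network scanners report as ISN predictability. All addresses, ports, the secret and the tolerance are constructed values.

```python
"""ISN generator audit: Berkeley-style counter vs. RFC 6528 (added example).

Not code from the original article. It models the counter the article
describes, the keyed per-connection offset that RFC 6528 recommends instead,
and a small audit that classifies a series of observed ISNs as predictable
or not.  All sample values are constructed; nothing here touches a network.
"""
import hashlib

TWO32 = 1 << 32
BERKELEY_PER_SECOND = 128000       # increment per second, as stated in the article
BERKELEY_PER_CONNECTION = 64000    # extra increment for each new connection


def berkeley_isn(seconds_since_boot, connections_so_far):
    """Model of the old deterministic ISN counter (assumed to start at 0 at boot)."""
    return (BERKELEY_PER_SECOND * seconds_since_boot
            + BERKELEY_PER_CONNECTION * connections_so_far) % TWO32


def rfc6528_isn(clock_4us, local_ip, local_port, remote_ip, remote_port, secret):
    """ISN = M + F(localip, localport, remoteip, remoteport, secretkey) (RFC 6528).

    M is a clock ticking every 4 microseconds; F is a keyed hash.  SHA-256
    truncated to 32 bits stands in for F here (an implementation choice of
    this example, not a requirement of the RFC).
    """
    msg = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode() + secret
    offset = int.from_bytes(hashlib.sha256(msg).digest()[:4], "big")
    return (clock_4us + offset) % TWO32


def signed_delta(previous, current):
    """Difference of two 32-bit sequence numbers, accounting for wrap-around."""
    d = (current - previous) % TWO32
    return d - TWO32 if d >= TWO32 // 2 else d


def isn_predictability(isns, tolerance=1 << 16):
    """Classify ISNs observed from successive connections made at equal spacing.

    A pure counter yields identical deltas, so their spread is near zero and
    the next value follows by extrapolation.  A keyed per-connection offset
    scatters the deltas over the whole 32-bit space.
    """
    if len(isns) < 3:
        raise ValueError("need at least three samples")
    deltas = [signed_delta(isns[i - 1], isns[i]) for i in range(1, len(isns))]
    spread = max(deltas) - min(deltas)
    median = sorted(deltas)[len(deltas) // 2]
    return {
        "deltas": deltas,
        "spread": spread,
        "verdict": "predictable" if spread < tolerance else "unpredictable",
        "next_guess": (isns[-1] + median) % TWO32,
    }


if __name__ == "__main__":
    # One connection per second: the counter model gives a constant delta.
    counter = [berkeley_isn(t, t + 1) for t in range(5)]
    print("counter:", isn_predictability(counter))
    # RFC 6528 style, observed across different source ports: no usable pattern.
    secret = b"constructed-secret-key"
    hashed = [rfc6528_isn(t * 250_000, "192.0.2.10", 40000 + t, "192.0.2.20", 80, secret)
              for t in range(5)]
    print("rfc6528:", isn_predictability(hashed)["verdict"])
```

Two details are worth noting. For the counter model the audit reports a spread of zero and its extrapolated next value equals what the counter actually produces, which is exactly the "calculate with high reliability" property the article attributes to the Berkeley scheme. For the RFC 6528 model the offset depends on the full four-tuple and a secret, so samples gathered on the auditor's own connections say nothing about the ISN that will be issued to a different client address, which is the case the spoofing scenario above relies on; within one four-tuple the ISN still advances monotonically with the clock, by design, so that old segments do not collide with a new incarnation of the same connection.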
IP Spoofing
IP spoofing consists of several steps. We first outline them briefly and then explain each in detail.
First, the target host is chosen. Second, the trust relationship is discovered and a host trusted by the target is identified. To carry out IP spoofing, the attacker then does the following: puts the trusted host out of action, samples the TCP sequence numbers issued by the target host and guesses its next sequence number, and then, impersonating the trusted host, establishes an application connection with the target host that relies on address-based authentication. If this succeeds, the attacker can use a simple command to plant a backdoor on the system for unauthorized access.
Putting the Trusted Host Out of Action
Once a trusted host is found, it is usually disabled so that it can be impersonated. Because the attacker is taking the place of the genuinely trusted host, he must make sure that the genuine host receives no valid network data; otherwise the real host will expose the deception. There are many ways to do this; here we introduce the TCP SYN flood.
As described above, the first step in establishing a TCP connection is for the client to send a SYN request to the server. The server normally replies with a SYN/ACK to the client, which it identifies by IP address. The client then sends an ACK to the server, after which data can flow. However, the TCP processing module has a limit on the number of concurrent SYN requests, which can be thought of as the length of the queue holding pending connections. That count includes connections whose three-way handshake has not yet completed as well as those that have completed the handshake but have not yet been accepted by the application. Once the queue limit is reached, TCP rejects all further connection requests until some of the queued connections are processed. This gives an opening to exploit.
The attacker typically sends a large number of SYN requests to the target TCP port, using valid but false source IP addresses (the hosts owning those addresses may not even be up). The attacked host sends responses to those IP addresses, but no reply ever comes back. At the same time, IP may notify the attacked host's TCP that the destination host is unreachable; unfortunately TCP treats this as a temporary error and keeps trying (for example, continuing to route the IP packets and resend SYN/ACKs) until it concludes that the connection cannot be made.
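The queue-exhaustion mechanism in the two paragraphs above, and the symptoms a defender watches for, are illustrated by the following added example (not code from the original article, and a simplified model rather than any real TCP stack). ListenQueue is a bounded table of half-open connections that fills up when SYNs arrive from addresses that never complete the handshake, after which further SYNs, including those of legitimate clients, are dropped; syn_flood_alerts reports many sources that send SYNs but never ACK, and a backlog that overflowed. The backlog size, timeout, thresholds, addresses and event timeline are all constructed values.

```python
"""Listen-queue model and SYN-flood detector (added example; not from the original article).

ListenQueue models the behaviour the text describes: a bounded queue of
half-open connections that fills up when SYNs arrive from addresses that
never complete the handshake, after which new SYNs are dropped.
syn_flood_alerts() then reports the symptoms a defender would look for.
All events below are constructed sample data.
"""
from collections import defaultdict

BACKLOG_MAX = 5            # deliberately tiny so the sample fills it (assumed value)
HALF_OPEN_TIMEOUT = 60.0   # seconds before an unanswered SYN-ACK entry is given up (assumed)


class ListenQueue:
    def __init__(self, backlog_max=BACKLOG_MAX, timeout=HALF_OPEN_TIMEOUT):
        self.backlog_max = backlog_max
        self.timeout = timeout
        self.half_open = {}       # (src_ip, src_port) -> time of the SYN
        self.established = 0
        self.dropped_full = 0     # SYNs refused because the queue was full

    def expire(self, now):
        """Drop half-open entries whose SYN-ACK went unanswered for too long."""
        for key, ts in list(self.half_open.items()):
            if now - ts > self.timeout:
                del self.half_open[key]

    def on_syn(self, now, src_ip, src_port):
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.half_open:
            return "retransmit"          # same client retrying, already queued
        if len(self.half_open) >= self.backlog_max:
            self.dropped_full += 1
            return "dropped"             # queue exhausted: legitimate clients suffer too
        self.half_open[key] = now
        return "queued"                  # the server would send its SYN-ACK here

    def on_ack(self, now, src_ip, src_port):
        key = (src_ip, src_port)
        if key not in self.half_open:
            return "no_match"
        del self.half_open[key]
        self.established += 1
        return "established"


def replay(events, queue=None):
    """Feed (ts, kind, src_ip, src_port) events to a queue; return per-source counts and the queue."""
    queue = queue if queue is not None else ListenQueue()
    per_source = defaultdict(lambda: {"syn": 0, "ack": 0})
    for ts, kind, ip, port in sorted(events):
        if kind == "SYN":
            per_source[ip]["syn"] += 1
            queue.on_syn(ts, ip, port)
        elif kind == "ACK":
            per_source[ip]["ack"] += 1
            queue.on_ack(ts, ip, port)
    return per_source, queue


def syn_flood_alerts(per_source, queue, min_silent_sources=4):
    """Flag many sources that send SYNs but never ACK, and a backlog that overflowed."""
    silent = sorted(ip for ip, c in per_source.items() if c["syn"] > 0 and c["ack"] == 0)
    alerts = []
    if len(silent) >= min_silent_sources:
        alerts.append({"type": "half_open_flood", "sources_without_ack": len(silent),
                       "sources": silent})
    if queue.dropped_full > 0:
        alerts.append({"type": "backlog_exhausted", "dropped": queue.dropped_full,
                       "half_open": len(queue.half_open)})
    return alerts


# Constructed sample: one legitimate client, six SYNs from spoofed sources that never
# answer, then a second legitimate client that finds the queue full and retries.
SAMPLE_EVENTS = (
    [(0.0, "SYN", "192.0.2.50", 50000), (0.1, "ACK", "192.0.2.50", 50000)]
    + [(1.0 + 0.1 * i, "SYN", f"198.51.100.{i + 1}", 1000 + i) for i in range(6)]
    + [(2.0, "SYN", "192.0.2.51", 50001), (3.0, "SYN", "192.0.2.51", 50001)]
)

if __name__ == "__main__":
    per_source, queue = replay(SAMPLE_EVENTS)
    print(syn_flood_alerts(per_source, queue))
```

In the sample the first client completes its handshake, the sixth spoofed SYN and both attempts of the second legitimate client are refused because the five half-open entries occupy the whole backlog, and the second client therefore also appears among the "silent" sources; the overflow counter is what distinguishes collateral damage from the flood itself. Real stacks avoid keeping per-SYN state under pressure by using SYN cookies (RFC 4987 describes the problem and the mitigations), and a sensor using the logic above would additionally compare the half-open count against the server's configured backlog rather than a constant.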
