Network Spoofing Methods: Attack and Defense

Source: Internet
Author: User

Luring the enemy is a very practical tactic. Military strategists, politicians, and entrepreneurs, ancient and modern, Chinese and foreign, have all discussed it, and network attack and defense is no exception: system administrators use this tactic too. Every network system has security vulnerabilities, and if the system is of high value, intruders may exploit them. Usually, people take the initiative to patch these vulnerabilities or defects. A skilled system administrator can go further and make intruders believe that the system has security defects, directing them to these false resources, that is, "luring the enemy in deep". Of course, to win we also need to "know ourselves and know the enemy". Administrators can also track intruders and fix possible system security vulnerabilities before the intruders get to them. This can be vividly compared to "leading a bull by the nose".

I. Exploring network spoofing methods

Network administrators and intruders are always at odds with each other at work. It is hard to say what their roles are outside of work. In practice, we can use reverse thinking to guess the intruder's attack techniques and intentions, lead him by the "nose" so that he makes the choices we have designed for him, and gradually consume his resources. In this way, the intruder may still feel that reaching the expected goal is a challenge. In general, the methods of network spoofing can be considered from the following aspects.

1. Bait: Honey Pot and distributed Honey Pot

The earliest use of network spoofing is Honey Pot technology, which works like bait. It places a small number of attractive targets (the Honey Pots) where intruders can easily discover them, so that they fall into the trap. Many technical means are used, including inserting false information and hiding. The former includes route redirection, forged information, and traps. The latter includes hiding services, multiple paths, and keeping security status information confidential. In this way, intruders concentrate their skill and energy on the Honey Pot instead of on the truly valuable normal systems and resources. The bait must therefore be as "tasty" as possible.

Although a Honey Pot can be switched quickly, it has little effect on even a slightly advanced network intrusion. Distributed Honey Pot technology therefore came into being. It spreads Honey Pots among the normal systems and resources of the network and uses idle service ports to act as spoofing services, which increases the chance that intruders are deceived. Distributed Honey Pot technology has two direct effects: it distributes the spoofing over a wider range of IP addresses and port space, and it increases the proportion of spoofing across the network, so that intruders are more likely to discover the spoofing than a security vulnerability.

Distributed Honey Pot technology is not perfect, and its limitations show in three ways: first, it does not work against network scans that exhaustively search the entire space; second, it provides only relatively low spoofing quality; third, it only reduces the security vulnerabilities of the entire search space. A more serious drawback is that the technology is only effective against remote scanning. If the intruder has already partially entered the network system and is in an observation phase (such as sniffing) rather than an active scanning phase, the real network services are transparent to the intruder and the deception is ineffective.
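As an added illustration of using idle service ports as spoofing (example code, not from the original article), the sketch below listens on ports that no real service uses and records every connection attempt, since nothing legitimate should ever connect to them. The class name `DecoyPorts`, the event fields and the timeouts are assumptions made for this example.

```python
import socket
import threading
from datetime import datetime, timezone


class DecoyPorts:
    """Listen on idle ports that no real service uses; log every connection."""

    def __init__(self, host, ports):
        self.events = []                      # one dict per connection attempt
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._socks = []
        for port in ports:
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))            # port 0: the OS picks a free port
            srv.listen(16)
            srv.settimeout(0.2)               # lets the loop notice close()
            self._socks.append(srv)
            threading.Thread(target=self._serve, args=(srv,), daemon=True).start()

    @property
    def bound_ports(self):
        return [s.getsockname()[1] for s in self._socks]

    def _serve(self, srv):
        decoy_port = srv.getsockname()[1]
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            except OSError:                   # listener closed
                return
            with conn:
                conn.settimeout(2.0)
                try:
                    first = conn.recv(256)    # kept for triage; nothing is sent back
                except OSError:
                    first = b""
            with self._lock:
                self.events.append({
                    "time": datetime.now(timezone.utc).isoformat(),
                    "src_ip": src_ip, "src_port": src_port,
                    "decoy_port": decoy_port, "first_bytes": first,
                })

    def close(self):
        self._stop.set()
        for srv in self._socks:
            srv.close()
```

Because these listeners only react to inbound connections, they share the limitation described above: an intruder who is passively sniffing inside the network never touches them.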

2. True and false "Li Yun": Space deception technology

A computer system has multi-homing capability, that is, a host with numerous IP addresses can be implemented on a computer with only one Ethernet card. In fact, research institutions can now bind more than 4000 IP addresses to a PC running Linux, and each IP address also has its own MAC address. This technology can be used to create spoofing that fills a large segment of address space at very low cost. Spoofing space technology achieves security protection by enlarging the search space and thereby increasing the intruder's workload. Many different deceptions can thus be implemented on a single computer. When the hacker's scanner reaches the external router of the network system and detects this spoofing service, all of the scanner's network traffic can also be redirected to the spoofing, so that subsequent remote access becomes a continuation of the deception.

In terms of protection, placing network services on all these IP addresses undoubtedly increases the workload of intruders, because they have to decide which services are real and which are forged, especially when more than 40 thousand such IP addresses with forged network services are placed in a system. In addition, in this case the spoofing service is more easily discovered by the scanner. Enticing intruders into being fooled lengthens the intrusion and consumes a large amount of the intruders' resources, which greatly reduces the likelihood of real network services being detected.

Of course, the network traffic and service redirection must be kept strictly confidential when such spoofing is adopted. Once it is exposed, it will invite attack, and intruders can then easily distinguish any known, valid service from the spoofing that is used to test the hacker's scan detection and response.
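The workload argument above can be made concrete with a small model, added here as an example that is not part of the original article. It assumes the scanner probes addresses in uniformly random order without repeats. The figure of 10 real services used in the comment is a constructed assumption, and the function names are hypothetical.

```python
import random
from math import comb


def expected_probes_to_first_real(total, real):
    """Mean number of probes until the first real service is hit,
    for a random-order scan of `total` addresses holding `real` services."""
    return (total + 1) / (real + 1)


def prob_no_real_found(total, real, probes):
    """Probability that `probes` distinct random probes hit only decoys
    (hypergeometric: all probes fall in the total - real decoy addresses)."""
    return comb(total - real, probes) / comb(total, probes)


def simulate_first_real(total, real, trials, seed=1):
    """Monte Carlo check of the closed form: the first real hit is the
    smallest scan position among the `real` service positions."""
    rng = random.Random(seed)
    positions = range(1, total + 1)
    hits = (min(rng.sample(positions, real)) for _ in range(trials))
    return sum(hits) / trials


if __name__ == "__main__":
    real = 10                                   # constructed figure
    for decoys in (0, 4000, 40000):             # decoy counts of the scale cited above
        total = real + decoys
        print(decoys, "decoys:",
              round(expected_probes_to_first_real(total, real), 1),
              "probes expected before the first real service;",
              "P(no real service in 1000 probes) =",
              round(prob_no_real_found(total, real, min(1000, total)), 3))
    # An exhaustive scan still finds everything; the decoys only add cost.
    print(prob_no_real_found(4010, 10, 4010))
```

The last line reflects the first limitation listed for distributed Honey Pots: against a scan that covers the whole space, the probability of missing the real services is zero, and the deception only buys time and detection opportunities.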

3. Confusing information: organization information spoofing and multi-address translation

As network attack technology keeps improving, a single network spoofing technique cannot always succeed. It is therefore necessary to keep improving the quality of the spoofing so that intruders cannot distinguish legitimate services from spoofing. Multi-address translation and organization information spoofing can effectively confuse opponents.

If the Organization's DNS server contains an individual
