[Post] Principles and Prevention of Hacker Attacks Through IP Spoofing

Source: Internet
Author: User
Tags: control characters, microsecond timer, connection reset

The purpose of this article is to explain to readers how IP spoofing is carried out and how it can be prevented. It assumes a little knowledge of UNIX and TCP/IP; if you lack it, that does not matter, as the explanations below should give you enough background.

IP spoofing is a complex technical attack suited to TCP/IP environments, and it consists of several parts. It has become an important means of attack on the Internet, so understanding how it works and how to defend against it is necessary to protect your own systems.

Strictly speaking, IP spoofing itself is not the attack but a means of attack; the actual attack is the breaking of a trust relationship. In this article, however, IP spoofing is treated as the whole attack, and other ways of abusing the false trust relationship that spoofing establishes are not discussed. The article explains the entire attack process in detail, including the relevant operating system and network details.

Background

Host Definitions

A: the target host

B: a host trusted by A

X: an unreachable host

Z: the attacking host

1(2): host 1 disguised as host 2

Graphical Symbol Definition

The diagrams in this article follow the pattern shown in this example:

Time series   Host A   Control    Host B

1             A        --SYN-->   B

Time series: a unit of elapsed time that can be refined arbitrarily; it is generally treated as a small unit that indicates the order of events.

Host A: a machine taking part in the TCP conversation.

Control: the control bits set in the TCP header of the segment, and the direction in which the segment flows.

Host B: the other machine taking part in the TCP conversation.

In this example, host A sends a TCP segment to host B at time 1, and the SYN bit in the control field is the main information carried by that segment. Unless otherwise stated, we do not care about the data portion of the segment.

Trust Relationship

In the UNIX world, trust relationships are easy to set up. Suppose you have an account on host A and one on host B. Whenever you use host A you must log in to the account on A, and whenever you use host B you must log in to the account on B; the two hosts treat you as two unrelated users, which is obviously inconvenient. To reduce this inconvenience, you can establish mutual trust between the two accounts by creating a .rhosts file in your home directory on each host. On host A, run 'echo "B username" > ~/.rhosts'; on host B, run 'echo "A username" > ~/.rhosts'. From then on you can use any of the r* remote commands, such as rlogin, rcall and rsh, without being asked for a password. These commands use address-based authentication: they allow or deny access purely on the basis of the IP address.

Rlogin

Rlogin is a simple client/server program that runs over TCP. It lets a user log in from one host to another, and if the target host trusts the source host, rlogin lets the user use the target's resources without giving a password. The security check rests entirely on the source host's IP address. In the example above, therefore, we can use rlogin to log in to A from B without being prompted for a password.

Internet Protocol (IP)

IP is the connectionless, unreliable network-layer protocol of the TCP/IP suite. It carries addressing information in two 32-bit header fields. IP datagrams make up the majority of TCP/IP network traffic; they are the busiest part of the stack. IP's job is to deliver packets across the network; it provides no mechanism to guarantee reliability, which is left to the upper-layer protocols. IP only sends datagrams and checks their integrity. If a complete datagram cannot be received, IP sends an ICMP error message back to the source address in the hope that the datagram will be resent, but that message may itself be lost. (ICMP, the Internet Control Message Protocol, reports on network conditions, mainly by delivering different error messages to the IP layer or the layers above it.) Because IP is connectionless it keeps no connection state: each datagram is sent on its own, with no regard for the ones sent before or after it. From this it is easy to see that by modifying the IP stack one can place whatever addresses one likes in the source and destination fields, that is, supply a forged IP address.

Transmission Control Protocol (TCP)

TCP is the connection-oriented protocol of the TCP/IP suite that provides reliable transport. Connection-oriented means the two hosts taking part in a conversation must establish a connection before exchanging data. Reliability is provided by the control bits in each segment, of which only two matter for our discussion: the sequence number and the acknowledgement, associated with the SYN and ACK bits respectively. TCP assigns a sequence number to every byte of data and acknowledges the data it receives back to the sender (the sequence numbers that the destination acknowledges are the source's sequence numbers, not its own). The ACK also carries the sequence number the receiver expects next. Clearly, the reliability mechanisms of TCP are much harder to fool than IP.

Sequence Numbers, Acknowledgements and Other Flags

Because TCP is built for reliability, it has mechanisms to handle lost, duplicated and out-of-order segments and other adverse conditions. TCP achieves reliable transfer by numbering every transmitted byte and expecting the receiver to acknowledge the data the sender has sent. The receiver uses the sequence numbers to keep the data in order and to discard duplicate segments. A TCP sequence number can be thought of as a 32-bit counter running from 0 to 2^32-1. Every byte of data exchanged over a TCP connection (along with certain flags) is numbered in sequence. In a TCP segment the sequence number field identifies the first byte of the segment's data. The ACK acknowledges the data received so far and states the sequence number of the data expected next.

TCP uses the sliding-window concept for flow control. Suppose the sender transmits quickly but the receiver consumes slowly; to make sure no data is lost, the flow must be controlled so that the two sides work at the same pace. The sliding window can be understood as the buffer space the receiver makes available: with it, the receiving TCP tells the sender how much buffer it has for the data the sender transmits. Because the window field is 16 bits wide, the receiver can advertise a buffer of at most 65535 bytes. Therefore, from the window size and the sequence number of the first byte, one can compute the largest sequence number that will be accepted.

Other TCP flag bits include RST (reset the connection), PSH (push) and FIN (the sender has no more data). When a RST is received, the TCP connection is torn down immediately; RST is usually sent when a host receives a segment that does not belong to any current connection. Sometimes the TCP module needs to transmit data at once rather than waiting until a whole segment fills up; a higher-level process sets the PSH flag in the TCP header to tell the TCP module to send all queued data to the receiver immediately. FIN indicates that the application has finished the connection; when the receiver gets a FIN, it knows no further data will arrive.

TCP Connection Establishment

To exchange data over TCP, a connection between the hosts must first be established. A TCP connection is set up in three steps, known as the three-way handshake. If host A runs the rlogin client and wants to connect to the rlogin daemon on host B, the connection proceeds as shown in Figure 1.

1   A  ---  SYN     --->  B
2   A  <--  SYN/ACK ---   B
3   A  ---  ACK     --->  B

Figure 1

Note that the TCP modules of host A and host B each use their own sequence numbers. At moment 1 the client sets SYN = 1 to tell the server it wants to establish a connection; at the same time it places its initial sequence number (ISN) in the sequence number field of its TCP header, and the SYN tells the server that the field is valid and should be checked. At moment 2, after receiving the SYN, the server responds with its own ISN and an ACK, telling the client that the next sequence number it expects is ISN + 1. At moment 3 the client acknowledges the server's ISN. Data transfer can now begin.

ISN and Sequence Number Increments

It is important to know how the initial sequence number is chosen and how sequence numbers change over time. One might expect the sequence number simply to be initialized to 1 when the host boots, but that is not the case. The initial sequence number is determined by the tcp_init function. The ISN increases by 128000 every second, and by a further 64000 each time a connection is established. Evidently this means that, with no connections, the 32-bit ISN counter wraps around every 9.32 hours. This scheme helps minimize the chance that segments from an old connection interfere with a current one; it goes together with the 2MSL wait time, which this article does not cover. If the ISN were chosen at random, there would be no guarantee that it differed from a previous incarnation of the same connection: suppose a segment from an old connection, delayed in a routing loop, escaped the loop and reached a new connection with the same addresses and ports (which is in fact a different connection from the old one); it would clearly interfere with the existing connection.

Port Numbers

To allow concurrent access to the TCP module, TCP provides a user interface called the port. Ports are used by the operating system kernel to tell different network processes apart; they are strictly a transport-layer entry point (IP itself knows nothing of them). A TCP port together with an IP address identifies one end of a network connection, so any Internet connection can at any moment be described by four elements: source IP address, source port, destination IP address and destination port. Server programs are usually bound to well-known port numbers; the rlogin daemon, for example, is bound to TCP port 513.

IP Spoofing

IP spoofing consists of several steps, outlined briefly here and explained in detail afterwards. First, a target host is chosen. Second, its trust pattern is discovered and a host that the target trusts is found. To carry out the spoof, the attacker disables the trusted host, samples the TCP sequence numbers issued by the target host, and guesses the next sequence number. Then, posing as the trusted host, the attacker establishes an application connection with the target that is authenticated by address only. If this succeeds, a single command is enough to plant a backdoor for later unauthorized access.

IP Spoofing Is a Blind Attack

An important and often overlooked fact is that IP spoofing is a blind attack. The attacker takes the place of the genuinely trusted host and thereby defeats the target's security model. Attackers often use the method described below to put the trusted host out of action. While a less secure host is talking with the trusted host, an attacker somewhere in a dark corner of the Internet can actually stall the trusted host and send the target a flood of segments that imitate it; sadly, the target notices nothing. The attacker's forged segments reach the target, but the segments the target sends back to the trusted host never reach the attacker, because the two have different real IP addresses. Of course, once such a segment reaches the genuinely trusted host, it is discarded even though it enters the protocol stack and reaches the TCP module. The attacker therefore has to know what the target sends and what response it expects; although the attacker cannot see what the target sends, he can predict it, and he acts on that prediction.

Trust Pattern

After choosing a target, the attacker must work out the target's trust pattern. For the sake of discussion, we assume that the target does trust some host. Finding out whom a host trusts, and whom it does not, is not easy: 'showmount -e' shows where file systems are exported, and 'rpcinfo' can also give valuable information. With enough background information about the target, launching an attack is not difficult. If all else fails, the attacker tries neighbouring IP addresses to gather useful information.

Disabling the Trusted Host

Once a trusted host has been found, it usually has to be put out of action for the impersonation to work. Because the attacker is going to take the place of the genuinely trusted host, he must make sure that host cannot receive any valid network traffic; otherwise it would give him away. There are many ways to do this, but only one is discussed here: the TCP SYN flood. As described above, the first step in establishing a TCP connection is for the client to send a SYN request to the server; the server normally answers with a SYN/ACK to the client, which it identifies by IP address; the client then sends an ACK (see Figure 1), after which data can flow. But the TCP module has a limit on the number of simultaneous pending SYN requests, which can be thought of as the length of a queue of connections. That count includes connections whose three-way handshake has not yet finished, as well as connections that have completed but have not yet been picked up by the application. When the queue is full, TCP rejects all further connection requests until some of the queued connections are processed. This is the opening the attacker exploits. The attacker sends a large number of SYN requests to a TCP port on the trusted host, using a source address that is valid but false (the host owning that address may simply be switched off). The attacked host answers each request to that address, but no reply ever comes. Meanwhile an ICMP message may tell the attacked host's TCP that the destination is unreachable; unfortunately TCP treats this as a temporary error and keeps retrying (re-routing, resending the SYN/ACK and so on) until it is sure the connection cannot be made, by which time a great deal of valuable time has passed.
It is worth noting that the attacker will not use an IP address that is currently in use, because its real owner would receive the SYN/ACK and send a RST to the attacked host, closing the half-open connection. The process described above is shown in Figure 2.

1   Z(X)  ---  SYN     --->  B
    Z(X)  ---  SYN     --->  B
    Z(X)  ---  SYN     --->  B
    ......
2   X     <--  SYN/ACK ---   B
    X     <--  SYN/ACK ---   B
    ......
3   X     <--  RST     ---   B

Figure 2

At moment 1 the attacking host sends a large number of SYN requests to the attacked host (at this stage, the trusted host) to fill its TCP queue. At moment 2 the attacked host sends SYN/ACK responses to the (fake) IP address it believes they came from. Throughout this period the attacked host's TCP module ignores all new requests. The length of the TCP pending-connection queue varies: it is generally 5 on BSD and 6 on Linux. The trusted host has lost its ability to process new connections, and the time this buys is the time in which the attacker goes after the target host, making the impersonation of the trusted host possible.

Sequence Number Sampling and Prediction

As stated above, to attack the target the attacker must know the sequence numbers it is using. We now discuss how the attacker predicts them. He first opens a normal connection to some port on the target (SMTP is a good choice), usually repeating this several times and recording the ISN the target sends each time. He also needs to estimate the round-trip time (RTT) between his host and the trusted host, which is obtained by averaging several measurements. The RTT is very important for estimating the next ISN. As noted above, the ISN advances by 128000 per second and by 64000 per connection, so estimating the next ISN is now straightforward: it will have advanced by 128000 multiplied by half the RTT, plus 64000 if the target has just accepted a connection. Once the ISN has been estimated, the attack begins at once. When the attacker's forged TCP segment arrives at the target, different things happen depending on the accuracy of the estimate:

· If the estimated sequence number is exactly right, the incoming data is placed in the receive buffer for use.

· If the estimated sequence number is smaller than the expected one, the data is discarded.

· If the estimated sequence number is larger than the expected one but within the sliding window (the buffer mentioned above), the data is treated as future data and the TCP module waits for the missing data in between. If it is larger than the expected one and outside the sliding window, TCP discards the data and sends back an ACK stating the sequence number it expects; the attacker's host never receives that ACK.
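The four outcomes above, as an added example (not code from the article): a model of the receiver's check on an arriving segment's sequence number, with 32-bit wraparound handled so the comparison stays correct across the counter's cycle.

```python
"""Receiver-side check of an arriving TCP segment's sequence number.

Added example, not the article's code. Given the segment's first sequence
number `seq`, the receiver's next expected byte `rcv_nxt` and the advertised
window `rcv_wnd`, it returns which of the four cases in the text applies.
Sequence numbers are 32-bit and wrap, so comparisons use modular distance.
"""

MOD = 1 << 32


def seq_delta(a: int, b: int) -> int:
    """Signed distance from b to a on the 32-bit sequence circle:
    positive if a is ahead of b, negative if it is behind."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def classify_segment(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Return the receiver's verdict for a segment starting at byte `seq`.

    'accept'        seq == rcv_nxt: data goes straight into the receive buffer
    'discard_old'   seq is behind rcv_nxt: already seen, dropped
    'buffer_future' seq is ahead but inside the window: kept until the gap fills
    'reject_ack'    seq is beyond the window: dropped, and an ACK naming
                    rcv_nxt (the number the receiver wants) is sent back
    """
    if not (0 <= seq < MOD and 0 <= rcv_nxt < MOD):
        raise ValueError("sequence numbers must fit in 32 bits")
    if not 0 <= rcv_wnd <= 0xFFFF:
        raise ValueError("the window is a 16-bit field")
    d = seq_delta(seq, rcv_nxt)
    if d == 0:
        return "accept"
    if d < 0:
        return "discard_old"
    if d < rcv_wnd:            # window covers rcv_nxt .. rcv_nxt + rcv_wnd - 1
        return "buffer_future"
    return "reject_ack"


if __name__ == "__main__":
    # Constructed sample: receiver expects byte 4294967290 (10 below the wrap)
    # with a 4096-byte window; a segment at seq 5 is 15 bytes ahead, so it is
    # buffered as future data even though 5 < 4294967290 numerically.
    rcv_nxt, rcv_wnd = MOD - 10, 4096
    for seq in (rcv_nxt, rcv_nxt - 1, 5, rcv_nxt + rcv_wnd):
        print(seq, classify_segment(seq, rcv_nxt, rcv_wnd))
```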

Carrying Out the Attack

Figure 3 shows the whole attack.

1   Z(B)  ---  SYN     --->  A
2   B     <--  SYN/ACK ---   A
3   Z(B)  ---  ACK     --->  A
4   Z(B)  ---  PSH     --->  A
    ......

Figure 3

The attacker, using the IP address of the trusted host (which is still stalled, as described earlier), sends a connection request to port 513 (the rlogin port) on the target host, as shown at moment 1. At moment 2 the target answers the request with a SYN/ACK sent to the trusted host (if the trusted host were working normally it would treat this as an error and immediately return a RST to the target, but it is stalled). As planned, the trusted host discards the SYN/ACK. At moment 3 the attacker sends the target an ACK whose acknowledgement number is the estimated sequence number plus 1 (since that is what is being acknowledged). If the estimate is correct, the target accepts the ACK and the connection is now formally established. Data transfer starts at moment 4. Usually the attacker plants a backdoor in the system for later entry; 'cat ++ > ~/.rhosts' is often used, because it quickly and simply paves the way for the next intrusion.

Analysis of Why It Works

IP spoofing succeeds because the trust service is founded on nothing but network-address authentication, and IP addresses are easy to forge. The hardest part of the attack is sequence number estimation, and its accuracy is the key to success.

Preventive Measures

Abandon address-based trust

A simple way to prevent this attack is to abandon address-based authentication: disallow the r* remote commands, delete .rhosts files, and empty the /etc/hosts.equiv file. This forces all users to use other means of remote access, such as telnet, ssh and S/Key.

Filter packets

If your network connects to the Internet through a router, you can use the router to filter packets. Make sure that only your internal LAN can use the trust relationship, and that hosts on the LAN are careful when dealing with hosts outside it. Your router can filter out all external requests that try to open a connection to an internal server.
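Added example (not the article's or any router vendor's code): a stateless model of the router filter described above. It goes beyond the text in one respect: besides dropping connection requests from outside to the r-service ports, it also drops packets arriving on the external interface that claim an internal source address, which is the impersonation the attack depends on. Interface names, LAN prefixes and packet records are constructed.

```python
"""Router-style ingress filter for the trust relationship, as an added example.

Two rules are applied to packets arriving on the external interface:
  * a packet from outside that carries an internal source address is a spoof
    and is dropped (the trusted-host impersonation the article describes);
  * a connection request (SYN without ACK) from outside to an r-service port
    on an internal host is dropped, so address-based trust is LAN-only.
Everything else passes; LAN-side traffic is not examined here at all.
"""
import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # assumed LAN prefixes
R_SERVICE_PORTS = {512, 513, 514}   # rexec, rlogin (513, named in the article), rsh
SYN, ACK = 0x02, 0x10               # TCP flag bits


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str        # source IP address as written in the IP header
    dst: str
    dport: int      # TCP destination port
    flags: int      # TCP flag byte


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet, external_iface: str = "eth0") -> str:
    """Return 'pass' or a 'drop:<reason>' verdict for one inbound packet."""
    if pkt.iface != external_iface:
        return "pass"
    if is_internal(pkt.src):
        return "drop:spoofed-internal-source"
    initiates = (pkt.flags & SYN) and not (pkt.flags & ACK)
    if initiates and pkt.dport in R_SERVICE_PORTS and is_internal(pkt.dst):
        return "drop:external-r-service-connect"
    return "pass"


def audit(packets) -> dict:
    """Apply the filter to a batch and count each verdict (for log review)."""
    counts = {}
    for p in packets:
        v = filter_packet(p)
        counts[v] = counts.get(v, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed traffic: a spoof claiming a LAN address, an outside rlogin
    # attempt, a legitimate reply to an outbound connection, and an SMTP SYN.
    sample = [Packet("eth0", "10.1.2.3", "10.0.0.5", 513, SYN),
              Packet("eth0", "203.0.113.7", "10.0.0.5", 513, SYN),
              Packet("eth0", "203.0.113.7", "10.0.0.5", 513, SYN | ACK),
              Packet("eth0", "203.0.113.7", "10.0.0.5", 25, SYN)]
    for p in sample:
        print(p.src, "->", p.dst, p.dport, filter_packet(p))
    print(audit(sample))
```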

Use encryption

Another obvious way to prevent IP spoofing is to require encrypted transport and authentication during communication. Where several methods coexist, encryption is probably the most suitable.

Use random initial sequence numbers

An important factor in the attacker's success is that sequence numbers are neither chosen nor incremented at random. Bellovin describes a way to make up for this TCP weakness: partition the sequence number space so that each connection has its own. Sequence numbers still increase as before, but there is no visible relationship between the different sequence number spaces. This can be described by the formula:

ISN = M + F(localhost, localport, remotehost, remoteport)

M: a timer that ticks every 4 microseconds

F: a cryptographic hash function

The sequence numbers produced by F must not be computable or guessable from outside. Bellovin suggests that F be a hash of the connection identifier together with a secret vector (a random number, or a secret derived from the boot time and a password).
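Added example (not the article's, Bellovin's or any kernel's code) contrasting the 128000-per-second, 64000-per-connection counter described earlier with the partitioned scheme above. F is assumed to be HMAC-SHA256 truncated to 32 bits, and the secret is a constructed per-boot value.

```python
"""Initial sequence number generation: the shared counter versus Bellovin's
per-connection sequence spaces. Added example; not the article's code."""
import hashlib
import hmac
import os

MOD = 1 << 32
RATE_PER_MS = 128          # 128000 per second, the rate the article gives
PER_CONNECTION = 64_000    # added each time a connection is established


def legacy_isn(millis_since_boot: int, connections_so_far: int) -> int:
    """Shared-counter ISN: every connection on the host draws from one space,
    so one sampled value plus elapsed time fixes the next one."""
    return (millis_since_boot * RATE_PER_MS
            + connections_so_far * PER_CONNECTION) % MOD


def expected_legacy_isn(observed_isn: int, rtt_ms: int) -> int:
    """What the shared counter will read one connection and half an RTT later,
    using the arithmetic the article describes. That this follows from a single
    sample is the weakness; a defender can use it to confirm a stack is guessable."""
    return (observed_isn + PER_CONNECTION + RATE_PER_MS * rtt_ms // 2) % MOD


def bellovin_isn(micros_since_boot: int, localhost: str, localport: int,
                 remotehost: str, remoteport: int, secret: bytes) -> int:
    """ISN = M + F(localhost, localport, remotehost, remoteport).

    M ticks every 4 microseconds, keeping numbers monotonic within one
    4-tuple. F is a keyed hash over the 4-tuple (HMAC-SHA256 here, an assumed
    choice), so each connection lives in its own offset space and sampling
    one connection says nothing about the offset of another."""
    m = (micros_since_boot // 4) % MOD
    conn_id = f"{localhost}:{localport}>{remotehost}:{remoteport}".encode()
    f = int.from_bytes(hmac.new(secret, conn_id, hashlib.sha256).digest()[:4], "big")
    return (m + f) % MOD


def isn_gap(a: int, b: int) -> int:
    """Forward distance from ISN a to ISN b on the 32-bit circle."""
    return (b - a) % MOD


if __name__ == "__main__":
    secret = os.urandom(32)  # constructed per-boot secret
    sampled = legacy_isn(10_000, 3)                     # ISN seen on an SMTP probe
    print("legacy: predicted", expected_legacy_isn(sampled, 50),
          "actual", legacy_isn(10_025, 4))              # identical: fully predictable
    same = [bellovin_isn(t, "10.0.0.5", 1023, "10.0.0.9", 513, secret)
            for t in (1_000, 5_000)]
    other = bellovin_isn(1_000, "10.0.0.5", 1022, "10.0.0.9", 513, secret)
    print("bellovin: same 4-tuple advances by", isn_gap(same[0], same[1]),
          "; neighbouring port differs by", isn_gap(same[0], other))
```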
