Principles of IP Spoofing and Address Hijacking

Source: Internet
Author: User
Tags: network function

IP spoofing is not a simple technique; it is hard to pass a cat off as a tiger. But it is a classic attack, and understanding how it works matters for your own defence; once the principle is clear, defending against it is not difficult.

Start with the TCP three-way handshake. Suppose a client on B runs rlogin to talk to rlogind on A:

1. B sends A a segment with the SYN flag set, asking A to open a TCP connection. The sequence number in the TCP header is B's initial sequence number (ISN) for this connection.
2. A replies with a segment carrying SYN + ACK. It announces A's own ISN and acknowledges B's SYN by setting the acknowledgement number to B's ISN + 1.
3. B acknowledges A's segment by setting the acknowledgement number to A's ISN + 1.

    B ---- SYN ----> A
    B <-- SYN+ACK -- A
    B ---- ACK ----> A

The sequence number TCP uses is a 32-bit counter, ranging from 0 to 4294967295. TCP picks an ISN for every connection. So that delayed or retransmitted segments from an earlier incarnation of a connection are not mistaken for segments of a new one, the ISN cannot be chosen arbitrarily; each system has its own algorithm. Knowing how TCP allocates ISNs and how the ISN moves over time is the key to a successful IP spoofing attack.

The Berkeley r-commands (rlogin, rcp, rsh) perform their security check against /etc/hosts.equiv and $HOME/.rhosts. In essence they decide whether to allow or refuse a request by its source IP address alone.

How the IP spoofing attack proceeds:

1. Suppose Z wants to attack A, and A trusts B. "Trust" here means the corresponding entries in /etc/hosts.equiv and $HOME/.rhosts. Note: how does Z learn that A trusts B? There is no fixed method. My advice is to collect clues patiently; a successful intrusion owes less to technical knowledge than to wide and detailed information gathering.
The technique I use, which gives me some sense of accomplishment, is no cleverer than asking questions over drinks. The attack cares only about succeeding, not about the means.

2. Once Z knows the trusted host B, Z should try to temporarily knock out B's network function so that B cannot interfere with the attack. The well-known SYN flood is often the prelude to an IP spoofing attack. Look at the skeleton of a concurrent server:

    int initsockid, newsockid;

    if ((initsockid = socket(...)) < 0)
        error("can't create socket");
    if (bind(initsockid, ...) < 0)
        error("bind error");
    if (listen(initsockid, 5) < 0)
        error("listen error");

    for (;;) {
        newsockid = accept(initsockid, ...);  /* blocks until a handshake has completed */
        if (newsockid < 0)
            error("accept error");
        if (fork() == 0) {                    /* child process */
            close(initsockid);
            do(newsockid);                    /* serve the client request */
            exit(0);
        }
        close(newsockid);                     /* parent: back to accept() */
    }

The second argument of listen, 5 here, is the maximum number of pending connection requests allowed on initsockid. When five requests are queued on initsockid at the same moment, TCP discards further requests arriving for it. Note that once a three-way handshake completes and accept has taken that connection off the queue, a slot in the connection request queue is free again, so 5 does not mean initsockid can only ever accept five connections.

A SYN flood is a denial of service that uses this queue to interrupt B's network function for a while. Z sends B many segments with the SYN flag set, asking for connections, but with the source IP address replaced by that of a host X that does not exist. B sends SYN + ACK to X, and no ACK from X ever arrives. B's IP layer may report to B's TCP layer that X is unreachable, but TCP ignores that and treats it as temporary. The half-open entries sit in the queue until they time out, and meanwhile B can accept no normal connection request on this initsockid.

    Z(X) ---- SYN ----> B
    Z(X) ---- SYN ----> B
    ......
    X <-- SYN + ACK --- B
    ......

Does this really paralyse B's network function? Not entirely: B cannot accept TCP connections on this initsockid, but it can still accept them on any other listening socket. A SYN flood of this kind is aimed at one particular service (port) and does not affect the whole host. To keep B unresponsive in general, the flood of connection requests has to be kept up continuously, or combined with a ping flood so that B's TCP/IP stack is kept busy. I may write separately about SYN floods and denial of service. There are many ways to take B's network function out of action, depending on the situation, and I will not go into them here.

3. Z must determine A's current ISN. First Z connects to A's port 25 (SMTP has no authentication, and on a BSD-style stack every port draws its ISN from the same host-wide counter, so port 25 serves as well as the rlogin port).
This time Z records A's ISN and the approximate RTT (round-trip time) from Z to A. The step must be repeated several times to get an average RTT. Now Z knows A's ISN base value and the rule by which it increases (for example, 128000 per second and 64000 per connection, the 4.4BSD values), and also knows RTT/2, the one-way delay from Z to A. The attack has to be launched immediately: if some other host connects to A in the meantime, the ISN will be 64000 higher than predicted.

4. Z sends A a segment with the SYN flag set, requesting a connection, but with the source IP address changed to B's. Note that this targets TCP port 513 (rlogin). A sends SYN + ACK to B; B cannot respond, and B's TCP layer simply discards A's segment.

5. Z pauses a moment so that A has time to send the SYN + ACK, which Z cannot see. Then Z, again pretending to be B, sends an ACK to A. This segment carries the acknowledgement number that Z predicts to be A's ISN + 1. If the prediction is right, the connection is established and data transfer begins. The problem is that even now A still sends its data to B, not to Z. Z still cannot see A's segments to B, so Z must build every segment blind, follow the rlogin protocol exactly as B would, and send a command that appends the wildcard entry "+ +" to ~/.rhosts on A (for example echo "+ +" >> ~/.rhosts); then the attack is complete, since any host may now rlogin to A as that user without a password. If the prediction is wrong, A sends a segment with the RST flag and tears the connection down, and Z has to start from scratch.

    Z(B) ---- SYN ----> A
    B <-- SYN + ACK --- A
    Z(B) ---- ACK ----> A
    Z(B) ---- PSH ----> A
    ......

6. The IP spoofing attack exploits the weakness that the r-services rely only on the source IP address for their security check. I recommend reading the source code of rlogind. The hardest part of the attack is predicting A's ISN. I think the attack is difficult, yet very likely to succeed, which sounds contradictory.
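Steps 3 to 5 as an offline model, added here as an example and not code from the original article. It assumes A allocates ISNs the way 4.4BSD did (one host-wide counter, +128000 per second, +64000 per connection), that B has already been silenced so it never answers A's SYN + ACK with a RST, and that time is an integer millisecond clock. The hosts and addresses are made up and nothing is sent on the wire.

```python
"""Offline model of the ISN-prediction attack: Z samples A's ISN on port 25,
predicts the ISN A will give the spoofed rlogin connection, and completes the
handshake blind.  Added example, not the article's code.  Assumed: 4.4BSD-style
ISN counter, B silenced (never sends RST), integer millisecond clock,
made-up 10.0.0.x addresses, no real network traffic."""

ISN_PER_MS = 128        # 128000 per second
ISN_PER_CONN = 64_000   # added for every new connection
MOD = 2 ** 32           # sequence numbers are a 32-bit counter
RLOGIN_PORT = 513


class HostA:
    """Victim A: BSD-style global ISN counter plus an rlogin trust for B's address."""

    def __init__(self, seed, trusted_ip="10.0.0.2"):
        self.seed, self.trusted_ip = seed, trusted_ip
        self.n_conn = 0
        self.half_open = {}   # (src_ip, dst_port) -> ISN carried in A's SYN+ACK

    def recv_syn(self, src_ip, dst_port, now_ms):
        """A receives a SYN: allocate the next ISN and send SYN+ACK to src_ip."""
        isn = (self.seed + now_ms * ISN_PER_MS + self.n_conn * ISN_PER_CONN) % MOD
        self.n_conn += 1
        self.half_open[(src_ip, dst_port)] = isn
        return isn

    def recv_ack(self, src_ip, dst_port, ack_num):
        """Third handshake segment: ack must be A's ISN + 1, otherwise A sends RST."""
        isn = self.half_open.pop((src_ip, dst_port), None)
        if isn is None or ack_num != (isn + 1) % MOD:
            return "RST"
        if dst_port == RLOGIN_PORT and src_ip == self.trusted_ip:
            return "ESTABLISHED-TRUSTED"   # rlogind finds B in .rhosts: no password
        return "ESTABLISHED"


def sample_isn(a, z_ip, send_ms, rtt_ms):
    """Step 3: Z opens a real connection to A:25, so it sees A's SYN+ACK and
    learns the ISN.  Returns (time Z estimates its SYN reached A, ISN)."""
    arrive = send_ms + rtt_ms // 2
    isn = a.recv_syn(z_ip, 25, arrive)
    a.recv_ack(z_ip, 25, (isn + 1) % MOD)   # finish the handshake properly
    return arrive, isn


def predict_isn(last_sample, spoof_arrive_ms):
    """Extrapolate A's counter from the last sample to the instant the spoofed
    SYN will arrive: elapsed time times the rate, plus one connection (ours)."""
    last_arrive, last_isn = last_sample
    elapsed = spoof_arrive_ms - last_arrive
    return (last_isn + elapsed * ISN_PER_MS + ISN_PER_CONN) % MOD


def spoof_rlogin(a, b_ip, last_sample, send_ms, rtt_ms, surprise_conns=0):
    """Steps 4 and 5: SYN to A:513 as B, wait roughly one RTT for the SYN+ACK
    that goes to B (Z never sees it), then ACK with the predicted ISN + 1.
    surprise_conns models other hosts connecting to A just before the spoofed
    SYN lands; Z cannot know about them and each one shifts the ISN by 64000."""
    arrive = send_ms + rtt_ms // 2
    for i in range(surprise_conns):
        a.recv_syn(f"10.0.0.{50 + i}", 80, arrive - 1)
    predicted = predict_isn(last_sample, arrive)
    a.recv_syn(b_ip, RLOGIN_PORT, arrive)           # SYN+ACK is sent to B, not Z
    result = a.recv_ack(b_ip, RLOGIN_PORT, (predicted + 1) % MOD)
    return predicted, result


def run():
    """One successful spoof and one thrown off by a single unexpected connection."""
    a = HostA(seed=1_000_000)
    z_ip, b_ip = "10.0.0.3", "10.0.0.2"
    rtt = 40   # ms, the average Z measured over its port-25 probes
    samples = [sample_isn(a, z_ip, t, rtt) for t in (0, 1000, 2000)]
    # The check Z does on its samples: recover the per-millisecond rate.
    (t0, i0), (t1, i1) = samples[0], samples[1]
    rate = ((i1 - i0) % MOD - ISN_PER_CONN) // (t1 - t0)
    good = spoof_rlogin(a, b_ip, samples[-1], 3000, rtt)
    fresh = sample_isn(a, z_ip, 4000, rtt)          # re-sample before the next try
    bad = spoof_rlogin(a, b_ip, fresh, 5000, rtt, surprise_conns=1)
    return {"rate_per_ms": rate, "good": good, "bad": bad}


if __name__ == "__main__":
    print(run())
```

The successful case returns ESTABLISHED-TRUSTED: from here Z would push the rlogin client's opening fields and then the echo "+ +" >> ~/.rhosts command, all without ever seeing a byte from A. The second case shows the race the text warns about: one connection from another host between the sample and the spoofed SYN leaves the prediction 64000 short, A answers the ACK with RST, and Z must re-sample and start over.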
The contradiction dissolves when the intruder controls a router between A and B. If Z is that router, A's segments to B pass through Z and Z can see them, and the difficulty of the attack drops sharply. Otherwise Z must predict exactly what A will send to B and what response A expects from B, which requires thorough familiarity with the protocol itself. Be clear, too, that such an attack cannot be carried out interactively; it has to be done by a program, though in the preparation phase a tool such as netxray can be used for protocol analysis.

7. If Z is not a router, can ICMP redirects and ARP spoofing be combined with this? I have not analysed it carefully; it is only a guess, and it depends closely on the network topology between A, B and Z. In some cases the difficulty of the attack falls a great deal. Note that in theory an IP spoofing attack can be launched from the wide-area network; it is not limited to the local network, and that is part of the appeal of this kind of attack. The IP spoofing attack yields a shell on A. For many experienced intruders, a shell on the target host is not far from root; the obvious next step is a buffer overflow attack.

8. Some may ask why Z cannot simply set its own IP address to B's. That is hard to answer without analysing the topology; there are also problems such as ARP conflicts and being unable to reach the gateway. Consider whether an ARP conflict arises during the IP spoofing attack. Recall the ARP spoofing attack I discussed earlier: as long as B's ARP cache is not affected, there is no ARP conflict.
When Z sends a segment to A and needs to resolve A's MAC address, or the router's, it must send an ARP request, but both the source IP address and the source MAC address in that request are Z's own, so no conflict follows. The ARP cache is changed only by ARP packets, never by IP packets, so it is certain that the IP spoofing attack itself causes no ARP conflict. If on the other hand Z changes its own IP address, an ARP conflict may well occur, depending on the circumstances. B is attacked along the way only to stop it interfering with the attack; if B is down altogether, so much the better.

9. The tool fakeip has been getting popular. I scanned it and found that it accepts incoming connections on TCP port 113 (ident). That has no direct bearing on IP spoofing or on the security check; the tool does less than its name suggests and does nothing at the IP layer.

10. One more question about predicting sequence numbers: how, as a third party, does one cut into an existing TCP connection between A and B? That is really a problem of predicting the sequence number, and it is also hard. If Z is a router between A and B no prediction is needed, and the same holds if Z can listen to the traffic between A and B by some other means; otherwise prediction is too difficult. The author mentioned connecting to A's port 25 in step 3. What I did not understand is the relation between the ISN seen on port 25 and the ISN used on port 513. One has to look at the TCP/IP implementation source: in the BSD-derived stacks of the time there is a single ISN variable per host (tcp_iss), not one per port, and every connection draws from it, so the value sampled on port 25 is the value the rlogin connection continues from.

Hard though IP spoofing is, be aware that such attacks are widespread and intrusions often begin here. Preventing them is the easier part: remove /etc/hosts.equiv and every $HOME/.rhosts file, edit /etc/inetd.conf so that the r-services no longer run, stop the portmapper so RPC cannot run, and so on.
Configure the router to filter packets that arrive from outside but carry an internal IP address as their source; Cisco products have this feature. But the router only stops intrusion from outside. What about intrusion from inside? TCP ISN selection is neither random nor unpredictable, which lets an attacker follow its rule; modify the ISN code and choose a good algorithm, so that an attacker cannot find any regularity. On Linux that is presumably easy to do. What about Solaris, IRIX, HP-UX and AIX?

Although this is not very well written, I have at last understood the IP spoofing attack. I tried to predict the sequence number rather than the ISN, in order to cut into a TCP connection, and found it very hard. Finding the regularity takes time and patience rather than blind guessing. We are becoming more and more aware of what the spirit of never giving up really is: behind the legends we admire lies that kind of silence and perseverance. I hope we learn this, instead of being flashy and noisy. A ready-made bug is enough to get you root. But what are you doing with it? Do you understand? We are too superficial.
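The defences listed above, as an added example that is not the article's code: an ISN generator in the style of RFC 6528 (ISN = M + F, where M is a clock that advances once every 4 microseconds and F is a keyed hash of the connection's addresses and ports), run against the attacker's method from step 3, sampling port 25 and extrapolating to port 513; an audit of /etc/hosts.equiv and .rhosts contents for wildcard trust entries; and the router's ingress-filter decision. Assumed: SHA-256 as F (RFC 6528 leaves the hash to the implementer), an integer microsecond clock, a made-up secret and made-up addresses, and a constructed .rhosts file.

```python
"""Checks for the defences above.  Added example, not the article's code.
Assumed: SHA-256 for the RFC 6528 keyed hash F, a microsecond integer clock,
made-up addresses and secret, constructed .rhosts sample input."""
import hashlib
import ipaddress

MOD = 2 ** 32


def rfc6528_isn(secret, local_ip, local_port, remote_ip, remote_port, now_us):
    """ISN = M + F.  M is shared by all connections, F is fixed per 4-tuple, so
    the offset between two different 4-tuples is unknown without the secret."""
    m = now_us // 4                                    # 250000 ticks per second
    tup = f"{local_ip}:{local_port}>{remote_ip}:{remote_port}".encode()
    f = int.from_bytes(hashlib.sha256(secret + tup).digest()[:4], "big")
    return (m + f) % MOD


def attack_against_rfc6528(secret, a_ip, z_ip, b_ip):
    """Z's technique from step 3.  Two samples on one 4-tuple (A:25 <- Z:40000)
    recover the clock rate exactly; extrapolating that line to the SYN that B's
    address will send to A:513 still misses, because F differs per 4-tuple.
    Returns (observed ticks per second, predicted ISN, real ISN)."""
    s0 = rfc6528_isn(secret, a_ip, 25, z_ip, 40000, 1_000_000)
    s1 = rfc6528_isn(secret, a_ip, 25, z_ip, 40000, 2_000_000)
    ticks_per_s = (s1 - s0) % MOD
    spoof_us = 3_000_000
    predicted = (s1 + (spoof_us - 2_000_000) // 4) % MOD
    real = rfc6528_isn(secret, a_ip, 513, b_ip, 1023, spoof_us)
    return ticks_per_s, predicted, real


def audit_trust_file(text, name):
    """Parse hosts.equiv / .rhosts lines: 'host [user]', where '+' is a wildcard,
    a leading '-' denies, and '+@group' names a netgroup.  Returns the entries
    that grant trust more widely than one host/user pair."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        host, *rest = line.split()
        user = rest[0] if rest else None
        if host == "+":
            findings.append((name, n, "any host" + (", any user" if user == "+" else "")))
        elif host.startswith("+@"):
            findings.append((name, n, f"netgroup {host[2:]}"))
        elif user == "+":
            findings.append((name, n, f"any user from {host}"))
    return findings


def ingress_drop(internal_nets, src_ip):
    """The router rule: a packet arriving on the outside interface with an
    internal source address is spoofed and is dropped.  Insiders are unaffected."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in internal_nets)


# Constructed sample input, not taken from any real host.
SAMPLE_RHOSTS = """\
# ~/.rhosts on A
+ +
b.example.com
b.example.com +
+@admins
-evil.example.com
"""
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]

if __name__ == "__main__":
    print(attack_against_rfc6528(b"constructed-secret", "10.0.0.1", "10.0.0.3", "10.0.0.2"))
    print(audit_trust_file(SAMPLE_RHOSTS, "A:.rhosts"))
    print(ingress_drop(INTERNAL, "10.0.0.2"), ingress_drop(INTERNAL, "203.0.113.7"))
```

The first function answers the question raised in step 10 for a hardened stack: on a per-4-tuple generator the port-25 samples still reveal the clock rate, but the sampled value carries an offset that belongs only to Z's own connection, so it transfers nothing to the port-513 connection that B's address would open. The audit flags "+ +" (any host, any user), "host +" and netgroup wildcards, which are exactly the entries the attack above plants or relies on; the ingress rule, as the text notes, only helps against a Z that sits outside.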
