Many applications assume that if a packet can be routed to its destination and the reply packet can find its way back to the source, then the source IP address must be valid. This assumption is an important precondition that makes source IP address spoofing attacks possible.
Assume there are two hosts, A and B, in the same network segment, and a host X in another network segment. B grants A certain privileges. For X to obtain the same privileges as A, the spoofing attack proceeds as follows. First, X impersonates A and sends host B a SYN packet with a random sequence number. Host B responds by sending A a reply packet whose acknowledgment number equals the original sequence number plus 1.
However, at this point host A has been "flooded" by a denial-of-service attack from host X, causing host A's services to fail. As a result, host A discards the packets sent by B. To complete the three-way handshake, X still needs to send B an acknowledgment packet whose acknowledgment number equals the sequence number of the packet B sent to A, plus 1. Host X cannot observe host B's packets (because they are not in the same network segment), so it can only use TCP sequence number estimation to predict the acknowledgment number and send it to the target machine B. If the guess is correct, B believes the ACK it received came from the internal host A. At this point, X has obtained host A's privileges on host B and can begin to attack those services.
To prevent source IP address spoofing, you can take the following measures to protect the system from such attacks as far as possible:
(1) Abandon address-based trust policies. A very easy way to prevent such attacks is to discard address-based authentication: do not allow the r-family commands to be used for remote invocation; delete the .rhosts file; empty the /etc/hosts.equiv file. This forces all users to use other means of remote communication, such as telnet, ssh, skey, and so on.
(2) Use encryption. We can encrypt a packet before it is sent onto the network. Although encryption requires appropriate changes to the current network environment, it guarantees the integrity, authenticity and confidentiality of the data.
(3) Perform packet filtering. The router can be configured to deny connection requests that come from outside the network but carry the same IP address as a host inside it. Moreover, when a packet's IP address is not inside the local network, the router should not send that packet out from a local host. One thing to note is that although routers can block specific types of packets that attempt to reach the internal network, they do so by analyzing the source address of the packets. As a result, they can only filter external packets that claim to come from the internal network; if your network has externally trusted hosts, the routers will not be able to prevent someone from using IP spoofing to impersonate those hosts.
Source Route Spoofing Attack
Typically, the path a packet takes from its starting point to its end point is determined by the routers located between the two points; the packet itself knows only where it is going, not how to get there. Source routing allows the sender of a packet to write the path the packet should follow into the packet itself, so that the packet reaches the destination host along an unexpected path. The form of this attack is shown below, again using the hosts from the source IP spoofing example:
Host A enjoys certain privileges on host B, and host X wants to impersonate host A to obtain certain services from host B (assume the IP is aaa.bbb.ccc.ddd). First, the attacker modifies the router closest to X so that packets arriving at that router with the destination address aaa.bbb.ccc.ddd are treated as destined for the same network as host X. Then attacker X uses IP spoofing to send host B a source-routed packet (specifying the nearest router). When B replies, the packet is routed to the modified router. This allows an intruder to impersonate a host by way of a particular path and obtain certain protected data.
The following two measures are generally used to prevent source route spoofing attacks:
1. The best way to deal with this attack is to configure the router to discard packets that arrive from the external network but claim to come from internal hosts.
2. Turn off source routing on the router, using the command no ip source-route.
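The filtering rules from measure (3) and the two source route measures above can be expressed as a single per-packet decision. The following is an added example, not code from the original article; the internal prefix 192.0.2.0/24, the interface labels "external" and "internal", and the function names are assumptions made for illustration.

```python
import ipaddress
import struct

# Assumptions for this example: the internal prefix and the interface labels.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")  # constructed (TEST-NET-1)
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}       # IPv4 option types (RFC 791)

def ip_options(header: bytes):
    """Yield the option type bytes found in the IPv4 header's options area."""
    ihl = (header[0] & 0x0F) * 4 if len(header) >= 20 else 0
    if ihl < 20 or len(header) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    i = 20
    while i < ihl:
        opt = header[i]
        if opt == 0:          # End of Option List
            return
        if opt == 1:          # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= ihl or header[i + 1] < 2 or i + header[i + 1] > ihl:
            raise ValueError("malformed IPv4 option")
        yield opt
        i += header[i + 1]

def filter_decision(header: bytes, arrived_on: str) -> str:
    """Return 'accept' or a 'drop: <reason>' verdict for one IPv4 header."""
    try:
        opts = list(ip_options(header))
    except ValueError as exc:
        return f"drop: {exc}"
    for opt in opts:
        if opt in SOURCE_ROUTE_OPTS:      # measure 2: refuse source routing
            return f"drop: source route option {SOURCE_ROUTE_OPTS[opt]}"
    inside = ipaddress.ip_address(header[12:16]) in INTERNAL_NET
    if arrived_on == "external" and inside:
        return "drop: external packet claims internal source"
    if arrived_on == "internal" and not inside:
        return "drop: internal packet with non-local source"
    return "accept"

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 header (checksum left as 0) for the samples."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4, 0, 0, 64, 6, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```

As the text notes for measure (3), this check only catches external packets that claim an internal source; a spoofed address belonging to an externally trusted host passes it.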
Protocol deception Attack and its preventive measures