Reinforcement of TCP/IP stack in Unix operating systems (1)

Source: Internet
Author: User

Bkjia.com exclusive article: the TCP/IP stack is responsible for processing incoming and outgoing IP packets and for routing them to the application that handles the data. The stack's own design flaws, the openness of the network, and hacker attacks are the main threats to the security of interconnected networks. TCP/IP, as the standard protocol suite of the Internet, is a key target for hackers conducting network attacks. The TCP/IP protocol suite is currently the most widely used set of network interconnection protocols, but it has some security issues. Thanks to the well-known stability and reliability of Unix operating systems, a large proportion of the operating systems used to provide Internet services are Unix or Unix-like; the common Unix operating systems running on PCs today are Linux, BSD, Solaris, AIX, HP-UX and so on. A Unix operating system can be configured to counter most network-level attacks. This article mainly introduces TCP/IP stack hardening methods for several Unix operating systems.

There are two types of TCP/IP stack attacks:

◆ Scanning: scanning, or footprinting, is part of a hacker's initial information-gathering process. Before hackers can attack a system, they need to collect information about it, such as the network layout, operating system type, available services, and system users. From the collected information, hackers can deduce possible vulnerabilities and select the best attack method for the chosen target system.

◆ Denial-of-service (DoS) attacks: generally, hackers aim at a specific system and break into it to use it for a specific purpose, and the host security of such systems often prevents attackers from gaining control of the host. When launching a denial-of-service attack, however, attackers do not need to gain control of the system; the goal is to overload the system or network so that it can no longer provide service. DoS attacks can have different targets, including bandwidth consumption and resource exhaustion. Denial-of-service attacks have now been extended to distributed denial-of-service (DDoS) attacks.

I. ICMP protocol section

ICMP is a messenger dedicated to reporting logical errors and diagnostics; RFC 792 describes it in detail. Any IP network device can send, receive, or process ICMP messages. Although the designers of ICMP did not foresee today's security issues, they did lay down some basic principles that make ICMP more effective:

◆ To ensure that ICMP messages do not overwhelm the IP network, ICMP has no special priority and is always treated as ordinary traffic.

◆ ICMP error messages are not sent in response to other ICMP error messages. This rule prevents one error message from endlessly producing another; otherwise it would be a real problem.

◆ ICMP error messages are not sent in response to multicast or broadcast traffic.

ICMP attacks include:

◆ Destination unreachable attacks are denial-of-service attacks: the ICMP Destination Unreachable message gives the system that attempted to forward a datagram a way to notify the sender that the datagram could not be delivered because the host specified in its destination address cannot be reached.

◆ Smurf attacks are denial-of-service attacks: Smurf attacks are a dreaded form of denial of service because of their amplification effect. Smurf attacks exploit ICMP echo reply messages.

1. Disable ICMP echo broadcast

AIX 5
#no -o directed_broadcast=0
FreeBSD 5-7
#sysctl -w net.inet.icmp.bmcastecho=0
HP-UX 10
#ndd -set /dev/ip ip_respond_to_echo_broadcast 0
#ndd -set /dev/ip ip_forward_directed_broadcasts 0
Linux 2.4-2.6
#sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
OpenBSD 3-4
This is already the default setting.
Solaris 8-10
#ndd -set /dev/ip ip_respond_to_echo_broadcast 0
#ndd -set /dev/ip ip6_respond_to_echo_multicast 0
#ndd -set /dev/ip ip_forward_directed_broadcasts 0

Otherwise, your system may become an amplifier for Smurf attackers. The Smurf attack is named after the program, "Smurf", that first launched it. Combining IP spoofing with ICMP echo replies, this attack floods the target system with a large volume of network traffic, causing the target to deny service to legitimate systems. A Smurf attack floods the victim host by sending ICMP echo request (ping) packets to the broadcast address of the victim network with the source address set to the victim; eventually every host on that network replies to the echo request, and the network is congested. A more sophisticated Smurf variant sets the source address to a third-party victim, so that the third party is brought down.
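
As an added illustration of the traffic pattern just described (this is not code from the original article), the following shell functions scan tcpdump-style ICMP lines: one counts echo requests addressed to a network's broadcast address per source, the other counts the echo replies that land on each destination and how many distinct hosts sent them, which is where the amplification shows up. The capture lines are constructed for the example and use documentation-range addresses; the broadcast address 192.0.2.255 is an assumed value.

```shell
#!/bin/sh
# Added example, not from the original article. Detect the Smurf pattern in
# tcpdump-style ICMP lines: echo requests aimed at a broadcast address, and
# the burst of echo replies that lands on the (spoofed) source address.

# Constructed sample capture (documentation-range addresses, not real hosts).
# 203.0.113.7 plays the spoofed "source" that ends up receiving the replies;
# 192.0.2.255 is the broadcast address of the amplifier network.
SAMPLE_ICMP_LOG='12:00:01.000001 IP 203.0.113.7 > 192.0.2.255: ICMP echo request, id 1, seq 1, length 64
12:00:01.000101 IP 192.0.2.10 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000102 IP 192.0.2.20 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64
12:00:01.000103 IP 192.0.2.30 > 203.0.113.7: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000001 IP 192.0.2.30 > 192.0.2.1: ICMP echo request, id 7, seq 1, length 64
12:00:02.000101 IP 192.0.2.1 > 192.0.2.30: ICMP echo reply, id 7, seq 1, length 64
12:00:03.000001 IP 203.0.113.7 > 192.0.2.255: ICMP echo request, id 1, seq 2, length 64
12:00:03.000101 IP 192.0.2.10 > 203.0.113.7: ICMP echo reply, id 1, seq 2, length 64
12:00:03.000102 IP 192.0.2.20 > 203.0.113.7: ICMP echo reply, id 1, seq 2, length 64'

# broadcast_echo_requests BCAST: read tcpdump lines on stdin and print
# "source count" for every source that sent echo requests to BCAST.
# Field layout: $1 time, $2 "IP", $3 src, $4 ">", $5 "dst:", $6.. "ICMP echo request,"
broadcast_echo_requests() {
    awk -v bcast="$1" '
        $2 == "IP" && $6 == "ICMP" && $7 == "echo" && $8 == "request," {
            dst = $5; sub(/:$/, "", dst)
            if (dst == bcast) count[$3]++
        }
        END { for (s in count) printf "%s %d\n", s, count[s] }
    ' | LC_ALL=C sort
}

# echo_reply_fanin: read tcpdump lines on stdin and print
# "destination replies distinct_senders" for every destination of echo replies.
# Many distinct senders answering one destination in a short window is the
# amplification signature of a Smurf flood.
echo_reply_fanin() {
    awk '
        $2 == "IP" && $6 == "ICMP" && $7 == "echo" && $8 == "reply," {
            dst = $5; sub(/:$/, "", dst)
            replies[dst]++
            if (!((dst, $3) in seen)) { seen[dst, $3] = 1; senders[dst]++ }
        }
        END { for (d in replies) printf "%s %d %d\n", d, replies[d], senders[d] }
    ' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_ICMP_LOG" | broadcast_echo_requests 192.0.2.255
printf '%s\n' "$SAMPLE_ICMP_LOG" | echo_reply_fanin
```

On the sample, the first function reports 203.0.113.7 sending 2 requests to the broadcast address, and the second reports 5 replies from 3 distinct hosts arriving at 203.0.113.7, while the ordinary ping between 192.0.2.30 and 192.0.2.1 shows one reply from one sender. On a live capture the same functions take `tcpdump -n icmp` output on stdin.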

2. Disable ICMP route redirection

AIX 5
#no -o ipignoreredirects=1
#no -o ipsendredirects=0
FreeBSD 5-7
#sysctl -w net.inet.ip.redirect=0
#sysctl -w net.inet.ip6.redirect=0
HP-UX 10
#ndd -set /dev/ip ip_send_redirects 0
#ndd -set /dev/ip ip_forward_directed_broadcasts 0
Linux 2.4-2.6
#sysctl -w net.ipv4.conf.all.accept_redirects=0
#sysctl -w net.ipv6.conf.all.accept_redirects=0
#sysctl -w net.ipv4.conf.all.send_redirects=0
#sysctl -w net.ipv6.conf.all.send_redirects=0
OpenBSD 3-4
#sysctl -w net.inet.icmp.rediraccept=0
#sysctl -w net.inet6.icmp6.rediraccept=0
Solaris 8-10
#ndd -set /dev/ip ip_ignore_redirect 1
#ndd -set /dev/ip ip6_ignore_redirect 1
#ndd -set /dev/ip ip_send_redirects 0
#ndd -set /dev/ip ip6_send_redirects 0

Otherwise, forged ICMP redirect messages can corrupt your system's routing table.

3. Disable ICMP broadcast detection (address mask and timestamp requests)

AIX 5
#no -o icmpaddressmask=0
FreeBSD 5-7
#sysctl -w net.inet.icmp.maskrepl=0
HP-UX 10
#ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
#ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
Linux 2.4-2.6
#sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
OpenBSD 3-4
This is already the default setting.
Solaris 8-10
#ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
#ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
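
The Linux rows of sections 1, 2 and 3 are five sysctl keys, and the practical question after applying them is whether a given machine actually has them set. As an added example (not code from the original article), the following shell script audits "key = value" lines, as printed by `sysctl -a`, against the article's hardened values and reports every key that is wrong or absent; a second function applies the values, and a third runs the audit against the running kernel. The sample sysctl output is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Audit the Linux 2.4-2.6
# sysctl keys from sections 1, 2 and 3 against their hardened values. The
# check is plain text processing over "key = value" lines, so it runs
# against a constructed sample (below) as well as live "sysctl -a" output.

# Hardened values, exactly as sections 1-3 give them for Linux.
ICMP_HARDENED="net.ipv4.icmp_echo_ignore_broadcasts=1 \
net.ipv4.conf.all.accept_redirects=0 \
net.ipv6.conf.all.accept_redirects=0 \
net.ipv4.conf.all.send_redirects=0 \
net.ipv6.conf.all.send_redirects=0"

# icmp_findings: read "key = value" lines on stdin and print one line per key
# whose value differs from the hardened value, or which is absent:
#   key current=<value|missing> expected=<value>
icmp_findings() {
    awk -v spec="$ICMP_HARDENED" '
        BEGIN {
            n = split(spec, items, " ")
            for (i = 1; i <= n; i++) {
                split(items[i], kv, "=")
                want[kv[1]] = kv[2]
            }
        }
        {
            line = $0
            gsub(/[ \t]/, "", line)        # sysctl prints "key = value"
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            if (key in want) {
                seen[key] = 1
                if (val != want[key])
                    printf "%s current=%s expected=%s\n", key, val, want[key]
            }
        }
        END {
            for (k in want) if (!(k in seen))
                printf "%s current=missing expected=%s\n", k, want[k]
        }
    ' | LC_ALL=C sort
}

# icmp_apply: write the hardened values with sysctl -w (needs root; Linux only).
icmp_apply() {
    for kv in $ICMP_HARDENED; do
        sysctl -w "$kv"
    done
}

# icmp_audit_live: run the check against the running kernel (Linux only).
icmp_audit_live() {
    sysctl -a 2>/dev/null | icmp_findings
}

# Constructed sample in "sysctl -a" format: two keys wrong, one right, one
# unrelated, and the IPv6 send_redirects key absent altogether.
SAMPLE_SYSCTL='net.ipv4.icmp_echo_ignore_broadcasts = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 1
net.ipv4.ip_forward = 0'

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SYSCTL" | icmp_findings
```

On the sample the audit lists the broadcast-echo key, the IPv4 accept and send redirect keys, and the missing IPv6 send_redirects key; an absent key on a real host usually means the IPv6 stack is not loaded. Note that `sysctl -w` takes effect immediately but does not survive a reboot; to persist the settings, put the same key=value lines in /etc/sysctl.conf and re-run the audit after the next boot.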
