Http://soft.yesky.com/security/hkjj/408/2053408.shtml2005-08-01 16: 31 Author: Zhao Biao Source: Heiji responsibility Editor: wilderness
Even if the TCP/IP protocol is well implemented, the TCP/IP network can be attacked due to its own security. These attacks include serial number spoofing, route attacks, Source Address Spoofing, and authorization spoofing. In addition to the IP spoofing attack method, this article also describes how to prevent this attack.
The above attacks are based on the attacker's computer (including routes) connected to the Internet. The attack method here is targeted at the defects of TCP/IP itself, rather than a specific implementation.
In fact, IP spoofing is not an attack, but an attack. Attack is actually the destruction of trust relationships.
IP spoofing Principle
Trust Relationship
In the Unix field, trust relationships can be easily obtained. If you have an account on host a and host B, you will find that when using host a, you need to enter the corresponding account on host,
When using host B, you must enter an account on host B. host a and host B treat you as two unrelated users, which is obviously inconvenient. To reduce this inconvenience, you can create two accounts on host a and host B.
. Create the. rhosts file in your home directory on host a and host B. From host a, enter 'echo "B in your home directory
Username "> ~ /. Rhosts'; enter 'echo "a username" in your home directory from host B"
> ~ /. Rhosts'
. At this point, you can use Remote logins starting with R *, such as rlogin, rcall, and RSH without any worries about password verification. These commands allow address-based verification,
Or allow or deny access services based on IP addresses.
Here, the trust relationship is based on IP addresses.
Rlogin
Rlogin is a simple client/server program that uses TCP transmission. Rlogin
Allows users to log on from one host to another, and if the target host trusts it, Rlogin
Resources on the target host can be used without a password. Security Verification is based entirely on the source host's IP address. Therefore, based on the above example, we can use Rlogin
To remotely log on to A from B without being prompted to enter a password.
TCP serial number Prediction
The IP address only sends data packets and ensures its integrity. If you cannot receive the complete IP packet, the IP will send an ICMP packet to the source address
Error message, and you want to re-process it. However, this package may also be lost. Because the IP address is non-connection-oriented, it does not maintain any connection status information. Each IP packet is sent out loose, regardless of the previous
And the last packet. It can be seen that the IP stack can be modified, and any IP address meeting the requirements can be placed in the source address and destination address, that is, a false IP address is provided.
TCP provides reliable transmission. Reliability is provided by the multi-bit control word in the data packet. The most important is the data sequence and data validation, which are expressed by SYN and ACK respectively. TCP
Assign a serial number to each Data byte and send it to the packet sent from the received source address (the destination address ACK ).
The confirmed data packet sequence is the data packet sequence of the source address, rather than the data packet sequence sent by itself ). Ack also carries the data serial number that is expected to be obtained. Obviously, TCP provides
This reliability is more difficult to fool than IP.
Serial number, validation, and other flag Information
Because TCP is based on reliability, it can provide mechanisms to handle packet loss, duplication, Order disorder, and other adverse situations. In fact, by allocating serial numbers to all transmitted bytes, and
The receiving end is expected to provide the receiving confirmation for the data sent by the sending end, so that TCP can ensure reliable transmission. The acceptor uses the serial number to ensure the data sequence and remove repeated data packets. TCP
The serial number can be considered as a 32-bit counter. They are from 0 to 2 ^ 32-1
. The data exchanged by each TCP connection (represented by a certain flag) is sequentially numbered. In a TCP packet, the identifier of the serial number (SYN) is defined at the front end of the Data Segment. Confirmation bit
(ACK) confirms the received data and specifies the serial number of the data to be received next time.
TCP uses the sliding window concept to control traffic. It is assumed that when the sending end sends data quickly but the receiving end receives the data slowly, it is necessary to ensure that the data is not lost.
Control traffic and coordinate the working pace of both parties. The so-called sliding window can be understood as the buffer size provided by the acceptor. TCP uses a sliding window to tell the sender to extract the data it sends.
Buffer size. Because the window is defined by 16 bits, the receiving end TCP
It can provide a buffer of up to 65535 bytes. Therefore, you can use the window size and the serial number of the first data to calculate the maximum data serial number that can be received.
Other TCP flag BITs include RST (Connection Reset, reset the connection), PSH (push function), and fin
(The sender has no data, no more data from sender ). If the RST is received, the TCP connection is immediately disconnected. RST
It is usually sent when the receiving end receives a packet unrelated to the current connection. In some cases, the TCP module needs to transmit data immediately instead of waiting until the entire segment is full. A high-level process will be triggered in
The PSH mark of the TCP header, and tells the TCP module to immediately send all the arranged data to the data receiving end. Fin
Indicates that an application connection has ended. When the receiving end receives the fin, it determines that it will not receive any data.
TCP serial number prediction was first elaborated by Morris on this security vulnerability. He uses TCP serial number prediction to generate a TCP packet sequence even if no response is received from the server. This allows him to cheat hosts on the local network.
A TCP connection usually establishes a sequence that includes three handshakes. The customer selects and transmits an initial serial number (SEQ flag) isn
C, and set the flag SYN = 1 to tell the server that it needs to establish a connection. The server confirms the transfer and sends its own serial number isn
S, and set the flag ACK, and inform the next expected data serial number is ISN = 1. The customer confirms it again. After the three confirmations, data transmission starts. The process is as follows:
(C: client s: Server)
C---S: SYN (isn c)
S---C: SYN (isn s), Ack (isn c)
C---S: ACK (ISN seconds)
C---S: data or S---C: Data
That is to say, for a session, C must be confirmed by isn s. ISN s may be a random number.
It is important to know how to select the initial sequence number and how to change the sequence number based on time. It seems that this should happen when the serial number is initialized to 1 after the host is started, but this is not actually the case. Initial
The serial number is determined by the tcp_init function. ISN increases by 128000 per second. If a connection occurs, the counter value increases by 64000 for each connection. Obviously, this makes it used to represent
The 32-bit counter of ISN, every 9.32
Reset once every hour. This is because it helps minimize the chance that the information of the old connection will interfere with the current connection. Here we use 2msl
The concept of wait time (not covered in this article ). If the initial serial number is randomly selected, the existing serial number cannot be different from the previous one. Assume that there is a situation in which
The packet finally jumps out of the loop and returns to the "old" connection (which is actually different from the existing connection of the former), which will obviously interfere with the existing connection.
Assume that an intruder X has a way to predict isn s. In this case, he may send the following serial number to host t to simulate the real isn s of the customer:
X---S: SYN (isn x), src = T.
S---T: SYN (isn s), Ack (isn x)
X---S: ACK (isn s), src = T
Although the message S * t is not X, X can know its content and therefore send data. If X wants to launch an attack on a connection and the connection allows command execution, other commands can also be executed.
So how to generate random ISNs? In the Berkeley system, the initial serial number variable is generated by a constant plus one per second. When this constant is half done, a connection starts. In this way, if you start a valid connection and observe that an isn s is in use, you can calculate it with high reliability. isn s is used in the next connection attempt.
Morris pointed out that the reply message
S---T: SYN (isn s), Ack (isn x)
In fact it does not disappear. The real host will receive it and try to reconnect. This is not a serious obstacle.
Morris found that by imitating a port on T and requesting a connection to that port, he could generate a serial overflow, making it look that S * t messages are lost. Another method is to wait until you know that t is shut down or restarted.
The following is a detailed introduction.
IP Spoofing
IP spoofing consists of several steps. Here we will briefly describe it and then explain it in detail. First, the target host is selected. Second, the trust mode has been discovered and found
A host trusted by the target host. To perform IP spoofing, hackers can perform the following tasks: Make the trusted host unable to work, and sample the TCP
The data serial number. Then, disguise as a trusted host and establish an application connection with the target host based on address verification. If successful, hackers can use a simple command to place
System backdoor for unauthorized operations.
Deploy Trusted Hosts
Once a trusted host is discovered, it is often unable to work in disguise. Because the attacker will replace the truly trusted host, he must ensure that the truly trusted host cannot receive any valid network data; otherwise, the host will be exposed. There are many ways to do this. Here we will introduce "tcp syn flood ".
As mentioned above, the first step to establish a TCP connection is that the client sends a SYN request to the server. Generally, the server sends SYN/ack
Signal. The client is determined by the IP address. The client then sends an ACK to the server, and then the data can be transmitted. However, the TCP processing module has a top priority for processing parallel SYN requests.
It can be seen as the length of the queue that stores multiple connections. Among them, the number of connections includes the three-step handshake method that is not ultimately completed, but also the three-step handshake that has been successfully completed, but has not been called by the application
. If the maximum queue limit is reached, TCP rejects all connection requests until some connection links are processed. Therefore, there is an opportunity to multiply.
Hackers often send a large number of SYN requests to the target TCP port. The source address of these requests uses a valid but false IP address (the host that may use the valid IP address does not
Boot ). The attacked host often sends a response to the IP address, but it is a pity that there is no audio message. At the same time, the IP packet will notify the TCP of the attacked HOST: the host cannot be reached, but unfortunately
TCP considers it a temporary error and tries to connect (for example, continuing to route the IP address, sending SYN/ACK packets, etc.) until you are sure you cannot connect.
Of course, this time has passed a lot of valuable time. It is worth noting that hackers will not use the IP addresses that are currently working, because in this way, the real IP address holder will receive a SYN/ack response and then send the RST to the attacked host, disconnect. The procedure described above can be expressed as follows.
1 Z (x) --- SYN ---> B
Z (x) --- SYN ---> B
Z (x) --- SYN ---> B
2 x <--- SYN/ack -- B
X <--- SYN/ack -- B
3 x <--- rst --- B
At the moment 1, the attack host puts a large number of SYN
The request is sent to the Attacked Target (the trusted host at this stage) to fill the TCP queue. At Moment 2, The Attacked Target makes a request to the IP address (fake IP address) It believes.
SYN/ack response. During this period, the TCP module of the attacked host ignores all new requests. The length of the TCP persistence connection queue varies. BSD
It is generally 5, and Linux is generally 6. The trusted host loses the ability to process new connections. The precious time it takes is the time when hackers attack the target host, which disguises it as a trusted host.
Yes.
Serial number sampling and Prediction
As mentioned above, to attack the target host, you must know the data packet serial number used by the target host. Now let's discuss how hackers make predictions. They are connected to one of the attacked hosts first.
Port (SMTP is a good choice) to establish a normal connection. Generally, this process is repeated several times and the ISN sent by the destination host is stored. The hacker also needs to estimate his host and
The RTT time (round-trip time) between Trusted Hosts. the RTT time is obtained through multiple statistical averages. RTT
It is very important to estimate the next ISN. As mentioned above, ISN increases by 128000 per second and ISN increases by 64000 per connection. Now it is not difficult to estimate the size of ISN. It is
128000 multiplied by half of RTT. If the target host has just established a connection, add a 64000 connection. After estimating the ISN size, the system immediately starts the attack. When the hacker's virtual
When a false TCP packet enters the target host, it may vary depending on the estimated accuracy:
· If the estimated serial number is accurate, the incoming data will be placed in the receiving buffer for use.
· If the estimated serial number is smaller than the expected number, it will be abandoned.
· If the estimated serial number is greater than the expected number and is within the sliding window (the buffer mentioned above), the data is considered as a future data, the TCP module will wait for other missing numbers
Data. If the estimated serial number is greater than the expected number and is not in the sliding window (the buffer described above), TCP will discard the data and return a desired data serial number. We will mention
The hacker's host cannot receive the returned data serial number.
1 Z (B) ---- SYN --->
2 B <--- SYN/ack ---
3 Z (B) ----- ack --->
4 Z (B) ----- PSH --->
Attackers pretend to be the IP addresses of trusted hosts.
At this time, the host is still in the pause state (previously described as the loss of processing capabilities), and then sends a connection request to the target host's port 513 (rlogin port number), as shown in time 1. At the moment
2. The target host responds to the connection request and sends SYN/ACK packets to the trusted host (if the trusted host is in normal working status, it will be regarded as an error and the RST will be returned to the target host immediately
Packet, but it is paused at this time ). According to the plan, the trusted host will discard the SYN/ACK packet. Then, at moment 3, the attacker sends an ACK packet to the target host.
The serial number of the surface estimation is added with 1 (because it is being confirmed ). If the attacker estimates it is correct, the target host will receive the ACK
. To start data transmission. Generally, attackers place a backdoor in the system for intrusion. 'Cat ++>
~ /. Rhosts ′. This is because this method quickly and simply paves the way for the next intrusion.
A method similar to this TCP serial number attack is to use the netstat service. In this attack, intruders simulate a host shutdown. If the target host has netstat, it can provide the required serial number on another port. This removes the need for all guesses.
Protection against IP Spoofing
The main point of prevention is that the key to this attack is the speed at which the initial serial number variable with a relatively rough number changes in the Berkeley system. TCP requires that this variable be increased by 25000 times per second. Berkeley is relatively slow. However, the most important thing is to change the interval, not the speed.
We will consider whether the next counter is helpful when it works at 25Hz. We ignore other connections and only consider changing the counter at a fixed frequency.
To know the current serial number, send a SYN Packet and receive a reply:
X---S: SYN (isn x)
S---X: SYN (isn s), Ack (isn x) (1)
The first spoofing packet triggers the next serial number and immediately follows the server's response to the packet:
X---S: SYN (isn x), src = T (2)
Serial number isn S is used to respond:
S---T: SYN (isn s), Ack (isn x)
It is the only choice between the first message and the message received by the server. This number is the exact round-trip time between x and S. In this way, if spoofing can accurately measure and generate this time, even a 4-u clock will not be able to fight back this attack.
Discard address-based trust policies
An easy way to prevent such attacks is to discard address-based verification. The use of remote call commands of the r * class is not allowed; The. rhosts file is deleted; the/etc/hosts. equiv file is cleared. This forces all users to use other remote communication methods, such as telnet, ssh, and skey.
Filter packets
If your network is connected to the Internet through a router, you can use your router to filter packets. Make sure that only your internal LAN can use the trust relationship, and hosts on the internal LAN should be careful when dealing with hosts outside the LAN. Your vro helps you filter out all external requests that you want to establish a connection with the internal server.
Use encryption methods
Another obvious way to prevent IP spoofing is to require encrypted transmission and verification during communication. When multiple methods coexist, the encryption method may be the most suitable.
Use random initial serial number
An important factor for successful hacker attacks is that serial numbers are not randomly selected or randomly added. Bellovin
A method to make up for TCP deficiency is described, that is, to split the serial number space. Each connection has its own serial number space. The serial number will still be added in the previous method, but not in the serial number Space
There is a clear relationship. The following formula can be used to describe:
ISN = m + f (localhost, localport, remotehost, remoteport)
M: 4 microsecond Timer
F: encrypt the hash function.
The serial number generated by F should not be calculated or guessed externally. Bellovin suggests that F is a hash function that combines the connection identifier and special vector (random number, based on the start time password.