Use IP Address Spoofing to break through firewall deep technical analysis

Source: Internet
Author: User
Tags: network function


General access control is mostly implemented in the firewall as a set of security policies: for example, resources on the internal LAN may not be used by users on the external network; the unprotected area (also called the demilitarized zone, DMZ) may belong to either the internal or the external LAN, and its resources may be used by external users to a limited extent; external users may access the Web servers in the DMZ.

Through in-depth analysis and research of firewall technology, an attacker can exploit weaknesses in a firewall's configuration and implementation to launch attacks against it. Under normal circumstances, effective attacks are carried out from related subnets, because hosts on those subnets are trusted by the firewall. Although success or failure depends on opportunity and other factors, it is worth a try for attackers.

The most common method of breaking through a firewall system is IP address spoofing, which is also the basis for a series of other attack methods. The method works because of a shortcoming of the IP protocol itself. IP forwards a packet according to the destination address in the IP header: if the destination address is on the local network, the packet is delivered directly to the destination; if it is not, the packet is sent to the gateway, which decides where to forward it. This is how IP packets are routed.

When an IP packet is routed, the source address in the IP header is not checked; it is simply assumed to be the address of the machine that sent the packet. When the host receiving the packet needs to reply to the source host, it uses the source address from the received IP header as the destination address of the packets it sends back. Although this way of communicating is simple and efficient, it is also a security weakness of IP, and many network security incidents are caused by this defect.

Hackers or intruders use forged IP addresses to generate forged packets and pass them through the packet filter as if they came from internal sites. Such attacks are very dangerous: the packet filter has no way of telling whether the packets involved are really internal packets or external packets disguised as internal ones. As long as the system finds that the sending address is within its own range, it treats the packet as internal communication and lets it pass.

Generally, a TCP connection between host A and host B (with or without a firewall in between) is established by host A's request to host B, and the mutual confirmation of A and B is based only on the initial sequence number (ISN) generated by host A and verified by host B. There are three steps:

Host A generates its ISN and sends it to host B to request a connection. After B receives A's ISN with the SYN flag set, it returns its own ISN together with an ACK to A. A then sends an ACK of B's ISN back to B. Now the TCP connection between host A and host B is normally established.

B ---- SYN ----> A

B <---- SYN + ACK ---- A

B ---- ACK ----> A

Assume that C wants to attack A, and that A and B trust each other. Once C knows that B is trusted by A, C needs to paralyze B's network function so that nothing interferes with the attack. A SYN flood is widely used for this. The attacker sends many TCP SYN packets to the attacked host. The source address of these SYN packets is not the attacker's own IP address but an address chosen by the attacker. When the attacked host receives such a SYN packet, it allocates some resources for a TCP connection and sends a TCP SYN+ACK response to the source address of the received packet (that is, to the IP address forged by the attacker).

Because the forged IP address is deliberately chosen to be a non-existent one, the attacked host never receives a reply to the SYN+ACK packets it sends out, so its TCP state for each of these connections remains in the waiting state. If the attacked host's TCP state machine has time-out control, the resources allocated to the connection are not reclaimed until the time-out expires. So if the attacker sends enough SYN packets to the attacked host, and fast enough, the host's TCP module ends up in a denial-of-service state because it can no longer allocate system resources for new TCP connections. Even if the administrator of the attacked host's network captures the attacker's packets, the attacker cannot be identified from the source address in the IP header.
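To show why the half-open state described above exhausts the attacked host, and what a defender can measure, here is an added Python model of a listener's SYN queue (example code, not part of the original article); the backlog size, time-out and every packet event are constructed assumptions.

```python
"""Half-open (SYN_RECV) queue model with the counters a defender watches.
Added example, not from the article; all values are constructed."""
from collections import OrderedDict

BACKLOG = 4      # assumed number of half-open entries the listener can hold
TIMEOUT = 60.0   # assumed seconds before an unanswered entry is reclaimed


class HalfOpenTable:
    def __init__(self, backlog=BACKLOG, timeout=TIMEOUT):
        self.backlog, self.timeout = backlog, timeout
        self.pending = OrderedDict()  # (src, sport) -> time the SYN arrived
        self.dropped = 0              # SYNs refused because the queue was full
        self.completed = 0            # handshakes finished by a matching ACK

    def _expire(self, now):
        # Resources come back only when the time-out fires, as the article says.
        for key, t0 in list(self.pending.items()):
            if now - t0 >= self.timeout:
                del self.pending[key]

    def syn(self, now, src, sport):
        self._expire(now)
        if (src, sport) not in self.pending and len(self.pending) >= self.backlog:
            self.dropped += 1         # service denied to this connection attempt
            return False
        self.pending[(src, sport)] = now
        return True

    def ack(self, now, src, sport):
        self._expire(now)
        if self.pending.pop((src, sport), None) is None:
            return False              # ACK for a connection we never queued
        self.completed += 1
        return True

    def stale_sources(self, now, age):
        """Sources whose SYN has sat unanswered for at least `age` seconds."""
        return sorted({s for (s, _), t0 in self.pending.items() if now - t0 >= age})


def replay(events, table=None):
    """events: (time, 'SYN'|'ACK', src, sport). Returns the table after replay."""
    table = table or HalfOpenTable()
    for t, kind, src, sport in events:
        (table.syn if kind == "SYN" else table.ack)(t, src, sport)
    return table


# Constructed trace: four SYNs from unreachable sources are never acknowledged,
# so they hold the queue and a genuine client at 10.0.0.5 is refused.
FLOOD = [(i * 0.01, "SYN", "203.0.113.%d" % (i + 1), 40000 + i) for i in range(4)]
FLOOD += [(1.0, "SYN", "10.0.0.5", 51000), (1.2, "ACK", "10.0.0.5", 51000)]
```

A rising `dropped` count together with a growing `stale_sources` list is the server-side signal of the flood, since legitimate clients complete the handshake within one RTT.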

While B's network function is paralyzed, C must find a way to determine A's current ISN. First, C connects to A's port 25 as before, because SMTP has no security verification mechanism; this time, however, C records A's ISN and the approximate RTT (round-trip time) from C to A. This step must be repeated many times to obtain an average RTT. Once C knows A's ISN base value and the rule by which it increments, it can calculate the time needed for RTT/2 from C to A and must then launch the attack immediately; otherwise another host may connect to A and the ISN will be larger than expected.

C sends a SYN segment to A with the source IP address changed to B. A sends a SYN+ACK segment to B, which cannot respond; B's TCP layer simply discards the segment from A. C must now pause for a moment so that A has enough time to send the SYN+ACK, because C cannot see this packet. C then sends an ACK to A, again disguised as B; this segment contains C's prediction of A's ISN + 1. If the prediction is accurate, the connection is established and data transfer begins.

The problem is that even after the connection is established, A still sends its data to B rather than to C, so C still cannot see the segments from A to B. C must blindly impersonate B and send commands to A according to the protocol standard, and then the attack is complete. If the prediction is wrong, A sends a segment with the RST flag to terminate the connection, and C has to start over. As the predicted ISN is corrected repeatedly, the attacker eventually establishes a session with the target host and thereby logs on to it as a legitimate user without further confirmation. If repeated attempts make the target host accept a root login from the network, the entire network can be fully controlled.

C (B) ---- SYN ----> A

B <---- SYN + ACK ---- A

C (B) ---- ACK ----> A

C (B) ---- PSH ----> A

IP spoofing attacks take advantage of the weakness that RPC servers rely solely on the source IP address for security verification. The hardest part of the attack is predicting A's ISN. The attack is difficult, but its chance of success is also high. C must accurately predict the information A may send to B and the response A expects from B, which requires the attacker to be quite familiar with the protocol itself. Also bear in mind that such an attack cannot be carried out interactively and must be done by a program; tools such as NetXRay can of course be used for protocol analysis in the preparation phase.

Although IP spoofing attacks are quite difficult, we should be aware that they are very widespread and intrusions often begin here. Preventing them is comparatively easy. The security risk caused by the IP defect cannot be fundamentally eliminated at present; we can only take remedial measures to minimize the harm it causes. The best defense is for every gateway or router connecting to the LAN to check incoming IP packets from the outside before deciding whether to let them into the LAN: if the source IP address of the packet is an address inside the LAN it wants to enter, the gateway or router rejects the packet and it cannot get in.

This method solves the problem well, but some Ethernet cards receive their own packets, and in practice LANs often trust each other in order to share resources, so this solution is not of great practical value. Another ideal way to defend against such attacks is to verify the IP source address when IP packets leave the LAN: each gateway or router connecting to the LAN checks the source address of the packet before deciding whether to allow a packet from inside the LAN to be sent out.

If the source IP address of the packet is not an address of the local LAN, the gateway or router rejects the packet and does not let it leave the LAN. In this way an attacker must at least use an IP address belonging to the LAN in order to get through the LAN's gateway or router, and if an attack is launched it is easy to find out who is behind it from the source address of the attacker's packets. It is therefore recommended that every ISP or LAN gateway router inspects outgoing IP packets and filters them by source address. If every gateway router did this, IP source address spoofing would basically no longer work. Where not every gateway or router can do this, network staff can only monitor the networks they manage as closely as possible to guard against possible attacks.
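The ingress and egress checks described in the last three paragraphs, as an added Python example that is not from the original article; the LAN prefix 192.168.10.0/24, the interface names and the sample packets are assumptions.

```python
"""Anti-spoofing filter for a LAN gateway: the ingress rule drops outside packets
that claim a LAN source, the egress rule drops inside packets whose source is not
a LAN address. Added example, not from the article; prefix and packets are constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.10.0/24")  # assumed range of the protected LAN


def ingress_ok(src):
    """Packet arriving on the outside interface: a LAN source cannot be genuine."""
    return ipaddress.ip_address(src) not in LAN


def egress_ok(src):
    """Packet arriving on the inside interface: only LAN sources may leave."""
    return ipaddress.ip_address(src) in LAN


def filter_packet(iface, src, dst):
    """Return ('allow'|'drop', reason) for one packet seen on interface iface."""
    try:
        if iface == "outside":
            if not ingress_ok(src):
                return "drop", "external packet claims internal source %s" % src
        elif iface == "inside":
            if not egress_ok(src):
                return "drop", "internal packet has non-LAN source %s (spoofed)" % src
        else:
            return "drop", "unknown interface %s" % iface
    except ValueError:
        return "drop", "malformed address %r" % src  # never forward what we cannot parse
    return "allow", ""


def apply_policy(packets):
    """packets: iterable of (iface, src, dst); returns (iface, src, dst, verdict) tuples."""
    return [(i, s, d, filter_packet(i, s, d)[0]) for i, s, d in packets]


# Constructed sample traffic as the gateway would see it.
SAMPLE = [
    ("outside", "198.51.100.7", "192.168.10.20"),  # legitimate external client
    ("outside", "192.168.10.9", "192.168.10.20"),  # claims to be a LAN host: ingress drop
    ("inside", "192.168.10.9", "198.51.100.7"),    # legitimate outbound
    ("inside", "203.0.113.44", "198.51.100.7"),    # forged source leaving: egress drop
]
```

The egress rule is the one the article recommends for every ISP and LAN gateway: it does not stop an attacker inside the LAN, but it forces the forged source to be a local address, which makes the sender traceable.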
