Using IP Address Spoofing to Break Through a Firewall: In-depth Technical Analysis

Source: Internet
Author: User

After in-depth analysis and research, it turns out that a firewall can be attacked by exploiting the assumptions built into its configuration and implementation. Under normal circumstances, effective attacks are launched from a related subnet, because those hosts are trusted by the firewall. Although success or failure depends on opportunity and other factors, it is worth a try for attackers.

The most common method of breaking through a firewall system is IP address spoofing, which is also the basis of other attack methods. This method works because of a shortcoming of the IP protocol itself. IP forwards packets based on the destination address in the IP header. If the destination address is in the local network, the packet is delivered directly to the destination; if it is not, the packet is sent to the gateway, which decides where to forward it. This is how IP packets are routed.

When an IP packet is routed, the source address given in the IP header is not checked; it is simply assumed to be the address of the machine that sent the packet. When the host receiving the packet needs to reply to the sender, it uses the source address from the received header as the destination address of the packets it sends back. Although this way of communicating is very simple and efficient, it is also a security weakness of IP, and many network security incidents are caused by this shortcoming.

Hackers or intruders use forged IP addresses to craft packets that appear to come from internal sites and pass them through the packet filter. Such attacks are very dangerous. It is hard to tell whether the packets involved are genuinely internal or are external packets dressed up to look internal. As long as the system finds that the source address is within its own range, it treats the packet as internal communication and lets it pass.

Generally, a TCP connection between host A and host B (with or without a firewall in between) is established by host A's request to host B, and the confirmation between A and B relies only on the initial sequence number (ISN) generated by host A and verified by host B. There are three steps:

Host A generates its ISN and sends it to host B to establish a connection. After B receives the ISN from A with the SYN flag set, it returns its own ISN together with an ACK to A. A then sends an ACK for B's ISN back to B. Now the TCP connection between host A and host B is established normally.

  B ---- SYN ----> A
  B <---- SYN+ACK ---- A
  B ---- ACK ----> A

Assume that C tries to attack A because A and B trust each other. If C already knows that B is trusted by A, it must first paralyze B's network functions so that nothing interferes with the attack. A SYN flood is widely used here. The attacker sends many TCP SYN packets to the attacked host. The source address of these SYN packets is not the attacker's own IP address but an address chosen by the attacker. When the attacked host receives one of these SYN packets, it allocates a certain amount of resources for the TCP connection and sends a TCP SYN+ACK response to the source address in the packet (that is, the address forged by the attacker) as its destination.

Because the forged IP address is carefully chosen to be a non-existent one, the attacked host never receives a response to the SYN+ACK it sent out, so its TCP state stays in the waiting state. If the TCP state machine of the attacked host has time-out control, the resources allocated for the connection are not reclaimed until the time-out expires. So if the attacker sends enough TCP SYN packets to the attacked host quickly enough, the host's TCP module is certain to end up in a denial-of-service state because it cannot allocate system resources for new TCP connections. Even if the administrator of the network where the attacked host sits captures the attacker's packets, the attacker cannot be identified from the source address information in the IP header.
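The symptom described above, a pile-up of half-open connections on one port from many sources that never complete the handshake, can be spotted from a host's connection table. The following is an added example, not code from the article: it parses a simplified "state recv-q send-q local peer" table in the style printed by tools such as ss -tan, and the sample lines are constructed rather than captured.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample connection table (not from a real host). Port 25 shows the
# SYN flood pattern from the text: five half-open entries, each from a different
# peer address, none of which ever progresses to ESTAB.
SAMPLE_TABLE = """\
LISTEN    0 128 192.168.10.5:25    0.0.0.0:*
SYN-RECV  0 0   192.168.10.5:25    203.0.113.11:40001
SYN-RECV  0 0   192.168.10.5:25    203.0.113.12:40002
SYN-RECV  0 0   192.168.10.5:25    203.0.113.13:40003
SYN-RECV  0 0   192.168.10.5:25    203.0.113.14:40004
SYN-RECV  0 0   192.168.10.5:25    203.0.113.15:40005
ESTAB     0 0   192.168.10.5:22    198.51.100.7:51022
SYN-RECV  0 0   192.168.10.5:22    198.51.100.8:51023
"""


def half_open_by_port(table: str) -> Dict[int, List[str]]:
    """Map each local port to the peer addresses of its half-open connections."""
    result: Dict[int, List[str]] = defaultdict(list)
    for line in table.splitlines():
        fields = line.split()
        # Accept both the ss spelling (SYN-RECV) and the netstat spelling (SYN_RECV).
        if len(fields) < 5 or fields[0] not in ("SYN-RECV", "SYN_RECV"):
            continue
        local, peer = fields[3], fields[4]
        port = int(local.rsplit(":", 1)[1])
        result[port].append(peer.rsplit(":", 1)[0])
    return dict(result)


def detect_syn_flood(table: str, threshold: int = 4) -> List[Tuple[int, int, int]]:
    """Return (port, half_open_count, distinct_sources) for every port whose
    number of half-open connections reaches the threshold. A flood of forged,
    non-existent sources shows up as many entries with a different peer each."""
    alerts = []
    for port, peers in sorted(half_open_by_port(table).items()):
        if len(peers) >= threshold:
            alerts.append((port, len(peers), len(set(peers))))
    return alerts


if __name__ == "__main__":
    for port, count, distinct in detect_syn_flood(SAMPLE_TABLE):
        print(f"port {port}: {count} half-open connections from {distinct} distinct sources")
```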

While B's network functions are temporarily paralyzed, C must try to determine A's current ISN. First, C connects to port 25, because SMTP has no security verification mechanism; the exchange is similar to the handshake above. This time, however, C needs to record the ISN returned by A and the approximate RTT (round trip time) between C and A. This step must be repeated many times to obtain an average RTT. Once C knows A's ISN base value and the rule by which it increments, it can work out the one-way travel time (RTT/2) from C to A, and the attack is launched immediately. Otherwise other hosts may connect to A in the meantime and the ISN will have advanced further than expected.

C sends a SYN segment to A with the source IP address changed to B's. A sends a SYN+ACK segment to B, and B cannot respond; B's TCP layer simply discards the segment A sent. At this point C needs to pause for a moment so that A has enough time to send the SYN+ACK, because C cannot see this packet. Then C, disguised as B, sends an ACK to A; this segment contains C's prediction of A's ISN + 1. If the prediction is accurate, the connection is established and data transmission starts.

The problem is that, even once the connection is established, A still sends its data to B rather than to C, and C still cannot see the segments from A to B. C must therefore proceed blind, impersonating B and sending commands to A in accordance with the protocol standard, and then the attack is complete. If the prediction is inaccurate, A sends a segment with the RST flag to terminate the connection, and C has to start from scratch. As the predicted ISN is corrected over repeated attempts, the attacker eventually establishes a session with the target host and thereby logs on as a legitimate user without further confirmation. If, through repeated attempts, the target host accepts a root login over the network, the entire network can be fully controlled.

  C(B) ---- SYN ----> A
  B <---- SYN+ACK ---- A
  C(B) ---- ACK ----> A
  C(B) ---- PSH ----> A

IP spoofing attacks take advantage of the vulnerability that RPC servers rely solely on source IP addresses for security verification. The most difficult part of the attack is predicting A's ISN. The attack is difficult, but the chance of success is also quite high. C must accurately predict what A may send to B and what response A expects from B, which requires the attacker to be quite familiar with the protocol itself. At the same time, it must be understood that such an attack cannot be carried out interactively; it has to be done by a program. Of course, tools such as netxray can be used for protocol analysis in the preparation phase.

Although IP spoofing attacks are quite difficult, we should be aware that they are very widespread and that intrusions often begin here. Preventing them is comparatively easy. The security risk caused by the defect in IP cannot be fundamentally eliminated at present; we can only take remedial measures to minimize the harm it causes. The best defence against such attacks is for each gateway or router connected to the LAN to inspect IP packets arriving from outside before deciding whether to let them into the LAN. If the source IP address of an incoming packet is an address inside the LAN it is trying to enter, the gateway or router rejects the packet and it cannot get in.

This method solves the problem well, but some Ethernet cards receive their own packets, and in practice there is often a mutual trust relationship between one LAN and another in order to share resources, so this solution is of limited practical value. A better method of defending against such attacks is to verify the IP source address when IP packets leave the LAN. That is, each gateway or router connected to the LAN checks the source address of the packet before deciding whether to let a packet from inside the LAN be sent out.

If the source IP address of the packet is not an address on the local LAN, the gateway or router rejects the packet. In this way, an attacker must at least use an IP address from the LAN when connecting through the gateway or router of that LAN, and if an attack is launched, the source IP address of the attacker's packets makes it easy to find out who launched it. It is therefore recommended that every ISP or LAN gateway router inspect and filter outgoing IP packets by their IP source address. If every gateway router did this, IP source address spoofing would basically stop working. Where not every gateway or router can do this, network staff can only monitor the networks they manage as closely as possible to guard against possible attacks.
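The two gateway checks described in the last three paragraphs, rejecting inbound packets that claim an internal source and rejecting outbound packets whose source is not a LAN address, are small enough to write down as a filter. This is an added example, not code from the article; the LAN prefix and the packets it classifies are constructed sample values.

```python
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed sample traffic as (direction, source address) pairs.
# 192.168.10.0/24 plays the LAN behind the gateway; 203.0.113.x and 10.9.8.7
# stand in for outside addresses.
SAMPLE_PACKETS = [
    ("ingress", "203.0.113.7"),     # normal inbound traffic
    ("ingress", "192.168.10.20"),   # inbound packet claiming an internal source
    ("egress", "192.168.10.5"),     # normal outbound traffic
    ("egress", "10.9.8.7"),         # outbound packet with a source we do not own
]


def make_filter(lan_prefix: str) -> Callable[[str, str], Tuple[str, str]]:
    """Build an anti-spoofing check for a gateway fronting lan_prefix."""
    lan = ipaddress.ip_network(lan_prefix)

    def check(direction: str, src: str) -> Tuple[str, str]:
        s = ipaddress.ip_address(src)
        if direction == "ingress":
            # Rule from the text: a packet coming in from outside must never
            # carry a source address that belongs to the LAN it is entering.
            if s in lan:
                return "deny", "external packet claims internal source"
            return "allow", "external source entering LAN"
        if direction == "egress":
            # Rule from the text: a packet leaving the LAN must carry a source
            # address that the LAN actually owns, so spoofed sources stop here.
            if s not in lan:
                return "deny", "outbound packet with non-LAN source"
            return "allow", "internal source leaving LAN"
        raise ValueError(f"unknown direction {direction!r}")

    return check


def filter_packets(lan_prefix: str, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Classify each (direction, src) as (direction, src, verdict, reason)."""
    check = make_filter(lan_prefix)
    return [(d, src) + check(d, src) for d, src in packets]


if __name__ == "__main__":
    for direction, src, verdict, reason in filter_packets("192.168.10.0/24", SAMPLE_PACKETS):
        print(f"{direction:7} {src:15} {verdict:5} ({reason})")
```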

This article has described in depth how IP address spoofing is used to break through a firewall. I hope it helps you learn more about the subject.
