Using IP address spoofing to break through a firewall

Source: Internet
Author: User
Tags: ack, network function, firewall

Access control is normally enforced at the firewall by a set of security policies, for example: users on the external network may not reach resources on the internal LAN; the unprotected zone (also called the demilitarized zone, DMZ) can be reached from both the internal and the external network, but external users are restricted to a limited set of its resources; external users may be allowed to reach the Web servers in the DMZ; and so on.

By analysing the firewall technology in depth and exploiting weaknesses in the firewall's configuration and implementation, attacks can still be carried out. In general, effective attacks originate from subnets that the firewall trusts. Success also depends on other factors, such as timing, but from the attacker's point of view it is worth trying.

The most common way to get past a firewall is IP address spoofing, which is also the foundation of a whole series of other attacks. It works because of a shortcoming in IP itself. IP forwards a datagram solely on the destination address in the IP header: if the destination is on the local network, the datagram is delivered directly; otherwise it is handed to the gateway, which decides where to send it next. This is how IP routes packets.

At no point does IP routing check the source address in the header; the receiver simply takes it to be the address of the machine that sent the packet. When the destination host wants to answer, it addresses its reply to whatever source address appeared in the packet it received. This makes IP simple and efficient, but it is also a built-in security weakness of IP, and many network security incidents trace back to it.
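The following is an added example, not code from the original article. It builds and parses a minimal IPv4 header to make the point above concrete: the receiver validates the checksum and then replies to whatever address the sender wrote in the source field, because nothing in the header authenticates it. A forged datagram and a genuine one from the same address are byte-for-byte identical. The addresses and payload are constructed sample values.

```python
import socket
import struct

# Added example, not code from the original article. Addresses below are
# constructed sample values.

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag,
                              # TTL, protocol, checksum, source, destination


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum of 16-bit words (checksum field zeroed by caller)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes = b"", proto: int = 6,
               ttl: int = 64, ident: int = 0) -> bytes:
    """Build an IPv4 datagram (no options) with whatever source address we like."""
    header = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + len(payload), ident, 0,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def parse_ipv4(packet: bytes) -> dict:
    """What a receiving stack does: validate version and checksum, read the fields."""
    header = packet[:20]
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum,
     src, dst) = struct.unpack(IPV4_FMT, header)
    if ver_ihl >> 4 != 4 or (ver_ihl & 0x0F) < 5:
        raise ValueError("not a valid IPv4 header")
    # A header whose checksum is intact sums to 0xFFFF, so its complement is 0.
    if ipv4_checksum(header) != 0:
        raise ValueError("bad IP header checksum")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "ttl": ttl, "payload": packet[20:total_len]}


def reply_destination(packet: bytes) -> str:
    """The receiver addresses its reply to the source field; it has no other
    information about who really sent the packet."""
    return parse_ipv4(packet)["src"]


if __name__ == "__main__":
    # Constructed: an outside attacker forges a datagram "from" an inside host.
    forged = build_ipv4("192.168.1.20", "192.168.1.1", b"hello")
    genuine = build_ipv4("192.168.1.20", "192.168.1.1", b"hello")
    print(forged == genuine)          # True: the two are indistinguishable
    print(reply_destination(forged))  # 192.168.1.20, the forged address
```

The checksum only protects against accidental corruption; an attacker recomputes it over the forged header as easily as the genuine sender does, so it gives the receiver no way to tell the two packets apart.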

The danger is that an attacker can use a forged source address to produce bogus packets that, to a packet filter, appear to come from an internal station. Every indication of whether a packet really originated inside or merely looks that way is lost: as soon as the filter sees a source address within its own range, it treats the packet as internal and passes it.

Normally a TCP connection between hosts A and B (with or without a firewall in between) is set up by one side, here B, asking A for a connection, and the only thing that "verifies" the initiator is that it can echo back the initial sequence number (ISN) that A generated. The three-way handshake is:

B generates its own ISN and sends it to A in a segment with the SYN flag set, requesting a connection. A receives B's SYN, and replies with its own ISN together with an ACK acknowledging B's ISN. B then acknowledges A's ISN with an ACK. At this point the TCP connection between A and B is normally established.

B ----SYN----> A
B <----SYN+ACK---- A
B ----ACK----> A

Suppose C wants to attack A. A trusts B, and if C already knows that B is trusted by A, the first step is to paralyse B's network function so that B cannot interfere with the attack. A SYN flood is commonly used for this. The attacker sends a large number of TCP SYN packets to the target host; the source address of these packets is not the address of the attacker's own machine but one the attacker fills in. For each SYN it receives, the target allocates resources for a TCP connection and sends a SYN+ACK reply to the source address of the SYN, that is, to the address the attacker forged.

Because the forged address is deliberately chosen to be one that does not exist, the target never receives the ACK that should answer its SYN+ACK, and the connection stays in the half-open (waiting) state. If the target's TCP state machine has a timeout, the resources allocated for the connection are reclaimed only when that timeout expires. So if the attacker sends enough SYN packets quickly enough, the target's TCP module can no longer allocate system resources for new connections and legitimate clients are denied service. Moreover, even a network administrator who captures the attacker's packets cannot identify the attacker from the source address in the IP header.
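The following is an added simulation, not code from the original article and not a real TCP implementation. It models the listener's half-open table described above: every SYN takes a slot, the SYN+ACK goes to the forged source, and the slot is released only when the handshake completes or the entry times out. With forged, unreachable sources no ACK ever arrives, so a flood at a modest rate keeps the table full and a legitimate client is turned away until entries expire. The capacity, timeout, addresses and rates are constructed sample values.

```python
# Added simulation, not code from the original article and not a real TCP
# implementation. All addresses and timings are constructed sample values.


class SynBacklog:
    def __init__(self, capacity: int = 128, timeout: float = 75.0):
        self.capacity = capacity      # half-open entries the listener will hold
        self.timeout = timeout        # seconds before an unanswered SYN+ACK is given up
        self.slots = {}               # (src, sport) -> expiry time
        self.dropped = 0

    def _reclaim(self, now: float) -> None:
        """Timeout control: free entries whose SYN+ACK was never acknowledged."""
        for key in [k for k, exp in self.slots.items() if exp <= now]:
            del self.slots[key]

    def on_syn(self, now: float, src: str, sport: int) -> str:
        self._reclaim(now)
        if len(self.slots) >= self.capacity:
            self.dropped += 1
            return "DROPPED"          # no resources left: the client gets nothing
        self.slots[(src, sport)] = now + self.timeout
        return "SYN+ACK"              # sent to src, whoever that really is

    def on_ack(self, now: float, src: str, sport: int) -> str:
        self._reclaim(now)
        if self.slots.pop((src, sport), None) is None:
            return "RST"              # no half-open entry to complete
        return "ESTABLISHED"


def syn_flood(backlog: SynBacklog, start: float, count: int, rate: float) -> int:
    """Send `count` SYNs at `rate` per second from forged, unrouted sources
    (constructed 198.51.100.0/24 addresses). Nobody answers the SYN+ACKs, so
    each entry lives for the full timeout. Returns how many SYNs got a slot."""
    accepted = 0
    for i in range(count):
        src = "198.51.100.%d" % (i % 254 + 1)
        if backlog.on_syn(start + i / rate, src, 1024 + i) == "SYN+ACK":
            accepted += 1
    return accepted


def sustaining_rate(backlog: SynBacklog) -> float:
    """Once the table is full, entries expire at capacity/timeout per second;
    replacing them at that rate is all the attacker needs to keep it full."""
    return backlog.capacity / backlog.timeout


def legitimate_client(backlog: SynBacklog, now: float) -> str:
    """A real client at 203.0.113.9 (constructed) tries to connect."""
    if backlog.on_syn(now, "203.0.113.9", 50000) != "SYN+ACK":
        return "DENIED"
    return backlog.on_ack(now + 0.05, "203.0.113.9", 50000)


if __name__ == "__main__":
    b = SynBacklog(capacity=128, timeout=75.0)
    print(syn_flood(b, 0.0, 200, 200.0))     # 128 slots taken in under a second
    print(legitimate_client(b, 1.5))         # DENIED while the flood entries live
    print(sustaining_rate(b))                # SYNs/s needed to keep it that way
    print(legitimate_client(b, 80.0))        # ESTABLISHED once they have expired
```

The numbers make the asymmetry visible: with a 128-entry table and a 75-second timeout, fewer than two forged SYNs per second are enough to keep the service unreachable indefinitely, and none of them carries a source address that points back at the attacker.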

With B's network function temporarily paralysed, C must next find out A's current ISN. C first connects to A's port 25 (SMTP performs no access check, so the connection is accepted), exactly as in the normal handshake above, but this time records A's ISN together with the approximate round-trip time (RTT) between C and A. This is repeated several times to average the RTT. Once C knows A's ISN base value, the rule by which it increases, and the one-way delay from C to A of about RTT/2, it must launch the attack immediately: if another host opens a connection to A in the meantime, A's ISN will have moved further than predicted.

C sends A a SYN segment requesting a connection, but with the source IP changed to B's. A returns a SYN+ACK to B; B is unable to respond, and B's TCP layer simply discards A's segment. C must now pause briefly to give A time to send the SYN+ACK, since C cannot see that packet. Then C, again posing as B, sends A an ACK whose acknowledgement number is the predicted value of A's ISN plus one. If the prediction is right, the connection is established and data transfer begins.

Even when the connection is established, A still sends its data to B, not to C. C never sees the segments A sends to B, and must blindly send A the commands it wants executed, following the protocol exactly and in B's name, to complete the attack. If the prediction is wrong, A answers with a segment carrying the RST flag, the connection is aborted and C has to start over. By correcting the prediction on each attempt the attacker eventually establishes a session with the target host, and can then log on to it as a legitimate user without further authentication. If repeated attempts get the target to accept a root login from the network, the entire network can be fully controlled.

C(B) ----SYN----> A
B <----SYN+ACK---- A
C(B) ----ACK----> A
C(B) ----PSH----> A
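The following is an added simulation of the whole procedure above (probe, silence B, spoofed SYN, blind ACK, blind command), not code from the original article. Host A is modelled as a TCP server whose only authentication of a trusted client is that it echoes back A's ISN + 1, and whose ISN advances by a fixed step per connection (a simplified version of the old BSD scheme, assumed here). C never sees A's replies to B's address and must guess. The simulation also shows the two failure modes the text describes: another host connecting to A between the probe and the attack, and an A whose ISN is unpredictable, both of which end in a RST. Addresses, ports, the ISN base and the step size are constructed sample values.

```python
import random

# Added simulation, not code from the original article. Addresses, ports and
# the ISN scheme are constructed assumptions for the example.

B_IP = "10.0.0.2"                 # host B, trusted by A
C_IP = "10.0.0.99"                # the attacker
A_TRUSTED = {B_IP}


class HostA:
    def __init__(self, isn_start: int = 1_000_000, step: int = 64_000):
        self.isn = isn_start
        self.step = step
        self.half_open = {}       # (src, sport) -> ISN A chose for that connection
        self.established = set()
        self.executed = []        # commands A accepted from a "trusted" peer

    def _next_isn(self) -> int:
        # Predictable: same increment for every connection (assumed scheme).
        self.isn = (self.isn + self.step) & 0xFFFFFFFF
        return self.isn

    def on_syn(self, src: str, sport: int) -> int:
        """Returns the ISN carried in A's SYN+ACK. That segment is addressed to
        `src`; a caller that is not really `src` never learns this value."""
        isn = self._next_isn()
        self.half_open[(src, sport)] = isn
        return isn

    def on_ack(self, src: str, sport: int, ack: int) -> str:
        expected = self.half_open.pop((src, sport), None)
        if expected is None or ack != (expected + 1) & 0xFFFFFFFF:
            return "RST"          # bad acknowledgement: connection aborted
        self.established.add((src, sport))
        return "ESTABLISHED"

    def on_data(self, src: str, sport: int, command: str) -> str:
        # Authorisation is by source address only, as the text describes.
        if (src, sport) in self.established and src in A_TRUSTED:
            self.executed.append(command)
            return "OK"
        return "DENIED"


class RandomIsnHostA(HostA):
    """Same server, but each connection gets an unpredictable ISN; the fixed
    seed only makes the example reproducible."""
    def __init__(self):
        super().__init__()
        self.rng = random.Random(7)

    def _next_isn(self) -> int:
        self.isn = self.rng.getrandbits(32)
        return self.isn


def spoof_attack(a: HostA, interference: bool = False) -> str:
    # Step 1: probe. C opens real connections from its own address (the text
    # uses port 25) and records A's ISN each time to learn base and step.
    samples = []
    for sport in (40000, 40001):
        isn = a.on_syn(C_IP, sport)       # C does see this: the reply goes to C
        a.on_ack(C_IP, sport, isn + 1)
        samples.append(isn)
    step = (samples[1] - samples[0]) & 0xFFFFFFFF
    predicted = (samples[1] + step) & 0xFFFFFFFF

    if interference:                       # some other host connects to A first
        a.on_syn("10.0.0.7", 5555)

    # Step 2: SYN with B's source address. A's SYN+ACK goes to B, which the
    # SYN flood has silenced, so C cannot observe the returned value.
    _unseen = a.on_syn(B_IP, 1023)
    # Step 3: blind ACK with the predicted ISN + 1, still posing as B.
    if a.on_ack(B_IP, 1023, (predicted + 1) & 0xFFFFFFFF) != "ESTABLISHED":
        return "RST"
    # Step 4: the command goes out blind; A's answers go to B, not to C.
    return a.on_data(B_IP, 1023, "command sent in B's name")


if __name__ == "__main__":
    print(spoof_attack(HostA()))                      # OK: prediction was right
    print(spoof_attack(HostA(), interference=True))   # RST: ISN moved one step
    print(spoof_attack(RandomIsnHostA()))             # RST: nothing to predict
```

In the simulation the ordering of events is enforced by the call sequence; on a real network it is the RTT/2 wait described above that gives A time to emit the SYN+ACK before C's blind ACK arrives. The `interference` case is why the text insists the attack follow the probe immediately, and the randomised variant is why modern stacks no longer use a fixed per-connection increment.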

IP spoofing attacks exploit the fact that the RPC server relies only on the source IP address for authentication; the hardest part of the attack is predicting A's ISN. The attack is demanding, but its chance of success is high. C must foresee exactly what A will send to B and what response A expects from B, which requires the attacker to know the protocol thoroughly. It also cannot be carried out interactively: it has to be scripted. In the preparation phase, protocol analysers such as NetXRay can of course be used.

Although IP spoofing attacks are difficult, we should be acutely aware that they are widespread and that many intrusions begin this way. Defending against them is comparatively easy. The weakness in IP itself cannot currently be removed at the root; we can only take remedial measures to minimise the harm it causes. One ideal defence is for every gateway or router connecting a LAN to the outside to inspect incoming IP packets before deciding whether to admit them: if an incoming packet's source address belongs to the LAN it is about to enter, the gateway or router rejects it and does not let it in.

This method solves the problem well in principle, but because some Ethernet cards receive their own packets, and because in practice LANs often have trust relationships with other LANs in order to share resources, the scheme has limited practical value on its own. Another ideal defence is to verify the source address of packets leaving the LAN: each gateway or router checks the source address of an outgoing packet before deciding whether to let it out of the LAN.

If the source address is not an address within its own LAN, the gateway or router rejects the packet and does not let it leave. An attacker would then have to use at least an address from their own LAN to get through the gateway or router connecting it, so the source address of an attack packet would make it easy to find out who launched the attack. It is therefore recommended that every ISP and every LAN gateway router check and filter the source addresses of IP packets. If every gateway router did this, IP source address spoofing would essentially stop working. Until every gateway and router does so, each network's operators can only manage their own networks as tightly as possible to guard against possible attacks.
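The following is an added example, not code from the original article, covering both of the border checks recommended above: the ingress check (a packet arriving from outside may not claim a source inside the LAN) and the egress check (a packet leaving may only carry a source inside the LAN). It also shows why the egress check matters more than the ingress one once trust relationships with other LANs exist: if a partner network's prefix has to be admitted from outside, the ingress check at this router cannot tell a forged partner source from a real one, and only the partner's own egress filter can. The prefixes and addresses are constructed sample values.

```python
import ipaddress

# Added example, not code from the original article. Prefixes and addresses
# are constructed sample values.


class BorderRouter:
    def __init__(self, inside_prefixes, partner_prefixes=()):
        self.inside = [ipaddress.ip_network(p) for p in inside_prefixes]
        self.partners = [ipaddress.ip_network(p) for p in partner_prefixes]
        self.log = []

    @staticmethod
    def _in_any(addr: str, nets) -> bool:
        ip = ipaddress.ip_address(addr)
        return any(ip in net for net in nets)

    def is_inside(self, addr: str) -> bool:
        return self._in_any(addr, self.inside)

    def decide(self, direction: str, src: str, dst: str) -> str:
        """direction is 'ingress' (arriving on the outside interface) or
        'egress' (leaving through it). Returns 'FORWARD' or 'DROP'."""
        if direction == "ingress" and self.is_inside(src):
            verdict, why = "DROP", "outside packet claims an inside source"
        elif direction == "egress" and not self.is_inside(src):
            verdict, why = "DROP", "inside host emitting a foreign source"
        elif direction == "ingress" and self._in_any(src, self.partners):
            # Trusted partner prefix: admitted, but nothing here can tell a
            # forged partner source from a genuine one.
            verdict, why = "FORWARD", "partner source, unverifiable here"
        else:
            verdict, why = "FORWARD", ""
        self.log.append((direction, src, dst, verdict, why))
        return verdict


def run_samples(router: BorderRouter):
    """Constructed traffic: a forged packet from outside claiming an inside
    source, a normal inbound packet, an inside host spoofing a foreign source,
    a normal outbound packet, and an outside packet claiming a partner source."""
    samples = [
        ("ingress", "192.0.2.10", "192.0.2.1"),
        ("ingress", "203.0.113.5", "192.0.2.1"),
        ("egress", "203.0.113.5", "198.51.100.1"),
        ("egress", "192.0.2.10", "198.51.100.1"),
        ("ingress", "198.51.100.7", "192.0.2.1"),
    ]
    return [router.decide(*s) for s in samples]


if __name__ == "__main__":
    r = BorderRouter(["192.0.2.0/24"], partner_prefixes=["198.51.100.0/24"])
    for entry, verdict in zip(run_samples(r), r.log):
        print(verdict)
```

On a Linux router the same source-address validation is usually switched on rather than written by hand: strict reverse-path filtering (`net.ipv4.conf.all.rp_filter=1`) or an nftables rule of the form `fib saddr . iif oif missing drop` rejects packets whose source address is not reachable back through the interface they arrived on, which covers both directions of the check in one rule.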
