IP Spoofing, ARP Spoofing, ARP Trojans and Route (Router) Security, Viewed from the Large-Scale Trojan-Injection Incident


"Besides knowing how to handle physical evidence, a forensic expert also needs to think from a scientific starting point. Although physical evidence can provide important clues and proof, to solve the whole problem one must use a single thread to tie all the evidence together. Among the more than six thousand cases I have handled, I have encountered a case where I tried to solve it with a single piece of physical evidence." -- Li Changyu

This large-scale incident has drawn attention from all quarters. We have written two articles (here, here) on our research into it. It makes sense for everyone to pay attention to this incident, because it is large in scale and has gone on for a long time: what actually happened? After publishing our views we received many questions from friends, so we wrote another reply, but questions kept coming by email and through messages on our website. In this article we organize those questions and our answers, and take the opportunity to discuss what IP spoofing, non-blind IP spoofing, ARP spoofing, ARP trojans and so on are, for your reference. We have also received many emails and comments from readers; we are very touched and grateful, and everyone's encouragement is our greatest motivation. We will keep working hard to live up to your recognition of our research, and please do not hesitate to offer your suggestions.

[Latest event Development]
1. Cisco's alert notice (dated March 12) was updated on April 9. The first sentence of the whole notice now reads "non-blind TCP spoofing or other types of attacks: Reports indicate that some TCP traffic that is passed through certain Taiwanese networks is being redirected to malicious websites." (That is, some users whose TCP traffic passes through certain network segments may be affected.) This is consistent with our research results: the attacker is on the route. Also, we did not say that the attack program is inside the router; we have always said that the attack program is on the route (the path), and that one word makes a big difference.

2. Juniper also agreed with our research: "Juniper's Lin Jing said that, according to the evidence provided by Alibaba technology and others on the 12th, the mysterious website attack may have occurred on the route between 210.65.20.241 and 211.22.33.225, but the likelihood that the telecom operator's router was modified or intruded is not high." We did not say it was a router problem. We have been saying that the attack program is on the route, and our research proved that some attack programs are within TTL <= 7 hops of us. This differs from a DNS attack and from a man-in-the-middle attack. We have stated our views based on actual data and evidence, and they have been recognized by Cisco and Juniper.

3. The focus of this study is not whether it is a router problem. Our conclusions are: first, it is determined to be non-blind IP spoofing rather than a DNS attack, and there is no ARP attack, which differs from others' opinions; second, judging from the incoming packets and the content of the fake packets (iframe insertion), the attacker cannot modify the original packets, cannot suppress or hide them, and cannot prevent the genuine packets from arriving before the fake ones; third, some attack programs are within TTL <= 7 hops. We have always said that the problem occurs on the route, not in the router; please keep this in mind when reading the articles.

[What is Man-in-the-middle (MITM)?]

First we define the term "man-in-the-middle" (MITM). Wikipedia's definition: "In cryptography, the man-in-the-middle attack or bucket-brigade attack (often abbreviated MITM), sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, the owner of a public wireless access point can in principle conduct MITM attacks on the users)."

According to this definition, a MITM must satisfy the following: the attack program relays the traffic between the two victims and controls the entire traffic.

[What is ARP spoofing?]

We again take Wikipedia's definition: ARP spoofing uses forged ARP packets to make oneself a MITM on an Ethernet-like network. Note that ARP spoofing is neither the only nor the simplest way to sniff packets. First, ARP spoofing can only be used on Ethernet-like networks. Second, once ARP spoofing is used, the attacker must take on the role of the "man in the middle" and all traffic must be relayed through it; otherwise the network is interrupted, and this requires a certain amount of computing power.
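The passive view of this from a defender's side, as an added example (not code from the original article): a minimal ARP-spoofing monitor in the spirit of arpwatch, run over constructed ARP replies, that flags a known IP suddenly answered by a different MAC and one MAC claiming more than one IP, which is what an ARP-spoofing MITM on the same Ethernet segment looks like.

```python
# Added example, not from the original article. Replays constructed ARP
# replies and reports the two classic ARP-spoofing symptoms.

def check_arp_replies(replies):
    """replies: iterable of (ip, mac) pairs seen in ARP replies, in order.
    Returns a list of alert strings; empty when nothing looks spoofed."""
    ip_to_mac = {}   # last MAC that answered for each IP
    mac_to_ips = {}  # every IP each MAC has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            # an IP changing hardware address mid-session is the poison step
            alerts.append(f"ARP flip: {ip} moved from {known} to {mac}")
        ip_to_mac[ip] = mac
        ips = mac_to_ips.setdefault(mac, set())
        ips.add(ip)
        if len(ips) > 1:
            # one station answering for several IPs (e.g. the gateway's)
            alerts.append(f"MAC {mac} claims multiple IPs: {sorted(ips)}")
    return alerts


# Constructed sample on 192.0.2.0/24: the gateway .1 is legitimately
# 02:00:00:00:00:01; host .77 then answers ARP for the gateway's address,
# which is the ARP-spoofing step an ARP trojan relies on.
SAMPLE_REPLIES = [
    ("192.0.2.1", "02:00:00:00:00:01"),
    ("192.0.2.77", "02:00:00:00:00:77"),
    ("192.0.2.1", "02:00:00:00:00:77"),
]
```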

[What is an ARP trojan?]

"ARP trojan" has no precise definition, because this attack combines more than one technique. Our definition here is: the attacker uses a tool such as Zxarps to first make itself a MITM through ARP spoofing on an Ethernet-like network, and then (optionally) inserts a malicious iframe into HTTP responses to implant the trojan. By this definition, the method includes two attack technologies:

1. ARP spoofing to gain the MITM position.
2. TCP session hijacking to modify the TCP packets and insert the iframe. In fact, one noteworthy feature of Zxarps is that its TCP session hijacking is complete: it processes the TCP packets and modifies the SEQ/ACK numbers in them. Because its TCP session hijacking is complete, in most cases no unusual traffic can be seen unless one is in the same broadcast domain (or VLAN), so it is not easy to capture such traffic.

[What is non-blind IP spoofing?]

In non-blind IP spoofing, the attacker can sniff TCP/IP traffic and generate fake packets with the correct TCP sequence numbers, successfully making the victim treat them as genuine. However, unlike well-executed TCP session hijacking, in non-blind spoofing both the genuine and the fake packets reach the victim. Therefore, on the route or at the victim end, one can always detect non-blind IP spoofing by observing the traffic. Unlike blind IP spoofing, which must generate a large number of packets because the attacker cannot sniff the traffic, non-blind IP spoofing achieves its effect with very few packets; this is one of the important reasons attackers love it. When TCP session hijacking cannot be done well, or when there is no need for it, the attacker often settles for the next best thing and uses non-blind IP spoofing. Because non-blind IP spoofing requires the ability to sniff traffic, it must be combined with other sniffing techniques. ARP spoofing is one such method, but it is neither the only one nor the simplest.

[Why did we decide this is "non-blind IP spoofing" rather than, as others say, a DNS attack or an ARP attack?]

If it were a DNS attack, the user would not notice that a different website was being accessed, and the browser's address bar would still display the correct website. Therefore a DNS attack is excluded. Based on the packets published in the first two articles (here, here), it is determined to be non-blind IP spoofing. So far we cannot see whether an ARP trojan accompanies it; we have no direct evidence, so we did not say so, but we also did not say there definitely was none. Non-blind IP spoofing is what we can actually state.

Why didn't we say it was an ARP trojan? For the following reasons:

1. Because, according to the definition above, a tool such as Zxarps is used for ARP attacks. First, unless we are in the same VLAN, it is very difficult to detect traffic anomalies; we would not see the genuine and fake packets at the same time.

2. From the content of the attacker's fake packets, it is clear that the attacker cannot change the original packets, has no way to stop the genuine packets from being delivered, and has no way to prevent the fake packets from arriving too late and failing, so the attacker has implemented many workarounds. If this were an ARP attack, all of these could be avoided, but that is not the reality. The content of a fake packet is as follows:

</body>
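The detection opportunity described above (both the genuine and the forged segment reach the victim, the forged copy carrying its own TTL and needing to arrive first), as an added example that is not code from the original article: a small Python detector over constructed TCP segment records that flags a flow in which two segments claim the same sequence number with different payloads, and reports the TTL mismatch and which copy won the race.

```python
"""Detect non-blind IP (TCP) spoofing from captured TCP segments.

Added example, not code from the original article. In non-blind spoofing the
genuine and the forged segment both reach the victim, so one flow shows two
segments with the same sequence number but different payloads. The forged copy
usually carries a different IP TTL (the article saw the attack source within
TTL <= 7 hops) and must arrive first to take effect. Sample data is constructed.
"""
from collections import defaultdict

def detect_nonblind_spoofing(segments):
    """segments: dicts with ts, src, sport, dst, dport, seq, ttl, payload.
    Returns one finding per (flow, seq) carrying conflicting payloads."""
    groups = defaultdict(list)
    for s in segments:
        groups[(s["src"], s["sport"], s["dst"], s["dport"], s["seq"])].append(s)
    findings = []
    for key, group in groups.items():
        if len({g["payload"] for g in group}) < 2:
            continue  # plain retransmissions carry identical data: benign
        group = sorted(group, key=lambda g: g["ts"])
        first, rest = group[0], group[1:]
        findings.append({
            "flow": key[:4],
            "seq": key[4],
            "first_ttl": first["ttl"],
            "later_ttls": sorted({g["ttl"] for g in rest}),
            "ttl_mismatch": len({g["ttl"] for g in group}) > 1,
            # did the copy that won the race (arrived first) carry an iframe?
            "winner_has_iframe": b"<iframe" in first["payload"].lower(),
        })
    return findings

GENUINE = b"HTTP/1.1 200 OK\r\n\r\n<html><body>hello</body></html>"
FORGED = b"HTTP/1.1 200 OK\r\n\r\n<iframe src=\"http://attacker.invalid/\"></iframe></body>"

# Constructed sample: the forged copy (TTL 250, i.e. few hops away) beats the
# genuine copy (TTL 48) for seq 1000; seq 1500 is an ordinary retransmission.
SAMPLE = [
    {"ts": 0.998, "src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5",
     "dport": 51000, "seq": 1000, "ttl": 250, "payload": FORGED},
    {"ts": 1.000, "src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5",
     "dport": 51000, "seq": 1000, "ttl": 48, "payload": GENUINE},
    {"ts": 1.200, "src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5",
     "dport": 51000, "seq": 1500, "ttl": 48, "payload": b"more data"},
    {"ts": 1.400, "src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5",
     "dport": 51000, "seq": 1500, "ttl": 48, "payload": b"more data"},
]
```

The same check run on a real capture would be fed from a packet parser; the point is that a plain retransmission never trips it, while a non-blind injection always leaves two conflicting copies behind.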

Why would the attacker use this seemingly clumsy iframe insertion method? Because it cannot effectively reach the MITM position and cannot change the original packets. Let's think about this further.
