Stolen credit card numbers, compromised computer systems and other well-publicised online attacks have made users more vigilant and have led security managers to concentrate on advanced intrusion detection systems, firewalls and other high-level defences. Many forget, however, that no matter how hard they work to harden their own sites, weaknesses built into the structure of the Internet itself still put them at risk.
Something as simple as requesting a connection between two computers creates a vulnerability, and 15% of the attacks reported each year exploit it. The reason is that the mechanism has changed little since TCP/IP was adopted as the Arpanet transport protocol: IP was written within a close-knit community whose members trusted one another, so by default IP applications assume that the other party can be trusted.
Denial-of-service and data-fraud attacks that abuse TCP/IP features can be prevented with security features in routers and filters, or with those built into the new version of IP (IPv6), which can be switched on in most server operating systems. These safeguards, however, are frequently overlooked.
Recently a company was hit by a "rediscovered" TCP attack, a new way of exploiting an old weakness in TCP: if an attacker can guess the initial sequence number (ISN) that two computers use to start a packet sequence, the attacker can hijack the session. Once the ISN is known, the attacker can redirect packets or inject arbitrary data into the stream. Software vendors were believed to have solved this problem with random sequence-number generators, but it turns out the sequences are not truly random; they contain patterns that make ISNs easy to guess.
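The weakness described above is that an ISN generator which looks random may still follow a pattern. The following is an added example, not code from the original article, showing how a defender who has captured a sample of ISNs from one of their own hosts (for instance from repeated connections in a packet capture) can test whether the values are patterned. The statistics used are a simple constructed heuristic, not a method the article names: it looks at the differences between consecutive ISNs, since a fixed-increment generator produces the same difference every time while a properly randomised one does not.

```python
"""Spot patterned TCP initial sequence numbers (ISNs) in a captured sample.

Added example, not from the original article. Assumes the defender holds a
list of ISNs emitted by a host and wants to know whether they look random
or follow a guessable pattern. The heuristic (delta repetition and delta
entropy) is constructed for this example.
"""
from collections import Counter
import math
import random

SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Return the modulo-2^32 difference between each consecutive ISN pair."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def delta_entropy_bits(deltas):
    """Shannon entropy (bits) of the delta distribution; low means repetitive."""
    counts = Counter(deltas)
    total = len(deltas)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def isn_pattern_report(isns, repeat_threshold=0.5):
    """Classify an ISN sample as patterned or not.

    The sample is flagged when one delta value accounts for more than
    `repeat_threshold` of all deltas (a fixed-increment generator), or when
    the deltas carry less than half the entropy that distinct values would.
    """
    if len(isns) < 3:
        raise ValueError("need at least three ISNs to compare deltas")
    deltas = isn_deltas(isns)
    most_common_delta, count = Counter(deltas).most_common(1)[0]
    repeat_fraction = count / len(deltas)
    entropy = delta_entropy_bits(deltas)
    max_entropy = math.log2(len(deltas))  # reached when every delta differs
    patterned = repeat_fraction > repeat_threshold or entropy < 0.5 * max_entropy
    return {
        "samples": len(isns),
        "most_common_delta": most_common_delta,
        "repeat_fraction": repeat_fraction,
        "delta_entropy_bits": entropy,
        "patterned": patterned,
    }


def fixed_increment_isns(start, step, count):
    """Constructed generator mimicking an old fixed-increment ISN scheme."""
    return [(start + i * step) % SEQ_MOD for i in range(count)]


def random_isns(count, seed=7):
    """Constructed stand-in for a properly randomised ISN generator
    (seeded so the example is reproducible)."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(count)]


if __name__ == "__main__":
    print("fixed increment:", isn_pattern_report(fixed_increment_isns(0x1000, 64000, 20)))
    print("randomised:     ", isn_pattern_report(random_isns(20)))
```

The fixed-increment sample yields a single repeated delta and zero entropy and is flagged; the randomised sample yields distinct deltas and is not. Real generators can fail more subtly (small jitter around a fixed step, or time-based increments), so a larger sample and a plot of the deltas are worth the extra effort when auditing a host.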
An older technique, IP address spoofing, is also still common. Classic TCP/IP attacks such as IP spoofing and denial-of-service attacks exploiting buffer overflows remain in use. In the distributed denial-of-service attack, for example, a Trojan horse was planted on unsuspecting servers, which then flooded many e-commerce sites with service requests carrying forged source IP addresses, crashing many of the servers at those sites.
Attacks that do not target IP itself generally look for vulnerable ports and services in server software, or for functions such as address books and automated mail programs.
Common attacks against TCP/IP
In the 1980s, dozens of attacks against TCP/IP were launched on the Arpanet, and some of them are still in use today. The most common include:
1. Smurf attack: a denial-of-service attack named after the cartoon characters. It abuses a feature, available in most servers, that broadcasts a request to many computers at once. The attacker forges a legitimate IP address (the victim's) and broadcasts a request asking every server on the network to reply to that address. Because the packets look like legitimate requests from a known address, every system on the network answers, and the flood of replies overwhelms the legitimate machine and denies service.
2. SYN flood: a denial-of-service attack in which the attacker sends the target many connection (SYN) requests with forged source IP addresses. The target replies with an acknowledgement and waits for an answer. Because the forged addresses belong to no real machine, no answers come back; the half-open connections are held open and legitimate traffic is blocked.
3. Source-routing tampering: a denial-of-service and data-hijacking attack in which the attacker alters routing table entries (usually on edge routers) so that traffic destined for one site is diverted to another site, where it can be intercepted, or sent anywhere at all.
Blocking and filtering
Turning off the broadcast feature on the edge router blocks Smurf attacks. Aborting incomplete SYN requests after three seconds or less usually prevents SYN flooding. Filtering IP-routed packets can catch hijacking attempts. In fact, filtering is the essence of TCP/IP protection.
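To make the SYN flood description and the three-second abort rule concrete, here is an added example (not code from the original article) that replays a constructed list of connection events, of the kind a defender could extract from a packet capture or connection log, through a half-open connection table. A SYN that is not completed by the client's ACK within the timeout is aborted, and two flood indicators are reported: the total number of outstanding half-open entries and any single source holding many of them. The addresses, ports and timings are constructed.

```python
"""Half-open TCP connection tracking with a short abort timer.

Added example, not code from the original article. Events are
(time in seconds, source address, source port, destination port, TCP flag)
tuples; the sample at the bottom is constructed.
"""
from collections import defaultdict

HALF_OPEN_TIMEOUT_S = 3.0   # the article's "three seconds or less"


class HalfOpenTracker:
    def __init__(self, timeout_s=HALF_OPEN_TIMEOUT_S,
                 total_limit=5, per_source_limit=5):
        self.timeout_s = timeout_s
        self.total_limit = total_limit
        self.per_source_limit = per_source_limit
        self.pending = {}        # (src, sport, dport) -> time the SYN was seen
        self.expired = 0         # half-open entries aborted by the timer
        self.completed = 0       # handshakes finished by the client's ACK

    def _expire(self, now):
        """Abort every half-open entry older than the timeout (a real stack
        would do this from a timer; here it runs on each observed packet)."""
        stale = [k for k, seen in self.pending.items()
                 if now - seen > self.timeout_s]
        for k in stale:
            del self.pending[k]
        self.expired += len(stale)

    def observe(self, now, src, sport, dport, flag):
        self._expire(now)
        key = (src, sport, dport)
        if flag == "SYN":
            self.pending[key] = now
        elif flag == "ACK" and key in self.pending:
            del self.pending[key]      # third step of the handshake arrived
            self.completed += 1

    def half_open_by_source(self):
        counts = defaultdict(int)
        for src, _, _ in self.pending:
            counts[src] += 1
        return dict(counts)

    def flood_suspected(self):
        """Too many outstanding half-open entries, whatever their sources."""
        return len(self.pending) >= self.total_limit

    def suspicious_sources(self):
        """Sources holding many half-open entries at once (single-source flood)."""
        return sorted(s for s, n in self.half_open_by_source().items()
                      if n >= self.per_source_limit)


def replay(events, tracker=None):
    """Feed time-ordered events into a tracker and return it."""
    tracker = tracker or HalfOpenTracker()
    for now, src, sport, dport, flag in events:
        tracker.observe(now, src, sport, dport, flag)
    return tracker


# Constructed sample: one real client completes its handshake, eight SYNs
# with distinct forged sources (203.0.113.0/24 is documentation space) are
# never completed, then a second real client connects after the timeout.
SAMPLE_EVENTS = (
    [(0.0, "10.0.0.5", 40000, 80, "SYN"), (0.1, "10.0.0.5", 40000, 80, "ACK")]
    + [(0.2 + 0.1 * i, f"203.0.113.{i}", 1000 + i, 80, "SYN") for i in range(1, 9)]
    + [(5.0, "10.0.0.6", 40001, 80, "SYN"), (5.1, "10.0.0.6", 40001, 80, "ACK")]
)

if __name__ == "__main__":
    mid = replay(SAMPLE_EVENTS[:10])
    print("during flood: half-open =", len(mid.pending),
          "flood suspected =", mid.flood_suspected())
    end = replay(SAMPLE_EVENTS)
    print("after timeout: expired =", end.expired, "completed =", end.completed)
```

Because the forged sources are all different, the per-source indicator stays silent during the flood while the total half-open count fires; that is why a SYN flood is normally judged by the size of the half-open table (or by the ratio of SYNs to completed handshakes) rather than per client. When the second legitimate client arrives after the timeout, all eight forged entries are aborted and its own handshake completes normally.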
For example, many victims of the recent distributed denial-of-service attacks now filter traffic at their ISP instead of waiting for the "flood" to reach their own machines. Some have also configured their operating systems to drop SYN requests faster, and have changed the IP addresses of servers under attack to avoid further attacks.
Besides firewalls and intrusion detection, users can apply the following filtering techniques to prevent TCP/IP attacks:
· Filters on edge routers that block forged source addresses and SYN attacks.
· Rate-limiting filters that throttle connection requests and prevent high-volume attacks.
· Traffic analysis that detects incoming connections matching attack signatures, or traces an attack to its origin for prosecution.
· Host-based firewalls that prevent denial of service by filtering known attack types.
Because these security features are not enabled by default, IT staff may not know about them and so never turn them on, or they fear that filtering will slow the network down. In fact, these features have little impact on performance.
For example, Cisco routers include a feature called unicast reverse path forwarding checking, a reverse IP lookup that has been part of the operating system since Cisco released IOS version 10 three years ago. It detects forged traffic by checking the upstream routing table to see whether a packet really comes from the IP address it claims. Although such technologies are available almost everywhere, users rarely enable them.
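The edge-router anti-spoofing filter listed above and the unicast reverse path forwarding check just described are the same idea: consult the routing table for the packet's source address rather than its destination. The following is an added example, not code from the original article and not Cisco's implementation, that models the check over a constructed routing table. In strict mode a packet passes only if the best route back to its source leaves through the interface it arrived on; in loose mode any route back is enough. Interface names, prefixes and addresses are constructed.

```python
"""Model of a unicast reverse path forwarding (uRPF) check.

Added example, not from the original article and not Cisco's code. The
routing table, interface names and sample packets are constructed.
"""
import ipaddress


class Router:
    def __init__(self, routes):
        # routes: (prefix, egress interface); the longest matching prefix wins
        self.routes = [(ipaddress.ip_network(p), iface) for p, iface in routes]

    def lookup(self, addr):
        """Longest-prefix match; returns the egress interface or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, iface)
        return best[1] if best else None

    def urpf_permits(self, src, ingress, mode="strict"):
        """True if a packet from `src` arriving on `ingress` passes uRPF."""
        reverse_iface = self.lookup(src)
        if reverse_iface is None:
            return False              # no route back to the source: drop
        if mode == "loose":
            return True               # any route back is good enough
        return reverse_iface == ingress


def filter_packets(router, packets, mode="strict"):
    """Apply uRPF to (source, ingress interface, note) tuples."""
    return [{"src": src, "ingress": ingress, "note": note,
             "permitted": router.urpf_permits(src, ingress, mode)}
            for src, ingress, note in packets]


# Constructed edge-router table: two customer prefixes and an upstream default.
EDGE_ROUTES = [
    ("10.1.0.0/16", "eth1"),    # customer LAN behind eth1
    ("192.0.2.0/24", "eth2"),   # second customer behind eth2
    ("0.0.0.0/0", "eth0"),      # default route towards the upstream
]

# Constructed packets: two legitimate, two with forged sources.
SAMPLE_PACKETS = [
    ("10.1.2.3", "eth1", "customer host talking outwards"),
    ("198.51.100.7", "eth0", "Internet host reaching a customer"),
    ("198.51.100.7", "eth1", "customer forging an Internet source"),
    ("10.1.2.3", "eth0", "upstream packet forging our own prefix"),
]

if __name__ == "__main__":
    for verdict in filter_packets(Router(EDGE_ROUTES), SAMPLE_PACKETS):
        print(verdict)
```

Strict mode drops both forged packets in the sample: a customer cannot emit Internet addresses, and the upstream cannot emit the customer's own prefix. With a default route present, loose mode permits every source and only catches addresses with no route at all, so strict mode is the one that stops spoofing at a customer edge, while loose mode is the usual choice on interfaces where traffic may legitimately arrive asymmetrically. On Cisco IOS the per-interface commands are `ip verify unicast source reachable-via rx` (strict) and `ip verify unicast source reachable-via any` (loose).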
Performance worries are also behind the new ISN-guessing threat. In mid-1996 vendors had the opportunity to adopt a stronger random sequence generator, but most were reluctant because it cost more in CPU time.
IPSec, too, is overlooked by most people. IPSec is a subset of IPv6 and is designed to authenticate a computer with public keys before a connection is established. These two security features, both announced in 1998, can help resolve many TCP/IP security problems.
At present few vendors truly support IPSec, because businesses see no compelling reason to adopt IPSec or IPv6, especially since VPN tunnelling offers nearly the same functionality as IPSec.
Upgrading to IPv6 also takes time, and eventually everyone will need to upgrade at once; otherwise, because of compatibility problems, those who upgrade first will be unable to reach large parts of the Internet. With the arrival of wireless Internet devices, demand for address space will soon explode, and so will the need for stronger filtering and IP security. Otherwise, one day every Internet-connected device, refrigerators included, will be fair game for attackers.