The most common method of breaking through firewall systems is IP address spoofing, which is also the basis of a series of other attack methods. It works because of shortcomings in IP itself. The IP protocol forwards IP packets based on the destination address field in the IP header. If the destination address lies within the local network, the packet is delivered directly to the destination; if not, the packet is sent to the gateway, which decides where to forward it. This is how IP routes packets. When routing, IP performs no check on the source address given in the IP header; it simply trusts that the source address in the header is the address of the machine that sent the packet. When the destination host wants to reply to the source host, it uses the source address from the header of the received packet as the destination address of the packets it sends back. This way of communicating is simple and efficient, but it is also a security risk inherent in IP, and many network security incidents are caused by this shortcoming.
Hackers or intruders generate packets with a forged source address so that, to a packet filter, they appear to come from internal stations. This type of attack is very dangerous: every indication of whether the packet is really internal or external is packaged to look internal, and as long as the system finds that the source address falls within its own range, it treats the packet as internal communication and lets it pass.
Usually, the TCP connection between host A and host B (with or without a firewall in between) is established by host A requesting host B, and the mutual confirmation of A and B during this period is based only on the initial sequence number (ISN) generated by host A and verified by host B. There are three specific steps:
Host A generates its ISN and transmits it to host B in a segment with the SYN flag, requesting to establish a connection; after receiving A's SYN and ISN, B returns its own ISN together with an ACK acknowledging A's ISN; then A sends B an ACK acknowledging B's ISN. At this point, under normal circumstances, the TCP connection between hosts A and B is established.
B ---- SYN ----> A
B <---- SYN+ACK ---- A
B ---- ACK ----> A
Suppose C attempts to attack A, and that A and B trust each other. If C knows that A trusts B, C must first paralyze B's network function so that B cannot interfere with the attack. A SYN flood is commonly used here. The attacker sends many TCP SYN packets to the victim host. The source address of these SYN packets is not the IP address of the attacker's host but an address filled in by the attacker. When the victim receives such a SYN packet, it allocates resources for a TCP connection and sends a SYN+ACK reply packet to the source address in the received packet, that is, the address forged by the attacker. Since the forged address is a carefully selected address that does not exist, the victim never receives a reply to the SYN+ACK it sent out, and its TCP state machine for that connection remains in a waiting state. If the victim's TCP state machine has timeout control, the resources allocated for the connection are not reclaimed until the timeout expires. Therefore, if the attacker sends enough SYN packets quickly enough, the victim's TCP module will end up in a denial-of-service state because it cannot allocate system resources to new TCP connections. And even if the administrator of the network where the attacking host is located captures the attacker's packets, he cannot determine who the attacker is from the source address information in the IP header.
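The observable effect of the SYN flood described above is a pile-up of half-open connections at the victim: many SYNs, none of which are ever completed by the third-leg ACK, from sources that never answer. The following monitor, added here as an illustration and not code from the article, replays a constructed packet trace and raises an alert the first time one target accumulates a threshold of incomplete handshakes inside a time window. The trace format, the prefix addresses and the threshold values are assumptions for the example.

```python
"""Half-open connection monitor for detecting a SYN flood.
Added illustration, not code from the article; the trace format and the
sample packets are constructed."""
from collections import defaultdict

WINDOW_SECONDS = 1.0   # a SYN older than this is assumed to have timed out
THRESHOLD = 20         # half-open connections to one target that raise an alert

# Constructed packet trace: (timestamp, tcp_flags, src_ip, dst_ip).
# "S" = SYN, "SA" = SYN+ACK, "A" = ACK.  One legitimate client (10.0.0.5)
# completes its handshake; forty forged sources send SYNs and never reply.
SAMPLE_TRACE = [
    (0.00, "S", "10.0.0.5", "192.168.1.10"),
    (0.01, "SA", "192.168.1.10", "10.0.0.5"),
    (0.02, "A", "10.0.0.5", "192.168.1.10"),
] + [
    (0.10 + i * 0.001, "S", f"203.0.113.{i}", "192.168.1.10") for i in range(1, 41)
]


def half_open_connections(trace):
    """Replay the trace and return {target: [source, ...]} for every SYN that was
    never completed by the third-leg ACK from the same source address."""
    pending = defaultdict(list)
    for _ts, flags, src, dst in trace:
        if flags == "S":
            pending[dst].append(src)
        elif flags == "A" and src in pending[dst]:
            pending[dst].remove(src)          # handshake completed
    return {dst: srcs for dst, srcs in pending.items() if srcs}


def detect_syn_flood(trace, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return alerts as (target, half_open_count, distinct_sources), raised the
    first time a target accumulates `threshold` incomplete SYNs inside `window`.
    Many distinct sources with no completions is the signature of forged
    addresses, since real clients would answer the SYN+ACK."""
    pending = defaultdict(list)               # target -> [(syn_time, source)]
    alerts, alerted = [], set()
    for ts, flags, src, dst in trace:
        if flags == "S":
            live = [(t, s) for t, s in pending[dst] if ts - t <= window]
            live.append((ts, src))
            pending[dst] = live
            if len(live) >= threshold and dst not in alerted:
                alerts.append((dst, len(live), len({s for _, s in live})))
                alerted.add(dst)
        elif flags == "A":
            pending[dst] = [(t, s) for t, s in pending[dst] if s != src]
    return alerts


if __name__ == "__main__":
    for target, count, distinct in detect_syn_flood(SAMPLE_TRACE):
        print(f"SYN flood suspected against {target}: {count} half-open from {distinct} sources")
```

On a real host the same counts can be read from the kernel's connection table (connections in SYN_RECV state); the window here stands in for the victim's SYN timeout, which is exactly the resource-holding period the paragraph describes.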
While B's network function is temporarily paralyzed, C must find a way to determine A's current ISN. First, C connects to A's port 25, because SMTP has no security verification mechanism, in the same way as before, but this time C must record A's ISN and the rough RTT (round-trip time) from C to A. This step must be repeated several times to find the average RTT. Once C knows A's ISN base value and increment pattern, it knows that a packet takes RTT/2 to travel from C to A. C must then launch the attack immediately; otherwise other hosts may connect to A in the meantime, and A's ISN will have advanced beyond the predicted value.
C sends A a segment with the SYN flag to request a connection, but with the source IP changed to B. A sends the SYN+ACK segment back to B, but B can no longer respond; B's TCP layer simply discards the segment A sends back. At this point C needs to pause briefly to allow A to send the SYN+ACK, since C cannot see this packet. C then disguises itself as B and sends an ACK to A; the segment sent at this time carries A's ISN+1 as predicted by C. If the prediction is accurate, the connection is established and data transfer begins. The problem is that even after the connection is established, A still sends its data to B, not to C, and C still cannot see the segments A sends to B. C must work blind, sending commands to A strictly according to the protocol standard, and then the attack is complete. If the prediction is inaccurate, A sends a segment with the RST flag to terminate the connection abnormally, and C can only start over. As the predicted ISN is corrected over successive attempts, the attacker eventually establishes a session with the target host. In this way the attacker logs into the target host as a legitimate user without further confirmation. If trial and error gets the target host to accept a root login from the network, the attacker has complete control of the entire network.
C(B) ---- SYN ----> A
B <---- SYN+ACK ---- A
C(B) ---- ACK ----> A
C(B) ---- PSH ----> A
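The whole attack above hinges on C learning A's ISN "base value and increment pattern" from its own connections to port 25 and then extrapolating the ISN A will offer B. The standard mitigation is the ISN formula of RFC 6528, ISN = (M + F(localip, localport, remoteip, remoteport, secretkey)) mod 2^32, in which the time-driven counter M still advances predictably but the keyed hash F gives every connection tuple its own offset that an observer on a different tuple cannot compute. The code below, added here as an illustration and not code from the article, contrasts a clock-only legacy generator with the RFC 6528 form; the secret key, the addresses, the port numbers and the choice of HMAC-SHA256 as F are assumptions for the example (RFC 6528 itself uses MD5 but allows any suitable PRF).

```python
"""RFC 6528-style initial sequence number generation versus a clock-only ISN.
Added illustration, not code from the article; the secret key and the
connection tuples are constructed."""
import hashlib
import hmac

TICK_HZ = 250_000          # the counter M advances every 4 microseconds
MASK32 = 0xFFFFFFFF

# Constructed per-boot secret; a real stack draws this from a CSPRNG at boot.
SECRET_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def legacy_isn(local_ip, local_port, remote_ip, remote_port, now):
    """Clock-only ISN: every peer connecting at the same instant receives the
    same value, so A's ISN base value and increment pattern can be learned from
    any connection (the weakness the article's attack relies on)."""
    return int(now * TICK_HZ) & MASK32


def isn_rfc6528(local_ip, local_port, remote_ip, remote_port, now, secret=SECRET_KEY):
    """ISN = (M + F(localip, localport, remoteip, remoteport, secretkey)) mod 2^32.
    F is a keyed hash truncated to 32 bits; here HMAC-SHA256 is assumed as F."""
    m = int(now * TICK_HZ) & MASK32
    msg = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & MASK32


def isn_delta(isn_later, isn_earlier):
    """Modular difference between two ISNs, as an observer would compute it."""
    return (isn_later - isn_earlier) & MASK32


def cross_peer_gap(isn_fn, now):
    """Gap between the ISN server A offers to peer B and to peer C at the same
    instant. With legacy_isn this is 0, so C's own sample equals B's ISN; with
    isn_rfc6528 it is a per-tuple value that cannot be derived without the secret."""
    server = ("192.0.2.10", 25)          # constructed: A's SMTP port, as in the article
    to_b = isn_fn(*server, "198.51.100.7", 40000, now)
    to_c = isn_fn(*server, "203.0.113.9", 40000, now)
    return isn_delta(to_b, to_c)


if __name__ == "__main__":
    print("legacy gap between peers :", cross_peer_gap(legacy_isn, 100.0))
    print("RFC 6528 gap between peers:", cross_peer_gap(isn_rfc6528, 100.0))
```

Note that within one tuple the RFC 6528 ISN still grows by exactly 250000 per second, which preserves the sequence-space separation that M exists for; what changes is that the offset between two different peers' tuples is no longer zero, so sampling port 25 from C reveals nothing about the ISN A will hand to B.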
IP spoofing attacks take advantage of the fact that RPC servers rely only on the source IP address for security verification. The most difficult part of the attack is predicting A's ISN. The attack is relatively difficult, but its chance of success is also very high. C must accurately foresee what A will send to B and what response A expects from B, which requires the attacker to be quite familiar with the protocol itself. It is also important to understand that this kind of attack cannot be carried out interactively; it must be carried out by writing a program. Of course, during the preparation stage, tools such as NetXRay can be used for protocol analysis.
Although IP spoofing attacks are quite difficult, we should be aware that this kind of attack is very widespread and intrusions often start here. Preventing it is relatively easy. The security risk caused by the defects of IP itself cannot be fundamentally eliminated; we can only take remedial measures to minimize the harm.

The ideal defense is to check IP packets from outside before deciding whether to allow them into the LAN: if the source address of a packet arriving from outside is an address inside the LAN it wants to enter, the gateway or router rejects the packet and does not allow it into the LAN. Although this method solves the problem well, considering that some Ethernet cards receive their own packets, and that in practice there is often a need for mutual trust relationships in order to share resources, this solution does not have good practical value.

Another ideal defense is to check the source address when an IP packet leaves the LAN. That is, each gateway or router connecting to the LAN checks the source address of an IP packet before deciding whether to allow a packet from inside the LAN to be sent out. If the source address is not an address within that LAN, the gateway or router rejects the packet and does not allow it to leave. In this way, an attacker must use at least an IP address within his own LAN to pass through the gateway or router connecting that LAN, and if he launches an attack, it is easy to find out who did it from the source address of the packets he sends. Therefore, it is recommended that every ISP or LAN gateway router check the source addresses of outgoing IP packets and filter them accordingly.
If every gateway router did this, IP source address spoofing would basically no longer work. In the current situation, where not every gateway and router does this, network administrators can only monitor the networks they manage as closely as possible to guard against possible attacks.
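The two filtering rules just described, ingress (drop a packet arriving from outside whose source claims to be inside) and egress (drop a packet leaving the LAN whose source is not inside), reduce to a single source-address check keyed on direction. The following code, added here as an illustration and not code from the article, applies both rules to a constructed list of packets and also emits the equivalent iptables FORWARD-chain commands for a Linux gateway. The LAN prefix, the interface name and the sample packets are assumptions for the example.

```python
"""Source-address filtering at the LAN gateway: the ingress and egress rules
from the article. Added illustration, not code from the article; the prefix,
interface name and sample packets are constructed."""
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")      # constructed inside prefix
WAN_IFACE = "eth0"                                  # constructed outside interface


def verdict(direction, src_ip, lan=LAN):
    """direction is 'in' (packet arriving from outside) or 'out' (packet leaving
    the LAN). Returns 'accept' or 'drop'. Unparseable addresses are dropped."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return "drop"
    if direction == "in" and src in lan:
        return "drop"     # ingress rule: outside packet wearing an inside address
    if direction == "out" and src not in lan:
        return "drop"     # egress rule: inside host forging an outside address
    return "accept"


# Constructed sample packets: (direction, source address).
SAMPLE_PACKETS = [
    ("in", "203.0.113.5"),     # genuine external client
    ("in", "192.168.1.7"),     # arrives from outside claiming to be inside
    ("out", "192.168.1.7"),    # genuine inside host
    ("out", "198.51.100.2"),   # inside host forging an outside source
    ("in", "not-an-address"),  # malformed; dropped rather than guessed at
]


def filter_packets(packets, lan=LAN):
    """Annotate each packet with the gateway's decision."""
    return [(d, s, verdict(d, s, lan)) for d, s in packets]


def dropped_count(packets, lan=LAN):
    return sum(1 for _, _, v in filter_packets(packets, lan) if v == "drop")


def iptables_rules(lan=LAN, wan=WAN_IFACE):
    """The same two rules as iptables commands on the FORWARD chain: the first
    drops inside-sourced packets entering on the outside interface, the second
    drops packets leaving on the outside interface without an inside source."""
    return [
        f"iptables -A FORWARD -i {wan} -s {lan} -j DROP",
        f"iptables -A FORWARD -o {wan} ! -s {lan} -j DROP",
    ]


if __name__ == "__main__":
    for direction, src, decision in filter_packets(SAMPLE_PACKETS):
        print(f"{direction:>3} {src:<16} {decision}")
    print("\n".join(iptables_rules()))
```

The egress rule is the one the article recommends for every ISP and LAN gateway: it does not stop an inside host from spoofing another inside address, but it guarantees that whatever leaves the LAN carries an address that points back into it, which is what makes the attacker traceable.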