ch28.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 28 -- Spoofing Attacks</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch27/ch27.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch29/ch29.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">28</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Spoofing Attacks</FONT></H1>
</CENTER>
<P>There has never been more controversy about a cracking technique than the controversy
surrounding IP spoofing. IP spoofing is the most talked about and least understood
method of gaining unauthorized entry to a computer system. For example, a well publicized
spoofing case occurred in December, 1994. John Markoff, in his article that appeared
in <I>The New York Times</I> titled &quot;New Form of Attack on Computers Linked
to Internet is Uncovered,&quot; reported:

<DL>
	<DD>The first known attack using the new technique took place on Christmas day against
	the computer of a well-known computer security expert at the San Diego Supercomputer
	Center. An individual or group of unknown intruders took over his computer for more
	than a day and electronically stole a large number of security programs he had developed.
</DL>

<P>That report was not entirely accurate. The IP spoofing technique was not &quot;new,&quot;
nor was it &quot;uncovered.&quot; Rather, it has been known for more than a decade
that IP spoofing was possible. To my knowledge, the first paper written on this subject
was published in February 1985. That paper was titled &quot;A Weakness in the 4.2BSD
UNIX TCP/IP Software,&quot; and it was written by Robert Morris, an engineer at AT&amp;T
Bell Laboratories in Murray Hill, New Jersey.
<H2><FONT COLOR="#000077"><B>IP Spoofing</B></FONT></H2>
<P>Because I want to relay information about IP spoofing as accurately as possible,
I will approach the subject in a slow and deliberate fashion. If you already know
a bit about the technique, you would be wise to skip ahead to the section titled
&quot;Point of Vulnerability: The R Services.&quot;</P>
<P>I should immediately make three points about IP spoofing:

<UL>
	<LI>Few platforms are vulnerable to this technique.<BR>
	<BR>
	
	<LI>The technique is quite complex and is not commonly understood, even by talented
	crackers. It is therefore rare.<BR>
	<BR>
	
	<LI>IP spoofing is very easily prevented.
</UL>

<H3><FONT COLOR="#000077"><B>What Is a Spoofing Attack?</B></FONT></H3>
<P>A spoofing attack involves nothing more than forging one's source address. It
is the act of using one machine to impersonate another. To understand how this occurs,
you must know a bit about authentication.</P>
<P>Every user has encountered some form of authentication. This encounter most often
occurs while connecting to a network. That network could be located in the user's
home, his office, or, as in this case, the Internet. The better portion of authentication
routines known to the average user occur at the application level. That is, these
methods of authentication are entirely visible to the user. The typical example is
when a user is confronted with a password prompt on FTP or Telnet. The user enters
a username and a password; these are authenticated, and the user gains access to
the resource.</P>
<P>On the Internet, application-level authentication routines are the minority. Each
second, authentication routines that are totally invisible to the user occur. The
difference between these routines and application-level authentication routines is
fundamental. In application-level authentication, a machine challenges the user;
a machine requests that the user identify himself. In contrast, non-application-level
authentication routines occur between machines. One machine demands some form of
identification from another. Until this identification is produced and validated,
no transactions occur between the machines engaged in the challenge-response dialog.</P>
<P>Such machine-to-machine dialogs always occur automatically (that is, they occur
without human intervention). In the IP spoofing attack, the cracker attempts to capitalize
on the automated nature of the dialog between machines. Thus, the IP spoofing attack
is an extraordinary method of gaining access because in it, the cracker never uses
a username or password.</P>
<P>This, for many people, is difficult to grasp. Consequently, reports of IP spoofing
have needlessly caused much fear and paranoia on the Internet.
<H3><FONT COLOR="#000077"><B>Who Can Be Spoofed?</B></FONT></H3>
<P>The IP spoofing attack is unique in that it can only be implemented against a
certain class of machines running true TCP/IP. <I>True TCP/IP</I> is any fully fledged
implementation of TCP/IP, or one that--in its out-of-the-box state--encompasses all
available ports and services within the TCP/IP suite. By this, I am referring almost
exclusively to those machines running certain versions of UNIX (only a handful are
easily spoofed). PC machines running DOS, Windows, or Windows 95 are not included
in this group. Neither are Macintoshes running MacOS. (It is theoretically possible
that Macs running A/UX and PCs running Linux could be vulnerable, given the right
circumstances.)</P>
<P>I cannot guarantee that other configurations or services will not later be proven
vulnerable to IP spoofing, but for the moment the list of vulnerable services is
short indeed:

<UL>
	<LI>Any configuration using Sun RPC calls<BR>
	<BR>
	
	<LI>Any network service that utilizes IP address authentication<BR>
	<BR>
	
	<LI>The X Window System from MIT<BR>
	<BR>
	
	<LI>The R services
</UL>

<P><I>Sun RPC</I> refers to Sun Microsystems' standard of Remote Procedure Calls,
which are methods of issuing system calls that work transparently over networks (that
is, of executing commands over remote machines or networks).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The RFC that addresses
	RPC, titled &quot;RPC: Remote Procedure Call Protocol Specification,&quot; can be
	found at <A HREF="http://www.pasteur.fr/other/computer/RFC/10xx/1057"><TT>http://www.pasteur.fr/other/computer/RFC/10xx/1057</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>IP address authentication uses the IP address as an index. That is, the target
machine authenticates a session between itself and other machines by examining the
IP address of the requesting machine. There are different forms of IP authentication,
and most of them are vulnerable to attack. A good discussion about this appears in
a classic paper written by Steve M. Bellovin titled &quot;Security Problems in the
TCP/IP Protocol Suite&quot;:

<DL>
	<DD>If available, the easiest mechanism to abuse is IP source routing. Assume that
	the target host uses the reverse of the source route provided in a TCP open request
	for return traffic...The attacker can then pick any IP source address desired, including
	that of a trusted machine on the target's local network.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Security Problems
	in the TCP/IP Protocol Suite&quot; by Steve M. Bellovin can be found on the Web at
	<A HREF="ftp://ftp.research.att.com/dist/internet_security/ipext.ps.Z"><TT>ftp://ftp.research.att.com/dist/internet_security/ipext.ps.Z</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Point of Vulnerability: The R Services</B></FONT></H3>
<P>In the UNIX environment, the R services are rlogin and rsh. The <I>r</I> represents
the word <I>remote</I>. These two programs are designed to provide users with remote
access to other machines on the Internet. Although these programs may be compared
to programs of a similar ilk (for example, people often liken rlogin to Telnet),
these programs (or services) are unique:

<UL>
	<LI>rlogin provides a means to remotely log in to another machine. It is similar
	to Telnet. Today, rlogin is generally restricted to local use. Few networks support
	long-distance remote rlogin sessions because rlogin has been deemed a security problem.<BR>
	<BR>
	
	<LI>rsh allows you to start an instance of the shell on a remote machine. It can
	be used to execute commands on a remote host. For example, in a completely unrestricted
	network environment, you could print the password file of a remote machine to the
	local one by issuing the command <TT>rsh our_target.com cat /etc/passwd &gt;&gt;
	our_target.com_passwd</TT>. rsh, as you might expect, is a huge security hole and
	it is usually disabled.
</UL>

<P>The R services are vulnerable to IP spoofing attacks.
<H3><FONT COLOR="#000077"><B>How Spoofing Attacks Work</B></FONT></H3>
<P>Spoofing attacks differ from random scanning and other techniques used to ascertain
holes in the system. Spoofing attacks occur only <I>after</I> a particular machine
has been identified as vulnerable. By the time the cracker is ready to conduct a
spoofing attack, he or she knows the target network is vulnerable and which machine
is to be attacked.
<H4><FONT COLOR="#000077"><B>Trust Relationships and Spoofing Generally</B></FONT></H4>
<P>Nearly all forms of spoofing (and there are types other than IP spoofing) rely
on trust relationships within the target network. By trust, I don't mean human or
application-layer trust. Instead, I refer to trust between machines.</P>
<P>Chapter 18, &quot;Novell,&quot; briefly discusses spoofing of a hardware address
on an Ethernet network. This is accomplished by redefining the network address of
the workstation used to perform the spoof. In Novell networks, this is commonly accomplished
by redefining this value in the <TT>NET.CFG</TT> file, which contains parameters
that are loaded upon boot and connection to the network. <TT>NET.CFG</TT> includes
many options for altering the configuration by hand (which is useful, because conventional
configurations sometimes fail to come out correctly). To sidestep possible problems
with factory configurations, changes may be made directly to the interface using
this file. Options include number of buffers, what protocols are to be bound to the
card, port number, MDA values, and the node address.</P>
<P>Hardware address spoofing is, to a certain extent, also dependent upon the card.
Cards that do not allow for software-driven settings of the hardware address are
generally useless in this regard. You might be able to report an address, but in
most instances, the technique does not actually work. Older cards support software-driven
alteration of the address, usually with a jumper setting. (This is done by shorting
out the jumper pins on the card.) A good example is the old Western Digital Ethernet
card. Newer cards are more likely to automatically allow software-driven changes,
whereas IRQ settings may still be a jumper issue. It is likely, however, that in
the near future, Ethernet cards may not have jumpers at all due to the fact that
plug-and-play technology has emerged.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Jumpers are small plastic sheaths
	that slip over pins on a computer card (this card could be an Ethernet card, a motherboard,
	a modem, or a hard disk drive controller). These plastic jumpers are typically used
	to set addresses on such cards. The manufacturer of the card generally includes a
	manual on their product which shows the locations of jumpers on the board. Such manuals
	also usually describe different ways of configuring your jumpers. A jumper <I>pin
	set</I> consists of two pins. If these pins are covered by a plastic jumper sheath,
	they are deemed to be shorted out. Shorting out different jumpers alters the configuration
	of the card. Jumper pin sets are typically arranged in a row on the board. For example,
	a modem that has jumpers to assign IRQ addresses will probably have four or five
	jumper pin sets. By covering various combinations of these pin sets with plastic
	jumper sheaths, you can change the IRQ from three to four, five, seven, and so forth.
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>Never use MAC addresses as an
	index for authentication. Mac addresses on most modern cards can be changed easily
	using existing software or quickly hacked code. It is argued that MAC address spoofing
	is difficult because when two machines have the same MAC address on the same segment,
	communication failures and crashes result. Note, however, that this is not always
	true. This generally happens when both are trying to reach the same resource or when
	the active protocol is IPX (NetWare). In a passive state, these could co-exist, particularly
	in a TCP/IP environment. Nonetheless, there is no guarantee that the packets will
	arrive in a pristine state. 
<HR>


</BLOCKQUOTE>

<P>This type of spoofing works because each machine on a given network segment trusts
its pals on that same segment. Barring the installation of a hub that hardwire-routes
packets to each machine, at least a few trust relationships between machines will
exist within a segment. Most commonly, those machines know each other because their
addresses are listed within some database on each machine. In IP-based networks,