ch28.htm

Maximum Security (First Edition) 网络安全 英文版

<DL>
	<DD>The Novell SPX/IPX router contains an advanced spoofing algorithm, which keeps
	the ISDN line closed when no useful data transits, even while remote users are connected
	to a server. Spoofing consists [sic] to simulate the traffic, so that the server
	and the remote client both have the impression of being connected without ISDN channels
	open.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The white paper on Lightning's
	MultiCom Software Release 2.0 can be found online at <A HREF="http://www.lightning.ch/products/software/ipx/details.html"><TT>http://www.lightning.ch/products/software/ipx/details.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>There are other router products that perform this function. One is the Ethernet
Router IN-3010/15.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For further information
	about the Ethernet Router IN-3010/15, visit <A HREF="http://www.craycom.co.uk/prodinfo/inetwork/fsin301x.htm"><TT>http://www.craycom.co.uk/prodinfo/inetwork/fsin301x.htm</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>What Can Be Done to Prevent IP Spoofing Attacks?</B></FONT></H3>
<P>IP spoofing attacks can be thwarted by configuring your network to reject packets
from the Net that claim to originate from a local address (that is, reject packets
that purport to have an address of a workstation on your internal network). This
is most commonly done with a router.</P>
<P>Routers work by applying filters on incoming packets; for example, they can block
particular types of packets from reaching your network. Several companies specialize
in these devices:

<UL>
	<LI>Proteon <A HREF="(http://www.proteon.com/">(<TT>http://www.proteon.com/</TT></A>)
	<LI>Cisco Systems (<A HREF="http://www.cisco.com/"><TT>http://www.cisco.com/</TT></A>)
	<LI>Alantec (<A HREF="http://www.alantec.com/"><TT>http://www.alantec.com/</TT></A>)
	<LI>Livingston (<A HREF="http://www.livingston.com/"><TT>http://www.livingston.com/</TT></A>)
	<LI>Cayman Systems (<A HREF="http://www.cayman.com/"><TT>http://www.cayman.com/</TT></A>)
	<LI>Telebit (<A HREF="http://www.telebit.com/"><TT>http://www.telebit.com/</TT></A>)
	<LI>ACC (<A HREF="http://www.acc.com/"><TT>http://www.acc.com/</TT></A>)
	<LI>Baynetworks-Wellfleet (<A HREF="http://www.baynetworks.com/"><TT>http://www.baynetworks.com/</TT></A>)
</UL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Although routers are a solution
	to the general spoofing problem, they too operate by examining the source address.
	Thus, they can only protect against incoming packets that purport to originate from
	within your internal network. If your network (for some inexplicable reason) trusts
	foreign hosts, routers will not protect against a spoofing attack that purports to
	originate from those hosts. 
<HR>


</BLOCKQUOTE>

<P>Certain security products can also test for your vulnerability to IP spoofing.
Internet Security Systems (ISS), located online at <TT>http://iss.net</TT>, is a
company that offers such products. In fact, ISS offers a trial version that can be
used on a single local host. These tools are quite advanced.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>If you are running a firewall,
	this does not automatically protect you from spoofing attacks. If you allow internal
	addresses to access through the outside portion of the firewall, you are vulnerable!
	
<HR>


</BLOCKQUOTE>

<P>At least one authoritative source suggests that prevention can also be realized
through monitoring your network. This starts with identifying packets that purport
to originate within your network, but attempt to gain entrance at the firewall or
first network interface that they encounter on your wire:

<DL>
	<DD>There are several classes of packets that you could watch for. The most basic
	is any TCP packet where the network portion (Class A, B, or C or a prefix and length
	as specified by the Classless Inter-Domain Routing (CIDR) specification) of the source
	and destination addresses are the same but neither are from your local network. These
	packets would not normally go outside the source network unless there is a routing
	problem, worthy of additional investigation, or the packets actually originated outside
	your network. The latter may occur with Mobile IP testing, but an attacker spoofing
	the source address is a more likely cause.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from Defense Information System Network Security Bulletin #95-29. This
	bulletin can be found online at <A HREF="ftp://nic.ddn.mil/scc/sec-9532.txt"><TT>ftp://nic.ddn.mil/scc/sec-9532.txt</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Other Strange and Offbeat Spoofing Attacks</B></FONT></H3>
<P>Other forms of spoofing, such as DNS spoofing, exist. DNS spoofing occurs when
a DNS machine has been compromised by a cracker. The likelihood of this happening
is slim, but if it happens, widespread exposure could result. The rarity of these
attacks should not be taken as a comforting indicator. Earlier in this chapter, I
cited a DDN advisory that documented a rash of widespread attacks against DNS machines.
Moreover, an important CIAC advisory addresses this issue:

<DL>
	<DD>Although you might be willing to accept the risks associated with using these
	services for now, you need to consider the impact that spoofed DNS information may
	have...It is possible for intruders to spoof BIND into providing incorrect name data.
	Some systems and programs depend on this information for authentication, so it is
	possible to spoof those systems and gain unauthorized access.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The previous paragraph
	is excerpted from the CIAC advisory titled &quot;Domain Name Service Vulnerabilities.&quot;
	It can be found online at <A HREF="http://ciac.llnl.gov/ciac/bulletins/g-14.shtml"><TT>http://ciac.llnl.gov/ciac/bulletins/g-14.shtml</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>DNS spoofing is fairly difficult to accomplish, even if a cracker has compromised
a DNS server. One reason is that the cracker may not be able to accurately guess
what address DNS client users are going to request. Arguably, the cracker could assume
a popular address that is likely to appear (<A HREF="http://www.altavista.digital.com"><TT>www.altavista.digital.com</TT></A>,
for example) or he could simply replace all address translations with the arbitrary
address of his choice. However, this technique would be uncovered very quickly.</P>
<P>Could a cracker implement such an attack wholesale, by replacing all translations
with his own address and still get away with it? Could he, for example, pull from
the victim's environment the address that the user really wanted? If so, what would
prevent a cracker from intercepting every outgoing transmission, temporarily routing
it to his machine, and routing it to the legitimate destination later? Is it possible
via DNS spoofing to splice yourself into all connections without being discovered?
Probably not for more than several minutes, but how many minutes are enough?</P>
<P>In any event, in DNS spoofing, the cracker compromises the DNS server and explicitly
alters the hostname-IP address tables. These changes are written into the translation
table databases on the DNS server. Thus, when a client requests a lookup, he or she
is given a bogus address; this address would be the IP address of a machine completely
under the cracker's control.</P>
<P>You may be wondering why DNS attacks exist. After all, if a cracker has already
compromised the name server on a network, what more can be gained by directing DNS
queries to the cracker's own machine? The answer lies primarily in degrees of compromise.
Compromising the name server of a network does not equal compromising the entire
network. However, one can use the system to compromise the entire network, depending
on how talented the cracker is and how lax security is on the target network. For
example, is it possible to convince a client that the cracker's machine is really
the client's local mail server?</P>
<P>One interesting document that addresses a possible new technique of DNS spoofing
is &quot;Java Security: From HotJava to Netscape and Beyond,&quot; by Drew Dean,
Edward W. Felten, and Dan S. Wallach. The paper discusses a technique where a Java
applet makes repeated calls to the attacker's machine, which is in effect a cracked
DNS server. In this way, it is ultimately possible to redirect DNS lookups from the
default name server to a remote untrusted one. From there, the attacker might conceivably
compromise the client machine or network.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Java Security:
	From HotJava to Netscape and Beyond&quot; is located online at <A HREF="http://www.cs.princeton.edu/sip/pub/oakland-paper-96.pdf"><TT>http://www.cs.princeton.edu/sip/pub/oakland-paper-96.pdf</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>DNS spoofing is fairly easy to detect, however. If you suspect one of the DNS
servers, poll the other authoritative DNS servers on the network. Unless the originally
affected server has been compromised for some time, evidence will immediately surface
that it has been cracked. Other authoritative servers will report results that vary
from those given by the cracked DNS server.</P>
<P>Polling may not be sufficient if the originally cracked server has been compromised
for an extended period. Bogus address-hostname tables may have been passed to other
DNS servers on the network. If you are noticing abnormalities in name resolution,
you may want to employ a script utility called <I>DOC</I> (domain obscenity control).
As articulated in the utility's documentation:

<DL>
	<DD>DOC (domain obscenity control) is a program which diagnoses misbehaving domains
	by sending queries off to the appropriate domain name servers and performing a series
	of analyses on the output of these queries.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>DOC is available online
	at <A HREF="ftp://coast.cs.purdue.edu/pub/tools/unix/doc.2.0.tar.Z"><TT>ftp://coast.cs.purdue.edu/pub/tools/unix/doc.2.0.tar.Z</TT></A>.
	Other techniques to defeat DNS spoofing attacks include the use of reverse DNS schemes.
	Under these schemes, sometimes referred to as tests of your forwards, the service
	attempts to reconcile the forward lookup with the reverse. This technique may have
	limited value, though. With all likelihood, the cracker has altered both the forward
	and reverse tables. 
<HR>


</BLOCKQUOTE>

<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>Spoofing is popular now. What remains is for the technique to become standardized.
Eventually, this will happen. You can expect point-and-click spoofing programs to
hit the circuit within a year or so.</P>
<P>If you now have or are planning to establish a permanent connection to the Internet,
discuss methods of preventing purportedly internal addresses from entering your network
from the void with your router provider (or your chief network engineer). I say this
for one reason: Spoofing attacks will become the rage very soon.</P>
<CENTER>
<P>
<HR>
<A HREF="../ch27/ch27.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch29/ch29.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A><BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>