Application Security Concerns: How easy is it to fake an IP-Address?


Question


I am dealing with an application that is protected by a firewall and only allows access from certain IP-Addresses (which are application webservers).

It's a bit delicate and it would be much hassle to introduce another authentication/protection layer.

My understanding of networking is not great because it's not my subject, but in my head I made up the following scenario:

  • Someone knows the IP-Address of one of our application servers and wants to fake it to get access to the other application which he knows the listening socket and protocol of.

  • So he alters the Header of his IP packets to have the Webserver IP as transmitter.

What happens next?

  • A: His ISP rejects the packet and says "Hey, that is not the IP address you were assigned from me." - Problema Solved

  • B: The ISP passes the packet on to the next level (his up-link...)

Let's assume the ISP has been compromised or the packet is passed on without inspection (I don't know whether that's the case).

What happens next?

  • A: The carrier rejects the packet and says "Hey, that IP is not in the range of IPs we agreed you are operating on!" - Now if my webserver isn't operated by the same ISP that my attacker compromised - Problema solved

  • B: The ISP doesn't inspect the packet or is compromised and forwards it to his up-link.

Now I am quite sure that IP addresses ARE inspected and filtered when passing a router. Otherwise it would be total anarchy.

So to put this straight: An Attacker that wants to fake my IP-Address needs to compromise the VERY same ISP that is in charge of the IP-Range my Webserver operates in - or this ISP does not do packet inspection.

  • Is this correct?

Okay now I imagine my server is located in an office and its ISP is a regional cable company.

What would be the steps necessary to send packets from my IP address to another internet IP?

(Of course I am only asking to get aware of the risks and choose proper protection!)

I imagine locating the routing station which is often in some small container at the side of the street that is only protected by a lock. Going in there. Swapping cables or plugging yourself into.

Will this most likely work if you know what you are doing, or is there some encrypted handshake with keys stored on the real office's modem that is required to build an authenticated connection?

I am talking about today's standards in cable internet.

Last thought: So if my origin server is not at some household ISP that has its stations vulnerable on the street, I should be pretty safe, right?

I remember that NFS servers rely on IP authentication ONLY as a default. Because this is pretty common - are there any examples where NFS servers got hacked by faking IP addresses?

I realise that this question is put very, very vaguely. This is because I am not sure about anything I am saying here. I just wanted to give some input where I think the caveats could be, so they can be confirmed or eliminated.

Overall I am grateful for any comment and your personal thoughts about that subject!

Solution

Now I am quite sure that IP addresses ARE inspected and filtered when passing a router.

This assumption is incorrect, despite your level of sureness. "Egress filtering", which is the name of this, is generally not done.

The major protection against widespread spoofing of IP addresses is that the attacker would not receive any response packets - they would all be routed back to the host that is legitimately using the IP address being spoofed. This kind of attack is known as "blind spoofing", because the attacker is working blind.

In order to send data on a TCP connection, you must be able to finish the TCP "three-way handshake". This requires knowing the initial sequence number used by the opposite end - and since TCP initial sequence numbers are chosen reasonably randomly[1], this prevents a blind spoofing attack from being able to do this. (Note also that this does not apply to UDP - without some kind of application layer preventative, UDP is at significant risk from blind spoofing).

If the attacker can see the replies coming back (say, because he is sniffing the uplink or the local network of your server), then this also doesn't apply - spoofing TCP connections in this case is not just possible but trivial.


[1] These days, anyway - this wasn't always the case.
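The answer above makes two claims worth seeing in code: source-address filtering at the ISP edge (BCP 38 style ingress/egress filtering) is an explicit, optional configuration rather than something every router does, and a spoofer who never sees the SYN-ACK cannot complete a TCP handshake because the server's initial sequence number is random, while an attacker who can sniff the server's network simply reads it off the wire. The following is an added simulation written for this page, not code from the original post or its answer; it sends no packets (packets are plain dicts), and the addresses, prefixes and port numbers are constructed examples.

```python
"""Toy model of (1) BCP 38 style source-address filtering and (2) why a
random TCP initial sequence number (ISN) defeats a blind spoofer but not an
on-path observer. Nothing here touches a real network."""
import ipaddress
import secrets
from dataclasses import dataclass, field

# ---- Part 1: source-address filtering an ISP *may* configure at its edge ----

def ingress_filter(src_ip: str, customer_prefixes) -> bool:
    """Return True if a packet arriving on a customer port should be forwarded.
    Only sources inside the prefixes assigned to that customer pass; any other
    source address is treated as forged and dropped (BCP 38 behaviour)."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in customer_prefixes)

# ---- Part 2: TCP three-way handshake with a random server ISN --------------

MASK32 = 0xFFFFFFFF
TRUSTED_WEBSERVER = "198.51.100.10"   # constructed: the IP the firewall trusts

@dataclass
class TcpServer:
    """Minimal server-side state: SYN -> SYN-ACK -> ACK -> established."""
    half_open: dict = field(default_factory=dict)   # (src, sport) -> server ISN
    established: set = field(default_factory=set)

    def receive(self, pkt: dict):
        """Process one packet and return the reply packet, or None."""
        client = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            isn = secrets.randbits(32)              # unpredictable ISN
            self.half_open[client] = isn
            # The SYN-ACK is routed to the claimed source, whoever that really is.
            return {"dst": pkt["src"], "flags": "SYN-ACK",
                    "seq": isn, "ack": (pkt["seq"] + 1) & MASK32}
        if pkt["flags"] == "ACK" and client in self.half_open:
            if pkt["ack"] == (self.half_open[client] + 1) & MASK32:
                self.established.add(client)
                del self.half_open[client]
                return {"dst": pkt["src"], "flags": "ESTABLISHED"}
        return None

def handshake_without_seeing_syn_ack(server: TcpServer, attempts: int = 1000) -> bool:
    """Blind case: the forged source means every SYN-ACK goes to the real
    198.51.100.10, so the sender can only guess the 32-bit ISN. Returns True
    if any connection from the trusted address reached the established state."""
    for sport in range(40000, 40000 + attempts):
        server.receive({"src": TRUSTED_WEBSERVER, "sport": sport, "flags": "SYN", "seq": 0})
        guess = secrets.randbits(32)               # reply never arrived; guess
        server.receive({"src": TRUSTED_WEBSERVER, "sport": sport, "flags": "ACK",
                        "seq": 1, "ack": guess})
    return any(c[0] == TRUSTED_WEBSERVER for c in server.established)

def handshake_after_observing_syn_ack(server: TcpServer) -> bool:
    """On-path case: the SYN-ACK is visible on the server's segment, so the
    ISN is known and the random ISN provides no protection at all."""
    syn_ack = server.receive({"src": TRUSTED_WEBSERVER, "sport": 50000,
                              "flags": "SYN", "seq": 0})
    reply = server.receive({"src": TRUSTED_WEBSERVER, "sport": 50000, "flags": "ACK",
                            "seq": 1, "ack": (syn_ack["seq"] + 1) & MASK32})
    return reply is not None

if __name__ == "__main__":
    print("forward 203.0.113.7 from /24 customer:", ingress_filter("203.0.113.7", ["203.0.113.0/24"]))
    print("forward forged 198.51.100.10 from that customer:", ingress_filter(TRUSTED_WEBSERVER, ["203.0.113.0/24"]))
    print("blind spoof established a session:", handshake_without_seeing_syn_ack(TcpServer()))
    print("on-path spoof established a session:", handshake_after_observing_syn_ack(TcpServer()))
```

The blind case succeeds only with probability attempts / 2^32 per run, which is the whole point of the random ISN; the on-path case succeeds every time, matching the answer's last paragraph. A UDP service has no equivalent of the `ACK` check in `TcpServer.receive`, so an IP allowlist in front of UDP offers none of this protection, which is why the answer singles UDP out. An address-based allowlist is therefore only as strong as the network path between the trusted host and the firewall, and the BCP 38 filter in Part 1 is something the ISP has to have configured, not something the question's "routers inspect everything" assumption can rely on.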
