
Huang Rong's Network Security Tricks - Network Protocol Security Offense and Defense Training




  1. Route Spoofing
  Huang Rong's Network Security Tricks - Network Protocol Security Offense and Defense Training
  Jiang Jian, 2011.06.08

  2. Story relay
  • To be continued…

  3. Techniques
  • LAN
    • Spoofed ICMP Redirect Message
    • Target of the deception: a single host
  • WAN
    • Forged BGP announcement: IP Prefix Hijacking
    • Target of the deception: routers

  4. ICMP Redirect Message
  • ICMP type 5
  • Normal use case
    • H1 sends data to H2 via R1
    • R1 notices that H1 has a better route through R2
    • The next hop is R2, and R2 is on the same subnet as R1 and H1
    • R1 sends an ICMP Redirect
    • It tells H1 that H2 is closer via R2
    • H1 updates its routing table, adding an entry <dst:H2, nexthop:R2>

  5. Conditions
  • Triggering
    • R1 is a router
      • A normal host does not send ICMP Redirects
      • echo "1" > /proc/sys/net/ipv4/ip_forward
    • R1, R2 and H1 are on the same subnet
      • From R1's point of view, H1 can reach R2 directly without R1 forwarding
    • The packet carries no IP source-route option
  • Taking effect
    • H1 accepts ICMP Redirect messages
      • echo "1" > /proc/sys/net/ipv4/conf/*/accept_redirects
    • Other validation conditions differ between operating systems
      • The source IP must be H1's default gateway
      • H2 must be on a different subnet from H1

  6. Abuse
  • An attacker uses forged ICMP Redirect messages
    • DoS [redirecting the DNS server, e.g. 166.111.8.28]
    • MITM?
      • Eavesdropping, tampering, on-path spoofing

  7. Summary
  • Vulnerability
    • ICMP Redirect messages have no source authentication (origin authenticity)
  • Attacks in the wild
    • Apparently rare
  • Current practice
    • Refuse to accept ICMP Redirect messages
    • Is the legitimate use still common?
  • Limited capability
    • Adequate for DoS
    • MITM inside a LAN is constrained
      • Redirects a single address [a whole subnet?]
      • Intercepts only one direction of the traffic

  8. IP Prefix Hijacking

  9. History
  • Public incidents
    • April 1997: AS 7007 incident
    • December 24, 2004: TTNet in Turkey
    • January 22, 2006: Con-Edison hijacks a big chunk of the Internet
    • February 24, 2008: Pakistan's attempt to block YouTube
    • April 8, 2010: Chinese ISP hijacks the Internet
  • Causes
    • Malicious AS or misconfiguration?

  10. Research
  • Anomaly detection
    • Monitoring and detecting
  • Secure BGP protocol
    • PKI, binding IP prefix and ASN
    • S-BGP, soBGP, etc.
  • Measurement
    • Survey TCP-179 routes in the Internet

  11. Conclusion
  • The root of the spoofing: origin authenticity
  • Others: Confidentiality, Integrity
  • Internet is a wide-open virtual space
    • Very few basic protocols and services carry a (strong) authentication mechanism
    • IP packet
    • DNS (cookie-based)
    • …
  • What can we do?
    • Authentication, detection, or …

  12. References
  • RFC 792, INTERNET CONTROL MESSAGE PROTOCOL
  • Implementing a DoS attack with ICMP redirect
    • http://blog.chinaunix.net/space.php?uid=20318579&do=blog&cuid=2234002
  • SING
    • https://sourceforge.net/projects/sing/
  • http://en.wikipedia.org/wiki/IP_hijacking
