Application security question: how easy is it to spoof an IP address?

Published on 2024-11-09 05:30:23, 1364 characters, 0 views, 0 comments


I am dealing with an application that is protected by a firewall and only allows access from certain IP-Addresses (which are application webservers).

It's a bit delicate and it would be much hassle to introduce another authentication/protection layer.

My understanding of networking is not great because it's not my subject, but in my head I made up the following scenario:

  • Someone knows the IP-Address of one of our application servers and wants to fake it to get access to the other application which he knows the listening socket and protocol of.

  • So he alters the Header of his IP packets to have the Webserver IP as transmitter.

What happens next?

  • A: His ISP rejects the packet and says "Hey, that is not the IP address you were assigned from me." - Problem solved

  • B: The ISP passes the packet on to the next level (his up-link...)

Let's assume the ISP has been compromised or the packet is passed on without inspection (I don't know whether that's the case)

What happens next?

  • A: The carrier rejects the packet and says "Hey, that IP is not in the range of IP we agreed you are operating on!" - Now if my webserver isn't operated by the same ISP that my attacker compromised - Problem solved

  • B: The ISP doesn't inspect the packet or is compromised and forwards it to his up-link.

Now I am quite sure that IP addresses ARE inspected and filtered when passing a router. Otherwise it would be total anarchy.

So to put this straight: An Attacker that wants to fake my IP-Address needs to compromise the VERY same ISP that is in charge of the IP-Range my Webserver operates in - or this ISP does not do packet inspection.

  • Is this correct?

Okay now I imagine my server is located in an office and its ISP is a regional cable company.

What would be the steps necessary to send packets from my IP address to another internet IP?

(Of course I am only asking to get aware of the risks and choose proper protection!)

I imagine locating the routing station which is often in some small container at the side of the street that is only protected by a lock. Going in there. Swapping cables or plugging yourself in.

Will this most likely work if you know what you are doing, or is there some encrypted handshake with keys stored on the real office's modem that is required to build an authenticated connection?

I am talking about today's standards in cable internet.

Last thought: So if my origin server is not some household ISP that has its stations vulnerable on the street I should be pretty safe, right?

I remember that NFS servers rely on IP authentication ONLY as a default. Because this is pretty common - are there any examples where NFS servers got hacked by faking IP addresses?

I realise that this question is put very very vaguely. This is because I am not sure about anything I am saying here. I just wanted to give some input where I think the caveats could be, so they can be confirmed or eliminated.

Overall I am grateful for any comment and your personal thoughts about that subject!


Comments (2)

三月梨花 2024-11-16 05:30:23


Now I am quite sure that IP addresses ARE inspected and filtered when passing a router.

This assumption is incorrect, despite your level of sureness. "Egress filtering", which is the name of this, is generally not done.

The major protection against widespread spoofing of IP addresses is that the attacker would not receive any response packets - they would all be routed back to the host that is legitimately using the IP address being spoofed. This kind of attack is known as "blind spoofing", because the attacker is working blind.

In order to send data on a TCP connection, you must be able to finish the TCP "three-way handshake". This requires knowing the initial sequence number used by the opposite end - and since TCP initial sequence numbers are chosen reasonably randomly[1], this prevents a blind spoofing attack from being able to do this. (Note also that this does not apply to UDP - without some kind of application layer preventative, UDP is at significant risk from blind spoofing).

If the attacker can see the replies coming back (say, because he is sniffing the uplink or the local network of your server), then this also doesn't apply - spoofing TCP connections in this case is not just possible but trivial.


1. These days, anyway - this wasn't always the case.
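The handshake argument in this answer, as an added simulation that is not part of the answer and not a real TCP stack: a constructed in-memory server allow-lists one source address (the "web server" of the question) and picks a random 32-bit initial sequence number for each SYN. An on-path client sees the SYN-ACK and completes the handshake; a blind spoofer, whose SYN-ACK is routed to the real owner of the forged address, has to guess the ACK number (one chance in 2^32) and never reaches the established state; an allow-listed UDP-style service, having no handshake, accepts the same forged source without question. All addresses, class names and the `Segment` model are constructed for the example.

```python
"""Constructed model of why blind IP spoofing fails against a TCP allow-list
but succeeds against a UDP allow-list. No real sockets are used."""
import random
from dataclasses import dataclass

# Constructed: the one source the firewall allow-lists (the question's web server).
ALLOWED_SOURCES = {"198.51.100.10"}
SEQ_MASK = 0xFFFFFFFF


@dataclass
class Segment:
    src: str
    flags: str            # "SYN", "SYN-ACK", "ACK" or "PSH"
    seq: int = 0
    ack: int = 0
    payload: bytes = b""


class TcpServer:
    """Allow-lists the source IP, then requires the handshake ACK to carry
    (server ISN + 1), where the ISN is drawn randomly per connection."""

    def __init__(self, rng=random):
        self.rng = rng
        self.pending = {}        # src -> server ISN waiting for its ACK
        self.established = set()
        self.delivered = []      # payloads accepted on established sessions

    def receive(self, seg):
        """Process one segment; return the reply segment, or None."""
        if seg.src not in ALLOWED_SOURCES:
            return None                                   # firewall drop
        if seg.flags == "SYN":
            isn = self.rng.getrandbits(32)
            self.pending[seg.src] = isn
            return Segment("server", "SYN-ACK", seq=isn, ack=(seg.seq + 1) & SEQ_MASK)
        if seg.flags == "ACK" and seg.src in self.pending:
            if seg.ack == (self.pending[seg.src] + 1) & SEQ_MASK:
                self.established.add(seg.src)
                del self.pending[seg.src]
            return None
        if seg.flags == "PSH" and seg.src in self.established:
            self.delivered.append(seg.payload)
        return None


def on_path_session(server, src, payload):
    """Legitimate (or on-path) client: it receives the SYN-ACK, so it can
    acknowledge the server's ISN and then send data."""
    client_isn = random.getrandbits(32)
    synack = server.receive(Segment(src, "SYN", seq=client_isn))
    next_seq = (client_isn + 1) & SEQ_MASK
    server.receive(Segment(src, "ACK", seq=next_seq, ack=(synack.seq + 1) & SEQ_MASK))
    server.receive(Segment(src, "PSH", seq=next_seq, payload=payload))
    return src in server.established


def blind_spoof_session(server, spoofed_src, payload, guess_rng=random):
    """Blind attacker: the forged SYN is accepted, but the SYN-ACK is routed to
    the real owner of spoofed_src, so the ACK number can only be guessed."""
    client_isn = 1000
    server.receive(Segment(spoofed_src, "SYN", seq=client_isn))   # reply never reaches attacker
    guessed_ack = guess_rng.getrandbits(32)                        # 1 in 2**32 chance
    server.receive(Segment(spoofed_src, "ACK", seq=client_isn + 1, ack=guessed_ack))
    server.receive(Segment(spoofed_src, "PSH", seq=client_isn + 1, payload=payload))
    return spoofed_src in server.established


class UdpService:
    """Allow-listed UDP-style service: there is no handshake, so a datagram
    with a forged but allow-listed source is accepted as genuine."""

    def __init__(self):
        self.delivered = []

    def receive(self, src, payload):
        if src in ALLOWED_SOURCES:
            self.delivered.append(payload)
            return True
        return False


if __name__ == "__main__":
    tcp = TcpServer()
    print("on-path TCP established:", on_path_session(tcp, "198.51.100.10", b"GET /"))
    tcp = TcpServer()
    print("blind spoofed TCP established:", blind_spoof_session(tcp, "198.51.100.10", b"GET /"))
    udp = UdpService()
    print("blind spoofed UDP accepted:", udp.receive("198.51.100.10", b"forged request"))
```

The model deliberately keeps the firewall check (`ALLOWED_SOURCES`) and the handshake check separate: the allow-list alone stops nothing that carries the right source address, and it is the unguessable ISN that makes the blind TCP case fail, which is exactly why the UDP service in the same model is exposed.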

橪书 2024-11-16 05:30:23


Inside a LAN it depends on how your routers/switches/hubs are configured. But I think spoofing should be possible quite often.


I don't think the IP address is inspected. Thus you can send UDP packets with forged sender IP. But you won't receive the answer since the server will send it to the real owner of that IP.

This means you can't simply fake an IP in TCP since establishing the connection needs a handshake.


You can forge the IP of somebody if the response will go through your router. So a network admin can fake all IPs inside his LAN, an ISP all IPs inside his net, and a carrier can fake IPs on many international connections, provided they get routed through him.


Finally there is the possibility of abusing BGP to modify the routes for that IP to go through your computer. But not everybody has access to BGP, you probably need to become an ISP to get it. And then the manipulation will probably be detected because BGP route changes are monitored.
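The inspection that the first answer says is "generally not done" and that this answer also assumes is absent is source-address validation at the network edge (ingress filtering in the BCP 38 sense). As an added illustration, not code from this answer or from any router vendor, here is a constructed Python filter: each customer-facing interface is mapped to the source prefixes it may legitimately originate, every other source is dropped, and drops are counted per interface so an operator can see where forged sources are appearing. Interface names, prefixes and the sample packets are constructed.

```python
"""Source-address validation (ingress filtering) over constructed packets.
A packet is permitted only if its source lies in a prefix the arriving
interface is allowed to originate; anything else is dropped and counted."""
import ipaddress
from collections import Counter

# Constructed edge-router configuration: ingress interface -> legitimate source prefixes.
INTERFACE_PREFIXES = {
    "cust-a": ["203.0.113.0/24"],
    "cust-b": ["198.51.100.0/25", "2001:db8:b::/48"],
}

# Constructed sample traffic: (ingress interface, source address, destination address).
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7", "192.0.2.1"),      # genuine cust-a source
    ("cust-a", "198.51.100.10", "192.0.2.1"),    # cust-b's address forged from cust-a
    ("cust-b", "198.51.100.10", "192.0.2.1"),    # genuine cust-b source
    ("cust-b", "198.51.100.200", "192.0.2.1"),   # outside cust-b's /25
    ("cust-b", "2001:db8:b::1", "2001:db8::1"),  # genuine cust-b IPv6 source
    ("cust-a", "10.0.0.1", "192.0.2.1"),         # private source, never valid here
    ("cust-a", "not-an-ip", "192.0.2.1"),        # malformed source
]


def build_permit(interface_prefixes):
    """Parse the per-interface prefix lists once and return a permit(iface, src) predicate."""
    table = {iface: [ipaddress.ip_network(p) for p in prefixes]
             for iface, prefixes in interface_prefixes.items()}

    def permit(iface, src):
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False                      # unparsable source: drop
        # ipaddress answers False when a v4 address is tested against a v6 network and vice versa
        return any(addr in net for net in table.get(iface, []))

    return permit


def filter_packets(permit, packets):
    """Split packets into (passed, dropped) and count drops per ingress interface."""
    passed, dropped, drops_by_iface = [], [], Counter()
    for iface, src, dst in packets:
        if permit(iface, src):
            passed.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops_by_iface[iface] += 1
    return passed, dropped, drops_by_iface


def run_sample():
    """Apply the constructed configuration to the constructed sample traffic."""
    return filter_packets(build_permit(INTERFACE_PREFIXES), SAMPLE_PACKETS)


if __name__ == "__main__":
    passed, dropped, drops = run_sample()
    for pkt in dropped:
        print("DROP spoofed/invalid source:", pkt)
    print("passed:", len(passed), "dropped:", len(dropped), "per interface:", dict(drops))
```

The per-interface drop counter is the detection side of the same control: a sudden rise in drops on one customer port is an early sign that forged-source traffic is originating there, even before anyone downstream complains.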
