IP address spoofing    IP fragmentation attack
network ID and subnet mask, uses IP address restriction. Access may then be either allowed or denied for each address or block of addresses. Another example is the Apache Web server, where access to Web content can be controlled by client IP address by configuring the .htaccess file on UNIX platforms.
IP address restriction is considered a weak form of access control because attackers may be able to circumvent such restrictions by spoofing the source addresses of IP packets. It should therefore be combined with authentication of the user or host rather than relied on as the only control.
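The allow-or-deny decision over addresses and blocks that the entry describes, as an added example in Python (not code from the original page or from Apache). The rule set and the policy (most specific matching rule wins, ties go to deny, no match means deny) are assumptions made for the illustration; the one point the code insists on is that the address evaluated must be the socket peer address, since a client-supplied header is as forgeable as a spoofed source.

```python
"""IP address restriction as an access-control list over single addresses
and CIDR blocks. Added example, not code from the original page; the rule
set below is constructed for illustration."""
import ipaddress

# Constructed rule set: (action, address or block). Policy: the most
# specific matching rule wins, a tie goes to deny, and an address that
# matches nothing is denied (default deny).
RULES = [
    ("allow", "192.0.2.0/24"),      # trusted office LAN
    ("deny",  "192.0.2.13"),        # one host on that LAN is excluded
    ("allow", "2001:db8:1::/48"),   # trusted IPv6 block
    ("deny",  "0.0.0.0/0"),         # explicit catch-all for IPv4
]


def compile_rules(rules):
    """Parse textual rules into (action, ip_network) pairs.
    strict=False accepts a block written with host bits set, e.g. 10.1.2.3/24."""
    compiled = []
    for action, net in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        compiled.append((action, ipaddress.ip_network(net, strict=False)))
    return compiled


def decide(client_ip, compiled):
    """Return ("allow" | "deny", matching rule or None) for client_ip.

    client_ip must be the address of the TCP peer as reported by the socket.
    A client-supplied header such as X-Forwarded-For is not a source address
    and is as easy to forge as a spoofed packet."""
    ip = ipaddress.ip_address(client_ip)
    best = None  # ((prefix length, is_deny), action, rule)
    for action, net in compiled:
        if ip.version != net.version or ip not in net:
            continue
        key = (net.prefixlen, action == "deny")  # longer prefix wins; deny wins ties
        if best is None or key > best[0]:
            best = (key, action, (action, str(net)))
    if best is None:
        return "deny", None
    return best[1], best[2]


def is_allowed(client_ip, compiled):
    """Boolean form of decide()."""
    return decide(client_ip, compiled)[0] == "allow"


if __name__ == "__main__":
    acl = compile_rules(RULES)
    for addr in ("192.0.2.7", "192.0.2.13", "198.51.100.9",
                 "2001:db8:1::5", "2001:db8:2::5"):
        print(addr, *decide(addr, acl))
```

Longest-prefix matching is what lets a single-host deny sit inside a permitted block without depending on rule order; a first-match policy would need the deny listed first.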
Notes
A related method of controlling access is domain name restriction, which restricts access based on the Domain Name System (DNS) domain to which the host trying to obtain access belongs. Because the domain is found by a reverse DNS lookup on the client's address, this method is no stronger than IP address restriction and additionally depends on DNS records the restricting site does not control.
See Also: access control, htaccess, IP address spoofing, Rlogin, spoofing
IP address spoofing
The process of falsifying the source Internet Protocol (IP) address of IP packets.
Overview
IP address spoofing (or simply, IP spoofing) is a method used by intruders to impersonate trusted systems. Routers generally ignore source IP addresses when forwarding packets and use only the destination address to deliver a packet, so nothing on the path checks that the source address belongs to the host that actually sent it. The result is that an attacker who forges IP packets containing source addresses of trusted systems may be able to circumvent router and firewall filtering and initiate denial of service (DoS) attacks, redirect traffic, or hijack sessions using man-in-the-middle (MITM) attacks. Replies to a spoofed packet go to the forged address rather than to the attacker, so blind spoofing is mainly useful for one-way traffic such as DoS flooding; redirecting traffic or hijacking a session additionally requires the attacker to be on the path or to predict TCP sequence numbers.
IP spoofing is especially a hazard on UNIX platforms running such applications as Rsh or Rlogin, which authenticate connections using the source IP addresses and host names stored in .rhosts files. IP address authentication is a weak form of authentication supported by many UNIX applications and should be replaced by authentication of the user, such as password authentication or, better, SSH with public-key authentication.
The standard approach for preventing IP spoofing attacks is to configure ingress filters on routers or firewalls to deny any traffic arriving on an external interface whose source address belongs to a trusted host on your internal network; the complementary egress filter drops traffic leaving your network whose source address is not one of your own. When an intrusion detection system (IDS) detects such traffic, there is a high probability that a spoofing attack is under way. Encrypting and authenticating traffic between routers and external hosts (for example, with IPsec) is another effective protection, because a forged packet fails the integrity check regardless of the source address it claims.
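The two halves of this entry side by side, as an added example (Python, not code from the original page): an IPv4 header built with a source address of the attacker's choosing, which parses as perfectly valid because nothing in the header ties the source field to the sender, followed by the ingress and egress filter that catches it. No packet is sent; the address plan (192.0.2.0/24 and 10.0.0.0/8 as "our" networks, plus a short bogon list) is constructed for the illustration.

```python
"""Forge an IPv4 header with a chosen source address, then apply the ingress
filter that catches it. Added example, not code from the original page;
nothing here is sent on the wire, and the address blocks are constructed."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # version/IHL, TOS, total length, ID, flags+offset,
                            # TTL, protocol, checksum, source, destination


def ip_checksum(data):
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, payload_len, proto=6, ttl=64, ident=0x1234):
    """Build a 20-byte IPv4 header. The source field is whatever the caller
    supplies: nothing in IP itself ties it to the host that sends the packet."""
    hdr = struct.pack(IPV4_FMT, (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(hdr):
    """Return (src, dst, proto, checksum_ok), as a router or IDS would read it.
    A spoofed header is well-formed: the checksum says nothing about who sent it."""
    fields = struct.unpack(IPV4_FMT, hdr[:20])
    src, dst, proto = fields[8], fields[9], fields[6]
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            proto, ip_checksum(hdr[:20]) == 0)   # a valid header sums to zero


# Constructed address plan: our own prefixes, and blocks that can never be a
# legitimate source on the Internet-facing interface.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "10.0.0.0/8")]
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]


def ingress_verdict(iface, src):
    """Anti-spoofing filter for a packet with source `src` arriving on `iface`.
    Returns (action, reason). Ingress: an external packet may not claim an
    internal source. Egress: a packet leaving must carry one of our addresses."""
    ip = ipaddress.ip_address(src)
    is_internal = any(ip in n for n in INTERNAL_NETS)
    if iface == "external":
        if is_internal:
            return "drop", "internal source on external interface: spoofed"
        if any(ip in n for n in BOGON_NETS):
            return "drop", "bogon source"
    elif iface == "internal" and not is_internal:
        return "drop", "source address is not ours: spoofed or misconfigured"
    return "accept", ""


if __name__ == "__main__":
    # Attacker on the Internet forges a packet "from" trusted host 192.0.2.10.
    hdr = build_ipv4_header("192.0.2.10", "192.0.2.20", payload_len=0)
    src, dst, proto, ok = parse_ipv4_header(hdr)
    print(f"{src} -> {dst} proto={proto} checksum_ok={ok}")
    print(ingress_verdict("external", src))
```

The checksum check passes for the forged header, which is the whole point: integrity of the bytes is not authenticity of the sender, and only the filter's knowledge of which interface a packet came in on exposes the forgery.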
Notes
Tools used by attackers to launch spoofing attacks include Dsniff, Hunt, Ipspoof, and Spoofit.
See Also: Dsniff, ingress filtering, rhosts, spoofing
IP fragmentation attack
An attack that uses fragmented Internet Protocol (IP) packets.
Overview
The IP standard supports fragmentation so that IP packets can traverse links with different maximum transmission units (MTUs), for example, when traveling between two local area networks (LANs) over a wide area network (WAN) connection. Fragmentation can also be used to attack IP hosts, however: by deliberately crafting fragmented IP packets, attackers may be able to circumvent firewall protection, hide traffic from intrusion detection systems (IDSs), or create denial of service (DoS) conditions that prevent legitimate users from accessing network services.
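A small fragment reassembler with the defenses that this entry goes on to describe, as an added example in Python (not code from the original page or from any firewall product): a bound on how many incomplete datagrams are held, a bound on fragments per datagram, and outright rejection of overlapping fragments. The fragment layout is the real one (8-byte offset units, More-Fragments flag, datagram identifier), but the fragments fed to it are constructed in the example; the floods and overlaps are the two attack shapes named later in the entry.

```python
"""IP fragment reassembly with the defenses the entry describes: a bound on
incomplete fragment sets, a bound on fragments per set, and rejection of
overlapping fragments. Added example, not code from the original page."""
from collections import OrderedDict


class Fragment:
    """One IP fragment: datagram ID, byte offset, More-Fragments flag, data."""
    __slots__ = ("ident", "offset", "more", "data")

    def __init__(self, ident, offset, more, data):
        if offset % 8:
            raise ValueError("fragment offset must be a multiple of 8 bytes")
        self.ident, self.offset, self.more, self.data = ident, offset, more, data


def fragment(ident, payload, max_data=8):
    """Split payload into fragments carrying at most max_data bytes each."""
    if max_data % 8:
        raise ValueError("max_data must be a multiple of 8")
    return [Fragment(ident, off, off + max_data < len(payload), payload[off:off + max_data])
            for off in range(0, len(payload), max_data)]


class Reassembler:
    def __init__(self, max_pending=64, max_frags_per_set=16):
        self.max_pending = max_pending            # incomplete datagrams kept at once
        self.max_frags_per_set = max_frags_per_set
        self.pending = OrderedDict()              # ident -> {"frags": [], "total": None}
        self.dropped = []                         # (ident, reason): what an IDS would log

    def _drop(self, ident, reason):
        self.pending.pop(ident, None)
        self.dropped.append((ident, reason))
        return None

    def feed(self, frag):
        """Accept one fragment; return the reassembled payload once complete, else None."""
        entry = self.pending.get(frag.ident)
        if entry is None:
            if len(self.pending) >= self.max_pending:
                # A flood of forged initial fragments evicts the oldest set
                # instead of growing the table until memory runs out.
                old, _ = self.pending.popitem(last=False)
                self.dropped.append((old, "evicted: pending limit"))
            entry = self.pending[frag.ident] = {"frags": [], "total": None}
        start, end = frag.offset, frag.offset + len(frag.data)
        # Teardrop-style overlap: refuse rather than guess which bytes win.
        if any(start < f.offset + len(f.data) and f.offset < end for f in entry["frags"]):
            return self._drop(frag.ident, "overlapping fragment")
        if len(entry["frags"]) >= self.max_frags_per_set:
            return self._drop(frag.ident, "too many fragments")
        if not frag.more:
            if entry["total"] is not None:
                return self._drop(frag.ident, "second final fragment")
            entry["total"] = end
        total = entry["total"]
        if total is not None and any(f.offset + len(f.data) > total for f in entry["frags"] + [frag]):
            return self._drop(frag.ident, "data beyond final fragment")
        entry["frags"].append(frag)
        return self._complete(frag.ident, entry)

    def _complete(self, ident, entry):
        if entry["total"] is None:
            return None
        pos = 0
        frags = sorted(entry["frags"], key=lambda f: f.offset)
        for f in frags:
            if f.offset != pos:
                return None                        # hole: still waiting
            pos += len(f.data)
        if pos != entry["total"]:
            return None
        del self.pending[ident]
        return b"".join(f.data for f in frags)


if __name__ == "__main__":
    r = Reassembler(max_pending=4)
    payload = bytes(range(40))
    out = None
    for f in reversed(fragment(1, payload, 16)):   # arrival out of order
        out = r.feed(f)
    print("reassembled:", out == payload)
    r.feed(Fragment(2, 0, True, b"A" * 16))
    r.feed(Fragment(2, 8, False, b"B" * 16))       # overlaps bytes 8..15
    for i in range(100):                           # forged initial fragments
        r.feed(Fragment(1000 + i, 0, True, b"x" * 8))
    print("pending:", len(r.pending), "dropped:", len(r.dropped))
```

The `dropped` list is the part worth wiring into detection: a burst of "evicted: pending limit" entries from one peer is a fragment flood, and any "overlapping fragment" entry is never produced by a well-behaved IP stack.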
Early forms of fragmentation attacks were able to circumvent firewall restrictions because firewall products either did not apply their rules until fragmented packets had been reassembled or applied them only to the first fragment, which carries the TCP or UDP header, and passed later fragments unchecked. Because reassembly buffers are held until a datagram completes, firewall products were also found to be vulnerable to DoS attack: continually sending them large numbers of forged initial fragments that are never completed consumes the firewall's internal resources. Tools used to initiate such attacks included Jolt2, Teardrop (which sends overlapping fragments), and Nmap (whose -f option fragments its probes). Most firewall vendors have since modified their products to protect against such attacks, typically by limiting the number and age of incomplete fragment sets and by rejecting overlapping or undersized fragments. A tool called Fragrouter can
153