SeedLab4: IP/ICMP Attacks Lab

The steps of this lab are very clear; I like it~

  • IP fragmentation mechanism & attack
  • ICMP redirect attack
  • Reverse path filtering & protection

Task 1

Task 1A

Nothing tricky here: copy the code and send three IP fragments.

You can change the offset for the last two. The MF (more fragments) flag of the last fragment should be set to 0.

When the destination host captures the packets, you can see that once it has received all fragments of a datagram, it reassembles them into a complete UDP datagram.

Task 1B

As I taught in the previous class, IP fragmentation attacks (Teardrop,
but now the system is optimized, there are fewer

1

First, the first two fragments are required to partially overlap, here with K=8.

The underlying principle: when the offsets of two IP fragments overlap, the system calculates the number of overlapping bytes K, moves the data pointer of the second fragment forward by K bytes (skipping its overlapping prefix), and appends the remaining content after the first fragment. The overlapping part of the second fragment is therefore ignored.

The code is posted as a screenshot in the original. The packet capture also shows that the overlapping part of fragment B is simply ignored:

2

Then the second fragment is entirely contained within the first fragment (this is the principle of Teardrop).

Same as before: the second fragment is swallowed entirely.

As for sending 1 first and 2 later versus sending 2 first and 1 later, what's the difference, folks... In the IP protocol, even if fragments arrive out of order they are kept in the reassembly cache rather than discarded, so they are reassembled into the same result.
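To make the reassembly rules from Task 1A and 1B concrete (fragments buffered even when out of order, the overlapping K bytes of a later fragment ignored, a fully enclosed fragment swallowed), here is a toy reassembler written for this post; it is an added example, not the lab's code or the kernel's. The datagram keys, the 48-byte payload and the fragment shapes are constructed, and offsets are given in bytes rather than the 8-byte units used on the wire.

```python
"""Toy IPv4 fragment reassembler (added example; not the lab's code).

Models the behaviour described in the notes: fragments are queued per
datagram key, out-of-order fragments are buffered rather than dropped, and
where a fragment overlaps data already received, the overlapping bytes of
the new fragment are ignored (the overlap K). A fragment that contributes no
new bytes at all (the Teardrop shape, one fragment fully inside another) is
reported as "swallowed". Offsets are in bytes for readability; on the wire
the fragment offset field is in 8-byte units.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Fragment:
    offset: int      # byte offset of this fragment's data in the datagram
    mf: bool         # More Fragments flag; False on the last fragment
    data: bytes


@dataclass
class Result:
    complete: Optional[bytes]   # reassembled datagram once every byte is present
    overlapped: int             # bytes of this fragment ignored because of overlap
    swallowed: bool             # True when the whole fragment was ignored


@dataclass
class _Queue:
    buf: Dict[int, int] = field(default_factory=dict)   # byte position -> value
    total_len: Optional[int] = None                      # known once MF=0 arrives


class Reassembler:
    def __init__(self) -> None:
        self.queues: Dict[str, _Queue] = {}

    def add(self, key: str, frag: Fragment) -> Result:
        q = self.queues.setdefault(key, _Queue())
        overlapped = 0
        for i, value in enumerate(frag.data):
            pos = frag.offset + i
            if pos in q.buf:          # an earlier fragment already owns this byte
                overlapped += 1
                continue
            q.buf[pos] = value
        if not frag.mf:
            q.total_len = frag.offset + len(frag.data)
        complete = None
        if q.total_len is not None and all(p in q.buf for p in range(q.total_len)):
            complete = bytes(q.buf[p] for p in range(q.total_len))
            del self.queues[key]      # reassembly finished, free the queue
        return Result(complete, overlapped, overlapped == len(frag.data))


def run_scenarios() -> dict:
    """Replays the fragment shapes from Task 1A/1B with a constructed payload."""
    payload = bytes(range(48))                       # constructed 48-byte payload
    normal = [Fragment(0, True, payload[:16]),
              Fragment(16, True, payload[16:32]),
              Fragment(32, False, payload[32:])]

    r = Reassembler()
    in_order = [r.add("A->B id=1", f) for f in normal][-1].complete

    r = Reassembler()                                # same fragments, last one first
    out_of_order = [r.add("A->B id=2", f) for f in reversed(normal)][-1].complete

    r = Reassembler()                                # partial overlap, K = 8
    r.add("A->B id=3", Fragment(0, True, payload[:16]))
    second = r.add("A->B id=3", Fragment(8, True, b"B" * 16))
    partial = r.add("A->B id=3", Fragment(24, False, b"C" * 8)).complete

    r = Reassembler()                                # second fragment inside the first
    r.add("A->B id=4", Fragment(0, True, payload[:24]))
    inner = r.add("A->B id=4", Fragment(8, True, b"X" * 8))
    teardrop = r.add("A->B id=4", Fragment(24, False, b"C" * 8)).complete

    return {
        "in_order": in_order,
        "out_of_order": out_of_order,
        "partial": partial,
        "partial_k": second.overlapped,
        "teardrop": teardrop,
        "inner_swallowed": inner.swallowed,
    }


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(name, value)
```

Running it shows the in-order and reversed deliveries producing the identical datagram, the partially overlapping fragment contributing only its last 8 bytes (its first K=8 bytes are dropped), and the enclosed fragment contributing nothing. An IDS that reassembles fragments the same way a host does uses exactly the `overlapped` and `swallowed` counters as its signal for overlap-based evasion and Teardrop-style traffic.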

Task 1C

Emm, this one is the entire large packet.

Note that ip.len and udp.len need to be calculated; otherwise an error is reported when the length exceeds the limit.

Let's take a look at the capture: because of the MTU limit, there are 45 fragments in total.

Task 1D

At first glance this is the classic DoS: directly send only the second fragment (non-zero offset). After receiving the second fragment, the destination host allocates a 64 KB memory buffer, starts a timer, and waits for the other fragments; when subsequent fragments arrive, their data is copied into the buffer for reassembly. If a large number of such packets are received within the timer's lifetime, the host's memory is quickly exhausted, forming a DoS attack.

(However, now that the system has been hardened, this should not succeed...)
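The reason this no longer works is the bounded reassembly cache: each incomplete datagram holds memory only until its timer runs out, and total memory is capped, so a flood of never-completed fragments evicts itself instead of exhausting the host. The simulation below is an added example written for this post, not the lab's code or the kernel's; it mirrors the knobs Linux exposes as `net.ipv4.ipfrag_time`, `net.ipv4.ipfrag_high_thresh` and `net.ipv4.ipfrag_low_thresh`, but the threshold values, timeout, fragment size and send rate are constructed.

```python
"""Toy bounded fragment-reassembly cache (added example; not the lab's code).

Each incomplete datagram holds buffer memory until a reassembly timer expires
(cf. net.ipv4.ipfrag_time). Total memory is capped: when the high-water mark
(cf. ipfrag_high_thresh) is exceeded, the oldest incomplete queues are evicted
down to the low-water mark (cf. ipfrag_low_thresh). All sizes, timings and
thresholds here are constructed values, not kernel defaults.
"""
from collections import OrderedDict
from typing import Dict, Tuple


class FragmentCache:
    """Memory accounting for incomplete datagrams with timeout and thresholds."""

    def __init__(self, high_thresh: float, low_thresh: float, timeout: float) -> None:
        self.high, self.low, self.timeout = high_thresh, low_thresh, timeout
        # key -> (created_at, bytes held); insertion order doubles as age order
        self.queues: "OrderedDict[str, Tuple[float, int]]" = OrderedDict()
        self.mem = 0          # bytes currently held by incomplete datagrams
        self.peak_mem = 0
        self.evicted = 0      # queues dropped because the cache was full
        self.expired = 0      # queues dropped because their timer ran out

    def _drop(self, key: str) -> None:
        _, held = self.queues.pop(key)
        self.mem -= held

    def expire(self, now: float) -> None:
        """Free every queue whose reassembly timer has run out (oldest first)."""
        for key, (created, _) in list(self.queues.items()):
            if now - created < self.timeout:
                break                      # queues are ordered by creation time
            self._drop(key)
            self.expired += 1

    def add_fragment(self, key: str, now: float, size: int) -> None:
        self.expire(now)
        created, held = self.queues.get(key, (now, 0))
        self.queues[key] = (created, held + size)   # existing keys keep their position
        self.mem += size
        self.peak_mem = max(self.peak_mem, self.mem)
        if self.mem > self.high:
            # Over the high-water mark: evict the oldest queues down to the low mark.
            while self.mem > self.low and self.queues:
                self._drop(next(iter(self.queues)))
                self.evicted += 1


def simulate_flood(n_datagrams: int, frag_size: int = 1480,
                   bounded: bool = True) -> Dict[str, float]:
    """Replays Task 1D: one non-first fragment per datagram id, never completed."""
    if bounded:
        cache = FragmentCache(high_thresh=64 * 1024, low_thresh=48 * 1024, timeout=30.0)
    else:
        cache = FragmentCache(float("inf"), float("inf"), timeout=30.0)
    for i in range(n_datagrams):
        cache.add_fragment(f"id={i}", now=i * 0.001, size=frag_size)  # 1000 frags/s
    live = len(cache.queues)
    cache.expire(now=n_datagrams * 0.001 + 30.0)   # let every timer run out
    return {"peak_mem": cache.peak_mem, "live_before_expiry": live,
            "evicted": cache.evicted, "expired": cache.expired,
            "mem_after_expiry": cache.mem}


if __name__ == "__main__":
    print("unbounded:", simulate_flood(1000, bounded=False))
    print("bounded:  ", simulate_flood(1000))
```

Without the cap, 1000 single fragments pin about 1.4 MB until the 30-second timer clears them, and the number grows linearly with the attacker's rate; with the cap, memory never exceeds the high-water mark plus one fragment no matter how many fragments arrive, which is why the attack described above no longer exhausts a current system.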

Task 2

Configure the environment step by step. When constructing the ICMP redirect packet, ip.src is the gateway (disguised as the default gateway) and ip.dst is the victim host; icmp.gw is the attacking host; ip2.src is the victim host and ip2.dst is host B.

Take a look at the capture: the Redirect shows up clearly, and the traffic is indeed routed through the attacking host.

Q1

Try it with a remote host (not a host in the subnet). Of course, it doesn't work; when something is wrong, it falls back to the default gateway.

Q2

Try again with a host that does not exist in the subnet.

Same result: when something is wrong, the default gateway is used.
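From the defender's side, the fields listed in Task 2 and the results of Q1 and Q2 translate directly into checks a host or IDS can apply to every Redirect it sees: the new gateway must lie on the subnet the Redirect arrived on (a host is required to discard it otherwise, which is what Q1 shows), the embedded datagram must have been sent by the host being redirected, and a new gateway that is not a known router on the link is the signature of the attack. The parser and checker below are an added example written for this post, not the lab's code; the addresses (victim 10.9.0.5, real gateway 10.9.0.11, attacking host 10.9.0.105, host B 192.168.60.5) are constructed stand-ins, and the sample packets are built locally as fixtures rather than captured.

```python
"""ICMP Redirect parser and sanity checker (added example; not the lab's code).

Parses the raw IPv4+ICMP bytes of a Redirect (type 5), verifies the ICMP
checksum, extracts the advertised gateway and the embedded original src/dst,
and applies the checks a defender cares about. All addresses are constructed;
the fixtures are built locally, nothing is sent.
"""
import ipaddress
import struct
from typing import Dict, List, Optional


def _csum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 over a valid packet."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", _csum(hdr)) + hdr[12:]
    return hdr + payload


def redirect_fixture(ip_src: str, ip_dst: str, new_gw: str,
                     orig_src: str, orig_dst: str) -> bytes:
    """Constructed capture stand-in: Redirect (type 5, code 1 = host) carrying
    the IP header plus 8 bytes of the datagram that supposedly triggered it."""
    original = _ipv4(orig_src, orig_dst, 17, b"\0" * 8)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.IPv4Address(new_gw).packed) + original
    icmp = icmp[:2] + struct.pack("!H", _csum(icmp)) + icmp[4:]
    return _ipv4(ip_src, ip_dst, 1, icmp)


def parse_redirect(pkt: bytes) -> Optional[Dict[str, str]]:
    """Return the Redirect's fields, or None if this is not a valid Redirect."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1:                                  # protocol field: not ICMP
        return None
    icmp = pkt[ihl:]
    if icmp[0] != 5 or len(icmp) < 28 or _csum(icmp) != 0:
        return None                                  # not a Redirect, or corrupt
    inner = icmp[8:]                                 # embedded original IP header
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "new_gw": str(ipaddress.IPv4Address(icmp[4:8])),
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }


def assess(pkt: bytes, local_net: str, routers: List[str]) -> List[str]:
    """Findings a host or IDS should raise for one Redirect."""
    info = parse_redirect(pkt)
    if info is None:
        return ["not a well-formed ICMP redirect"]
    net = ipaddress.IPv4Network(local_net)
    findings = []
    if info["src"] not in routers:
        findings.append("sender %s is not a known router" % info["src"])
    if info["orig_src"] != info["dst"]:
        findings.append("embedded datagram was not sent by the redirected host")
    if ipaddress.IPv4Address(info["new_gw"]) not in net:
        findings.append("new gateway %s is off-link: discard (RFC 1122)" % info["new_gw"])
    elif info["new_gw"] not in routers:
        findings.append("new gateway %s is not a known router" % info["new_gw"])
    return findings or ["ok: redirect to %s via %s" % (info["orig_dst"], info["new_gw"])]


def run_scenarios() -> Dict[str, List[str]]:
    """Constructed addresses: victim 10.9.0.5, gateway 10.9.0.11,
    attacking host 10.9.0.105, host B 192.168.60.5 (stand-ins, not the lab's)."""
    net, routers = "10.9.0.0/24", ["10.9.0.11", "10.9.0.12"]
    victim, gw, attacker, host_b = "10.9.0.5", "10.9.0.11", "10.9.0.105", "192.168.60.5"
    cases = {
        "task2_attack": redirect_fixture(gw, victim, attacker, victim, host_b),
        "q1_remote_gw": redirect_fixture(gw, victim, host_b, victim, host_b),
        "q2_absent_gw": redirect_fixture(gw, victim, "10.9.0.99", victim, host_b),
        "legit": redirect_fixture(gw, victim, "10.9.0.12", victim, host_b),
    }
    return {name: assess(pkt, net, routers) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, findings in run_scenarios().items():
        print(name, findings)
```

The spoofed source address defeats the "sender is a router" check, as the notes say, so the check that actually catches the Task 2 packet is the one on the advertised gateway: a real router never redirects traffic to a plain host. The Q1 case is flagged as off-link (and a compliant host discards it on its own), while the Q2 case looks valid to a passive observer because nobody can tell from the packet that 10.9.0.99 does not exist; the victim only finds out when ARP fails and it falls back to the default gateway.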

Task 3

Set up the environment carefully as described~

Task 3B

A adds a route to B, and B adds a route to A.

A can ping/telnet B, no problem.

B is fine too.

Task 3B

Then comes reverse path filtering.

1

Spoofing a source address in the same subnet works fine. The route from host A to host B is set to 192.168.60.1 in Task 3B, and the default gateway of host A is also 192.168.60.1, so the packets sent to the external-network address 10.0.2. are routed via the same address and are not dropped.

B captured it.

R also captured it (on both network cards, one in and one out).

2

Spoofing a source address in B's subnet does not work. The route from host A to host B is set to 192.168.60.1 in Task 3B, and 192.168.60.3 is in the same subnet as host B, so the packets sent would not go through the default gateway; reverse path filtering detects that the interface on which the packet arrived differs from the one it would be sent back out on, and the packet is discarded.

So B can't capture it; R only sees it arrive, without forwarding.

3

Spoofing an external-network source address also works. The route from host A to host B is set to 192.168.60.1 in Task 3B, and the default gateway of host A is also 192.168.60.1, so the packets sent to the external-network address 1.2.3.4 are routed via the same address and are not dropped.

B captured it.

R also captured both (one in and one out).
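The three outcomes above all follow from one rule: strict reverse path filtering looks up the route back to the packet's source address and forwards only if that route leaves through the interface the packet arrived on. The simulation below is an added example written for this post, not the lab's configuration or the kernel's implementation; router R's two interfaces, its prefixes (10.9.0.0/24 on eth0, 192.168.60.0/24 on eth1, default route out eth0) and the spoofed sources are constructed so that each case maps onto one of the three experiments. The mode names follow the real Linux knob `net.ipv4.conf.<interface>.rp_filter` (1 = strict, 2 = loose).

```python
"""Strict vs. loose reverse path filtering on a toy router (added example;
not the lab's configuration). For each packet arriving on an interface the
router looks up the route back to the packet's *source* address by longest
prefix match. Strict mode (rp_filter=1) forwards only if that route leaves
through the ingress interface; loose mode (rp_filter=2) only requires that
some route to the source exists. Interfaces and prefixes are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]    # (prefix, egress interface)


class Router:
    def __init__(self, routes: List[Tuple[str, str]]) -> None:
        self.routes: List[Route] = [(ipaddress.IPv4Network(p), iface) for p, iface in routes]

    def lookup(self, addr: str) -> Optional[str]:
        """Egress interface for addr by longest prefix match, or None."""
        ip, best = ipaddress.IPv4Address(addr), None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def rp_filter(self, src: str, ingress: str, mode: int = 1) -> bool:
        """True if the packet passes the reverse path check, False if dropped."""
        back = self.lookup(src)
        if back is None:
            return False                 # no route to the source at all
        if mode == 1:                    # strict: must come back out the same way
            return back == ingress
        return True                      # loose (2) or off (0): any route suffices


def simulate() -> Dict[str, Dict[str, bool]]:
    """Router R: eth0 faces A's LAN, eth1 faces B's LAN, default route via eth0.
    Every test packet arrives on eth0 (from A's side) with a spoofed source."""
    r = Router([("10.9.0.0/24", "eth0"),
                ("192.168.60.0/24", "eth1"),
                ("0.0.0.0/0", "eth0")])
    cases = {
        "spoof_same_subnet_as_A": "10.9.0.99",    # case 1: route back is eth0
        "spoof_B_subnet": "192.168.60.3",          # case 2: route back is eth1
        "spoof_external": "1.2.3.4",               # case 3: default route, eth0
    }
    return {
        "strict": {name: r.rp_filter(src, "eth0", mode=1) for name, src in cases.items()},
        "loose": {name: r.rp_filter(src, "eth0", mode=2) for name, src in cases.items()},
    }


if __name__ == "__main__":
    for mode, results in simulate().items():
        print(mode, results)
```

Under strict mode only the B-subnet spoof is dropped, exactly as in the second experiment, because the route back to 192.168.60.3 points out eth1 while the packet came in on eth0; the external address passes because R's default route leaves through the same interface the packet arrived on. The loose result shows the trade-off: it would have let that same packet through, which is why strict mode is the setting that actually stops this spoof and loose mode is only a fallback for asymmetric routing.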


No experts to thank here, just thanks to SeedLab for the tutorial; it is really clear.
❀.( ´▽` )❀

Reference material:
https://www.cnblogs.com/rookieDanny/p/13224619.html


Origin blog.csdn.net/Rachel_IS/article/details/109038384