[Information Security]-Network layer security issues

Abstract: This article discusses the security issues of three protocols at the network layer. For the ARP protocol, because a computer processes every ARP response message it receives and updates its own ARP cache table, an attacker can use this vulnerability to launch a man-in-the-middle attack, or use an address conflict to make the target host unable to connect to the Internet. For the IP protocol, because the IP source address is unreliable, attackers can use this vulnerability to launch flying blind attacks and use the source routing mechanism to launch man-in-the-middle attacks. This vulnerability can be prevented by unicast reverse path verification. For the ICMP protocol, a smurf attack can be launched by using the echo message, and a host's route can be changed by using the route redirection message.

Table of Contents

ARP protocol

The security problem of ARP protocol: ARP spoofing

Security issues of the IP protocol: IP address spoofing

ICMP protocol

Security Issues of ICMP Protocol


ARP protocol

Function: the protocol that resolves an IP address to a hardware (MAC) address

ARP cache table: stores the correspondence between the IP address and hardware address of each host on the LAN

ARP process:

  • When the sender does not know the hardware address of the target device, it broadcasts an ARP request on its network, and every device on that network receives it
  • When a device receives an ARP request that matches its own IP address, it returns an ARP response packet to the sender, which contains its own hardware address
  • When the sender receives the ARP response, it puts the entry mapping the target device's IP address to its hardware address into its own ARP cache
  • Afterwards, when sending data packets to the target device again, the sender only needs to look up the entry in the cache table

What if the destination IP address is not on this network?

The sender looks up the MAC address of the gateway router

What if the communicating parties have not sent data to each other for a period of time?

The entries in the ARP cache table are cleared, which keeps the ARP table small (the "aging mechanism")

What if no one responds to the sender's ARP request after a period of time?

The sender will try again several times, after which the host returns an error report to the user

Three commands for the ARP cache table

arp -a: view the contents of the cache table

arp -d: delete the contents of the cache table

arp -s: manually specify the correspondence between IP and MAC

The security problem of ARP protocol: ARP spoofing

Vulnerability: When a computer on the LAN receives any ARP response packet, it updates its ARP cache

Attack method: A forged ARP reply packet, whose purpose is to change the IP-MAC entry in the victim's ARP cache.

1. Man-in-the-middle attack: The attacker eavesdrops on the communication between normal users through ARP spoofing. In the figure below, the attacker forges the MAC address of C and the MAC address of A, intercepts the data packets sent between A and C, and successfully launches a man-in-the-middle attack.

2. Address conflict attack: The attacker uses ARP spoofing to cut off the victim's network access. The attacker forges a random MAC address in ARP responses, causing a MAC address conflict so that traffic cannot be forwarded.
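The cache behaviour described above can be modelled to show why it is exploitable and what a receiving host can check. This is an added example, not code from the original article; the `ArpCache` class, its `strict` flag and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ArpCache:
    strict: bool = False                        # False = behaviour described in the article
    table: dict = field(default_factory=dict)    # ip -> mac
    pending: set = field(default_factory=set)    # IPs we have sent a request for
    alerts: list = field(default_factory=list)

    def send_request(self, ip):
        self.pending.add(ip)

    def on_reply(self, ip, mac):
        solicited = ip in self.pending
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"conflict: {ip} is {old}, reply claims {mac}")
        if not solicited:
            self.alerts.append(f"unsolicited reply for {ip} from {mac}")
            if self.strict:
                return False                    # hardened: ignore replies never asked for
        self.pending.discard(ip)
        self.table[ip] = mac                    # naive: any reply overwrites the entry
        return True

# Constructed sample traffic seen by one host
GATEWAY_IP = "192.168.1.1"
EVENTS = [
    ("request", GATEWAY_IP, None),
    ("reply", GATEWAY_IP, "aa:aa:aa:aa:aa:01"),  # answer to our own request
    ("reply", GATEWAY_IP, "de:ad:be:ef:00:02"),  # forged reply, never requested
]

def replay(strict):
    cache = ArpCache(strict=strict)
    for kind, ip, mac in EVENTS:
        if kind == "request":
            cache.send_request(ip)
        else:
            cache.on_reply(ip, mac)
    return cache

if __name__ == "__main__":
    for mode in (False, True):
        c = replay(mode)
        print("strict" if mode else "naive", c.table, c.alerts)
```

A static entry set with `arp -s`, listed above, has the same effect for a single address such as the gateway: dynamic replies no longer overwrite it.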


Security issues of the IP protocol: IP address spoofing

Vulnerability: The IP source address is unreliable. The attacker uses the IP address of another computer to trick the destination computer into accepting a connection, in order to obtain information or privileges.

1. Flying blind attack: The attacker uses a fake IP address to send data packets to the target host, but does not receive any returned data packets. This is called a flying blind attack, or one-way attack, because the attacker can only send data packets to the victim and will not receive any response packets.

2. The attacker is inserted into the data transmission path: because of the dynamic routing mechanism, this is more difficult to implement.

Therefore, the attacker can use the source routing mechanism (the user of source routing can specify some or all of the routers that the data packet passes through along the way) and fill in their own IP address in the list of mandatory addresses.

Prevention: Unicast reverse path verification. When the router receives a data packet on port X, it looks up the source IP of the data packet in the routing table. If no match is found, the packet is judged to be an IP spoofing attack and is discarded.
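The reverse path check can be written out as a longest-prefix lookup on the source address. This added example is not from the original article and goes slightly beyond it by separating the two common modes: loose (any route back to the source is enough) and strict (the route back must leave through the port the packet arrived on). The routing table and interface names are constructed.

```python
import ipaddress

# Constructed routing table: (prefix, outgoing interface)
ROUTES = [
    ("10.1.0.0/16", "eth1"),
    ("10.2.0.0/16", "eth2"),
    ("0.0.0.0/0", "eth0"),      # default route toward the upstream network
]
NO_DEFAULT = ROUTES[:2]         # same router without a default route

def lookup(src, routes):
    """Longest-prefix match on the source address; returns an interface or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def urpf_accept(src, in_iface, routes, strict=True):
    """Return True if a packet with source `src` arriving on `in_iface` passes."""
    iface = lookup(src, routes)
    if iface is None:
        return False            # no route back to the source: discard
    if strict:
        return iface == in_iface  # route back must use the arrival port
    return True                 # loose mode: any matching route is enough

if __name__ == "__main__":
    # Source 10.1.5.5 belongs behind eth1; seeing it on eth2 indicates spoofing.
    print(urpf_accept("10.1.5.5", "eth1", ROUTES))                 # True
    print(urpf_accept("10.1.5.5", "eth2", ROUTES))                 # False
    print(urpf_accept("10.1.5.5", "eth2", ROUTES, strict=False))   # True
    print(urpf_accept("203.0.113.9", "eth1", NO_DEFAULT, strict=False))  # False
```

With a default route installed, every source address matches some route, so the loose check alone rejects nothing in this table; the strict comparison against the arrival port is what catches the spoofed packet.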


ICMP protocol

ICMP function: provides error messages when IP packets cannot be transmitted

ICMP applications:

ping (determine whether the device can communicate);

traceroute (query the path taken by the sender to the receiver);

Guess the host type (TTL<64, the server may be Linux);

Route redirection (when the host's current route is not the best one, the default gateway tells the host to optimize its own route for sending packets)

Security Issues of ICMP Protocol

1. Smurf attack: The attacker forges a large number of ICMP echo request packets whose source address is the IP address of the victim and whose destination address is the broadcast address of the network segment where the victim is located. As a result, all hosts on the network respond to these requests with ICMP replies, flooding the victim host and causing network congestion.

2. Route redirection attack: An ICMP redirect message is how a router provides real-time routing information to a host. When a host receives an ICMP redirect message, it updates its routing table based on this information. Because the necessary legitimacy checks are missing, a hacker who wants the attacked host to modify its routing table can send it an ICMP redirect message, and the host will modify the routing table according to the hacker's requirements.
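The missing legitimacy checks can be made concrete. The sketch below is an added example, not code from the original article: a host-side redirect handler that applies the two checks recommended by RFC 1122 (the sender must be the current first hop for that destination, and the new gateway must be on the local subnet). The `HostRoutes` class and all addresses are constructed.

```python
import ipaddress

class HostRoutes:
    """Minimal host routing state: one local subnet, a default gateway, host routes."""

    def __init__(self, iface_net, default_gw):
        self.net = ipaddress.ip_network(iface_net)
        self.default_gw = ipaddress.ip_address(default_gw)
        self.host_routes = {}    # destination -> gateway learned from redirects

    def first_hop(self, dst):
        return self.host_routes.get(ipaddress.ip_address(dst), self.default_gw)

    def on_redirect(self, sender, dst, new_gw, validate=True):
        sender = ipaddress.ip_address(sender)
        new_gw = ipaddress.ip_address(new_gw)
        if validate:
            # Check 1: only the router we currently use for dst may redirect us.
            if sender != self.first_hop(dst):
                return "drop: sender is not the current first hop"
            # Check 2: the suggested gateway must be directly reachable.
            if new_gw not in self.net:
                return "drop: new gateway is not on the local subnet"
        self.host_routes[ipaddress.ip_address(dst)] = new_gw
        return "accepted"

if __name__ == "__main__":
    DST = "198.51.100.7"         # constructed destination
    weak = HostRoutes("192.168.1.0/24", "192.168.1.1")
    print(weak.on_redirect("192.168.1.66", DST, "192.168.1.66", validate=False))
    print(weak.first_hop(DST))   # route now points at the redirect's sender

    host = HostRoutes("192.168.1.0/24", "192.168.1.1")
    print(host.on_redirect("192.168.1.66", DST, "192.168.1.66"))
    print(host.on_redirect("192.168.1.1", DST, "192.168.1.254"))
```

Both checks rely on the sender address in the packet, which the IP spoofing section above shows is unreliable, so hosts that do not need redirects are often configured to ignore them entirely.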


Origin blog.csdn.net/qq_39328436/article/details/115119347