Open API Gateway Practice (II)

How to simulate a lightweight replay attack against an open API gateway, and how to defend against it

Article Address: blog.piaoruiqing.com/blog/2019/0...

Foreword

The previous article, "Open API Gateway Practice (I)", mentioned in its interface design two parameters, timestamp and nonce, whose role is to defend against replay attacks. This article discusses the two questions raised there:

  • What is a replay attack
  • How to defend against replay attacks

What is a replay attack (Replay Attack)

First, an example of what "replay" means:

Open the browser developer tools, visit a website, find a request in the Network panel, right-click it and choose Replay, as shown:

Chrome replay request

The replay operation above is a commonly used debugging technique: it lets us skip the process of generating authentication information and directly re-send a valid request several times.

A replay attack (also known as a rebroadcast or playback attack) is a common form of attack in which the attacker re-sends data that the destination host has already received, in order to deceive the system. It is mainly used against the identity authentication process and undermines the validity of authentication.

A more intuitive example:

  • The server provides a payment interface. User A sends the server a request to pay $5 (signed and encrypted); the server receives the data and correctly pays $5 to user B.
  • This request is intercepted by an attacker (quite possibly user B himself (¯ ▽ ¯)"). The attacker sends the request to the server unchanged, and the server incorrectly pays user B again and again. (This assumes, of course, that the payment service has taken no countermeasures on its side and offers only a low level of security.)
  • Although A's request is signed and encrypted, B does not need to crack the data at all; simply repeating the same data to the server achieves the deception.

Replay attack

Simulating a replay attack

Experiment equipment

No.  Name         Quantity  Remark
1    Server       2         10.33.30.101 - real server
                            10.33.30.100 - fake server
2    Domain name  1         replay-test.piaoruiqing.com (resolves to 10.33.30.101)
3    DNS server   1         Used to simulate DNS hijacking

Experimental Procedure

  1. Start the server, send a request to the interface and receive the response data.
  2. Hijack DNS (simulated by changing the DNS server address on the router) and intercept the request data.
  3. Re-send the intercepted data to the server (the replay attack).

Process record

Preparation

Configure DNS so that the domain replay-test.piaoruiqing.com points to the intranet server's IP, then start the server.

DNS

Normal request

Use Postman to send a normal request; its signature is generated in the Pre-request Script.

Pre-request script

Intercepting data through DNS hijacking

Modify the dnsmasq configuration on the network so that replay-test.piaoruiqing.com points to the fake server 10.33.30.100.

DNS hijacking

DNS hijacking

Now a request to replay-test.piaoruiqing.com is sent to the fake server (10.33.30.100); save the request data manually. Because the request is signed and the attacker does not have the private key, the request cannot be tampered with, but it can still be replayed. The figure shows that the fake server has successfully received the request data:

Intercept data

[Copyright]
This article is published on Pu Ruiqing's blog. Non-commercial reproduction is allowed, but reprints must retain the original author, Pu Ruiqing, and the link blog.piaoruiqing.com. For authorization enquiries or cooperation, please contact by e-mail: piaoruiqing@gmail.com.

Replaying the request

Using the data saved in the previous step, send the request (including its signature) directly to the real server, as shown:

Replay

In fact, signatures, encryption and similar means do not protect against replay attacks: the request data the attacker intercepted is itself valid, so even without breaking its contents, replaying the original data to the server achieves the deception.

How to defend against replay attacks

From Baidu Encyclopedia:

  1. Adding a random number (nonce): The advantage of this method is that the two authenticating parties need no time synchronization; both sides remember the random numbers already used, and if a packet is found to carry a previously used random number, it is judged to be a replay attack. The disadvantage is that the used random numbers must be stored additionally; if they are recorded for a long period, the storage and lookup overhead is large.

  2. Adding a timestamp: The advantage of this method is that no additional information needs to be stored. The disadvantage is that the authenticating parties need accurate time synchronization; the better the synchronization, the less likely an attack. But when the system is very large and spans a wide region, accurate time synchronization is not easy to achieve.

  3. Adding a sequence number: Both parties add a steadily increasing integer to the messages; as soon as a packet with a discontinuous sequence number (too large or too small) is received, a replay threat is detected. The advantage of this method is that no time synchronization is needed and less information is stored than with the random number approach. The disadvantage is that once an attacker decrypts a message successfully, the sequence number is obtained, and the authenticating end can be deceived by incrementing the sequence number each time.

In practice, methods 1 and 2 are often combined: within the timestamp's validity period, check whether the random number already exists; requests outside the validity period are discarded.

Replay attack defense practice

We adopt the timestamp + nonce approach to implement a simple replay-attack interceptor. The timestamp and the nonce complement each other: within the valid time range, a replayed request is recognized by checking whether its nonce is already present in the cache (the cache validity equals the valid time range); once the cache entry has expired, the timestamp alone is enough to reject the request as a replay. The flow is shown in the figure:

Replay attack defense

The code is as follows:

import java.text.MessageFormat;
import java.time.Duration;
import java.util.logging.Level;

import javax.annotation.PostConstruct;
import javax.annotation.Resource;

import org.apache.commons.lang3.ObjectUtils;
import org.springframework.data.redis.core.ReactiveStringRedisTemplate;
import org.springframework.data.redis.core.ReactiveValueOperations;
import org.springframework.web.server.ServerWebExchange;
import org.springframework.web.server.WebFilterChain;
import reactor.core.publisher.Mono;

// ATTRIBUTE_OPEN_API_REQUEST_BODY, KEY_REPLAY_NONCE, effectiveTimeRange, LOGGER,
// FORBIDDEN and the fail(...) helpers are defined in the gateway's base filter class
// and are not repeated here.

@Resource
private ReactiveStringRedisTemplate reactiveStringRedisTemplate;

private ReactiveValueOperations<String, String> reactiveValueOperations;

@PostConstruct
public void postConstruct() {
    reactiveValueOperations = reactiveStringRedisTemplate.opsForValue();
}

@Override
protected Mono<Void> doFilter(ServerWebExchange exchange, WebFilterChain chain) {
    // ATTRIBUTE_OPEN_API_REQUEST_BODY was stored by the preceding filter
    OpenApiRequest<String> body
        = exchange.getRequiredAttribute(ATTRIBUTE_OPEN_API_REQUEST_BODY);
    if (!ObjectUtils.allNotNull(body, body.getTimestamp(), body.getNonce())) {
        return fail(exchange);
    }
    long gmt = System.currentTimeMillis();
    // (一) reject timestamps outside [now - effectiveTimeRange, now + effectiveTimeRange]
    if (gmt + effectiveTimeRange < body.getTimestamp() ||
        gmt - effectiveTimeRange > body.getTimestamp()) {
        return fail(exchange);
    }
    // (二) record the nonce with SET NX; an existing key means this request was seen before
    return reactiveValueOperations.setIfAbsent(MessageFormat.format(
            KEY_REPLAY_NONCE, body.getAppId(), body.getNonce()),
            String.valueOf(System.currentTimeMillis()),
            Duration.ofMillis(effectiveTimeRange * 2L))
        .log(LOGGER, Level.FINE, true)
        .flatMap(approved -> approved ?
                 chain.filter(exchange) : fail(FORBIDDEN, exchange)
            );
}

  • (一): A request whose timestamp falls outside the valid time range is rejected.
  • (二): The cache entry's expiry equals the valid time span (twice effectiveTimeRange, because the window extends both before and after the current time); if the nonce already exists in the cache, the request is rejected.
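To make the experiment above and the two checks (一) and (二) reproducible offline, here is an added Python re-implementation of the same timestamp + nonce filter; it is not the gateway's Java code from the article. The signing scheme (HMAC-SHA256 over appId, timestamp, nonce and payload), the demo secret, the key format and the 5-minute effectiveTimeRange are assumptions for the example, and an in-memory dictionary stands in for the Redis setIfAbsent call. It also goes one step beyond the article by showing why the cache TTL must be twice the range: a client whose clock is ahead by the full range is accepted now, and its nonce must stay cached until the timestamp check alone can reject a replay.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed demo secret; a real gateway keeps per-appId secrets server-side.
APP_SECRETS = {"demo-app": b"constructed-demo-secret"}
# Assumed value for the article's effectiveTimeRange, in milliseconds.
EFFECTIVE_TIME_RANGE_MS = 5 * 60 * 1000


@dataclass
class OpenApiRequest:
    app_id: str
    timestamp: int      # client clock, ms since epoch
    nonce: str
    payload: str
    signature: str = ""


def sign(req: OpenApiRequest, secret: bytes) -> str:
    """Assumed scheme: HMAC-SHA256 over every field that must not be tampered with."""
    msg = f"{req.app_id}|{req.timestamp}|{req.nonce}|{req.payload}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_request(app_id: str, payload: str, now_ms: int) -> OpenApiRequest:
    """Client side (what the Postman pre-request script does): fresh nonce, then sign."""
    req = OpenApiRequest(app_id, now_ms, secrets.token_hex(16), payload)
    req.signature = sign(req, APP_SECRETS[app_id])
    return req


class NonceCache:
    """In-memory stand-in for Redis setIfAbsent with expiry (SET key value NX PX ttl)."""

    def __init__(self) -> None:
        self._expiry: dict[str, int] = {}

    def set_if_absent(self, key: str, ttl_ms: int, now_ms: int) -> bool:
        for k in [k for k, exp in self._expiry.items() if exp <= now_ms]:
            del self._expiry[k]          # emulate Redis key expiry
        if key in self._expiry:
            return False
        self._expiry[key] = now_ms + ttl_ms
        return True


class ReplayFilter:
    def __init__(self, cache: NonceCache, range_ms: int = EFFECTIVE_TIME_RANGE_MS) -> None:
        self.cache = cache
        self.range_ms = range_ms

    def check(self, req: OpenApiRequest, now_ms: int) -> tuple[bool, str]:
        """Return (accepted, reason); mirrors checks (一) and (二) of the article's filter."""
        secret = APP_SECRETS.get(req.app_id)
        if secret is None or not hmac.compare_digest(sign(req, secret), req.signature):
            return False, "bad signature"
        # (一) reject timestamps outside [now - range, now + range]
        if req.timestamp > now_ms + self.range_ms or req.timestamp < now_ms - self.range_ms:
            return False, "timestamp out of range"
        # (二) nonce must be unseen; TTL is 2 * range, as in the article's setIfAbsent call
        key = f"open-api:replay:{req.app_id}:{req.nonce}"   # assumed key format
        if not self.cache.set_if_absent(key, 2 * self.range_ms, now_ms):
            return False, "nonce already used"
        return True, "ok"


def simulate_replay(range_ms: int = 1000) -> list[str]:
    """Re-run the article's experiment: one real request, then replays of the captured bytes."""
    gateway = ReplayFilter(NonceCache(), range_ms)
    t0 = 1_700_000_000_000                       # constructed fixed clock (ms)
    captured = build_request("demo-app", "transfer 5 to B", t0)
    results = [
        gateway.check(captured, t0)[1],                    # ok: first delivery
        gateway.check(captured, t0 + 10)[1],               # nonce already used
        gateway.check(captured, t0 + range_ms)[1],         # still cached
        gateway.check(captured, t0 + 2 * range_ms + 1)[1], # timestamp out of range
    ]
    # Attacker refreshes the timestamp to get back inside the window: signature no longer matches.
    tampered = OpenApiRequest(captured.app_id, t0 + 2 * range_ms + 1, captured.nonce,
                              captured.payload, captured.signature)
    results.append(gateway.check(tampered, t0 + 2 * range_ms + 1)[1])   # bad signature
    return results


def skewed_client_needs_double_ttl(range_ms: int = 1000) -> list[str]:
    """Client clock ahead by the full range: accepted now, so the nonce must survive 2 * range."""
    gateway = ReplayFilter(NonceCache(), range_ms)
    t0 = 1_700_000_000_000
    req = build_request("demo-app", "transfer 5 to B", t0 + range_ms)
    return [
        gateway.check(req, t0)[1],                     # ok: within +range
        gateway.check(req, t0 + 2 * range_ms - 1)[1],  # nonce already used (still cached)
        gateway.check(req, t0 + 2 * range_ms + 1)[1],  # timestamp out of range
    ]
```

With a TTL of only one range, the second call in skewed_client_needs_double_ttl would find the nonce already evicted while the timestamp is still inside the window, and the replay would be accepted; the 2× TTL closes that gap exactly where the timestamp check takes over.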

Epilogue

Key points of replay attack defense:

  • Record an identifier of each accepted request in a cache and check it on arrival, rejecting repeats: the nonce is stored in the cache, and a request carrying the same nonce is rejected.
  • The nonce approach alone can make the cache grow without bound, so it is filtered with a timestamp: requests outside the valid time range are rejected outright, and only nonces within that range need to be cached.

Replay attacks are a common and effective means of attack whose harm cannot be ignored. Although data correctness can be guaranteed at the business level, replays still impose unnecessary overhead on the system, so filtering replayed requests at the gateway layer is a good choice.

If this article helped you, please give it a like (¯ ▽ ¯)"


Origin juejin.im/post/5d4fc705f265da03a6530896