There are so many vulnerabilities in tcp/ip protocol?
2022-06-26 15:10:00 【BOGO】
According to the analysis report on China's Internet network security monitoring data for the first half of 2020, network attacks such as malware command-and-control servers and denial-of-service (DDoS) attacks have continued unabated. Today, network attacks have become one of the main threats to network information security and to business information security.
A network attack is the act of attacking the software, hardware and data of a network system by exploiting the loopholes and security defects of the network. TCP/IP is the basic protocol suite of the network, and its original design did not anticipate that the network would face so many threats, which has led to many attack methods. Because all communication in the network is carried in packets, automatically capturing, decoding and analyzing those packets makes it possible to quickly discover and trace network attacks.
The TCP/IP protocol
The industry generally divides the TCP/IP protocol stack into four layers: the link layer, the network layer, the transport layer and the application layer.
- The link layer handles the transmission of data over the physical medium (Ethernet, Token Ring, etc.) and is implemented by the network card interface and its network driver;
- The network layer, built on the IP protocol, is the core of the whole stack; its main function is to route and forward packets, and it implements Internet interconnection and congestion control;
- The transport layer provides end-to-end communication for applications between hosts; this layer defines two protocols, TCP and UDP;
- The application layer's main function is to handle application logic such as file transfer, name lookup and network management; its protocols include FTP (file transfer) and HTTP (hypertext transfer), which run over TCP, and DNS (domain name service), which runs over UDP.
TCP/IP Protocol model hierarchy diagram
Because the TCP/IP protocol suite has four layers, and each layer has different functions and protocols, the attack methods against each protocol layer are also different. Attacks on the link layer mainly consist of physically damaging network hardware and infrastructure or forcibly changing router routes. IP and ARP are the two most important protocols in the network layer, and attacks against the network layer mainly include IP fragmentation attacks and ARP spoofing. TCP and UDP are the two most important protocols in the transport layer, so there are many attacks on the transport layer, including DoS attacks. The application layer has the most protocols in the whole stack, so the number of attacks against this layer is extremely large; common ones include DNS spoofing.
ARP attack
ARP(Address Resolution Protocol, Address resolution protocol ), Put the network host's IP Address resolution into MAC Address , Each host device has a ARP cache (ARP Cache), By checking your own ARP cache , Then judge ( If there is , You can map directly ; If there is no , You can broadcast ARP Request package );
Then check the target in the packet IP Address with their own IP The address is consistent , If the same , Can send ARP Respond to , inform MAC Address ;
When the source node receives ARP After responding to the packet , Can get the target host IP Address and MAC Add address pair mapping table entries to your own ARP In cache .
How the ARP protocol works
An ARP attack achieves ARP spoofing by forging IP and MAC addresses, and a large volume of ARP traffic can also congest the network. The attacker only needs to keep sending forged ARP reply packets to alter the IP-MAC entries in the target host's ARP cache, causing a network interruption or a man-in-the-middle attack; this is why ARP attacks are often called ARP spoofing.
Although ARP attacks can only be carried out on Ethernet and the bar to mounting one is very low, their impact is huge: for example disconnection attacks, bandwidth throttling and account theft. Network operations staff can adopt ARP defense mechanisms, for example deploying port mirroring on the switch and capturing suspicious packets for analysis, and can combine this with technologies such as DHCP snooping and IP source guard to keep the network secure.
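The defensive side of the ARP section, as an added example that is not part of the original post: a simplified ARP spoofing detector of the kind that would sit behind a mirrored switch port. It learns each IP's MAC from the first ARP reply it sees and raises an alert when a later reply claims the same IP with a different MAC (the cache-poisoning pattern described above), or when one MAC sends an unusual number of replies in a short window (the traffic-flooding pattern). All addresses, timestamps and packet records are constructed for the example; the threshold and window values are assumptions, not tuned defaults.

```python
"""Added example (not from the original post): a simplified ARP spoofing detector.
All packet records below are constructed; no real capture is involved."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture timestamp in seconds (constructed)
    sender_ip: str     # IP address the sender claims to own
    sender_mac: str    # MAC address advertised for that IP


class ArpMonitor:
    """Tracks IP->MAC bindings and reports conflicting or flooding replies."""

    def __init__(self, flood_threshold=20, window=1.0):   # assumed tuning values
        self.bindings = {}                 # ip -> MAC learned from the first reply
        self.recent = defaultdict(deque)   # mac -> timestamps of recent replies
        self.flood_threshold = flood_threshold
        self.window = window

    def observe(self, reply):
        alerts = []
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
        elif known != reply.sender_mac:
            # A second MAC claiming an IP we already know is the poisoning signature.
            alerts.append(f"conflict: {reply.sender_ip} was {known}, now {reply.sender_mac}")
        # Sliding-window count of replies per MAC; a burst looks like flooding.
        stamps = self.recent[reply.sender_mac]
        stamps.append(reply.ts)
        while stamps and stamps[0] < reply.ts - self.window:
            stamps.popleft()
        if len(stamps) > self.flood_threshold:
            alerts.append(f"flood: {reply.sender_mac} sent {len(stamps)} replies in {self.window}s")
        return alerts


def analyze(replies, **kwargs):
    """Run the monitor over a sequence of replies and collect every alert."""
    monitor = ArpMonitor(**kwargs)
    return [alert for reply in replies for alert in monitor.observe(reply)]


GATEWAY_IP = "192.168.1.1"               # constructed addresses
GATEWAY_MAC = "aa:aa:aa:aa:aa:01"
ROGUE_MAC = "bb:bb:bb:bb:bb:02"

# Constructed trace: the real gateway answers, a host answers, then a second
# MAC repeatedly claims the gateway's IP, which is what poisoning looks like.
SAMPLE_TRACE = [
    ArpReply(0.0, GATEWAY_IP, GATEWAY_MAC),
    ArpReply(0.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    ArpReply(1.0, GATEWAY_IP, ROGUE_MAC),
] + [ArpReply(2.0 + i * 0.01, GATEWAY_IP, ROGUE_MAC) for i in range(25)]


if __name__ == "__main__":
    for line in analyze(SAMPLE_TRACE):
        print(line)
```

On the constructed trace every rogue reply produces a conflict alert, and the burst trips the flood rule once more than twenty replies from the rogue MAC fall inside one second. In production the first-seen binding should be seeded from a trusted source (the switch's DHCP snooping table or a static list) rather than from whichever reply arrives first.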
DoS attack
TCP is a stream-based, connection-oriented, reliable communication protocol; it can reduce the bandwidth overhead caused by retransmission when network conditions are poor.
Specifically, establishing a TCP connection takes three steps, each of which involves both the sender and the receiver, commonly called the "three-way handshake": the sender sends a SYN packet and enters the SYN_SENT state, indicating the server port it intends to connect to and its initial sequence number, and waits for the receiver to confirm;
the receiver receives the SYN packet, sends a SYN-ACK to confirm the sender, and enters the SYN_RECV state; the sender receives the SYN-ACK and sends an ACK to the receiver, and the connection between the two sides is established.
TCP three-way handshake
Because TCP is a connection-oriented transmission control protocol, the main purpose of a DoS attack is to make the user's host or network unable to receive or process external requests. For example, by generating a large amount of useless data to congest the network, so that the attacked host cannot communicate with the outside world;
by exploiting defects in connection handling, sending the same service request over and over, so that the host cannot process other requests properly;
or by exploiting protocol defects, repeatedly sending attack data that consumes host or system resources and causes a crash.
Simply put, a DoS (Denial of Service) attack usually floods the local system with packets, disrupting or severely hindering the local services that respond to legitimate external requests, and may crash the local system.
SYN flood attacks are the most common type of DoS attack. The attacker spoofs the source IP address and sends TCP connection requests to the local system;
the local system replies SYN-ACK to the spoofed address, never receives an RST message and never receives an ACK reply, so the connection stays half-open until resources are exhausted. Attackers send connection requests faster than the TCP timeout releases resources, and by repeating the connection requests they leave the local service unable to accept other connections.
The best way to deal with a SYN flood is a good preventive strategy: use network performance management tools to automatically filter suspicious packets, shorten the SYN timeout, and enable SYN cookies, which set a cookie for each request; if repeated SYN messages are received from one IP address in a short time, this is treated as an attack and that IP address is discarded.
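The SYN cookie mechanism named above, modelled in Python as an added example that is not part of the original post: the server keeps no per-connection state for a half-open connection; instead it encodes the handshake into the initial sequence number of its SYN-ACK and recovers that state from the final ACK, so a flood of SYNs with spoofed sources consumes no memory. The layout (a 5-bit time counter, a 3-bit MSS index and a 24-bit keyed hash) follows the classic SYN cookie design; the secret, the MSS table, the counter period and all addresses are constructed for the example.

```python
"""Added example (not from the original post): SYN cookies in Python.
Secret, addresses and table values are constructed for the example."""
import hashlib
import hmac

SECRET = b"constructed-demo-secret"   # a real stack draws this at random per boot
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values the 3-bit index can name (assumed)
COUNTER_PERIOD = 64                   # seconds per tick of the time counter (assumed)
MASK32 = 0xFFFFFFFF


def _counter(now):
    """5-bit time counter so old cookies expire after roughly two ticks."""
    return int(now // COUNTER_PERIOD) & 0x1F


def _mac24(src, dst, sport, dport, counter):
    """24-bit keyed hash binding the cookie to the 4-tuple and time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def make_cookie(src, dst, sport, dport, client_mss, now):
    """Build the SYN-ACK sequence number; nothing is stored on the server."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):   # largest table entry <= client's MSS
        if mss <= client_mss:
            idx = i
    counter = _counter(now)
    return ((counter << 27) | (idx << 24) | _mac24(src, dst, sport, dport, counter)) & MASK32


def check_cookie(cookie, src, dst, sport, dport, now):
    """Validate a cookie recovered from the client's ACK; return the MSS or None."""
    counter = (cookie >> 27) & 0x1F
    idx = (cookie >> 24) & 0x7
    tag = cookie & 0xFFFFFF
    # Accept only the current tick and the previous one; older cookies are stale.
    if (_counter(now) - counter) & 0x1F > 1:
        return None
    # A forged or tampered ACK fails the keyed hash without the secret.
    if tag != _mac24(src, dst, sport, dport, counter):
        return None
    return MSS_TABLE[idx]


def server_handshake(client_ip, client_port, server_ip, server_port, client_mss, now):
    """Walk the three-way handshake with cookies; returns the negotiated MSS."""
    # 1. SYN arrives; the server answers with seq = cookie and keeps no state.
    synack_seq = make_cookie(client_ip, server_ip, client_port, server_port, client_mss, now)
    # 2. A genuine client acknowledges seq + 1 (mod 2^32); a spoofed source never does.
    client_ack = (synack_seq + 1) & MASK32
    # 3. On the ACK the server derives cookie = ack - 1 and verifies it.
    return check_cookie((client_ack - 1) & MASK32, client_ip, server_ip,
                        client_port, server_port, now)


if __name__ == "__main__":
    print("negotiated MSS:", server_handshake("10.0.0.5", 40000, "10.0.0.1", 80, 1460, 1000.0))
```

The trade-off the page's advice implies is visible in the code: because the server remembers nothing between SYN and ACK, the cookie can only carry a coarse MSS and no other TCP options, which is why real stacks enable cookies only once the backlog fills rather than for every connection.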
DNS attack
The IP protocol carries packets from the source device to the destination device, relying on IP addresses and IP routers. An IP address is machine language and usually long, so although IP addresses are unique they are inconvenient to remember and use; on this basis people invented DNS. DNS (Domain Name System) domain names are usually short, both readable and practical. Because domain names correspond one-to-one to IP addresses, when surfing the Internet you only need to enter the domain name in the address bar and the system resolves the domain name directly, translating it into an IP address.
After a domain name lookup, the domain name server keeps a record of the domain name; each record contains the domain name and its IP address. If an address on the DNS server is deliberately modified, the address users are directed to can be manipulated at will; this behavior is called "domain name hijacking". The perpetrator of "domain name hijacking" is the domain name server provider, so the effective way to solve this problem is to abandon or replace the domain name server.
Besides "domain name hijacking", another common DNS attack is called "domain name pollution" or "domain name spoofing". When a computer sends a "domain name query" to the domain name server, the DNS server sends the response back to the computer; sending the request and receiving the answer is a process with a time gap in the middle, and a network attacker sends a forged, incorrect response to the computer before the real answer arrives, so the computer ends up with a wrong IP.
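How a resolver defends against the forged early answer described above, as an added example that is not part of the original post: a response is accepted only if its transaction ID and destination port match a query that is still pending, its question section matches, and it arrives from the server the query was sent to; anything else is logged and dropped, and once a query is answered any further copy is treated as unsolicited. The resolver class, the upstream address and every message are constructed for the example; real resolvers add further checks (bailiwick rules, DNSSEC validation) that are not modelled here.

```python
"""Added example (not from the original post): response validation in a stub resolver.
Addresses, transaction IDs and answers below are constructed."""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsMessage:
    txid: int          # 16-bit transaction ID
    port: int          # resolver's UDP port: source on the query, destination on the response
    qname: str
    qtype: str
    answer: str = ""   # rdata carried by a response (empty on a query)
    src_ip: str = ""   # address a response arrived from (empty on a query)


class Resolver:
    def __init__(self, upstream="198.51.100.53"):   # constructed upstream address
        self.upstream = upstream
        self.pending = {}   # (txid, port) -> (qname, qtype) for queries awaiting an answer
        self.cache = {}     # (qname, qtype) -> answer
        self.alerts = []

    def send_query(self, qname, qtype="A"):
        """Random ID plus random source port: a forger has to guess both."""
        txid = secrets.randbelow(1 << 16)
        port = 1024 + secrets.randbelow(65536 - 1024)
        self.pending[(txid, port)] = (qname, qtype)
        return DnsMessage(txid, port, qname, qtype)

    def receive(self, resp):
        """Return True if the response is accepted into the cache."""
        key = (resp.txid, resp.port)
        expected = self.pending.get(key)
        if expected is None:
            # Wrong ID/port, or a query already answered: never consult it.
            self.alerts.append(f"no pending query matches id {resp.txid:#06x} "
                               f"for {resp.qname} from {resp.src_ip}")
            return False
        if (resp.qname, resp.qtype) != expected or resp.src_ip != self.upstream:
            self.alerts.append(f"mismatched response for {resp.qname} from {resp.src_ip}")
            return False
        del self.pending[key]          # first valid answer wins; later copies are rejected
        self.cache[expected] = resp.answer
        return True


def demo():
    """Constructed exchange: two forged early answers, the genuine one, then a late copy."""
    r = Resolver()
    q = r.send_query("example.com")
    wrong_id = DnsMessage((q.txid + 1) & 0xFFFF, q.port, q.qname, q.qtype,
                          answer="203.0.113.66", src_ip="203.0.113.9")
    wrong_src = DnsMessage(q.txid, q.port, q.qname, q.qtype,
                           answer="203.0.113.66", src_ip="203.0.113.9")
    genuine = DnsMessage(q.txid, q.port, q.qname, q.qtype,
                         answer="192.0.2.10", src_ip=r.upstream)
    late_copy = DnsMessage(q.txid, q.port, q.qname, q.qtype,
                           answer="203.0.113.66", src_ip=r.upstream)
    results = [r.receive(m) for m in (wrong_id, wrong_src, genuine, late_copy)]
    return results, r.cache, r.alerts


if __name__ == "__main__":
    accepted, cache, alerts = demo()
    print(accepted, cache)
    for line in alerts:
        print("alert:", line)
```

Only the genuine answer lands in the cache; the three rejected messages each leave an alert line, which is the signal a monitoring tool would count to detect a poisoning attempt in progress.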
In the face of network attacks, we need to raise security awareness, maintain systems actively and responsibly, and strengthen firewall settings; network attacks can also be traced by analyzing packets.
Through network data capture and decoding analysis, the most subtle changes in the network can be observed, and configuring effective alerts on the characteristic values or behaviors of network attacks makes it possible to quickly locate attacks in the network.
Network performance management tools with security protection functions can also be used, for example Tiandan network performance management (NPM), which supports automatic analysis of suspicious packets such as TCP port scans, ARP attacks and DoS attacks, raises alarms automatically, and ensures the normal transmission and use of data.