Sieciowy atak na Nowy Ekran

Nowy Ekran padł ofiarą ataku TCP spoofing

Zacznę od końca:

kto używa Linux może obronić się przed atakiem na NE za pomocą reguły iptables (firewall systemowy):

iptables -A INPUT -s 199.189.249.113 -p tcp –tcp-flags RST RST -j DROP

   lub – jeśli używamy innych reguł – aby wstawić naszą na początek łańcucha:

iptables -I INPUT 1 -s 199.189.249.113 -p tcp –tcp-flags RST RST -j DROP

Trochę teorii:

http://tools.ietf.org/html/rfc4953

Network Working Group                                          J.  Touch
Request for Comments: 4953                                       USC/ISI
Category: Informational                                        July 2007

                 Defending TCP Against Spoofing Attacks

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   Recent analysis of potential attacks on core Internet infrastructure
   indicates an increased vulnerability of TCP connections to spurious
   resets (RSTs), sent with forged IP source addresses (spoofing).  TCP
   has always been susceptible to such RST spoofing attacks, which were
   indirectly protected by checking that the RST sequence number was
   inside the current receive window, as well as via the obfuscation of
   TCP endpoint and port numbers.  For pairs of well-known endpoints
   often over predictable port pairs, such as BGP or between web servers
   and well-known large-scale caches, increases in the path bandwidth-
   delay product of a connection have sufficiently increased the receive
   window space that off-path third parties can brute-force generate a
   viable RST sequence number.  The susceptibility to attack increases
   with the square of the bandwidth, and thus presents a significant
   vulnerability for recent high-speed networks.  This document
   addresses this vulnerability, discussing proposed solutions at the
   transport level and their inherent challenges, as well as existing
   network level solutions and the feasibility of their deployment.
   This document focuses on vulnerabilities due to spoofed TCP segments,
   and includes a discussion of related ICMP spoofing attacks on TCP
   connections.

Tak wygląda to w praktyce. Czerwone linie to pakiety TCP RST wysyłane przez sabotażystę. Z punktu widzenia naszej przeglądarki odpowiada to mniej więcej takiej wymianie "uprzejmości":

– Przeglądarka: czy mogę zobaczyć stronę główną?
– Sabotażysta (głosem NE): spier…