I. Analysis of IP address theft methods
IP addresses are stolen in various ways; the common methods are as follows:
1、Static modification of IP address
In any TCP/IP implementation, the IP address is a mandatory item of user configuration. If a user, when configuring or modifying the TCP/IP settings, enters an IP address other than the one assigned by the authorized authority, IP address theft has occurred. Because an IP address is a logical address, a value that the user has to set, there is no way to stop users from statically modifying it unless a DHCP server assigns addresses, and that in turn raises other administrative problems.
2、Paired modification of IP and MAC addresses
Many organizations now use static routing technology to counter static modification of IP addresses. Against static routing, IP theft has taken a further step: modifying the IP and MAC addresses as a pair. The MAC address is the hardware address of the device; for the Ethernet we commonly use, it is the address of the computer's network interface card (NIC). The MAC address of every NIC must be unique among all Ethernet devices: it is assigned by the IEEE, burned into the NIC, and normally cannot be changed at will. However, some compatible NICs sold today allow the MAC address to be changed with the NIC's configuration program. If one computer's IP address and MAC address are both changed to those of another, legitimate host, static routing technology is powerless.
In addition, for NICs whose MAC address cannot be modified directly, users can change the MAC address in software, that is, by modifying the underlying network software so that the upper-layer network software is deceived.
3、Dynamic modification of IP address
For a skilled attacker, it is not very difficult to write programs that send and receive packets on the network directly, bypassing the upper-layer network software, and to change the IP address (or the IP-MAC address pair) dynamically to achieve IP spoofing.
II. Prevention techniques
Network engineers have adopted various techniques to prevent IP theft. The more common ones today follow the layered structure of TCP/IP and use different methods at different layers to prevent IP address theft.
1、Switch-based port control
The most thorough solution to the IP address problem is to use switches for control, i.e., control at layer 2 of TCP/IP: the switch's ports run in single-address mode, so each switch port admits only one host to the network through that port and denies access to a host with any other address. The biggest drawback of this solution is that every host on the network must be attached to a switch port, which is not universally practical today while switches remain relatively expensive.
2、Router isolation
The router isolation approach rests on the premise that the MAC address, as the Ethernet card address, is globally unique and cannot be changed. The ARP table of each router on the campus network is scanned regularly over SNMP to obtain the current IP-to-MAC mapping, which is compared with the legal IP and MAC addresses registered in advance; any entry that does not match is treated as illegal access. Illegal access can be stopped in several ways, such as:
a. Overwrite illegal IP-MAC table entries with the correct IP-to-MAC address mapping;
b. Send ICMP unreachable spoof packets to illegally accessed hosts to interfere with their data delivery;
c. Modify the router’s access control list to disable illegal access.
Another way to implement router isolation is to use static ARP tables, where the mapping of IP to MAC addresses in the router is not obtained by ARP, but by using static settings. In this way, when the IP address and MAC address of the illegal access do not match, the frames forwarded by the router according to the correct static settings will not reach the illegal host.
Router isolation technology handles IP address theft fairly well, but it can do nothing when the illegal user attacks its theoretical basis by modifying the IP and MAC addresses as a pair, since the stolen pair then matches the registered one.
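The check at the core of router isolation, as an added example that is not part of the original article: ARP entries as collected from a router are compared against the registered IP-MAC bindings. The registration list and the ARP dump below are constructed sample data; the example also shows why a host that clones both addresses of a legitimate host passes the audit unnoticed.

```python
# Added example (not from the original article): audit a router ARP table
# against registered IP-MAC bindings, as the router isolation method does.

# Legal IP -> MAC bindings registered in advance (constructed sample data).
REGISTERED = {
    "10.1.1.10": "00:1a:2b:3c:4d:10",
    "10.1.1.11": "00:1a:2b:3c:4d:11",
    "10.1.1.12": "00:1a:2b:3c:4d:12",
}

# Text dump of a router ARP table, one "ip mac" pair per line (constructed).
ARP_DUMP = """\
10.1.1.10 00:1a:2b:3c:4d:10
10.1.1.11 00:AA:BB:CC:DD:EE
10.1.1.12 00:1a:2b:3c:4d:12
10.1.1.99 00:1a:2b:3c:4d:12
10.1.1.50 00:de:ad:be:ef:50
"""

def parse_arp(dump):
    """Return a list of (ip, mac) tuples; MACs are normalised to lower case."""
    entries = []
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        entries.append((parts[0], parts[1].lower()))
    return entries

def audit(entries, registered):
    """Classify every ARP entry. Returns {ip: verdict} with verdict one of:
    'ok'                   IP and MAC match the registration
    'mac-mismatch'         registered IP seen with another MAC (static IP change)
    'unknown-ip-known-mac' unregistered IP, but the MAC belongs to a registered host
    'unknown-ip'           neither the IP nor the MAC is registered
    A host that copies BOTH addresses of a registered host is reported 'ok':
    the audit has no information that distinguishes it from the legitimate one.
    """
    mac_to_ip = {mac: ip for ip, mac in registered.items()}
    verdicts = {}
    for ip, mac in entries:
        if ip in registered:
            verdicts[ip] = "ok" if registered[ip] == mac else "mac-mismatch"
        elif mac in mac_to_ip:
            verdicts[ip] = "unknown-ip-known-mac"
        else:
            verdicts[ip] = "unknown-ip"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(audit(parse_arp(ARP_DUMP), REGISTERED).items()):
        print(ip, verdict)
```

In practice the dump would come from the router's ARP table via SNMP rather than from an embedded string; the comparison logic is the same.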
3、Firewall and proxy server
IP address theft can also be handled well by combining a firewall with a proxy server: the firewall isolates the internal network from the external network, and users reach the external network through the proxy server. This approach moves the IP theft problem up to the application layer, turning IP management into management of user identities and passwords, because what users ultimately want from the network is its applications. The advantage of this arrangement is that a stolen IP address can only be used inside the subnet, so the theft loses its point: a legitimate user can access external resources through the proxy from any IP host, while an unauthorized user lacks the identity and password needed for the external network even after stealing an IP.
The disadvantages of firewalls and proxy servers are equally obvious. Access to the external network through a proxy server is not transparent to users, which makes their work more cumbersome; in addition, managing users becomes a problem with very large user populations (e.g. the students of a university).