IMCAFS

Home

on hijacking in the internet

Posted by deaguero at 2020-03-27
all

PS: whether the content in the uncertain article will be hijacked in the harmonious Internet can be understood as that the response content of the normal user's request is tampered with before the response is returned, or the request content of the normal user is illegally obtained to replace the request. Whether it's an individual or a company, hijacking will happen more or less, from ARP attacks to link hijacking of carriers to g * f * W of China. The author works in an Internet company, only according to some of the situations encountered to talk about, deep and wide content can only let more experience to talk about, for the content of this article also welcome you to clap bricks.

1、 DNS hijack

Figure 1 was originally thought to be a poison attack on the operator's DNS. However, with the in-depth analysis, it is found that in the affected areas, the IP returned by recursion to 13 root DNS servers is not only a simple poison attack on the operator's DNS. And we're looking at 61.49.43.2 This IP is also analyzed and found to be a reverse proxy server of nginx. When users visit our business, they insert a section of JS code into the returned page. The function is to obtain the user and password in the user input box before the user logs in (the transmission password of the business itself is encrypted), and then submit it to a page of this server. Finally, resume the normal login of users. The whole process is almost unaffected by users. At the same time, we also found that this business of other Internet companies will be affected. If we directly resolve the domain names of similar businesses of other companies to this IP, we found that the inserted code will change according to the business, which is very targeted. Even Gmail has an impact. Here is the inserted JS code:

Finally, the problem was solved not because we found the cause of the problem, but because of our feedback to "relevant departments", the hijacking stopped.

2、 Link hijacking

3、 ARP attack

Figure four It can be seen from the screenshot that, like the previous link layer hijacking, the user receives two response packets, which are also hijacked according to TTL. However, from TTL, it is different from the hijacking of the previous operators. The normal packet TTL is 46, while the hijacked packet TTL is 110. Generally speaking, the server will not change the default TTL value. The default TTL for Linux is 64, and the default TTL for windows is 128. From packet grabbing The difference between the TTL in and the default TTL is 18. We infer that the hijacking happened in the partner's computer room. For the same C segment, the attack server should be a Windows Server. Feed back the problem to the partners, let them and contact the computer room for processing, and the final result is that there is a Windows Server in the same C segment to continuously carry out ARP attacks.

Four, summary

In fact, there is no good summary. Whether it's individuals or enterprises, we can only try to do our best. What we can't control is always uncontrollable. Just as life is like rape, if you can't resist, you can only enjoy it silently. Over~!