FIREWALL & SECURITY :- DHTTP

DHTTP imposes requirements on firewalls similar to those of many other protocols. In particular, the firewall must open a limited-time “hole” to the client UDP and TCP ports specified in a DHTTP request, so that the DHTTP response can get through. Modern firewalls already provide this functionality for other protocols and are capable of maintaining the necessary state from previous requests.
If interception proxies are allowed to use their true IP addresses, the firewall must let packets with an arbitrary source IP address through the hole to the client ports. This is a deviation from existing firewalls, which only allow incoming packets from the IP address matching the destination IP address of the request packet that opened the hole. Learning this IP address, however, requires an attacker to be able to intercept request packets. Even if the attacker succeeds in intercepting request packets, it still has to learn the correct client port number to get through the firewall, and it has only a short time to guess the port before the hole closes. To complicate port guessing, a client using DHTTP in the clear can change its port numbers frequently, choosing a different random port number each time. Second, even if the attacker guesses the port number in time and gets through the firewall, the client would discard its packets because they will not carry a valid request ID. The probability of guessing the 8-byte request ID within that time window is very small.
While many OS kernels appear to allocate the lowest available port numbers, changing this to random allocation is straightforward. Guessing a random request ID can be safely dismissed as a threat; learning the correct request ID would again require intercepting the request.
A potential denial-of-service attack on the client machine, flooding it with packets containing wrong request IDs, could inflict only limited damage because a guessed port remains valid only for the duration of the current hole. Current Web servers are much easier targets (because they have a permanent hole for incoming connections to a well-known port) and more enticing ones for these attacks. The attacker can also attempt a SYN attack against a DHTTP server by sending DHTTP requests for large objects to arbitrary other DHTTP servers with the attacked server’s IP address as the source address. A simple defense against such an attack is to allocate non-overlapping port number ranges to DHTTP servers and clients, allowing servers to discard SYN packets addressed to client ports.
Both DHTTP and existing HTTP are vulnerable to an imposter capable of intercepting and examining request packets. In particular, such an imposter can substitute its own content for the legitimate content. In existing HTTP, it would do so by learning the intended Web server’s IP address, and in DHTTP by learning the client port number and request ID. Only an encrypted version of the protocol, be it HTTP or DHTTP, can protect against such an attack.
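Added example (not from the DHTTP paper or any DHTTP implementation) that puts the section's defenses together in Python: the client accepts a response only if it hits a currently open (port, request ID) pair before the hole expires, regardless of source IP, and a server drops SYNs addressed to the client port range. The port ranges, the hole lifetime and all names are assumptions.

```python
import secrets
import time

# Assumed parameters (not from the paper): disjoint port ranges for clients and
# servers, and how long a pending request (the firewall "hole") stays valid.
CLIENT_PORT_RANGE = (49152, 65535)
SERVER_PORT_RANGE = (8000, 8999)
HOLE_LIFETIME = 2.0  # seconds


class DhttpClientState:
    """Tracks outstanding DHTTP requests so responses can be validated."""

    def __init__(self, now=time.monotonic):
        self.now = now            # injectable clock, so expiry can be tested
        self.pending = {}         # (client_port, request_id) -> expiry time

    def new_request(self):
        """Pick a fresh random client port and 8-byte request ID per request."""
        lo, hi = CLIENT_PORT_RANGE
        port = lo + secrets.randbelow(hi - lo + 1)
        request_id = secrets.token_bytes(8)
        self.pending[(port, request_id)] = self.now() + HOLE_LIFETIME
        return port, request_id

    def accept_response(self, dst_port, request_id):
        """True only if the packet matches an unexpired request.

        The source IP is deliberately not checked: an interception proxy may
        answer from its own address. Port plus request ID is the check."""
        key = (dst_port, request_id)
        expiry = self.pending.get(key)
        if expiry is None:
            return False          # wrong port or wrong request ID: discard
        del self.pending[key]     # one response per request; hole now closed
        return self.now() <= expiry


def server_should_drop_syn(dst_port):
    """A DHTTP server never owns a port in the client range, so a SYN to such
    a port (e.g. reflected from a spoofed request) can be dropped outright."""
    lo, hi = CLIENT_PORT_RANGE
    return lo <= dst_port <= hi
```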
