TAILIEUCHUNG - Security Fundamentals for E-Commerce, part 6

194 Security Fundamentals for E-Commerce

... connection and deletes the event from the state table. In contrast to the relay mechanism, the gateway mechanism divides the cost of protection between the firewall host and the server. The passive gateway mechanism is similar to the gateway mechanism, except that the firewall host does not send an ACK message to the server on its own. It waits instead for an ACK message to come from the client. The waiting time (timeout period) is, however, shorter than the timeout of the server's backlogged connection. After the firewall's timeout has expired, the firewall host sends a RST message to the server. With this mechanism an outstanding connection stays in the server's backlog queue longer than with the gateway mechanism.

TCP Sequence Number Prediction

In the second TCP handshake message a TCP server is expected to send a random sequence number SN_S. Unfortunately, as described in [6], this sequence number is not always really random, but predictable. For example, in BSD UNIX systems the initial sequence number is incremented by a constant value d once per second, and by d/2 at each connection attempt. A malicious client may initiate several connections to the server and observe the sequence numbers. On the basis of those observations the client can try to predict the sequence number that will be used at the next connection attempt. Suppose the malicious client wants to impersonate an honest client that is trusted by the server. In the first handshake message (see Figure) the malicious client sends a SYN message with a spoofed IP address (that of the honest client) to the server. The server responds with a SYN ACK message carrying a new sequence number SN_S.
The SYN ACK message is sent to the honest client, so the malicious client never receives it. Unfortunately, since the malicious client can predict SN_S, it does not need the SYN ACK message to be able to respond with an ACK message that looks as if it has come from the honest client.
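The BSD-style generator the passage describes, next to a random one, and the kind of audit a defender would run over the initial sequence numbers their own server issues, as an added example that is not the book's code; the increment d, the seeds and the ISN samples are constructed:

```python
"""Audit of TCP initial sequence numbers (ISNs) for predictability.

Added example, not code from the book: it models the BSD-style generator the
text describes (ISN += d each second, += d/2 per connection attempt) next to a
random generator, plus an audit that flags ISNs whose deltas are constant.
The value of d and the sample sequences are constructed for illustration.
"""
import random
from collections import Counter

MOD = 2 ** 32   # ISNs are 32-bit
D = 128_000     # constructed stand-in for the per-second increment d


class BsdLikeIsnGenerator:
    """Deterministic generator: +d per elapsed second, +d/2 per connection."""
    def __init__(self, seed_isn: int = 0) -> None:
        self.isn = seed_isn % MOD

    def tick(self, seconds: int = 1) -> None:     # the clock advances
        self.isn = (self.isn + D * seconds) % MOD

    def connect(self) -> int:                     # a SYN arrives; SYN ACK carries this ISN
        self.isn = (self.isn + D // 2) % MOD
        return self.isn


class RandomIsnGenerator:
    """What the handshake expects: a fresh, unpredictable ISN per connection."""
    def __init__(self, seed: int = 0) -> None:
        self._rng = random.Random(seed)           # seeded only for repeatability

    def connect(self) -> int:
        return self._rng.getrandbits(32)


def isn_deltas(observed: list[int]) -> list[int]:
    """Differences between consecutive observed ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(observed, observed[1:])]


def audit_isns(observed: list[int], tolerance: int = 0) -> dict:
    """Flag a sample as predictable when its deltas are (near-)constant;
    also report the dominant delta and the ISN a linear model expects next,
    so a defender can compare it with what the stack actually issues."""
    deltas = isn_deltas(observed)
    if len(deltas) < 2:
        raise ValueError("need at least three observed ISNs")
    step = Counter(deltas).most_common(1)[0][0]
    predictable = max(deltas) - min(deltas) <= tolerance
    expected = (observed[-1] + step) % MOD if predictable else None
    return {"predictable": predictable, "step": step, "expected_next": expected}
```

Running the audit against a handful of ISNs collected from your own server (one connection per sample) shows whether a linear model explains them; a result of `predictable: True` with a matching `expected_next` is the condition the text warns about.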
