Next: The Sting prototype
Up: Implementation
Previous: Implementation
Most operating systems provide two mechanisms for low-level network access: raw sockets and packet filters. A raw socket allows an application to directly format and send packets with few modifications by the underlying system. Using raw sockets it is possible to create our own TCP segments and send them into the network. Packet filters allow an application to acquire copies of raw network packets as they arrive in the system. This mechanism can be used to receive acknowledgments and other control messages from the network. Unfortunately, another copy of each packet is also relayed to the TCP stack of the host operating system; this can cause some difficulties. For example, if sting sends a TCP SYN request to the target, the target responds with a SYN of its own. When the host operating system receives this SYN it will respond with a RST because it is unaware that a TCP connection is in progress.
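The two mechanisms above, as an added illustration that is not code from the Sting paper or its prototype: a raw-socket sender must format a TCP SYN with a valid checksum itself, a packet-filter receiver decodes the copies it is handed, and the tool has to tell the target's SYN/ACK apart from the RST the host stack emits for it. The addresses and ports used are constructed sample values.

```python
import socket
import struct

# TCP flag bits (RFC 793) used below
SYN, RST, ACK = 0x02, 0x04, 0x10

def internet_checksum(data: bytes) -> int:
    """RFC 1071: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header the TCP checksum covers: src, dst, zero, protocol, length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, socket.IPPROTO_TCP, tcp_len))

def build_tcp_segment(src_ip, dst_ip, sport, dport, seq, ack=0, flags=SYN, window=8192):
    """20-byte TCP header (no options, no payload) ready for a raw socket; the sender,
    not the kernel, must fill in the checksum over pseudo-header plus segment."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = internet_checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]

def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correctly checksummed segment sums to zero with the checksum field included."""
    return internet_checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0

def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed TCP header from a copy handed up by the packet filter."""
    sport, dport, seq, ack, off, flags, window, csum, _urg = struct.unpack("!HHIIBBHHH", segment[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "data_offset": off >> 4, "flags": flags, "window": window, "checksum": csum}

def classify_captured(probe: dict, seen: dict) -> str:
    """Relate a captured header to the SYN probe we sent (probe = our parsed outgoing header).
    'syn-ack': the target's answer, acknowledging probe.seq + 1 on the reversed 4-tuple.
    'host-rst': the reset the host's own stack sends on our 4-tuple because it has no
                connection for that SYN/ACK; per RFC 793 its seq equals the ack it received."""
    expected = (probe["seq"] + 1) & 0xFFFFFFFF
    if (seen["sport"], seen["dport"]) == (probe["dport"], probe["sport"]):
        if (seen["flags"] & (SYN | ACK)) == (SYN | ACK) and seen["ack"] == expected:
            return "syn-ack"
    elif (seen["sport"], seen["dport"]) == (probe["sport"], probe["dport"]):
        if seen["flags"] & RST and seen["seq"] == expected:
            return "host-rst"
    return "other"
```

Sending the result requires a raw socket opened with `IPPROTO_TCP` (and the IP header supplied or filled by the kernel, depending on the platform), which needs administrative privileges; the functions above only build and interpret the TCP header.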
An alternative implementation would be to use a secondary IP address for the sting application, and implement a user-level proxy ARP service. This would be simple and straightforward, but has the disadvantage that users of sting would need to request a second IP address from their network administrator. For this reason, we have resisted this approach.

Finally, many operating systems are starting to provide proprietary firewall interfaces (e.g. Linux, FreeBSD) that allow the user to filter outgoing or incoming packets. The former ability could be used to intercept packets arriving from the target host, while the latter ability could be used to suppress the responses of the host operating system. We are investigating this approach for a future version.
Stefan Savage
8/31/1999