今天遇到一个问题, 修改host文件访问本机遇到http 401.1。
经过排查发现是一个叫做loop back check检查的配置的原因.
什么是loop back check呢?
这个配置是用来防止reflection attack的. 这个配置生效之后, 使用FQDN或者自定义的host header(与机器名不匹配)时, 那么NTLM认证会失败.
那么什么是reflection attack呢?
这种攻击的主要思想就是使用trick, 让被攻击的机器提供给attacker它自己的challenge的答案.
过程如下:
- The attacker initiates a connection to a target.
- The target attempts to authenticate the attacker by sending it a challenge.
- The attacker opens another connection to the target, and sends the target this challenge as its own.
- The target responds to the challenge.
- The attacker sends that response back to the target on the original connection.
参考资料:
Reflection attack
http://en.wikipedia.org/wiki/Reflection_attack
You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or a later version
http://support.microsoft.com/kb/896861
什么是loopback check?
http://www.cnblogs.com/awpatp/archive/2010/03/11/1683672.html