Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection


Presentation Transcript


  1. Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection, 2006 11/16 囧

  2. Signature Analysis • Looks for a specific sequence of data, packets, strings, etc. • For example the “phf” in “GET /cgi-bin/phf” • This sequence or data pattern is the signature. This is the method that most modern IDS use.

  3. Problems with NIDS • There is not enough information on the wire to make good judgments about what is going on at the end systems • Since all packets must pass through the IDS, it is inherently vulnerable to DoS attacks

  4. Not enough info? • Time difference between IDS and end user • Some systems may or may not accept certain packets

  5. Vulnerable to DoS • An IDS is “fail-open”, meaning traffic continues to flow when the IDS fails (because it is passive) • An attacker can even turn the IDS’s own countermeasures into a way to deny service

  6. ATTACKS!!! • 3 attack types • Insertion • Evasion • Resource Starvation

  7. INSERTION • The IDS accepts a packet that the end system rejects, so the IDS sees data the end system never sees.

  8. EVASION • Getting the IDS to not see data that the end system does see • Get the IDS to reject certain packets that the end systems will accept • Kind of the opposite of insertion, but the same idea: a discrepancy between the IDS and the systems behind it

  9. Examples • Bad Header Fields • IP Options • IP Fragmentation • Overlap • TCP Malformed Header Fields • TCP Options • TCP Stream Reassembly

  10. Bad Header Fields • Checksum • TTL • DF flag: if the maximum packet length the NIDS accepts is larger than the maximum the monitored systems accept, a packet carrying junk data can be sized between the two limits, so the junk is inserted into the IDS and never seen by the end system
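The defensive counterpart of slide 10 is for the sensor to ask, for every packet, whether the monitored host could actually process it before letting it influence detection state. The following is an added example (not code from the slides or from the original paper) that checks the three header fields named above: it verifies the IPv4 header checksum, compares the TTL against the assumed number of router hops between the sensor and the host, and rejects DF packets larger than the assumed path MTU. The hop count, MTU, addresses and headers are all constructed for the demonstration.

```python
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the 16-bit words of an IPv4 header.
    Computed over a header whose checksum field is correct, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: bytes, dst: bytes, ttl: int, total_length: int,
                      df: bool = False, checksum=None) -> bytes:
    """Constructed 20-byte IPv4 header for the sample packets (not real traffic)."""
    flags_frag = 0x4000 if df else 0         # DF is bit 14 of the flags/offset word
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234,
                      flags_frag, ttl, 6, 0, src, dst)
    if checksum is None:
        checksum = ipv4_checksum(hdr)        # the checksum field is still zero here
    return hdr[:10] + struct.pack("!H", checksum) + hdr[12:]


def end_host_drop_reasons(packet: bytes, hops_to_target: int, path_mtu: int) -> list:
    """Reasons the monitored host would never process this packet.
    hops_to_target: routers between the sensor and the host (assumed known);
    path_mtu: largest datagram the path forwards without fragmenting (assumed)."""
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    reasons = []
    if ipv4_checksum(header) != 0:
        reasons.append("bad IP checksum")
    total_length = struct.unpack("!H", header[2:4])[0]
    flags_frag = struct.unpack("!H", header[6:8])[0]
    ttl = header[8]
    if ttl <= hops_to_target:                # each router decrements; 0 is discarded
        reasons.append("TTL too low to reach target")
    if flags_frag & 0x4000 and total_length > path_mtu:
        reasons.append("DF set and larger than path MTU")
    return reasons


SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def sample_verdicts() -> dict:
    """Four constructed headers checked against a host 5 hops away behind a 1500-byte MTU."""
    good = build_ipv4_header(SRC, DST, ttl=64, total_length=40)
    bad_sum = good[:10] + bytes([good[10], good[11] ^ 1]) + good[12:]  # flip one checksum bit
    low_ttl = build_ipv4_header(SRC, DST, ttl=3, total_length=40)
    too_big = build_ipv4_header(SRC, DST, ttl=64, total_length=1600, df=True)
    return {name: end_host_drop_reasons(h, hops_to_target=5, path_mtu=1500)
            for name, h in [("good", good), ("bad_sum", bad_sum),
                            ("low_ttl", low_ttl), ("too_big", too_big)]}


if __name__ == "__main__":
    for name, reasons in sample_verdicts().items():
        print(name, reasons or "would reach the host")
```

A packet with any reason listed should be dropped from the sensor's reassembly and signature state rather than matched, since matching it can only produce insertion: data the host never sees. The TTL rule depends on the sensor knowing the topology behind it, which is exactly the "not enough information on the wire" problem of slide 3; where the hop count is unknown, the packet should at least be flagged as ambiguous.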

  11. IP Options • Strict source routing

  12. IP Fragmentation • Basic Reassembly Problems -- order? -- flood fragments -- TTL

  13. IP Fragmentation • Overlapping Fragments: Frag1 offset=0, size=256; Frag2 offset=248, size=256
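Slide 13's two fragments overlap by 8 bytes, and operating systems differ on whether the first or the last fragment wins in that region. The following added example (not code from the slides or the paper) reassembles the slide's fragments under both policies to show that the sensor and the host can end up with different datagrams, and adds the check a sensor should make: if overlapping fragments disagree on any byte, the reassembly is ambiguous and should be alerted on regardless of which policy the sensor uses. Offsets are given in bytes here; real IP fragment offsets are in 8-byte units (248 = 31 * 8). The fragment contents are constructed.

```python
def reassemble(frags, policy="first"):
    """Reassemble (byte_offset, payload) fragments into one datagram body.
    policy "first": bytes already written win (older data favoured);
    policy "last":  later fragments overwrite (newer data favoured).
    Returns None while any byte of the datagram is still missing."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(data) for off, data in frags)
    buf = bytearray(total)
    filled = bytearray(total)            # one flag byte per payload byte
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
            filled[pos] = 1
    return bytes(buf) if all(filled) else None


def conflicting_overlap(frags) -> bool:
    """True when two fragments claim the same byte with different values.
    An end host and an IDS may then reassemble different data, so alert."""
    seen = {}
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if seen.setdefault(pos, byte) != byte:
                return True
    return False


# Constructed fragments matching the slide: 256 bytes at 0, 256 bytes at 248.
SLIDE_FRAGS = [(0, b"A" * 256), (248, b"B" * 256)]
# A genuine retransmission carries the same bytes in the overlap: not ambiguous.
DUPLICATE_FRAGS = [(0, b"A" * 256), (248, b"A" * 8 + b"B" * 248)]


def demo() -> dict:
    return {
        "first": reassemble(SLIDE_FRAGS, "first"),
        "last": reassemble(SLIDE_FRAGS, "last"),
        "conflict": conflicting_overlap(SLIDE_FRAGS),
        "benign_retransmit": conflicting_overlap(DUPLICATE_FRAGS),
        "incomplete": reassemble([(0, b"A" * 256), (512, b"C" * 8)], "first"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if not isinstance(value, bytes) else value[240:264])
```

Under "first" the overlap bytes stay A and the datagram is 256 A's followed by 248 B's; under "last" it becomes 248 A's followed by 256 B's. A signature that straddles the overlap therefore matches under one policy and not the other, which is why slide 21 finds fragment handling to be the weakest area and slide 22 asks that fragments be reconstructed the way the target host would. The `incomplete` case shows the reassembler refusing to emit a datagram with a hole, and the `benign_retransmit` case shows that overlap alone is not the signal; disagreement in the overlap is.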

  14. TCP Malformed Header Fields • CODE (flag bits) • Checksum

  15. TCP Options • Window scale and timestamp • These two options may appear in non-SYN segments • The IDS does not know whether the end system will accept such a segment

  16. TCP Stream Reassembly • Retransmission • Basic reassembly problems: the IDS does not track sequence numbers • Window size
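Slides 15 and 16 come down to the sensor needing a model of the receiver's TCP state: which sequence numbers it will accept, in what order it hands bytes to the application, and what happens when a retransmission disagrees with data already seen. The following added example (not code from the slides or the paper) tracks one direction of a stream the way a sensor should: segments beyond the receiver's advertised window are rejected as the host would reject them, out-of-order segments are held until the gap is filled, and a retransmission whose bytes differ from the already-delivered bytes is recorded as an anomaly. It then matches the slide 2 signature against the reassembled stream, where it spans a segment boundary. The ISN, window and segments are constructed.

```python
class StreamReassembler:
    """One direction of a TCP stream, tracked the way a sensor must: accept
    only what the receiver's window allows, deliver bytes in sequence order,
    and record retransmissions whose bytes disagree with what was already seen."""

    def __init__(self, isn: int, window: int):
        self.base = isn + 1            # first data byte follows the SYN
        self.next_seq = self.base      # next byte the receiver expects
        self.window = window           # receiver's advertised window (assumed known)
        self.pending = {}              # out-of-order segments: seq -> payload
        self.data = bytearray()        # in-order bytes delivered so far
        self.events = []               # (kind, seq) anomalies worth alerting on

    def segment(self, seq: int, payload: bytes) -> None:
        if seq >= self.next_seq + self.window:
            self.events.append(("outside_window", seq))   # receiver would discard it
            return
        if seq < self.next_seq:                           # (partial) retransmission
            overlap = min(len(payload), self.next_seq - seq)
            start = seq - self.base
            already = bytes(self.data[start:start + overlap])
            if already != payload[:overlap]:
                self.events.append(("conflicting_retransmission", seq))
            payload, seq = payload[overlap:], self.next_seq
            if not payload:
                return
        self.pending[seq] = payload
        self._drain()

    def _drain(self) -> None:
        """Move every segment that is now contiguous into the delivered data."""
        while self.pending:
            seq = min(self.pending)
            if seq > self.next_seq:
                break                                     # hole: wait for missing bytes
            data = self.pending.pop(seq)[self.next_seq - seq:]
            self.data += data
            self.next_seq += len(data)

    def matches(self, signature: bytes) -> bool:
        return signature in bytes(self.data)


SIGNATURE = b"/cgi-bin/phf"

# Constructed segments of one request, arriving out of order, with the
# signature split across the first two segments.
SEGMENTS = [
    (1001, b"GET /cgi-bin/p"),
    (1025, b" HTTP/1.0\r\n"),        # arrives before the bytes in front of it
    (1015, b"hf?foo=bar"),
    (1001 + 100000, b"junk"),         # far beyond the 4096-byte window
    (1001, b"GET /cgi-bin/X"),        # retransmission whose bytes differ
]


def run_sample() -> StreamReassembler:
    r = StreamReassembler(isn=1000, window=4096)
    for seq, payload in SEGMENTS:
        r.segment(seq, payload)
    return r


def per_segment_match() -> bool:
    """What a sensor without reassembly sees: does any single segment match?"""
    return any(SIGNATURE in p for _, p in SEGMENTS)


if __name__ == "__main__":
    r = run_sample()
    print(bytes(r.data))
    print("reassembled match:", r.matches(SIGNATURE), "per-segment match:", per_segment_match())
    print("events:", r.events)
```

Without reassembly the signature never matches, because no single segment contains it; with reassembly it does. The two recorded events are the cases a sensor cannot resolve on its own: a segment the receiver would drop (letting it through would be insertion) and a retransmission carrying different bytes (the sensor cannot tell which copy the receiver kept, so it should alert rather than silently pick one).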

  17. DoS • Fail-open • Resource Exhaustion • Abusing Reactive ID Systems

  18. Resource Exhaustion • Memory (IP fragmentation attacks, TCP connect flooding) • CPU computation time can be slowed to infinity • Disk space (d-box) can run out (log flooding)

  19. Abusing Reactive ID Systems • Use the IDS to deny service to others (spoofed addresses) • Force the IDS to block DNS servers

  20. The Evaluations • 4 most popular NIDS in 1998 • Attack examples • phf CGI script insertion attack • IP fragmentation attack • Bad checksums, no ACKs, data in SYN packet • etc.

  21. The Results • None handled IP fragmentation correctly • ? = couldn’t test • + = saw the attack • - = blind to the attack

  22. Implications for the future • In particular, an IDS needs to reconstruct fragments the way the target host does • Basic attacks should not be reacted to automatically, or the reaction itself can be used to deny service to users • Availability of source code could help
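Slides 19 and 22 together describe the failure mode of a reactive IDS: an attacker with spoofed source addresses causes the sensor to block a third party, such as the site's DNS server. The following added example (not code from the slides or the paper) is the kind of gate a practitioner puts in front of any automatic blocking action: an allowlist of infrastructure that is never blocked, a requirement that the offending source completed a TCP handshake (a lone SYN or datagram proves nothing about who sent it), no reaction at all to low-severity probes, and a strike threshold before blocking. The alert format, addresses and thresholds are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist of hosts a blocking rule must never touch, here the
# site's DNS resolver and an upstream network (hypothetical addresses).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.53/32", "198.51.100.0/24")]


class ReactivePolicy:
    """Decide whether an alert may trigger an automatic block."""

    def __init__(self, threshold: int = 3, never_block=NEVER_BLOCK):
        self.threshold = threshold
        self.never_block = never_block
        self.strikes = defaultdict(int)       # blockable alerts seen per source

    def decide(self, alert: dict) -> str:
        src = ipaddress.ip_address(alert["src"])
        if any(src in net for net in self.never_block):
            # even a genuine alert from the resolver must not cut the site off
            return "log-only: source is critical infrastructure"
        if not alert["established"]:
            # a spoofed address can appear in a lone SYN or datagram; only a
            # completed handshake shows the source could receive our replies
            return "log-only: source address unverified"
        if alert["severity"] == "low":
            return "log-only: basic probe, not worth a block"
        self.strikes[src] += 1
        if self.strikes[src] < self.threshold:
            return "log-only: below strike threshold"
        return "block"


# Constructed alerts: src, whether the sensor saw a completed handshake, severity.
ALERTS = [
    {"src": "192.0.2.53", "established": True, "severity": "high"},    # the resolver itself
    {"src": "203.0.113.7", "established": False, "severity": "high"},  # lone datagram, spoofable
    {"src": "203.0.113.8", "established": True, "severity": "low"},    # basic probe
    {"src": "203.0.113.9", "established": True, "severity": "high"},
    {"src": "203.0.113.9", "established": True, "severity": "high"},
    {"src": "203.0.113.9", "established": True, "severity": "high"},   # third strike
]


def run_sample() -> list:
    policy = ReactivePolicy()
    return [policy.decide(a) for a in ALERTS]


if __name__ == "__main__":
    for alert, verdict in zip(ALERTS, run_sample()):
        print(alert["src"], "->", verdict)
```

Only the last alert results in a block: the source is outside the allowlist, the handshake shows the address is real, the severity is high, and it is the third such alert. Everything else is logged for a human, which is the point of slide 22: the IDS still sees and records the basic attacks, it just does not let them steer its countermeasures.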
