Presentation is loading. Please wait.

Presentation is loading. Please wait.

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004.

Published byNehemiah Elkington Modified over 10 years ago

Similar presentations

Presentation on theme: "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004."— Presentation transcript:

1 Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004

2 Abstract: Since it is critical to the overall security of a network and its possible usage in forensic analysis, it is reasonable to assume that IDS’s are themselves logical targets for attack or deception.

3 Common Intrusion Detection Framework E-boxes – event generators –Provides information about events A-boxes – analysis engines –Analyze and extract relevent info D-boxes – storage mechanisms –Stores info from E and A boxes C-boxes – countermeasures –More than just alarm, preventing further attacks

4 Network ID and Passive Analysis Host-based ID –Good at discerning attacks that involve one user, or one system –Bad a general network (low-level) intrusion Network based ID –Good at raw-network (low-level) detection –Bad at discerning what exactly is happening on one computer

5 Signature Analysis Some attacks carry the same IP fragment signature. Looks for a specific sequence of data/packets/string…etc… This sequence or data pattern is the signature. This is the method that most modern IDS use.

6 Need for Reliability Flawed systems can create a dangerous false sense of security If the presence of an IDS is known it is a logical target for attack If a system is inaccurate.. Or its unreliability is known..the weakness can be used against the network

7 Vulnerability Points Each component can fail… and could make the system fail –E, A, D, or C boxes can fail… why and how? E – Without the eyes IDS would be blind A – With analysis there is no detection D – Wtihout D there is no record C – Without C attacks may continue

8 Problems with NIDS There is not enough information on wire to make good judgments about what is going on Since all packets must pass this IDS it is inherently vulnerable to DoS attacks

9 Not enough info? Time difference between IDS and end user Some systems may or may not accept certain packets The IDS doesn’t know the internal state of the memory and functionality of the end users.. This can effect how the packets are handled All together IDS may not know what is going on in the system

10 Vulnerable to DoS IDS is “fail-open” meaning traffic continues when IDS fails (because they are passive) Even use IDS countermeasures to deny service

11 ATTACKS!!! 3 attack types –Insertion –Evasion –Resource Starvation

12 INSERTION Inserting information into the IDS that does not exist elsewhere (such as packets that the end users treat differently or ignore) IP fragments and TCP segments if arrived out of order and varying in size will result in overlapping of old data. It is imperative the IDS resolves this issue consistent with the hosts it is protecting. If IDS looks for “GET /cgi-bin/phf?” may be attack… but maybe it doesn’t see what end user sees

13 Example of different overlap

14 EVASION Getting IDS to not see Data that the network may see Evading the detection Get IDS to reject certain packets… that the systems will accept!! Kind of opposite of insertion, but same idea -> discrepency between IDS and inner network

15 Real World Examples TCP requires fragments to be reassembled So, attacker can make the IDS and end user assemble different packets… how can they do this?

16 Examples IP TTL doesn’t reach end user Packet too large for end user Destination configured different Different time outs depending on OS Overlap.. Like we saw End user rejects certain options PAWS… drop old time stamps Deals with sequence #’s different

17 DoS – Destroy Resources Fail-open (remember) Bugs in software… can cause crash But usually… resource exhaustion –Memory (Queue of connection states) –CPU computation time can be slowed to infinity –Disk space (d-box) can run out

18 Real World Example BPF (Berkley packet filter) Stored in kernel buffer, when full packets are dropped Force CPU to do useless work, find out what takes up CPU time and do it over and over again IP fragmentation uses up much resources

19 More examples!! Attacker finds operations that require a lot of memory and targets them until no more memory Solution: Garbage collection –Problems: May stop legitimate connections and may not keep up with collection Use IDS to deny others of service (spoof addresses, frame others) Force IDS to block DNS servers??

20 The Evaluations 4 most popular NIDS in 1998 Attack examples –.phf cgi script insertion attack –IP frag attack –Bad checksums, no acks, data in syn packet –etc…

21 The Results None handled IP frag correctly ? = Couldn’t test + = saw attack - = blind to attack Tests reveal serious flaws that any “savvy” attacker could exploit

22 The NIDSs “ISS RealSecure” –Doesn’t even try to reassemble packets properly (doesn’t look at sequence number) “WheelGroup NetRanger” –Super expensive… doesn’t check syn packet for data. Doesn’t seem to validate checksums AbirNet SessionWall-3 –Failed on syn info, and could get order thrown off Network Flight Recorder –Checksums, data without ack, extra syns

23 Implication for future In particular IDS need to reconstruct frags right Basic attacks should not be reacted to or they could be used to deny service to users IDS testing needs to be implemented Availability of source code could help

24 Final questions How have things changed since then? Why do they always refer to attackers as feminine? “she…”

Download ppt "Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection ------------------------------------------------ Aaron Beach Spring 2004."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.

Network and Application Attacks Contributed by- Chandra Prakash Suryawanshi CISSP, CEH, SANS-GSEC, CISA, ISO 27001LI, BS 25999LA, ERM (ISB) June 2006.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
NS-H0503-02/11041 Attacks. NS-H0503-02/11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.

NS-H /11041 Attacks. NS-H /11042 The Definition Security is a state of well-being of information and infrastructures in which the possibility.
Transmission Control Protocol (TCP)

Transmission Control Protocol (TCP)
CISCO NETWORKING ACADEMY PROGRAM (CNAP)

CISCO NETWORKING ACADEMY PROGRAM (CNAP)
Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.

Availability Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Aspects of Computer.
IS333, Ch. 26: TCP Victor Norman Calvin College 1.

IS333, Ch. 26: TCP Victor Norman Calvin College 1.
Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.

Denial of Service & Session Hijacking.  Rendering a system unusable to those who deserve it  Consume bandwidth or disk space  Overwhelming amount of.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
1 Reading Log Files. 2 Segment Format

1 Reading Log Files. 2 Segment Format
(4.4) Internet Protocols Layered approach to Internet Software 1.

(4.4) Internet Protocols Layered approach to Internet Software 1.
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 7 “Denial-of-Service-Attacks”.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Network Intrusion Detection Systems Presented by Keith Elliott.

Network Intrusion Detection Systems Presented by Keith Elliott.
Distributed Denial of Service Attacks CMPT 471 1 Distributed Denial of Service Attacks Darius Law.

Distributed Denial of Service Attacks CMPT Distributed Denial of Service Attacks Darius Law.
SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

SYN Flooding: A Denial of Service Attack Shivani Hashia CS265.

Similar presentations

Ads by Google