Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection
------------------------------------------------
Aaron Beach, Spring 2004


Page 2: Abstract

Since an IDS is critical to the overall security of a network, and its output may be used in forensic analysis, it is reasonable to assume that IDSs are themselves logical targets for attack or deception.

Page 3: Common Intrusion Detection Framework

• E-boxes (event generators): provide information about events

• A-boxes (analysis engines): analyze events and extract the relevant information

• D-boxes (storage mechanisms): store information from the E- and A-boxes

• C-boxes (countermeasures): more than just an alarm; act to prevent further attacks

Page 4: Network ID and Passive Analysis

• Host-based ID: good at discerning attacks that involve one user or one system; bad at general network (low-level) intrusion detection

• Network-based ID: good at raw-network (low-level) detection; bad at discerning what exactly is happening on one computer

Page 5: Signature Analysis

• Some attacks always carry the same recognizable pattern, for example in a particular IP fragment.

• The detector looks for a specific sequence of data, packets, strings, etc.

• This sequence or data pattern is the signature. Signature matching is the method most modern IDSs use.

Page 6: Need for Reliability

• Flawed systems can create a dangerous false sense of security.

• If the presence of an IDS is known, it is a logical target for attack.

• If a system is inaccurate, or its unreliability is known, the weakness can be used against the network.

Page 7: Vulnerability Points

• Each component can fail, and a failed component can make the whole system fail. How and why can the E, A, D or C boxes fail?

• E: without the eyes, the IDS is blind

• A: without analysis there is no detection

• D: without D there is no record

• C: without C, attacks may continue

Page 8: Problems with NIDS

• There is not enough information on the wire to make good judgments about what is going on.

• Since the IDS must process every packet on the wire, it is inherently vulnerable to DoS attacks.

Page 9: Not enough info?

• The IDS and the end host see packets at different times.

• Some systems may or may not accept certain packets.

• The IDS doesn't know the internal state (memory, configuration, functionality) of the end hosts, and that state affects how the packets are handled.

• All together, the IDS may not know what is really going on in the system.

Page 10: Vulnerable to DoS

• An IDS is "fail-open": traffic keeps flowing when the IDS fails (because it is passive).

• IDS countermeasures can even be turned around to deny service.

Page 11: ATTACKS!!!

• 3 attack types:
– Insertion
– Evasion
– Resource starvation

Page 12: INSERTION

• Inserting information into the IDS that does not exist anywhere else (such as packets that the end hosts treat differently or ignore)

• IP fragments and TCP segments that arrive out of order and vary in size can overlap data that was already received. It is imperative that the IDS resolves this overlap in a way consistent with the hosts it is protecting.

• If the IDS looks for "GET /cgi-bin/phf?" it may catch the attack, but maybe it doesn't see what the end host sees.

Page 13: Example of different overlap (figure not reproduced in the transcript)

Page 14: EVASION

• Getting the IDS not to see data that the network (the end hosts) does see

• Evading detection

• Get the IDS to reject certain packets that the end systems will accept!!

• Roughly the opposite of insertion, but the same idea: a discrepancy between the IDS and the inner network

Page 15: Real World Examples

• IP fragments and TCP segments must be reassembled before the data can be examined.

• So an attacker can make the IDS and the end host assemble different streams. How?

Page 16: Examples

• IP TTL too small to reach the end host (the IDS sees the packet, the host never does)

• Packet too large for the end host to accept

• Destination configured differently from what the IDS assumes

• Different reassembly timeouts depending on the OS

• Overlap, like we saw

• End host rejects certain IP or TCP options

• PAWS: hosts drop segments with old timestamps

• Sequence numbers handled differently by the IDS and the host
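The TTL trick above, the bad-checksum trick from the evaluation slides, and the overlap ambiguity of Pages 12 and 13 all reduce to one model: the NIDS and the end host each reassemble the same segments with their own acceptance rules, so they can end up with different byte streams. The following Python model is an added example for this write-up, not code from the paper or from any of the products it evaluated; the hop counts, the signature string used for matching, and the "favor old" / "favor new" overlap policies are assumptions chosen to make the discrepancy visible.

```python
"""Constructed model of insertion attacks against a signature-matching NIDS.

The NIDS and the end host reassemble the same TCP segments, but they sit at
different distances from the attacker and apply different rules. Names and
numbers are illustrative assumptions, not taken from any real product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SIGNATURE = b"GET /cgi-bin/phf?"      # the pattern the NIDS is looking for


@dataclass
class Segment:
    seq: int                          # TCP sequence number of the first data byte
    data: bytes
    ttl: int = 64                     # IP TTL as sent by the attacker
    checksum_ok: bool = True          # False = attacker deliberately corrupted the TCP checksum


@dataclass
class Observer:
    """A NIDS or an end host, `hops` routers away from the attacker."""
    name: str
    hops: int
    verify_checksum: bool             # an end host always verifies; some NIDS do not
    favor: str                        # on overlap: "old" keeps the first copy, "new" takes the last

    def sees(self, seg: Segment) -> bool:
        # Each router decrements TTL and discards at zero, so the packet only
        # arrives if its TTL outlives the routers in front of us.
        if seg.ttl <= self.hops:
            return False
        if self.verify_checksum and not seg.checksum_ok:
            return False
        return True

    def reassemble(self, segments: List[Segment]) -> bytes:
        stream: Dict[int, int] = {}   # byte offset -> byte value
        for seg in segments:          # list order is arrival order
            if not self.sees(seg):
                continue
            for i, byte in enumerate(seg.data):
                off = seg.seq + i
                if self.favor == "new" or off not in stream:
                    stream[off] = byte
        if not stream:
            return b""
        out = bytearray()
        off = min(stream)
        while off in stream:          # stop at the first hole
            out.append(stream[off])
            off += 1
        return bytes(out)


def compare(ids: Observer, host: Observer, segs: List[Segment]) -> Tuple[bytes, bytes]:
    """Return (what the NIDS reconstructs, what the host reconstructs)."""
    return ids.reassemble(segs), host.reassemble(segs)


# Assumed topology: NIDS on the perimeter one router in, protected host three routers in.
IDS_STRICT = Observer("nids", hops=1, verify_checksum=True, favor="old")
IDS_LAX = Observer("nids-no-cksum", hops=1, verify_checksum=False, favor="old")
HOST_OLD = Observer("host", hops=3, verify_checksum=True, favor="old")
HOST_NEW = Observer("host", hops=3, verify_checksum=True, favor="new")


def attack_ttl() -> Tuple[bytes, bytes]:
    """Insertion via TTL: a one-byte segment that expires before the host."""
    segs = [
        Segment(0, b"GET /cgi-bin/p"),
        Segment(14, b"X", ttl=2),          # reaches the NIDS, dropped by the second router
        Segment(14, b"hf?"),
    ]
    return compare(IDS_STRICT, HOST_OLD, segs)


def attack_bad_checksum() -> Tuple[bytes, bytes]:
    """Insertion via a corrupted checksum against a NIDS that skips validation."""
    segs = [
        Segment(0, b"GET /cgi-bin/p"),
        Segment(14, b"X", checksum_ok=False),   # the host silently discards this
        Segment(14, b"hf?"),
    ]
    return compare(IDS_LAX, HOST_OLD, segs)


def attack_overlap_policy() -> Tuple[bytes, bytes]:
    """Pure overlap ambiguity: every segment reaches both parties, but the NIDS
    keeps the old data while the host lets the retransmission overwrite it."""
    segs = [
        Segment(0, b"GET /cgi-bin/p"),
        Segment(14, b"Xf?"),
        Segment(14, b"h"),                 # overlaps the decoy 'X'
    ]
    return compare(IDS_STRICT, HOST_NEW, segs)


if __name__ == "__main__":
    for attack in (attack_ttl, attack_bad_checksum, attack_overlap_policy):
        ids_view, host_view = attack()
        print(f"{attack.__name__:22} NIDS={ids_view!r:24} host={host_view!r}"
              f"  detected={SIGNATURE in ids_view} delivered={SIGNATURE in host_view}")
```

In all three cases the NIDS reconstructs `GET /cgi-bin/pXf?` and never matches its signature, while the host receives `GET /cgi-bin/phf?` and executes the request. Evasion is the mirror image: swap the two overlap policies and send the real byte before the decoy, and it is the NIDS that discards the byte the host keeps.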

Page 17: DoS – Destroy Resources

• Fail-open (remember)

• Bugs in the software can cause a crash

• But usually it is resource exhaustion:
– Memory (the queue of connection states)
– CPU: computation time can be slowed to infinity
– Disk space (the D-box) can run out

Page 18: Real World Example

• BPF (Berkeley Packet Filter)

• Captured packets are stored in a kernel buffer; when it is full, packets are dropped

• Force the CPU to do useless work: find out what takes up CPU time and do it over and over again

• IP fragment reassembly uses up a lot of resources

Page 19: More examples!!

• The attacker finds operations that require a lot of memory and targets them until no memory is left

• Solution: garbage collection
– Problems: may drop the state of legitimate connections, and may not keep up with the attacker

• Use the IDS to deny others service (spoof addresses, frame others)

• Force the IDS to block DNS servers??
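Pages 17 to 19 describe two ways of turning the NIDS itself into the weapon: starve its connection-state memory so that the garbage collector throws away the state it needs, and spoof the source of an attack so that a reactive countermeasure blocks a victim. The following Python model is an added example for this write-up, not code from the paper or from any product it evaluated; the table size, the addresses (RFC 5737 documentation ranges), the least-recently-used garbage-collection policy and the block-the-source countermeasure are assumptions.

```python
"""Constructed model of resource starvation and countermeasure abuse against a NIDS.

The tracker, its memory budget, the addresses and the traffic are illustrative
assumptions, not a real product or a real capture.
"""
from collections import OrderedDict
from typing import List, Set, Tuple

SIGNATURE = b"GET /cgi-bin/phf?"
Flow = Tuple[str, int, str, int]          # (src, sport, dst, dport)


class ConnectionTracker:
    """Per-connection reassembly state with a fixed table size. When the table is
    full, the least recently touched flow is garbage-collected to make room."""

    def __init__(self, max_flows: int) -> None:
        self.max_flows = max_flows
        self.table: "OrderedDict[Flow, bytes]" = OrderedDict()
        self.evicted = 0
        self.alerts: List[Flow] = []

    def segment(self, flow: Flow, data: bytes) -> None:
        if flow in self.table:
            self.table.move_to_end(flow)              # mark as recently used
        else:
            if len(self.table) >= self.max_flows:
                self.table.popitem(last=False)        # GC: drop the oldest flow's state
                self.evicted += 1
            self.table[flow] = b""                    # a new flow costs one slot even with no data
        self.table[flow] += data
        if SIGNATURE in self.table[flow]:             # signature match on the reassembled stream
            self.alerts.append(flow)


class ReactiveBlocker:
    """C-box that blocks the source address of every flow that raised an alert."""

    def __init__(self) -> None:
        self.blocked: Set[str] = set()

    def on_alerts(self, alerts: List[Flow]) -> None:
        for src, _sport, _dst, _dport in alerts:
            self.blocked.add(src)


def starvation_attack(flood_size: int, max_flows: int = 1000) -> bool:
    """Return True if the NIDS still detects the phf request when the attacker
    opens `flood_size` spoofed connections between the two halves of it."""
    nids = ConnectionTracker(max_flows)
    real: Flow = ("198.51.100.7", 40000, "192.0.2.10", 80)
    nids.segment(real, b"GET /cgi-bin/")             # first half of the attack string
    for i in range(flood_size):                      # spoofed SYNs: each costs the NIDS one slot
        decoy: Flow = (f"203.0.113.{i % 254 + 1}", 1024 + i, "192.0.2.10", 80)
        nids.segment(decoy, b"")
    nids.segment(real, b"phf?")                      # second half; matches only if state survived
    return real in nids.alerts


def framing_attack(dns_server: str = "192.0.2.53") -> Set[str]:
    """Spoof the site's DNS server as the source of an attack so that the
    reactive countermeasure blocks the DNS server rather than the attacker.
    Works against a NIDS that matches data before any handshake completes."""
    nids = ConnectionTracker(max_flows=100)
    blocker = ReactiveBlocker()
    spoofed: Flow = (dns_server, 53, "192.0.2.10", 80)
    nids.segment(spoofed, SIGNATURE)
    blocker.on_alerts(nids.alerts)
    return blocker.blocked


if __name__ == "__main__":
    for flood in (0, 999, 1000):
        print(f"flood={flood:4} detected={starvation_attack(flood)}")
    print("blocked by countermeasure:", framing_attack())
```

With a 1000-flow table, the 1000th spoofed connection evicts the state of the attacker's real connection, so the second half of the request lands in an empty buffer and the signature never matches: the garbage collector keeps the NIDS running but loses exactly the connection that matters. The framing function depends on the NIDS matching data before a handshake completes, which is what the "data in SYN packet" tests on Page 20 probe.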

Page 20: The Evaluations

• The 4 most popular NIDSs in 1998

• Attack examples:
– .phf CGI script insertion attack
– IP fragmentation attack
– Bad checksums, no ACKs, data in SYN packets
– etc.

Page 21: The Results

• None handled IP fragmentation correctly

• Results table (not reproduced in the transcript): ? = couldn't test, + = saw the attack, - = blind to the attack

• The tests reveal serious flaws that any "savvy" attacker could exploit

Page 22: The NIDSs

• ISS RealSecure: doesn't even try to reassemble streams properly (doesn't look at the sequence number)

• WheelGroup NetRanger: super expensive; doesn't check SYN packets for data, and doesn't seem to validate checksums

• AbirNet SessionWall-3: failed on data in SYN packets, and its ordering could be thrown off

• Network Flight Recorder: failed on checksums, data without an ACK, and extra SYNs

Page 23: Implications for the future

• In particular, IDSs need to reconstruct fragments correctly

• Basic attacks should not be reacted to automatically, or the reaction itself could be used to deny service to users

• IDS testing needs to be implemented

• Availability of source code could help

Page 24: Final questions

• How have things changed since then?

• Why do they always refer to attackers as feminine? “she…”