insertion, evasion and denial of service: eluding network intrusion detection...
TRANSCRIPT
Insertion, Evasion and Denial of Service:
Eluding Network Intrusion Detection
------------------------------------------------
Aaron BeachSpring 2004
Abstract:
Since it is critical to the overall security of a network and its
possible usage in forensic analysis, it is reasonable to assume that IDS’s are themselves logical
targets for attack or deception.
Common Intrusion Detection Framework
• E-boxes – event generators– Provides information about events
• A-boxes – analysis engines– Analyze and extract relevent info
• D-boxes – storage mechanisms– Stores info from E and A boxes
• C-boxes – countermeasures– More than just alarm, preventing further attacks
Network ID and Passive Analysis
• Host-based ID– Good at discerning attacks that involve one
user, or one system– Bad a general network (low-level) intrusion
• Network based ID– Good at raw-network (low-level) detection– Bad at discerning what exactly is happening
on one computer
Signature Analysis
• Some attacks carry the same IP fragment signature.
• Looks for a specific sequence of data/packets/string…etc…
• This sequence or data pattern is the signature. This is the method that most modern IDS use.
Need for Reliability
• Flawed systems can create a dangerous false sense of security
• If the presence of an IDS is known it is a logical target for attack
• If a system is inaccurate.. Or its unreliability is known ..the weakness can be used against the network
Vulnerability Points
• Each component can fail… and could make the system fail– E, A, D, or C boxes can fail… why and how?
• E – Without the eyes IDS would be blind
• A – With analysis there is no detection
• D – Wtihout D there is no record
• C – Without C attacks may continue
Problems with NIDS
• There is not enough information on wire to make good judgments about what is going on
• Since all packets must pass this IDS it is inherently vulnerable to DoS attacks
Not enough info?
• Time difference between IDS and end user
• Some systems may or may not accept certain packets
• The IDS doesn’t know the internal state of the memory and functionality of the end users.. This can effect how the packets are handled
• All together IDS may not know what is going on in the system
Vulnerable to DoS
• IDS is “fail-open” meaning traffic continues when IDS fails (because they are passive)
• Even use IDS countermeasures to deny service
ATTACKS!!!
• 3 attack types– Insertion– Evasion– Resource Starvation
INSERTION
• Inserting information into the IDS that does not exist elsewhere (such as packets that the end users treat differently or ignore)
• IP fragments and TCP segments if arrived out of order and varying in size will result in overlapping of old data. It is imperative the IDS resolves this issue consistent with the hosts it is protecting.
• If IDS looks for “GET /cgi-bin/phf?” may be attack… but maybe it doesn’t see what end user sees
Example of different overlap
EVASION
• Getting IDS to not see Data that the network may see
• Evading the detection
• Get IDS to reject certain packets… that the systems will accept!!
• Kind of opposite of insertion, but same idea -> discrepency between IDS and inner network
Real World Examples
• TCP requires fragments to be reassembled
• So, attacker can make the IDS and end user assemble different packets… how can they do this?
Examples• IP TTL doesn’t reach end user
• Packet too large for end user
• Destination configured different
• Different time outs depending on OS
• Overlap.. Like we saw
• End user rejects certain options
• PAWS… drop old time stamps
• Deals with sequence #’s different
DoS – Destroy Resources
• Fail-open (remember)
• Bugs in software… can cause crash
• But usually… resource exhaustion– Memory (Queue of connection states)– CPU computation time can be slowed to infinity– Disk space (d-box) can run out
Real World Example
• BPF (Berkley packet filter)
• Stored in kernel buffer, when full packets are dropped
• Force CPU to do useless work, find out what takes up CPU time and do it over and over again
• IP fragmentation uses up much resources
More examples!!
• Attacker finds operations that require a lot of memory and targets them until no more memory
• Solution: Garbage collection– Problems: May stop legitimate connections
and may not keep up with collection
• Use IDS to deny others of service (spoof addresses, frame others)
• Force IDS to block DNS servers??
The Evaluations
• 4 most popular NIDS in 1998
• Attack examples– .phf cgi script insertion attack– IP frag attack– Bad checksums, no acks, data in syn packet– etc…
The Results• None handled IP frag
correctly• ? = Couldn’t test• + = saw attack• - = blind to attack• Tests reveal serious
flaws that any “savvy” attacker could exploit
The NIDSs• “ISS RealSecure”
– Doesn’t even try to reassemble packets properly (doesn’t look at sequence number)
• “WheelGroup NetRanger”– Super expensive… doesn’t check syn packet for
data. Doesn’t seem to validate checksums
• AbirNet SessionWall-3– Failed on syn info, and could get order thrown off
• Network Flight Recorder– Checksums, data without ack, extra syns
Implication for future
• In particular IDS need to reconstruct frags right
• Basic attacks should not be reacted to or they could be used to deny service to users
• IDS testing needs to be implemented
• Availability of source code could help
Final questions
• How have things changed since then?
• Why do they always refer to attackers as feminine? “she…”