Insertion, Evasion and Denial of Service: Eluding Network Intrusion


Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection
Aaron Beach
Spring 2004
Abstract:
Since an IDS is critical to the overall security of a network and may be used in forensic analysis, it is reasonable to assume that IDSs are themselves logical targets for attack or deception.
Common Intrusion Detection
Framework
• E-boxes – event generators
– Provides information about events
• A-boxes – analysis engines
– Analyze and extract relevant info
• D-boxes – storage mechanisms
– Stores info from E and A boxes
• C-boxes – countermeasures
– More than just alarm, preventing further attacks
Network ID and Passive Analysis
• Host-based ID
– Good at discerning attacks that involve one user, or one system
– Bad at general network (low-level) intrusion
• Network-based ID
– Good at raw-network (low-level) detection
– Bad at discerning what exactly is happening on one computer
Signature Analysis
• Some attacks carry the same IP fragment signature.
• Looks for a specific sequence of data/packets/strings…etc…
• This sequence or data pattern is the signature. This is the method that most modern IDS use.
Need for Reliability
• Flawed systems can create a dangerous false sense of security
• If the presence of an IDS is known, it is a logical target for attack
• If a system is inaccurate, or its unreliability is known, the weakness can be used against the network
Vulnerability Points
• Each component can fail… and could make the whole system fail
– E, A, D, or C boxes can fail… why and how?
• E – Without the eyes the IDS would be blind
• A – Without analysis there is no detection
• D – Without D there is no record
• C – Without C attacks may continue
Problems with NIDS
• There is not enough information on the wire to make good judgments about what is going on
• Since all packets must pass this IDS, it is inherently vulnerable to DoS attacks
Not enough info?
• Time difference between IDS and end user
• Some systems may or may not accept certain packets
• The IDS doesn’t know the internal state of the memory and functionality of the end users. This can affect how the packets are handled
• All together, the IDS may not know what is going on in the system
Vulnerable to DoS
• IDS is “fail-open”, meaning traffic continues when the IDS fails (because they are passive)
• The IDS’s own countermeasures can even be turned into a way to deny service
ATTACKS!!!
• 3 attack types
– Insertion
– Evasion
– Resource Starvation
INSERTION
• Inserting information into the IDS that does not exist elsewhere (such as packets that the end users treat differently or ignore)
• IP fragments and TCP segments that arrive out of order and vary in size can overlap old data. It is imperative that the IDS resolve this in a way consistent with the hosts it is protecting.
• If the IDS looks for “GET /cgi-bin/phf?” it may flag an attack… but maybe it doesn’t see what the end user sees
Example of different overlap
EVASION
• Getting the IDS to not see data that the network may see
• Evading the detection
• Get the IDS to reject certain packets… that the systems will accept!!
• Kind of the opposite of insertion, but the same idea -> discrepancy between the IDS and the inner network
Real World Examples
• TCP requires fragments to be reassembled
• So, an attacker can make the IDS and end user assemble different packets… how can they do this?
Examples
• IP TTL doesn’t reach end user
• Packet too large for end user
• Destination configured differently
• Different time outs depending on OS
• Overlap.. like we saw
• End user rejects certain options
• PAWS… drop old time stamps
• Deals with sequence #’s differently
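To make the overlap discrepancy from the Insertion and Evasion slides concrete, here is an added example (not part of the original slides) that models two overlap-resolution policies for TCP segments and checks whether an IDS and the host it protects reconstruct the same stream. The segments and the "first"/"last" policy names are constructed for illustration.

```python
# Added example (not from the slides): a small model of TCP segment
# reassembly showing how an IDS and an end host that resolve overlapping
# segments differently end up seeing different byte streams.

def reassemble(segments, policy):
    """Rebuild a byte stream from (offset, payload) segments.
    "first": bytes already received are kept (favour old data).
    "last":  a later segment overwrites earlier bytes (favour new data).
    Reassembly stops at the first missing byte, as a real stack would wait.
    """
    stream = {}
    for offset, payload in segments:
        for i, byte in enumerate(payload):
            pos = offset + i
            if policy == "first" and pos in stream:
                continue
            stream[pos] = byte
    out = bytearray()
    pos = 0
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)

# Constructed sample traffic: a harmless-looking request followed by a
# segment that overlaps the bytes after "/cgi-bin/".
SEGMENTS = [
    (0, b"GET /cgi-bin/"),
    (13, b"index.html HTTP/1.0\r\n"),   # arrives before the overlap
    (13, b"phf?"),                       # overlaps offsets 13..16
]

SIGNATURE = b"GET /cgi-bin/phf?"         # the string the slides mention

def signature_seen(stream):
    return SIGNATURE in stream

def classify(segments, ids_policy, host_policy):
    """Compare what the IDS and the protected host reconstruct.
    "evasion":   the host sees the signature but the IDS does not.
    "insertion": the IDS sees the signature but the host does not.
    """
    ids_hit = signature_seen(reassemble(segments, ids_policy))
    host_hit = signature_seen(reassemble(segments, host_policy))
    if ids_hit == host_hit:
        return "consistent"
    return "evasion" if host_hit else "insertion"
```

Running `classify(SEGMENTS, "first", "last")` returns "evasion" and swapping the policies returns "insertion"; only when both sides apply the same policy is the verdict "consistent".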
DoS – Destroy Resources
• Fail-open (remember)
• Bugs in software… can cause crash
• But usually… resource exhaustion
– Memory (Queue of connection states)
– CPU computation time can be slowed to infinity
– Disk space (d-box) can run out
Real World Example
• BPF (Berkeley packet filter)
• Packets are stored in a kernel buffer; when it is full, packets are dropped
• Force the CPU to do useless work: find out what takes up CPU time and do it over and over again
• IP fragmentation uses up many resources
More examples!!
• Attacker finds operations that require a lot of memory and targets them until no memory is left
• Solution: Garbage collection
– Problems: may stop legitimate connections and may not keep up with collection
• Use the IDS to deny service to others (spoof addresses, frame others)
• Force the IDS to block DNS servers??
The Evaluations
• 4 most popular NIDS in 1998
• Attack examples
– .phf cgi script insertion attack
– IP frag attack
– Bad checksums, no acks, data in syn packet
– etc…
The Results
• None handled IP frag correctly
• ? = Couldn’t test
• + = saw attack
• - = blind to attack
• Tests reveal serious flaws that any “savvy” attacker could exploit
The NIDSs
• “ISS RealSecure”
– Doesn’t even try to reassemble packets properly (doesn’t look at sequence number)
• “WheelGroup NetRanger”
– Super expensive… doesn’t check SYN packet for data. Doesn’t seem to validate checksums
• AbirNet SessionWall-3
– Failed on SYN info, and could get its order thrown off
• Network Flight Recorder
– Checksums, data without ACK, extra SYNs
Implications for the future
• In particular, IDS need to reconstruct frags right
• Basic attacks should not be reacted to, or they could be used to deny service to users
• IDS testing needs to be implemented
• Availability of source code could help
Final questions
• How have things changed since then?
• Why do they always refer to attackers as feminine? “she…”