Insertion,_Evasion_and_Denial_of_Service

Insertion,EvasionandDenialofService:EludingNetworkIntrusionDetection------------------------------------------------AaronBeachSpring2004Abstract:Sinceitiscriticaltotheoverallsecurityofanetworkanditspossibleusageinforensicanalysis,itisreasonabletoassumethatIDS’sarethemselveslogicaltargetsforattackordeception.CommonIntrusionDetectionFramework•E-boxes–eventgenerators–Providesinformationaboutevents•A-boxes–analysisengines–Analyzeandextractreleventinfo•D-boxes–storagemechanisms–StoresinfofromEandAboxes•C-boxes–countermeasures–Morethanjustalarm,preventingfurtherattacksNetworkIDandPassiveAnalysis•Host-basedID–Goodatdiscerningattacksthatinvolveoneuser,oronesystem–Badageneralnetwork(low-level)intrusion•NetworkbasedID–Goodatraw-network(low-level)detection–BadatdiscerningwhatexactlyishappeningononecomputerSignatureAnalysis•SomeattackscarrythesameIPfragmentsignature.•Looksforaspecificsequenceofdata/packets/string…etc…•Thissequenceordatapatternisthesignature.ThisisthemethodthatmostmodernIDSuse.NeedforReliability•Flawedsystemscancreateadangerousfalsesenseofsecurity•IfthepresenceofanIDSisknownitisalogicaltargetforattack•Ifasystemisinaccurate..Oritsunreliabilityisknown..theweaknesscanbeusedagainstthenetworkVulnerabilityPoints•Eachcomponentcanfail…andcouldmakethesystemfail–E,A,D,orCboxescanfail…whyandhow?•E–WithouttheeyesIDSwouldbeblind•A–Withanalysisthereisnodetection•D–WtihoutDthereisnorecord•C–WithoutCattacksmaycontinueProblemswithNIDS•Thereisnotenoughinformationonwiretomakegoodjudgmentsaboutwhatisgoingon•SinceallpacketsmustpassthisIDSitisinherentlyvulnerabletoDoSattacksNotenoughinfo?•TimedifferencebetweenIDSandenduser•Somesystemsmayormaynotacceptcertainpackets•TheIDSdoesn’tknowtheinternalstateofthememoryandfunctionalityoftheendusers..Thiscaneffecthowthepacketsarehandled•AlltogetherIDSmaynotknowwhatisgoingoninthesystemVulnerabletoDoS•IDSis“fail-open”meaningtrafficcontinueswhenIDSfails(becausetheyarepassive)•EvenuseIDScountermeasurestodenyserviceATTACKS!!!•3attacktypes–Insertion–Evasion–ResourceStarvationINSERTION•InsertinginformationintotheIDSthatdoesnotexistelsewhere(suchaspacketsthattheenduserstreatdifferentlyorignore)•IPfragmentsandTCPsegmentsifarrivedoutoforderandvaryinginsizewillresultinoverlappingofolddata.ItisimperativetheIDSresolvesthisissueconsistentwiththehostsitisprotecting.•IfIDSlooksfor“GET/cgi-bin/phf?”maybeattack…butmaybeitdoesn’tseewhatenduserseesExampleofdifferentoverlapEVASION•GettingIDStonotseeDatathatthenetworkmaysee•Evadingthedetection•GetIDStorejectcertainpackets…thatthesystemswillaccept!!•Kindofoppositeofinsertion,butsameidea-discrepencybetweenIDSandinnernetworkRealWorldExamples•TCPrequiresfragmentstobereassembled•So,attackercanmaketheIDSandenduserassembledifferentpackets…howcantheydothis?Examples•IPTTLdoesn’treachenduser•Packettoolargeforenduser•Destinationconfigureddifferent•DifferenttimeoutsdependingonOS•Overlap..Likewesaw•Enduserrejectscertainoptions•PAWS…dropoldtimestamps•Dealswithsequence#’sdifferentDoS–DestroyResources•Fail-open(remember)•Bugsinsoftware…cancausecrash•Butusually…resourceexhaustion–Memory(Queueofconnectionstates)–CPUcomputationtimecanbeslowedtoinfinity–Diskspace(d-box)canrunoutRealWorldExample•BPF(Berkleypacketfilter)•Storedinkernelbuffer,whenfullpacketsaredropped•ForceCPUtodouselesswork,findoutwhattakesupCPUtimeanddoitoverandoveragain•IPfragmentationusesupmuchresourcesMoreexamples!!•Attackerfindsoperationsthatrequirealotofmemoryandtargetsthemuntilnomorememory•Solution:Garbagecollection–Problems:Maystoplegitimateconnectionsandmaynotkeepupwithcollection•UseIDStodenyothersofservice(spoofaddresses,frameothers)•ForceIDStoblockDNSservers??TheEvaluations•4mostpopularNIDSin1998•Attackexamples–.phfcgiscriptinsertionattack–IPfragattack–Badchecksums,noacks,datainsynpacket–etc…TheResults•NonehandledIPfragcorrectly•?=Couldn’ttest•+=sawattack•-=blindtoattack•Testsrevealseriousflawsthatany“savvy”attackercouldexploitTheNIDSs•“ISSRealSecure”–Doesn’teventrytoreassemblepacketsproperly(doesn’tlookatsequencenumber)•“WheelGroupNetRanger”–Superexpensive…doesn’tchecksynpacketfordata.Doesn’tseemtovalidatechecksums•AbirNetSessionWall-3–Failedonsyninfo,andcouldgetorderthrownoff•NetworkFlightRecorder–Checksums,datawithoutack,extrasynsImplicationforfuture•InparticularIDSneedtoreconstructfragsright•Basicattacksshouldnotbereactedtoortheycouldbeusedtodenyservicetousers•IDStestingneedstobeimplemented•AvailabilityofsourcecodecouldhelpFinalquestions•Howhavethingschangedsincethen?•Whydotheyalwaysrefertoattackersasfeminine?“she…”