19.3 Hacking Through IDSs

In order to help you plan your security strategy, this section shows how hackers commonly exploit vulnerabilities in IDSs.

19.3.1 Fragmentation

Fragmentation or packet splitting is the most common attack against network IDSs, and it used to stump all commercial NIDSs designed several years ago. By splitting packets into smaller pieces, hackers can often fool the IDS. A stateful IDS reassembles fragmented packets for analysis, but as throughput increases , this process consumes more resources and becomes less accurate. There is a seemingly infinite number of fragmentation tricks that one can employ , leading either to evasion or to overloading the NIDS's anti-evasion capabilities.

19.3.2 Spoofing

In addition to fragmenting data, it is also possible to spoof the TCP sequence number that the network IDS sees. For example, if a post-connection SYN packet with a forged sequence number is sent, the IDS becomes desynchronized from the host because the host drops the unexpected and inappropriate SYN, whereas the IDS resets itself to the new sequence number. Thus, the IDS ignores the true data stream, since it is waiting for a new sequence number that does not exist. Sending an RST packet with a forged address that corresponds to the forged SYN can close this new connection to the IDS.

Overall, network IDSs do not know how the target host will interpret the incoming traffic. Thus, malicious network communication may be designed to be seen differently by the IDS than by the target host. Only the real target's awareness will allow most of the NIDS's problems to be solved .

19.3.3 Protocol Mutation

Whisker by RFP (available from http://www.wiretrip.net) is a software tool designed to hack web servers by sneaking carefully deformed HTTP requests past the IDS. For example, a typical CGI-bin request has the following standard HTTP format:

 GET /cgi-bin/script.cgi HTTP/1.0 

Obfuscated HTTP requests can often fool IDSs that parse web traffic. For example, if an IDS scans for the classic phf exploit:

 /cgi-bin/phf 

we can often fool it by adding extra data to our request. We could issue this request:

 GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0 

In this case, we request a subdirectory and then use /../ to move to the parent directory and execute the target script. This way of sneaking in the back door is referred to as directory traversal , and it is one of the most well-known exploits of all time.

Whisker automates a variety of such anti-IDS attacks. As a result, Whisker is known as an anti-IDS (AIDS) tool. Whisker has split into two projects, whisker (the scanner) and libwhisker (the Perl module used by whisker).

Modern IDSs (such as Snort) attempt to normalize traffic before analysis through the use of various preprocessors. The normalization techniques seek to make the traffic look more uniform ”for example, by removing ambiguities in packet headers and payloads and by presenting a simple flow to match with intrusion patterns. However, the number of possible mutations is a few bits short of infinite. Thus, the arms race continues.

19.3.4 Attacking Integrity Checkers

As outlined earlier, the typical integrity checker host IDS computes the checksum and collects information about files ("initialize mode"). Then, the program periodically checks for changes (using the "check mode"). In addition, the system administrator can update the file signature after reconfiguring the system ("update mode"). Depending on the implementation of the host IDS, each of those modes can be attacked .

An attacker can modify the host IDS software itself, can send the wrong information to a host IDS central console, or can compromise the system between scheduled integrity checks. Also, some kernel-based attack programs will be missed by such an IDS because they will "correct" the system itself, making it effectively "lie" to the IDS. For detailed analysis of host IDS attacks, refer to the paper "Ups and Downs of UNIX/Linux Host-Based Security Solutions" (listed in Section 19.7).