19.3 Hacking Through IDSs
In order to help you plan your security strategy, this section shows how hackers commonly exploit vulnerabilities in IDSs.
is the most common attack against network IDSs, and it used to stump all commercial NIDSs designed several
In addition to fragmenting data, it is also possible to spoof the TCP sequence number that the network IDS sees. For example, if a post-connection SYN packet with a forged sequence number is sent, the IDS becomes desynchronized from the host because the host
Overall, network IDSs do not know how the target host will interpret the incoming traffic. Thus, malicious network communication may be designed to be seen differently by the IDS than by the target host. Only the real target's awareness will allow most of the NIDS's problems to be
19.3.3 Protocol Mutation
by RFP (available from http://www.wiretrip.net) is a software tool designed to hack web servers by sneaking
GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse web traffic. For example, if an IDS
we can often fool it by adding extra data to our request. We could issue this request:
GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0
In this case, we request a subdirectory and then use /../ to move to the parent directory and execute the target script. This way of sneaking in the back door is referred to as directory traversal, and it is one of the most well-known exploits of all time.
Whisker automates a variety of such anti-IDS attacks. As a result, Whisker is known as an anti-IDS (AIDS) tool. Whisker has split into two projects, whisker (the scanner) and libwhisker (the Perl module used by whisker).
Modern IDSs (such as Snort) attempt to normalize traffic before analysis through the use of various preprocessors. The normalization techniques seek to make the traffic look more uniform: for example, by removing
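As an added illustration of that normalization step (example code written for this page, not taken from the book, Snort, or Whisker), the following Python canonicalizes the request URI before signature matching, so the /../ and encoding variations of the request shown above are compared against the same literal as the plain request. The request lines and the signature string are constructed samples.

```python
from urllib.parse import unquote

# Constructed sample request lines: the plain request, the /../ form
# from the text, and a few other mutations of the same path.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/script.cgi HTTP/1.0",
    "GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0",
    "GET /cgi-bin/./script.cgi HTTP/1.0",
    "GET /cgi-bin/%73cript.cgi HTTP/1.0",   # %73 is a percent-encoded 's'
    "GET /cgi-bin//script.cgi HTTP/1.0",
    "GET /cgi-bin/other.cgi HTTP/1.0",      # a different script: must not match
]

SIGNATURE = "/cgi-bin/script.cgi"   # constructed signature for the example

def request_path(request_line):
    """Return the request-URI from an HTTP request line, or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    return parts[1]

def normalize_path(path):
    """Canonicalize a URI path the way a web-traffic preprocessor would:
    decode percent-escapes (repeated, to undo double encoding), drop '.'
    segments, resolve '..' against the previous segment without ever
    climbing above the root, and squeeze repeated slashes."""
    decoded = path
    for _ in range(3):              # bounded: %2573 -> %73 -> 's', then stable
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):        # '//' and './' contribute nothing
            continue
        if seg == "..":
            if segments:
                segments.pop()      # up one level, but never above root
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def naive_match(request_line):
    """Literal substring match on the raw line: what the mutations defeat."""
    return SIGNATURE in request_line

def normalized_match(request_line):
    """Match after canonicalizing the path, as a normalizing IDS would."""
    path = request_path(request_line)
    return path is not None and normalize_path(path) == SIGNATURE

def compare(requests):
    """Return (naive_hits, normalized_hits) over a list of request lines."""
    return ([r for r in requests if naive_match(r)],
            [r for r in requests if normalized_match(r)])
```

Running compare(SAMPLE_REQUESTS) shows the literal matcher catching only the plain request while the normalized matcher catches all five variants and still ignores other.cgi.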
19.3.4 Attacking Integrity Checkers
As outlined earlier, the typical integrity checker host IDS computes the checksum and collects information about files ("initialize mode"). Then, the program periodically checks for changes (using the "check mode"). In addition, the system administrator can update the file signature after reconfiguring the system ("update mode"). Depending on the implementation of the host IDS, each of those modes can be
An attacker can modify the host IDS software itself, can send the wrong information to a host IDS central console, or can compromise the system between scheduled integrity checks. Also, some kernel-based attack programs will be missed by such an IDS because they will "correct" the system itself, making it effectively "lie" to the IDS. For detailed analysis of host IDS attacks, refer to the paper "Ups and Downs of UNIX/Linux Host-Based Security Solutions" (listed in Section 19.7).