Hacking Through IDSs
In order to help you plan your security strategy, this section will show you how hackers exploit vulnerabilities in IDSs.
Fragmentation, or packet splitting, is the most common attack against IDSs. By splitting packets into smaller pieces, hackers can often fool the IDS. A
In addition to fragmenting data, it is also possible to spoof the TCP sequence number that the IDS sees. For example, by sending a post-connection SYN packet with a forged sequence number, the IDS will be desynchronized from the host. That is because the host will drop the unexpected and inappropriate SYN, whereas the IDS might reset itself to the new sequence number. Thus, the IDS will ignore the true data stream, because it is waiting for a new sequence number that does not exist. Sending a RST packet with a forged address that corresponds to the forged SYN can also close this new connection to the IDS.
Whisker (available from http://www.wiretrip.net) is a software tool designed to hack Web servers by sneaking
GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse Web traffic. For example, if an IDS
/cgi-bin/phf then you can often fool it by adding extra data to your request. For example, you can issue this request:
GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0
In this case, you request a subdirectory, and then use the /../ to move back up to the parent directory and execute the target script. This sneaking in the back door is referred to as directory traversal, and is one of the most well-known exploits of all time.
Whisker automates a variety of such anti-IDS attacks. Because of this, Whisker is known as an Anti-IDS (AIDS). Whisker has since split into two projects, whisker (the scanner) and libwhisker (the Perl module used by whisker), and both have been updated regularly.
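The countermeasure on the IDS side to the obfuscated requests above is to canonicalize the request path the way the web server will resolve it before comparing it against signatures. The following is an added example written for this page, not code from the book or from Whisker; the signature set and sample request lines are constructed.

```python
from urllib.parse import unquote

# Constructed signature set: canonical paths the IDS should flag.
SIGNATURES = {"/cgi-bin/phf", "/cgi-bin/script.cgi"}


def canonicalize_path(raw_path):
    """Resolve a request path as the target server would, so that
    '/cgi-bin/subdirectory/../script.cgi' collapses to '/cgi-bin/script.cgi'.
    Percent-decoding is repeated until stable so layered encoding
    cannot hide a '../' segment from the signature match."""
    path = raw_path.split("?", 1)[0]          # query string is not part of the path
    prev = None
    while prev != path:                       # decode until nothing changes
        prev, path = path, unquote(path)
    path = path.replace("\\", "/")            # treat backslash as a separator
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                          # '//' and '/./' do not move
        if seg == "..":
            if segments:
                segments.pop()                # climb back to the parent
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def parse_request_line(line):
    """Split 'GET /path HTTP/1.0' into (method, path, version)."""
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % line)
    return parts[0], parts[1], parts[2]


def matches_signature(request_line):
    """True if the canonical path hits a signature. A substring match on
    the raw line would miss the '/../' form the page describes."""
    _, raw_path, _ = parse_request_line(request_line)
    return canonicalize_path(raw_path) in SIGNATURES


if __name__ == "__main__":
    # Constructed sample traffic: the plain and the obfuscated request.
    for line in ("GET /cgi-bin/script.cgi HTTP/1.0",
                 "GET /cgi-bin/subdirectory/../script.cgi HTTP/1.0",
                 "GET /index.html HTTP/1.0"):
        print(matches_signature(line), line)
```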
The Future of IDSs
As shown here, the field of intrusion detection is still in its infancy. In addition, as hackers
Table 14.1. Potential Solutions to Future Difficulties in IDSs
The following sections will examine each of these growing problems, along with a potential solution.
IPsec is becoming a popular standard for securing data over a network. IPsec is a set of security standards designed by the Internet Engineering Task Force (IETF) to provide end-to-end protection of private data. Implementing this standard enables an enterprise to transport data across an untrustworthy network such as the Internet while preventing hackers from corrupting, stealing, or spoofing private communication.
By securing packets at the network layer, IPsec provides application-transparent encryption services for IP network traffic, as well as other access
To account for IPsec, future IDSs will need to be embedded throughout each level of a host's TCP/IP stack. This will enable the IDS to watch data as it is unencapsulated and
Strict Anomaly Detection
Another growing problem is that as both the speed and complexity of attacks continue to increase, IDSs are struggling to keep pace. One answer to this dilemma might be the growing use of strict anomaly detection. This means that every abnormality, no matter how minor, is
Again, such a method would require that the IDS move onto individual
How would you design an IDS that
For example, at the packet level, the host-based anomaly detector would scan packets as they are processed up the stack. You could ask the IDS to monitor any of the following:
Similarly, at the application level, you can ask the anomaly detector to scan for unusual fluctuations in the following system characteristics:
When any abnormality is
Host Versus Network-Based IDS
The increasing use of switched networks hinders IDSs that monitor the network using promiscuous-mode passive protocol analysis. It is therefore becoming more difficult to monitor multiple hosts
Geometric Display of Data
As bandwidth and attack complexity
One solution to this problem is the geometric display of data. Humans understand geometric