Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection

1
Insertion, Evasion and Denial of Service: Eluding
Network Intrusion Detection
------------------------------------------------
Aaron Beach, Spring 2004
2
Abstract
  • Since it is critical to the overall security of a
    network and its possible usage in forensic
    analysis, it is reasonable to assume that IDSs
    are themselves logical targets for attack or
    deception.

3
Common Intrusion Detection Framework
  • E-boxes: event generators
    • Provide information about events
  • A-boxes: analysis engines
    • Analyze and extract relevant info
  • D-boxes: storage mechanisms
    • Store info from E- and A-boxes
  • C-boxes: countermeasures
    • More than just an alarm: preventing further attacks

4
Network ID and Passive Analysis
  • Host-based ID
    • Good at discerning attacks that involve one user,
      or one system
    • Bad at general network (low-level) intrusion
  • Network-based ID
    • Good at raw-network (low-level) detection
    • Bad at discerning what exactly is happening on
      one computer

5
Signature Analysis
  • Some attacks carry the same IP fragment
    signature.
  • Looks for a specific sequence of
    data/packets/strings, etc.
  • This sequence or data pattern is the signature.
    This is the method that most modern IDSs use.

6
Need for Reliability
  • Flawed systems can create a dangerous false sense
    of security
  • If the presence of an IDS is known, it is a
    logical target for attack
  • If a system is inaccurate, or its unreliability
    is known, the weakness can be used against the
    network

7
Vulnerability Points
  • Each component can fail and could make the
    system fail
  • E, A, D, or C boxes can fail: why and how?
    • E: without the eyes, the IDS would be blind
    • A: without analysis, there is no detection
    • D: without D, there is no record
    • C: without C, attacks may continue

8
Problems with NIDS
  • There is not enough information on the wire to make
    good judgments about what is going on
  • Since all packets must pass this IDS, it is
    inherently vulnerable to DoS attacks

9
Not enough info?
  • Time difference between IDS and end user
  • Some systems may or may not accept certain
    packets
  • The IDS doesn't know the internal state of the
    memory and functionality of the end users; this
    can affect how the packets are handled
  • All together, the IDS may not know what is going on in
    the system

10
Vulnerable to DoS
  • IDS is fail-open, meaning traffic continues when
    the IDS fails (because they are passive)
  • Can even use IDS countermeasures to deny service

11
ATTACKS!!!
  • 3 attack types
    • Insertion
    • Evasion
    • Resource Starvation

12
INSERTION
  • Inserting information into the IDS that does not
    exist elsewhere (such as packets that the end
    users treat differently or ignore)
  • IP fragments and TCP segments that arrive out of
    order and varying in size will result in
    overlapping of old data. It is imperative that the IDS
    resolves this issue consistently with the hosts it
    is protecting.
  • If the IDS looks for "GET /cgi-bin/phf?" it may be an
    attack, but maybe it doesn't see what the end user
    sees

13
Example of different overlap
14
EVASION
  • Getting the IDS to not see data that the network may
    see
  • Evading the detection
  • Get the IDS to reject certain packets that the
    systems will accept!!
  • Kind of the opposite of insertion, but same idea ->
    discrepancy between IDS and inner network

15
Real World Examples
  • TCP requires fragments to be reassembled
  • So, an attacker can make the IDS and end user
    assemble different packets: how can they do this?

16
Examples
  • IP TTL doesn't reach end user
  • Packet too large for end user
  • Destination configured differently
  • Different timeouts depending on OS
  • Overlap, like we saw
  • End user rejects certain options
  • PAWS drops old timestamps
  • Handles sequence numbers differently

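The overlap problem from slides 12, 13 and 16 (and the TTL and packet-size cases from slide 16) can be made concrete with a small fragment reassembler that emulates the host it protects. This is an added example, not code from the slides or from the Ptacek and Newsham paper; the `HostProfile` fields (`hops_from_sensor`, `mtu`, `favor`) and the two overlap policies `"first"` and `"last"` are assumptions chosen for illustration. The constructed fragments show a sensor that reassembles naively reconstructing a different byte stream than the end host, and the same sensor agreeing with the host once it discards fragments the host would never receive and applies the host's overlap policy.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this piece within the original datagram
    data: bytes
    ttl: int       # IP time-to-live as seen at the sensor


@dataclass(frozen=True)
class HostProfile:
    """What the sensor knows about the protected host (assumed fields)."""
    hops_from_sensor: int   # routers between the sensor and the host
    mtu: int                # largest fragment the host will accept
    favor: str              # overlap policy: "first" or "last" writer wins


def host_accepts(frag, profile):
    """Fragments that expire in transit or exceed the host's MTU never reach
    the host; a sensor that still counts them is being inserted upon."""
    if frag.ttl <= profile.hops_from_sensor:
        return False
    if len(frag.data) > profile.mtu:
        return False
    return True


def reassemble(fragments, favor="first", profile=None):
    """Rebuild the datagram byte by byte. With favor="first" the bytes already
    placed win on overlap; with favor="last" later fragments overwrite them.
    If a profile is given, fragments the host would never see are discarded."""
    buf = {}
    for frag in fragments:
        if profile is not None and not host_accepts(frag, profile):
            continue
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if favor == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    # A hole (missing fragment) shows up as NUL bytes rather than hiding.
    return bytes(buf.get(i, 0) for i in range(max(buf) + 1))


SIGNATURE = b"GET /cgi-bin/phf?"   # the signature string from slide 12


def sensor_verdict(fragments, favor="first", profile=None):
    """Return (payload the sensor reconstructed, whether the signature fired)."""
    payload = reassemble(fragments, favor=favor, profile=profile)
    return payload, SIGNATURE in payload


# Constructed test traffic: the second fragment overlaps the third, but its TTL
# expires before reaching a host two hops away, so the host only sees "phf?".
HOST = HostProfile(hops_from_sensor=2, mtu=1500, favor="first")
TTL_CASE = (
    Fragment(0, b"GET /cgi-bin/", ttl=64),
    Fragment(13, b"xyz?", ttl=1),
    Fragment(13, b"phf?", ttl=64),
)
# Constructed overlap-only case: every fragment reaches the host, so the result
# depends purely on whose overlap policy the sensor emulates.
OVERLAP_CASE = (
    Fragment(0, b"GET /cgi-bin/", ttl=64),
    Fragment(13, b"phf?", ttl=64),
    Fragment(13, b"xyz?", ttl=64),
)

if __name__ == "__main__":
    print("naive sensor, TTL case      :", sensor_verdict(TTL_CASE))
    print("host-aware sensor, TTL case :", sensor_verdict(TTL_CASE, HOST.favor, HOST))
    print("favor-first, overlap case   :", sensor_verdict(OVERLAP_CASE, "first"))
    print("favor-last, overlap case    :", sensor_verdict(OVERLAP_CASE, "last"))
```

The point for a sensor author is in the last two lines of the test traffic: there is no single correct overlap policy, only the policy of the host in question, so an IDS has to reassemble per destination (or normalize fragments before they reach the host) rather than pick one policy for the whole network.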
17
DoS Destroy Resources
  • Fail-open (remember)
  • Bugs in software can cause a crash
  • But usually resource exhaustion
    • Memory (queue of connection states)
    • CPU: computation time can be slowed to infinity
    • Disk space (D-box) can run out

18
Real World Example
  • BPF (Berkeley Packet Filter)
    • Stored in a kernel buffer; when full, packets are
      dropped
  • Force the CPU to do useless work: find out what takes
    up CPU time and do it over and over again
  • IP fragmentation uses up many resources

19
More examples!!
  • Attacker finds operations that require a lot of
    memory and targets them until there is no more memory
  • Solution: garbage collection
  • Problems: may stop legitimate connections and may
    not keep up with collection
  • Use the IDS to deny others service (spoof
    addresses, frame others)
  • Force the IDS to block DNS servers??

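Slides 17 and 19 describe the memory side of resource starvation: a queue of connection states that grows until the sensor runs out, and garbage collection as the fix with its own cost. The following added example (not from the slides or the paper) is a bounded connection-state table with a per-source quota and an idle-based collector; the capacity, quota, idle limit, the decision labels and the RFC 5737 addresses in the scenario are all constructed for illustration. It shows both halves of the slide: the cap keeps memory finite, and the collector's fallback step can evict a half-open connection that was perfectly legitimate.

```python
from collections import OrderedDict


class StateTable:
    """Connection-state table with a hard capacity, a per-source quota and an
    idle-based garbage collector (assumed design). Entries here stand in for
    the per-connection reassembly buffers a real sensor would keep."""

    def __init__(self, capacity, per_source_limit, idle_limit):
        self.capacity = capacity
        self.per_source_limit = per_source_limit
        self.idle_limit = idle_limit
        self.table = OrderedDict()   # insertion order doubles as age order
        self.evictions = []          # keys removed by the collector
        self.refusals = 0            # new connections not tracked at all

    def per_source(self, src):
        return sum(1 for key in self.table if key[0] == src)

    def open(self, src, dst, sport, dport, now):
        """Record a new (half-open) connection; return the decision taken."""
        key = (src, dst, sport, dport)
        if key in self.table:
            self.table[key]["last_seen"] = now
            return "tracked"
        # One source cannot fill the whole table by itself.
        if self.per_source(src) >= self.per_source_limit:
            self.refusals += 1
            return "refused_quota"
        if len(self.table) >= self.capacity:
            self.collect(now)
        if len(self.table) >= self.capacity:
            self.refusals += 1
            return "refused_full"
        self.table[key] = {"established": False, "last_seen": now}
        return "tracked"

    def establish(self, src, dst, sport, dport, now):
        """Mark a tracked connection as fully established."""
        entry = self.table.get((src, dst, sport, dport))
        if entry is None:
            return False
        entry["established"] = True
        entry["last_seen"] = now
        return True

    def collect(self, now):
        """Garbage collection: drop half-open entries idle past the limit. If
        that frees nothing, drop the oldest half-open entry regardless; that
        fallback is where a legitimate connection can be lost."""
        stale = [key for key, entry in self.table.items()
                 if not entry["established"]
                 and now - entry["last_seen"] >= self.idle_limit]
        if not stale:
            stale = [key for key, entry in self.table.items()
                     if not entry["established"]][:1]
        for key in stale:
            del self.table[key]
            self.evictions.append(key)
        return stale


def run_scenario():
    """Constructed scenario: one noisy source, one legitimate established
    connection, then a newcomer that forces collection on a full table."""
    t = StateTable(capacity=3, per_source_limit=2, idle_limit=10)
    decisions = [
        t.open("198.51.100.9", "192.0.2.1", 40000, 80, now=0),
        t.open("198.51.100.9", "192.0.2.1", 40001, 80, now=0),
        t.open("198.51.100.9", "192.0.2.1", 40002, 80, now=0),   # over quota
        t.open("198.51.100.5", "192.0.2.1", 50000, 80, now=1),
    ]
    t.establish("198.51.100.5", "192.0.2.1", 50000, 80, now=2)
    decisions.append(t.open("198.51.100.7", "192.0.2.1", 51000, 80, now=5))
    return decisions, t.evictions, len(t.table)


if __name__ == "__main__":
    for line in run_scenario():
        print(line)
```

In the scenario the newcomer at `now=5` finds the table full, no entry has been idle for the 10-second limit, so the collector falls back to evicting the oldest half-open entry. Here that entry belongs to the noisy source, but the collector has no way to know that; had the legitimate connection still been in its handshake, it would have been evicted the same way. That is the "may stop legitimate connections" problem from slide 19, and the reason the per-source quota exists alongside the collector.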
20
The Evaluations
  • 4 most popular NIDS in 1998
  • Attack examples
    • .phf CGI script insertion attack
    • IP frag attack
    • Bad checksums, no ACKs, data in SYN packet
    • etc.

21
The Results
  • None handled IP frag correctly
  • ?: couldn't test
  • saw attack
  • -: blind to attack
  • Tests reveal serious flaws that any savvy
    attacker could exploit

22
The NIDSs
  • ISS RealSecure
    • Doesn't even try to reassemble packets properly
      (doesn't look at sequence number)
  • WheelGroup NetRanger
    • Super expensive; doesn't check SYN packet for
      data. Doesn't seem to validate checksums
  • AbirNet SessionWall-3
    • Failed on SYN info, and could get order thrown
      off
  • Network Flight Recorder
    • Checksums, data without ACK, extra SYNs

23
Implications for the future
  • In particular, IDSs need to reconstruct frags right
  • Basic attacks should not be reacted to, or they
    could be used to deny service to users
  • IDS testing needs to be implemented
  • Availability of source code could help

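Slide 19 ("use the IDS to deny others service", "force the IDS to block DNS servers??") and the second point on slide 23 are about the C-box: an automatic countermeasure that reacts to spoofable evidence becomes a denial-of-service tool against whoever the attacker chooses to frame. The example below is added here and is not from the slides or the paper; the three safeguards (a never-block list, a requirement that evidence come from an established TCP stream, and a budget of automatic blocks per time window), the evidence labels and the addresses are all assumptions chosen to illustrate the point. The reasoning behind the second safeguard is that a completed three-way handshake shows the source address can receive replies, whereas a single packet's source can be anything.

```python
class Countermeasure:
    """C-box decision logic (assumed design): decide whether an alert about a
    source address should trigger an automatic block or only be logged."""

    def __init__(self, never_block, max_blocks, window):
        self.never_block = set(never_block)   # infrastructure the site must keep reachable
        self.max_blocks = max_blocks          # automatic blocks allowed per window
        self.window = window                  # window length in seconds
        self.block_times = []                 # when each automatic block was issued

    def blocks_in_window(self, now):
        """Forget blocks older than the window and count what remains."""
        self.block_times = [t for t in self.block_times if now - t < self.window]
        return len(self.block_times)

    def decide(self, src, evidence, now):
        """Return "block" or "alert_only". `evidence` is "established_stream"
        (alert raised from inside a completed TCP handshake) or
        "single_packet" (raised from one packet whose source is unverified)."""
        if src in self.never_block:
            return "alert_only"        # never let an alert take down DNS, gateways, ...
        if evidence != "established_stream":
            return "alert_only"        # spoofable evidence: log it, do not act on it
        if self.blocks_in_window(now) >= self.max_blocks:
            return "alert_only"        # budget spent: a flood of alerts cannot block the world
        self.block_times.append(now)
        return "block"


def triage(countermeasure, alerts):
    """Run a list of (src, evidence, now) alerts through the C-box."""
    return [countermeasure.decide(src, evidence, now) for src, evidence, now in alerts]


# Constructed alerts: the first frames the site's own DNS server, the second
# is a lone packet with an unverifiable source, the rest are real streams.
ALERTS = [
    ("192.0.2.53", "established_stream", 0),
    ("198.51.100.7", "single_packet", 1),
    ("198.51.100.7", "established_stream", 2),
    ("198.51.100.8", "established_stream", 3),
    ("198.51.100.9", "established_stream", 4),
    ("198.51.100.9", "established_stream", 70),
]

if __name__ == "__main__":
    cbox = Countermeasure(never_block={"192.0.2.53"}, max_blocks=2, window=60)
    for alert, decision in zip(ALERTS, triage(cbox, ALERTS)):
        print(alert, "->", decision)
```

The budget is deliberately small in the scenario so the last two alerts show it working: the fifth alert is only logged because two blocks were already issued within the window, and the same source is blocked once the window has passed. In practice the block budget and the never-block list are the knobs a site tunes, and an alert that was downgraded to `alert_only` still deserves a human look.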
24
Final questions
  • How have things changed since then?
  • Why do they always refer to attackers as
    feminine ("she")?