Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Barney Wolff <barney () databus com>
Date: Fri, 20 Feb 1998 14:18 EST

Date: Fri, 20 Feb 1998 12:43:32 -0600 (CST)
From: Aleph One <aleph1 () dfw net>

The point is that an IDS may be able to detect the anomalous traffic
but not the attack hidden by such traffic which makes their signature
database quite useless.

I don't assert that an IDS cannot be fooled.  I do assert, tentatively
and without great confidence, that an IDS that alarms on *anything*
that it does not recognize as safe, will not stay silent during an
attack.  It will, of course, alarm on conditions that are not attacks, at
some rate.

What's being missed here, imho, is that the great majority of attacks
use packets/streams that lie far outside the boundaries of legitimate
use, despite perhaps being legal IP or TCP.

There are much more subtle attacks that fall within normal IP traffic.
In particular the one described by Vern in his paper, using the IP time to
live field, is very difficult to detect. The attacker may send the same
packet twice, once with a TTL long enough for the victim to see it and
another with the TTL long enough for the IDS to see it but short enough
for the victim to not see it. Now the IDS has to try to figure out which
packet it should use to recreate the stream. These types of packets can be
seen normally on the network when a retransmit takes a different route
with a different number of hops than the original packet.

Again, packets that expire within the destination organization's network
are not all that common other than by deliberate use for traceroute-like
work.  Certainly not unknown, though.  Does anybody have stats on how
often TCP packets just barely make it to the destination?  Of course,
an IDS must get fairly close to the hosts it is meant to monitor,
especially if internal attacks are part of the job description.

As with firewalls, it can be useful to think about IDS as "deny what I
don't recognize as permitted" rather than "permit what I don't recognize
as denied".

The problem is the network IDS's can't "deny" anything. They are fully
passive.

I debated whether to include the sentence "For an IDS, s/deny/alarm/g."
but decided it was being too cute.  Besides, all the action-spy flicks
I watched as a tot had alarms going off followed by the massive doors
relentlessly closing, with the hero just slipping through.  Those were
IDS's that did cause a blocking response.

Barney Wolff  <barney () databus com>
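The TTL trick discussed above, as an added worked example that is not part of the original thread: a toy model of a passive IDS reassembling a TCP stream from segments seen at its tap, the victim's view of the same segments after the chaff packet expires in transit, and the countermeasure Barney's "deny what I don't recognize" stance implies, namely discarding and alarming on any segment whose TTL at the tap is too small to reach the monitored host. The segments, hop count, HTTP request and signature string are all constructed for illustration, and the countermeasure assumes the IDS already knows how many routers sit between its tap and the host (in practice that number has to be measured, and the thread's open question is how often benign traffic trips the check).

```python
"""
Added example (not from the original thread): a toy model of the TTL
insertion attack against a passive network IDS and one countermeasure.

Model: segments are seen at the IDS tap with the TTL they carry there.
ROUTERS_PAST_TAP routers sit between the tap and the victim; each one
decrements TTL and discards a packet that reaches zero, so a segment
arrives at the victim only if ttl_at_tap > ROUTERS_PAST_TAP.  Packets,
hop count and signature below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int        # TCP sequence offset within the stream
    ttl: int        # IP TTL as observed at the IDS tap
    payload: bytes


ROUTERS_PAST_TAP = 3                 # assumed topology between tap and victim
SIGNATURE = b"/cgi-bin/phf"          # assumed signature the IDS looks for

# Constructed capture, in arrival order at the tap.  The second segment is
# the attacker's chaff: same seq as the real data, TTL too low to survive
# the remaining hops.  The third segment looks like a plain retransmit.
SEGMENTS = [
    Segment(0, 60, b"GET /cgi-bin/"),
    Segment(13, 2, b"index.html H"),      # expires before the victim
    Segment(13, 60, b"phf?Qalias=x"),     # the bytes the victim actually gets
    Segment(25, 60, b" HTTP/1.0\r\n\r\n"),
]


def reaches_victim(seg: Segment, routers_past_tap: int) -> bool:
    """A segment survives h routers only if it has more than h TTL left."""
    return seg.ttl > routers_past_tap


def reassemble(segments, min_ttl: int = 0) -> dict:
    """First-copy-wins reassembly, the ordinary way of handling retransmits.

    Segments with TTL below min_ttl cannot reach the monitored host; they
    are discarded and reported.  A second copy of a sequence number whose
    bytes differ from the first copy is reported as a conflict.
    """
    accepted = {}
    ttl_dropped, conflicts = [], []
    for seg in segments:
        if seg.ttl < min_ttl:
            ttl_dropped.append(seg)
            continue
        prev = accepted.get(seg.seq)
        if prev is None:
            accepted[seg.seq] = seg.payload
        elif prev != seg.payload:
            conflicts.append(seg)
    stream = b"".join(accepted[s] for s in sorted(accepted))
    return {"stream": stream, "ttl_dropped": ttl_dropped, "conflicts": conflicts}


def victim_view(segments, routers_past_tap: int) -> bytes:
    """What the end host reassembles: only the segments that survive the hops."""
    survivors = [s for s in segments if reaches_victim(s, routers_past_tap)]
    return reassemble(survivors)["stream"]


def naive_ids(segments) -> dict:
    """IDS that trusts every packet it sees at the tap."""
    return reassemble(segments)


def ttl_aware_ids(segments, routers_past_tap: int) -> dict:
    """IDS that knows the hop count and rejects anything that cannot arrive."""
    return reassemble(segments, min_ttl=routers_past_tap + 1)


if __name__ == "__main__":
    victim = victim_view(SEGMENTS, ROUTERS_PAST_TAP)
    naive = naive_ids(SEGMENTS)
    aware = ttl_aware_ids(SEGMENTS, ROUTERS_PAST_TAP)
    print("victim sees :", victim)
    print("naive IDS   :", naive["stream"], "| hit:", SIGNATURE in naive["stream"])
    print("TTL-aware   :", aware["stream"], "| hit:", SIGNATURE in aware["stream"])
    print("alarms      :", len(aware["ttl_dropped"]), "short-TTL segment(s) discarded")
```

With the constructed capture the naive IDS reassembles the benign request and never matches the signature, while the victim receives the attack string. The hop-aware IDS reassembles exactly what the victim sees and, in the spirit of alarming on anything it does not recognize as safe, it also raises the discarded short-TTL segment as an event rather than silently ignoring it; whether that produces a tolerable false-alarm rate depends on how often legitimate packets barely make it to the destination, which is the statistic the reply above asks for.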


