Re: Firewall-fooling techniques

[Richard Bejtlich <taosecurity () gmail com>]

On Sun, 13 Feb 2005 00:00:31 +0100, Göran Sandahl <goran () gsandahl net> wrote:
> Or, can someone please in short terms
> describe what kind of traffic IDSs have problem detecting today.  And how
> will the bad guys do it tomorrow?

Hello,

Chapter 18 of my book addresses this subject. [0]  The problem is
broader than running traffic through Fragrouter, and depends on the
attacker's goal. Some techniques are designed to fool an analyst, not
the IDS.  Here is a summary:

- Promote anonymity
 -- Attack from a stepping-stone
 -- Attack using a spoofed source address
 -- Attack from a netblock not owned by the intruder (advertise BGP routes)
 -- Attack from a trusted host
 -- Attack from a familiar netblock
 -- Attack the client, not the server
 -- Use public intermediaries
- Evade detection
 -- Time attacks properly
 -- Distribute attacks through Internet space
 -- Employ encryption
 -- Appear normal
- Degrade or deny collection
 -- Employ decoys
 -- Consider volume attacks
 -- Attack the sensor
 -- Separate analysts from their consoles

Sincerely,

Richard
http://www.taosecurity.com

[0] The Tao of Network Security Monitoring: Beyond Intrusion
Detection, http://www.taosecurity.com/books.html

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------