IDS mailing list archives
Re: Firewall-fooling techniques
From: Richard Bejtlich <taosecurity () gmail com>
Date: Thu, 17 Feb 2005 05:55:58 -0500
On Sun, 13 Feb 2005 00:00:31 +0100, Göran Sandahl <goran () gsandahl net> wrote:
Or, can someone please in short terms describe what kind of traffic IDSs have problem detecting today. And how will the bad guys do it tomorrow?
Hello, Chapter 18 of my book addresses this subject. [0] The problem is broader than running traffic through Fragrouter, and depends on the attacker's goal. Some techniques are designed to fool an analyst, not the IDS. Here is a summary: - Promote anonymity -- Attack from a stepping-stone -- Attack using a spoofed source address -- Attack from a netblock not owned by the intruder (advertise BGP routes) -- Attack from a trusted host -- Attack from a familiar netblock -- Attack the client, not the server -- Use public intermediaries - Evade detection -- Time attacks properly -- Distribute attacks through Internet space -- Employ encryption -- Appear normal - Degrade or deny collection -- Employ decoys -- Consider volume attacks -- Attack the sensor -- Separate analysts from their consoles Sincerely, Richard http://www.taosecurity.com [0] The Tao of Network Security Monitoring: Beyond Intrusion Detection, http://www.taosecurity.com/books.html -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Firewall-fooling techniques Göran Sandahl (Feb 16)
- Re: Firewall-fooling techniques Richard Bejtlich (Feb 20)