IDS mailing list archives
Re: Preventing layer 3/4 evasions
From: Vern Paxson <vern () ICSI Berkeley EDU>
Date: Sat, 22 Dec 2007 23:48:22 -0800
> I'm curious about the market status quo and trends in the area of how network IDS/IPS products are dealing with layer 3/4 evasion techniques
As far as I've been able to determine, it's in fact difficult to discern just what IDS/IPS products do about evasion and how effectively. Many of them state that they're evasion-resistant, but there aren't enough particulars to understand how strong the claims might be. To this end, I'm currently working with Christian Kreibich and some colleagues on developing a framework for testing an IDS/IPS for its vulnerability to a variety of layer 3/4/7 evasions, as I think this problem remains under-addressed by vendors and underappreciated by customers. If we can work towards some community evasion benchmarks, this will help provide market pressures to strengthen products with better evasion resilience. (Some IDS tests already include evasion evaluations, but to my knowledge the tests are proprietary and so it's difficult externally to gauge the significance of the results they produce.)
> ... The Handley/Paxson/Kreibich paper from Usenix01 lists three approaches (not counting "use a host-based IDS" :-) ):
> 1. inline normalization
> 2. profiling the intranet and using target-specific algorithms
> 3. bifurcating analysis
Note, scheme #3 (as noted in the paper) is fundamentally limited. There's also a 4th approach, which is to have the end system work in conjunction with the NIDS in real-time. See for example our paper H. Dreger, C. Kreibich, V. Paxson and R. Sommer, Enhancing the Accuracy of Network-based Intrusion Detection with Host-based Context, Proc. Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA) 2005. http://www.icir.org/vern/papers/dimva05.pdf
> From what I've read, Snort is going route #2, with the Sourcefire RNA system doing the profiling.
By the way, we also have a paper on this approach: U. Shankar and V. Paxson, Active Mapping: Resisting NIDS Evasion Without Altering Traffic, Proc. IEEE Symposium on Security and Privacy, May 2003. http://www.icir.org/vern/papers/activemap-oak03.pdf One significant difficulty is the mapping information becoming out of date due to churn.
> - Does Snort's decision indicate any sort of consensus that #2 is the best approach, or would that be considered controversial?
I would certainly say (speaking from the ivory tower) that there isn't consensus for #2, and my own leaning is towards #1.

Vern
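As an added illustration of the layer-4 ambiguity behind this thread (this is example code, not from the thread or from any of the papers cited), the snippet below reassembles constructed overlapping TCP segments under two receiver policies, shows how bifurcating analysis (approach #3) must track every interpretation, and how an inline normalizer (approach #1) rewrites the overlap so only one interpretation survives. The "first data wins" normalizer policy and the `Segment` model are assumptions for the example; real stacks and normalizers differ in detail.

```python
"""Constructed example: overlapping TCP segments, bifurcating analysis vs. normalization."""
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int      # relative sequence number of the first byte
    data: bytes   # payload carried by this segment


def reassemble(segments, favor_new):
    """Rebuild the byte stream from (possibly overlapping) segments.

    favor_new=True : later data overwrites earlier data (one receiver policy)
    favor_new=False: first-received data wins (another receiver policy)
    Coverage is assumed contiguous; gap handling is out of scope here.
    """
    buf = {}
    for s in segments:
        for i, b in enumerate(s.data):
            off = s.seq + i
            if favor_new or off not in buf:
                buf[off] = b
    return bytes(buf[k] for k in sorted(buf))


def bifurcate(segments):
    """Approach #3: analyze every interpretation a receiver might adopt.

    Returns the set of distinct streams. Each independent ambiguity can double
    the set, which is the fundamental limit the thread refers to.
    """
    return {reassemble(segments, True), reassemble(segments, False)}


def normalize(segments):
    """Approach #1: inline normalizer (assumed 'first data wins' policy).

    Bytes in an overlap that disagree with data already forwarded are rewritten
    to the forwarded value, so receiver and NIDS see the same single stream.
    """
    seen, out = {}, []
    for s in segments:
        fixed = bytearray(seen.setdefault(s.seq + i, b) for i, b in enumerate(s.data))
        out.append(Segment(s.seq, bytes(fixed)))
    return out


# Constructed traffic: the second segment overlaps bytes 5..14 of the first.
SAMPLE = [Segment(0, b"GET /index.html"), Segment(5, b"admin.html")]
```

Running `bifurcate(SAMPLE)` yields two candidate request lines, while `bifurcate(normalize(SAMPLE))` collapses to one.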