IDS mailing list archives

Re: Foolin an IDS ?


From: Thomas Ptacek <tqbf () arbor net>
Date: Fri, 3 Dec 2004 16:17:06 -0500


Research subsequent to the papers that Paxson, Newsham, and I wrote established the term "vantage point problem" to describe the failure mode where a monitoring system gets tripped up by the differences between its own protocol logic and the logic of a real implementation of that protocol on an end system.

We've seen vantage point problems in a variety of places --- probably most notably in HTTP and in SMB.

My considered opinion is that vantage point problems are the "buffer overflow" vulnerability of the monitoring/integrity field.

I think most people would concede at this point that the best solution to buffer overflow attacks is to preclude them from existing: automatic bounds checking, least-privilege OS enforcement, and stack/heap integrity guards. Chasing the "next" buffer overflow and following the discover/wait/publish/patch cycle is probably not an effective strategy.

Similarly, the real solution for the vantage point problem is to preclude consistency problems --- by proxying, scrubbing, or moving functionality closer to the end-systems.

So I guess that I'm saying that you're right, David, and that there are lots of places to look besides TCP headers for these problems.

On Dec 1, 2004, at 4:49 PM, Maynor, David (ISS Atlanta) wrote:
Aside from looking at this the best way to learn to evade IDS/IPS is an
understanding of the protocols that they are protecting. This doesn't
mean just TCP/UDP; this also means things like MSRPC, HTTP, SSL and
such.

---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000
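The consistency problem Ptacek describes, shown in miniature as an added example that is not part of the original post: the same constructed TCP segments reassemble to different byte streams depending on which overlap policy a monitor guesses, and a scrubber removes the ambiguity instead of guessing. The segment list, the two policy names and the function names are all assumptions made for this illustration.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample: (starting sequence number, payload). The third segment
# retransmits offsets 105..109 with different content, so a monitor and an
# end host that resolve overlaps differently will see different streams.
SEGMENTS: List[Tuple[int, bytes]] = [
    (100, b"GET /index"),
    (110, b".html HTTP/1.0"),
    (105, b"about"),
]


def reassemble(segments: List[Tuple[int, bytes]], policy: str) -> bytes:
    """Reassemble a stream under one overlap policy.

    'first' keeps the byte that arrived first for each offset; 'last' lets a
    later segment overwrite it. Real stacks differ, which is exactly the gap a
    vantage point problem lives in."""
    stream: Dict[int, int] = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    return bytes(stream.get(o, 0) for o in range(lo, hi + 1))  # 0 fills holes


def find_conflicts(segments: List[Tuple[int, bytes]]) -> List[int]:
    """Return byte offsets where two segments carry different data."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for seq, data in segments:
        for i, b in enumerate(data):
            off = seq + i
            if off in seen and seen[off] != b:
                conflicts.add(off)
            seen.setdefault(off, b)
    return sorted(conflicts)


def scrub(segments: List[Tuple[int, bytes]]) -> Optional[bytes]:
    """Scrubber/normalizer: pass a stream only when every overlap agrees.

    Returns None for an ambiguous stream so nothing policy-dependent is
    forwarded; with no conflicts, every overlap policy yields the same bytes."""
    if find_conflicts(segments):
        return None
    return reassemble(segments, "first")
```

Run `reassemble(SEGMENTS, "first")` and `reassemble(SEGMENTS, "last")` side by side to see the two streams a monitor might choose between; `scrub(SEGMENTS)` refuses the stream, while `scrub(SEGMENTS[:2])` passes it unchanged.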

