Re: Firewall-fooling techniques

[Göran Sandahl <goran () gsandahl net>]

Thank you for all the replys! 

I've read some posts at SecurityFocus (I've been trying to dig for a 
reference, but I've can't seem to find it again) regarding the different 
techniques stated in the urls and whitepapers that some of you supplied. [1] 
[2] The post at securitfocus said something like "all these attacks are old, 
and aren't likely to be used anymore". All the material I've got is from 2002 
and back (all the way to 1998, and thats 7 years ago, hard to believe). So, 
are polymorphic shellcode, fragmentation and basic stringmatching weaknessses 
"up-to-date" methods of fooling IDS's? Or, can someone please in short terms 
describe what kind of traffic IDSs have problem detecting today.  And how 
will the bad guys do it tomorrow?

Thanks in advance! 

Cheers
Göran Sandahl

[1] http://www.securityfocus.com/infocus/1577
[2] http://citeseer.nj.nec.com/ptacek98insertion.html

-- 
Göran Sandahl
location:    stockholm, sweden
mail:        goran () gsandahl net
web:         http://gsandahl.net

On Tuesday 25 January 2005 02.37, Don Parker wrote:
> You may want to look into shellcode obfuscation. While it may not fool
> every IDS out there it certainly fools a great many analysts.
>
> --------------------------------------------------------------
> Don Parker, GCIA GCIH
> Intrusion Detection & Incident Handling Specialist
> Bridon Security & Training Services
> http://www.bridonsecurity.com
> voice: 1-613-302-2910
> --------------------------------------------------------------
>
> On Mon Jan 24 13:48 , Krzysztof Cabaj  sent:
> > Hi,
> >
> > > I'm looking for some basic information on "techniques" on
> > > "fooling" >firewalls
> > > and IDSs. Like using fragmented packages to fool packet-filtering
> > > firewalls
> > > etc.. Any suggestions on such techniques, and perhaps some
> > > references to
> > > online litterature.. ?
> >
> > I think this is good begining ... maybe not recent, but for
> > beginning perfect.
> >
> > T.H Ptacek, T.N. Newsham.: Insertion, Evasion, and Denial of
> > Service: Eluding Network Intrusion Detection, January 1998,
> > URL:http://citeseer.nj.nec.com/ptacek98insertion.html
> >
> > And some for application layer
> > Whisker library for fooling IDS which look at HTTP traffic.
> > http://www.ussrback.com/docs/papers/IDS/whiskerids.html
> >
> > Best regards,
> > Chris
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------

-- 
Göran Sandahl
location:    stockholm, sweden
mail:        goran () gsandahl net
web:         http://gsandahl.net

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------