IDS mailing list archives

Re: Session Hijacking


From: Dragos Ruiu <dr () kyx net>
Date: Mon, 7 Mar 2005 23:04:35 -0800

-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Saturday, March 05, 2005 11:23 PM
To: Mike Frantzen; Terry Ray
Cc: focus-ids () lists securityfocus com
Subject: Re: Session Hijacking

On March 2, 2005 11:07 pm, Mike Frantzen wrote:
Question, I am learning about session hijacking, and I was wondering
if an IPS has the capabilities to detect and prevent this type of
attack? If so how exactly would the IPS prevent a session hijacking?

It's pretty much impossible to prevent full-knowledge session hijacking
when the hijacker is on a local network with who he is hijacking.  You
pretty much have to be their switch.

It's an administrative hassle... but locking down mac addresses to switch
physical ports _is_ a good idea... and raises the bar on hijacking.

On March 7, 2005 06:18 am, Angel L Rivera wrote:
Not quite - a little arp poisoning and spoofed mac address would defeat
this control - it does make it harder but not impossible.  An IPS might
detect the arp poisoning attempt but you would need to have sensor on each
switch.


You must be thinking of something else. In a locked down configuration,
where mac->port is pre-specified, arp is not needed. You can disable ARP.

You can even extend this to host workstations, whereby ip->mac
address assignments are preassigned, e.g.:

/usr/sbin/arp -s 1.2.3.4 00:01:02:03:04:05 permanent

Older MS OSes used to let permanent entries be overwritten by
gratuitous ARPs, but I think this has been fixed in more recent releases.

Spoofed mac addresses are not possible to transmit once ACLs are
put in at the switch for mac addresses on a per-port basis
(VACLs in Cisco-speak). Disabling ARP kills CAM filling attacks.
There are some less drastic options, like "arp inspection", available
on some switches.

For workstations once fixed arp assignments are in place you can 
firewall off arp traffic with a software firewall or use other arp 
disabling techniques if permanent ARP entries aren't "permanent enough".
This has the added benefit of removing all those annoying and 
overly chatty arp broadcasts when you are looking at full packet
capture traces :-). In some networks it can even significantly reduce
network load and many other good effects - if you can suffer
the extra configuration work.

A good article on this and other L2 lockdowns from the IOS perspective is:

http://www.informit.com/articles/article.asp?p=174313&seqNum=2&rl=1

and 

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_5/conf_gd/acc_list.htm#1020673

for ACL docs...

As I said, it _is_ an administrative hassle, and adds, moves and
changes encounter a new dimension of work in this environment.
But it _will_ raise the bar quite high on MITM :-) amongst its
many benefits.

Your IDS/IPS can then stop mucking with ARP altogether :-).
(I have yet to see useful arp tracking in any IDS/IPS anyway;
it's too switch-monitor dependent, and noisy. :-)

cheers,
--dr

-- 
World Security Pros. Cutting Edge Training, Tools, and Techniques
Vancouver, Canada       May 4-6 2005  http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
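The static ip->mac approach above needs two things in practice: a table that is correct before it is pushed to hosts, and a way to notice when the live cache disagrees with it. The script below is an added example (not code from the thread or from any of its authors) that does both: it generates the `arp -s` commands from a preassigned table, rejecting malformed MACs, and it audits a cache dump in `arp -an` format against that table, reporting entries whose MAC differs from the preassigned one or hosts the table does not know. The table and the cache dump are constructed sample values; the function names are this example's own.

```shell
#!/bin/sh
# Added example: static ARP table generation and cache audit.
# All addresses below are constructed sample values.

# Preassigned ip -> mac table (constructed).
ARP_TABLE='
10.0.0.1 00:01:02:03:04:05
10.0.0.2 00:01:02:03:04:06
10.0.0.3 00:01:02:03:04:07
'

# A cache dump as "arp -an" prints it (constructed): one entry matches the
# table, one has a different MAC, one host is not in the table at all.
SAMPLE_CACHE='? (10.0.0.1) at 00:01:02:03:04:05 [ether] PERM on eth0
? (10.0.0.2) at de:ad:be:ef:00:02 [ether] on eth0
? (10.0.0.9) at 00:01:02:03:04:09 [ether] on eth0'

# Accept only six colon-separated hex octets; a seven-octet typo is rejected.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Print one "arp -s" command per table row (nothing is executed here; run the
# output as root once it has been reviewed). Any bad MAC is reported on stderr
# and makes the function return 1, so a broken table is never half-applied.
gen_static_arp() {
    table="${1:-$ARP_TABLE}"
    rc=0
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        if valid_mac "$mac"; then
            printf '/usr/sbin/arp -s %s %s permanent\n' "$ip" "$mac"
        else
            printf 'bad mac for %s: %s\n' "$ip" "$mac" >&2
            rc=1
        fi
    done <<EOF
$table
EOF
    return "$rc"
}

# Compare a cache dump against the table. Prints one line per anomaly
# (MISMATCH: MAC differs from the preassigned one; UNKNOWN: host not in the
# table) and returns the number of anomalies, so 0 means the cache is clean.
audit_arp_cache() {
    dump="$1"
    n=0
    while read -r ip mac; do
        [ -z "$ip" ] && continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        expected=$(printf '%s\n' "$ARP_TABLE" | awk -v ip="$ip" '$1 == ip { print $2 }' | tr 'A-F' 'a-f')
        if [ -z "$expected" ]; then
            printf 'UNKNOWN %s %s\n' "$ip" "$mac"
            n=$((n + 1))
        elif [ "$mac" != "$expected" ]; then
            printf 'MISMATCH %s expected %s got %s\n' "$ip" "$expected" "$mac"
            n=$((n + 1))
        fi
    done <<EOF
$(printf '%s\n' "$dump" | sed -n 's/^? (\([^)]*\)) at \([0-9a-fA-F:]*\).*/\1 \2/p')
EOF
    return "$n"
}

# Stand-alone run: show the generated commands, then audit the sample dump.
gen_static_arp
audit_arp_cache "$SAMPLE_CACHE" || echo "anomalies: $?"
```

The `sed` pattern only relies on the `? (ip) at mac` prefix, so it reads both the Linux and the BSD `arp -an` layouts; on a real host, feed it `arp -an` output instead of `SAMPLE_CACHE`, and a non-zero return is the signal worth alerting on.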
