IDS mailing list archives
Re: Session Hijacking
From: Dragos Ruiu <dr () kyx net>
Date: Mon, 7 Mar 2005 23:04:35 -0800
-----Original Message-----
From: Dragos Ruiu [mailto:dr () kyx net]
Sent: Saturday, March 05, 2005 11:23 PM
To: Mike Frantzen; Terry Ray
Cc: focus-ids () lists securityfocus com
Subject: Re: Session Hijacking

On March 2, 2005 11:07 pm, Mike Frantzen wrote:

Question, I am learning about session hijacking, and I was wondering if an IPS has the capabilities to detect and prevent this type of attack? If so how exactly would the IPS prevent a session hijacking?

It's pretty much impossible to prevent full-knowledge session hijacking when the hijacker is on a local network with who he is hijacking. You pretty much have to be their switch.

It's an administrative hassle... but locking down mac addresses to switch physical ports _is_ a good idea... and raises the bar on hijacking.
On March 7, 2005 06:18 am, Angel L Rivera wrote:
Not quite - a little arp poisoning and spoofed mac address would defeat this control - it does make it harder but not impossible. An IPS might detect the arp poisoning attempt but you would need to have sensor on each switch.
You must be thinking of something else. In a locked down configuration, where mac->port is pre-specified, arp is not needed. You can disable ARP. You can even extend this to host workstations, whereby ip->mac address assignments are preassigned, e.g.:

/usr/sbin/arp -s 1.2.3.4 00:01:02:03:04:05 permanent

Older MS OSes used to let permanent entries be overwritten by gratuitous arp's, but I think this has been fixed in more recent releases. Spoofed mac addresses are not possible to transmit once ACLs are put in at the switch for mac addresses on a per port basis. (VACLs in Cisco-speak.) Disabling ARP kills CAM filling attacks. There are some less drastic options, like "arp inspection", available on some switches.

For workstations, once fixed arp assignments are in place you can firewall off arp traffic with a software firewall or use other arp disabling techniques if permanent ARP entries aren't "permanent enough". This has the added benefit of removing all those annoying and overly chatty arp broadcasts when you are looking at full packet capture traces :-). In some networks it can even significantly reduce network load and have many other good effects - if you can suffer the extra configuration work.

A good article on this and other L2 lockdown from the IOS perspective is:
http://www.informit.com/articles/article.asp?p=174313&seqNum=2&rl=1
and
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_7_5/conf_gd/acc_list.htm#1020673
for ACL docs...

As I said, it _is_ an administrative hassle, and adds, moves, and changes encounter a new dimension of work in this environment. But it _will_ raise the bar quite high on MITM :-) amongst its many benefits. Your IDS/IPS can then stop mucking with ARP altogether :-). (I have yet to see useful arp tracking in any IDS/IPS anyway; it's too switch monitor dependent, and noisy. :-)

cheers,
--dr

--
World Security Pros.
Cutting Edge Training, Tools, and Techniques
Vancouver, Canada   May 4-6 2005   http://cansecwest.com
pgpkey http://dragos.com/ kyxpgp
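The post above argues that once ip->mac->port bindings are pre-assigned, any ARP reply that disagrees with that table is by definition a conflict, and that an IDS can track this only if it has per-switch visibility. The following is an added example (not from the list post or any product) showing what that tracking looks like in code: a constructed stream of ARP-reply records, a hypothetical site inventory of expected (mac, port) per IP, an inventory-driven checker, an inventory-free checker that flags an IP the moment a second MAC claims it, and a generator for the per-host static entries in the syntax quoted in the post. The switch port names and addresses are constructed sample values.

```python
"""Flag ARP-binding conflicts and emit static host entries.

Added example, not code from the mailing-list post. ARP_REPLIES and
INVENTORY are constructed sample data; the port names are hypothetical.
"""
from collections import defaultdict

# Constructed sample: (timestamp, switch port, sender IP, sender MAC) as an
# ARP sensor with per-port visibility might record replies. The last two
# records are a gratuitous reply claiming the gateway's IP from the wrong
# MAC and port.
ARP_REPLIES = [
    ("09:00:01", "Gi1/0/1", "10.0.0.1",  "00:01:02:03:04:05"),
    ("09:00:02", "Gi1/0/7", "10.0.0.42", "00:0a:0b:0c:0d:0e"),
    ("09:00:05", "Gi1/0/1", "10.0.0.1",  "00:01:02:03:04:05"),
    ("09:00:09", "Gi1/0/7", "10.0.0.1",  "00:0a:0b:0c:0d:0e"),
    ("09:00:10", "Gi1/0/7", "10.0.0.1",  "00:0a:0b:0c:0d:0e"),
]

# Hypothetical pre-assigned inventory: ip -> (mac, port). In the locked-down
# L2 design this table is the authority; anything else is a conflict.
INVENTORY = {
    "10.0.0.1":  ("00:01:02:03:04:05", "Gi1/0/1"),
    "10.0.0.42": ("00:0a:0b:0c:0d:0e", "Gi1/0/7"),
}


def find_conflicts(replies, inventory):
    """Return one alert string per reply that contradicts the inventory:
    unknown IP, wrong MAC for the IP, or right MAC seen on the wrong port."""
    alerts = []
    for ts, port, ip, mac in replies:
        mac = mac.lower()
        expected = inventory.get(ip)
        if expected is None:
            alerts.append(f"{ts} {port}: unknown IP {ip} claimed by {mac}")
        elif mac != expected[0]:
            alerts.append(f"{ts} {port}: {ip} claimed by {mac}, "
                          f"inventory says {expected[0]}")
        elif port != expected[1]:
            alerts.append(f"{ts} {port}: {ip}/{mac} on wrong port, "
                          f"inventory says {expected[1]}")
    return alerts


def learned_conflicts(replies):
    """Inventory-free variant: remember every MAC seen for an IP and alert
    as soon as an IP has been claimed by more than one MAC."""
    seen = defaultdict(set)
    alerts = []
    for ts, port, ip, mac in replies:
        seen[ip].add(mac.lower())
        if len(seen[ip]) > 1:
            alerts.append(f"{ts}: {ip} now bound to {sorted(seen[ip])}")
    return alerts


def static_arp_commands(inventory):
    """Emit the per-host static entries in the arp -s syntax quoted in the
    post (the 'permanent' keyword is Solaris-style; other OSes differ)."""
    return [f"/usr/sbin/arp -s {ip} {mac} permanent"
            for ip, (mac, _port) in sorted(inventory.items())]


if __name__ == "__main__":
    print("inventory-driven alerts:")
    for line in find_conflicts(ARP_REPLIES, INVENTORY):
        print("  " + line)
    print("learned-binding alerts:")
    for line in learned_conflicts(ARP_REPLIES):
        print("  " + line)
    print("static entries to push to hosts:")
    for line in static_arp_commands(INVENTORY):
        print("  " + line)
```

The inventory-driven checker is the stronger of the two: it also catches a legitimate MAC showing up on the wrong port, which the learned variant cannot see, and it never needs a "first seen wins" assumption that a poisoner can win by being early. Its cost is exactly the adds/moves/changes bookkeeping the post describes.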
Current thread:
- Session Hijacking Terry Ray (Mar 02)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- RE: Session Hijacking Angel L Rivera (Mar 07)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 09)
- RE: Session Hijacking Angel L Rivera (Mar 09)
- Re: Session Hijacking Dragos Ruiu (Mar 10)
- Re: Session Hijacking Dragos Ruiu (Mar 06)
- Re: Session Hijacking Mike Frantzen (Mar 04)
- RE: Session Hijacking Omar Herrera (Mar 07)