IDS mailing list archives

Re: Preventing layer 3/4 evasions


From: Vern Paxson <vern () ICSI Berkeley EDU>
Date: Sat, 22 Dec 2007 23:48:22 -0800

I'm curious about the market status quo and trends in the area of how 
network IDS/IPS products are dealing with layer 3/4 evasion techniques 

As far as I've been able to determine, it's in fact difficult to discern
just what IDS/IPS products do about evasion and how effectively.  Many of
them state that they're evasion-resistant, but there aren't enough particulars
to understand how strong the claims might be.  To this end, I'm currently
working with Christian Kreibich and some colleagues on developing a framework
for testing an IDS/IPS for its vulnerability to a variety of layer 3/4/7
evasions, as I think this problem remains under-addressed by vendors and
underappreciated by customers.  If we can work towards some community
evasion benchmarks, this will help provide market pressures to strengthen
products with better evasion resilience.  (Some IDS tests already include
evasion evaluations, but to my knowledge the tests are proprietary and so
it's difficult externally to gauge the significance of the results they
produce.)

... The Handley/Paxson/Kreibich paper from Usenix01 lists 
three approaches (not counting "use a host-based IDS" :-) ):
1. inline normalization
2. profiling the intranet and using target-specific algorithms
3. bifurcating analysis

Note, scheme #3 (as noted in the paper) is fundamentally limited.  There's
also a 4th approach, which is to have the end system work in conjunction
with the NIDS in real-time.  See for example our paper

        H. Dreger, C. Kreibich, V. Paxson and R. Sommer, Enhancing the
        Accuracy of Network-based Intrusion Detection with Host-based
        Context, Proc. Conference on Detection of Intrusions and Malware
        and Vulnerability Assessment (DIMVA) 2005.

        http://www.icir.org/vern/papers/dimva05.pdf

From what I've read, Snort is going route #2, with the Sourcefire RNA 
system doing the profiling.

By the way, we also have a paper on this approach:

        U. Shankar and V. Paxson, Active Mapping: Resisting NIDS Evasion
        Without Altering Traffic, Proc. IEEE Symposium on Security and
        Privacy, May 2003.

        http://www.icir.org/vern/papers/activemap-oak03.pdf

One significant difficulty is the mapping information becoming out
of date due to churn.

- Does Snort's decision indicate any sort of consensus that #2 is the 
best approach, or would that be considered controversial?

I would certainly say (speaking from the ivory tower) that there isn't
consensus for #2, and my own leaning is towards #1.

                Vern
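The thread contrasts inline normalization (#1) with profiling the endpoints (#2) but does not show the underlying ambiguity. The following is an added example, not code from Vern's message or from the papers it cites: a toy TCP reassembler with two simplified overlap policies (assumed names "first" and "last"; real stacks have more nuanced rules) and a minimal inline normalizer that rewrites inconsistent retransmissions to match the first copy it forwarded. The sample segments are constructed. Without normalization, the stream the NIDS sees depends on which policy it guesses for the receiver; after normalization, every policy yields the same bytes, and the disagreement count is the event a deployment would log.

```python
"""Constructed illustration of a TCP-segment overlap ambiguity and of the
inline-normalization answer to it (approach #1 in the thread)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # payload


def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Rebuild the byte stream a receiver would deliver to the application.

    policy="first": an already-received byte is never overwritten.
    policy="last":  a later segment overwrites earlier bytes it overlaps.
    Both are simplifications (assumed here); the point is that stacks differ,
    so a NIDS has to know or guess which one the end host applies.
    """
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first":
                stream.setdefault(off, byte)
            elif policy == "last":
                stream[off] = byte
            else:
                raise ValueError(f"unknown policy {policy!r}")
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    if len(stream) != hi - lo + 1:
        raise ValueError("stream has a hole; cannot deliver contiguous data")
    return bytes(stream[off] for off in range(lo, hi + 1))


def normalize(segments: List[Segment]) -> Tuple[List[Segment], int]:
    """Inline normalizer: rewrite any retransmitted byte so it matches the
    first copy the normalizer forwarded.

    Returns the rewritten segments and the number of segments whose overlap
    disagreed with earlier data; a deployment would log that count as an
    inconsistent-retransmission alert.  State is per offset, so memory grows
    with unacknowledged data (the cost the normalization approach pays).
    """
    seen: Dict[int, int] = {}
    out: List[Segment] = []
    inconsistent = 0
    for seg in segments:
        fixed = bytearray(seg.data)
        disagreed = False
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off in seen:
                if seen[off] != byte:
                    disagreed = True
                    fixed[i] = seen[off]
            else:
                seen[off] = byte
        inconsistent += disagreed
        out.append(Segment(seg.seq, bytes(fixed)))
    return out, inconsistent


# Constructed sample: the second segment re-sends offsets 2..4 with different bytes.
SAMPLE = [Segment(0, b"AAAAA"), Segment(2, b"BBB")]

if __name__ == "__main__":
    print(reassemble(SAMPLE, "first"))   # b'AAAAA'
    print(reassemble(SAMPLE, "last"))    # b'AABBB'
    normalized, alerts = normalize(SAMPLE)
    print(reassemble(normalized, "last"), alerts)  # b'AAAAA' 1
```

The two calls to `reassemble` on the raw segments give different application-level data, which is exactly the gap approach #2 tries to close by learning the receiver's policy; `normalize` closes it instead by making the traffic unambiguous before the NIDS and the host see it.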
