Full Disclosure mailing list archives

Re: Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sat, 29 May 2004 00:50:37 +0200 (CEST)

On Fri, 28 May 2004, Mike Frantzen wrote:

> This has been a known attack at least since Ptacek and Newsham's seminal
> paper on IDS evasions.

As far as I can see, they describe an attack where the attacker uses the IDS's
own MAC address to route frames directly to this box; this is usually
prevented (or difficult to carry out) if the listening interface is an
IP-less span port or bridge node, as is the case almost all the time
nowadays.

I describe an attack in which the IDS itself is not targeted, but quite
simply, a different MAC address belonging to an innocent bystander is used
to inject an IP frame that matches an existing connection. This should
fool a "transparent" IDS, based on the assumption that link-layer
information is stripped prior to TCP stream identification, which I expect
is the case with a good deal of IDS systems out there.

So there is a difference that makes the attack IMO a bit more of a
concern in a typical setup, which is still not to say I will lose sleep
over it.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-29 00:44 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
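Added illustration (not part of the post above, and not code from any IDS product): a constructed Python model of the two monitors the thread contrasts. A "transparent" reassembler that strips the link layer before keying the TCP stream merges a segment addressed to a bystander's MAC into the real connection, while the same reassembler with a destination-MAC consistency check flags that segment and keeps the stream in step with what the endpoint actually received. All addresses, ports and payloads are made-up sample values; frames are plain Python objects, no packets are sent or captured.

```python
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One Ethernet/IP/TCP frame reduced to the fields the checks need."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    seq: int
    payload: bytes


def stream_key(f: Frame) -> tuple:
    """Unidirectional TCP stream identifier: the IP/port 4-tuple only."""
    return (f.src_ip, f.sport, f.dst_ip, f.dport)


class NaiveReassembler:
    """Reassembles by 4-tuple and sequence number; the link layer is discarded.

    First data seen for a sequence number wins, as in a monitor that treats a
    later overlapping segment as a retransmission.
    """

    def __init__(self) -> None:
        self.streams: dict[tuple, dict[int, bytes]] = {}

    def feed(self, f: Frame) -> None:
        self.streams.setdefault(stream_key(f), {}).setdefault(f.seq, f.payload)

    def reassemble(self, key: tuple) -> bytes:
        segs = self.streams.get(key, {})
        return b"".join(segs[s] for s in sorted(segs))


class MacAwareReassembler(NaiveReassembler):
    """Same reassembly, but a frame whose destination MAC disagrees with the
    learned binding for its destination IP is flagged and kept out of the
    stream: the real endpoint's NIC would never have accepted it, so the
    monitor should not account for it either."""

    def __init__(self) -> None:
        super().__init__()
        self.ip_to_mac: dict[str, str] = {}
        self.misdirected: list[Frame] = []

    def feed(self, f: Frame) -> None:
        # Learn IP->MAC from the source side of frames already seen; first
        # binding wins. A static table or ARP monitoring is the robust choice
        # in production, since learned bindings can themselves be seeded.
        self.ip_to_mac.setdefault(f.src_ip, f.src_mac)
        expected = self.ip_to_mac.get(f.dst_ip)
        if expected is not None and expected != f.dst_mac:
            self.misdirected.append(f)
            return
        super().feed(f)


# Constructed sample hosts (not real addresses).
CLIENT_MAC, CLIENT_IP = "aa:aa:aa:aa:aa:05", "10.0.0.5"
SERVER_MAC, SERVER_IP = "bb:bb:bb:bb:bb:10", "10.0.0.10"
BYSTANDER_MAC = "dd:dd:dd:dd:dd:42"   # some other host on the same segment
OTHER_MAC = "cc:cc:cc:cc:cc:99"       # source MAC of the misdirected frame
CLIENT_TO_SERVER = (CLIENT_IP, 40000, SERVER_IP, 80)


def sample_frames() -> list[Frame]:
    """Constructed capture: a request, the reply, one misdirected segment that
    only the monitor will take seriously, then the real continuation."""
    return [
        Frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1000, b"GET / HTTP/1.0\r\n"),
        Frame(SERVER_MAC, CLIENT_MAC, SERVER_IP, CLIENT_IP, 80, 40000, 5000, b"HTTP/1.0 200 OK\r\n"),
        # Right 4-tuple and next sequence number (1000 + 16 bytes), but the
        # link-layer destination is a bystander, so the server's NIC drops it.
        Frame(OTHER_MAC, BYSTANDER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1016, b"Host: evil\r\n"),
        Frame(CLIENT_MAC, SERVER_MAC, CLIENT_IP, SERVER_IP, 40000, 80, 1016, b"Host: example\r\n"),
    ]


def run_demo() -> dict:
    """Feed the same frames to both monitors and report what each believes."""
    naive, aware = NaiveReassembler(), MacAwareReassembler()
    for f in sample_frames():
        naive.feed(f)
        aware.feed(f)
    return {
        "naive": naive.reassemble(CLIENT_TO_SERVER),
        "aware": aware.reassemble(CLIENT_TO_SERVER),
        "flagged": len(aware.misdirected),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

The naive monitor ends up believing the client sent "Host: evil", which the server never saw; the MAC-aware one reports one misdirected frame and reassembles "Host: example". Two caveats apply to the check itself: on a routed path the binding it learns for a remote IP is the gateway's MAC, which is still consistent and still useful, and the learned table is only as trustworthy as the first frame per IP, which is why a static mapping or ARP-change alerting should back it.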

