Full Disclosure mailing list archives
Re: Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sat, 29 May 2004 00:50:37 +0200 (CEST)
On Fri, 28 May 2004, Mike Frantzen wrote:
> This has been a known attack at least since Ptacek and Newsham's seminal paper on IDS evasions.

As far as I can see, they describe an attack where the attacker uses the IDS's own MAC address to route frames directly to this box; this is usually prevented (or difficult to carry out) if the listening interface is an IP-less span port or bridge node, as is the case almost all the time nowadays.

I describe an attack in which the IDS itself is not targeted, but quite simply, a different MAC address belonging to an innocent bystander is used to inject an IP frame that matches an existing connection. This should fool a "transparent" IDS, based on the assumption that link-layer information is stripped prior to TCP stream identification, which I expect is the case with a good deal of IDS systems out there.

So there is a difference that makes the attack IMO a bit more of a concern in a typical setup, which is still not to say I will lose sleep over it.

Cheers,
--
-------------------------
bash$ :(){ :|:&};:
-- Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
---------------------------
2004-05-29 00:44 -- http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
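The detection-side counterpart to the post above, as an added example that is not from the thread or from any IDS product: a flow tracker that keeps the link-layer addresses learned on a flow's first frame next to the TCP 4-tuple, so a later frame that matches the connection at the IP/TCP level but arrives under a different MAC is flagged rather than silently reassembled. The `Frame` type, MAC values and sample frames are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes = b""

def flow_key(f: Frame) -> tuple:
    # Direction-independent key so both halves of a connection share one entry.
    return tuple(sorted([(f.src_ip, f.sport), (f.dst_ip, f.dport)]))

class LinkAwareTracker:
    """Learn the IP->MAC pairing from a flow's first frame and report any later
    frame in that flow whose link-layer source or destination disagrees with it."""
    def __init__(self):
        self.bindings = {}  # flow_key -> {ip: mac}

    def check(self, f: Frame):
        key = flow_key(f)
        if key not in self.bindings:
            self.bindings[key] = {f.src_ip: f.src_mac, f.dst_ip: f.dst_mac}
            return None
        seen = self.bindings[key]
        for ip, mac in ((f.src_ip, f.src_mac), (f.dst_ip, f.dst_mac)):
            if seen.get(ip) != mac:
                return f"MAC {mac} for {ip} differs from {seen.get(ip)} learned for flow {key}"
        return None

def audit(frames):
    t = LinkAwareTracker()
    return [(i, a) for i, f in enumerate(frames) if (a := t.check(f))]

# Constructed sample: client 10.0.0.5 talks to server 10.0.0.9; the fourth frame
# carries the client's IP but a bystander's MAC (all addresses hypothetical).
CLIENT_MAC, SERVER_MAC, OTHER_MAC = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:99"
SAMPLE = [
    Frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40000, 80, b"SYN"),
    Frame(SERVER_MAC, CLIENT_MAC, "10.0.0.9", "10.0.0.5", 80, 40000, b"SYN-ACK"),
    Frame(CLIENT_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40000, 80, b"GET / HTTP/1.0"),
    Frame(OTHER_MAC, SERVER_MAC, "10.0.0.5", "10.0.0.9", 40000, 80, b"injected"),
]
if __name__ == "__main__":
    for idx, alert in audit(SAMPLE):
        print(f"frame {idx}: {alert}")
```

The binding is only as trustworthy as the first frame of the flow, and on a segment behind a router the "server" MAC is legitimately the gateway's; the check catches a change within a flow, not a wrong initial mapping.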