Security Incidents mailing list archives
Re: Statefull inspection on IDS - Stick
From: Joe Klemencic <JKlemenc () FNAL GOV>
Date: Thu, 8 Mar 2001 11:02:21 -0600
This was released on 3/7 to the FOCUS-IDS list regarding STICK:

Please respond to Cortez <coretez () 8THPORT COM>
Sent by: Focus on Intrusion Detection Systems <FOCUS-IDS () SECURITYFOCUS COM>
To: FOCUS-IDS () SECURITYFOCUS COM
cc:
Subject: Re: Statefull inspection on IDS - Stick

Over the last couple months I've been finishing up work on a tool called stick. I was planning to release a paper in the coming week and the tool in a month or two from now, when IDS vendors have had time to make modifications to handle it.

The tool uses the Snort rule set and produces a C program via lex that, when compiled, will produce an IP packet capable of triggering that rule from a spoofed IP range (or all possible IP addresses) into a target IP range. A function is produced for each rule and a loop then executes these rules in a random order. The tool currently produces these at about 250 alarms per second. A Linux based snort will hit 100% CPU and start dropping packets. The stress on recording and disk IO is another problem. ISS Real Secure dies two seconds after the attack begins. This was tested numerous times. Other IDS and even sniffers (especially with DNS lookups) had problems of their own.

I will be trying to release the code to IDS vendors over the next couple of months in order for them to make changes they see fit. The tool was initially designed to test bandwidth and stress on IDS, but it obviously can be used in a malicious manner and that is not my intent.

A draft paper can be seen at http://www.eurocompton.net/stick/ ... please ignore the spelling and grammar changes. A more technical paper and analysis will hopefully be briefed at Blackhat if DT approves it.

Coretez G.

Sent by: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
To: INCIDENTS () SECURITYFOCUS COM
cc:
Subject: Stick DOS

There has been word of a possible DOS that will be released on the 15th of this month that will have the capability of taking down stateless firewalls. The DOS is called "Stick". It is supposed to send numerous malformed packets from spoofed sources. Does anybody out on the list have any information on how to prevent this from happening, or any information whatsoever on the DOS? Any help would be greatly appreciated.
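The original question asks how to deal with a tool that fires hundreds of alarms per second from a spoofed source range. As an added example (not part of the original posts and not code from the stick tool or from Snort), the Python script below shows the detection side: it reads IDS alert output in a constructed one-line format, buckets alerts per second, flags seconds whose alert rate and distinct-source count both exceed a threshold (the spoofed-range signature of such a flood), and collapses a flooded second into one summary record so the recording and disk-IO stress mentioned above is reduced at the analysis tier. The alert-line layout, the thresholds and the sample lines are assumptions made for this example; the layout only loosely resembles Snort's one-line alert output.

```python
"""Flag and collapse a Stick-style alert flood in IDS alert output.

Added example, not code from the original thread. The alert-line layout,
thresholds and sample data are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Constructed alert-line layout (loosely modelled on Snort's one-line
# "fast" alert output, NOT guaranteed to match it exactly):
#   MM/DD-HH:MM:SS.usec [**] <signature name> [**] <src>:<sport> -> <dst>:<dport>
ALERT_RE = re.compile(
    r"^(?P<date>\d\d/\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"(?P<sig>.+?)\s+\[\*\*\]\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):\d+$"
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if m is None:
        return None
    return {
        "second": f"{m['date']}-{m['time']}",  # bucket key, one-second resolution
        "sig": m["sig"],
        "src": m["src"],
        "dst": m["dst"],
    }


def bucket_by_second(lines):
    """Group parsed alerts by the second in which they fired."""
    buckets = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        if alert is not None:
            buckets[alert["second"]].append(alert)
    return buckets


def find_alert_floods(lines, min_rate=100, min_sources=20):
    """Return (second, alerts, distinct_sources, distinct_signatures) for each
    second whose alert count AND distinct-source count reach the thresholds.
    One real attacker rarely shows dozens of distinct sources in a single
    second; a spoofed-range generator does, which is the signal used here.
    The thresholds are illustrative assumptions, not tuned values."""
    floods = []
    for second, alerts in sorted(bucket_by_second(lines).items()):
        sources = {a["src"] for a in alerts}
        signatures = {a["sig"] for a in alerts}
        if len(alerts) >= min_rate and len(sources) >= min_sources:
            floods.append((second, len(alerts), len(sources), len(signatures)))
    return floods


def collapse_flood(lines, second, top_n=3):
    """Replace the individual alerts of a flooded second with one summary
    record, so the analyst and the alert store see one event, not hundreds."""
    alerts = bucket_by_second(lines).get(second, [])
    sig_counts = Counter(a["sig"] for a in alerts)
    return {
        "second": second,
        "alerts": len(alerts),
        "sources": len({a["src"] for a in alerts}),
        "targets": sorted({a["dst"] for a in alerts}),
        "top_signatures": sig_counts.most_common(top_n),
    }


# Constructed sample input: three ordinary alerts in one second, then a
# one-second burst of 250 alerts from 250 different source addresses cycling
# through five rules, mirroring the "about 250 alarms per second" figure
# quoted in the thread. Rule names and addresses are placeholders.
SIGNATURES = ["RULE-A", "RULE-B", "RULE-C", "RULE-D", "RULE-E"]


def make_sample_lines():
    lines = [
        "03/08-11:02:20.000100 [**] RULE-A [**] 10.1.1.5:4321 -> 192.0.2.10:80",
        "03/08-11:02:20.000200 [**] RULE-B [**] 10.1.1.5:4322 -> 192.0.2.10:80",
        "03/08-11:02:20.000300 [**] RULE-A [**] 10.1.1.6:4400 -> 192.0.2.11:25",
    ]
    for i in range(250):
        lines.append(
            f"03/08-11:02:21.{i:06d} [**] {SIGNATURES[i % 5]} [**] "
            f"198.51.100.{i}:{1024 + i} -> 192.0.2.10:80"
        )
    return lines


if __name__ == "__main__":
    sample = make_sample_lines()
    for second, n, srcs, sigs in find_alert_floods(sample):
        print(f"flood at {second}: {n} alerts, {srcs} sources, {sigs} signatures")
        print(collapse_flood(sample, second))
```

Running the script prints one flood line for the burst second and the collapsed summary; the ordinary second stays below both thresholds and is left as individual alerts.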
Current thread:
- Re: Statefull inspection on IDS - Stick Joe Klemencic (Mar 08)