Re: Are Fragmentation Attacks Still Used for IDS/IPS Evasion?

From: Joseph McCray (joe@learnsecurityonline.com)
Date: Sun Sep 30 2007 - 04:53:24 EDT


Last year I was doing some IDS/IPS Evasion research, and it was a lot of
fun (just ungodly time consuming). I would say that yes, a great many
older IDS/IPS evasion techniques like fragmentation work against
modern I{D|P}S solutions.

Real World:
===========
The key thing that I'm running into in my auditing work that I think is
more important is identifying whether or not there is an Active Network
I{D|P}S or Load Balancing solution in place, before you can even
consider bypassing it.

I think you run into the most issues with a Passive IDS Solution. It's
really difficult to identify whether one is in use or not because it
probably won't have an IP address, and it doesn't block your attacks.
Then it's even harder to know what vendor it is, and IMHO almost
impossible to know which signatures it has loaded.

That being said - speaking as a former IDS analyst I remember we got
more than our fair share of compromises identified by means other than
the IDS (usually an admin or user notifying us because the box was
acting funny). A lot of times the attack went undetected, and the
attacker was an idiot and did something really noisy on the box after
having compromised it (this happened a lot) that the IDS would detect.

There are tools out there that can help you identify whether an Active
Filtering solution is in place. For me that's the first thing I do after
doing my footprinting - before I do any port or vulnerability scanning I
look for Load Balancing, and Active Network Filtering. If neither one
is in place then I open up the flood gates and scan until my heart is
content.

Lab Environment:
================
If you are in a lab environment where you can actually see what is
getting by the IDS, and what isn't, then yes it's actually pretty easy
even without Metasploit. Add Metasploit to the picture and it's game
over. I honestly don't think Network-based IDS/IPS solutions have a
chance with a vulnerable host on the network against Metasploit.

If you want any of my notes from that IDS/IPS research from last year
let me know.

Take care,

-- 
Joe McCray
Toll Free:  1-866-892-2132
Email:      joe@learnsecurityonline.com
Web:        https://www.learnsecurityonline.com
Learn Security Online, Inc.
* Security Games        * Simulators
* Challenge Servers     * Courses
* Hacking Competitions  * Hacklab Access
"The only thing worse than training good employees and losing them 
is NOT training your employees and keeping them." 
        - Zig Ziglar
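An added example, not part of Joe's post, showing from the detection side why the fragmentation evasion he mentions still works: two fragments that overlap with different bytes reassemble differently depending on the overlap policy, and a sensor that does not model the target host's policy sees a different payload than the host. The `Fragment` type, the two policy names and the sample fragments are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Fragment:            # constructed for this example, not from the post
    offset: int            # byte offset of this piece within the datagram
    data: bytes

def reassemble(frags, policy="first"):
    """Rebuild a datagram from fragments under one overlap policy.
    policy="first": bytes from the fragment seen first are kept.
    policy="last":  a later fragment overwrites earlier bytes.
    Returns (payload, conflict); conflict is True when two fragments
    supplied different bytes for the same offset, which a sensor cannot
    resolve correctly without knowing the target host's policy.
    """
    buf, conflict = {}, False
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                if buf[pos] != b:
                    conflict = True
                if policy == "first":
                    continue
            buf[pos] = b
    if not buf:
        return b"", conflict
    length = max(buf) + 1
    if any(i not in buf for i in range(length)):
        raise ValueError("incomplete datagram: gap between fragments")
    return bytes(buf[i] for i in range(length)), conflict

def analyze(frags):
    """Reassemble under both policies and flag disagreement as suspect."""
    first, c1 = reassemble(frags, "first")
    last, c2 = reassemble(frags, "last")
    return {"first": first, "last": last,
            "conflict": c1 or c2, "evasion_suspect": first != last}

# Constructed sample fragment sets.
CLEAN = [Fragment(0, b"hello wo"), Fragment(8, b"rld")]
# The third fragment overlaps both earlier ones with different bytes.
CONFLICT = [Fragment(0, b"AAAAAAAA"), Fragment(8, b"BBBBBBBB"),
            Fragment(4, b"C" * 12)]

if __name__ == "__main__":
    for name, frags in (("clean", CLEAN), ("conflict", CONFLICT)):
        print(name, analyze(frags))
```

A sensor that alerts on `conflict` catches the ambiguity itself regardless of which reassembly the protected host performs.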

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:08 EDT