RSS |
 |
| F E A T U R E | |
|
|
|
Evading NIDS With Silly Packet Games November 13, 2000 |
||
|
|
If you've followed the IDS scene, you are probably sick of reading about the various packet games that fool NIDS products. Unfortunately, some network IDS vendors apparently still don't get it. More then a year after we first called a number of vendors out on this painful shortcoming, and almost three years since Thomas H. Ptacek and Timothy N. Newsham first published a white paper about the problems (see secinf.net/info/ids/idspaper/idspaper.html), the issues still exist. Thankfully, some of the big players, like Cisco and ISS, have finally addressed some of these techniques in the latest revisions of their products. Rest assured we'll be testing the effectiveness of their implementations. For the uninitiated, there are a number of tricks you can use to evade network-based intrusion-detection devices. Among them are fragmenting packets, monkeying with the ordering of TCP streams and fragmenting RPC calls. The concepts detailed in Ptacek and Newsham's paper were driven home when Dug Song, who at the time was working for Anzen (an IDS vendor), wrote a program called fragrouter. Fragrouter is an open-source tool for implementing some of the packet-mangling techniques Ptacek and Newsham discussed. While the concept is not rocket science, Song's program is a practical implementation of a tool that was embraced on a global scale by vendors and intruders. So if the white paper wasn't enough, intruders now have the actual tools to bypass most systems...and bypass they do. Vendors of intrusion-detection technology face some tough challenges, but this is one that should have been put in the bag years ago.
|
|
|
|
PAGE: 1 I 2 I 3 I 4 I 5 I 6 I FIRST PAGE |
||
