Evading/Attacking NIDS: Insertion, Evasion, DoS Attacks, Proposed Solutions (slide deck, PDF)
Slide 1: Agenda
• Network ID Systems
  – Architecture, Problems
• Evading/Attacking NIDS
  – Insertion, Evasion, DoS Attacks
• Proposed Solutions
  – Traffic Normalization
  – Active Mapping
• Miscellaneous
  – Evasion with Unicode
  – Evasion using Polymorphic Shell Code
Priyank Porwal, COMP 290 Network Intrusion Detection Systems
4/25/2005 Evading/Attacking NIDS 2

Slide 3: NIDS Architecture
Sets of Common Intrusion Detection Framework (CIDF) components
• E-boxes (Event generators)
  – E.g. Sniffers, Monitors
• A-boxes (Analysis engines)
  – E.g. Signature matchers
• D-boxes (Storage systems)
  – E.g. Loggers
• C-boxes (Countermeasures)
  – E.g. Alarms, Firewalls

Slide 4: NIDS Design Considerations
• Logical Target of Attacks
  – Each component a potential point of vulnerability and hence attacks
• Possible Attacks on their
  – “Availability” (total shutdown)
  – “Accuracy” (false positives)
  – “Completeness” (false negatives)
• Need to be Reliable, Robust
  – Avoid false sense of security

Slide 5: Problems with NIDS
• Insufficient Information on the Wire
  – Not enough to correctly reconstruct the state of complex protocol transactions like at end-systems
• Diversity in Protocol Implementations
  – Packet processing differs across end-systems
  – Leads to ambiguous interpretations
• Unknown Internal Network Conditions
  – Topology, Router configs, Traffic congestion, etc.

Slide 6: Problems for NIDS [contd…]
• Passive Network Monitors
  – Inherently “fail-open”
  – Cease to provide protection when subverted
• Vulnerability to Denial of Service
  – Process all flows to all protected end-systems
  – Being complex systems require lots of resources
  – Resource starvation problem is not easily solvable

Slide 7: Attacks against NIDS
• Insertion
  – Stuffing the analyzer with “invalid” packets
  – Data gets “inserted” into the NIDS’s packet stream
• Evasion
  – Slipping “valid” packets past the analyzer
• DoS
  – Causing resource starvation

Slide 8: Insertion
• NIDS accepts packets that an end-system rejects or doesn’t even receive
[Figure: Attacker (A) sends 2 packets, 1 with a smaller TTL; the NIDS monitors and processes 2 packets; Router (R) drops 1 packet because its TTL reaches 0; Victim (V) receives just 1 packet]
• Occurs when NIDS is less strict in processing packets than internal network

Slide 9: Insertion Example
• Attacker’s Data Stream (send order)
  Seq#  2 3 3 5 4 1 6
  Data  T T X C A A K
• NIDS’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T T X A C K
  – Accepts 3rd packet, which overwrites 2nd packet data
  – Interprets “ATXACK”
• End-System’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T T X A C K
  – Rejects 3rd packet for some reason, or does not receive it
  – Interprets “ATTACK”

Slide 10: Evasion
• An end-system can accept a packet that an NIDS rejects
  – Data gets “slipped” past the NIDS
[Figure: Attacker (A) sends 2 packets, 1 with the Source Route option; the NIDS monitors 2 packets but rejects the 1 packet with the SR option; Router (R) ignores the SR option and routes both packets; Victim (V) receives 2 packets]
• Occurs when NIDS is more strict in processing packets than internal network

Slide 11: Evasion Example
• Attacker’s Data Stream (send order)
  Seq#  2 3 3 5 4 1 6
  Data  T X T C A A K
• NIDS’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T X T A C K
  – Rejects 3rd packet for some reason
  – Interprets “ATXACK”
• End-System’s Stream
  Seq#  1 2 3 3 4 5 6
  Data  A T X T A C K
  – Accepts 3rd packet, which overwrites 2nd packet
  – Interprets “ATTACK”

Slide 12: Real Insertion/Evasion Attacks
• Mostly leverage on basic network and protocol ambiguities at the NIDS
  – Ambiguous interpretation of header fields
  – Ambiguous handling of header options
  – Ambiguous fragment/segment reassembly
• Ambiguities can cause NIDS to accept/reject packets differently than the end-system
  – NIDS and the end-system get different views of the same data stream

Slide 13: Ambiguities at NIDS
Related Field    Ambiguity (Decision problem for NIDS)
TTL              Will the packet reach the end-system before TTL becomes 0?
Length, DF       Will all downstream links be able to transmit this big packet without fragmenting (DF bit set)?
IP Option(s)     Will the end-system/routers accept a packet with this IP option(s)? E.g. (Strict) Source Route option
TCP Option(s)    Will the end-system accept a packet with this TCP option(s)?
Data             Will the end-system accept data in a SYN packet?
ToS              Does the packet conform to all internal routers (DiffServ)?
IP Frag Offset   How will the end-system reassemble overlapping fragments?
TCP Seq No.      How will the end-system reassemble overlapping segments?

Slide 14: Reasons for Ambiguities
• Differences in Protocol Implementations
  – Non-conformance to Protocol Standards
  – Every OS has a different protocol stack
• Configurations
  – End-system and router configurations
• Options
  – Application/Socket level options

Slide 15: IP Fragment Reassembly
• Time-Out
  – Different fragment time-out periods between NIDS and end-system
  – Attacker can wait after sending some fragments
    • To let them time-out either at NIDS or at end-system
  – When should NIDS time-out stored fragments?
    • Storing fragments dropped by end-host (Insertion)
    • Storing fragments for too long (DoS attacks)
    • Dropping fragments stored by end-host (Evasion)

Slide 16: IP Fragment Reassembly [contd…]
• Overlapping Fragments
  – How will the end-system handle the overlap?
  – Whether to prefer old or new data?
  – Different OSs handle overlap differently
Operating System   IP Fragment Overlap Behavior
Windows NT 4.0     Always favors old data
4.4 BSD            Favors new data for forward overlap
Linux              Favors new data for forward overlap
Solaris 2.6        Always favors old data
HP-UX 9.01         Favors new data for forward overlap
Irix 5.3           Favors new data for forward overlap

Slide 17: Transport Layer Ambiguities
• TCP 3-way Handshake (TCB creation)
  – Require full handshake?
    • Misses already active connections
  – Sync sequence nos. in between?
    • Attacker can easily desync NIDS
    • Best to sync on outbound SYN-ACK packets
• TCP Teardown
  – When to time-out inactive connections?
    • No implicit TCP connection time-out
  – FIN and RST to terminate the connection
    • FIN is acknowledged, RST not acknowledged

Slide 18: Transport Layer Ambiguities [contd…]
• TCP Header Fields
  – Allow invalid flag combinations?
  – Accept data in SYN packets?
• TCP Options
  – Accept/reject options in non-SYN packets?
    • Only if sent and accepted in an earlier SYN
    • MSS (Maximum Segment Size) option in SYN only
  – PAWS (Protection Against Wrapped Sequence Nos.)
    • End-systems implementing PAWS expect TS (TimeStamp) option in all segments
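As an added example (not part of the slides), the insertion and evasion examples of slides 9 and 11 and the overlap tables of slides 16 and 20 modelled as a small Python reassembler: a policy parameter selects “favors old data” versus “favors new data”, a hop count models the TTL case of slide 8, and the last function shows the active-mapping idea of reassembling under the protected host’s own profile. The `Segment` type, the one-byte-per-segment simplification and the sample streams are my constructions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # stream position of the byte carried (one byte per segment)
    data: str
    ttl: int = 64   # IP TTL as seen at the monitoring point

def reassemble(segments, policy, hops=0):
    """Rebuild the byte stream as one stack would see it.
    policy "old": already-buffered data wins (the tables' "Always favors old data")
    policy "new": a later overlapping segment overwrites (the "Favors new data" rows)
    hops: routers between the monitoring point and this stack; a segment whose TTL
          is not larger than that count expires in transit and never arrives."""
    buf = {}
    for s in segments:
        if s.ttl <= hops:
            continue                       # TTL hit 0 before arrival (slide 8)
        if s.seq in buf and policy == "old":
            continue                       # keep the byte already stored
        buf[s.seq] = s.data
    return "".join(buf[k] for k in sorted(buf))

def matches_signature(stream):
    """Stand-in for a signature matcher looking for the slides' pattern."""
    return "ATTACK" in stream

# Constructed streams in the slides' send order 2 3 3 5 4 1 6; the third segment
# sent is the duplicate at sequence number 3.
INSERTION = [Segment(2, "T"), Segment(3, "T"), Segment(3, "X", ttl=1), Segment(5, "C"),
             Segment(4, "A"), Segment(1, "A"), Segment(6, "K")]
EVASION = [Segment(2, "T"), Segment(3, "X"), Segment(3, "T"), Segment(5, "C"),
           Segment(4, "A"), Segment(1, "A"), Segment(6, "K")]

def insertion_views():
    """Slide 9: NIDS favors new data; the host is one router further on, so the
    low-TTL 'X' segment reaches the NIDS but not the host."""
    nids, host = reassemble(INSERTION, "new"), reassemble(INSERTION, "new", hops=1)
    return nids, host, matches_signature(nids), matches_signature(host)

def evasion_views():
    """Slide 11: NIDS keeps old data; the host (a 'favors new data' stack) overwrites."""
    nids, host = reassemble(EVASION, "old"), reassemble(EVASION, "new")
    return nids, host, matches_signature(nids), matches_signature(host)

def nids_view_with_profile(segments, host_policy, host_hops):
    """Active-mapping idea: reassemble with the protected host's measured profile
    (overlap policy, hop distance) instead of a fixed one, so both views agree."""
    return reassemble(segments, host_policy, host_hops)
```

In both scenarios the NIDS reconstructs “ATXACK” while the host reconstructs “ATTACK”; reassembling with the host’s profile removes the gap.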

Slide 19: TCP Stream Reassembly
• Requires Sequence No. Tracking
• Requires Congestion-Window Tracking
  – Normally data past the window is discarded
  – Time lag between NIDS and end-system w.r.t. window change events can be a problem
• Missing Data
  – Due to out-of-order arrival or packet drop?
  – NIDS cannot request retransmission

Slide 20: TCP Segment Reassembly [contd…]
• Overlapping Segments
  – How will the end-system handle the overlap?
  – Whether to prefer old or new data?
  – Different OSs handle overlap differently
Operating System   TCP Segment Overlap Behavior
Windows NT 4.0     Always favors old data
FreeBSD 2.2        Favors new data for forward overlap
Linux              Favors new data for forward overlap
Solaris 2.6        Favors new data for forward overlap
HP-UX 9.01         Favors new data for forward overlap
AIX 3.25           Favors new data for forward overlap
Irix 5.3           Favors new data for forward overlap

Slide 21: Denial of Service Attacks
• Basic problem
  – NIDS needs to simulate the operation of all protected end-systems and internal network
• Scarce Resources
  – CPU cycles, memory, disk space, bandwidth
• Reactive Systems
  – Trigger alarms (false positives)
  – Prevent valid access by spoofed addresses

Slide 22: Denial of Service Attacks [contd…]
• Memory
  – Target state management operations
    • TCP 3-way Handshake (TCP Control Block - TCB)
    • Fragment/Segment reassembly
• Network Bandwidth
  – Target NIDS’s inability to capture and process packets at line speed
• CPU Cycles
  – Target computationally expensive operations
    • Fragment/Segment reassembly
    • Encryption/Decryption

Slide 23: Tests
• Targeted several IP/TCP problems
• NIDSs tested
  • RealSecure
  • NetRanger
  • SessionWall-3
  • Network Flight Recorder (NFR)

Slide 24: Test Examples
• Mimicked PHF web-server attack
  – GET /cgi-bin/phf?
  – Possible execution of arbitrary code
  – Supposed to be detected by all NIDSs tested
