Content deleted Content added
m Aready in Category:Computer security exploits |
m →Polymorphism: clean up, replaced: IEEE Security Privacy → IEEE Security & Privacy |
||
| (5 intermediate revisions by 5 users not shown) | |||
Line 7:
=== Encoding ===
Application layer protocols like [[Hypertext Transfer Protocol|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal|
Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal|
=== Polymorphism ===
Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal|
To obfuscate their attacks, attackers can use [[Polymorphic code|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />
Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect.<ref name=":12" /><ref name=":32" /> [[Shikata ga nai]] ("it cannot be helped") is a popular polymorphic encoder in the [[Metasploit Project|Metasploit]] framework used to convert malicious [[shellcode]] into difficult-to-detect polymorphic shellcode using XOR additive feedback.<ref>{{cite web|url=http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai|title=Polymorphic XOR Additive Feedback Encoder|work=rapid7.com}}</ref>
Line 24:
One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads.<ref name=":12" /> The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order,
=== Overlapping fragments and TCP segments ===
Line 46:
=== Memory exhaustion ===
In order to match certain signatures, an IDS is required to keep [[State (computer science)|state]] related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS.<ref name=":04" /> Once all of the IDS's [[random-access memory]] (RAM) is consumed, it is forced to
If the IDS doesn't [[Garbage collection (computer science)|garbage collect]] TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly.<ref name=":04" /> Similar attacks can be made by fragmenting a large number of packets into a larger number of smaller packets, or send a large number of out-of-order TCP segments.<ref name=":04" />
| |||