Content deleted Content added
Update Denial of service intro |
m →Polymorphism: clean up, replaced: IEEE Security Privacy → IEEE Security & Privacy |
||
| (46 intermediate revisions by 23 users not shown) | |||
Line 1:
'''Intrusion
▲'''Intrusion Detection System evasion techniques''' are modifications made to attacks in order to prevent detection by an [[Intrusion Detection System]] (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper ''[http://citeseer.ist.psu.edu/ptacek98insertion.html Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection]'' popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.
Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion (and countering IDS evasion) are still active fields.
==Obfuscation==
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In
=== Encoding ===
Application layer protocols like [[Hypertext Transfer Protocol|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal|last1=Cheng|first1=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082|year=2012|citeseerx=10.1.1.299.5703|s2cid=1949199 }}</ref> A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious signatures.<ref name=":12" /><ref name=":22">{{Cite journal|last1=Corona|first1=Igino|last2=Giacinto|first2=Giorgio|last3=Roli|first3=Fabio|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues|journal=Information Sciences|volume=239|pages=201–225|doi=10.1016/j.ins.2013.03.022|year=2013}}</ref>
Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":04">{{Cite journal|last1=Ptacek|first1=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|citeseerx=10.1.1.119.399}}</ref> The IDS won't be able to match the encrypted traffic to signatures if it doesn't account for this.
=== Polymorphism ===
Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect [[buffer overflow]] attacks, an IDS might look for the evidence of [[NOP slide]]s which are used to weaken the protection of [[address space layout randomization]].<ref name=":32">{{Cite journal|last1=Chaboya|first1=D. J.|last2=Raines|first2=R. A.|last3=Baldwin|first3=R. O.|last4=Mullins|first4=B. E.|date=2006-11-01|title=Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion|journal=IEEE Security & Privacy|volume=4|issue=6|pages=36–43|doi=10.1109/MSP.2006.159|s2cid=11444752 |issn=1540-7993}}</ref>
To obfuscate their attacks, attackers can use [[Polymorphic code|polymorphic shellcode]] to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., [[XOR]]-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes.<ref name=":12" /><ref name=":32" />
== Fragmentation and small packets ==▼
Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect.<ref name=":12" /><ref name=":32" /> [[Shikata ga nai]] ("it cannot be helped") is a popular polymorphic encoder in the [[Metasploit Project|Metasploit]] framework used to convert malicious [[shellcode]] into difficult-to-detect polymorphic shellcode using XOR additive feedback.<ref>{{cite web|url=http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai|title=Polymorphic XOR Additive Feedback Encoder|work=rapid7.com}}</ref>
One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.▼
== Evasion ==
By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.▼
Attackers can evade IDS by crafting packets in such a way that the end host interprets the attack payload correctly while the IDS either interprets the attack incorrectly or determines that the traffic is benign too quickly.<ref name=":04" />
▲=== Fragmentation and small packets ===
== Overlapping fragments ==▼
▲One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads.<ref name=":12" /> The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
▲By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order,
An IDS evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, they must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.▼
▲=== Overlapping fragments and TCP segments ===
▲
Some IDS evasion techniques involve deliberately violating the [[Transmission Control Protocol|TCP]] or [[Internet Protocol|IP]] protocols in a way the target computer will handle differently from the IDS. For example, the [[Transmission Control Protocol|TCP Urgent Pointer]] is handled differently on different operating systems and may not be handled correctly by the IDS.▼
=== Ambiguities ===
▲Some IDS evasion techniques involve deliberately
=== Low-bandwidth attacks ===
Attacks which are spread out across a long period of time or a large number of source IPs, such as [[Nmap|nmap's]] slow scan, can be difficult to pick out of the background of benign traffic. An online [[Password cracking|password cracker]] which tests one password for each user every day will look nearly identical to a normal user who mistyped their password.
== Denial of service ==
Due to the fact that passive IDS are inherently [[fail-open]] (as opposed to [[fail-closed]]), launching a [[denial-of-service attack]] against the IDS on a network is a feasible method of circumventing its protection.<ref name=":
=== CPU exhaustion ===
Packets captured by an IDS are stored in a kernel buffer until the CPU is ready to process them. If the CPU is under high load, it can't process the packets quickly enough and this buffer fills up. New (and possibly malicious) packets are then dropped because the buffer is full.<ref name=":04" />
An attacker can exhaust the IDS's CPU resources in a number of ways. For example, signature-based intrusion detection systems use pattern matching algorithms to match incoming packets against signatures of known attacks. Naturally, some signatures are more computational expensive to match against than others. Exploiting this fact, an attacker can send specially-crafted network traffic to force the IDS to use the maximum amount of CPU time as possible to run its pattern matching algorithm on the traffic.<ref name=":12" /><ref name=":22" /> This [[algorithmic complexity attack]] can overwhelm the IDS with a relatively small amount of bandwidth.<ref name=":12" />
An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data.<ref name=":04" />
=== Memory exhaustion ===
In order to match certain signatures, an IDS is required to keep [[State (computer science)|state]] related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS.<ref name=":04" /> Once all of the IDS's [[random-access memory]] (RAM) is consumed, it is forced to utilize [[virtual memory]] on the [[Hard disk drive|hard disk]] which is much slower than RAM, leading to performance problems and dropped packets similar to the effects of CPU exhaustion.<ref name=":04" />
If the IDS doesn't [[Garbage collection (computer science)|garbage collect]] TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly.<ref name=":04" /> Similar attacks can be made by fragmenting a large number of packets into a larger number of smaller packets, or send a large number of out-of-order TCP segments.<ref name=":04" />
===Operator fatigue===
Alerts generated by an IDS have to be acted upon in order for them to have any value. An attacker can reduce the "availability" of an IDS by overwhelming the human operator with an inordinate number of alerts by sending large amounts of "malicious" traffic intended to generate alerts on the IDS. The attacker can then perform the actual attack using the alert noise as cover. The tools 'stick' and 'snot' were designed for this purpose. They generate a large number of IDS alerts by sending attack signature across the network, but will not trigger alerts in IDS that maintain application protocol context.
== References ==
{{reflist}}
== External links ==
* [https://blogs.forcepoint.com/security-labs/evasions-used-shadow-brokers-tools-danderspritz-and-doublepulsar-part-2-2 Evasions in the wild] blog on evasions found in the Shadow Brokers leak
[[Category:Computer security exploits]]
| |||