Intrusion detection system evasion techniques: Difference between revisions

Content deleted Content added
top: no longer orphan, cap
m Denial of service: overlink, cap
Line 45:
Due to the fact that passive IDS are inherently [[fail-open]] (as opposed to [[fail-closed]]), launching a [[denial-of-service attack]] against the IDS on a network is a feasible method of circumventing its protection.<ref name=":04" /> An adversary can accomplish this by exploiting a bug in the IDS, consuming all of the computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.
 
=== CPU Exhaustionexhaustion ===
Packets captured by an IDS are stored in a kernel buffer until the CPU is ready to process them. If the CPU is under high load, it can't process the packets quickly enough and this buffer fills up. New (and possibly malicious) packets are then dropped because the buffer is full.<ref name=":04" />
 
An attacker can exhaust the IDS's CPU resources in a number of ways. For example, signature-based [[Intrusion detection system|intrusion detection systems]] use pattern matching algorithms to match incoming packets against signatures of known attacks. Naturally, some signatures are more computational expensive to match against than others. Exploiting this fact, an attacker can send specially-crafted network traffic to force the IDS to use the maximum amount of CPU time as possible to run its pattern matching algorithm on the traffic.<ref name=":12" /><ref name=":22" /> This [[algorithmic complexity attack]] can overwhelm the IDS with a relatively small amount of bandwidth.<ref name=":12" />
 
An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data.<ref name=":04" />
 
=== Memory Exhaustionexhaustion ===
In order to match certain signatures, an IDS is required to keep [[State (computer science)|state]] related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS.<ref name=":04" /> Once all of the IDS's [[random-access memory]] (RAM) is consumed, it is forced to utilized [[virtual memory]] on the [[Hard disk drive|hard disk]] which is much slower than RAM, leading to performance problems and dropped packets similar to the effects of CPU exhaustion.<ref name=":04" />
 
If the IDS doesn't [[Garbage collection (computer science)|garbage collect]] TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly.<ref name=":04" /> Similar attacks can be made by fragmenting a large number of packets into a larger number of smaller packets, or send a large number of out-of-order TCP segments.<ref name=":04" /><h3>Operator Fatigue</h3>Alerts generated by an IDS have to be acted upon in order for them to have any value. An attacker can reduce the "availability" of an IDS by overwhelming the human operator with an inordinate number of alerts by sending large amounts of "malicious" traffic intended to generate alerts on the IDS. The attacker can then perform the actual attack using the alert noise as cover. The tools 'stick' and 'snot' were designed for this purpose. They generate a large number of IDS alerts by sending attack signatures across the network, but will not trigger alerts in IDS that maintain application protocol context.
 
== References ==
<references/>