Intrusion detection system evasion techniques: Difference between revisions

Pickyt (talk | contribs)
Update Denial of service intro
Pickyt (talk | contribs)
Denial of Service - CPU Exhaustion
 
An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack. The tools 'stick' and 'snot' were designed to generate a large number of IDS alerts by sending attack signatures across the network, but will not trigger alerts in IDSs that maintain application protocol context.
 
=== CPU Exhaustion ===
Packets captured by an IDS are stored in a kernel buffer until the CPU is ready to process them. If the CPU is under high load, it cannot process packets quickly enough and the buffer fills up; new (and possibly malicious) packets are then dropped because there is no room for them.<ref name=":02">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref>
 
An attacker can exhaust the IDS's CPU resources in a number of ways. For example, signature-based [[Intrusion detection system|intrusion detection systems]] use pattern-matching algorithms to compare incoming packets against signatures of known attacks. Naturally, some signatures are more computationally expensive to match against than others. Exploiting this fact, an attacker can send specially crafted network traffic that forces the IDS to spend as much CPU time as possible running its pattern-matching algorithm on the traffic.<ref name=":1">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=https://doi.org/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref><ref name=":2">{{Cite journal|last=Corona|first=Igino|last2=Giacinto|first2=Giorgio|last3=Roli|first3=Fabio|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues|url=https://doi.org/10.1016/j.ins.2013.03.022|journal=Information Sciences|volume=239|pages=201–225|doi=10.1016/j.ins.2013.03.022}}</ref> This [[algorithmic complexity attack]] can overwhelm the IDS with a relatively small amount of bandwidth.<ref name=":1" />
 
An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data.<ref name=":02" />
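The point that some signatures cost far more CPU to match than others can be checked rather than assumed. The following Python script is an added illustration, not part of this article or of any IDS project: it instruments a minimal backtracking matcher (Rob Pike's literal/`.`/`*` matcher, constructed here) with a step counter and estimates how each rule's matching cost grows as the payload doubles in length, which is the kind of rule audit an operator can run to find signatures that are cheap to inflate. The rules `attack` and `a*a*b` are constructed examples, not real signatures.

```python
import math

class Matcher:
    """Minimal backtracking matcher (literals, '.', '*', '^', '$' as in Rob Pike's matcher)
    with a step counter, constructed for this example; it is not a real IDS engine."""
    def __init__(self):
        self.steps = 0
    def search(self, pattern, text):
        self.steps = 0
        if pattern.startswith("^"):
            return self._match_here(pattern[1:], text)
        # Try the pattern at every offset, as a signature engine scans a payload.
        return any(self._match_here(pattern, text[i:]) for i in range(len(text) + 1))
    def _match_here(self, p, t):
        self.steps += 1  # one unit of matching work
        if not p:
            return True
        if len(p) > 1 and p[1] == "*":
            return self._match_star(p[0], p[2:], t)
        if p == "$":
            return t == ""
        if t and p[0] in (".", t[0]):
            return self._match_here(p[1:], t[1:])
        return False
    def _match_star(self, c, p, t):
        # Backtracking: try the rest of the pattern at every suffix the star could leave.
        while True:
            if self._match_here(p, t):
                return True
            if not t or (c != "." and t[0] != c):
                return False
            t = t[1:]

def match_cost(pattern, text):
    """Matcher steps spent searching text for pattern (deterministic, unlike wall-clock time)."""
    m = Matcher()
    m.search(pattern, text)
    return m.steps

def growth_exponent(pattern, payload=lambda n: "a" * n, sizes=(16, 32, 64)):
    """log2 of the cost ratio per doubling of payload length: ~1 means linear cost,
    well above 1 means a rule whose cost a small non-matching payload can inflate."""
    costs = [match_cost(pattern, payload(n)) for n in sizes]
    return max(math.log2(b / a) for a, b in zip(costs, costs[1:]))

def audit(signatures, threshold=1.5):
    """Return {signature: exponent} for the rules whose cost grows superlinearly."""
    exponents = {s: round(growth_exponent(s), 2) for s in signatures}
    return {s: e for s, e in exponents.items() if e > threshold}
```

On the constructed rules, `audit(["attack", "a*a*b"])` flags only the nested-star rule (exponent close to 3 against the all-`a` payload) while the literal rule stays linear; the same measurement applied to a real rule set points at the signatures worth rewriting or bounding with the engine's match limits.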
 
== References ==