Content deleted Content added
Rescuing orphaned refs (":04" → ":09" from rev 945505416) |
Reverted vandalism by 1.10.252.98 |
||
Line 3:
Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion (and countering IDS evasion) are still active fields.
==Payload obfuscation==
An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In this way, an attacker can exploit the end host without alerting the IDS.
=== Encoding and encryption ===
Application layer protocols like [[Hypertext Transfer Protocol|HTTP]] allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a [[Uniform Resource Locator|URL]] can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal).<ref name=":12">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082|year=2012|citeseerx=10.1.1.299.5703}}</ref> A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious signatures.<ref name=":12" /><ref name=":22">{{Cite journal|last=Corona|first=Igino|last2=Giacinto|first2=Giorgio|last3=Roli|first3=Fabio|title=Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues|journal=Information Sciences|volume=239|pages=201–225|doi=10.1016/j.ins.2013.03.022|year=2013}}</ref>
Attacks on encrypted protocols such as [[HTTPS]] cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication.<ref name=":
=== Polymorphism ===
Line 25 ⟶ 19:
== Insertion and evasion ==
Attackers can evade IDS by crafting packets in such a way that the end host interprets the attack payload correctly while the IDS either interprets the attack incorrectly or determines that the traffic is benign too quickly.<ref name=":
=== Fragmentation and small packets ===
Line 33 ⟶ 27:
=== Overlapping fragments and TCP segments ===
Another evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, they must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.<ref name=":
=== Protocol ambiguities ===
Some IDS evasion techniques involve deliberately manipulating [[Transmission Control Protocol|TCP]] or [[Internet Protocol|IP]] protocols in a way the target computer will handle differently from the IDS. For example, the TCP urgent pointer is handled differently on different operating systems. If the IDS doesn't handle these protocol violations in a manner consistent with its end hosts, it is vulnerable to insertion and evasion techniques similar to those mentioned earlier.<ref name=":
=== Low-bandwidth attacks ===
Line 42 ⟶ 36:
== Denial of service ==
Due to the fact that passive IDS are inherently [[fail-open]] (as opposed to [[fail-closed]]), launching a [[denial-of-service attack]] against the IDS on a network is a feasible method of circumventing its protection.<ref name=":
=== CPU exhaustion ===
Packets captured by an IDS are stored in a kernel buffer until the CPU is ready to process them. If the CPU is under high load, it can't process the packets quickly enough and this buffer fills up. New (and possibly malicious) packets are then dropped because the buffer is full.<ref name=":
An attacker can exhaust the IDS's CPU resources in a number of ways. For example, signature-based intrusion detection systems use pattern matching algorithms to match incoming packets against signatures of known attacks. Naturally, some signatures are more computational expensive to match against than others. Exploiting this fact, an attacker can send specially-crafted network traffic to force the IDS to use the maximum amount of CPU time as possible to run its pattern matching algorithm on the traffic.<ref name=":12" /><ref name=":22" /> This [[algorithmic complexity attack]] can overwhelm the IDS with a relatively small amount of bandwidth.<ref name=":12" />
An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data.<ref name=":
=== Memory exhaustion ===
In order to match certain signatures, an IDS is required to keep [[State (computer science)|state]] related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS.<ref name=":
If the IDS doesn't [[Garbage collection (computer science)|garbage collect]] TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly.<ref name=":
===Operator fatigue===
| |||