Intrusion detection system evasion techniques

Intrusion detection system evasion techniques are modifications made to attacks in order to prevent detection by an intrusion detection system (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.

Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion (and countering IDS evasion) are still active fields.

Obfuscation

An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In this way, an attacker can exploit the end host without alerting the IDS.

Encoding

Application layer protocols like HTTP allow for multiple encodings of data which are interpreted as the same value. For example, the string "cgi-bin" in a URL can be encoded as "%63%67%69%2d%62%69%6e" (i.e., in hexadecimal). [1] A web server will view these as the same string and act on them accordingly. An IDS must be aware of all of the possible encodings that its end hosts accept in order to match network traffic to known-malicious signatures. [1] [2]
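The following is an added example, not code from the article or from any of the tools it names. It shows the normalisation step an IDS needs before signature matching: the same "cgi-bin" signature is applied to the raw request path and to a canonicalised form that percent-decodes (including double encoding), collapses slashes and case-folds, as a permissive web server would. The signature, paths and function names are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed signature for the article's example: the string "cgi-bin" in a URL.
SIGNATURE = re.compile(r"cgi-bin", re.IGNORECASE)

def normalize_path(path: str, max_rounds: int = 3) -> str:
    """Canonicalise a request path the way a permissive web server would before
    it is compared against signatures: percent-decode until the string stops
    changing (so the doubly encoded %2563 becomes 'c'), collapse repeated
    slashes and lower-case the result. max_rounds bounds the decoding work."""
    decoded, previous, rounds = path, None, 0
    while decoded != previous and rounds < max_rounds:
        previous, decoded, rounds = decoded, unquote(decoded), rounds + 1
    decoded = re.sub(r"/+", "/", decoded)
    return decoded.lower()

def matches_raw(path: str) -> bool:
    """Naive matcher: looks only at the bytes as they appear on the wire."""
    return SIGNATURE.search(path) is not None

def matches_normalized(path: str) -> bool:
    """Matcher that compares what the end host will actually see."""
    return SIGNATURE.search(normalize_path(path)) is not None

# Constructed request paths: plain, hex-encoded (the article's own example),
# doubly encoded, and mixed-case with a partial encoding and a doubled slash.
SAMPLE_PATHS = [
    "/cgi-bin/test.cgi",
    "/%63%67%69%2d%62%69%6e/test.cgi",
    "/%2563gi-bin/test.cgi",
    "/CGI-%42in//test.cgi",
]

def evaded_count(paths=SAMPLE_PATHS) -> int:
    """Number of paths the raw matcher misses but the normalising matcher catches."""
    return sum(1 for p in paths if matches_normalized(p) and not matches_raw(p))
```

The number of decoding rounds should mirror what the protected server really does: decoding more times than the end host turns harmless requests into false positives, decoding fewer leaves the gap the text describes.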

Attacks on encrypted protocols such as HTTPS cannot be read by an IDS unless the IDS has a copy of the private key used by the server to encrypt the communication. [3] The IDS won't be able to match the encrypted traffic to signatures if it doesn't account for this.

Polymorphism

Signature-based IDS often look for common attack patterns to match malicious traffic to signatures. To detect buffer overflow attacks, an IDS might look for the evidence of NOP slides which are used to weaken the protection of address space layout randomization. [4]

To obfuscate their attacks, attackers can use polymorphic shellcode to create unique attack patterns. This technique typically involves encoding the payload in some fashion (e.g., XOR-ing each byte with 0x95), then placing a decoder in front of the payload before sending it. When the target executes the code, it runs the decoder which rewrites the payload into its original form which the target then executes. [1] [4]

Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect. [1] [4] Shikata ga nai ("it cannot be helped") is a popular polymorphic encoder in the Metasploit framework used to convert malicious shellcode into difficult-to-detect polymorphic shellcode using XOR additive feedback. [5]

Evasion

Attackers can evade IDS by crafting packets in such a way that the end host interprets the attack payload correctly while the IDS either interprets the attack incorrectly or determines that the traffic is benign too quickly. [3]

Fragmentation and small packets

One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. [1] The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.

By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order,

Overlapping fragments and TCP segments

Another evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data. [3] If the IDS doesn't reassemble the TCP stream in the same way as the target, it can be manipulated into either missing a portion of the attack payload or seeing benign data inserted into the malicious payload, breaking the attack signature. [1] [3] This technique can also be used with IP fragmentation in a similar manner.
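The following is an added example, not code from the article or from the paper it cites, covering both the small/out-of-order segments of the previous section and the overlapping segments described here. It is a minimal stream reassembler that can be run with either of the two overlap policies the text mentions ("older data" wins or "newer data" wins), over constructed traffic that reproduces the 80-byte/76-byte example; the point for an IDS is that the two policies yield different streams, so a signature can hit under one and miss under the other. Segment layout, payload bytes and function names are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes

def reassemble(segments, policy: str = "first") -> bytes:
    """Rebuild the byte stream from segments given in arrival order. Segments
    may be tiny, out of order or overlapping. policy='first' keeps the byte
    that arrived first (the 'older data' choice in the text); policy='last'
    lets later segments overwrite it ('newer data'). A hole in the sequence
    space raises ValueError, since no complete stream exists yet."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}   # absolute offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    out = bytearray()
    for off in range(len(stream)):   # contiguous iff every offset 0..n-1 is present
        if off not in stream:
            raise ValueError(f"hole at offset {off}; cannot reassemble yet")
        out.append(stream[off])
    return bytes(out)

def policies_disagree(segments) -> bool:
    """True when the two policies produce different streams: the IDS then cannot
    know what the end host saw without knowing which policy that host uses."""
    return reassemble(segments, "first") != reassemble(segments, "last")

def signature_hits(segments, signature: bytes) -> dict:
    """Which reassembly policy makes a byte signature visible."""
    return {p: signature in reassemble(segments, p) for p in ("first", "last")}

# Constructed traffic matching the text: an 80-byte segment, then a segment
# whose sequence number starts 76 bytes in, so its first four bytes overlap the
# tail of the first. A 1-byte segment for the end of the stream arrives first,
# i.e. out of order.
OVERLAPPING = [
    Segment(90, b"!"),                  # tiny packet, arrives before its predecessors
    Segment(0, b"A" * 76 + b"XXXX"),    # 80 bytes of payload
    Segment(76, b"YYYY" + b"B" * 10),   # seq 76: bytes 76..79 overlap
]
```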

Ambiguities

Some IDS evasion techniques involve deliberately manipulating TCP or IP protocols in a way the target computer will handle differently from the IDS. For example, the TCP urgent pointer is handled differently on different operating systems. If the IDS doesn't handle these protocol violations in a manner consistent with its end hosts, it is vulnerable to insertion and evasion techniques similar to those mentioned earlier. [3]

Low-bandwidth attacks

Attacks which are spread out across a long period of time or a large number of source IPs, such as nmap's slow scan, can be difficult to pick out of the background of benign traffic. An online password cracker which tests one password for each user every day will look nearly identical to a normal user who mistyped their password.
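The following is an added detection example, not code from the article. It takes the scenario above (one failed login per account per day from one source) and shows the aggregation that separates it from a mistyped password: rather than counting failures per account, it counts distinct accounts that a single source has failed against inside a long window. The log format, hosts and function names are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: "<ISO timestamp> <RESULT> user=<name> src=<ip>".
# 203.0.113.7 is a user who mistyped once; 198.51.100.9 tries one password
# against a different account every few hours.
SAMPLE_LOG = """\
2024-03-01T08:02:11 FAIL user=alice src=203.0.113.7
2024-03-01T08:02:19 OK user=alice src=203.0.113.7
2024-03-01T03:14:02 FAIL user=alice src=198.51.100.9
2024-03-01T11:40:55 FAIL user=bob src=198.51.100.9
2024-03-01T19:05:31 FAIL user=carol src=198.51.100.9
2024-03-01T23:58:47 FAIL user=dave src=198.51.100.9
2024-03-02T04:12:09 FAIL user=erin src=198.51.100.9
"""

def parse(log: str):
    """Yield (timestamp, result, user, src) tuples from the constructed format."""
    for line in log.splitlines():
        ts, result, user, src = line.split()
        yield (datetime.fromisoformat(ts), result,
               user.split("=", 1)[1], src.split("=", 1)[1])

def detect_slow_spray(log: str, window: timedelta, min_users: int) -> dict:
    """Return {src: distinct_users} for every source that fails against at
    least min_users distinct accounts within any sliding window of the given
    length. Per-account failure counts stay at one, so a per-account lockout
    threshold never fires; only the cross-account view reveals the pattern."""
    failures = defaultdict(list)                  # src -> [(ts, user), ...]
    for ts, result, user, src in parse(log):
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # each failure opens a window
            users = Counter(u for t, u in events[i:] if t - start <= window)
            if len(users) >= min_users:
                flagged[src] = len(users)
                break
    return flagged
```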

Denial of service

Due to the fact that passive IDS are inherently fail-open (as opposed to fail-closed), launching a denial-of-service attack against the IDS on a network is a feasible method of circumventing its protection. [3] An adversary can accomplish this by exploiting a bug in the IDS, consuming all of the computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.

CPU exhaustion

Packets captured by an IDS are stored in a kernel buffer until the CPU is ready to process them. If the CPU is under high load, it can't process the packets quickly enough and this buffer fills up. New (and possibly malicious) packets are then dropped because the buffer is full. [3]

An attacker can exhaust the IDS's CPU resources in a number of ways. For example, signature-based intrusion detection systems use pattern matching algorithms to match incoming packets against signatures of known attacks. Naturally, some signatures are more computationally expensive to match against than others. Exploiting this fact, an attacker can send specially crafted network traffic that forces the IDS to spend as much CPU time as possible running its pattern matching algorithm on the traffic. [1] [2] This algorithmic complexity attack can overwhelm the IDS with a relatively small amount of bandwidth. [1]

An IDS that also monitors encrypted traffic can spend a large portion of its CPU resources on decrypting incoming data. [3]

Memory exhaustion

In order to match certain signatures, an IDS is required to keep state related to the connections it is monitoring. For example, an IDS must maintain "TCP control blocks" (TCBs), chunks of memory which track information such as sequence numbers, window sizes, and connection states (ESTABLISHED, RELATED, CLOSED, etc.), for each TCP connection monitored by the IDS. [3] Once all of the IDS's random-access memory (RAM) is consumed, it is forced to utilize virtual memory on the hard disk which is much slower than RAM, leading to performance problems and dropped packets similar to the effects of CPU exhaustion. [3]

If the IDS doesn't garbage collect TCBs correctly and efficiently, an attacker can exhaust the IDS's memory by starting a large number of TCP connections very quickly. [3] Similar attacks can be made by fragmenting a large number of packets into a larger number of smaller packets, or by sending a large number of out-of-order TCP segments. [3]
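The following is an added example, not code from the article or from any IDS, of the garbage collection the paragraph above calls for: a TCB table that expires idle connections on a timeout and enforces a hard cap, evicting half-open (SYN-only) entries before established ones when the cap is reached. The state names, table layout and the constructed SYN-flood traffic are assumptions made for the example.

```python
from collections import OrderedDict

HALF_OPEN = "SYN_RECEIVED"
ESTABLISHED = "ESTABLISHED"

class TcbTable:
    """Per-connection state table for a monitoring IDS. Memory is bounded two
    ways: entries idle longer than idle_timeout seconds are expired, and
    max_entries caps the table; on overflow the least recently seen half-open
    entry is evicted before any established connection is touched."""

    def __init__(self, max_entries: int, idle_timeout: float):
        self.max_entries = max_entries
        self.idle_timeout = idle_timeout
        self.tcbs = OrderedDict()   # key -> {"state": str, "last_seen": float}
        self.evicted = 0

    def _expire(self, now: float) -> None:
        stale = [k for k, v in self.tcbs.items()
                 if now - v["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.tcbs[k]

    def _evict_one(self) -> None:
        for k, v in self.tcbs.items():        # oldest first (insertion/update order)
            if v["state"] == HALF_OPEN:
                del self.tcbs[k]
                self.evicted += 1
                return
        self.tcbs.popitem(last=False)         # no half-open entry: drop the oldest
        self.evicted += 1

    def observe(self, key, flags: str, now: float) -> None:
        """key = (src, sport, dst, dport); flags is a string of TCP flag letters."""
        self._expire(now)
        if "R" in flags or "F" in flags:      # teardown: free the block at once
            self.tcbs.pop(key, None)
            return
        if key not in self.tcbs:
            if len(self.tcbs) >= self.max_entries:
                self._evict_one()
            self.tcbs[key] = {"state": HALF_OPEN, "last_seen": now}
        tcb = self.tcbs[key]
        if "A" in flags:
            tcb["state"] = ESTABLISHED
        tcb["last_seen"] = now
        self.tcbs.move_to_end(key)

    def state(self, key):
        tcb = self.tcbs.get(key)
        return tcb["state"] if tcb else None

def syn_flood(table: TcbTable, count: int, now: float) -> int:
    """Constructed traffic: `count` SYNs from distinct sources that never complete
    the handshake. Returns the table size afterwards."""
    for i in range(count):
        src = ("198.51.100.%d" % (i % 254 + 1), 1024 + i, "192.0.2.10", 80)
        table.observe(src, "S", now)
    return len(table.tcbs)
```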

Operator fatigue

Alerts generated by an IDS have to be acted upon in order for them to have any value. An attacker can reduce the "availability" of an IDS by overwhelming the human operator with an inordinate number of alerts, sending large amounts of "malicious" traffic intended to generate alerts on the IDS. The attacker can then perform the actual attack using the alert noise as cover. The tools 'stick' and 'snot' were designed for this purpose. They generate a large number of IDS alerts by sending attack signatures across the network, but will not trigger alerts in IDS that maintain application protocol context.

References

  1. Cheng, Tsung-Huan; Lin, Ying-Dar; Lai, Yuan-Cheng; Lin, Po-Ching (2012). "Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems". IEEE Communications Surveys & Tutorials. 14 (4): 1011–1020. CiteSeerX 10.1.1.299.5703. doi:10.1109/surv.2011.092311.00082. S2CID 1949199.
  2. Corona, Igino; Giacinto, Giorgio; Roli, Fabio (2013). "Adversarial attacks against intrusion detection systems: Taxonomy, solutions and open issues". Information Sciences. 239: 201–225. doi:10.1016/j.ins.2013.03.022.
  3. Ptacek, Thomas H.; Newsham, Timothy N. (1998-01-01). "Insertion, evasion, and denial of service: Eluding network intrusion detection". CiteSeerX 10.1.1.119.399.
  4. Chaboya, D. J.; Raines, R. A.; Baldwin, R. O.; Mullins, B. E. (2006-11-01). "Network Intrusion Detection: Automated and Manual Methods Prone to Attack and Evasion". IEEE Security & Privacy. 4 (6): 36–43. doi:10.1109/MSP.2006.159. ISSN 1540-7993. S2CID 11444752.
  5. "Polymorphic XOR Additive Feedback Encoder". rapid7.com.