RE: ids inquisition

From: Turner, Elliot (eturner@intrusion.com)
Date: 07/27/01


Message-ID: <636A9B29EA94BC4194D844C27A3B1AAB016DE578@Mercury.intrusion.com>
From: "Turner, Elliot" <eturner@intrusion.com>
To: "'Randy Taylor'" <gnu@charm.net>, focus-ids@securityfocus.com
Subject: RE: ids inquisition
Date: Fri, 27 Jul 2001 11:42:31 -0500

My comments below:

-----Original Message-----
>From: Randy Taylor [mailto:gnu@charm.net]
>Sent: Thursday, July 26, 2001 11:01 PM
>To: focus-ids@securityfocus.com
>Subject: Re: ids inquisition
>
>
>
>Sorry, I can't let _this_ go silently by.
>
>At 03:54 PM 7/26/2001 -0700, Robert Graham wrote:
>>
>>BTW, Jeff means me (Robert Graham). As a vendor, I released a utility
>>"sidestep" that does some weird stuff that demonstrates evasion against other
>>vendors' products.
>
>And opened up a class of attacks that hadn't been widely seen before. I'd
>expect that from a blackhat, but not from a company CTO. Smelled like hubris
>and dangerous art for art's sake...it was a really bad smell.

A new class of attacks? Sidestep hardly does anything malicious, containing
only the following functionality:

 - RPC Portmapper Dump
 - FTP CWD ~root
 - DNS version.bind Query
 - SNMP LanMAN User Enum
 - PHF Probe
 - BackOrifice Ping

Most of the above are either probes (RPC Dump, version.bind Query, PHF
Probe, BackOrifice Ping), information gathering tools (LanMAN User ENUM),
and there is a single actual attack (CWD ~root).

All of the above attacks are publicly known, and have been for quite some
time.

Further, NIDS evasion is nothing new. The Ptacek/Newsham paper outlined
many network evasion attacks (fragment reassembly, out-of-order TCP
segments, bad checksums, etc) a number of years ago. CASL and Fragrouter
both exploit these evasion techniques.

Sure, sidestep does application-layer evasion, but this is nothing new
either.

Vern Paxson's paper on Bro outlines several application-layer evasion
attacks against NIDS packages. This paper was written a number of years
ago.

Frankly, I think Graham should be commended for writing this tool. He's
showing others how easy these attacks are to exploit. These attacks have
been known about for ages, and are in active use within the BlackHat
community.

Further, source code isn't (to my knowledge) even available for
SIDESTEP.EXE. This is merely a harmless demonstration program, designed to
show the shortcomings of various NIDS packages actively in use today.

Graham is doing the community a service by getting other NIDS packages to
improve their detection techniques. That's what security research is all
about.

Regards,

Elliot Turner

Disclaimer: I don't work for Robert Graham, NetworkICE or ISS. In fact, I
work for one of his competitors. I do however, believe he is doing our
community a service by performing legitimate research into NIDS evasion and
providing demonstration programs which illustrate his research.
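The network-layer evasions Turner cites from the Ptacek/Newsham paper (bad checksums, out-of-order segments) all come down to the sensor seeing a different byte stream than the end host. The following is an added example, not code from Turner's post, from sidestep, or from any of the products named in the thread: a small Python sensor that verifies TCP checksums and reassembles segments by sequence number before matching signatures, run over a constructed three-segment FTP exchange. The addresses, ports, sequence numbers, signature names and the `CWD` strings are all constructed for the demonstration.

```python
"""Sensor-side checks a NIDS needs before matching signatures on TCP payload.
Added example; the traffic below is constructed, not captured."""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum of 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, corrupt=False):
    """Constructed test vector: minimal 20-byte TCP header (PSH|ACK) plus payload."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    if corrupt:
        csum ^= 0x0001  # one flipped bit: the receiving host will discard this segment
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def checksum_ok(src_ip, dst_ip, segment) -> bool:
    """Recompute the checksum exactly as the end host does and compare."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


def tcp_payload(segment: bytes) -> bytes:
    data_offset = (segment[12] >> 4) * 4
    return segment[data_offset:]


def reassemble(initial_seq: int, segments: list) -> bytes:
    """Rebuild the in-order byte stream from possibly out-of-order segments.
    Only data contiguous from initial_seq is returned; a hole stops the stream.
    Ties on sequence number keep arrival order (stable sort)."""
    pieces = sorted(((struct.unpack("!I", s[4:8])[0], tcp_payload(s)) for s in segments),
                    key=lambda p: p[0])
    stream = b""
    expected = initial_seq
    for seq, data in pieces:
        if seq > expected:
            break  # hole: later data is not yet deliverable to the application
        if seq + len(data) <= expected:
            continue  # entirely duplicate data, already accounted for
        stream += data[expected - seq:]  # trim overlap, keep the first-seen bytes
        expected = seq + len(data)
    return stream


def inspect_stream(src_ip, dst_ip, initial_seq, segments, signatures, verify_checksums=True):
    """Return the names of signatures found in the reassembled stream."""
    if verify_checksums:
        segments = [s for s in segments if checksum_ok(src_ip, dst_ip, s)]
    stream = reassemble(initial_seq, segments)
    return [name for name, pattern in signatures.items() if pattern in stream]


# Constructed sample (hypothetical addresses/ports): three segments arriving out of
# order, one carrying a bad checksum. The host discards that one and executes "CWD /pub".
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
SIGS = {"ftp-cwd-root": b"CWD ~root", "ftp-cwd-pub": b"CWD /pub"}
SAMPLE = [
    build_segment(SRC, DST, 40000, 21, 1004, b"~root\r\n", corrupt=True),  # host drops
    build_segment(SRC, DST, 40000, 21, 1004, b"/pub\r\n"),                 # host accepts
    build_segment(SRC, DST, 40000, 21, 1000, b"CWD "),                     # arrives last
]

if __name__ == "__main__":
    print("checksum-verifying sensor:", inspect_stream(SRC, DST, 1000, SAMPLE, SIGS))
    print("naive sensor:            ", inspect_stream(SRC, DST, 1000, SAMPLE, SIGS,
                                                       verify_checksums=False))
```

With checksum verification on, the sensor reconstructs the same `CWD /pub` the host acts on; with it off, the bad-checksum segment is stitched into the stream first and the sensor alerts on a `CWD ~root` the server never saw, while the real command goes unreported as a duplicate. The practical check for a sensor is therefore to discard what the host would discard and to reassemble before matching, rather than to match signatures packet by packet.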
