RE: IDS bypassing
From: charles lindsay (frostbackeng@lycos.com)
Date: 12/30/02
- Previous message: Ed3f: "IDS bypassing"
- Maybe in reply to: Ed3f: "IDS bypassing"
To: ed3f@overminder.com
Date: Mon, 30 Dec 2002 14:56:16 -0500
From: "charles lindsay" <frostbackeng@lycos.com>
Could you be more explicit as to which NAT devices support this evasion technique?
All NAT/PAT devices I am familiar with are either complete TCP proxies, in which case they verify the checksum coming in, and then re-calculate it as it goes out, or they only implement the "quick-update" algorithm (RFC 1624 et alia). In the first case, your evil packets get dropped at the first NAT; in the second case, they always have an incorrect checksum.
================ On Sun 12/29/02 at 6:44 PM ========================
============== Ed3f [ed3f@overminder.com] spake: =====================
>> Systems Affected
>>
>> NAT/PAT/load_balancing/packet_manipulation implementations
>>
>> Overview
>>
>> Multiple vendors' implementations of
>> NAT/PAT/load_balancing/packet_manipulation
>> calculate level 4 checksum from scratch.
>>
<< snip>>
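
An added illustration, not part of either poster's message: a simplified Python model of the three checksum behaviours the thread mentions (a verifying proxy, the RFC 1624 incremental update, and computation from scratch), applied to a segment whose stored checksum is wrong. The function names, byte layout and sample values are constructed; the covered bytes stand in for pseudo-header plus segment, with the checksum held separately.

```python
# Added example (not from the original message): NAT rewrite of a source
# address under the three checksum behaviours discussed in the thread.

def fold(total: int) -> int:
    """Fold carries back in (one's-complement addition, RFC 1071)."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def words(data: bytes):
    if len(data) % 2:
        data += b"\x00"           # pad odd-length data for summing
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2)]

def checksum(covered: bytes) -> int:
    """Full computation from scratch over the covered bytes."""
    return ~fold(sum(words(covered))) & 0xFFFF

def incremental(hc: int, old: bytes, new: bytes) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), for each changed 16-bit word."""
    total = ~hc & 0xFFFF
    for m, m2 in zip(words(old), words(new)):
        total += (~m & 0xFFFF) + m2
    return ~fold(total) & 0xFFFF

def nat_rewrite(src, rest, stored, new_src, mode):
    """Return (new_src, checksum) after translation, or None if dropped.

    mode: 'proxy'       verify on ingress, then recompute
          'incremental' quick update of the stored checksum
          'scratch'     recompute without verifying the stored value
    """
    if mode == "proxy" and checksum(src + rest) != stored:
        return None
    if mode == "incremental":
        return new_src, incremental(stored, src, new_src)
    return new_src, checksum(new_src + rest)

def valid_after(src, rest, stored, new_src, mode):
    """Classify what the receiver sees: 'dropped', 'valid' or 'invalid'."""
    out = nat_rewrite(src, rest, stored, new_src, mode)
    if out is None:
        return "dropped"
    return "valid" if checksum(out[0] + rest) == out[1] else "invalid"

# Constructed sample: source address, then the remaining covered bytes.
SRC, NEW_SRC = bytes([10, 0, 0, 5]), bytes([192, 0, 2, 1])
REST = bytes([198, 51, 100, 7]) + b"constructed payload"
GOOD = checksum(SRC + REST)
BAD = GOOD ^ 0x0001               # deliberately wrong stored checksum
```

Only the `scratch` mode turns the wrong stored checksum into a valid one on egress; verifying on ingress or updating incrementally keeps the error visible to the receiver.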