Re: Firewall-fooling techniques

From: Richard Bejtlich (
Date: 02/17/05

    Date: Thu, 17 Feb 2005 05:55:58 -0500
    To: Göran Sandahl <>

    On Sun, 13 Feb 2005 00:00:31 +0100, Göran Sandahl <> wrote:
    > Or, can someone please in short terms
    > describe what kind of traffic IDSs have problems detecting today. And how
    > will the bad guys do it tomorrow?


    Chapter 18 of my book addresses this subject. [0] The problem is
    broader than running traffic through Fragrouter, and depends on the
    attacker's goal. Some techniques are designed to fool an analyst, not
    the IDS. Here is a summary:

    - Promote anonymity
     -- Attack from a stepping-stone
     -- Attack using a spoofed source address
     -- Attack from a netblock not owned by the intruder (advertise BGP routes)
     -- Attack from a trusted host
     -- Attack from a familiar netblock
     -- Attack the client, not the server
     -- Use public intermediaries
    - Evade detection
     -- Time attacks properly
     -- Distribute attacks through Internet space
     -- Employ encryption
     -- Appear normal
    - Degrade or deny collection
     -- Employ decoys
     -- Consider volume attacks
     -- Attack the sensor
     -- Separate analysts from their consoles



    [0] The Tao of Network Security Monitoring: Beyond Intrusion
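The following is an added illustration of two items from the "Evade detection" list above, timing attacks properly and distributing them through Internet space. It is not code from the original post or from the book; the flow records, addresses and thresholds are constructed for the example. A per-source "N ports in a minute" scan signature fires on a noisy scanner but never on the same 40 probes spread over two hours and rotated across eight sources, while a target-centric view over a long window still catches the second scan (at the cost of no longer being able to say which source did it, which is exactly the decoy problem the "Degrade or deny collection" section points at).

```python
from collections import defaultdict

# Constructed flow records, not real traffic: (timestamp_s, src_ip, dst_ip, dst_port)
TARGET = "192.0.2.10"

# A noisy scanner: 40 ports from one source in under half a second.
NOISY_SCAN = [(i * 0.01, "198.51.100.7", TARGET, 1 + i) for i in range(40)]

# The same 40 ports, one probe every three minutes, rotated across eight
# sources: "time attacks properly" plus "distribute attacks through Internet space".
SLOW_DISTRIBUTED = [
    (i * 180.0, f"203.0.113.{1 + i % 8}", TARGET, 1 + i) for i in range(40)
]


def distinct_ports_exceeded(flows, key_fn, window, threshold):
    """Sliding-window scan detector.

    Groups flows by key_fn(src, dst); for every event, counts the distinct
    destination ports seen for that key in the preceding `window` seconds and
    returns the set of keys that reached `threshold`.
    """
    grouped = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        grouped[key_fn(src, dst)].append((ts, port))
    tripped = set()
    for key, events in grouped.items():
        for ts, _ in events:
            ports = {p for t, p in events if ts - window < t <= ts}
            if len(ports) >= threshold:
                tripped.add(key)
                break
    return tripped


def per_source_alerts(flows, window=60.0, threshold=15):
    """The usual signature: one source, one target, N distinct ports in a minute."""
    return distinct_ports_exceeded(flows, lambda s, d: (s, d), window, threshold)


def per_target_alerts(flows, window=4 * 3600.0, threshold=15):
    """Target-centric view: regardless of source, how many distinct ports has
    this host been probed on in the last four hours?"""
    return distinct_ports_exceeded(flows, lambda s, d: d, window, threshold)


if __name__ == "__main__":
    for name, flows in (("noisy", NOISY_SCAN), ("slow+distributed", SLOW_DISTRIBUTED)):
        print(name,
              "| per-source:", per_source_alerts(flows) or "nothing",
              "| per-target:", per_target_alerts(flows) or "nothing")
```

The long-window, target-keyed view is only possible if the sensor retains session records for hours rather than matching packets and forgetting them, which is the data-retention argument the NSM approach makes; it is also the view that a volume attack or decoy flood is designed to swamp.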


