Evasions and attacks
An advanced adversary may attack the monitoring infrastructure itself so that their actions are not detected. These approaches may involve the use of evasive techniques to trick the IDS/IPS and avoid detection. Alternatively, they may target the IDS and IPS device itself to render them less effective and thereby avoid detection.
IDS/IPS evasions
IDS/IPS evasion is a technique used by an adversary to trick the IDS or IPS to conclude that there is no attack occurring when there in fact is (evasion), or to conclude that there is an attack occurring when there in fact isn’t (insertion).
IDS and IPS are separate entities from end hosts, and there are inherent differences in what network traffic they see and how they process the traffic. Due to these differences, it is possible to craft the traffic in such a way as to trick the IDS or IPS device.
An example of an evasion case is as follows:
Figure 1.7 – An IDS evasion example
Figure 1.7 shows a typical scenario for an IDS evasion. The box marked R is an internet protocol router. According to the IP protocol, as the IP datagram is being routed from the source to the destination, the IP datagram’s time-to-live (TTL) value is decremented by 1 at each router.
In this case, the attacker manipulates the packet TTL values such that all of them are seen by the IDS, but only some of them reach the end host. Thereafter, the attacker sends the following:
- Packet 1: Data: “ATT”.
- Packet 2: Data: “END” (TTL 1).
- Packet 2 (Retransmitted): Data: “ACK” (TTL 10).
The attacker sends the attack in two separate packets. Let us imagine that the IDS favors older data when reassembling the segments. So, the IDS reassembles the data (concatenates Packet 1 and Packet 2) as ATTEND. On the other hand, due to the TTL manipulation, the second packet does not reach the end host. So, the end host reassembles the data as ATTACK, which means a successful attack. The IDS, however, fails to generate an alert because it concluded the data as ATTEND.
If the attacker knows that the IDS does not validate packet checksums, the same test as the previous can be repeated, and instead of manipulating the TTL values, they can send the second packet with an invalid checksum, which will be processed by the IDS but discarded by the end host.
The technique for evasion can be adjusted based on the type of difference between the IDS processing and endpoint processing.
Attacks against the IDS/IPS
We saw that the IDS and IPS play a key role in the security posture of an organization. We noted earlier that IDS and IPS processing is complex and involved. In the previous section, we discussed how the adversary tries to go unnoticed during an attack by evasion (and insertion) techniques. In another tactic, the adversary could attack the IDS/IPS itself to render it partially or completely useless for a short or long duration. Such attacks against the IDS/IPS can be classified into two main types:
- Crash attack: This is a class of attack that tries to send some network traffic that causes the IDS to crash when processing it. For example, the IDS could have a buffer overflow vulnerability in its decoder or detector module, which is triggered when processing a certain type of traffic. A very early version of Snort (version 1.8) has a similar vulnerability when processing RPC traffic, causing a buffer overflow. An attacker knowing such a vulnerability could target the IDS and cause a crash, which would lead to degraded operation and missed attacks during that time window.
- Denial-of-service attack: In this approach, the attacker sends traffic that causes the IDS to spend a large amount of time processing it. A lot of such traffic can cause the IDS to go to a state where it cannot keep up and will start dropping packets. This can lead to degraded operations and missed attacks.
A robust IDS design would consider such attacks against itself and have mechanisms to defend against such attacks.
