Investigating the efficiency of modern Intrusion Detection Systems (IDS) in detecting current evasion techniques – Part 3 – Basic Evasion

IDS Evasion Techniques

Since the introduction of intrusion detection systems they became very popular amongst network administrators because it provided a way to detect if any attacks took place. At them days (1990s) these systems were very simple devises that monitor the network traffic, match it to a database of signatures and if there is a match an alert is produced that informs the administrator of the event
(Bruneau, 2001,
History and Evolution of Intrusion Detection, p. 3). Throughout the years attackers, security professionals, researchers and developers have always played a cat and mouse game. Every time developers, security professionals and researchers find or develop new ways to counteract attacks, attackers seem to develop new ways to attack security devises such as IDSs or even bypass them altogether. This is because of the complexities in capturing, analysing and understanding network traffic (Timm, 2002, IDS Evasion Techniques and Tactics, p. 1). These complexities meant the existence of many techniques that can be used to take advantage of the weaknesses in IDSs. These methods were very simple such as pattern matching, denial of service (DOS) and false positives. However overtime more advanced techniques such as fragmentation, session splicing and polymorphic shell-code techniques began to appear.

As mentioned by (Roberts, 2010)
that stonesoft’s disclosure of a new way to evade IDSs and IPSs (IDPSs) raises some doubts about the effectiveness of many security products already used by many organisations worldwide. However stonesoft’s discovery was not new; anyone has an interest in information security knows that these techniques have been around for a very long time and was first mentioned in 1998 by (Newsham, 1998).

As quoted by (Roberts, 2010):

“Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.”

He further quoted:

“”In the process of doing so, we basically discovered that it’s possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,” he said.”

However, I respectfully disagrees with what Mr. Matt McKinley had said; this is because these techniques as will be discussed in the following sections have been around for a very long time and all are based on the techniques mentioned in
(Newsham, 1998)

In this section the author presents an overview of some of these techniques by dividing them into two categories Basic techniques and Complex techniques.

Basic evasion techniques

Pattern-matching Weaknesses

As described by (iDefence Security Team, 2006, p. 3), most IDSs seem to employ pattern-based detection approach and many of the evasion methods performed by attackers tend to exploit the pattern matching mechanism and takes advantage of its weaknesses. As described in “Appendix A” pattern-based (signature-based) approach compares the network traffic to known vulnerabilities or commonly used strings inside exploits to detect attacks. However due to the fact that not all input have to be the same to trigger a particular vulnerability, which means a small change in the string can bypass the IDS. An example to explain this further is shown below:

Taking a simple HTTP request as an example

GET /cgi-bin/phf?

If this string was sent and seen by the IDS it will cause an alert, however if the string was obfuscated as shown below it will trigger the attack but no alerts will be produced:

GET /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%25%2fp%68f?

Both of the strings above would produce the same results; however the second one would bypass detection because when the string is compared to the signatures available in the IDS there will be no match because no signature is available with a string that matches this one and so the attack would reach its destination without being detected and when the target receives this string it will URL decode to /phf. This is because in a URL % is used to escape special characters. Thus %25 will be decoded to %, %2f decoded to / and %68 decoded to h, which will result into /cgi-bin/aaaaaaaaaaaaaaaaaaaaaaaaaa/..%/phf?
String this causes it to move up a directory because the %/ escapes the “/” and the “..” moves up a directory, therefore strips out the multiple “a” character leaving the string looking as /cgi-bin/phf?, which is the same as the original string.

Unicode Evasion techniques

According to the same document mentioned above; Unicode is a way of representing characters of each language by giving it a unique identifier to help uniform the computer representation of each language. Although Unicode is a very useful method that made a big difference in the way computers have advanced it also provided attackers another way to evade detection.

Because in Unicode it is possible to represent a single character in multiple ways meant a big problem for IDSs. For example a character such as “\” can be represented as 5C, C19C and E0819C, this makes creating signatures very challenging. Although the new Unicode standard makes multiple representation illegal, some applications still use the old standard.

A good example of how Unicode affects IDS as presented by the iDefense document is the Microsoft IIS 4.0/5.0 directory traversal vulnerability. This vulnerability was released in October 2000 by Rain Forrest Puppy.

Denial of service (DoS)

Another way attackers use to evade detection is a DoS attack, which can be classed as an indirect way of evading IDSs. In an enterprise alert data is stored centrally so it can be viewed from one location, in other words alert logs for the entire enterprise network, which can have many IDS sensors can be viewed centrally from one location instead of a system-by-system basis. This is very useful for security analysts but if attackers know the IP address of the central logging server they could direct their attack towards it in order to slow it down or even launch a DoS attack to crash it. When this happens attackers can then launch further attacks happily knowing that their attack will not generate any alerts because the logging server is down. Another method discussed below, which is useful if the logging server’s IP address is not known is to generate false positives in order to fill the logging server’s memory so that it can no longer log any alerts.

False Positive technique

This method is very similar to the DoS attack method, as mention at the end of the above section the aim of this technique is to generate large amounts of packets known to trigger an alert. This will force the IDS to produce large amounts of alerts that must be logged, which in turn will give the attacker two advantages, the first is that the logging server’s memory will fill up and so no further alerts can be logged; the second advantage is that the attacker can hide the real attack within the huge amount of alerts knowing that security analysts would have great difficulty in differentiating between the real attack and the false alerts when looking at log data.

Also attackers know that many IDSs would have the same or similar signatures for a particular attack, which increases the success rate of a given attack. This is because the more signatures IDSs have in common, the more false positives attackers are able to generate and the faster attackers can launch their attacks.

Session splicing

Because of the processor power required to reconstruct a full session some IDSs only reassemble parts of it. Also some IDSs perform pattern matching on the data before reassembling the session. This resulted in a technique that emerged to take advantage of these vulnerabilities and exploits them. This method splits the data into several packets, which means that every single packet will not match any of the IDS’s signatures. Many IDSs stop reconstructing a stream of packets after a certain period of time and so if intruders know which IDS system is in use they could add a delay time between packets to skip reassembly checking. Also if the application the attacker is trying to attack keeps a session for a longer period then the amount of time the IDS set to reassemble packets, the IDS will stop reassembling that session, which provides attackers the ability to send malicious data that would go undetected.

This type of attack is known as session splicing, which is very old and most if not all modern IDSs haven found ways to prevent it (iDefence Security Team, 2006).


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s