Discussion
To achieve the objectives of this study the experiments needed to be as realistic as possible, meaning that the same steps an attacker takes to compromise a network had to be followed. This allows the effectiveness of the IDS in detecting each stage to be investigated; at the same time a way is needed to ensure that any attack that managed to evade detection did so because of the effectiveness of the technique and not because of misconfiguration or any other issue. For this reason the experiments were divided into two scenarios, which were further divided into the experiments discussed previously (part 1 to part 8).
As explained by Bejtlich (2004, p.19), in certain phases of a compromise it becomes very difficult to detect the attack. Taking this into consideration, it was decided to carry out the tests on the phases where detection would give a very clear indication that an attack is being carried out. Table 7.1, taken from Bejtlich (2004, p.19), shows these phases.
| Phases of compromise | Description | Probability of detection | Attacker's advantage | Defender's advantage |
|---|---|---|---|---|
| Reconnaissance | Enumerate hosts, services, and application versions. | Medium to high | Attackers perform host and service discovery over a long time frame using normal traffic patterns. | Attackers reveal themselves by differences between their traffic and legitimate user traffic. |
| Exploitation | Abuse, subvert, or breach services. | Medium | Attackers may attack services offering encryption or obfuscate exploit traffic. | Exploits don't appear as legitimate traffic, and IDSs will have signatures to detect attacks. |
| Reinforcement | Retrieve tools to elevate privileges and/or disguise presence. | High | Encryption hides the content of tools. | Outbound activity from servers can be closely monitored and identified. |
| Consolidation | Communicate via backdoor, typically using a covert channel. | Low to medium | With full control over communication endpoints, the attacker's creativity is limited only by the access and traffic control offered by intervening network devices. | Traffic profiling may reveal unusual patterns corresponding to the attacker's use of a backdoor. |
| Pillage | Steal information, damage the asset, or further compromise the organisation. | Low to medium | Once operating from a "trusted host", the attacker's activities may be more difficult to notice. | Smart analysts know the sorts of traffic that internal systems should employ and will notice deviations. |

Table 7.1: Phases of a compromise (Bejtlich 2004, p.19)
The top two rows of the above table (highlighted in the original) are the stages chosen to be investigated for this study.
SCENARIO ONE – NO EVASION
The part of the experiment that represented the main focus of the study was scenario two; however, scenario one was also important as it sets the scene for the rest of the study. It provides a way of testing the operation of each component of the IDS and how it interacts with the rest of the system, checks that there are no misconfiguration issues, and so ensures the accuracy of the results.
At this stage reconnaissance techniques were tested in three phases. For each phase the packets were captured using tcpdump and analysed to see what the normal packets would look like.
Phase one – here the IDS relied only on the rules (signatures) it contains to detect attacks, because an important component (the pre-processors) was disabled; this mode was therefore called rules-only mode. As seen in chapter 6.1, all attacks were successfully detected even when nmap's fragmentation was used, which demonstrates that the IDS detected the attacks using the rules alone.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 2018 | 1910 | 941 |
| Frag SYN | 5014 | 4899 | 2328 |

Table 7.2: Experiment Stats Rules Only Mode

Figure 7.1: Statistics Chart for scenario one Rules only mode
Phase two – this phase was exactly the same as the above except that this time the pre-processors were activated while the rules were deactivated; this phase was therefore called pre-processor mode. Here none of the attacks raised an alert, because the rules were disabled, and any indication of an attack taking place could only be determined by looking at the statistics, as shown by the high number of fragments. This is why it is important to review such data regularly: it gives signs that on some occasions cannot be seen by looking at the alerts console alone.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 2024 | 2024 | 0 |
| Frag SYN | 5875 | 5875 | 0 |

Table 7.3: Experiment Stats Pre-processors Mode

Figure 7.2: Experiment Statistics For Scenario One Pre-processor mode
Phase three – in this final phase of the scenario the IDS was operated in full mode, meaning that the pre-processors as well as the rules were activated. Again it can be established that all of the attacks were detected and that the system and its components were fully operational.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 2037 | 1987 | 962 |
| Frag SYN | 5356 | 5097 | 2373 |

Table 7.4: Experiment Stats Full mode

Figure 7.3: Experiment Statistics Scenario one Full mode
In this way it was confirmed that the system was correctly configured and should be able to detect the attacks that would be launched, so that any attack that managed to evade detection did so because the technique was effective.
SCENARIO TWO – EVASION TECHNIQUES
As this was the main scenario of the study, two of the evasion techniques discussed in chapter two were chosen for the experiments. The experiments were divided into three parts and the IDS was operated in full mode. The first part tested fragmentation techniques using three different configurations against the same two reconnaissance attacks used in scenario one (SYN and nmap fragmented SYN scans). The second part investigated the evasion techniques provided by Metasploit, as well as these methods combined with fragroute, while the third and final part used an encrypted tunnel to evade detection.
SCENARIO 2.1 – FRAGMENTATION
This part demonstrated the fragmentation techniques discussed in Newsham (1998). Tools such as fragroute (discussed in chapter four) were used to modify packets using different patterns of the fragmentation techniques explained in that paper. The setup used three different configuration settings for each scan. These settings were:
Fragroute's default configuration – when this pattern was used on its own the IDS managed to detect it successfully, though when it was combined with nmap's fragmentation the IDS failed to detect the combination.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 4272 | 4272 | 68 |
| Frag SYN | 12191 | 12191 | 0 |

NB: the Frag SYN alert count is shown as zero because the alerts that were generated were not linked to the scans; they were considered false positives and the scans themselves were not detected.

Table 7.5: Experiment Stats Scenario Two – Fragmentation (default settings)

Figure 7.4: Scenario Two Fragmentation Stats chart – Default settings Stats
8-byte fragments favouring old data – the IDS successfully detected the attacks when this pattern was used alone, but when it was combined with nmap's fragmentation the IDS failed to detect the attack.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 2412 | 2412 | 198 |
| Frag SYN | 6189 | 6189 | 0 |

NB: the Frag SYN alert count is shown as zero because the alerts that were generated were not linked to the scans; they were considered false positives and the scans themselves were not detected.

Table 7.6: Experiment Stats Scenario Two – Fragmentation (8 Byte fragments)

Figure 7.5: Scenario Two Fragmentation Stats chart – 8 Byte fragment settings
4-byte TCP segments favouring new data – in this setup the IDS failed to detect any of the attacks when combined with nmap's fragmentation, but it successfully detected the events when the setting was used on its own.
| Type of scan | No. of PKTs received | No. of PKTs analysed | No. of alerts |
|---|---|---|---|
| SYN Scan | 2272 | 2272 | 68 |
| Frag SYN | 6186 | 6186 | 0 |

NB: the Frag SYN alert count is shown as zero because the alerts that were generated were not linked to the scans; they were considered false positives and the scans themselves were not detected.

Table 7.7: Experiment Stats Scenario Two – Fragmentation (4 Byte TCP segments)

Figure 7.6: Scenario Two Fragmentation Stats Chart – 4 Byte TCP segments
This demonstrates that these methods can still be effective in evading IDSs, especially when more advanced patterns are used or when they are combined with other techniques. It is also important to recognise that the above patterns are considered basic: a tool such as fragroute or fragrouter (two different tools) contains over a dozen different patterns, and when these are combined dozens if not hundreds of different evasion patterns can be created, which makes it very difficult if not impossible for any IDS to detect such methods. According to the author, fragmentation methods still work and on many occasions can still be used to evade detection.
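The "favouring old data" and "favouring new data" settings above refer to how a receiving host resolves overlapping fragments, and the IDS has to guess which policy the target applies. The following is an added example (not code from the thesis, from fragroute, or from the IDS under test) that models this ambiguity on constructed sample fragments: the same three fragments reassemble to two different payloads depending on the policy, so a content signature can match under one policy and miss under the other. From the defender's side, the overlap itself is the observable, so the block also reports overlapping fragment pairs, which is the condition an IDS reassembly pre-processor can alert on regardless of which policy the host uses. The signature string is a hypothetical pattern chosen for the demonstration.

```python
"""Overlapping-fragment reassembly under two policies (added example).

Constructed data only; no real packets are read or sent.  "old" keeps the bytes
that arrived first, "new" lets later fragments overwrite them.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the reassembled payload
    data: bytes   # payload bytes carried by this fragment


def reassemble(frags: List[Fragment], policy: str) -> bytes:
    """Reassemble fragments in arrival order under the given overlap policy."""
    if policy not in ("old", "new"):
        raise ValueError("policy must be 'old' or 'new'")
    if not frags:
        return b""
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)          # unfilled gaps stay as zero bytes
    filled = [False] * total
    for f in frags:                 # arrival order matters, so no sorting here
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if policy == "new" or not filled[pos]:
                buf[pos] = b
            filled[pos] = True
    return bytes(buf)


def find_overlaps(frags: List[Fragment]) -> List[Tuple[int, int]]:
    """Return (earlier_index, later_index) pairs whose byte ranges overlap.

    Normal stacks do not emit overlapping fragments, so any non-empty result is
    a reasonable alert condition on its own, independent of the host's policy.
    """
    spans = [(f.offset, f.offset + len(f.data)) for f in frags]
    hits = []
    for i in range(len(spans)):
        for j in range(i + 1, len(spans)):
            a0, a1 = spans[i]
            b0, b1 = spans[j]
            if a0 < b1 and b0 < a1:
                hits.append((i, j))
    return hits


def signature_matches(payload: bytes, pattern: bytes) -> bool:
    """Minimal content match, standing in for a rule's 'content' option."""
    return pattern in payload


# Constructed sample: a 16-byte request split into 8-byte pieces (as in the
# 8-byte fragment setting).  The third fragment re-sends bytes 8..15 with
# different content, so the two copies disagree and the policy decides.
SAMPLE_FRAGS = [
    Fragment(0, b"GET /ind"),
    Fragment(8, b"ex.html "),   # first copy of bytes 8..15
    Fragment(8, b"ex.cgi? "),   # overlapping re-send of bytes 8..15
]
SIGNATURE = b"/index.cgi"       # hypothetical pattern a rule might look for


def demo() -> Dict[str, object]:
    """Reassemble under both policies and show where a signature would fire."""
    old = reassemble(SAMPLE_FRAGS, "old")
    new = reassemble(SAMPLE_FRAGS, "new")
    return {
        "favour_old": old,
        "favour_new": new,
        "overlaps": find_overlaps(SAMPLE_FRAGS),
        "sig_old": signature_matches(old, SIGNATURE),
        "sig_new": signature_matches(new, SIGNATURE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running it shows `favour_old` as `GET /index.html ` and `favour_new` as `GET /index.cgi? `; the hypothetical signature fires only under the "new" policy, while `overlaps` reports the pair `(1, 2)` under both. That is the practical lesson of the tables above: an IDS that cannot be told the target's reassembly policy should at least treat overlapping fragments as an event in their own right.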
SCENARIO 2.2 – METASPLOIT
Metasploit is a very popular and useful framework that security professionals should make use of. This part of the experiment demonstrated how such a framework can be used by professionals to test the effectiveness of their security controls. The same approach as before was used: first an exploit was chosen (DISTCC) and launched at the target directly, without any evasion method.
At first the IDS did not detect the attack, and after careful examination it was confirmed that the IDS did not have a signature for it; the captured packets were therefore analysed for any unique characteristics that could be used as a signature for this attack. A signature was then created, tested, and confirmed to detect the attack.
An evasion technique was then chosen from those Metasploit recommended (Metasploit comes with many evasion methods, and which ones are suitable depends on the exploit) and the attack was launched again. This time the IDS failed to detect it. After a careful and stressful analysis of the captured traffic a set of signatures was created and tested, and proved very successful in detecting the attacks, to the extent that no other variation of the attack could pass the IDS without being detected.
This illustrates how useful such tools can be for researchers: they make it very easy to test current technologies and develop solutions for the issues raised, procedures that would take a considerable amount of time without such tools.
Finally for this part of the experiment the same Metasploit evasion method used previously was combined with fragroute to evade detection. This demonstrates the challenge that researchers, developers and current IDSs face, and also shows that these tools are, or can be, used by attackers (although most of the time professional attackers have their own tools) to evade the controls intended to stop them.
This leads to a final conclusion, also illustrated below: IDSs will continue to have these limitations unless development is taken to a new level by utilising new technologies and implementing the same techniques attackers use (as will be explained in chapter eight), because at the moment the majority of the developments that have taken place are based on the methods discussed in a 1998 paper (Newsham 1998), which is considered in the IT field to be very old and outdated and should have been resolved long ago.
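The two paragraphs above describe the same analyst workflow twice: collect captures of the attack (plain, then with an evasion method applied), look for bytes that every attack capture shares and benign traffic to the same service does not, and turn them into a rule. The following is an added example of that workflow, written here and not the thesis author's signature, Metasploit code or IDS code. The payloads are constructed placeholders (the real DISTCC exploit traffic is deliberately not reproduced), the service name and marker bytes are invented, and port 3632 is assumed as distcc's service port since the thesis does not state it. The rule is emitted in Snort's rule syntax, which is the format the experiment's signatures would take for a Snort-style IDS.

```python
"""Deriving a content signature from captured payloads (added example).

All captures below are constructed placeholders.  The derivation keeps the
longest byte string present in every attack capture and absent from every
benign capture; a shorter invariant core would be more robust to further
variation, and an analyst would normally trim the result by hand.
"""
from typing import List, Optional

SERVICE_PORT = 3632  # assumption: distcc's port; not stated in the thesis


def common_substrings(samples: List[bytes], min_len: int) -> List[bytes]:
    """Byte strings of length >= min_len present in every sample, longest first."""
    if not samples:
        return []
    base = min(samples, key=len)          # candidates can only come from the shortest
    found = set()
    for i in range(len(base)):
        for j in range(i + min_len, len(base) + 1):
            cand = base[i:j]
            if all(cand in s for s in samples):
                found.add(cand)
    return sorted(found, key=lambda c: (-len(c), c))


def derive_signature(attack: List[bytes], benign: List[bytes],
                     min_len: int = 4) -> Optional[bytes]:
    """Longest string shared by all attack samples that no benign sample contains."""
    for cand in common_substrings(attack, min_len):
        if not any(cand in b for b in benign):
            return cand
    return None


def snort_content_escape(pattern: bytes) -> str:
    """Render bytes in Snort 'content' syntax: printable ASCII as-is, others as |hh|."""
    out: List[str] = []
    hexrun: List[str] = []
    for byte in pattern:
        if 0x20 <= byte < 0x7F and chr(byte) not in '"|;\\':
            if hexrun:
                out.append("|" + " ".join(hexrun) + "|")
                hexrun = []
            out.append(chr(byte))
        else:
            hexrun.append(f"{byte:02X}")
    if hexrun:
        out.append("|" + " ".join(hexrun) + "|")
    return "".join(out)


def make_rule(pattern: bytes, port: int, sid: int, msg: str) -> str:
    """Build a single Snort rule matching the pattern in client-to-server traffic."""
    return (f'alert tcp any any -> $HOME_NET {port} (msg:"{msg}"; '
            f'flow:to_server,established; '
            f'content:"{snort_content_escape(pattern)}"; sid:{sid}; rev:1;)')


# Constructed captures: two attack runs (the second with different job id and
# padding, standing in for an evaded variant) and two benign client requests.
ATTACK_CAPTURES = [
    b"SVC-HELLO job=17 run=\x90\x90EVIL-MARKER-A data=aaaa",
    b"SVC-HELLO job=42 run=\x90\x90EVIL-MARKER-A data=zzzzzz",
]
BENIGN_CAPTURES = [
    b"SVC-HELLO job=3 run=compile data=main.c",
    b"SVC-HELLO job=8 run=link data=app.o",
]


def build_rule_from_captures(sid: int = 1000001) -> Optional[str]:
    """End-to-end: derive the signature from the captures and emit a rule."""
    sig = derive_signature(ATTACK_CAPTURES, BENIGN_CAPTURES)
    if sig is None:
        return None
    return make_rule(sig, SERVICE_PORT, sid, "constructed service exploit marker")


if __name__ == "__main__":
    print(derive_signature(ATTACK_CAPTURES, BENIGN_CAPTURES))
    print(build_rule_from_captures())
```

The derived signature is the 26-byte string ` run=|90 90|EVIL-MARKER-A data=`, and the generated rule carries it in a `content` option with `flow:to_server,established` so it only inspects client-to-server traffic on the assumed port. The `sid` is a local-range placeholder; a deployment assigns its own.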
SCENARIO 2.3 – ENCRYPTED TUNNELS
IDSs, with all their varieties and methods of detection, are very effective and have become a main security component of any organisation's network; nevertheless, they do have limitations, as demonstrated. This is true for any IDS regardless of how advanced or state of the art it is, which is why many organisations implement a combination of different technologies to make up for these limitations.
Although researchers and developers have spent a great amount of effort, time and money improving these devices and resolving their weaknesses, and have done a great job in making IDSs better and more accurate each year, there are issues that will continue to be a concern. Some of these issues, including the ones discussed previously, are attacks concealed using some form of encryption, which is what this part of the experiment demonstrated.
Regardless of how accurate IDSs are and which signatures they have at their disposal, when encryption is used, such as the SSH tunnels applied in this experiment, all of these controls are rendered useless because the IDS cannot see the attacks. Therefore, for the time being, it is very important for organisations, students, researchers and developers to recognise these shortcomings and to apply other measures to protect their networks rather than relying fully on Intrusion Detection Systems to protect their data.
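One of the "other measures" the paragraph calls for is the traffic profiling that Table 7.1 lists as the defender's advantage: a signature IDS sees only ciphertext inside an SSH tunnel, but who connected to whom, for how long and with how much data is still visible. The following is an added example, not from the thesis, of a flow-metadata triage over constructed flow records. The sanctioned-server and admin-host sets, the thresholds and all addresses are assumptions that a real deployment would replace with its own baseline.

```python
"""Profiling SSH flows a signature IDS cannot inspect (added example).

Flow records are constructed.  The allow-lists and thresholds are assumptions
standing in for a site's own baseline of normal SSH use.
"""
from dataclasses import dataclass
from typing import Dict, List

SSH_PORT = 22
ALLOWED_SSH_SERVERS = {"10.0.0.5"}   # assumption: the only sanctioned SSH endpoint
ADMIN_HOSTS = {"10.0.1.10"}          # assumption: hosts expected to initiate SSH
LONG_SESSION_S = 3600                # assumption: interactive admin sessions are shorter
BULK_BYTES = 10_000_000              # assumption: more than this is not interactive use


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    duration_s: int
    bytes_to_server: int
    bytes_from_server: int


def assess(flow: Flow) -> List[str]:
    """Return the reasons an SSH flow deviates from the expected profile (empty if none)."""
    reasons: List[str] = []
    if flow.dport != SSH_PORT:
        return reasons                       # only SSH flows are profiled here
    if flow.dst not in ALLOWED_SSH_SERVERS:
        reasons.append("ssh to unsanctioned server")
    if flow.src not in ADMIN_HOSTS:
        reasons.append("ssh from non-admin host")
    if flow.duration_s >= LONG_SESSION_S:
        reasons.append("long-lived session")
    if flow.bytes_to_server + flow.bytes_from_server >= BULK_BYTES:
        reasons.append("bulk transfer inside tunnel")
    return reasons


def triage(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map 'src->dst:port' to its reasons, keeping only flows that raised at least one."""
    out: Dict[str, List[str]] = {}
    for f in flows:
        reasons = assess(f)
        if reasons:
            out[f"{f.src}->{f.dst}:{f.dport}"] = reasons
    return out


# Constructed flow records (documentation address 192.0.2.9 stands in for an
# external host).
FLOWS = [
    Flow("10.0.1.10", "10.0.0.5", 22, 600, 20_000, 80_000),          # routine admin session
    Flow("10.0.1.77", "10.0.0.5", 22, 7200, 900_000, 50_000_000),    # non-admin, long, bulk
    Flow("10.0.1.10", "192.0.2.9", 22, 120, 5_000, 9_000),           # admin to unsanctioned host
    Flow("10.0.1.77", "10.0.0.5", 80, 30, 1_000, 40_000),            # HTTP, not profiled
]


if __name__ == "__main__":
    for key, reasons in triage(FLOWS).items():
        print(key, "->", "; ".join(reasons))
```

The routine admin session and the HTTP flow produce nothing; the second flow is flagged on three counts and the third because its destination is not a sanctioned SSH server. None of this reads the tunnel's contents, which is the point: when the payload is opaque, the control has to move to the metadata and to the endpoints.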