Firewall Wizards mailing list archives

Re: Important Comments re: Intrusion Detection


From: Aleph One <aleph1 () dfw net>
Date: Fri, 20 Feb 1998 12:43:32 -0600 (CST)

On Thu, 19 Feb 1998, Barney Wolff wrote:

> But why would it need to?  Overlapping fragments are "never" produced
> by accident or misconfiguration, and can therefore always be taken as
> an attack signature.  Are you really intending to say that if I'm dumb
> enough to use an attack that works on OS-X against a host running OS-Y,
> the IDS should ignore me until I smarten up?  It might not page somebody,
> but it surely should at least count me.

The point is that an IDS may be able to detect the anomalous traffic
but not the attack hidden by such traffic which makes their signature
database quite useless.

> What's being missed here, imho, is that the great majority of attacks
> use packets/streams that lie far outside the boundaries of legitimate
> use, despite perhaps being legal IP or TCP.


There are much more subtle attacks that fall within normal IP traffic.
In particular the one described by Vern in his paper, using the IP time to
live field, is very difficult to detect. The attacker may send the same
packet twice, once with a TTL long enough for the victim to see it and
another with the TTL long enough for the IDS to see it but short enough
for the victim to not see it. Now the IDS has to try to figure out which
packet it should use to recreate the stream. These types of packets can be
seen normally on the network when a retransmit takes a different route
with a different number of hops than the original packet.

> As with firewalls, it can be useful to think about IDS as "deny what I
> don't recognize as permitted" rather than "permit what I don't recognize
> as denied".

The problem is that network IDSs can't "deny" anything. They are fully
passive.

> Barney Wolff  <barney () databus com>

Aleph One / aleph1 () dfw net
http://underground.org/
KeyID 1024/948FD6B5 
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01 
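The two problems raised in this exchange, overlapping fragments/segments and the TTL trick where a sensor and the victim see different copies of "the same" packet, share one defensive handle: a passive sensor cannot know which copy the victim accepted, but it can notice when two segments that claim the same byte range of a stream disagree about the bytes, and it can separately note a TTL change on an otherwise identical retransmit (which, as the message says, also happens legitimately when a retransmit takes a different route). The following is an added example, not code from the original post or from any IDS product; the `Segment` record, the flow key and the alert names are assumptions chosen for illustration, and the sample segments are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed, simplified view of a TCP segment as a passive sensor would record it.
@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP TTL observed at the sensor
    payload: bytes

    @property
    def flow(self) -> Tuple[str, int, str, int]:
        return (self.src, self.sport, self.dst, self.dport)

    @property
    def end(self) -> int:
        return self.seq + len(self.payload)


def overlap(a: Segment, b: Segment) -> Optional[Tuple[int, int]]:
    """Byte range [lo, hi) covered by both segments, or None if disjoint."""
    lo = max(a.seq, b.seq)
    hi = min(a.end, b.end)
    return (lo, hi) if lo < hi else None


# Finding: (kind, flow, first overlapping seq, earlier TTL, later TTL)
Finding = Tuple[str, Tuple[str, int, str, int], int, int, int]


def audit_stream(segments: List[Segment]) -> List[Finding]:
    """Compare every segment against earlier segments of the same flow.

    - Overlapping ranges whose bytes differ are flagged: the sensor cannot
      tell which copy the receiver will use, so reassembly is ambiguous.
    - Overlapping ranges with identical bytes but a different TTL are only
      counted: a retransmit over another path looks exactly like this.
    """
    findings: List[Finding] = []
    history: Dict[Tuple[str, int, str, int], List[Segment]] = {}
    for seg in segments:
        prior = history.setdefault(seg.flow, [])
        for old in prior:
            rng = overlap(old, seg)
            if rng is None:
                continue
            lo, hi = rng
            old_bytes = old.payload[lo - old.seq:hi - old.seq]
            new_bytes = seg.payload[lo - seg.seq:hi - seg.seq]
            if old_bytes != new_bytes:
                findings.append(("INCONSISTENT_RETRANSMISSION", seg.flow, lo, old.ttl, seg.ttl))
            elif old.ttl != seg.ttl:
                findings.append(("TTL_CHANGED_SAME_DATA", seg.flow, lo, old.ttl, seg.ttl))
        prior.append(seg)
    return findings


# Constructed sample traffic (addresses, ports and payloads are made up).
SAMPLE: List[Segment] = [
    # Flow A: plain retransmit that arrived via a longer path (benign).
    Segment("10.0.0.5", "10.0.0.80", 40001, 80, 1000, 64, b"GET /index.html"),
    Segment("10.0.0.5", "10.0.0.80", 40001, 80, 1000, 61, b"GET /index.html"),
    # Flow B: same sequence number, different bytes, short TTL on the first copy.
    Segment("10.0.0.9", "10.0.0.80", 40002, 80, 2000, 12, b"GET /a.html"),
    Segment("10.0.0.9", "10.0.0.80", 40002, 80, 2000, 64, b"GET /b.html"),
    # Flow B: a consistent partial overlap (no alert), then an inconsistent one.
    Segment("10.0.0.9", "10.0.0.80", 40002, 80, 3000, 64, b"ABCDEFGH"),
    Segment("10.0.0.9", "10.0.0.80", 40002, 80, 3004, 64, b"EFGH"),
    Segment("10.0.0.9", "10.0.0.80", 40002, 80, 3004, 64, b"XYZW"),
]


if __name__ == "__main__":
    for kind, flow, seq, ttl_old, ttl_new in audit_stream(SAMPLE):
        print(f"{kind:28s} {flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]} "
              f"seq={seq} ttl {ttl_old}->{ttl_new}")
```

Run as a script it prints one TTL-change count for flow A and three inconsistency alerts for flow B (the last overlap conflicts with two earlier segments, so it is reported twice). The sensor still cannot say which copy the victim processed, which is the point of the thread; what it can do is refuse to silently pick one, and surface the ambiguity instead.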
