Firewall Wizards mailing list archives
Re: Important Comments re: INtrusion Detection
From: Aleph One <aleph1 () dfw net>
Date: Fri, 20 Feb 1998 12:43:32 -0600 (CST)
On Thu, 19 Feb 1998, Barney Wolff wrote:
> But why would it need to? Overlapping fragments are "never" produced by accident or misconfiguration, and can therefore always be taken as an attack signature. Are you really intending to say that if I'm dumb enough to use an attack that works on OS-X against a host running OS-Y, the IDS should ignore me until I smarten up? It might not page somebody, but it surely should at least count me.
The point is that an IDS may be able to detect the anomalous traffic but not the attack hidden by such traffic which makes their signature database quite useless.
> What's being missed here, imho, is that the great majority of attacks use packets/streams that lie far outside the boundaries of legitimate use, despite perhaps being legal IP or TCP.
There are much more subtle attacks that fall within normal IP traffic. In particular the one described by Vern in his paper, using the IP time to live field, is very difficult to detect. The attacker may send the same packet twice, once with a TTL long enough for the victim to see it and another with the TTL long enough for the IDS to see it but short enough for the victim to not see it. Now the IDS has to try to figure out which packet it should use to recreate the stream. These types of packets can be seen normally on the network when a retransmit takes a different route with a different number of hops than the original packet.
> As with firewalls, it can be useful to think about IDS as "deny what I don't recognize as permitted" rather than "permit what I don't recognize as denied".
The problem is the network IDSs can't "deny" anything. They are fully passive.
> Barney Wolff <barney () databus com>
Aleph One / aleph1 () dfw net http://underground.org/ KeyID 1024/948FD6B5 Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
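The ambiguity Aleph One describes (two copies of the same segment carrying different data at different TTLs) is something a passive monitor can at least flag even when it cannot resolve it. The following checker is an added example, not code from this thread or from any IDS discussed in it: it records the byte seen at each sequence offset of a stream and reports retransmissions that disagree, noting whether the TTL changed as well. `Segment`, `StreamMonitor` and the sample packet records are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Segment:
    # One TCP segment as seen by the monitor (constructed record)
    seq: int        # sequence number of the first payload byte
    ttl: int        # IP time-to-live observed at the monitor
    payload: bytes


@dataclass
class StreamMonitor:
    """Remembers the byte seen at each sequence offset of one stream and
    reports retransmissions that carry different data for the same offset."""
    seen: dict = field(default_factory=dict)   # offset -> (byte, ttl)
    alerts: list = field(default_factory=list)

    def observe(self, seg: Segment) -> list:
        found = []
        for i, b in enumerate(seg.payload):
            pos = seg.seq + i
            prev = self.seen.get(pos)
            if prev is None:
                self.seen[pos] = (b, seg.ttl)
            elif prev[0] != b:
                # Two copies of the same offset with different data: the
                # end host accepted at most one of them, and the monitor
                # cannot tell which without knowing the path length.
                found.append({"seq": pos,
                              "first": prev,
                              "later": (b, seg.ttl),
                              "ttl_differs": prev[1] != seg.ttl})
        self.alerts.extend(found)
        return found


def inconsistent_retransmissions(segments) -> list:
    """Run all segments through a fresh monitor and return its alerts."""
    mon = StreamMonitor()
    for seg in segments:
        mon.observe(seg)
    return mon.alerts


# Constructed sample: an exact retransmit over a longer path (no alert),
# then a copy that differs in its last byte and in TTL (one alert).
SAMPLE = [
    Segment(seq=1000, ttl=64, payload=b"HELO a"),
    Segment(seq=1000, ttl=57, payload=b"HELO a"),
    Segment(seq=1000, ttl=12, payload=b"HELO b"),
]
```

An exact retransmit that merely took a different route produces no alert, so the legitimate case the message mentions does not trigger it; only disagreeing copies are reported, and resolving which one the victim saw is left to the operator.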