IDS mailing list archives

Previous By Date Next
Previous By Thread Next

IDS bypassing

From: "Ed3f" <ed3f () overminder com>
Date: Mon, 30 Dec 2002 00:43:43 +0100

******************** SECURITY ALERT ********************


Systems Affected

        NAT/PAT/load_balancing/packet_manipulation implementations


Risk

        medium


Overview

        Multiple vendors' implementations of
NAT/PAT/load_balancing/packet_manipulation
        calculate level 4 checksum from scratch.
        This could be used by an attacker to bypass or confuse a NIDS with a stream
        of packets with a temporary invalid checksum.


Description

        Look the scheme:

        Evil --[badSYN]--> Router --[badSYN]--> Load_Balancer --[SYN]--> WebServer
                                                  |                                 |
                                                NIDS1                             NIDS2

        NIDS1 will see a TCP SYN with invalid checksum while NIDS2 will see a valid
        and modifyed SYN. So the webserver will reply to us with a SYN+ACK, letting
        us talk with it while causing a lot of doubts to NIDS1.
        A NIDS network or a DIDS could be confused ignoring the packet or
considering
        it like two different packets (1 valid, 1 invalid) inexplicably received
only
        by one system (NIDS1 receives the invalid SYN, NIDS2 receives the valid
SYN).

        The complete study is available at:
        http://www.phrack.org/phrack/60/p60-0x0c.txt


Solution

        Check the behaviour of every device on your network and eventually update
        your NIDS configuration (not) to analyze level 4 checksum.
        Apply the patch when available.



******************************   Ed3f
*****************************0x000001*
Previous By Date Next
Previous By Thread Next

Current thread: