IDS mailing list archives
IDS bypassing
From: "Ed3f" <ed3f () overminder com>
Date: Mon, 30 Dec 2002 00:43:43 +0100
******************** SECURITY ALERT ******************** Systems Affected NAT/PAT/load_balancing/packet_manipulation implementations Risk medium Overview Multiple vendors' implementations of NAT/PAT/load_balancing/packet_manipulation calculate level 4 checksum from scratch. This could be used by an attacker to bypass or confuse a NIDS with a stream of packets with a temporary invalid checksum. Description Look the scheme: Evil --[badSYN]--> Router --[badSYN]--> Load_Balancer --[SYN]--> WebServer | | NIDS1 NIDS2 NIDS1 will see a TCP SYN with invalid checksum while NIDS2 will see a valid and modifyed SYN. So the webserver will reply to us with a SYN+ACK, letting us talk with it while causing a lot of doubts to NIDS1. A NIDS network or a DIDS could be confused ignoring the packet or considering it like two different packets (1 valid, 1 invalid) inexplicably received only by one system (NIDS1 receives the invalid SYN, NIDS2 receives the valid SYN). The complete study is available at: http://www.phrack.org/phrack/60/p60-0x0c.txt Solution Check the behaviour of every device on your network and eventually update your NIDS configuration (not) to analyze level 4 checksum. Apply the patch when available. ****************************** Ed3f *****************************0x000001*
Current thread:
- IDS bypassing Ed3f (Dec 30)
- <Possible follow-ups>
- RE: IDS bypassing charles lindsay (Dec 30)