Penetration Testing mailing list archives

Re: AppScan and IDS evasion


From: Chris Brenton <cbrenton () chrisbrenton org>
Date: Sat, 28 Jun 2008 06:41:21 -0400

On Fri, 2008-06-27 at 16:53 -0500, TH wrote:

For instance, what if an attacker with nice network connectivity such
that they can spoof packets without any filtering, and then they run
snot or sneeze, or whatever the IDS/IPS triggering tool of choice
is...while spoofing traffic as though it's coming from...

$ for i in a b c d e f g h i j k l m ; do  dig +short $i.root-servers.net; done

Seen this in the wild. Nothing worse than a financial institution that
can no longer find anything. ;-)

The "belief" is that an attacker can not spoof a TCP session because the
three-packet handshake is required prior to data transmission. I've
found a few exceptions in my travels:

1) IDS/IPS will tag malicious payloads in the SYN
2) State is not properly maintained or skipped on some TCP ports so a
single malicious ACK does the trick
3) Shunning based on UDP which is easily spoofed

HTH,
C
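A defender-side guard for the auto-shun decision, added here as an example and not code from the original thread or from any tool it names: it refuses to block on any of the three spoofable triggers listed above (payload in a bare SYN, a lone ACK with no tracked session, any UDP trigger) and never blocks an address on a protected allow-list such as the root DNS servers. The `Alert` record and the allow-list contents are constructed for illustration; in practice the list would be populated from the `dig` loop quoted above plus the site's own resolvers and gateways.

```python
"""Guard for an IDS/IPS auto-shun hook (example, not from the original post).

Spoofed triggers let an attacker make the IPS block a forged source. If that
forged source is a root DNS server, the IPS has just cut the site off from
name resolution. Only shun when the sensor saw a full TCP handshake, and
never shun a protected address: log it and hand it to an analyst instead.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    src: str           # source address the sensor attributes the trigger to
    proto: str         # "tcp" or "udp"
    tcp_flags: str     # e.g. "S", "A", "PA"; "" for UDP
    established: bool  # True only if the sensor tracked the 3-way handshake


# Constructed allow-list using documentation ranges. Real deployments would
# hold the a..m.root-servers.net addresses and the site's own resolvers.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24",  # constructed: stands in for root-servers.net
    "203.0.113.53/32",  # constructed: stands in for the local resolver
)]


def is_protected(addr: str) -> bool:
    """True if addr falls inside any protected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROTECTED)


def should_shun(alert: Alert) -> tuple[bool, str]:
    """Return (shun?, reason). Shun only on evidence the source is genuine."""
    if is_protected(alert.src):
        return False, "protected address: log and page an analyst, never shun"
    if alert.proto != "tcp":
        return False, "UDP trigger: source is trivially spoofable (exception 3)"
    if not alert.established:
        if "S" in alert.tcp_flags and "A" not in alert.tcp_flags:
            return False, "payload in bare SYN: no handshake seen (exception 1)"
        return False, "no tracked session: lone ACK can be forged (exception 2)"
    return True, "trigger observed inside an established TCP session"
```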


