Warning About IDS Evasion Greeted by Chorus of ‘Meh’

‘All your IDS are belong to us,’ was the message on Monday, after researchers at networking security equipment vendor Stonesoft announced the discovery of evasion techniques that could be used by sophisticated attackers to bypass network based IDS and IPS. The disclosure raises questions about the effectiveness of a wide range of networking security products, but experts say those kind of questions are nothing new.

‘All your IDS are belong to us,’ was the message on Monday, after researchers at networking security equipment vendor Stonesoft announced the discovery of evasion techniques that could be used by sophisticated attackers to bypass network based IDS and IPS. The disclosure raises questions about the effectiveness of a wide range of networking security products, but experts say those kind of questions are nothing new.
In a coordinated release with the Finnish CERT (CERT-FI), the Helsinki-based firm went public with what it described as a new breed of ‘evasion techniques’ that can fool most commercially available intrusion detection (IDS) and intrusion prevention (IPS) products.

CERT-FI issued an advisory suggesting organizations “employing intrusion detection or prevention systems to protect their networks should consider employing complementary means for detecting and preventing network attacks.” However, there is no evidence that the attack methodologies, made possible by an internally developed testing tool at Stonesoft, are being used in the wild.

Neither Stonesoft nor CERT-FI disclosed details of the vulnerabilities. However, in a technical presentation made available on its Web site, Stonesoft said that the holes were discovered using an internal testing tool it has dubbed “Predator,” which includes its own TCP stack, not the one provided by the host operating system, allowing Stonesoft to test (or “fuzz”) common protocols such as TCP, MSRPC, IPv4 and SMB and try evasion techniques at multiple network layers simultaneously.

As an example, Stonesoft described one evasion method the company has discovered that involves rapidly opening and closing at TCP connection on a target system, while manipulating a setting called TCP TIME_WAIT to keep the TCP/IP socket that is created open. Using Predator’s custom TCP stack, the attacker then creates a new connection to the same source port, allowing it to bypass the resident IPS, which believes the connection to already have been inspected.

Researchers working for Stonesoft have been delving into evasion techniques since 2007 in an effort to improve Stonesoft’s own products, said Matt McKinley, Director of Product Management in the U.S.

“In the process of doing so, we basically discovered that its possible to combine multiple evasion techniques together working at different layers (of the IP stack) and they can confound the IPS and become hard to protect,” he said.

The custom TCP/IP stack is a key ingredient in the new attack, McKinley said. It breaks the common assumption that attacker will simply leverage the operating system’s standards-based TCP/IP implementation in its attack. Such an approach isn’t new, but requires a significant investment of time and money. Still, that’s well within the reach of modern “advanced persistent threats” such as those backed by nation states, commercial competitors or cyber crime syndicates, McKinley said.

“We think this method is already in use and it would account for many penetrations that go unexplained,” McKinley said.

But security experts consulted by Threatpost noted that strategies for evading IDS and IPS are almost as old as the technology itself, including the kinds of evasion techniques described by Stonesoft.

A 1998 paper by Thomas Ptacek and Timothy Newsham of Secure Networks Inc. describes many of the core techniques for disabling or evading intrusion detection systems. Jack Walsh, the Network IPS Program Manager at ICSA Labs said vendors, limited by time and resources, tend to focus on likely attack vectors, rather than feasible, but unlikely attacks.

Walsh said his organization validated the 40 or so evasion techniques detailed by Stonesoft, and said some are variations of known attacks, and others are novel. Still, ICSA hasn’t decided haven’t decided whether to begin using any of the new evasion methods for in its own product evaluations.

“We’ve always tested against evasion techniques, but we try to focus on what exists in the publicly or commercially available or known in the Internet community. We’re going to have a discussion about whether these new techniques meet that standard,” Walsh said.

Stonesoft’s publicizing of the vulnerabilities – including marketing literature, a dedicated Web site and video presentation have tended to sensationalize what most experts feel is just another data point in a long string of revelations about the limitations of networking security technology like IDS and IPS.

“It’s like they discovered some new buffer overflows and they’re acting as if they’ve discovered buffer overflows,” said Chris Wysopal, CTO at Veracode, a software testing firm.

“We’ve known for a long time that the (IDS) model can never be done correctly. Over time, we’ve seen IDS and IPS makers come up with better ways of defeating evasions, and attackers come up with new kinds of evasion that drive detection back down. There are just so many different problems with the whole class of devices,” he said.

Suggested articles

Discussion

  • Anonymous on

    a typical 'meh' situation, in the ever glorious battelfields of dear Information Te'hnology.

    What will you tell the customer this time,

    "I knew that all along, don't worry. Nobody's able to do anything about it anyway. Yeah, i got it covered. I'm so smart i was able to delude your ass for this long, i can delude any attacker's ass as well. " Well, that would work because despite failing technology nothing major happended. Didn't it !?

    I think to remember the 1998 paper because of the office-riot it caused in those earlyish days. Besides the fired-up discussions mostly concluding it would not work for even 90% but hey, let's go and install one ( said the boss ). Meh. Shut up and dance so they say every day. In a way this kind of advertisement is a mitigation in itself, referring to a paper from 1998, a Gartner study from 2003. On products in use in 2010. One could only hope those dollars and euros were well spent on some more recent technologies doing better then +7 years ago.
  • Anonymous on

    what?

  • Bobby on

    Intrusion detection systems aren't enough to protect networks. Only a part of a holistic approach. Gartner is now saying that security products need to be contextually aware. An interesting change from the static approach.

  • bunk on

    Let's see em and what configuration and environment they are actually effective within.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.