Intrusion Detection (from Phrack.com)
By: July • Research Paper • 5,634 Words • February 18, 2010 • 1,080 Views
(Taken from phrack.com, the best Hacker zine ever)
-------------------------[ Defeating Sniffers and Intrusion Detection Systems
----[ Overview
The purpose of this article is to demonstrate some techniques that can be used
to defeat sniffers and intrusion detection systems. This article focuses
mainly on confusing your average "hacker" sniffer, with some rough coverage of
Intrusion Detection Systems (IDS). However, the methods and code present in
this article should be a good starting point for getting your packets past ID
systems. For an intense examination of attack techniques against IDS, check
out: http://www.nai.com/products/security/advisory/papers/ids-html/doc000.asp.
There are a large number of effective techniques other than those that are
implemented in this article. I have chosen a few generic techniques that
hopefully can be easily expanded into more targeted and complex attacks. After
implementing these attacks, I have gone through and attempted to correlate
them to the attacks described in the NAI paper, where appropriate.
The root cause of the flaws discussed in this article is that most sniffers
and intrusion detection systems do not have as robust a TCP/IP
implementation as the machines that are actually communicating on the network.
Many sniffers and IDS use a form of datalink level access, such as BPF, DLPI,
or SOCK_PACKET. The sniffer receives the entire datalink level frame, and
gets no contextual clues from the kernel as to how that frame will be
interpreted. Thus, the sniffer has the job of interpreting the entire packet
and guessing how the kernel of the receiving machine is going to process it.
Luckily, 95% of the time, the packet is going to be sane, and the kernel
TCP/IP stack is going to behave rather predictably. It is the other 5% of the
time that we will be focusing on.
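The following is an added example, not code from the Phrack article, showing the point just made: a sniffer that reads raw frames sees only bytes and must re-implement the receiving kernel's TCP/IP logic to know what the host actually consumed. It builds a small constructed capture (IPv4/TCP segments between the made-up addresses 10.0.0.1 and 10.0.0.2, initial sequence number 1000) and runs two reassemblers over it: one that concatenates payloads in arrival order, as many simple sniffers do, and a simplified model of what the receiving host does (verify IP and TCP checksums, reorder by sequence number, deliver only the contiguous stream). The "kernel-style" model is an assumption for illustration and does not model the receive window or any overlap policy.

```python
import struct

# Constructed endpoints and initial sequence number (assumptions for the demo).
SRC, DST = "10.0.0.1", "10.0.0.2"
SPORT, DPORT = 40000, 80
ISN = 1000


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum. Run over data that already contains a
    correct checksum it returns 0, which is how verification is done below."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def build_segment(seq: int, payload: bytes, corrupt: bool = False) -> bytes:
    """Build an IPv4 packet carrying one TCP segment (PSH|ACK) with correct
    IP and TCP checksums. With corrupt=True the last payload byte is flipped
    after the checksum is computed, so the receiving host will discard it."""
    tcp = struct.pack("!HHIIBBHHH", SPORT, DPORT, seq, 0, 5 << 4, 0x18,
                      65535, 0, 0) + payload
    pseudo = ip_to_bytes(SRC) + ip_to_bytes(DST) + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", ones_complement_sum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_to_bytes(SRC), ip_to_bytes(DST))
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    pkt = ip + tcp
    if corrupt:
        pkt = pkt[:-1] + bytes([pkt[-1] ^ 0xFF])
    return pkt


def parse(pkt: bytes):
    """Return (ip_ok, tcp_ok, seq, payload) for one IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_ok = ones_complement_sum(pkt[:ihl]) == 0
    tcp = pkt[ihl:total_len]
    # Pseudo-header: src, dst, zero, protocol byte from the IP header, TCP length.
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, pkt[9], len(tcp))
    tcp_ok = ones_complement_sum(pseudo + tcp) == 0
    seq = struct.unpack("!I", tcp[4:8])[0]
    data_offset = (tcp[12] >> 4) * 4
    return ip_ok, tcp_ok, seq, tcp[data_offset:]


def naive_reassemble(packets) -> bytes:
    """What a simple sniffer does: trust every frame, keep arrival order."""
    return b"".join(parse(p)[3] for p in packets)


def kernel_style_reassemble(packets, isn: int) -> bytes:
    """Simplified model of the receiving host: discard segments with bad
    checksums, queue the rest by sequence number and deliver only the
    contiguous stream starting at isn (no window or overlap policy modelled)."""
    queue = {}
    for p in packets:
        ip_ok, tcp_ok, seq, payload = parse(p)
        if not (ip_ok and tcp_ok):
            continue  # the host silently drops it, so the sniffer must as well
        queue.setdefault(seq, payload)  # first valid copy of a sequence number wins
    stream, nxt = b"", isn
    while nxt in queue:
        seg = queue.pop(nxt)
        stream += seg
        nxt += len(seg)
    return stream


# Constructed capture: "GET /index.html" sent as three segments arriving out of
# order, with a corrupted copy of the middle segment followed by a valid retransmit.
CAPTURE = [
    build_segment(ISN, b"GET "),
    build_segment(ISN + 4, b"/index", corrupt=True),
    build_segment(ISN + 10, b".html"),
    build_segment(ISN + 4, b"/index"),
]

if __name__ == "__main__":
    print("sniffer saw  :", naive_reassemble(CAPTURE))
    print("host received:", kernel_style_reassemble(CAPTURE, ISN))
```

Run stand-alone, the arrival-order reassembler yields a stream with a corrupted byte and the request fragments in the wrong order, while the host-model reassembler yields exactly `GET /index.html`. Any detection rule matched against the first stream misses what the host actually processed; this is the class of discrepancy the rest of the article builds on, and the mitigation on the monitoring side is to validate checksums and reorder by sequence number before inspecting content.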
This article is divided into three sections: an overview of the techniques
employed, a description of the implementation and usage, and the code. Where
possible, the code has been implemented in a somewhat portable format: a
shared library that wraps around connect(), which you can use LD_PRELOAD to
"install" into your normal client programs. This shared library uses raw
sockets to create TCP packets, which should work on most unixes. However, some
of the attacks described are too complex to implement with raw sockets, so
simple OpenBSD kernel patches are supplied. I am working on complementary
kernel patches for Linux, which will be placed on the rhino9 web site when
they are complete. The rhino9 web site is at: http://www.rhino9.ml.org/
----[ Section 1. The Tricks
The first set of tricks is solely designed to fool most sniffers, and will
most likely have no effect on a decent ID system. The second set of tricks
should be advanced enough to start to have an impact on the effectiveness of
an intrusion detection system.
Sniffer Specific Attacks
------------------------
1. Sniffer Design - One Host Design
The first technique is extremely simple, and takes advantage of the design of
many sniffers. Several hacker sniffers are designed to follow one connection,
and ignore everything