Analysis of basic IDS evasion techniques and related countermeasures (1)

In the days when the network is booming, network security issues have become increasingly prominent. Black and white channels on the network are fiercely competitive in various fields of network security. The Black Hat community is constantly introducing new technologies to avoid or bypass Network Intrusion Detection Systems (NIDS). NIDS developers are constantly adding Detection techniques to their own products.

However, due to the limitations of NIDS, the day of victory is leaning towards the black hat. This article will discuss some basic IDS evasion technologies and how to identify these technologies.

1. Weakness of String Matching

The IDS evasion technique for basic string matching vulnerabilities was first proposed and implemented. Some pattern-based intrusion detection devices rely almost entirely on string matching algorithms. For a poorly written pattern, attackers can easily destroy string matching.

Although not all intrusion detection systems are purely based on signatures, most of them depend heavily on string matching algorithms. Here, we will use the open source code tool snort for discussion.

In UNIX systems,/etc/passwd is an important file that contains information such as the user name, group member relationship, and shell allocated to the user. We will start from monitoring access to the/etc/passwd file. The following is the snort detection rule for detection:

Alert tcp $ EXTERNAL_NET any-> $ HTTP_SERVERS 80 (msg: "WEB-MISC/etc/passwd ";

Flags: A +; content: "/etc/passwd"; nocase; classtype: attempted-recon; sid: 1122; rev: 1)

Snort uses string matching algorithms to detect HTTP requests that contain signatures (/etc/passwd. However, the signature of this rule is too simple. Attackers can easily bypass detection by modifying the Attack String (we do not consider that the attack request is sent through HTTP ). For example, you can change the attack request from GET/etc/passwd to GET/etc/// passwd or GET/etc/rc. d /.. /. // passwd, the modification method is countless.

This is the most basic anti-virus technology, and it is relatively easy to detect this technology. You only need to carefully consider the possible variants of attacks when writing signatures. Currently, most popular intrusion detection systems have powerful string matching capabilities, which is sufficient to detect most variants of such attacks. However, some poorly-written signatures can give attackers a chance.

Attackers can also make changes on this basis, which increases the defense difficulty of the intrusion detection system with little effort. For example, in an interactive session such as telnet, attackers attempt to read the/etc/passwd file.

Generally, intrusion detection systems have many signatures, such as misuse operations and backdoors. However, these signatures generally only contain the hacker tool name, file name, and program name. When obtaining the content of the/etc/passwd file, we do not directly input command lines such as cat/etc/passwd, but use a command interpreter (for example: perl) to achieve our goal:

Badguy @ host $ perl-e

'$ Foo = pack ("C11", 47,101,116, 115,115,119,100 );

@ Bam = '/bin/cat/$ foo'; print "@ bam/n ";'

From this command, the intrusion detection system will not reorganize the/etc/passwd characters. Obviously, it is very difficult to defend against such attacks, because it requires the intrusion detection system to be able to understand how such interpreters receive commands, which is not realistic.

Of course, the intrusion detection system can also trigger alarms for suspicious behaviors using the interpreter, but it is difficult to precisely monitor attack behaviors.

By combining string processing technology and character replacement technology, we can implement more complicated string camouflage. For WEB requests, we do not need to use the command interpreter. In our requests, we can use a hexadecimal URL. The following requests can be interpreted as/etc/passwd by the target WEB server:

GET % 65% 74% 63/% 70% 61% 73% 73% 64

Or

GET % 65% 74% 63/% 70a % 73% 73% 77d

To capture all variations of this string, you may need more than 1000 signatures for string matching, which is not considered UNICODE. UNICODE provides another character expression. This article will not discuss more about the unicode ids spoofing technology.

For more details, see IDS Evasion with Unicode of SecurityFocus. In addition, RainForestPuppy uses another IDS spoofing technology in its HTTP scanning tool Whisker:

-I 1 IDS-evasive mode 1 (URL encoding)

-I 2 IDS-evasive mode 2 (// directory insertion)

-I 3 IDS-evasive mode 3 (prematurely ending the URL)

-I 4 IDS-evasive mode 4 (Long URL)

-I 5 IDS-evasive mode 5 (counterfeit parameter)

-I 6 IDS-evasive mode 6 (TAB Division) (not NT/IIS)

-I 7 IDS-evasive mode 7 (case sensitive)

-I 8 IDS-evasive mode 8 (Windows delimiter)

-I 9 IDS-evasive mode 9 (Session stitching) (slow)

-I 0 IDS-evasive mode 0 (NULL method)

If you want to know the technical details of these methods, refer to A Look At Whisker's Anti-IDS Tactics. Rfp separately places the anti-ids technology used by whisker into the libwhisker Library (written in perl, it provides great convenience for other programs to adopt these technologies. In addition, scanning tools such as nessus and babelweb have their own application-layer intrusion detection and avoidance technologies.

At present, IDS developers have a better understanding of various network protocols, and intrusion detection devices perform necessary protocol analysis before matching the data packet load, therefore, the current IDS can well handle the above spoofing technology.

However, redundant character conversion increases the load of the intrusion detection system, sometimes outweighs the loss. To reduce this negative impact, developers can enable the intrusion detection system to convert characters only on specific ports.