Understanding the active response mechanism of IDS


Release date: 2002-02-26

Liuyun
Linuxaid Forum

Among developers the question is still "What is the most effective way to detect attacks?", while IDS users, for their part, remain satisfied with what current IDS technology offers. To gain a competitive edge, many IDS vendors have added an active response feature to their products. The idea behind this feature is that the IDS detects the attacker's behavior and then prevents the attacker from continuing the attack. The problem is that an attacker with a little knowledge of TCP/IP can easily defeat these response mechanisms outright, or can abuse them to block legitimate traffic so that the administrator has to disable them. For administrators, understanding the limitations of active response helps them avoid blindly trusting the vendors. The vast majority of response mechanisms take one of the following two forms:
1. Stop a session
2. Firewall Linkage

I. Introduction to the "session blocking" mechanism
Session blocking is currently the most common method offered by IDS vendors. It is popular because it needs no support from external devices (such as firewalls) and is easy to implement. The mechanism itself is very simple. Below we analyze it step by step and show how it can be bypassed. I hope my comments will not arouse the dislike of the vendors.
The following uses the IIS Unicode directory traversal attack as an example of how the mechanism works. The attacker sends the following request, which consists of 51 bytes. The 51 bytes are split across three TCP segments, each 20 bytes long (the last one shorter), as shown below:

Data:    /scripts/..%c0%af../winnt/system32/cmd.exe/C+dir+foo
         +-------------------+-------------------+-----------+
Offset:  0                   20                  40          51
Seq num: 100                 120                 140         151

The IDS discussed in this article is a product with the following features:
1. It has a signature for the attack pattern "system32/cmd.exe".
2. It can reassemble all fragmented packets and TCP streams.
3. It decodes Unicode, hex (hexadecimal encoding), escape and base64 encodings.
If an attacker simply sends this request unchanged, the IDS will detect the attack and raise an alarm. In normal processing, the operating system's IP stack generates a random ISN for the connection and then sends the data in the three packets shown above. (Of course, as we all know, this cannot be done simply through a browser; it is only an example.)
After each packet is sent, the IP stack of some systems waits a while for the receiver's acknowledgement before sending the next. Other stacks send all three packets at once and then retransmit whatever the receiver does not acknowledge. Although operating systems handle the connection differently once it is in the ESTABLISHED state, the key point is that the stack can certainly have a number of packets in flight at the same time. In this example the IDS raises an alarm when it receives the third packet: having already seen the first and second, it can now reassemble the whole session and match the signature. If the IDS has a session blocking function, it then sends a TCP reset packet to both ends of the connection to cut it actively. Both stacks interpret the reset as coming from the other end, stop communicating, release their buffers and discard all TCP state. At that moment the attack data may still be sitting in the target host's TCP/IP buffer, not yet handed to the application; because the buffer is discarded, the attack never takes effect.
For the reset to work, the IDS must know the current sequence number and acknowledgement number of the session; otherwise the reset is ignored. In this example the reset's sequence number must be 152 (one greater than the last sequence number). If the reset you send carries 142 instead, the stack treats it as an invalid or corrupted packet and ignores it. (At this point the problem should be becoming clear.)

II. Bypassing "session blocking"
Attackers can bypass the session blocking mechanism, and most of the bypass methods rely on timing.
If the attack does not require an interactive session, the attacker can simply set the PUSH flag on the TCP/IP packets to win the race. A TCP/IP stack does not normally hand small amounts of data to the application as soon as they arrive: doing so would cost the application many system calls and context switches for very little data, so the stack accumulates the data in a buffer and, when the buffer is full, hands it all to the application at once. In the example above, all 51 bytes are delivered to the application only after the complete data has been received.
Some applications want their data as quickly as possible and are willing to pay that extra cost for speed. The PUSH flag tells the TCP/IP stack to deliver the data to the application immediately upon receipt. However, this does not help if you want a directory listing, because as soon as the data is passed to the application the session is terminated and you get no interactive process. If all you want is to copy a file into the web server's path so that it can be downloaded through a browser, the method works, because the whole operation needs no interaction (for example, copying the SAM file into the web path).
If you need to keep the session alive so as to get an interactive process, this article introduces a set of techniques for that purpose. The trick is to make the target host ignore the reset packets: the IDS then believes it has terminated the session while the attacker keeps working.
The first point in the attacker's favor is that every IDS has a delay in responding to attacks: capturing the packet, detecting the attack, generating the reset and finally sending it all take time. Many IDSs use the libpcap library to capture packets, and most are built on BSD-like systems, where BSD uses BPF (Berkeley Packet Filter) for capture; BPF opens a large buffer by default. On a typical network an IDS issues its reset with a delay of about half a second. Linux and Solaris do slightly better, but there is always a delay.
To invalidate the reset sent by the IDS, we must make sure that once the session carries the attack signature, the next packet reaches the target host before the reset does. Next we briefly explain, through TCP's working mechanism, how the target host can be made to ignore the IDS reset.
As everyone knows, TCP has the concept of a window. Of the data the system has received, some has already been handed to the application and some is held in the buffer waiting to be handed up; in addition, the system has empty space for accepting new data, as follows:

+--------------------------------+------------------+------------+
| data handed to the application | unprocessed data | empty zone |
+--------------------------------+------------------+------------+
                                                    ^
                                                    |
                                          current pointer (CP)

                                 |<---------- window ----------->|

The data in the buffer and the empty zone together make up the TCP window. Only data within the window can be sent, received or reset; data before the window (that is, data already handed to the application) has been processed, and data beyond the window is ignored. As shown above, the TCP stack uses the current pointer CP to mark the start of the empty area: CP points to where the next expected packet begins, and its value equals the acknowledgement number. For example, if the stack has received 76 bytes so far, the acknowledgement value is 77; when the next packet arrives, CP moves to the end of that packet + 1.
Because TCP packets need not arrive in order, a later packet may arrive before an earlier one; for example, the packet starting at byte 90 may arrive before the packet starting at byte 77. All arriving packets enter the buffer, but CP stays at position 77 until the packet starting at byte 77 arrives. When it does, CP moves in one step to the end of all the received data, as shown below:
+--------------------------------+------------------+-----------------------------+----------------------------+------------+
| data handed to the application | unprocessed data | empty zone                  | later data (arrived early) | empty zone |
+--------------------------------+------------------+-----------------------------+----------------------------+------------+
                                                    ^
                                                    |
                                          current pointer (CP)

Out-of-order packet arrival

+--------------------------------+------------------+-----------------------------+----------------------------+------------+
| data handed to the application | unprocessed data | earlier data (arrived late) | later data (arrived early) | empty zone |
+--------------------------------+------------------+-----------------------------+----------------------------+------------+
                                                                                                               ^
                                                                                                               |
                                                                                                     current pointer (CP)

When the missing packet arrives, the CP pointer moves past all of the buffered data at once.

In most TCP implementations a reset packet must be consistent with the CP pointer, otherwise it is discarded. Now everything is clear: we need only construct a series of consecutive packets that move CP. In the example above, we build a fourth packet following the third, containing for instance a space or something similar, as long as it does not affect the attack. If the two packets are sent back to back very quickly, the IDS generates a reset when it catches the third packet, but by then the fourth has already reached the target host and moved CP, so when the IDS reset arrives it is ignored (recall that the IDS has latency). There is an even better way: when constructing the packets, send the fourth packet before the third. The fourth arrives first and enters the buffer, but CP does not change; when the third packet arrives, CP jumps past the fourth. In this way, no matter how fast the IDS issues its reset, a reset whose sequence number is derived from the third packet is always ignored, because CP has long since moved on.
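As an added illustration (not code from the article), the following Python model of a TCP receiver reproduces the behavior described in the two sections above: the in-order pointer the article calls CP, an out-of-order buffer, and the sequence check applied to a reset. The ISN and segment boundaries are the article's (100, offsets 0/20/40 over 51 bytes); the payload bytes are a constructed stand-in, and the exact-match reset rule is the one the article states.

```python
# Added illustration, not code from the article: a toy TCP receiver with the
# in-order pointer the article calls CP (RCV.NXT in RFC 793), an out-of-order
# buffer, and the sequence check applied to an incoming RST.

ISN = 100
PAYLOAD = b"x" * 51          # constructed 51-byte stand-in for the request


class Receiver:
    """CP advances only over a contiguous run of bytes; a RST is honoured only
    when its sequence number equals CP (the rule RFC 5961 later made explicit)."""

    def __init__(self, isn):
        self.cp = isn            # next in-order byte expected
        self.buffered = {}       # seq -> data for segments that arrived early
        self.delivered = b""
        self.aborted = False

    def segment(self, seq, data):
        if seq >= self.cp:       # drop retransmits of already-consumed bytes
            self.buffered[seq] = data
        while self.cp in self.buffered:      # drain the contiguous run
            chunk = self.buffered.pop(self.cp)
            self.delivered += chunk
            self.cp += len(chunk)
        return self.cp

    def reset(self, seq):
        """Return True if the RST is accepted and the connection torn down."""
        if seq == self.cp:
            self.aborted = True
        return self.aborted


def split(payload, isn, seg_len=20):
    """Segment as in the article: seq 100/120/140 for offsets 0/20/40."""
    return [(isn + off, payload[off:off + seg_len])
            for off in range(0, len(payload), seg_len)]


def ids_reset_works(arrival_order, padding=b" "):
    """Deliver the three request segments (indexes 0-2) and an optional fourth
    padding segment (index 3) in the given order, then apply a RST whose
    sequence number the IDS derived from the end of the third segment.
    Returns (reset_accepted, cp_after)."""
    segs = split(PAYLOAD, ISN) + [(ISN + len(PAYLOAD), padding)]
    rx = Receiver(ISN)
    for i in arrival_order:
        rx.segment(*segs[i])
    stale_seq = ISN + len(PAYLOAD)          # 151: what the IDS saw after seg 3
    return rx.reset(stale_seq), rx.cp
```

Running the three arrival orders ([0, 1, 2], [0, 1, 2, 3] and [0, 1, 3, 2]) shows the reset is honoured only in the first case, which is the property a defender should verify before relying on a product's session blocking.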

III. Conclusion
This article has mainly described the IDS active response mechanism that blocks TCP sessions with reset packets. As for the firewall linkage mechanism, an attacker can use spoofing (for example FTP redirection, see Phrack 51) to make the firewall block important addresses such as the gateway router and the DNS server, which also causes great disruption for users; moreover, firewall linkage generally has a latency of one to two seconds, which is enough for an attacker to install a backdoor on the target host, so such defenses can easily be broken through. As this article shows, an IDS that offers active response looks much better than one that merely alerts without responding; it attracts users and has even become a marketing weapon for many vendors, so many consumers believe it is very advanced technology. In fact, an attacker with a little TCP/IP knowledge can render this response mechanism useless, and the vendors do not seem to have noticed!!! Isn't that a deception?!

IV. Copyright Notice
The copyright of this article belongs to the author. No person or organization may use this article for commercial activities. Anyone who uses the techniques described in this article for illegal activities does so at their own risk; the author bears no responsibility.
