Return to the Main Menu

Background for the 50 Ways to Defeat an IDS Product

This article has been edited from an original article written by Fred Cohen, of Sandia Labs, in Albuquerque, New Mexico, that is posted on the web at the URL

http://www.all.net/journal/netsec/9712.html

It is often difficult to tell the wheat from the chaff when selecting security products or deciding on capabilities. Very few managers know how to choose the best IDS for them. In addition, vendors seem to be taking advantage of this knowledge vacuum to make sales. Many claims for IDS systems have been made. The lists below attempt to debunk many of these claims by showing ways to get around many existing IDS products.

The 50 Ways to Defeat an IDS Product


1 - Inserting extraneous characters into a standard attack typically causes detection failure. As an example, you could insert the string && true into a typical shell command line without ill effect on operation but with degraded IDS performance.

2 - Use tabs instead of spaces in commands. Since most current systems don t interpret all separators in the same way, changing to non-standard separators can make them fail. You might also try , instead of ; in the Unix shell.

3 - Closely related to number 2, you could change the separator character in the system so that (for example) % is the separator. This would confuse detection systems almost without exception.

4 - Reorder a detected attack sequence. For example, if the attack goes a;b;c and it would also work as b;a;c , most detection systems would rank the one they were not tuned to find as unlikely to be an actual attack.

5 - Split a standard attack across more than one user. Using the a;b;c example above, if user X types a;b and user Y types c the attack is almost certain to go undetected.

6 - Split a standard attack across multiple sessions. Login once and type a;b , logout, then login and type c .

7 - Split across multiple remote IP addresses/systems. Login from sites X and Y, and type a from site X, b from site Y, and c from site X.

8 - Define a macro for a command used in a standard attack. For example, set a shell variable called $ZZ to cp and then use $ZZ instead of cp where appropriate.

9 - Define a macro for a parameter in a standard attack. For example, use the name $P instead of the string /etc/passwd .

10 - Create shell scripts to replace commands you use. If you do this carefully, the detector will not associate the names you use for the scripts to the commands and will miss the whole attack.



Bonus attack 1 - Add comments to attack lines in an attack that would otherwise be detected.



11 - Use different commands to do the same function. For example, echo * is almost the same as ls in the Unix shell.

12 - Change the names in standard attacks. For example, if the standard attack uses a temporary file named xxx , try using yyy .

13 - Create a code-book translater for attack keywords. This can be done by piping all commands through a filter program, perhaps using sed to do string substitution.

14 - Encode the attacks in ebcdic and change terminal types to an ebcdic terminal. Since all the characters are differently coded, the detector will be unable to decode your actions.

15 - Encrypt your attacks: for example, by using the secure shell facilities intended to increase protection by preventing snooping including snooping by the IDS.

16 - Use a postfix notation for transmissions, and then translate back at the other end. The detector will not be able to understand the syntax.

17 - Turn on full duplex communications mode wit the target. The extra characters going back and forth may confuse the IDS.

18 - Intermix several known intrusion techniques by alternating one instruction from each. The IDS is likely not to recognize any of the attacks.

19 - Encode results sent by daemons so that the patterns of what is returned cannot be used for detection. For example, instead of mailing yourself a password file by exploiting a sendmail bug, pipe the password file through a sed script that changes the : s to - s.

20 - Attack by piping everything through an awk script that exchanges characters. This will confuse the IDS.



Bonus attack 2 - Run commands selected from a table by the row number and have the victim system do the command-line calls. So you might send 15 *.com and the victim system might do dir *.com .



21 - Overwhelm the IDS sensor ports. For example, by using an echo virus against a UDP port, you might make the sensor port unable to receive further sensor inputs.

22 - Crash the IDS with ping packets. By sending long IPNG packets, many systems that run IDS systems can be crashed, causing them to fail to detect subsequent attacks.

23 - Kill the IDS by attacking its platform. Most IDS systems run on regular hosts which can themselves be attacked. Once the platform is taken over, the IDS can be subverted.

24 - Create false audit records to confuse the IDS. For example, send packets to the IDS in between the packets that might indicate an attack and containing information makes the attack actions look harmless.

25 - Consume all IDS disk space then launch for real. By (for example) overrunning the disk space consumed by the IDS with innocuous but detected sequences, the IDS will fail and subsequent attacks go undetected.

26 - Stop the generation or collection of audit records then attack. For example, by creating a large number of processes, the system running the IDS may not be able to create the process needed to generate an audit record.

27 - Cause the response system to disrupt normal communications. For example, some IDS systems respond to repeated attacks from a site by cutting off all traffic from that site. By forging malicious traffic coming from a particular host, the IDS may cut off all traffic from that host, after which it can be attacked at will.

28 - Type everything in backwards and use a translator program to reverse it. Do the same in transmissions sent back to you.

29 - Type everything in infix notation and have it translated via awk into prefix notation. The IDS may be unable to interpret the traffic.

30 - Use emacs as the shell and use wipes and yanks in and out of the cmd buffer instead of typing. The IDS will see things like control-W and control-Y while the command interpreter on the victim site will see malicious commands.



Bonus attack 3 - Type very slowly (over a period of hours per command line should do nicely). Since buffer sizes are limited, your traffic may be lost in the glut of other things the IDS has to watch.



31 - Change routes to target to avoid the IDS.

32 - Change return routes from target to avoid the IDS.

33 - Use source routing to reroute each packet through a different path to the victim, thus avoiding any single IDS.

34 - Start an outbound session from the victim via a modem and attack over that connection. If the IDS is network-based, it will miss these packets.

35 - Interfere with the infrastructure between the victim and the IDS. In remote monitoring and network-based IDS systems, this is often possible by modifying router traffic (as a simple example).

36 - Break into an intermediary to break the traceback of the attack. The intrusion may be detected, but they won t be able to trace it to you (unless they are very good at traces).

37 - Start a session on an unusual IP port. These ports are often not understood or watched by IDS systems.

38 - Use a modified protocol for communications, such as one that reverses bytes on words. (See PDP-11 and VAX encodings for examples).

39 - Use IPX over IP for the attack. The IDS will probably only notice the IP packets and not understand the content.

40 - Use a different tunneled protocol session for the attack such as IP over HTML.



Bonus Attack 4 - Define your own protocol for a new application and attack over it.



41 - Attack over dial-ins instead of a network. Network-based IDS systems will never notice this activity.

42 - Create large numbers of false positives to increase noise level. This will make finding the real attack human time intensive and people tend to fail under these circumstances.

43 - Plant the intrusion instructions within a Word macro and send a document to the victim. The IDS probably can t decode the attack inside the macro.

44 - Plant the intrusion code within another macro and send to victim. Power point perhaps, or 123, or you get the idea.

45 - Put the attack in a compiled program (i.e., a Trojan Horse) and get the victim to download the attack and run it for you.

46 - Use a rarely used protocol for the attack. Chances are the IDS doesn t know how to interpret the packets.

47 - Recode the attack in a different language than it was originally published in.

48 - Use any non-technical attack (such as so-called human engineering). Since the IDS only looks at bits and bytes, it doesn t detect many of the common attacks used by attackers today.

49 - Attack any system that doesn't run Unix. Since almost all of today s IDS systems only look for Unix attacks, everything else will pass undetected. (Some apparently detect NT attacks now as well.)

50-1000+ - Use one of the 1000 or so published attacks not detected by current systems. The largest number of detected attacks advertised to date as being detected by any such system is only about 50. (One vendor recently claimed over 150, but the newest numbers I heard for known vulnerabilities has gone up to 2,000) Nevertheless, 150 is progress over 50!



Bonus attacks - 1000+ to infinity - Create a new attack script. IDS systems today almost all look only for a small number of known attacks.

Return to the Beginning of this Document