From: lcamtuf at coredump.cx (Michal Zalewski)
Subject: Re: Bypassing "smart" IDSes with misdirected frames?

On Thu, 27 May 2004, Alexander E. Cuttergo wrote:

> If the attacker is on the same LAN as your IDS, you have many problems
> more severe than the attack you have described.

In a sufficiently complex network, you are going to face internal threats.
Simply, if you have 1000 or 10000 employees, it is foolish to assume they
are all going to play nice. Installing internal IDSes, firewalls and
whatnots is a way of mitigating and managing the risk. Most IDS vendors
have solutions that can be plugged in internally.

I would not even bother to post if IDSes were not commonly used in such a
setup.

> More generally, if you can send a packet which is accepted by the IDS
> and not by the target host, you can bypass IDS. Another example is
> sending packets with low ttl; this even does not require access to the
> same LAN.

You won't be able to do this in a reasonable IDS setup (span port or
bridge mode).

> A packet which is not accepted by the recipient will not elicit an ACK
> frame.

One that is does not have to do this, either. Window size, etc.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-28 00:04 --

   http://lcamtuf.coredump.cx/photo/current/
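The criterion quoted above (a packet the IDS accepts but the target host does not) is what a sensor has to defend against by modelling the target's own acceptance rules. The following is an added example, not code from this thread or from any IDS product: a small defender-side check that, given a constructed host map, reports why the target would discard a segment (wrong destination MAC, TTL that expires on the way, or data outside the receiver's advertised window). Names such as `HOSTS`, `Segment` and `insertion_reason` are assumptions for illustration.

```python
from dataclasses import dataclass

WRAP = 1 << 32  # TCP sequence numbers are 32-bit and wrap


@dataclass
class Segment:
    dst_ip: str
    dst_mac: str
    ttl: int
    seq: int
    length: int  # payload bytes carried (assumed > 0)


# Constructed host map for the monitored network (assumed values, not from the
# thread): the real MAC of each host and the number of routers between the
# sensor and that host (0 = same LAN as the sensor).
HOSTS = {
    "10.0.0.5": {"mac": "00:11:22:33:44:55", "hops": 0},
    "10.0.1.9": {"mac": "00:aa:bb:cc:dd:ee", "hops": 2},
}


def reaches_nic(seg, host):
    """A frame is delivered to the target only if its MAC is the target's."""
    return seg.dst_mac.lower() == host["mac"].lower()


def survives_ttl(seg, host):
    """Each router decrements TTL and discards the packet when it hits zero."""
    return seg.ttl > host["hops"]


def in_window(seg, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a data segment, assuming rcv_wnd > 0:
    accept if any byte of the segment lies inside [rcv_nxt, rcv_nxt+rcv_wnd)."""
    start = (seg.seq - rcv_nxt) % WRAP
    end = (seg.seq + seg.length - 1 - rcv_nxt) % WRAP
    return start < rcv_wnd or end < rcv_wnd


def insertion_reason(seg, rcv_nxt, rcv_wnd):
    """Return why the target would discard seg, or None if it would accept it.
    A sensor that reassembles such a segment anyway is open to insertion."""
    host = HOSTS.get(seg.dst_ip)
    if host is None:
        return "unknown-host"
    if not reaches_nic(seg, host):
        return "misdirected-frame"
    if not survives_ttl(seg, host):
        return "ttl-expires"
    if not in_window(seg, rcv_nxt, rcv_wnd):
        return "outside-window"
    return None
```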

