From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)

On Fri, 28 May 2004, Mike Frantzen wrote:

> This has been a known attack at least since Ptacek and Newsham's seminal
> paper on IDS evasions.

As far as I can see, they describe an attack where the attacker uses the IDS's
own MAC address to route frames directly to this box; this is usually
prevented (or difficult to carry out) if the listening interface is an
IP-less span port or bridge node, as is the case at almost all times
nowadays.

I describe an attack in which the IDS itself is not targeted, but quite
simply, a different MAC address belonging to an innocent bystander is used
to inject an IP frame that matches an existing connection. This should
fool a "transparent" IDS, based on the assumption that link-layer
information is stripped prior to TCP stream identification, which I expect
is the case with a good deal of IDS systems out there.

So there is a difference that makes the attack IMO a bit more of a
concern in a typical setup, which is still not to say I will lose sleep
over it.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-29 00:44 --

   http://lcamtuf.coredump.cx/photo/current/
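As an added illustration of the weakness discussed in the message above (not code from the original post, nor from any IDS product), here is a small Python sketch of a check a passive sensor could keep: the source MAC of the first segment seen per TCP flow direction, with an alert when a later segment for the same flow arrives from a different MAC. The frame builder, the class and function names, and the MAC/IP addresses are all constructed for this example.

```python
"""Per-flow source-MAC consistency check for a passive sensor (hypothetical).

A reassembler that discards the Ethernet header before matching segments to a
TCP connection accepts any segment whose IP/TCP tuple fits the flow, whatever
MAC it arrived from. Remembering the first source MAC per flow direction and
flagging a change is a cheap heuristic for spotting such injected segments.
"""
import struct
from typing import Dict, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)


def build_frame(src_mac: bytes, dst_mac: bytes, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero on purpose."""
    eth = dst_mac + src_mac + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Tuple[str, Flow]:
    """Return (source MAC, unidirectional TCP 4-tuple) for an IPv4/TCP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4")
    src_mac = frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4            # IP header length in bytes
    if frame[14 + 9] != 6:
        raise ValueError("not TCP")
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src_mac, (src_ip, sport, dst_ip, dport)


class MacConsistencyTracker:
    """Remember the first source MAC seen per flow direction; report deviations."""

    def __init__(self) -> None:
        self.seen: Dict[Flow, str] = {}

    def observe(self, frame: bytes) -> Optional[str]:
        """Return an alert string if this segment's MAC differs from the flow's."""
        src_mac, flow = parse_frame(frame)
        first = self.seen.setdefault(flow, src_mac)
        if first != src_mac:
            return f"{flow}: segment from {src_mac}, flow established from {first}"
        return None
```

In a real deployment the heuristic needs tuning: gateway failover or asymmetric routing legitimately changes the source MAC of a flow, and the sensor's span port must deliver whole frames for the check to see link-layer data at all.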

