Message-ID: <20040529004447.J50588@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)
On Fri, 28 May 2004, Mike Frantzen wrote:
> This has been a known attack at least since Ptacek and Newsham's seminal
> paper on IDS evasions.
As far as I can see, they describe an attack where the attacker uses the IDS's
own MAC address to route frames directly to this box; this is usually
prevented (or difficult to carry out) if the listening interface is an
IP-less span port or bridge node, as is the case almost all the time
nowadays.
I describe an attack in which the IDS itself is not targeted, but quite
simply, a different MAC address belonging to an innocent bystander is used
to inject an IP frame that matches an existing connection. This should
fool a "transparent" IDS, based on the assumption that link-layer
information is stripped prior to TCP stream identification, which I expect
is the case with a good deal of IDS systems out there.
So there is a difference that makes the attack IMO a bit more of a
concern in a typical setup, which is still not to say I will lose sleep
over it.
Cheers,
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-05-29 00:44 --
http://lcamtuf.coredump.cx/photo/current/
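The post's point is that a sensor which strips link-layer information before TCP stream identification cannot tell an injected segment carrying a bystander's MAC from the real client's segments. Below is an added detection-side example (not code from the post or from any IDS it discusses) showing the minimal state a sensor would need to keep: the source MAC first seen on each TCP 4-tuple, with an alert when a later segment of the same flow arrives from a different MAC. The Frame layout, the MACs and the addresses are constructed for the demo.

```python
from collections import namedtuple

# Constructed frame record: the fields a sensor would retain if it did NOT
# discard the link layer before matching a segment to a TCP stream.
Frame = namedtuple("Frame", "src_mac src_ip sport dst_ip dport payload")

class FlowMacTracker:
    """Remember the source MAC first seen on each TCP flow and flag a later
    segment of that flow that arrives from a different MAC.

    This is a heuristic, not a hard verdict: a legitimate MAC change can
    occur on a flow (gateway failover, a host moving between uplinks), so
    the alert is meant for correlation with other evidence, not for dropping.
    """

    def __init__(self):
        self.flow_mac = {}   # (src_ip, sport, dst_ip, dport) -> first MAC seen
        self.alerts = []

    def observe(self, frame):
        key = (frame.src_ip, frame.sport, frame.dst_ip, frame.dport)
        first = self.flow_mac.setdefault(key, frame.src_mac)
        if first == frame.src_mac:
            return None
        alert = {"flow": key, "expected_mac": first,
                 "seen_mac": frame.src_mac, "payload": frame.payload}
        self.alerts.append(alert)
        return alert

# Constructed sample: a legitimate client (aa:...:01) talks to a server; a
# third segment matching the same 4-tuple shows up from a bystander's MAC.
SAMPLE = [
    Frame("aa:aa:aa:aa:aa:01", "10.0.0.5", 40000, "10.0.0.80", 80, b"GET / "),
    Frame("aa:aa:aa:aa:aa:01", "10.0.0.5", 40000, "10.0.0.80", 80, b"HTTP/1.0\r\n"),
    Frame("bb:bb:bb:bb:bb:02", "10.0.0.5", 40000, "10.0.0.80", 80, b"X-Extra: 1\r\n"),
    Frame("aa:aa:aa:aa:aa:01", "10.0.0.5", 40000, "10.0.0.80", 80, b"\r\n"),
]

def run_demo(frames=SAMPLE):
    """Feed the sample through the tracker and return the alerts raised."""
    tracker = FlowMacTracker()
    for f in frames:
        tracker.observe(f)
    return tracker.alerts

if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

A stream reassembler that has already merged the segments loses exactly the field this check depends on, so the MAC has to be recorded at capture time, before reassembly.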