On Oct 13, 2004, at 10:41 AM, Beauford, Jason wrote:
What can the Blackhats of the world due to perpetuate rule set molding
of Stateful Anomaly Detection engines to allow malicious traffic
through
without being detected? How reliable are S.A.D. engines in detecting
unwanted traffic?
If you're looking for a Phrack article to write, this is probably a
good topic.
On the other hand, if you're looking for something relevant to the ways
that
attackers will actually break in to networks, I'd look elsewhere.
A few thoughts:
- IDS engines --- which are very well understood --- still tend to
be astonishingly weak against directed, surgical attacks (attacks
in which an explicit goal is made of avoiding a particular detector).
Just recently on this list, Dave Maynor from ISS cited a flaw in a
competing IPS product that would have been a major discovery
in 1998, when Newsham, Paxson, Meltzer, Dug Song, and I were all
just beginning to do research on signature IDS.
Despite the fact that virtually every IDS/IPS engine deployed today
has exploitable weaknesses, IPS evasion is still not a tool in most
attackers toolboxes. Have any operators on this list ever detected
an attacker abetted by Fragroute? Fragroute gets press mentions
and is freely downloadable!
"Anomaly detection" is so new, and so un-proven, and so hyped
and marketed, that I doubt anyone is giving serious thought to how to
evade it.
- Despite all this, Arbor Networks actually has done research into
anomaly detection evasion, and we have designed and built
mechanisms to resist training attacks --- suggesting to me that there
are plenty of "anomaly detection" engines out there that can be faked
out.
- However, I would suspect that a far more fruitful avenue of attacking
anomaly detection systems is to chaff them into generating millions
of false positives. On enterprise networks, most well-known anomaly
detection techniques are noisier and harder to tune than signature
systems.
This is simpler than training (or "molding"), and it applies equally
well
to IPS systems --- an IPS that appears to randomly block traffic that
can't be traced to a legitimate attack can be evaded simply by waiting
for operators to turn blocking off.
- With regards to IPS vendors, by the way, you will be surprised at how
simple the mechanisms are that underly vendor claims to "anomaly
detection".
---
Thomas H. Ptacek // Product Manager, Arbor Networks
(734) 327-0000
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to
learn more.
--------------------------------------------------------------------------
