Network Security Focus-IDS
Re: Foolin an IDS ?

Subject: Re: Foolin an IDS ?
Date: Fri, 3 Dec 2004 16:17:06 -0500

Research subsequent to the papers that Paxson, Newsham, and I wrote established the term "vantage point problem" to describe the failure mode where a monitoring system gets tripped up by the differences between its own protocol logic and the logic of a real implementation of that protocol on an end system.


We've seen vantage point problems in a variety of places --- probably most notably in HTTP and in SMB.

My considered opinion is that vantage point problems are the "buffer overflow" vulnerability of the monitoring/integrity field.

I think most people would concede at this point that the best solution to buffer overflow attacks is to preclude them from existing: automatic bounds checking, least-privilege OS enforcement, and stack/heap integrity guards. Chasing the "next" buffer overflow and following the discover/wait/publish/patch cycle is probably not an effective strategy.

Similarly, the real solution for the vantage point problem is to preclude consistency problems --- by proxying, scrubbing, or moving functionality closer to the end-systems.

So I guess that I'm saying that you're right, David, and that there are lots of places to look besides TCP headers for these problems.

On Dec 1, 2004, at 4:49 PM, Maynor, David (ISS Atlanta) wrote:
Aside from looking at this the best way to learn to evade IDS/IPS is an
understanding of the protocols that they are protecting. This doesn't
mean just TCP/UDP; this also means things like MSRPC, HTTP, SSL and
such.

--- Thomas H. Ptacek // Product Manager, Arbor Networks (734) 327-0000

