Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Firewall-fooling techniques

from [Richard Bejtlich] Network Security [Permanent Link]
Subject: Re: Firewall-fooling techniques
Date: Thu, 17 Feb 2005 05:55:58 -0500 
On Sun, 13 Feb 2005 00:00:31 +0100, Göran Sandahl <goran@gsandahl.net> wrote:

Or, can someone please in short terms
describe what kind of traffic IDSs have problem detecting today.  And how
will the bad guys do it tomorrow?


Hello,

Chapter 18 of my book addresses this subject. [0]  The problem is
broader than running traffic through Fragrouter, and depends on the
attacker's goal. Some techniques are designed to fool an analyst, not
the IDS.  Here is a summary:

- Promote anonymity
 -- Attack from a stepping-stone
 -- Attack using a spoofed source address
 -- Attack from a netblock not owned by the intruder (advertise BGP routes)
 -- Attack from a trusted host
 -- Attack from a familiar netblock
 -- Attack the client, not the server
 -- Use public intermediaries
- Evade detection
 -- Time attacks properly
 -- Distribute attacks through Internet space
 -- Employ encryption
 -- Appear normal
- Degrade or deny collection
 -- Employ decoys
 -- Consider volume attacks
 -- Attack the sensor
 -- Separate analysts from their consoles

Sincerely,

Richard
http://www.taosecurity.com

[0] The Tao of Network Security Monitoring: Beyond Intrusion
Detection, http://www.taosecurity.com/books.html

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  OsAudit v0.1 (log gathering, monitoring and analysis) available., Daniel Cid
Next by Date:  IDS data sets, Zafar, Salim
Previous by Thread:  Re: Firewall-fooling techniques, Göran Sandahl
Next by Thread:  OsAudit v0.1 (log gathering, monitoring and analysis) available., Daniel Cid
Indexes:  [Date] [Thread] [Top] [All Lists]