[Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames?

Subject: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames?
Date: Fri, 28 May 2004 01:48:21 +0200 (CEST)
On Thu, 27 May 2004, Alexander E. Cuttergo wrote:

> If the attacker is on the same LAN as your IDS, you have many problems
> more severe than the attack you have described.

In a sufficiently complex network, you are going to face internal threats.
Simply, if you have 1000 or 10000 employees, it is foolish to assume they
are all going to play nice. Installing internal IDSes, firewalls and
whatnots is a way of mitigating and managing the risk. Most IDS vendors
have solutions that can be plugged in internally.

I would not even bother to post if IDSes were not commonly used in such a
setup.

> More generally, if you can send a packet which is accepted by the IDS
> and not by the target host, you can bypass IDS. Another example is
> sending packets with low ttl; this does not even require access to the
> same LAN.

You won't be able to do this in a reasonable IDS setup (span port or
bridge mode).

> A packet which is not accepted by the recipient will not elicit an ACK
> frame.

One that is does not have to do this, either. Window size, etc.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-28 00:04 --

   http://lcamtuf.coredump.cx/photo/current/
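The principle argued over above (a packet the IDS analyses but the target never accepts is an insertion, and the sensor should discard it rather than trust it) can be demonstrated with a small sensor-side sanity filter. The following is an added example written for this archive page, not code from the thread or from any IDS product; the host table, MAC table, router-count table and the frames it checks are all constructed test data, and the two checks it performs (destination MAC must belong to the owner of the destination IP or to the gateway; TTL must be large enough to survive the routers between the tap and the target) are the two insertion tricks named in the messages.

```python
"""
Added example: an IDS-side insertion filter for two of the tricks in the
Full-Disclosure thread above.

  * misdirected frame: the destination MAC is not that of the host that
    owns the destination IP (or of the gateway, for off-LAN targets), so
    the target's NIC silently drops it even though a sniffer sees it;
  * low TTL: the IP TTL is not large enough to get past the routers that
    sit between the sensor's tap point and the target.

Everything here (topology, MACs, frames) is constructed test data.
"""
import struct

ETH_HDR = struct.Struct("!6s6sH")        # dst MAC, src MAC, EtherType
IP_HDR = struct.Struct("!BBHHHBBH4s4s")  # 20-byte IPv4 header, no options
ETH_P_IP = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return bytes(int(o) for o in s.split("."))


# Constructed sensor knowledge (in practice learned from ARP and from a
# baseline traceroute): which MAC receives frames for an IP, and how many
# routers a packet crosses between the tap and that IP.
GATEWAY = ip("10.0.0.1")
KNOWN_MAC = {
    ip("10.0.0.5"): mac("00:11:22:33:44:55"),   # server on the monitored LAN
    GATEWAY:        mac("00:aa:bb:cc:dd:ee"),   # gateway for everything else
}
ROUTERS_TO = {
    ip("10.0.0.5"): 0,   # same LAN, no router: TTL 1 still arrives
    ip("10.1.0.9"): 3,   # remote host behind three routers: needs TTL >= 4
}


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b""):
    """Assemble Ethernet + IPv4 (checksum left zero; the sensor is passive)."""
    iphdr = IP_HDR.pack(0x45, 0, IP_HDR.size + len(payload), 0, 0,
                        ttl, 6, 0, ip(src_ip), ip(dst_ip))
    return ETH_HDR.pack(mac(dst_mac), mac(src_mac), ETH_P_IP) + iphdr + payload


def classify(frame):
    """'inspect' if the target would accept the frame, otherwise an
    'insertion: ...' string naming why the target would drop it."""
    if len(frame) < ETH_HDR.size + IP_HDR.size:
        return "insertion: truncated"
    dst_mac, _src_mac, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETH_P_IP:
        return "ignore: not IPv4"
    ver_ihl, _tos, _tlen, _id, _frag, ttl, _proto, _csum, _src, dst_ip = \
        IP_HDR.unpack_from(frame, ETH_HDR.size)
    if ver_ihl >> 4 != 4:
        return "insertion: bad IP version"

    # Check 1: misdirected frame. A local target must be addressed by its
    # own MAC; an off-LAN target must be addressed to the gateway's MAC.
    expected_mac = KNOWN_MAC.get(dst_ip, KNOWN_MAC[GATEWAY])
    if dst_mac != expected_mac:
        return "insertion: misdirected frame (dst MAC %s)" % dst_mac.hex(":")

    # Check 2: TTL that expires at or before the last router on the path.
    routers = ROUTERS_TO.get(dst_ip)
    if routers is not None and ttl <= routers:
        return "insertion: ttl %d cannot cross %d routers" % (ttl, routers)
    return "inspect"


if __name__ == "__main__":
    attacker = "00:de:ad:be:ef:01"
    for label, frame in [
        ("well-formed local", build_frame("00:11:22:33:44:55", attacker,
                                          "10.0.0.77", "10.0.0.5", 64, b"GET")),
        ("wrong dst MAC", build_frame("00:00:00:00:00:01", attacker,
                                      "10.0.0.77", "10.0.0.5", 64, b"GET")),
        ("ttl too low", build_frame("00:aa:bb:cc:dd:ee", attacker,
                                    "10.0.0.77", "10.1.0.9", 2, b"GET")),
    ]:
        print("%-18s -> %s" % (label, classify(frame)))
```

The filter is deliberately conservative in the direction the thread argues for: a frame that fails either check is dropped from analysis instead of being folded into the stream, so an attacker who can only reach the sniffer (not the host) gains nothing. The checks are only as good as the sensor's view of the topology, which is why the message recommends a span port or bridge placement, where the sensor sees exactly what the host sees.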

