
Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)

Subject: Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)
Date: Sat, 29 May 2004 00:50:37 +0200 (CEST)
On Fri, 28 May 2004, Mike Frantzen wrote:

> This has been a known attack at least since Ptacek and Newsham's seminal
> paper on IDS evasions.

As far as I can see, they describe an attack where the attacker uses the IDS's
own MAC address to route frames directly to this box; this is usually
prevented (or difficult to carry out) if the listening interface is an
IP-less span port or bridge node, as is the case almost all the time
nowadays.

I describe an attack in which the IDS itself is not targeted, but quite
simply, a different MAC address belonging to an innocent bystander is used
to inject an IP frame that matches an existing connection. This should
fool a "transparent" IDS, based on the assumption that link-layer
information is stripped prior to TCP stream identification, which I expect
is the case with a good deal of IDS systems out there.

So there is a difference that makes the attack IMO a bit more of a
concern in a typical setup, which is still not to say I will lose sleep
over it.

Cheers,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-29 00:44 --

   http://lcamtuf.coredump.cx/photo/current/
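The evasion above works only if the sensor discards link-layer information before it reassembles TCP streams. One defensive check is to keep the source MAC seen for each TCP flow and flag a frame whose MAC differs. The following is an added example (not code from the post or from any IDS); it builds constructed Ethernet/IPv4/TCP frames without checksums, and assumes the sensor watches a segment where end hosts are local (behind a router every flow carries the router's MAC, so the check would need to be keyed differently).

```python
import struct

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload=b""):
    """Constructed Ethernet II + IPv4 + TCP frame (no checksums, no options)."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    tcp += payload
    # IPv4 header: version/IHL, TOS, total length, id, flags/frag, TTL, proto 6
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))),
                     bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, flow 4-tuple) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    src_mac = frame[6:12].hex(":")
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 6 or len(frame) < 14 + ihl + 4:
        return None                      # not TCP, or truncated
    src_ip = ".".join(map(str, frame[26:30]))
    dst_ip = ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return src_mac, (src_ip, sport, dst_ip, dport)

class FlowMacTracker:
    """Remembers the source MAC first seen for each TCP flow; flags a change.

    A frame that matches an established flow at the IP/TCP layer but arrives
    from a different station is exactly the misdirected frame the post describes.
    """
    def __init__(self):
        self.flow_mac = {}

    def check(self, frame):
        parsed = parse_frame(frame)
        if parsed is None:
            return None                  # out of scope for this check
        src_mac, key = parsed
        known = self.flow_mac.setdefault(key, src_mac)
        if known != src_mac:
            return f"flow {key}: src MAC {src_mac} differs from first-seen {known}"
        return None
```

A real sensor would also age entries out and treat the first frame of a flow as untrusted until the handshake completes; the block keeps only the core comparison.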
