Thursday, September 16, 2010

IDS weaknesses and limitations (2)




1.2.5 Intrusion variant
1.2.5.1 HTTP attack variant
Repeat the directory separator ,'/'' into'//''銆?br />The current directory, '/ cgi-bin/phf''into the' / cgi-bin/./phf''.
Parent directory, '/ cgi-bin/phf''into the' / cgi-bin/xxx/../phf''.
URL encoding, '/ cgi-bin /''becomes'% 2fcgi-bin /''.
Use TAB instead of spaces and other separators.
NULL method, 'GET% 00/cgi-bin/phf''.
GET outside use other methods such as POST.
Change the parameters of the order, add the unwanted parameters.
For IIS, there are the following:
DOS / Win under the directory separator, '/ winnt/system32/cmd.exe''into the' / winntsystem32cmd.exe''.
Case conversion, such as cmd.exe into CMD.EXE.
IIS second decoder, such as cmd.exe into% 2563md.exe,% 25 and then decoded to decode% 63''%'', as''c''.
UNICODE encoding, such as cmd.exe into the% c0% 63md.exe. UNICODE encoding more complex because there are very few NIDS can decode it.

1.2.5.2 Telnet attack variant
Use the backspace key.
Using the Tab key for command padded.
Use Shell to execute attack code.
Using macros.
Add a useless argument.
In fact very difficult to detect those NIDS Telnet to connect to the server through the local after the attack.

1.2.6 TCP / IP protocol limitations
As TCP / IP design did not consider good security, so now IPV4 security is worrying, in addition to the above problems arising due to network structure, there are some limitations below.

1.2.6.1 IP fragmentation
Packet fragmentation, some NIDS can not restructure IP fragmentation, or more than its capacity, you can bypass the NIDS.
A maximum of 8192 IP datagram fragmentation, NIDS performance parameters of a reorganization shall be able to slice the largest number of IP.
NIDS every IP received a new IP datagram fragmentation when the fragment will start a restructuring process, after the reorganization is complete, or timeout (typically 15 seconds of overtime) Close this restructuring process, NIDS performance parameters of a shall simultaneously restructuring the number of IP packets.
An IP datagram maximum 64K, as ready to receive a IP datagram, NIDS will be ready enough memory to accommodate the upcoming follow-up fragments, NIDS performance parameters of a reorganization shall be to the largest IP datagram .
Combining above three parameters, namely, in the time-out time NIDS (for example 15 seconds) while preparing for maximum internal energy (for example, 64K) The number of IP datagram reorganization.
If the NIDS received packets over the limit, NIDS have packet loss, which occurred DoS attacks.

1.2.6.2 IP fragment overlap
IP packet fragmentation in the reorganization of the time, if met, then overlapping fragments, each operating system is not the same approach, for example, some systems will use the first received fragment (Windows and Solaris), some will be adopted after the closing to the slice (BSD and Linux), if the overlapping fragment of data is not the same thing, and NIDS approach is different with the protected host, it will lead to NIDS packet after the reorganization of the protected host and the packet is inconsistent, NIDS to bypass the detection.
For example, TCP or UDP can overlap the destination port, and then penetrate through most firewalls now, and may bypass the NIDS.
You can also overlap TCP flags, so that NIDS can not correctly detect the TCP FIN packet, so that NIDS soon to be able to simultaneously monitor the maximum number of TCP connections; to NIDS can not correctly detect TCP SYN packet, so that NIDS can not detect TCP connection due.

1.2.6.3 TCP segmentation
If the NIDS can not be re-TCP stream, you can bypass the TCP segmentation to NIDS.
Some unusual TCP segmentation will confuse some of NIDS.

1.2.6.4 TCP un-sync
Sent the wrong in the TCP sequence number, send the duplicate serial number, reverse the order to send such, it is possible to bypass the NIDS.

1.2.6.5 OOB
Attacker to send OOB data is protected if the host application can handle OOB, as NIDS can not predict the protected buffer when the host received OOB data in the number of normal, they may bypass the NIDS.
Some systems, when dealing with OOB will be the beginning of a byte of data discarded (such as Linux, the Apache, but IIS is not), then by sending in more than one TCP segment, including options with OOB TCP segment, then NIDS may lead to the data stream after the reorganization of the host and the protected application is inconsistent, and thus bypass the NIDS.

1.2.6.6 T / TCP
If the destination host can handle things TCP (currently very few systems support), an attacker can send transaction TCP, NIDS may not be protected with the host application on the same treatment, which may bypass the NIDS.

1.3 Resource and capacity constraints

The DoS attack against the NIDS 1.3.1.

1.3.1.1 the impact of high flow
Attacker to the protected network to send large amounts of data, more than NIDS processing power is limited, the situation of packet loss will occur, which may lead to acts of omission of the invasion.
NIDS network packet capture capabilities associated with a number of factors. For example, 1500 bytes in each packet case, NIDS will be over 100MB / s of processing power, even to more than 500MB / s of processing power, but if only 50 bytes per packet, 100MB / s of traffic means that 2 million package / s, most of which will exceed the current handling capacity of cards and switches.

1.3.1.2 IP fragmentation attacks
Attacker to the protected network to send a large number of IP fragments (such as TARGA3 attacks), more than NIDS IP fragments can be simultaneously restructuring capacity, leading technology through IP fragmentation attacks omitted.

1.3.1.3 TCP Connect Flooding
Attacker to create or simulate a large number of TCP connections (described by the above method of IP fragment overlap), while more than NIDS to monitor the maximum number of TCP connections, resulting in unnecessary TCP connection can not be monitored.

1.3.1.4 Alert Flooding
Attacker can detect the light of the rules posted on the network, while the attack would deliberately send a large number of alarm caused by NIDS data (such as stick attack), may exceed the speed NIDS to send alarm, resulting in omission, and to network received a large number of alarm, it is difficult to distinguish real attacks.
If you send 100 bytes can generate an alarm, you can generate per second through dial-up 50 police, 10M LAN can produce 10 thousand per second alarm.

1.3.1.5 Log Flooding
The attacker will send large amounts of data caused by NIDS alarms and eventually led to the space NIDS to be depleted Log, Log to delete the previous record.

1.3.2 RAM and hard drive limit
If the NIDS to improving the ability to process the IP fragments and TCP connection monitoring capabilities restructuring, which will require more memory to do the buffer, if the NIDS's memory allocation and management is not good, will the system cost a lot of exceptional circumstances memory, if the start using virtual memory, it will shake the memory may occur.
Hard drive speed is usually far less than the speed of the network, if the alarm system to produce a large number of records to the hard drive, will cost enormous amounts of system capacity, if the system records the original network data, save a large and high-speed network data will require expensive large-capacity RAID.

1.4 NIDS related to the vulnerability of the system
NIDS itself should have very high security, generally used for monitoring the network cards are not IP addresses, and other card will not open any ports. However, associated with the NIDS system may be attacked.

1.4.1 Console host of security vulnerabilities
Some systems have a separate console, if the attacker can control the console to the host computer, you can control the entire NIDS system.

1.4.2 Sensor and the vulnerability of the console communication
If the communication between sensors and the console may be attacked by a successful attack, will affect the normal use of the system. Such as conducting ARP deception or SYN_Flooding.
If the communication between sensors and console explicit communication or simply use encryption, you may be subject to IP spoofing or replay attacks.

1.4.3 and the system alarm and other equipment related to the vulnerability of communications
If an attacker can successfully attack the system alarm and other related equipment, such as mail servers and so on, will affect the alarm message is sent.

2 HIDS weaknesses and limitations

2.1 Resource constraints
As HIDS installed on protected hosts, so the resources can not be too much occupied, thus limiting the detection method used and the processing performance.

2.2 operating system limitations
Unlike NIDS, manufacturers can customize their own operating system, a sufficient security to ensure their own security NIDS, HIDS where the security of the host operating system under its security restrictions, if the host system is compromised, HIDS will soon be cleared. If the HIDS as stand-alone, it is basically not successful attack can only be detected if the HIDS for the sensor / control panel structure, will be faced with the same NIDS attack on the related systems.
Some HIDS will consider increasing the security of the operating system itself (such as LIDS).

2.3 System log limit
HIDS will monitor the system log to discover through the suspicious behavior, but some procedures are not sufficiently detailed system logs, or no logs. Some of the invasion would not in itself be a system log of the proceedings recorded.
If the system does not install third-party logging system, the system's own log system will soon be intruders or modified, and intrusion detection systems typically do not support third-party logging systems.
If there is no real-time inspection system HIDS log, then use automated tools to attack will be entirely possible to complete the inspection interval and clear of all the attack works in the system log traces.

2.4 The core of the system was modified to fool the paper check
If an intruder to modify the system core, you can fool a tool based on file consistency check. It's like the beginning of certain viruses, when they think that by the time of inspection or to track the original documents or data will be available to the inspection tool or tracking tool.

Detection limit of 2.5 Network
Some HIDS can check the network status, but will face many problems facing the NIDS.







相关链接:



Youtube zen



Photoshop top aides - EXTENSIS Photo Graphics (1)



Mp4 To Avi Converter Free



Interview with B & Q (China) Vice President, Human Resources Director Miss Hu Weiyan



News About Games Board



Do for others to do the wedding dress carriers should be out of the "influence" the edge



Neusoft transition stranded behind the overall market REJECTIONS



Convert Xvid To Divx



PICKED Pager Tools



IME TOOL to INPUT more obedient



Jack Ma, Alibaba Will Open A Large Envelope Puzzle



Exchange links need special attention



What rod dealer outlets



Flv Format



Guide Adventure And Roleplay



C # and object-oriented programming language [1]



No comments:

Post a Comment