IDFAQ: How does Fragroute evade NIDS detection?

Michael Holstein

Network-based Intrusion Detection Systems (NIDS) are typically configured to passively monitor network traffic on a segment, either by way of a hardware tap or by another tactic such as the switchport-monitor command (Cisco IOS), allowing the NIDS to monitor, and in some cases inject, traffic for all hosts and destinations passing through the segment.

Most NIDS systems are pattern based, requiring a large set (typically ~1500+) of signatures that alert on a specific combination of TCP flags in the header or on a set pattern in the payload. The accuracy of this approach depends, of course, on the skill of the administrator writing the signature, but in most cases it provides very accurate detection of a specific attack; it will not catch new or modified attacks.

Statistically based NIDS systems, which are usually used in conjunction with pattern matching, try to establish a baseline of activity and alert when packets are "statistically significant" in their deviation from the norm, a mathematical way of saying "weird packet". Unlike pattern matching, this tactic can catch new (and, only occasionally, more creative) attacks, at the cost of being rather noisy and requiring human analysis of all alerts.

Because most NIDS systems operate at layer 2 (OSI), they simply feed raw traffic into a detection engine and rely on pattern matching and/or statistical analysis to determine what is malicious. Packets are not processed by the host's TCP/IP stack, which allows the NIDS to analyze traffic the host would otherwise discard. This approach also has the disadvantage that packets can be intentionally crafted in such a way as to confuse pattern-matching NIDS systems, while still being correctly assembled by the host TCP/IP stack to render the attack payload.
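The ambiguity described in the paragraph above, as an added example that is not part of the original article and is not Fragroute's or Snort's code: a toy TCP segment reassembler that rebuilds one direction of a connection under two different overlap policies, so the same segments can read as harmless text to a NIDS that keeps first-received data and as the signature to a host that keeps last-received data. The defensive point is in `analyze`: rather than trusting either policy, it raises an alert whenever overlapping segments carry conflicting bytes, which a legitimate retransmission never does. All segments, the policy names and the signature are constructed for the illustration.

```python
"""
Added example, not code from the IDFAQ article, Fragroute or Snort: a toy TCP
segment reassembler showing why a NIDS that reassembles differently from the
target host can be evaded, and how a detector can flag the ambiguity instead
of silently trusting one reassembly policy.

Everything here is constructed for illustration: segments are (seq, payload)
pairs for one direction of one connection, sequence numbers start at 0, and
only two overlap policies are modelled, "first" (first-received data wins,
a common NIDS default) and "last" (later data overwrites, as some host
stacks do).
"""
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int      # sequence number of the first payload byte
    data: bytes   # payload carried by this segment


@dataclass
class Reassembly:
    stream: bytes                                   # rebuilt stream, b"?" marks gaps
    conflicts: list = field(default_factory=list)   # (offset, kept_byte, other_byte)


def reassemble(segments, policy="first"):
    """Rebuild the byte stream under the given overlap policy.

    Whatever the policy, every overlapping byte whose value differs between two
    segments is recorded: a retransmission legitimately repeats the same data,
    so differing data in an overlap is the hallmark of an insertion attack.
    """
    buf = {}        # stream offset -> byte value
    conflicts = []
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off not in buf:
                buf[off] = b
                continue
            if buf[off] != b:
                conflicts.append((off, buf[off], b))
            if policy == "last":
                buf[off] = b
    if not buf:
        return Reassembly(b"", conflicts)
    # Offsets never received are rendered as "?" so gaps stay visible to the caller.
    stream = bytes(buf.get(off, ord("?")) for off in range(max(buf) + 1))
    return Reassembly(stream, conflicts)


def analyze(segments, signature):
    """Return alert strings for one direction of a connection.

    The stream is matched against the signature under both policies, and a
    separate alert is raised whenever the segments overlapped with conflicting
    data, since that is exactly the condition that lets one policy see the
    signature while the other misses it.
    """
    alerts = []
    for policy in ("first", "last"):
        result = reassemble(segments, policy)
        if signature in result.stream:
            alerts.append(f"signature {signature!r} matched under {policy}-wins reassembly")
    conflicts = reassemble(segments, "first").conflicts
    if conflicts:
        alerts.append(
            f"conflicting overlap at offsets {conflicts[0][0]}-{conflicts[-1][0]} "
            f"({len(conflicts)} bytes differ): possible insertion/evasion attempt"
        )
    return alerts


# Constructed sample: bytes 6-9 are sent twice with different contents, so a
# first-wins reassembler sees "GOOD" while a last-wins host sees "EVIL".
SAMPLE_SEGMENTS = [
    Segment(0, b"HELLO "),
    Segment(6, b"GOOD"),
    Segment(6, b"EVIL"),
    Segment(10, b" WORLD"),
]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE_SEGMENTS, policy).stream)
    for alert in analyze(SAMPLE_SEGMENTS, b"EVIL"):
        print("ALERT:", alert)
```

Run stand-alone, the script prints the two differing reassemblies and then two alerts: the signature match under last-wins reassembly and the conflicting-overlap alert. A real sensor would need the target host's actual policy (Snort later added per-host reassembly settings for exactly this reason), but flagging the conflict itself works without knowing the host's behaviour.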

Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, written by Ptacek & Newsham (1998), details a number of these attack methods, which are summarized below. The techniques described by Ptacek & Newsham were used by programmer Dug Song to create Fragroute.

Fragroute, by its own assertion [man(8) page], "...intercepts, modifies, and rewrites egress traffic destined for the specified host, implementing most of the attacks described in the Secure Networks 'Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection' paper of January 1998."

Terms and Conventions used in this document
Software :
Snort : Network Intrusion Detection (NIDS).
www.snort.org/dl/snort-1.8.6.tar.gz

Tcpdump : Packet capture utility.
www.tcpdump.org/release/tcpdump-3.7.1.tar.gz

Ethereal : Packet analysis utility.
www.ethereal.com/distribution/ethereal-0.9.3.tar.gz

Fragroute : Packet shaper. www.monkey.org/~dugsong/fragroute/fragroute-1.2.tar.gz
Obfuscation : source and destination hosts/networks are aliased as follows :
Attack.source : host initiating the attack
Attack.target : host running the daemon under attack.
Session logs : mathematical operands are used to indicate direction of communication :
'>' : commands issued from the attack.source
‚ attack.source:21862
TCP TTL:59 TOS:0x10 ID:47366 IpLen:20 DgmLen:42 DF
***A*R** Seq: 0x55626D41 Ack: 0x726E5455 Win: 0x4733 TcpLen: 20

[**] [111:2:1] spp_stream4: possible EVASIVE RST detection [**]
05/02-20:58:16.599253 attack.target:13398 -> attack.source:26951
TCP TTL:59 TOS:0x10 ID:49947 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x5447766C Ack: 0x68534F74 Win: 0x364E TcpLen: 20
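The spp_stream4 alerts above are in Snort's full-alert text format. As an added example (not Snort's own code and not part of the original article), the following parser turns such records into dictionaries, decodes the eight-character TCP flag field in the order Snort prints it, and builds the per-message and per-source counts an analyst would pull from an alert file. The sample input embeds the complete alert quoted above and a second record constructed from the page's other TCP/IP lines with a made-up timestamp and source port; the hostnames are the page's own attack.source/attack.target aliases.

```python
"""
Added example, not Snort's own code: a parser for Snort's full-alert text
format (the format of the spp_stream4 alerts quoted on the page), plus a
small per-message/per-source summary. The sample input embeds the complete
alert quoted on the page and one constructed alert assembled from the page's
other TCP/IP lines; hostnames are the page's attack.source/attack.target aliases.
"""
import re
from collections import Counter

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
ENDPOINTS_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")
IP_RE = re.compile(
    r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)(?: (\w+))?$"
)
TCP_RE = re.compile(
    r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+) "
    r"Win: (0x[0-9A-Fa-f]+) TcpLen: (\d+)$"
)
# Snort prints TCP flags in a fixed order: reserved1, reserved2, URG, ACK, PSH, RST, SYN, FIN
FLAG_NAMES = ["RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN"]


def decode_flags(flag_field):
    """Turn a flag string such as '***A*R**' into the set {'ACK', 'RST'}."""
    return {name for name, ch in zip(FLAG_NAMES, flag_field) if ch != "*"}


def parse_alert(block):
    """Parse one alert record (the lines between blank lines); None if malformed."""
    lines = [ln.strip() for ln in block.strip().splitlines()]
    if len(lines) < 3:
        return None
    head = HEADER_RE.match(lines[0])
    ends = ENDPOINTS_RE.match(lines[1])
    ip = IP_RE.match(lines[2])
    if not (head and ends and ip):
        return None
    alert = {
        "gid": int(head.group(1)), "sid": int(head.group(2)), "rev": int(head.group(3)),
        "msg": head.group(4),
        "time": ends.group(1),
        "src": ends.group(2), "sport": int(ends.group(3)),
        "dst": ends.group(4), "dport": int(ends.group(5)),
        "proto": ip.group(1), "ttl": int(ip.group(2)), "ip_id": int(ip.group(4)),
        "ip_flags": ip.group(7) or "",
    }
    # The fourth line carries TCP details only for TCP alerts.
    if alert["proto"] == "TCP" and len(lines) > 3:
        tcp = TCP_RE.match(lines[3])
        if tcp:
            alert["flags"] = decode_flags(tcp.group(1))
            alert["seq"] = int(tcp.group(2), 16)
            alert["ack"] = int(tcp.group(3), 16)
            alert["win"] = int(tcp.group(4), 16)
    return alert


def parse_snort_alerts(text):
    """Split an alert file on blank lines and parse each record, skipping junk."""
    records = (parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()))
    return [r for r in records if r is not None]


def summarize(alerts):
    """Count alerts per (gid:sid, message) and per source host."""
    by_msg = Counter(f"{a['gid']}:{a['sid']} {a['msg']}" for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    return {"by_message": dict(by_msg), "by_source": dict(by_src)}


# Sample input: the first record is the alert quoted on the page; the second is
# constructed from the page's other TCP/IP lines with a made-up timestamp and
# source port.
SAMPLE_ALERTS = """\
[**] [111:2:1] spp_stream4: possible EVASIVE RST detection [**]
05/02-20:58:16.599253 attack.target:13398 -> attack.source:26951
TCP TTL:59 TOS:0x10 ID:49947 IpLen:20 DgmLen:40 DF
***A*R** Seq: 0x5447766C Ack: 0x68534F74 Win: 0x364E TcpLen: 20

[**] [111:2:1] spp_stream4: possible EVASIVE RST detection [**]
05/02-20:58:16.512000 attack.target:13397 -> attack.source:21862
TCP TTL:59 TOS:0x10 ID:47366 IpLen:20 DgmLen:42 DF
***A*R** Seq: 0x55626D41 Ack: 0x726E5455 Win: 0x4733 TcpLen: 20
"""

if __name__ == "__main__":
    parsed = parse_snort_alerts(SAMPLE_ALERTS)
    for a in parsed:
        print(a["time"], a["src"], "->", a["dst"], sorted(a["flags"]), a["msg"])
    print(summarize(parsed))
```

The ACK+RST flag combination decoded here is what the "EVASIVE RST" message refers to: a reset that stream4 judged not to belong to the tracked connection state, which is worth counting per source because a burst of them against one host is a stronger signal than any single alert.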

Possible Solutions To The Vulnerability
  • Use a host-based IDS system on exposed systems. Host-based IDS systems are able to detect malicious activity by monitoring at the application layer, and are able to report on entries created in the system or access logs. Logsnorter is one such example [www.snort.org/dl/contrib./logsnorter-0.2.tar.gz].
  • Upgrade your NIDS software. Vendors are presently scrambling to address the issues created by Fragroute and will figure it out eventually.
References
Lemos, Robert. "New tool camouflages hacker programs." ZDNet Australia, 22 April 2002. http://www.zdnet.com.au/newstech/security/story/0,2000024985,20264745,00.htm

Mitre. Common Vulnerabilities and Exposures. 27 August 1999. http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0082

Ptacek, Thomas & Newsham, Timothy. "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection." Secure Networks, January 1998. http://www.insecure.org/stf/secnet_ids/secnet_ids.html

Roesch, Marty. News. 7 May 2002. www.snort.org/index.html

Song, Dug. "Fragroute(8)." http://www.monkey.org/~dugsong/fragroute/fragroute.8.txt

Timm, Kevin. "IDS Evasion Techniques and Tactics." SecurityFocus (Infocus), 7 May 2002. http://online.securityfocus.com/infocus/1577