IDS Weaknesses and Limitations (original article)
Created: 2002-06-24
Original author: mayi (mayi99_at_263.net)
Source: www.cnsafe.net
1 NIDS weaknesses and limitations
A NIDS detects and identifies unauthorized or abnormal activity by capturing packets from the network and analysing them.
1.1 Limitations of switched networks
1.1.1
In a shared (hub-based) network any host can sniff the whole segment, which is a serious threat to network security. Today's networks, and high-speed networks in particular, are therefore built on switches, and that makes it hard for a NIDS to listen to the traffic.
1.1.1.1 Switch monitor port
Better switches now support a monitor (mirror) port, so many NIDS are attached to such a port.
Hosts are usually connected to the switch in full duplex, so on a 100MB switch the two-way traffic of one port can reach 200MB, while the monitor port can carry at most 100MB; the switch therefore drops packets.
To save switch ports, one monitor port may be configured to mirror several other ports. Under normal load the monitor port can capture everything, but under attack the traffic may grow until the combined traffic of the mirrored ports exceeds the monitor port's maximum, and the switch drops packets.
When the switch is heavily loaded, the monitor port generally cannot keep up with the other ports, and again the switch drops packets.
Using a monitor port means more switch ports are needed, which may mean buying additional switches or even changing the network structure (for example, what used to be one VLAN on a single switch now has to be spread over two switches).
Many switches do not support port monitoring. Many network designs did not take monitoring into account, so the switches that were bought either do not support it or perform poorly at it, and the switch may have to be replaced when a NIDS is to be installed.
1.1.1.2 Shared hub
A shared hub is inserted into the network cable that is to be monitored, and the NIDS listens on the hub. For a small company, placing a NIDS between the company and the Internet in this way is relatively cheap and easy to implement.
Using a hub turns the host's network connection from full duplex into half duplex, and if the NIDS also sends data through the hub, the potential for collisions increases.
1.1.1.3 Network tap
A special device copies the data directly from the network cable. Two lines are produced (one per direction) and connected to a switch used for monitoring, and the NIDS is attached to that switch. This does not affect the existing network, but an extra switch is needed, the price is not cheap, and the monitor-port problem described above remains.
1.1.2 Network topology limitations
In a more complex network, carefully constructed packets can make the NIDS and the protected host receive packets whose content or order differs, thereby bypassing NIDS monitoring.
1.1.2.1 Other routes
For non-technical reasons there may be other routes to the protected host that bypass the NIDS (such as a forgotten modem that is not placed behind the NIDS).
If the IP source routing option is allowed, a route that bypasses the NIDS can be designed.
1.1.2.2 TTL
If the number of hops to the NIDS differs from the number of hops to the protected host, the TTL of a packet can be set carefully so that it reaches only the NIDS or only the host. The NIDS sensor and the protected host then receive different packets, and NIDS monitoring is bypassed.
1.1.2.3 MTU
If the MTU of the NIDS differs from that of the protected host (protected hosts vary, and their MTU settings are not all the same), a packet size between the two MTUs can be chosen with the don't-fragment flag set, so that the NIDS sensor and the protected host receive different packets, bypassing NIDS monitoring.
1.1.2.4 TOS
Some network devices act on the TOS option. If the network devices that the NIDS and the protected host are connected to treat TOS differently, carefully chosen TOS options cause the sensor and the protected host to receive packets in a different order, so the data the NIDS reassembles may not match what the protected host reassembles (especially for UDP), bypassing NIDS monitoring.
1.2 Limitations of NIDS detection methods
The commonly used detection methods are signature detection, anomaly detection, stateful inspection and protocol analysis. In practice most commercial intrusion detection systems combine several of them.
A NIDS cannot handle encrypted data. If the transmitted data is encrypted, even by a simple substitution, the NIDS has difficulty with it; SSH, HTTPS, password-protected compressed files and similar means effectively prevent NIDS detection.
A NIDS has difficulty detecting replay attacks and man-in-the-middle attacks, and can do nothing about network sniffing.
Current NIDS have difficulty detecting DDoS attacks effectively.
1.2.1 Limitations of system implementations
The protected hosts run a great variety of systems and programs, and even implementations of the same protocol differ. An intruder can exploit these differences either to gather information about a system (for example Nmap's TCP/IP fingerprinting to identify the operating system) or to choose an attack; the NIDS is unlikely to be familiar with all of these different implementations and can therefore be bypassed.
1.2.2 Limitations of anomaly detection
Anomaly detection usually relies on statistical methods.
Anomaly detection needs a large volume of raw audit records. A purely statistical intrusion detection system ignores intrusions that produce few audit records, or whose records show no statistical regularity, even when the intrusion has very obvious features.
Statistical methods can be trained to accept an intrusion pattern. An intruder who knows that his activity is being monitored can study the statistical methods of the IDS and the range of audit events it accepts, and then train it step by step so that its profile of normal activity drifts; eventually the intrusion is treated as a normal event.
As applications grow more complex, a simple statistical model cannot describe many of a subject's activities, while a complex statistical model cannot meet real-time requirements because of the computation it needs for detection.
The thresholds of statistical methods are hard to set: a value that is too small produces many false positives, and a value that is too large produces many misses. For example, if the system is configured to treat 200 half-open TCP connections per second as SYN flooding, an intruder who creates 199 half-open connections per second is not regarded as attacking.
1.2.2.1 Slow scans
Anomaly detection is often used to detect port scans and DoS attacks. A NIDS keeps traffic records only up to some upper limit (a time window); if the interval between probes exceeds that limit, the NIDS ignores the scan.
Although the limit can be configured to be very long, the longer it is the more resources the system needs, and the more vulnerable the NIDS becomes to DoS attacks against itself.
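The threshold problem above (199 half-open connections per second staying just under a 200/s rule) can be reproduced with a small simulation. The code below is an added example and is not part of the original article: it constructs SYN traffic, runs a per-second rate rule with the article's 200/s threshold, and then runs a state-based check that counts outstanding half-open connections instead of the SYN rate, which catches the sustained below-threshold attack because half-open connections accumulate. The backlog threshold of 1000, the 30-second half-open timeout and the traffic generator are assumed values and constructions of this example.

```python
"""Added example (not from the article): why a fixed per-second SYN
threshold is easy to stay under, and a state-based alternative that
counts outstanding half-open connections instead of the SYN rate."""

SYN_RATE_THRESHOLD = 200      # the article's example: 200 half-open/s = SYN flooding
BACKLOG_THRESHOLD = 1000      # assumed: outstanding half-open connections tolerated
HALF_OPEN_TIMEOUT = 30.0      # assumed: seconds an unanswered SYN stays in the table


def make_events(rate, seconds, complete):
    """Constructed traffic: `rate` new connections per second for `seconds`
    seconds. Each SYN is followed 0.05 s later by a completion event when
    `complete` is True (normal clients finish the handshake); an attacker's
    half-open connections never complete. Events are (time, kind, conn id)."""
    events = []
    conn = 0
    for sec in range(seconds):
        for i in range(rate):
            t = sec + i / rate
            events.append((t, "syn", conn))
            if complete:
                events.append((t + 0.05, "complete", conn))
            conn += 1
    events.sort()
    return events


def rate_detector(events, threshold=SYN_RATE_THRESHOLD):
    """Per-second bucket rule: return the seconds in which the SYN count
    exceeded `threshold`. A steady 199/s never trips it."""
    buckets = {}
    for t, kind, _ in events:
        if kind == "syn":
            buckets[int(t)] = buckets.get(int(t), 0) + 1
    return sorted(sec for sec, n in buckets.items() if n > threshold)


def backlog_detector(events, threshold=BACKLOG_THRESHOLD, timeout=HALF_OPEN_TIMEOUT):
    """State-based rule: keep a table of SYNs not yet completed (entries
    expire after `timeout`) and alert when it holds more than `threshold`
    entries. Returns the time of the first alert, or None."""
    pending = {}                      # conn id -> time of its SYN
    for t, kind, conn in events:
        expired = [c for c, t0 in pending.items() if t - t0 > timeout]
        for c in expired:
            del pending[c]
        if kind == "syn":
            pending[conn] = t
        elif kind == "complete":
            pending.pop(conn, None)
        if len(pending) > threshold:
            return t
    return None


if __name__ == "__main__":
    attack = make_events(199, 10, complete=False)     # just under the article's threshold
    normal = make_events(150, 10, complete=True)
    print("rate rule on attack:   ", rate_detector(attack))       # []
    print("backlog rule on attack:", backlog_detector(attack))    # alert shortly after t=5
    print("rate rule on normal:   ", rate_detector(normal))       # []
    print("backlog rule on normal:", backlog_detector(normal))    # None
```

The rate rule sees only how fast SYNs arrive, so any attacker who reads the threshold can pace below it; the backlog rule measures the state the attack actually consumes (connections that never complete), so the same traffic trips it after about five seconds while completed, normal connections never accumulate. The backlog threshold still has to be chosen, but it is tied to the resource being protected rather than to an arbitrary rate.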
1.2.3 Limitations of signature detection
Updates to detection rules always lag behind the attacks. Today, when a new vulnerability is published on the Internet, the attack method and code can be found online the next day, but on average it takes several days for the corresponding detection rule to be written. Between the discovery of a new intrusion method and the user's upgrade of the rule base or knowledge base there is a gap during which a dedicated intruder has ample time to attack.
Many published attacks have no corresponding detection rule, or the rule has a high false-positive rate. More and more hackers tend not to disclose the vulnerabilities they find, which makes it hard to characterise those attacks.
At present new rules are mostly written by the vendor or by volunteers and downloaded by users; user-defined rules are rare. This is convenient for users but also for intruders: an intruder can examine all the rules and choose an intrusion method that they do not detect, greatly reducing the probability of being discovered by the NIDS.
Current rules are mostly derived from the hacking tools and methods published on the network, but many hacking tools are released with source code, and an intruder can simply modify the source (hackers often modify Trojan horse code, for example) to produce an attack variant that bypasses NIDS detection.
1.2.4 Limitations of protocol handling
For application-layer protocols a typical NIDS does only simple processing of common ones such as HTTP, FTP and SMTP; many protocols are not handled at all, and it is unlikely that all of them could be. Attacks against unusual or user-defined protocols can easily bypass NIDS inspection.
1.2.5 Attack variants
1.2.5.1 HTTP attack variants
Duplicate directory separators: "/" becomes "//".
Current directory: "/cgi-bin/phf" becomes "/cgi-bin/./phf".
Parent directory: "/cgi-bin/phf" becomes "/cgi-bin/xxx/../phf".
URL encoding: "/cgi-bin/" becomes "%2fcgi-bin/".
TAB used instead of space as the separator.
NULL method: "GET%00/cgi-bin/phf".
Methods other than GET, such as POST.
Changed parameter order, added unneeded parameters.
For IIS there are also the following:
DOS/Windows directory separators: "/winnt/system32/cmd.exe" becomes "/winnt\system32\cmd.exe".
Case conversion: cmd.exe becomes CMD.EXE.
IIS second decoding: cmd.exe becomes %2563md.exe; %25 is decoded to "%", and then %63 is decoded to "c".
UNICODE encoding: cmd.exe becomes %c0%63md.exe. UNICODE encoding is more complex, and only a handful of NIDS can decode it.
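A NIDS avoids most of the HTTP variants listed above by normalising the request target before matching it against a signature, rather than matching the raw bytes. The code below is an added example and not code from the article: it splits the request line on any whitespace (so TAB works like space), percent-decodes the path (twice in IIS mode, to mirror the second decoding pass described above), maps backslashes to slashes and lowercases in IIS mode, maps a two-byte overlong UTF-8 sequence to the ASCII character it encodes (%c1%a3 for "c"), truncates at an embedded NUL, collapses repeated slashes and resolves "." and ".." components, and then matches the article's /cgi-bin/phf path regardless of method or parameters. The IIS-mode switch, the lenient decoder and the sample request lines are constructions of this example.

```python
"""Added example (not from the article): normalise an HTTP request target
before signature matching so the evasion variants collapse to one path."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

SIGNATURE = "/cgi-bin/phf"   # the path used in the article's examples


def decode_lenient_utf8(data: bytes) -> str:
    """Decode bytes the way a permissive server might: a 2-byte overlong
    UTF-8 sequence (lead byte 0xC0/0xC1 plus a continuation byte) is mapped
    to the ASCII character it encodes, e.g. %c1%a3 -> 'c'; every other byte
    is taken as Latin-1."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize_path(target: str, iis_style: bool = False) -> str:
    """Canonical form of the path part of a request target. iis_style adds
    the IIS-specific steps: a second percent-decoding pass, backslash as a
    separator and case-insensitive names."""
    path = target.split("?", 1)[0]          # query parameters are matched separately
    data = unquote_to_bytes(path)           # %2f -> '/', %00 -> NUL, %c1 -> 0xC1 ...
    if iis_style:
        data = unquote_to_bytes(data)       # IIS second decode: %2563 -> %63 -> 'c'
    path = decode_lenient_utf8(data)
    if iis_style:
        path = path.replace("\\", "/").lower()
    path = path.split("\x00", 1)[0]         # treat an embedded NUL as end of path
    path = re.sub(r"/+", "/", path)         # '//' -> '/'
    return posixpath.normpath(path)         # resolves '.' and 'xxx/..'


def parse_request_line(line: str, iis_style: bool = False):
    """Return (METHOD, normalised path) or None. str.split() treats TAB and
    SPACE alike, so a TAB-separated request line parses the same way."""
    parts = line.strip().split()
    if len(parts) < 2:
        return None
    return parts[0].upper(), normalize_path(parts[1], iis_style)


def matches_signature(line: str, iis_style: bool = False, signature: str = SIGNATURE) -> bool:
    """Match on the canonical path, so method and parameter order do not matter."""
    parsed = parse_request_line(line, iis_style)
    return parsed is not None and signature in parsed[1]


# Constructed request lines covering the variants listed in the article.
SAMPLE_VARIANTS = [
    "GET //cgi-bin/phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET /cgi-bin/xxx/../phf HTTP/1.0",
    "GET %2fcgi-bin/phf HTTP/1.0",
    "GET\t/cgi-bin/phf\tHTTP/1.0",
    "POST /cgi-bin/phf?b=2&a=1&junk=x HTTP/1.0",
    "GET /cgi-bin/phf%00.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_VARIANTS:
        print(repr(line), "->", matches_signature(line))          # all True
    for raw in ("/winnt\\system32\\CMD.EXE", "/winnt/system32/%2563md.exe", "/scripts/%c1%a3md.exe"):
        print(raw, "->", normalize_path(raw, iis_style=True))     # all end in cmd.exe
```

The order of the steps matters: decoding has to happen before the path components are resolved (otherwise %2f hides a separator), and the IIS steps are only applied when the protected server is IIS, because on a case-sensitive Unix server CMD.EXE and cmd.exe are genuinely different names. This is the same point the article makes in 1.2.1 about system implementations: the normalisation has to match what the protected host does, not what the NIDS author assumes.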
1.2.5.2 Telnet attack variants
Use of the Backspace key.
Use of the Tab key to complete commands.
Use of a shell to execute the attack code.
Use of macros.
Addition of a useless argument.
In fact, once the attacker is connected to the server via Telnet, a local attack is very hard for a NIDS to detect.
1.2.6 Limitations of the TCP/IP protocols
The design of TCP/IP did not give much consideration to security, so the security of today's IPv4 is worrying. Besides the problems caused by network structure discussed above, there are the following limitations.
1.2.6.1 IP fragmentation
Some NIDS cannot reassemble IP fragments, or their reassembly capacity can be exceeded, so fragmentation can be used to bypass the NIDS.
An IP datagram can be split into up to 8192 fragments; the maximum number of fragments a NIDS can reassemble is one of its performance parameters.
Each time a NIDS receives the first fragment of a new IP datagram it starts a reassembly process, which it closes when reassembly completes or times out (a typical timeout is 15 seconds); the number of reassembly processes it can run simultaneously is another performance parameter.
The maximum IP datagram is 64K. When preparing to receive a datagram the NIDS reserves enough memory for the fragments still to come, so the largest datagram it can reassemble is a third performance parameter.
Combining the three: within the timeout (for example 15 seconds) the NIDS must be able to reassemble simultaneously some number of datagrams of the maximum size (for example 64K).
If the packets the NIDS receives exceed this limit, it cannot avoid dropping packets; this is what happens in a DoS attack.
1.2.6.2 Overlapping IP fragments
When reassembling IP fragments, operating systems handle overlapping fragments differently: some favour the fragment that arrived first (Windows and Solaris), others the fragment that arrived later (BSD and Linux). If the overlapping fragments carry different data, and the NIDS resolves the overlap differently from the protected host, the datagram reassembled by the NIDS differs from the one reassembled by the protected host, and NIDS detection is bypassed.
For example, the TCP or UDP destination port can be overlapped, which gets through the overwhelming majority of firewalls and may bypass the NIDS.
The TCP flags can be overlapped so that the NIDS fails to detect the TCP FIN packet correctly, and the number of TCP connections the NIDS monitors at once quickly reaches its maximum; or so that the NIDS fails to detect the TCP SYN packet correctly, and the NIDS does not see the TCP connection at all.
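The two reassembly policies described above can be run side by side on the same fragments. The code below is an added example and not the article's code: a toy reassembler that takes fragments as (byte offset, data) pairs and applies either a "first fragment wins" policy (the Windows/Solaris behaviour the article describes) or a "last fragment wins" policy (BSD/Linux), showing that one pair of overlapping fragments yields two different datagrams. It also includes the check a NIDS can make instead of guessing the host's policy, flagging overlaps whose bytes conflict (a genuine retransmitted fragment repeats identical data), and, for the three parameters from 1.2.6.1, a helper that turns the number of datagrams reassembled at once into a worst-case memory figure. The fragments and offsets are constructed for this example; the 64K maximum and 15-second timeout are the article's figures.

```python
"""Added example (not from the article): IP fragment reassembly under two
overlap policies, a conflicting-overlap check, and the reassembly memory
budget implied by the parameters in 1.2.6.1."""

MAX_DATAGRAM = 65535          # "the maximum IP datagram is 64K" (article)
REASSEMBLY_TIMEOUT = 15.0     # seconds, the typical timeout the article cites

# Constructed fragments: (byte offset, payload) in arrival order.
# Real IP fragment offsets are multiples of 8 bytes; 0 and 8 keep that property.
FRAGMENTS = [
    (0, b"GET /cgi-bin/phf"),   # 16 bytes, arrives first
    (8, b"/bin/xyz"),           # 8 bytes covering offsets 8..15, arrives second
]


def reassemble(fragments, policy):
    """Rebuild a datagram. policy='first': bytes placed earlier are kept
    (Windows/Solaris in the article); policy='last': a later fragment
    overwrites (BSD/Linux). Returns None if the datagram has a hole."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    total = max(off + len(data) for off, data in fragments)
    buf = bytearray(total)
    filled = [False] * total
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "last" or not filled[pos]:
                buf[pos] = b
                filled[pos] = True
    if not all(filled):
        return None
    return bytes(buf)


def has_conflicting_overlap(fragments):
    """True when two fragments cover the same offset with different bytes.
    A legitimately retransmitted fragment carries identical data, so a
    conflict is something a NIDS can alert on rather than silently resolve."""
    seen = {}
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if seen.get(pos, b) != b:
                return True
            seen[pos] = b
    return False


def reassembly_memory_bytes(concurrent_datagrams, max_datagram=MAX_DATAGRAM):
    """Worst-case buffer a NIDS must hold: each datagram it is reassembling
    at once may grow to the maximum size before the timeout expires."""
    return concurrent_datagrams * max_datagram


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(FRAGMENTS, policy))
    print("conflicting overlap:", has_conflicting_overlap(FRAGMENTS))
    print("bytes for 1000 concurrent datagrams:", reassembly_memory_bytes(1000))
```

With the "first" policy the datagram reads GET /cgi-bin/phf, with the "last" policy GET /cgi/bin/xyz: a NIDS that picks the wrong policy for the protected host inspects a request the host never sees. Alerting on conflicting overlaps sidesteps the guess, at the cost of noise if the network genuinely produces corrupted retransmissions; the memory helper makes the trade-off in 1.2.6.1 explicit, since every additional concurrent reassembly slot costs up to 64K.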
1.2.6.3 TCP segmentation
If the NIDS cannot reassemble TCP streams, splitting the data into TCP segments bypasses it.
Some unusual TCP segmentation confuses some NIDS.
1.2.6.4 TCP desynchronisation
Sending wrong TCP sequence numbers, sending duplicate sequence numbers, or sending segments in reverse order may bypass the NIDS.
1.2.6.5 OOB
If the attacker sends OOB (out-of-band) data and the application on the protected host can handle OOB, the NIDS cannot predict accurately how much of the OOB data the protected host will place in the normal data buffer, so the NIDS may be bypassed.
Some systems discard the first byte of the data when handling OOB (Linux and Apache do, IIS does not). By sending several TCP segments, some of them with the OOB option set, the data stream reassembled by the NIDS can be made to differ from what the application on the protected host sees, bypassing the NIDS.
1.2.6.6 T/TCP
If the target host can handle transactional TCP (which very few systems currently support), the attacker can send a TCP transaction that the NIDS may not process the same way as the application on the protected host, which may bypass the NIDS.
1.3 Limitations of resources and processing power
1.3.1 DoS attacks against the NIDS
1.3.1.1 High-volume traffic
The attacker sends large amounts of data to the protected network. The processing capacity of the NIDS is limited, so packets are dropped and intrusions may be missed.
The packet-capture capability of a NIDS depends on several factors. For example, with 1500-byte packets a NIDS may have more than 100MB/s, or even more than 500MB/s, of processing capacity; but if every packet is only 50 bytes, 100MB/s of traffic means 2,000,000 packets/s, which exceeds the capacity of most current network cards and switches.
1.3.1.2 IP fragment attacks
The attacker sends a large number of IP fragments to the protected network (the TARGA3 attack, for example), exceeding the number of fragments the NIDS can reassemble at once, so that attacks carried out through IP fragmentation are missed.
1.3.1.3 TCP connect flooding
The attacker creates or simulates a large number of TCP connections (which can be done with the IP fragment overlap method described above), exceeding the maximum number of TCP connections the NIDS can monitor, so that the remaining TCP connections are not monitored.
1.3.1.4 Alert flooding
The attacker can study the rules published on the network and, while attacking, deliberately send large amounts of data that trigger NIDS alerts (the stick attack, for example). This may exceed the rate at which the NIDS can send alerts, so that alerts are lost, and the network receives so many alerts that a real attack is hard to pick out.
If 100 bytes are enough to generate an alert, a dial-up Internet connection can generate 50 alerts per second and a 10M LAN 10000 alerts per second.
1.3.1.5 Log flooding
The attacker sends massive amounts of data that trigger NIDS alerts; eventually the NIDS log runs out of space, or earlier log records are deleted.
1.3.2 Memory and disk limitations
Improving the IP fragment reassembly and TCP connection monitoring capacity of a NIDS requires more memory for buffering. If the memory allocation and management of the NIDS is poor, the system may consume a great deal of memory in certain special cases, and once it starts using virtual memory, thrashing may occur.
Disk speed is usually far lower than network speed. If the system writes a large number of alert records to disk it consumes much of its processing capacity, and if it records the raw network data, storing large volumes of high-speed network data requires expensive high-capacity RAID.
1.4 Vulnerabilities of systems related to the NIDS
The NIDS itself should be highly secure: the network card used for monitoring usually has no IP address, and the other cards open no ports. But the systems related to the NIDS may be attacked.
1.4.1 Console host security vulnerabilities
Some systems have a separate console; an attacker who controls the host the console runs on controls the whole NIDS.
1.4.2 Sensor-console communication vulnerabilities
If the communication between sensor and console can be attacked, a successful attack disrupts normal operation of the system, for example through ARP spoofing or SYN flooding.
If the communication between sensor and console is in cleartext or uses only simple encryption, it may be subject to IP spoofing or replay attacks.
1.4.3 Vulnerabilities in communication with alerting and other related devices
If the attacker successfully attacks the alerting system or other related equipment, such as mail servers, delivery of alert messages is affected.
2 HIDS weaknesses and limitations
2.1 Resource limitations
A HIDS is installed on the host it protects and therefore cannot use too many of its resources, which greatly limits the detection methods it can use and its processing performance.
2.2 Operating system limitations
Unlike a NIDS, whose vendor can customise a sufficiently secure operating system to ensure the security of the NIDS itself, a HIDS is bounded by the security of the host's operating system: if the host is compromised, the HIDS is soon removed. A stand-alone HIDS can basically detect only unsuccessful attacks; a HIDS with a sensor/console structure faces the same attacks on related systems as a NIDS.
Some HIDS consider improving the security of the operating system itself (LIDS, for example).
2.3 Logging limitations
A HIDS detects suspicious behaviour by monitoring the system log, but some programs' logging is not detailed enough or absent altogether, and some intrusions involve no program that writes a log at all.
If no third-party logging system is installed, the system's own logging is soon attacked or modified by the intruder, and intrusion detection systems typically do not support third-party logging systems.
If the HIDS does not check the system log in real time, an automated attack tool can complete the whole attack within the check interval and clear its traces from the system log.
2.4 Kernel modification to defeat file checks
If the intruder modifies the system kernel, tools based on file integrity checking can be fooled. This is like some early viruses, which, when they believed they were being examined or traced, presented the original file or data to the checking or tracing tool.
2.5 Network detection limitations
Some HIDS can check network status, but then face many of the same problems as a NIDS.