The Center for Education and Research in Information Assurance and Security (CERIAS)

Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection

Author

T. Ptacek,T.N. Newsham

Entry type

techreport

Abstract

All currently available network intrusion detection (ID) systems rely upon a mechanism of data collection--passive protocol analysis--which is fundamentally flawed. In passive protocol analysis, the intrusion detection system (IDS) unobtrusively watches traffic on the network, and scrutinizes it for patterns of suspicious activity. We outline in this paper two basic problems with the reliability of passive protocol analysis: (1) there isn't enough information on the wire on which to base conclusions about what is actually happening on networked machines, and (2) the fact that the system is passive makes it inherently "fail-open", meaning that a compromise in the availability of the IDS doesn't compromise the availability of the network. We define three classes of attacks which exploit these fundamental problems--insertion, evasion, and denial of service--and describe how to apply these three types of attacks to IP and TCP protocol analysis. We present the results of the tests of the efficacy of our attacks against four of the most popular network intrusion detection systems on the market. All of the ID systems tested were found to be vulnerable to each of our attacks. This indicates that network ID systems cannot be fully trusted until they are fundamentally redesigned.

Institution

Secure Networks Inc.

Key alpha

Ptacek

Publication Date

0000-00-00

Location

A hard-copy of this is in the Papers Cabinet

BibTeX-formatted data

To refer to this entry, you may select and copy the text below and paste it into your BibTeX document. Note that the text may not contain all macros that BibTeX supports.