Defeating an IDS
Intrusion detection systems are extremely helpful tools that aid
security administrators in the ever-evolving task of securing the network. Using
a variety of techniques previously discussed, these systems can monitor and
alert the security team in many potentially harmful situations. This does not
imply, however, that IDS are invincible. The art of managing intrusion detection
systems is not simple and requires constant effort and attention.
We have already discussed several limitations of each type of
intrusion detection system. All varieties can suffer from information overload
in bandwidth-intensive networks, and most IDS require constant tuning and
support. For instance, if signature-based IDS are not updated with the latest,
most prevalent attack signatures, they will be ineffective against newly
discovered vulnerabilities. Likewise, should new network applications be added
or altered on the network, anomaly-based IDS must again run baselines against
the new "normal" network state. Even if IDS are properly maintained and updated,
the security team must respond properly and quickly to security events,
otherwise the IDS is useless.
Network IDS must be positioned properly in the network and the
network infrastructure must be appropriately configured to deliver traffic to
the IDS. In most modern networks and certainly in large network environments,
one IDS will not suffice. Multiple IDS (and oftentimes, multiple types of IDS)
are therefore required for effective detection coverage, which necessitates good
management practices and potentially, the use of IDS event correlation and
aggregation servers.
There also exist methods by which an attacker may render IDS
ineffective. These include DoS attacks directed at IDS infrastructure and other
more focused attacks. For instance, if a hacker overloads a network with decoy
attack signatures, he or she may be able to secretly exploit other code
simultaneously and remain undetected by the IDS.
Another way attackers may elude IDS is through a technique known as
session slicing. This occurs when a malicious payload is delivered over multiple
packets, which can defeat simple pattern- or signature-matching mechanisms that
inspect each packet in isolation. Oftentimes, this payload can be delivered over
long periods of time using various means, which leads to another weakness of
IDS: slow scanning. Many IDS do not recognize attacks that occur over extended
periods of time. If an attacker is patient enough, he or she may be able to
elude IDS simply by working slowly.
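The following is an added, detection-side illustration of the two blind spots just described; it is example code written for this section, not code from the original text. It assumes a simplified packet model (flow key, TCP sequence number, payload) and a constructed content signature, and all packets, addresses and timestamps are constructed. The first half shows that matching each packet on its own misses a payload split across segments, while matching the reassembled stream catches it; the second half shows that the same sliding-window port-scan detector misses a patient scanner with a short window and catches it with a long one.

```python
"""Added example: why stream reassembly and long observation windows matter.
The packet model, the signature and all sample data are constructed for
illustration; they are not from any real capture or IDS rule set."""
import re
from collections import defaultdict

# Constructed content signature a simple pattern-matching IDS might use.
SIGNATURE = re.compile(rb"cmd\.exe /c")

# A packet is (flow_key, tcp_sequence_number, payload_bytes).
FLOW = ("10.0.0.5", 40211, "10.0.0.9", 80)
# Constructed session-sliced delivery: the string is split across three
# segments that also arrive out of order (sequence numbers are consistent
# with the payload lengths: 10 + 10 -> 20, 20 + 5 -> 25).
SLICED_PACKETS = [
    (FLOW, 10, b"GET /?x=cm"),
    (FLOW, 25, b" /c dir HTTP/1.0\r\n"),
    (FLOW, 20, b"d.exe"),
]


def match_per_packet(packets):
    """Naive detector: test each packet's payload in isolation."""
    return sorted({flow for flow, _, payload in packets if SIGNATURE.search(payload)})


def reassemble(packets):
    """Order each flow's segments by sequence number and join the payloads,
    so the detector inspects the byte stream the receiving host will see."""
    segments = defaultdict(list)
    for flow, seq, payload in packets:
        segments[flow].append((seq, payload))
    return {flow: b"".join(p for _, p in sorted(segs))
            for flow, segs in segments.items()}


def match_reassembled(packets):
    """Stream-aware detector: match against the reassembled flow."""
    return sorted(flow for flow, data in reassemble(packets).items()
                  if SIGNATURE.search(data))


def slow_scan_sources(events, window_seconds, port_threshold):
    """events: (timestamp_seconds, src_ip, dst_port). Return sources that
    contacted more than port_threshold distinct ports within any sliding
    window of window_seconds. A short window misses a patient scanner."""
    per_src = defaultdict(list)
    for ts, src, port in events:
        per_src[src].append((ts, port))
    flagged = []
    for src, probes in per_src.items():
        probes.sort()
        in_window = defaultdict(int)  # port -> probes currently inside the window
        start = 0
        for ts, port in probes:
            in_window[port] += 1
            # Drop probes that have aged out of the window.
            while ts - probes[start][0] > window_seconds:
                old_port = probes[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            if len(in_window) > port_threshold:
                flagged.append(src)
                break
    return sorted(flagged)


# Constructed slow scan: one port every ten minutes, twelve ports in two hours,
# plus a benign host that talks only to port 443 on the same schedule.
SLOW_SCAN_EVENTS = [(i * 600, "192.0.2.77", 20 + i) for i in range(12)]
SLOW_SCAN_EVENTS += [(i * 600 + 30, "192.0.2.10", 443) for i in range(12)]

if __name__ == "__main__":
    print("per-packet hits      :", match_per_packet(SLICED_PACKETS))
    print("reassembled hits     :", match_reassembled(SLICED_PACKETS))
    print("60 s window, >5 ports:", slow_scan_sources(SLOW_SCAN_EVENTS, 60, 5))
    print("2 h window, >5 ports :", slow_scan_sources(SLOW_SCAN_EVENTS, 7200, 5))
```

The per-packet detector returns nothing for the sliced flow, while the reassembled stream contains the full string and is flagged; the scan detector reports nothing with a 60-second window but flags 192.0.2.77 with a two-hour window, and never flags the host that only ever contacts port 443. Real sensors reassemble streams and keep long-lived per-source state for the same reasons, at the cost of memory and of having to decide how long to retain that state.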
IDS can also be bypassed by changing the default manner in which
applications or network communications operate. For instance, if a
signature-based system is looking for Back Orifice connections on TCP port
31337, a hacker might simply change the TCP port to avoid detection. Similarly,
if an attacker changes the sequence of exploit events, he or she may not trigger
common network signature alert routines.
Finally, proxy attacks and spoofing are ways in which attack
traffic may appear from internal, trusted hosts and may, therefore, be ignored
by IDS.