Network IPS Evasion Techniques
As discussed in the previous section, there are a number of methods to analyze attacks, but to better analyze and choose anti-evasion countermeasures it is important to understand the various evasion techniques used by attackers. Network attackers often use network IPS evasion techniques to attempt to bypass the intrusion detection, prevention, and traffic filtering functions provided by network IPS sensors. Some commonly used network IPS evasion techniques are listed below:
- Encryption and Tunneling
- Timing Attacks
- Resource Exhaustion
- Traffic Fragmentation
- Protocol-level Misinterpretation
- Traffic Substitution and Insertion
Encryption and Tunneling
One common method of evasion used by attackers is to avoid detection simply by encrypting the packets or putting them in a secure tunnel. As discussed several times already, IPS sensors monitor the network and capture the packets as they traverse the network, but network-based sensors rely on the data being transmitted in plaintext. When the packets are encrypted, the sensor captures the data but is unable to decrypt it and cannot perform meaningful analysis. This assumes the attacker has already established a secure session with the target network or host. Some examples that can be used for this method of encryption and tunneling are:
- Secure Shell (SSH) connection to an SSH server
- Client-to-LAN IPSec (IP Security) VPN (virtual private network) tunnel
- Site-to-site IPSec VPN tunnel
- SSL (Secure Sockets Layer) connection to a secure website
There are other types of encapsulation that the sensor cannot analyze and unpack, and attackers often use them in an evasion attack. For example, GRE (Generic Routing Encapsulation) tunnels are often used, with or without encryption.
Timing Attacks
Attackers can evade detection by performing their actions more slowly than normal, never exceeding the thresholds inside the time windows the signatures use to correlate different packets together. These evasion attacks can be mounted against any correlating engine that uses a fixed time window and a threshold to classify multiple packets into a composite event. An example of this type of attack would be a very slow reconnaissance scan sending packets at an interval of a couple per minute. In this scenario the attacker would likely evade detection, even though it makes the scan possibly unacceptably long.
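The fixed-window-plus-threshold engine described above can be modelled in a few lines, which makes the blind spot concrete. The following is an added example, not code from the page or from any Cisco sensor: the correlator class, its window and threshold values, the source address and the probe streams are all constructed here for illustration. It shows a signature tuned for "15 probes within 60 seconds" firing on a fast scan, staying silent on a two-per-minute scan, and firing again once the correlation interval is widened to an hour, which is the configurable-interval knob the anti-evasion features later in this section refer to.

```python
"""Fixed-window threshold correlation and the slow-scan blind spot.

Added example, not code from the page or from any Cisco product: the
correlator, its parameters and the probe streams are constructed here
for illustration.
"""
from collections import defaultdict, deque


class WindowCorrelator:
    """Raise one composite alert when a source generates at least
    `threshold` events within any `window` seconds (sliding window)."""

    def __init__(self, window, threshold):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)  # source -> timestamps still inside the window
        self.alerts = []

    def observe(self, ts, src):
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append((src, ts))
            q.clear()  # start counting afresh after an alert
        return len(self.alerts)


def probe_stream(src, count, interval, start=0.0):
    """Constructed reconnaissance traffic: `count` probes, `interval` seconds apart."""
    return [(start + i * interval, src) for i in range(count)]


def alert_count(window, threshold, events):
    """Feed a (timestamp, source) stream through a fresh correlator and
    return how many composite alerts it raised."""
    corr = WindowCorrelator(window, threshold)
    for ts, src in sorted(events):
        corr.observe(ts, src)
    return len(corr.alerts)


if __name__ == "__main__":
    src = "192.0.2.10"  # constructed source address (documentation range)
    fast = probe_stream(src, 100, 0.1)  # 10 probes per second
    slow = probe_stream(src, 100, 30)   # 2 probes per minute
    # Signature tuned for "15 probes within 60 seconds":
    print("fast scan, 60 s window:", alert_count(60, 15, fast))   # 6 alerts
    print("slow scan, 60 s window:", alert_count(60, 15, slow))   # 0 alerts: evaded
    # Same threshold over a one-hour window (the configurable-interval knob):
    print("slow scan, 1 h window:", alert_count(3600, 15, slow))  # 6 alerts
```

The trade-off is visible in the data structure: widening the window means the sensor must hold more timestamps per source for longer, which is exactly the memory pressure a resource-exhaustion attack targets, and an attacker can always slow down further. That is why the section later recommends pushing long-horizon correlation to an external system such as Cisco Security MARS rather than into the sensor's real-time path.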
Resource Exhaustion
A common method of evasion used by attackers is extreme resource consumption; to the attacker it does not matter whether the resulting denial is against the device itself or against the personnel managing the device. Specialized tools can be used to create a large number of alarms that consume the resources of the IPS device and prevent attacks from being logged. These attacks can overwhelm the management system or server, the database server, or the out-of-band (OOB) network. Attacks of this nature can also succeed if they only overwhelm the administrative staff, who do not have the time or skill necessary to investigate the numerous false alarms that have been triggered.
Intrusion detection and prevention systems rely on their ability to capture packets off the wire and analyze them quickly, but this requires that the sensor have adequate memory capacity and processor speed. The attacker can cause an attack to go undetected by flooding the network with noise traffic and causing the sensor to capture unnecessary packets. Even if the attack is detected, the sensor may be unable to respond in a timely manner because its resources are exhausted.
Traffic Fragmentation
Fragmentation of traffic was one of the early network IPS evasion techniques used to attempt to bypass the network IPS sensor. Any evasion attempt where the attacker splits malicious traffic to avoid detection or filtering is considered a fragmentation-based evasion. It works by:
- Bypassing the network IPS sensor if it does not perform any reassembly at all.
- Reordering split data if the network IPS sensor does not correctly order it in the reassembly process.
- Confusing the network IPS sensor's reassembly methods which may not reassemble split data correctly and result in missing the malicious payload associated with it.
A few classic examples of fragmentation-based evasion are below:
- TCP segmentation and reordering, where the sensor must correctly reassemble the entire TCP session, including possible corner cases such as selective ACKs and selective retransmission.
- IP fragmentation, where the attacker fragments all traffic if the network IPS does not perform reassembly. Most sensors do perform reassembly, so the attacker instead fragments the IP traffic in a manner that cannot be uniquely interpreted. This causes the sensor to interpret it differently from the target, which leads to the target being compromised.
Within the same class of fragmentation attacks there is a subclass involving overlapping fragments. In overlapping fragments the offset values in the IP headers do not line up as they should, so one fragment overlaps another. The IPS sensor may not know how the target system will reassemble these packets, and different operating systems typically handle this situation differently.
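The ambiguity is easiest to see with the reassembly written out. The following is an added example, not code from the page or from any sensor product: fragments are modelled as (offset, data) pairs in arrival order, and the two reassembly policies, the per-host policy table and the fragment set are constructed here for illustration. It shows the same fragments producing two different byte streams depending on whether the overlapped position keeps the first or the last data received, why a sensor has to reassemble the way the destination host does (target-based reassembly), and that conflicting overlap is detectable on its own, whichever policy applies.

```python
"""Overlapping-fragment reassembly and why the sensor must use the
target's policy.

Added example, not code from the page: fragments are (offset, data)
pairs in arrival order, and the two policies and host table are
constructed here for illustration.
"""


def reassemble(fragments, policy):
    """Rebuild the payload. For a byte position covered by more than one
    fragment, policy "first" keeps the data that arrived first and
    policy "last" lets later fragments overwrite it."""
    if policy not in ("first", "last"):
        raise ValueError("unknown policy")
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    if not buf:
        return b""
    length = max(buf) + 1
    if len(buf) != length:
        raise ValueError("gap in fragment coverage")
    return bytes(buf[pos] for pos in range(length))


def conflicting_overlap(fragments):
    """True when two fragments cover the same position with different
    data: the ambiguous case a sensor should flag regardless of policy."""
    seen = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            if seen.setdefault(offset + i, byte) != byte:
                return True
    return False


# Constructed per-host reassembly behaviour the sensor has been told about.
HOST_POLICY = {"192.0.2.5": "first", "192.0.2.6": "last"}


def target_view(fragments, dst):
    """Reassemble the way the destination host would (target-based
    reassembly), falling back to "first" for unknown hosts."""
    return reassemble(fragments, HOST_POLICY.get(dst, "first"))


def inspect(fragments, dst, pattern):
    """Return (pattern present in the target's view, ambiguous overlap present)."""
    return pattern in target_view(fragments, dst), conflicting_overlap(fragments)


# Constructed fragment set: two fragments claim offset 5 with different data.
FRAGS = [(0, b"user="), (5, b"alice"), (5, b"bob  ")]

if __name__ == "__main__":
    print(reassemble(FRAGS, "first"))           # b'user=alice'
    print(reassemble(FRAGS, "last"))            # b'user=bob  '
    print(inspect(FRAGS, "192.0.2.6", b"bob"))  # (True, True)
    print(inspect(FRAGS, "192.0.2.5", b"bob"))  # (False, True)
```

The second return value of `inspect` is the practical lesson: even when the sensor's host table is incomplete, a fragment set that overlaps with conflicting data has no legitimate reason to exist, so it can be alerted on directly rather than guessed about.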
Protocol-level Misinterpretation
Attackers also evade detection by causing the network IPS sensor to misinterpret the end-to-end meaning of network protocols. In this scenario the sensor sees the traffic differently from the target, causing the sensor either to ignore traffic that it should not ignore, or vice versa. Two common examples are packets with a bad TCP checksum and IP TTL (Time-to-Live) attacks.
A bad TCP checksum could be used in the following manner. An attacker intentionally corrupts the TCP checksum of specific packets, thus confusing the state of a network IPS sensor that does not validate checksums. The attacker can send a good payload with a bad checksum: the sensor processes it, but most hosts will not. The attacker then follows with a bad payload with a good checksum. To the network IPS sensor this appears to be a duplicate, so it ignores it, but the end host now processes the malicious payload.
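The fix on the sensor side is to validate the TCP checksum exactly as the host does before feeding a segment to stream reassembly. The following is an added example, not code from the page or from any Cisco product: the segment builder, the checksum corruption, the toy per-flow reassembly and the addresses are constructed for illustration. It replays the sequence just described (payload A with a bad checksum, then payload B with a good checksum at the same sequence number) through the same reassembly logic with and without validation, and shows that only the validating sensor ends up with the same byte stream the host sees.

```python
"""TCP checksum validation in the sensor's reassembly path.

Added example, not code from the page: the segment builder, the toy
per-flow reassembly and the addresses are constructed for illustration.
"""
import ipaddress
import struct


def ones_complement_sum(data):
    """16-bit one's-complement sum used by the Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment."""
    pseudo = (ipaddress.IPv4Address(src_ip).packed
              + ipaddress.IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, 6, len(segment)))  # zero, protocol 6, TCP length
    return (~ones_complement_sum(pseudo + segment)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """A segment verifies when the checksum computed over it, checksum
    field included, comes out to zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def build_segment(src_ip, dst_ip, sport, dport, seq, payload):
    """Minimal 20-byte TCP header (PSH+ACK, no options) with a correct checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def corrupt_checksum(segment):
    """Add one to the checksum field so the host will discard the segment."""
    bad = (struct.unpack("!H", segment[16:18])[0] + 1) & 0xFFFF
    return segment[:16] + struct.pack("!H", bad) + segment[18:]


def reconstruct_stream(src_ip, dst_ip, segments, validate):
    """Toy reassembly: the first segment seen for a sequence number wins;
    a later one with the same seq is treated as a retransmission. With
    `validate` set, segments the host would discard are skipped first."""
    by_seq = {}
    for seg in segments:
        if validate and not checksum_ok(src_ip, dst_ip, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        by_seq.setdefault(seq, seg[20:])
    return b"".join(by_seq[s] for s in sorted(by_seq))


SRC, DST = "192.0.2.10", "192.0.2.20"  # constructed addresses
# Constructed sequence from the text: same seq, payload A with a bad checksum
# first, then payload B with a good checksum.
SEG_A_BAD = corrupt_checksum(build_segment(SRC, DST, 40000, 80, 1000, b"payload-A"))
SEG_B_GOOD = build_segment(SRC, DST, 40000, 80, 1000, b"payload-B")

if __name__ == "__main__":
    flow = [SEG_A_BAD, SEG_B_GOOD]
    print(reconstruct_stream(SRC, DST, flow, validate=False))  # b'payload-A' (non-validating sensor)
    print(reconstruct_stream(SRC, DST, flow, validate=True))   # b'payload-B' (what the host sees)
```

The same principle applies to the TTL case that follows: the sensor's view of a stream is only trustworthy when every packet it counts is one the host will actually accept.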
The IP TTL field in packets presents a problem to the network IPS sensor because there is no easy way to know the number of hops from the sensor to the end point of an IP session stream. Attackers can take advantage of this, after some reconnaissance, by sending a packet with a very short TTL that passes through the network IPS fine but is dropped by a router between the sensor and the target host when the TTL reaches zero. The attacker may then follow by sending a malicious packet with a long TTL, which makes it to the end host or target. To the sensor the packet looks like a retransmission or duplicate packet from the attacker, but to the host or target this is the first packet that actually reached it. The result is a compromised host, and the network IPS sensor ignored or missed the attack.
Traffic Substitution and Insertion
Another class of evasion attacks includes traffic substitution and insertion. Traffic substitution is when the attacker attempts to substitute payload data with other data in a different format but with the same meaning. A network IPS sensor may miss such malicious payloads if it looks for data in a particular format and does not recognize the true meaning of the data. Some examples of substitution attacks are below:
- Substitution of spaces with tabs, and vice versa, for example inside HTTP requests.
- Using Unicode instead of ASCII strings and characters inside HTTP requests.
- Exploit mutation, where specific malicious shellcode (executable exploit code that forces the target system to execute it) can be substituted by completely different shellcode with the same meaning and thus consequences on the end host or target.
- Exploiting case sensitivity by changing the case of characters in a malicious payload, if the network IPS sensor is configured with case-sensitive signatures.
Insertion attacks act in the same manner in that the attacker inserts additional information that does not change the payload meaning into the attack payload. An example would be the insertion of spaces or tabs into protocols that ignore such sequences.
Unicode provides a unique identifier for every character in every language to facilitate uniform computer representation of the world's languages. Unicode is managed by the Unicode Consortium and has been adopted by the majority of information technology industry leaders. Modern standards including Java, LDAP (Lightweight Directory Access Protocol), and XML require Unicode. Many operating systems and applications support Unicode. Unicode characters, known as code points, are written as U+xxxx where x is a hexadecimal digit.
UTF-8 is the Unicode Transformation Format that serializes a Unicode code point as a sequence of one to four bytes, as defined by the Unicode Consortium in its "Corrigendum to Unicode 3.0.1." UTF-8 provides a way to encode Unicode code points while remaining compatible with ASCII, which is the common representation of text on the Internet.
Even though the Unicode specification dictates that distinct code points should be treated differently, there are times when the application or operating system assigns the same interpretation to different code points.
Cisco's Unicode de-obfuscation handles the following variations, though there are many different implementations of Unicode decoding (including some "free interpretations"):
- Ambiguous bits - Some decoder implementations ignore certain bits in the encoding. For example, an application will treat %A9 and %C9 identically, discarding the fifth bit in a UTF8 two octet encoding.
- Alternate code pages - Most Windows-based personal computers have extended Latin code pages loaded. Typically when an extended character is processed it is normalized to an ASCII equivalent character.
- Self-referencing directories - The directory name "test/././app" refers to the same path as "test/app".
- Double Encoding - The code point passes through two levels of encoding. The base encoding can be either a single-octet UTF-8 or Unicode %U encoding (without variation). The second encoding can encode each octet of the base encoding with any encoding method and variation. When this is used, a single character can be encoded in many unique ways, such as listed below:
  - "%" can be represented at least 140 ways.
  - "x" can be represented at least 1000 ways on average.
  - "U" can be represented at least 3260 ways.
- Multiple directory delimiters - Some operating systems will treat "/" and "\" equivalently as directory delimiters. Repeated directory delimiters are also ignored.
- Unencoded octets mixed with encoded octets in a UTF-8 sequence - Any octet except the first octet in a UTF-8 sequence can be an unencoded value. A good example of this is the value 0x123, represented in UTF-8 as %E0%84%A3; the 0x84 octet, rather than being percent-encoded, can also be sent as a raw byte within the sequence.
- Microsoft base-36 - Older versions of Microsoft's UTF-8 decoder accept 36 characters (A-Z and 0-9) as valid hexadecimal characters in the UTF-8 encoding instead of the normal 16 characters (A-F and 0-9). This is often referred to as a decoder implementation error.
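The point of the list above, and of the data normalization feature summarised later in this section, is that the sensor must bring a request into one canonical form before any signature is compared against it. The following is an added example, not Cisco's code or code from the page: it is a small normalizer that models a subset of the variations listed (percent and %u encoding, double encoding, overlong UTF-8 and mixed raw/encoded octets, backslash and repeated delimiters, self-referencing directories, and case folding). The ambiguous-bit, alternate-code-page and base-36 variations are not modelled, and the sample paths are constructed. Every differently encoded spelling of the same path collapses to one string, which is what lets a single canonical signature match all of them.

```python
"""Data normalization (de-obfuscation) before signature matching.

Added example, not Cisco's code or code from the page. Models a subset of
the decoder variations discussed in the text; sample inputs are constructed.
"""
import re

PCT = re.compile(r"%([0-9A-Fa-f]{2})")
UPCT = re.compile(r"%[uU]([0-9A-Fa-f]{4})")


def lenient_utf8(data):
    """Decode UTF-8 the way permissive decoders do: overlong forms such as
    E0 84 A3 for U+0123 are accepted, and bytes that do not form a valid
    sequence pass through as single code points."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 3, b & 0x07
        else:  # stray continuation byte or invalid lead byte
            n, cp = -1, b
        if n < 0 or i + n >= len(data) or any(data[i + k] & 0xC0 != 0x80 for k in range(1, n + 1)):
            out.append(chr(b))  # not a complete sequence: pass the octet through
            i += 1
            continue
        for k in range(1, n + 1):
            cp = (cp << 6) | (data[i + k] & 0x3F)
        out.append(chr(cp))
        i += n + 1
    return "".join(out)


def to_octets(s):
    """Characters below U+0100 are treated as raw octets; anything already
    decoded to a wider code point is re-encoded as UTF-8."""
    return b"".join(bytes([ord(c)]) if ord(c) < 0x100 else c.encode("utf-8") for c in s)


def decode_layer(s):
    """One decoding pass: %uXXXX -> UTF-8 octets of that code point,
    %XX -> raw octet, then a lenient UTF-8 decode of the octet stream."""
    s = UPCT.sub(lambda m: "".join(chr(b) for b in chr(int(m.group(1), 16))
                                   .encode("utf-8", "surrogatepass")), s)
    s = PCT.sub(lambda m: chr(int(m.group(1), 16)), s)
    return lenient_utf8(to_octets(s))


def normalize(raw, max_layers=3):
    """Canonical form of a request path: decode until stable (bounded, so
    double encoding is unwrapped), then fix up delimiters and case."""
    s = raw
    for _ in range(max_layers):
        nxt = decode_layer(s)
        if nxt == s:
            break
        s = nxt
    s = s.replace("\\", "/")       # "\" and "/" treated alike
    s = re.sub(r"/+", "/", s)      # repeated delimiters ignored
    while "/./" in s:              # self-referencing directories
        s = s.replace("/./", "/")
    return s.lower()


def signature_hit(signature, raw):
    """Match a signature written in canonical form against the normalized request."""
    return signature in normalize(raw)


if __name__ == "__main__":
    # Constructed spellings of the same path; all normalize to "/test/app".
    for probe in ["/Test/./App", "\\test\\\\app", "/%2574est/app",
                  "/%C0%A574est/app", "/%u0074est/app"]:
        print(repr(probe), "->", normalize(probe))
```

Bounding the number of decode passes matters: an unbounded "decode until stable" loop is itself a resource-exhaustion target, and a sensor that decodes more layers than the target application does will see a different string than the host, which is the protocol-level misinterpretation problem in another guise. The right depth is whatever the protected application actually applies.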
Table 3-2 Cisco IPS Evasion Tools & Anti-Evasion Features

| Evasion Method | Evasion Tool | Cisco IPS Anti-Evasion Features |
|---|---|---|
| Traffic Fragmentation | Fragroute, fragrouter | Full session reassembly in STRING and SERVICE engines |
| Traffic Substitution and Insertion | Metasploit, Nessus | Data normalization (de-obfuscation) in SERVICE engines |
| Protocol-level Misinterpretation | | IP TTL validation, TCP checksum validation |
| Timing Attacks | Nmap | Configurable intervals and use of CS MARS and similar tools for correlation |
| Encryption and Tunneling | Any encrypted protocol | GRE tunnel inspection |
| Resource Exhaustion | Stick | Smart dynamic event summarization |
Table 3-2 above summarizes the evasion methods, tools, and the corresponding IPS anti-evasion features available on the Cisco IPS sensors. Although they are covered in the table, the anti-evasion features are also described below:
- Smart and dynamic summarization of events to guard against too many alarms for high event rates.
- IP TTL analysis and TCP checksum validation to guard against protocol-level misinterpretation of end-to-end traffic.
- Full session reassembly that supports the STRING and SERVICE engines that must examine a reliable byte stream between two network endpoints.
- Configurable intervals for correlating signatures, or the use of an external correlation that does not require real-time resources, such as Cisco Security MARS.
- Data normalization (de-obfuscation) inside SERVICE engines, where all signatures convert network traffic data into a normalized, canonical form before comparing it with the signature matching rules.
- Inspection of traffic inside GRE tunnels to prevent evasion through tunneling.
We'll discuss the configuration of these features in later chapters.