Hacker "Simple Nomad" showed just how easy it is to hack intrusion detection and intrusion prevention systems yesterday in a briefing at the InfoSec World conference.
First you determine if an IDS/IPS is sitting at the perimeter, and then "fingerprint" it to find out the brand of the device, says the hacker also known as Mark Loveless, security architect for Vernier Networks. By probing the devices, "You can extrapolate what brand of IPS is blocking them and use that to plan your attack."
Different IDS/IPS products block different threats, so an attacker can use those characteristics to gather enough intelligence to pinpoint the brand name, he says. And it's not hard to distinguish an IDS from an IPS: If you can access XYZ before the attack, but not after, it's an IPS. And if there are delays in blocking your traffic, it could be an admin reading the IDS logs, Loveless says.
Loveless pointed to IDS/IPS evasion using an old vulnerability in Windows, "Web hits," which dates back to earlier versions of Microsoft Windows NT and IIS. "It's so old that it's not out there anymore and not supported." Few IPSes block it because it's so dated, he says, so that helps determine which ones you're up against.
"You can tell which ones they are by how they react" to an attack, he says. "Sourcefire's Snort doesn't have a signature for it, but NetSense from Jupiter does."
The trouble with this particular vulnerability was that IDS/IPS signature writers built their detection rules around one exploit of the bug -- namely, that a header value of zero would cause a buffer overflow -- rather than around the actual vulnerability itself. "It wasn't that it had a set value of zero. It was that if the value was smaller than the amount of data you were going to shovel into it," he says.
Loveless changed just one parameter to cause a buffer overflow and to bypass the Snort IDS. "This is more a reflection on who wrote the signature rather than on Snort."
"All it usually takes is changing a couple of these [parameters], and you can bypass most IDS/IPSes," he says. Basically, you use an IDS/IPS against itself by exploiting weaknesses in its signatures (or lack thereof). An attacker can force an IPS to invoke blocking and fall into a denial-of-service trap, and can force a buffer or heap overflow to knock the security tools offline.
How do you protect yourself against such a determined attacker? Besides the obvious -- patch, update, and audit regularly -- Loveless says to ask IDS/IPS vendors if they write their own signatures. If not, do they test them before adding them? Do they detect vulnerabilities or just the exploit? "Vulnerabilities and exploits are two separate things, but the trend is they are most likely looking at the exploit, not the vuln," which limits their effectiveness, he says.
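The difference between a rule modeled on one exploit and a rule modeled on the vulnerability, as an added example that is not from the talk or from any IDS product. The message layout (a 2-byte declared buffer size followed by the payload), the function names and the sample messages are constructed assumptions, not the real protocol.

```python
import struct

# Hypothetical layout: 2-byte big-endian declared buffer size, then the payload.
HEADER = struct.Struct("!H")


def parse(msg: bytes):
    """Return (declared_size, payload), or None if the header is truncated."""
    if len(msg) < HEADER.size:
        return None
    (declared,) = HEADER.unpack_from(msg)
    return declared, msg[HEADER.size:]


def exploit_signature(msg: bytes) -> bool:
    """Rule copied from one known exploit: alert only on a declared size of zero."""
    parsed = parse(msg)
    return parsed is not None and parsed[0] == 0


def vulnerability_check(msg: bytes) -> bool:
    """Rule modeled on the flaw: alert when the declared size is smaller than the data."""
    parsed = parse(msg)
    if parsed is None:
        return True  # design choice: flag a truncated header instead of passing it
    declared, payload = parsed
    return declared < len(payload)


# Constructed sample messages (not captured traffic).
SAMPLES = {
    "benign":          HEADER.pack(16) + b"A" * 8,   # declared size covers the data
    "zero_size":       HEADER.pack(0) + b"A" * 64,   # the case the exploit rule was built on
    "undersized":      HEADER.pack(1) + b"A" * 64,   # same flaw, different header value
    "zero_empty":      HEADER.pack(0),               # zero size, no data: harmless
    "truncated":       b"\x00",                      # header cut short
}


def evaluate():
    """Map each sample name to (exploit_signature result, vulnerability_check result)."""
    return {name: (exploit_signature(m), vulnerability_check(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (sig, vuln) in evaluate().items():
        print(f"{name:12} exploit_rule={sig!s:5} vulnerability_rule={vuln}")
```

The exploit-modeled rule misses the `undersized` message and raises a false alert on `zero_empty`; the vulnerability-modeled rule gets both right.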
Kelly Jackson Higgins, Senior Editor, Dark Reading