|
IDS
mailing list archives
IDS bypassing
From: "Ed3f" <ed3f () overminder com>
Date: Mon, 30 Dec 2002 00:43:43 +0100
******************** SECURITY ALERT ********************
Systems Affected
NAT/PAT/load_balancing/packet_manipulation implementations
Risk
medium
Overview
Multiple vendors' implementations of
NAT/PAT/load_balancing/packet_manipulation
calculate level 4 checksum from scratch.
This could be used by an attacker to bypass or confuse a NIDS with a stream
of packets with a temporary invalid checksum.
Description
Look the scheme:
Evil --[badSYN]--> Router --[badSYN]--> Load_Balancer --[SYN]--> WebServer
| |
NIDS1 NIDS2
NIDS1 will see a TCP SYN with invalid checksum while NIDS2 will see a valid
and modifyed SYN. So the webserver will reply to us with a SYN+ACK, letting
us talk with it while causing a lot of doubts to NIDS1.
A NIDS network or a DIDS could be confused ignoring the packet or
considering
it like two different packets (1 valid, 1 invalid) inexplicably received
only
by one system (NIDS1 receives the invalid SYN, NIDS2 receives the valid
SYN).
The complete study is available at:
http://www.phrack.org/phrack/60/p60-0x0c.txt
Solution
Check the behaviour of every device on your network and eventually update
your NIDS configuration (not) to analyze level 4 checksum.
Apply the patch when available.
****************************** Ed3f
*****************************0x000001*
 By Date 
By Thread
Current thread:
- IDS bypassing Ed3f (Dec 30)
|
Intro
