Vulnerability Development: Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)

Re: [Full-Disclosure] Re: Bypassing "smart" IDSes with misdirected frames? (long and boring)

From: Michal Zalewski <lcamtuf_at_ghettot.org>
Date: Sat, 29 May 2004 00:50:37 +0200 (CEST)

On Fri, 28 May 2004, Mike Frantzen wrote:

> This has been a known attack at least since Ptacek and Newsham's seminal
> paper on IDS evasions.

As far as I can see, they describe an attack where the attacker uses the IDS's
own MAC address to route frames directly to this box; this is usually
prevented (or difficult to carry out) if the listening interface is an
IP-less span port or bridge node, as is the case at almost all times
nowadays.

I describe an attack in which the IDS itself is not targeted, but quite
simply, a different MAC address belonging to an innocent bystander is used
to inject an IP frame that matches an existing connection. This should
fool a "transparent" IDS, based on the assumption that link-layer
information is stripped prior to TCP stream identification, which I expect
is the case with a good deal of IDS systems out there.

So there is a difference that makes the attack IMO a bit more of a
concern in a typical setup, which is still not to say I will lose sleep
over it.

Cheers,

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-05-29 00:44 --
   http://lcamtuf.coredump.cx/photo/current/
Received on May 29 2004
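An added illustration of the check the message implies an IDS would need (example code written for this page, not from the thread or from any IDS project): keep the link-layer addresses alongside the TCP flow state and flag any frame whose source or destination MAC disagrees with what was first seen for the same IP endpoint in that flow. The frames, MACs and addresses below are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class Frame:
    """Fields an IDS would keep from one Ethernet/IP/TCP frame (constructed)."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    sport: int
    dport: int

def flow_key(f: Frame) -> Tuple:
    # Direction-independent 4-tuple so both halves of a connection share state.
    a, b = (f.src_ip, f.sport), (f.dst_ip, f.dport)
    return (a, b) if a <= b else (b, a)

def find_mac_mismatches(frames: List[Frame]) -> List[Tuple[int, str]]:
    """Return (frame index, reason) for frames whose link-layer addresses
    disagree with what was first seen for the same IP endpoint in the same flow.
    State is per flow, not a global IP->MAC table, so routed traffic (where the
    MAC belongs to the gateway) stays consistent with itself."""
    endpoint_mac: Dict[Tuple, Dict[str, str]] = {}
    findings: List[Tuple[int, str]] = []
    for i, f in enumerate(frames):
        seen = endpoint_mac.setdefault(flow_key(f), {})
        for ip, mac, role in ((f.src_ip, f.src_mac, "source"),
                              (f.dst_ip, f.dst_mac, "destination")):
            known = seen.setdefault(ip, mac)
            if known != mac:
                findings.append((i, f"{role} MAC {mac} for {ip} differs from "
                                    f"{known} seen earlier in this flow"))
    return findings

# Constructed sample traffic: a client/server exchange, then a frame carrying
# matching IP/TCP headers but addressed at the link layer to a bystander's MAC.
CLIENT, SERVER, BYSTANDER = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
SAMPLE_FRAMES = [
    Frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.9", 40000, 80),     # client -> server
    Frame(SERVER, CLIENT, "10.0.0.9", "10.0.0.5", 80, 40000),     # server -> client
    Frame(CLIENT, BYSTANDER, "10.0.0.5", "10.0.0.9", 40000, 80),  # misdirected frame
    Frame(CLIENT, SERVER, "10.0.0.5", "10.0.0.9", 40000, 80),     # client -> server
]

if __name__ == "__main__":
    for idx, reason in find_mac_mismatches(SAMPLE_FRAMES):
        print(f"frame {idx}: {reason}")
```

A sensor that drops link-layer fields before stream reassembly cannot make this distinction; the misdirected frame here would update its TCP state while the real endpoint never sees it.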