Firewall Wizards mailing list archives

Re: (no subject)


From: tqbf () secnet com
Date: Fri, 20 Feb 1998 21:52:00 -0600 (CST)

The Firewall Witch on Feb 20 1998:

> completely fake attacks could be presented to an IDS, so the Sysadmin
> will spend time examining vulnerabilities to, and protecting against,
> non-existent attacks.

This has two important implications, one of which fits within the general
point you are making regarding "denial of service attacks against
sysadmins". 

The most obvious problem is that a monitoring system which continuously
emits false positives is useless. Anyone who has spent time as a sysadmin
or network admin knows this. At my previous employer, I had rigged up
Merit RADIUS to "ping" my network of authentication servers, so I would
find out when one crashed and needed to be rebooted. Due to wacky problems
that I never quite tracked down, I got a false alarm from that thing
about 5 times a day, at random intervals, and, as a result, I stopped
waking up at night when my pager went off and told me "RADIUS IS DOWN!". 

The same is true of any kind of alert system, and this is why the false
positive problem in ID systems is really critically important to solve (I
think it's outside the scope of our [SNI's] work). If your ID system
squawks at shadows every (20 + random()) minutes, you will stop paying
attention. At some point, you will not be paying attention when an attacker
really does break in.

Of course, this is exploitable in the same manner as statistical analysis
engines are: over time, a devious attacker can build up a tolerance for
certain alarms in IDS operators, maybe by spending a week or so firing off
false alarms from fake IP addresses to random machines on the
IDS-protected network from cron. The ID system isn't too valuable for that
type of attack anymore; if the admin is going to spend all the time
it takes to investigate every meaningless feint, he might as well spend
the time to close the hole on all his machines. 

Chances are, though, he'll be conditioned to the ID system bleeps just
like I got conditioned to RADIUS alarms, and sleep through the real
attacks. 

The second serious issue here is that the ability to "fake" attacks makes
ID system output drastically less valuable as real evidence of a crime. I
will be happy to be the first expert witness to get up in court and tell a
jury that the IDS logs being presented as evidence in a misuse trial could
just as easily have been forged by the D.A. (or a hacker rival, or
annoying IRC kid, or...) as they could have been generated by the IDS in
response to a real attack.

-----------------------------------------------------------------------------
Thomas H. Ptacek                                        Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf                           "mmm... sacrilicious"

----- End of forwarded message from MAILER-DAEMON () joshua enteract com -----
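The conditioning campaign described in the post (a cron job firing forged attacks from random spoofed sources at random hosts every (20 + random()) minutes) has a recognisable shape in the alert log, and so does the intrusion it is meant to hide. The following is an added example, not code from the post or from SNI: a triage heuristic run over a constructed alert stream. The signature names, the internal host pool, the seeded alert generator and all thresholds are assumptions for illustration.

```python
"""Triage an IDS alert stream for an operator-conditioning campaign.

Added example, not code from the original post.  The alert log is constructed
with a seeded RNG; signature names, host addresses and thresholds are assumed.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import random
import statistics

Alert = namedtuple("Alert", "ts src dst sig")

DECOY_SIG = "PHF-CGI-PROBE"                         # assumed signature name
INTERNAL = [f"192.0.2.{i}" for i in range(1, 21)]   # constructed host pool


def _spoofed_src(rng):
    """Random forged source address; a cron-driven decoy never reuses one."""
    return ".".join(str(rng.randint(1, 223)) for _ in range(4))


def make_alerts(seed=1998, days=7):
    """Constructed log: one decoy campaign, one real intrusion, some noise."""
    rng = random.Random(seed)
    t0 = datetime(1998, 2, 20, 0, 0)
    alerts = []
    # Decoy campaign from cron: spoofed source, random target, every 20-30 min.
    t = t0
    while t < t0 + timedelta(days=days):
        alerts.append(Alert(t, _spoofed_src(rng), rng.choice(INTERNAL), DECOY_SIG))
        t += timedelta(minutes=20 + rng.uniform(0, 10))
    # Real intrusion: one source works a single host through a chain of events.
    t = t0 + timedelta(days=3, hours=2)
    for i, sig in enumerate(["PORTSCAN", "FINGER-QUERY", "IMAP-OVERFLOW", "ROOT-SHELL"]):
        alerts.append(Alert(t + timedelta(minutes=2 * i), "198.51.100.7", "192.0.2.5", sig))
    # Ordinary background: a handful of unrelated scans at random times.
    for _ in range(5):
        ts = t0 + timedelta(minutes=rng.uniform(0, days * 24 * 60))
        alerts.append(Alert(ts, _spoofed_src(rng), rng.choice(INTERNAL), "PORTSCAN"))
    return sorted(alerts)


def signature_stats(alerts):
    """Per signature: volume, source diversity, src/dst pair reuse, cadence."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a.sig].append(a)
    stats = {}
    for sig, group in by_sig.items():
        group.sort(key=lambda a: a.ts)
        n = len(group)
        pairs = [(a.src, a.dst) for a in group]
        gaps = [(b.ts - a.ts).total_seconds() for a, b in zip(group, group[1:])]
        # Coefficient of variation of inter-arrival times: a scheduler is regular.
        cv = statistics.pstdev(gaps) / statistics.mean(gaps) if len(gaps) > 1 else float("inf")
        stats[sig] = {
            "n": n,
            "src_diversity": len({a.src for a in group}) / n,
            "pair_reuse": 1 - len(set(pairs)) / n,
            "cadence_cv": cv,
        }
    return stats


def looks_like_decoy(s, min_alerts=10, min_src_diversity=0.9, max_pair_reuse=0.05, max_cv=0.5):
    """Many alerts, almost every one from a different source, no src/dst pair
    ever hit twice, and a cadence far too regular for a human: a cron job."""
    return (s["n"] >= min_alerts and s["src_diversity"] >= min_src_diversity
            and s["pair_reuse"] <= max_pair_reuse and s["cadence_cv"] <= max_cv)


def escalate_focused(alerts, min_sigs=3):
    """The opposite shape: one source returning to one host with several
    different signatures.  Forged alerts from random addresses never do this."""
    sigs_by_pair = defaultdict(set)
    for a in alerts:
        sigs_by_pair[(a.src, a.dst)].add(a.sig)
    return {pair: sorted(sigs) for pair, sigs in sigs_by_pair.items() if len(sigs) >= min_sigs}


def triage(alerts):
    """Return (signatures that look like decoy campaigns, focused pairs to escalate, stats)."""
    stats = signature_stats(alerts)
    decoys = {sig for sig, s in stats.items() if looks_like_decoy(s)}
    return decoys, escalate_focused(alerts), stats


if __name__ == "__main__":
    decoys, focused, stats = triage(make_alerts())
    for sig, s in stats.items():
        print(f"{sig:16} n={s['n']:4d} src_div={s['src_diversity']:.2f} "
              f"pair_reuse={s['pair_reuse']:.2f} cadence_cv={s['cadence_cv']:.2f}")
    print("decoy campaigns:", decoys)
    print("escalate:", focused)
```

The point is not that these four statistics are hard to evade (an attacker who reads them can vary the cadence or reuse a few sources), but that the operator's attention has to be rationed by something other than raw alert volume, or the conditioning the post describes works exactly as advertised: several hundred decoy alerts against four real ones over the same week.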
