Vulnerability Development mailing list archives

RE: Covert Channels


From: "Dom De Vitto" <dom () DeVitto com>
Date: Fri, 18 Oct 2002 19:48:38 +0100

Hmmm, I found the reference my head had indexed:
<http://www.phrack.com/phrack/57/p57-0x03>

(Volume 0x0b, Issue 0x39, Phile #0x03 / 0x01 )
Subject: NIDS Evasion Method named "SeolMa"

Which was out Aug 11, 2001 (so yes, not cutting edge!)

But thanks for the correction, I just turned 30, so I think that
everything is "cutting edge" nowadays... :-0

Dom 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom () devitto com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: Jeff Nathan [mailto:jeff () wwti com] 
Sent: Friday, October 18, 2002 5:46 PM
To: Dom De Vitto; 'kam'; 'Jeremy Junginger'
Cc: vuln-dev () securityfocus com; pen-test () securityfocus com
Subject: RE: Covert Channels


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

--On Thursday, October 17, 2002 21:02:16 +0100 Dom De Vitto
<dom () DeVitto com> wrote:

[...]

I'd also suggest you check out cutting edge anti-ids techniques, 
including using urgent data points and boundary anomalies to cause 
IDSs to reform data streams differently to OS IP stacks.

[...]

Dom
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto                                       Tel. 07855 805 271
http://www.devitto.com                         mailto:dom () devitto com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I wouldn't want to nit-pick but in the case of stream reassembly evasion
and NIDS evasion in general, those sorts of techniques are at least 4
years old.  In the case of urgent data there still may be some valid
evasion techniques lingering from historical implementations but their
result will largely be an off-by-one in the handling of urgent data for
strictly RFC compliant stacks.

An inline device, of course, doesn't suffer from these issues.  It
simply enforces a policy, including that of dropping packets that aren't
quite right.

-Jeff

--
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE9sDrEEqr8+Gkj0/0RAowAAJ9CMfX/SeafPoLm6r3xpZ+8PC8U3QCgj2ZX
Y2klv4OiOwnejyRyHvk5+4I=
=ZY1H
-----END PGP SIGNATURE-----
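As an added, defender-side example that is not part of this thread: the off-by-one Jeff refers to comes from the two readings of the TCP urgent pointer, RFC 793's "octet following the urgent data" versus the RFC 1122 correction to "last octet of urgent data". The Python below is my own code, not anything from the list or its authors; the `Segment` class, the policy names and the constructed sample payload are assumptions. It computes which byte each reading treats as urgent, what an application reading the in-band stream would see under each, and what a monitoring reassembler should alert on when its policy differs from the host it is protecting.

```python
from dataclasses import dataclass
from typing import Optional

# Two readings of the urgent pointer (offset relative to the segment's SEQ).
RFC793 = "rfc793"    # pointer = offset of the first octet *after* the urgent data
RFC1122 = "rfc1122"  # pointer = offset of the *last* octet of urgent data


@dataclass(frozen=True)
class Segment:
    """Minimal TCP segment view (assumed structure, not a real stack's type)."""
    seq: int
    payload: bytes
    urg: bool = False
    urg_ptr: int = 0  # 16-bit urgent pointer as carried in the header


def urgent_end(seg: Segment, interpretation: str) -> int:
    """Exclusive payload offset where urgent data ends under one interpretation."""
    if not seg.urg:
        return 0
    if interpretation == RFC793:
        end = seg.urg_ptr
    elif interpretation == RFC1122:
        end = seg.urg_ptr + 1
    else:
        raise ValueError(f"unknown interpretation: {interpretation}")
    # Clamp: a pointer past this segment means urgent data continues later.
    return min(max(end, 0), len(seg.payload))


def inline_view(seg: Segment, interpretation: str, drop_urgent_byte: bool) -> bytes:
    """Bytes an application reading the normal (in-band) stream would see.

    drop_urgent_byte models stacks that hand the single 'urgent' byte to the
    application out-of-band and remove it from the in-band stream; other
    stacks leave every byte inline.
    """
    end = urgent_end(seg, interpretation)
    if not seg.urg or end == 0 or not drop_urgent_byte:
        return seg.payload
    # Only the last urgent byte is taken out-of-band; earlier bytes stay inline.
    return seg.payload[: end - 1] + seg.payload[end:]


def ambiguous_offset(seg: Segment) -> Optional[int]:
    """Payload offset whose urgent/non-urgent status differs between the readings."""
    if not seg.urg:
        return None
    a, b = urgent_end(seg, RFC793), urgent_end(seg, RFC1122)
    return None if a == b else a  # byte at `a` is urgent only under RFC 1122


def check_segment(seg: Segment, monitor_policy: str, host_policy: str) -> list[str]:
    """Reassembler-side check: reasons a NIDS should raise an alert on this segment."""
    findings: list[str] = []
    if not seg.urg:
        return findings
    findings.append("URG flag set; urgent data is rare outside legacy protocols")
    off = ambiguous_offset(seg)
    if off is not None and monitor_policy != host_policy:
        findings.append(
            f"urgent-pointer off-by-one: byte {off} is classified differently by "
            f"the monitor ({monitor_policy}) and the host ({host_policy})"
        )
    if seg.urg_ptr > len(seg.payload):
        findings.append("urgent pointer reaches past this segment; carry it across reassembly")
    return findings


if __name__ == "__main__":
    # Constructed sample: URG set, pointer = 3, payload "ABCDEFG".
    sample = Segment(seq=1000, payload=b"ABCDEFG", urg=True, urg_ptr=3)
    for policy in (RFC793, RFC1122):
        print(policy, "urgent bytes:", sample.payload[: urgent_end(sample, policy)],
              "in-band view:", inline_view(sample, policy, drop_urgent_byte=True))
    for finding in check_segment(sample, monitor_policy=RFC793, host_policy=RFC1122):
        print("ALERT:", finding)
```

With the sample segment, the RFC 793 reading takes `C` out of band and the RFC 1122 reading takes `D`, so a monitor and a host that disagree on the reading see two different in-band streams for the same packet. Linux exposes this choice as the `net.ipv4.tcp_stdurg` sysctl (off by default, giving the BSD/RFC 793 behaviour), so a passive NIDS has to either know the protected host's setting or alert on the ambiguity; an inline device, as Jeff notes, can simply refuse to forward the odd segment.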
