IDS weaknesses and limitations



Created: 2002-06-24

Article attribute: original

Article source: Www.cnsafe.net

Submitted by: Mayi (Mayi99_at_263.net)

1 NIDS weaknesses and limitations

A NIDS detects and identifies unauthorized activity or anomalies by capturing packets from the network.

1.1 Network limitations

1.1.1 Switched network environments

Because a shared hub lets any host monitor the whole network, it poses a great threat to network security; consequently networks today, and high-speed networks in particular, basically use switches instead, which makes network monitoring by a NIDS difficult.

1.1.1.1 Listening Port

Better switches now support a listening (mirror) port, and many NIDS are connected to such a port.

Hosts are usually connected to the switch in full duplex, so the bidirectional traffic on a 100MB switch port may reach 200MB, but the listening port can carry at most 100MB, which causes the switch to drop packets.

To save switch ports, one listening port is often configured to mirror several other ports. Under normal traffic the listening port can keep up, but under attack network traffic may rise so that the combined traffic of the mirrored ports exceeds the listening port's upper limit, again causing the switch to drop packets.

When the switch's overall load is large, the listening port cannot keep up with the speed of the other ports, causing packet loss.

Adding listening ports means using more switch ports, which may require purchasing additional switches or even modifying the network structure (for example, a VLAN that was originally on one switch now has to be distributed over two switches).

Switches that support listening are much more expensive than those that do not. Many networks were planned without network monitoring in mind: the switches purchased do not support it, or their mirroring performance is poor, so the switch must be replaced when a NIDS is to be installed.

1.1.1.2 shared HUB

Inserting a shared hub into the cable that needs to be monitored provides the listening function. For a small company, a NIDS placed in this way between the company and the Internet is a relatively inexpensive and simple scheme.

With a hub, the host's network connection drops from full duplex to half duplex, and if data sent by the NIDS itself passes through this hub, the chance of collisions increases further.

1.1.1.3 Cable tap

A special device copies the data directly off the network cable, producing two copies from one cable (one for each direction), which are connected to a switch that supports listening; the NIDS is then connected to that switch. This scheme does not affect the existing network, but it requires an additional switch, is expensive, and faces the same problems as the listening port.

1.1.2 Network Topology Limitation

In a more complex network, by carefully crafting packets, an attacker can make the NIDS receive packets whose content or order differs from what the protected host receives, thereby bypassing the NIDS.

1.1.2.1 Other routes

Because of non-technical factors, there may be other routes that bypass the NIDS and reach protected hosts (for example, a neglected modem with no NIDS next to it).

If the IP source routing option is allowed, the NIDS can be bypassed by carefully designing the IP route.

1.1.2.2 TTL

If the number of hops from the packet's origin to the NIDS differs from the number of hops to the protected host, the TTL value can be set so that a packet is received only by the NIDS or only by the protected host. The packets the NIDS sees then differ from the packets the protected host receives, thereby bypassing NIDS monitoring.
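As an added illustration, not part of the original article, the following Python code shows the sensor-side countermeasure to the TTL problem just described: the sensor keeps the measured number of routers between itself and each protected host, ignores segments whose TTL would expire before delivery, and therefore reassembles the same byte stream the host sees. The host addresses, router counts and captured segments are constructed for the example.

```python
from dataclasses import dataclass

# Constructed: number of routers between the sensor and each protected host
# (in practice measured once from the sensor, e.g. with traceroute, and kept current).
ROUTERS_TO_HOST = {"10.0.0.5": 3, "10.0.0.6": 1}

@dataclass
class Segment:
    dst: str        # protected host address
    ttl: int        # IP TTL as observed by the sensor
    seq: int        # relative TCP sequence number (bytes)
    payload: bytes

def will_reach_host(seg, routers=ROUTERS_TO_HOST):
    """Each router decrements the TTL and discards the packet when it reaches
    zero, so the packet is delivered only if TTL exceeds the router count."""
    distance = routers.get(seg.dst)
    if distance is None:
        return True   # no measurement for this host: keep the data rather than lose it
    return seg.ttl > distance

def reassemble_stream(segments, routers=ROUTERS_TO_HOST, filter_ttl=True):
    """Rebuild one direction of a TCP stream. Segments are applied in arrival
    order and the first copy of a sequence number is kept; with filter_ttl the
    sensor discards segments the host will never receive."""
    data = {}
    for seg in segments:
        if filter_ttl and not will_reach_host(seg, routers):
            continue
        data.setdefault(seg.seq, seg.payload)
    return b"".join(data[s] for s in sorted(data))

# Constructed capture: the second segment's TTL expires in transit (2 routers of
# the 3 on the path), so the host's stream consists of the first and third only.
CAPTURE = [
    Segment("10.0.0.5", 64, 0, b"GET /index"),
    Segment("10.0.0.5", 2, 10, b"XXXX"),
    Segment("10.0.0.5", 64, 10, b".html HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    print(reassemble_stream(CAPTURE))                    # the stream the host sees
    print(reassemble_stream(CAPTURE, filter_ttl=False))  # what a sensor without the check sees
```

The check only works if the router counts are kept accurate; a topology change that is not reflected in the table makes the sensor discard or accept the wrong segments, which is exactly the inconsistency the article warns about.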

1.1.2.3 MTU

If the NIDS's MTU is inconsistent with the protected host's MTU (MTU settings differ among the various protected hosts), an attacker can carefully choose a packet size between the two and mark the packet as not to be fragmented, so that what the NIDS sensor sees differs from what the protected host receives, thereby bypassing NIDS monitoring.

1.1.2.4 TOS

Some network devices act on the TOS option. If the devices on the path to the NIDS treat TOS differently from those on the path to the protected host, carefully setting the TOS option can make the NIDS sensor and the protected host receive packets in different orders, so that the NIDS reassembles the packets differently from the protected host, thereby bypassing NIDS monitoring (especially for UDP packets).

1.2 Detection method limitations

Detection methods commonly used by a NIDS include signature detection, anomaly detection, stateful detection and protocol analysis. Most commercial intrusion detection systems combine several of these methods.

A NIDS cannot handle encrypted data. If the data is encrypted in transit, even by a simple substitution, the NIDS has difficulty with it; for example, using SSH, HTTPS or password-protected compressed files can effectively defeat NIDS detection.

A NIDS has difficulty detecting replay attacks and man-in-the-middle attacks, and is powerless against network sniffers.

The current NIDS is also difficult to effectively detect DDoS attacks.

1.2.1 System implementation limitations

Because the operating systems and programs a NIDS protects are so varied, even implementations of the same protocol differ. An intruder may exploit these differences to gather information about a system (for example, nmap identifies the operating system by TCP/IP fingerprinting) or to choose an attack. Since the NIDS does not account well for these differences between systems, it may be bypassed.

1.2.2 Limitations of anomaly detection

Anomaly detection is usually performed by statistical methods.

Anomaly detection requires a large number of original audit records, and a purely statistical intrusion detection system ignores intrusions that show no statistical regularity in the audit records, even if they have obvious characteristics.

A statistical method can be trained to accommodate an intrusion pattern. When intruders know their activities are being monitored, they can study the statistical method used by the intrusion detection system and generate audit events that stay within the system's normal range, gradually training it so that the corresponding activity profile drifts away from normal; eventually the system treats the intrusion as a normal event.

Application systems keep increasing in number, the activities of many subjects are hard to capture in simple statistical models, and complex statistical models cannot meet real-time detection requirements because of the computation involved.

Thresholds in statistical methods are hard to determine effectively: too small a value generates a large number of false positives, too large a value generates a large number of false negatives. For example, if the system is configured to treat 200 half-open TCP connections per second as SYN flooding, an intruder who establishes 199 half-open connections per second will not be considered an attack.

1.2.2.1 Slow Scan

Anomaly detection is often used to detect port scans and DoS attacks. A NIDS keeps its traffic records only for a limited time window; if the interval between probes exceeds this window, the NIDS will ignore the scan.

Although the window can be configured to be very long, the longer it is, the more system resources are required, and the greater the possibility of a DoS attack against the NIDS itself.
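The following Python code is an added example (not from the original article) of the window-and-threshold logic behind the two limitations above, the fixed threshold of 1.2.2 and the slow scan of 1.2.2.1, run over constructed probe sequences: the same 20-port probe from one source is flagged at a 1-second interval but not at a 10-second interval with a 60-second window, and the peak state count returned alongside the alerts shows why a longer window costs memory. The source addresses, window lengths and threshold are assumptions made for the example.

```python
from collections import defaultdict, deque

def scan_alerts(events, window, min_ports):
    """events: (timestamp, src, dst_port) tuples sorted by timestamp.
    A source is flagged when it touched at least `min_ports` distinct ports
    within the last `window` seconds. Returns (flagged_sources, peak_state),
    where peak_state is the largest number of events held in memory at once."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, port) inside the window
    flagged = set()
    peak_state = 0
    for t, src, port in events:
        q = recent[src]
        q.append((t, port))
        while q and t - q[0][0] > window:   # expire probes older than the window
            q.popleft()
        if len({p for _, p in q}) >= min_ports:
            flagged.add(src)
        peak_state = max(peak_state, sum(len(d) for d in recent.values()))
    return flagged, peak_state

def probe_sequence(src, interval, ports):
    """Constructed probe log: one port every `interval` seconds from `src`."""
    return [(i * interval, src, p) for i, p in enumerate(ports)]

# Constructed inputs: identical 20-port probes, differing only in pacing.
FAST_SCAN = probe_sequence("198.51.100.7", 1.0, range(1, 21))
SLOW_SCAN = probe_sequence("198.51.100.8", 10.0, range(1, 21))

if __name__ == "__main__":
    print(scan_alerts(FAST_SCAN, window=60, min_ports=10))   # flagged, 20 events held
    print(scan_alerts(SLOW_SCAN, window=60, min_ports=10))   # not flagged, 7 events held
    print(scan_alerts(SLOW_SCAN, window=600, min_ports=10))  # flagged, 20 events held
```

With a 60-second window the slow probe never has more than 7 ports in view, one short of nothing but well below the threshold of 10, so it passes; widening the window to 600 seconds catches it but multiplies the events the sensor must retain, which is the resource trade-off the article describes.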

1.2.3 Limitations of signature detection

Updates to detection rules always lag behind new attack methods. In practice, a new vulnerability is published on the Internet one day and attack methods and code may appear the next, but the corresponding detection rules take several more days to work out. Between the discovery of a new intrusion method and users upgrading their rule base / knowledge base, the intruder has ample time to break in.

Many published attacks have no corresponding detection rules, or the rules produce a very high false-alarm rate. More and more hackers now tend not to publish the vulnerabilities they find, which makes it difficult to summarize the characteristics of those attacks. At present, new rules are mainly written by volunteers or manufacturers and downloaded by users; user-defined rules are actually rare. This is convenient for intruders: they can examine all the rules and then use means that will not be detected, greatly reducing the probability of being discovered by the NIDS.

The rules summarized so far mainly target hacking tools or methods published on the network, but many hackers publish source code, and many intruders can make simple modifications to that source (hackers often modify Trojan horse code, for example) to produce a variant of the attack method and bypass the NIDS.

1.2.4 Protocol limitations

For application-layer protocols, a general NIDS handles only the commonly used ones such as HTTP, FTP and SMTP; many protocols are not processed, nor is it feasible to handle all of them. Attacks that directly target some special protocol or a user-defined protocol can bypass the NIDS's checks.

1.2.5 Intrusion variant

1.2.5.1 HTTP attack variant

Duplicate directory separators: '/' becomes '//'.

Current-directory reference: '/cgi-bin/phf' becomes '/cgi-bin/./phf'.

Parent-directory reference: '/cgi-bin/phf' becomes '/cgi-bin/xxx/../phf'.

URL encoding: '/cgi-bin/' becomes '%2fcgi-bin/'.

Using other separators such as Tab instead of spaces.

NULL method: 'get%00 /cgi-bin/phf'.

Methods other than GET, such as POST.

Changing the parameter order and adding useless parameters.

For IIS, the following methods are also available:

DOS/Windows directory separators: '/winnt/system32/cmd.exe' becomes '\winnt\system32\cmd.exe'.

Case conversion, such as cmd.exe becoming CMD.EXE.

IIS double decoding, such as cmd.exe becoming %2563md.exe: %25 decodes to '%', and then %63 decodes to 'c'.

Unicode encoding, such as cmd.exe becoming %C0%63md.exe. Since Unicode encoding is relatively complicated, only a very small number of NIDS can decode it.
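An added Python example, not from the article, of the normalization a NIDS has to perform before matching HTTP signatures against the variants listed above: it accepts tab separators, collapses duplicate and DOS-style separators, resolves './' and 'xxx/../', percent-decodes twice so that IIS double decoding (%2563) is undone, strips NUL bytes, lowercases the path, and flags percent-encoded bytes that are not valid UTF-8 (the %C0%63 form above). The two signature paths and all request lines are constructed for the example.

```python
import posixpath
import re
import urllib.parse

# Constructed signature list: canonical paths the sensor wants to match.
SIGNATURE_PATHS = {"/cgi-bin/phf", "/winnt/system32/cmd.exe"}

def decode_layers(text, passes=2):
    """Percent-decode up to `passes` times. A second pass that still changes the
    text means double encoding (%2563 -> %63 -> 'c'). Bytes that are not valid
    UTF-8 (for example an overlong sequence) are flagged and decoded as latin-1."""
    flags = set()
    current = text
    for i in range(passes):
        try:
            nxt = urllib.parse.unquote(current, errors="strict")
        except UnicodeDecodeError:
            flags.add("invalid-utf8")
            nxt = urllib.parse.unquote_to_bytes(current).decode("latin-1")
        if nxt == current:
            break
        if i > 0:
            flags.add("double-encoded")
        current = nxt
    return current, flags

def normalize_request_line(line):
    """Return (METHOD, canonical path, flags) for one HTTP request line."""
    parts = re.split(r"[ \t]+", line.strip())       # tabs accepted as separators
    if len(parts) < 2:
        return None
    method, flags = decode_layers(parts[0], passes=1)
    path, path_flags = decode_layers(parts[1].split("?", 1)[0])   # drop query parameters
    flags |= path_flags
    if "\x00" in method or "\x00" in path:
        flags.add("nul-byte")
        method, path = method.replace("\x00", ""), path.replace("\x00", "")
    path = re.sub(r"/+", "/", path.replace("\\", "/"))   # DOS separators and '//'
    path = posixpath.normpath(path)                      # './' and 'xxx/../'
    return method.upper(), path.lower(), flags           # lowercase: IIS paths are case-insensitive

def match_signature(line):
    """True when the canonical path is a signature, or the request used an
    obfuscation that a signature match alone could not see through."""
    parsed = normalize_request_line(line)
    if parsed is None:
        return False
    _, path, flags = parsed
    return path in SIGNATURE_PATHS or bool(flags)

# Constructed request lines covering the variants listed in the article.
VARIANTS = [
    "GET //cgi-bin//phf HTTP/1.0",
    "GET /cgi-bin/./phf HTTP/1.0",
    "GET /cgi-bin/xxx/../phf HTTP/1.0",
    "GET %2fcgi-bin/phf HTTP/1.0",
    "GET\t/cgi-bin/phf\tHTTP/1.0",
    "get%00 /cgi-bin/phf HTTP/1.0",
    "POST /cgi-bin/phf?junk=1&x=2 HTTP/1.0",
    "GET /winnt\\system32\\CMD.EXE HTTP/1.0",
    "GET /winnt/system32/%2563md.exe HTTP/1.0",
    "GET /winnt/system32/%C0%63md.exe HTTP/1.0",
]

if __name__ == "__main__":
    for line in VARIANTS:
        print(match_signature(line), normalize_request_line(line))
```

Lowercasing is correct only for case-insensitive targets such as IIS; a sensor in front of a Unix web server should keep case, which is one more instance of the article's point that the sensor must mirror the protected host's behaviour.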

1.2.5.2 Telnet attack variant

Using the backspace key.

Using the Tab key to complete a command.

Using the shell to execute the attack code.

Macros.

Adding useless parameters.

In fact, a NIDS has difficulty detecting local attacks launched on the server through a Telnet connection.

1.2.6 TCP/IP protocol limitations

Because security was not considered in the design of TCP/IP, the security of today's IPv4 is worrying. Besides the problems caused by network structure, there are the following limitations.

1.2.6.1 IP fragmentation

By fragmenting packets, an attacker can bypass a NIDS that cannot reassemble IP fragments, or can exceed the NIDS's processing capacity and bypass it that way.

An IP datagram has at most 8192 fragments, and one NIDS performance parameter is the maximum number of IP fragments it can reassemble.

Each time the NIDS receives a fragment of a new IP datagram, it starts a fragment reassembly process, which is closed when reassembly completes or times out (generally 15 seconds). Another NIDS performance parameter is therefore the number of IP datagrams that can be reassembled at the same time.

An IP datagram is at most 64K. To reassemble an IP datagram, the NIDS must set aside enough memory to hold the fragments still to come, so a further NIDS performance parameter is the maximum length of an IP datagram that can be reassembled. Taken together, the three parameters above bound how many datagrams of the maximum size (for example 64K) the NIDS can reassemble simultaneously within the timeout (for example 15 seconds).

If the fragments the NIDS receives exceed the limits described above, the NIDS has to drop packets, and a DoS attack results.

1.2.6.2 IP overlapping fragments

When reassembling a fragmented IP packet, if overlapping fragments are encountered, each operating system handles them differently: some keep the first received fragment (Windows and Solaris), others the later received fragment (BSD and Linux). If the data in the overlapping fragments differs, and the NIDS's policy differs from the protected host's, the packet reassembled by the NIDS is inconsistent with the one the protected host receives, thereby bypassing NIDS detection.

For example, overlapping the TCP or UDP destination port can get through current firewalls and may bypass the NIDS.

The TCP flags can also be overlapped, so that the NIDS does not correctly see the TCP FIN packet and quickly reaches the upper limit of TCP connections it can monitor simultaneously, or so that the NIDS does not see the TCP SYN packet and therefore never monitors the corresponding TCP connection.
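An added Python example, not from the article, that reassembles a datagram from constructed overlapping fragments under the two policies described above (first received wins, which the article attributes to Windows and Solaris; last received wins, which it attributes to BSD and Linux) and shows the destination-port field coming out differently under each. The overlaps_conflict function is the sensor-side mitigation: alert whenever overlapping fragments disagree, whatever policy the target host uses. The OS-to-policy table and the fragments are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset within the datagram (real IP offsets are in 8-byte units)
    data: bytes

# Constructed mapping of the reassembly policies as the article states them.
POLICY_BY_OS = {"windows": "first", "solaris": "first", "bsd": "last", "linux": "last"}

def reassemble_datagram(fragments, policy="first"):
    """Apply fragments in arrival order. 'first': a byte already placed is kept;
    'last': a later fragment overwrites it. Returns None if a gap remains."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "first":
                buf.setdefault(pos, byte)
            else:
                buf[pos] = byte
    size = len(buf)
    if set(buf) != set(range(size)):
        return None
    return bytes(buf[i] for i in range(size))

def reassemble_for_host(fragments, host_os):
    """Reassemble the way the named protected host would."""
    return reassemble_datagram(fragments, POLICY_BY_OS[host_os.lower()])

def overlaps_conflict(fragments):
    """Sensor-side check: True if two fragments cover the same byte with
    different data, i.e. the datagram is ambiguous and deserves an alert."""
    seen = {}
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            if seen.setdefault(frag.offset + i, byte) != byte:
                return True
    return False

# Constructed fragments: the second overlaps the last three bytes of the first
# and carries a different port value there.
FRAGMENTS = [Fragment(0, b"port=80 "), Fragment(5, b"23 ")]

if __name__ == "__main__":
    for host in ("Windows", "Linux"):
        print(host, reassemble_for_host(FRAGMENTS, host))
    print("ambiguous:", overlaps_conflict(FRAGMENTS))
```

A sensor that inspects only its own reassembly can be right for one class of hosts and wrong for the other; flagging the conflict itself avoids having to guess which policy applies.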

1.2.6.3 TCP segmentation

If the NIDS cannot perform TCP stream reassembly, it can be bypassed through TCP segmentation.

Some abnormal TCP segments will confuse some NIDS.

1.2.6.4 TCP UN-SYNC

Sending erroneous TCP segments, repeated sequence numbers, segments in reversed order and the like may bypass the NIDS.

1.2.6.5 OOB

The attacker sends OOB data. If the application on the protected host can process OOB data, the NIDS may be bypassed, because it cannot accurately predict what normal data will be in the buffer when the protected host receives the OOB data.

Some systems discard the first byte of data when processing OOB (Apache under Linux does, for example, but IIS does not). By sending several TCP segments, some of them carrying the OOB (urgent) flag, the attacker can make the NIDS's stream reassembly inconsistent with the application on the protected host, thereby bypassing the NIDS.

1.2.6.6 T/TCP

If the target host supports transaction TCP (T/TCP, currently rarely supported), the attacker can send a T/TCP transaction; the NIDS may not process it the same way the application on the host does, which may bypass the NIDS.

1.3 Resource and processing power limitations

1.3.1 DoS attacks against the NIDS

1.3.1.1 Large traffic flood

The attacker sends a large amount of data to the protected network, exceeding the NIDS's processing capability; packets are lost, and intrusions may be missed.

The NIDS's packet capture capability depends on many factors. For example, with 1500-byte packets a NIDS can exceed 100Mb/s and even 500MB/s of processing capacity, but if each packet is only 50 bytes, 100Mb/s of traffic means 2000000 packets/s, which exceeds the capacity of most network cards and switches.

1.3.1.2 IP fragment attack

The attacker sends a large number of IP fragments (a Targa3 attack, for example) to the protected network, exceeding the number of datagrams the NIDS can reassemble at the same time, so that attacks using IP fragmentation get through.

1.3.1.3 TCP connect flooding

The attacker creates or simulates a large number of TCP connections (which can be faked with the IP overlap method described above), exceeding the upper limit of TCP connections the NIDS can monitor simultaneously, so that the excess TCP connections cannot be monitored.

1.3.1.4 Alert Flooding

Attackers can consult the detection rules published on the network and, while attacking, deliberately send large amounts of data that trigger NIDS alarms (the Stick attack, for example). This may exceed the rate at which the NIDS can send alarms, so that alarms are dropped, and it floods the network administrator with so many alarms that the real attack is hard to distinguish.

If 100 bytes are enough to generate one alarm, 50 alarms per second can be generated over a dial-up connection, and 10,000 alarms per second on a 10M LAN.

1.3.1.5 Log flooding

The attacker sends large amounts of data that trigger NIDS alarms, eventually exhausting the NIDS's log space so that earlier log records are deleted.

1.3.2 Memory and hard disk restrictions

If a NIDS is to increase the number of IP fragment reassemblies and TCP connections it can handle simultaneously, it needs more memory for buffers. If the NIDS's memory allocation and management are poor, the system may consume a great deal of memory in certain special cases, and once it starts using virtual memory, memory thrashing sets in.

Usually the speed of the hard disk is far below the speed of the network. If the system writes a large number of alarm records to disk, much of its processing power is consumed; if it records raw network data, saving the large volume of high-speed network data requires an expensive large-capacity RAID.

1.4 Vulnerability of NIDS-related systems

A NIDS itself should be reasonably secure: the listening NIC generally has no IP address, and the other NICs open no ports. But the systems related to the NIDS may be attacked.

1.4.1 Security Vulnerability of Console Host

Some systems have a separate console. If the attacker can control the host on which the console runs, the entire NIDS system can be controlled.

1.4.2 Vulnerability of Sensor and Console Communication

If the attacker can successfully attack the communication between the sensor and the console, for example with ARP spoofing or SYN flooding, the system's normal operation is affected.

If the communication between the sensor and the console is in plaintext or only simply encrypted, it may be subject to IP spoofing or replay attacks.

1.4.3 Vulnerability of other devices involved in system alarms and their communication

If the attacker can successfully attack other devices involved in system alarms, such as the mail server, the delivery of alarm messages is affected.

2 HIDS weaknesses and limitations

2.1 Resource Limitations

Since a HIDS is installed on the host, it must not consume too many resources, which greatly limits its detection methods and processing performance.

2.2 Operating System Limitations

Unlike a NIDS, for which the manufacturer can customize a sufficiently secure operating system to ensure the NIDS's own security, a HIDS's security is limited by the security of its host's operating system; if the system is compromised, the HIDS is quickly removed. If the HIDS is a standalone machine, it can only detect unsuccessful attacks. If the HIDS uses a sensor/console structure, it faces the same attacks on related systems as a NIDS.

Some HIDS try to increase the security of the operating system (LIDS, for example).

2.3 System log restrictions

A HIDS discovers suspicious behaviour by monitoring system logs, but some programs' logs are not sufficiently detailed, or there is no log at all, and some intrusion behaviour is never recorded in the system log.

If the system has no third-party log system, its own logs will soon be deleted or modified by the intruder after a successful attack, while intrusion detection systems typically do not support third-party log systems.

If the HIDS does not check the system log in real time, an attack using automated tools may well complete all its steps within the detection interval and clear the traces it left in the system log.

2.4 A modified system kernel can cheat the HIDS

If the intruder modifies the system kernel, tools based on file integrity checking can be deceived. This is like certain viruses that present the original file or data to an inspection or tracing tool whenever they detect that they are being checked or traced.

2.5 Network Detection Limitations

Some HIDS can examine the network state, but then they face many of the same problems as a NIDS.

ID: MAYI

QQ: 711705

MSN: cnsafe@msn.com

Homepage: Www.mayia.com, Www.cnsafe.net
