(Reprint) Understanding IDS's active response mechanism

xiaoxiao2021-03-06  14

Understanding IDS active response mechanism

Release Date: 2002-02-26

Abstract:

Flow cloud

LinuxAid Forum

Among developers, the debate over "what is the most effective way to detect attacks?" is still fierce, but IDS users are not yet satisfied with current IDS technology, so, to gain a competitive edge, many IDS vendors have added active response to their products. The idea behind this feature is that the IDS detects an attacker's behaviour and then stops the attacker from continuing the attack. The problem is that an attacker with only a little TCP/IP knowledge can easily defeat these response mechanisms, or even turn them against the network to disrupt its normal operation, at which point the administrator has to switch the functions off. Understanding the limitations of active response will help administrators who are inclined to trust the product vendors' claims. Most response mechanisms take one of the following two forms:

1. Blocking session

2. Firewall linkage

1. The "Blocking Session" mechanism

Blocking sessions is so far the most common approach among IDS vendors. It is popular because it needs no support from external devices (such as firewalls) and is easy to implement. The mechanism itself is very simple. Below we analyse it step by step and show how it can be bypassed; I hope my evaluation does not offend the manufacturers.

Below we use the IIS Unicode directory traversal attack as an example to explain this mechanism. The attacker issues the following request. The request is 51 bytes long, and these 51 bytes are split into fragmented IP packets, each carrying 20 bytes of data, as shown below:

Data: /scripts/..
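The reason fragmentation matters to a session-blocking IDS is that a detector which inspects each IP fragment on its own never sees a signature that straddles a fragment boundary, so it never triggers the reset. The following Python is an added example, not code from the original article: it splits a constructed request into 20-byte fragments (the article's fragment size) and compares a per-fragment matcher with one that reassembles the datagram first. The request string, the signature and the function names are assumptions for the demonstration; the article's own 51-byte request is truncated on the page and is not reproduced here.

```python
"""
Added example (not from the original article): why an IDS that matches
signatures per IP fragment misses a boundary-spanning signature, and why
reassembling before matching closes that gap.
"""
from typing import List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset within the original datagram, payload)

# Constructed sample request in the article's attack class (IIS Unicode
# traversal). It is NOT the 51-byte request shown on the page.
SAMPLE_REQUEST = b"GET /scripts/..%c0%af../example/path HTTP/1.0\r\n"
# Signature the IDS looks for: the overlong UTF-8 encoding of '/' after '..'.
SIGNATURE = b"..%c0%af"
FRAGMENT_SIZE = 20  # fragment payload size used in the article


def fragment(payload: bytes, size: int) -> List[Fragment]:
    """Split payload into fixed-size pieces tagged with their byte offset,
    mimicking how one IP datagram is carried as several fragments."""
    if size <= 0:
        raise ValueError("fragment size must be positive")
    return [(off, payload[off:off + size]) for off in range(0, len(payload), size)]


def match_per_fragment(fragments: List[Fragment], signature: bytes) -> bool:
    """Naive IDS: inspects each fragment in isolation, so a signature that
    crosses a fragment boundary is never seen as one contiguous string."""
    return any(signature in chunk for _, chunk in fragments)


def reassemble(fragments: List[Fragment]) -> bytes:
    """Rebuild the datagram from fragments that may arrive in any order.
    Overlaps and interior holes raise instead of being silently guessed."""
    if not fragments:
        return b""
    total = max(off + len(chunk) for off, chunk in fragments)
    buf = bytearray(total)
    seen = bytearray(total)  # 1 where a byte has already been filled
    for off, chunk in sorted(fragments):
        for i, byte in enumerate(chunk):
            if seen[off + i]:
                raise ValueError(f"overlapping fragment at offset {off + i}")
            buf[off + i] = byte
            seen[off + i] = 1
    if not all(seen):
        raise ValueError("incomplete datagram: hole in fragment set")
    return bytes(buf)


def match_reassembled(fragments: List[Fragment], signature: bytes) -> bool:
    """IDS that reassembles first, then matches on the whole datagram."""
    return signature in reassemble(fragments)


def compare(payload: bytes, signature: bytes, size: int) -> dict:
    """Run both detectors over the fragmented payload and report the outcome."""
    frags = fragment(payload, size)
    return {
        "fragments": len(frags),
        "per_fragment_hit": match_per_fragment(frags, signature),
        "reassembled_hit": match_reassembled(frags, signature),
    }


if __name__ == "__main__":
    # With 20-byte fragments the signature spans fragments 0 and 1, so the
    # per-fragment detector misses it while the reassembling one catches it.
    print(compare(SAMPLE_REQUEST, SIGNATURE, FRAGMENT_SIZE))
```

The design point for a defender is that any response that depends on matching must run after full IP (and TCP stream) reassembly; otherwise the reset or firewall rule is simply never issued for traffic the attacker has chosen to split.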

Please credit the original address when reposting: https://www.9cbs.com/read-67644.html
