IDS, Firewalls & Honeypots
Intrusion Detection System
An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activity or policy violations and produces reports to a management station. IDS come in a variety of “flavours” and approach the goal of detecting suspicious traffic in different ways. There are network-based (NIDS) and host-based (HIDS) intrusion detection systems. NIDS is a network security system focusing on the attacks that come from the inside of the network (authorised users). When NIDS designs are classified by their interactivity with the system, there are two types: on-line and off-line NIDS. On-line NIDS deals with the network in real time: it analyses Ethernet packets and applies rules to them to decide whether they constitute an attack. Off-line NIDS deals with stored data and passes it through some process to decide whether it represents an attack.
Some systems may attempt to stop an intrusion attempt, but this is neither required nor expected of a monitoring system. Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts. In addition, organisations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats and deterring individuals from violating security policies. IDPSes have become a necessary addition to the security infrastructure of nearly every organisation.
Evasion techniques
There are a number of techniques which attackers use; the following are considered ‘simple’ measures which can be taken to evade an IDS:
- Fragmentation: by sending fragmented packets, the attacker stays under the radar and can easily bypass the detection system's ability to detect the attack signature.
- Avoiding defaults: the TCP port utilised by a protocol does not always provide an indication of the protocol which is being transported. For example, an IDS may expect to detect a trojan on port 12345. If an attacker had reconfigured it to use a different port, the IDS may not be able to detect the presence of the trojan.
- Coordinated, low-bandwidth attacks: coordinating a scan among numerous attackers (or agents) and allocating different ports or hosts to different attackers makes it difficult for the IDS to correlate the captured packets and deduce that a network scan is in progress.
Insertion Attack
- An IDS blindly believes and accepts a packet that the end system rejects.
- This attack occurs when the NIDS is less strict than the end system in processing packets.
- As a result, the IDS sees more packets than the destination does.
Obfuscating
- An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target understands but the IDS does not.
- Attackers manipulate the path referenced in the signature to fool the HIDS.
Session Splicing
A technique used to bypass an IDS, in which an attacker splits the attack across several packets so that no single packet triggers the IDS.
Unicode Evasion Technique
Unicode is a character coding system that supports the worldwide interchange, processing and display of written text. An IDS that matches signatures against the raw bytes can be evaded when the same characters are sent in an alternative encoding that the target decodes but the IDS does not.
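As an added example (not code from the original post) covering both the obfuscation and the Unicode evasion items above, the following normaliser decodes percent-, double-, %u- and overlong-UTF-8 encodings before applying a signature, so that the sensor sees the same bytes the target will. The `../` traversal signature and the sample URIs are constructed for illustration.

```python
import re
import urllib.parse

# Constructed traversal signature: matches "../" once the URI is in canonical form.
TRAVERSAL_SIG = re.compile(r"\.\./")

def _decode_overlong_utf8(data: bytes) -> bytes:
    """Map two-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII code point it
    encodes; strict decoders reject it, but a permissive target may accept it."""
    out, i = bytearray(), 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)

def normalize_uri(raw: bytes, max_rounds: int = 3) -> str:
    """Canonicalise a URI before matching: IIS-style %uXXXX, percent-encoding
    (repeated, to catch double encoding), overlong UTF-8 and backslashes are all
    reduced to one form.  The round limit stops a pathological input looping."""
    cur = raw
    for _ in range(max_rounds):
        step = re.sub(rb"%u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)).encode("utf-8"), cur)
        step = _decode_overlong_utf8(urllib.parse.unquote_to_bytes(step))
        if step == cur:
            break
        cur = step
    return cur.decode("utf-8", errors="replace").replace("\\", "/")

def naive_match(uri: bytes) -> bool:
    """Byte-for-byte check on the raw URI: the matcher an encoded payload evades."""
    return TRAVERSAL_SIG.search(uri.decode("latin-1")) is not None

def normalized_match(uri: bytes) -> bool:
    """The same signature applied after normalisation."""
    return TRAVERSAL_SIG.search(normalize_uri(uri)) is not None

# Constructed sample URIs: one traversal in plain, percent-, double-, overlong-UTF-8
# and %u-encoded forms.  Only the first is caught by naive_match; all by normalized_match.
SAMPLES = [b"/a/../etc/passwd", b"/a/%2e%2e/etc/passwd", b"/a/%252e%252e/etc/passwd",
           b"/a/%c0%ae%c0%ae/etc/passwd", b"/a/%u002e%u002e/etc/passwd"]

if __name__ == "__main__":
    for uri in SAMPLES:
        print(uri.decode(), naive_match(uri), normalized_match(uri))
```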
Overlapping Fragments
An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap, so that the sensor and the end host may reassemble the stream differently.
Time To Live Attacks
These attacks require the attacker to have prior knowledge of the topology of the victim network.
This information can be obtained using tools such as traceroute, which gives the number of router hops between the attacker and the victim.
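The fragmentation, session splicing, overlapping fragments and time-to-live items above all come down to one sensor-side question: does the IDS rebuild the stream the way the end host will? The following is an added example (not from the original post) of a minimal reassembler that matches only after reassembly, applies a configurable overlap policy, and drops segments whose TTL could not reach a host a known number of hops away. `Segment`, the `GET /admin` signature and the three sample streams are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int     # relative TCP sequence number of the first payload byte
    ttl: int     # IP TTL as observed at the sensor
    data: bytes

# Constructed signature string (not a real rule).
SIGNATURE = b"GET /admin"

def per_packet_match(segments, sig=SIGNATURE):
    """Naive sensor: inspects each payload on its own, so a signature spread
    across packets (session splicing) is never seen whole."""
    return any(sig in s.data for s in segments)

def reassemble(segments, hops_to_target=None, policy="first"):
    """Rebuild the byte stream as the end host would see it.
    hops_to_target: if known (e.g. from traceroute), segments whose TTL cannot
    reach the host are discarded, so low-TTL insertions never enter the stream.
    policy: on overlapping ranges, 'first' keeps the byte that arrived first and
    'last' lets the later segment overwrite it.  Which is right depends on the
    target's TCP/IP stack, so the sensor has to be told."""
    stream = {}
    for seg in segments:
        if hops_to_target is not None and seg.ttl < hops_to_target:
            continue
        for off, byte in enumerate(seg.data):
            pos = seg.seq + off
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    return bytes(stream.get(p, 0) for p in range(min(stream), max(stream) + 1))

def stream_match(segments, hops_to_target=None, policy="first", sig=SIGNATURE):
    """Sensor that reassembles before matching."""
    return sig in reassemble(segments, hops_to_target, policy)

# Constructed sample streams (not captured traffic).
SPLICED = [Segment(0, 64, b"GE"), Segment(2, 64, b"T /ad"), Segment(7, 64, b"min")]
OVERLAP = [Segment(0, 64, b"GET /index"), Segment(5, 64, b"admin")]
LOW_TTL = [Segment(0, 64, b"GET /"), Segment(5, 2, b"index"), Segment(5, 64, b"admin")]

if __name__ == "__main__":
    print(per_packet_match(SPLICED), stream_match(SPLICED))  # False True
    print(reassemble(OVERLAP, policy="first"), reassemble(OVERLAP, policy="last"))
    print(reassemble(LOW_TTL), reassemble(LOW_TTL, hops_to_target=5))
```

With no topology knowledge the `LOW_TTL` stream reassembles to `GET /index` under the 'first' policy, which is exactly the blind spot the time-to-live section describes; supplying the hop count closes it.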
Thank you for visiting Afridi's Technoworld