Evasion (network security)
Evasion is a term used to describe techniques of bypassing an information security device in order to deliver an exploit, attack or other malware to a target network or system without detection. Evasions are typically used to counter network-based intrusion detection and prevention systems (IDS, IPS) but can also be used to bypass firewalls. A further goal of an evasion can be to crash a network security device, rendering it ineffective against subsequent targeted attacks.
Evasions can be particularly nasty because a well-planned and implemented evasion can enable full sessions to be carried in packets that evade an IDS. Attacks carried in such sessions happen right under the nose of the network and service administrators.
The security systems are rendered ineffective against well-designed evasion techniques, in the same way a stealth fighter can attack without detection by radar and other defensive systems.
A good analogy for evasions is a system designed to recognize keywords in speech on a phone system, such as "break into system X". A simple evasion would be to use a language other than English which both parties still understand, ideally a language that as few other people as possible can speak.
Various advanced and targeted evasion attacks have been known since the mid-1990s:
- A seminal text describing attacks against IDS systems appeared in 1997.
- One of the first comprehensive descriptions of such attacks was reported by Ptacek and Newsham in a technical report in 1998.
- Also in 1998, an article in Phrack Magazine described ways to bypass network intrusion detection.
The 1997 article mostly discusses various shell-scripting and character-based tricks to fool an IDS. The Phrack Magazine article and the technical report by Ptacek et al. discuss TCP/IP protocol exploits, evasions and related techniques. More recent discussions of evasions include the report by Kevin Timm.
The challenge in protecting servers from evasions is to model the end-host behaviour at the network security device, i.e., the device should know how the target host would interpret the traffic and whether it would be harmful. A key solution for protecting against evasions is traffic normalization at the IDS/IPS device.
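The following is an added example, not code from the original article, showing why normalization and end-host modelling matter: a minimal TCP stream normalizer resolves overlapping segments with one explicit, host-consistent policy and reports every byte-level conflict, so a signature is matched against a single, consistent view of the stream. The segment data, the `/cgi-bin/` signature and the function names are constructed for illustration.

```python
# Added example (not from the original article): a minimal TCP stream
# normalizer in the spirit of Ptacek & Newsham. Overlapping segments are
# resolved with ONE explicit policy and every byte-level conflict is reported,
# so signatures are matched on a single, consistent view of the stream.

def normalize_stream(segments, policy="first"):
    """segments: iterable of (relative_seq, payload) pairs.
    Returns (normalized_bytes, conflicts); conflicts lists (offset, old, new)
    for each byte where two segments disagree. 'first' keeps the earlier
    segment's byte (classic BSD-style behaviour), 'last' keeps the newer."""
    stream, conflicts = {}, []
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if off not in stream:
                stream[off] = b
            elif stream[off] != b:
                conflicts.append((off, stream[off], b))
                if policy == "last":
                    stream[off] = b
    data = bytearray()
    for off in range(len(stream)):      # stop at the first hole in the stream
        if off not in stream:
            break
        data.append(stream[off])
    return bytes(data), conflicts


def inspect(segments, signature, policy="first"):
    """Match a plain substring signature on the normalized stream and flag
    conflicting overlaps, which well-behaved TCP stacks essentially never send."""
    data, conflicts = normalize_stream(segments, policy)
    return {"normalized": data,
            "signature_hit": signature in data,
            "overlap_conflicts": len(conflicts)}


# Constructed sample: the second segment overlaps the first with different
# bytes, so a sensor and a host with different overlap policies see different data.
SAMPLE_SEGMENTS = [
    (0, b"GET /index.html"),    # bytes 0..14, first copy
    (4, b"/cgi-bin/xx"),        # bytes 4..14, conflicting second copy
    (15, b" HTTP/1.0\r\n"),
]
SIGNATURE = b"/cgi-bin/"

if __name__ == "__main__":
    for pol in ("first", "last"):
        print(pol, inspect(SAMPLE_SEGMENTS, SIGNATURE, pol))
```

Whatever policy the sensor picks, a non-zero `overlap_conflicts` count is itself worth alerting on: it indicates a stream deliberately crafted to be read two ways.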
Lately there has been discussion of putting more effort into research on evasion techniques. A presentation at Hack.lu (a yearly computer security conference held in Luxembourg) discussed some potentially new evasion techniques and how to apply multiple evasion techniques in combination to bypass network security devices.