
Put to the test

New threats force intrusion-detection vendors to rearm.



Intrusion-detection systems work just fine when it comes to spotting and clamping down on attacks that have been seen before, but security experts warn that a new breed of stealthy network-attack techniques could run roughshod over today's IDS devices.

Experts are increasingly concerned about newer threats such as the so-called polymorphic buffer overflow, in which a person alters the attack's shell code or encrypts it to slip by an IDS. Some analysts contend that signature-based detection systems are doomed unless vendors adapt to changing conditions.

"The IDS vendors will have to graft on anomaly and behavior-based detection or they will die," says Ed Skoudis, vice president of ethical hacking at consultancy Predictive Systems.

The first evidence of how a polymorphic buffer-overflow attack might work came last year with an online tool called ADMutate that can take an attack shell code and subtly transform it. That way, the attack code looks different from the known signature but is functionally equivalent. As it hits the target machine it reassembles, having eluded the IDS. The ADMutate mutation engine is the first of its kind.
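An added illustration (not from the article or from any vendor it names) of why an exact-byte signature misses transformed payloads while a protocol-anomaly check still fires. The payload is a constructed, inert marker string; the XOR `transform`, the FTP `USER` length limit and all function names are assumptions made for this example.

```python
import string

# Hypothetical static signature, and a constructed, inert stand-in for the
# payload it was written against (marker text only, not executable code).
SIGNATURE = b"INERT-PAYLOAD-MARKER"
PAYLOAD = b"A" * 40 + SIGNATURE + b"-0001"
# Bytes considered normal inside a text protocol field.
PRINTABLE = set(string.printable.encode()) - set(b"\r\n\x0b\x0c")
MAX_USER_LEN = 32  # assumed site policy for an FTP user name

def transform(payload: bytes, key: int) -> bytes:
    """Stand-in for a mutation engine: same content, different bytes per key."""
    return bytes(b ^ key for b in payload)

def ftp_user_command(arg: bytes) -> bytes:
    """Wrap a value in the protocol field where a user name is expected."""
    return b"USER " + arg + b"\r\n"

def signature_detect(packet: bytes) -> bool:
    """Signature IDS: flag only if the known byte pattern appears verbatim."""
    return SIGNATURE in packet

def anomaly_detect(packet: bytes) -> bool:
    """Protocol-anomaly IDS: a USER argument should be short printable text."""
    if not packet.startswith(b"USER "):
        return False
    arg = packet[5:].rstrip(b"\r\n")
    return len(arg) > MAX_USER_LEN or any(b not in PRINTABLE for b in arg)

def evaluate(keys):
    """Count detections over the original packet and one variant per key."""
    packets = [ftp_user_command(PAYLOAD)]
    packets += [ftp_user_command(transform(PAYLOAD, k)) for k in keys]
    sig = sum(signature_detect(p) for p in packets)
    anom = sum(anomaly_detect(p) for p in packets)
    return sig, anom, len(packets)

def false_positive_check() -> bool:
    """An ordinary login name must not trip the anomaly check."""
    return anomaly_detect(ftp_user_command(b"anonymous"))

if __name__ == "__main__":
    sig, anom, total = evaluate(keys=[0x11, 0x5A, 0xC3])
    print(f"signature hits: {sig}/{total}  anomaly hits: {anom}/{total}")
```

The signature sees only the untransformed packet, whereas the anomaly check flags every variant because it tests what the field should look like rather than what one known attack looks like.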

While polymorphic attack techniques currently might not be in widespread use, they are a disturbing prospect "because when you can mutate that code in any way, you make it difficult to detect a known attack," says Oliver Friedrichs, director of engineering at consultancy SecurityFocus.

"It does make it harder for IDS," says Stuart Staniford, president and founder of Silicon Defense, which this week announced Sentarus, a management console product line for sensors based on IDS freeware Snort.

Once a new attack is known, it usually takes the IDS vendors a number of hours or days to develop a signature. But in the case of ADMutate, it has taken months for signature-based IDS vendors to add a way to detect a polymorphic buffer overflow generated by it.

"It's a hard problem," says Marty Roesch, president of Sourcefire, a company he founded to commercialize Snort, which he invented. "The idea is that signature-based IDSes like Snort look for traffic in a payload called Shell Code, but you can evade this with polymorphic shell-code generation."

Sourcefire, Internet Security Systems (ISS) and NFR Security are among the vendors that claim to have developed a defense for the ADMutate code-mutation exploit in their IDS products. "We were working on that one for some time," says Chris Rouland, director of the X-Force at ISS.

Even if the vendors have found a way to counter ADMutate, which is not clear, Skoudis says, "There are so many ways to do the same thing as ADMutate. It shows the underlying flaws. We will see a proliferation of polymorphic techniques."

Over the next few months, a British firm, NSS Group, will evaluate more than a dozen of the latest IDS products to see if they can detect ADMutate-generated code, as well as other evasion techniques, such as Fragrouter and Whisker. Results should be released in June, says Bob Walder, director of the NSS Group.

In December, NSS Group published more than 200 pages of lab tests it did on 16 IDS products. While the polymorphic buffer overflow might be the most dramatic way to sneak by an IDS, there are many other ways that involve hiding attack code inside large data flows directed at a target. Some IDSes, which depend on mirroring traffic, drop packets when traffic flows increase.

The ISS RealSecure product, Snort and Enterasys' Dragon product "all demonstrated some problems with handling detection on a network saturated with 64-byte packets, causing them to miss attacks under load," wrote NSS Group in its December report.

Cisco's Secure IDS Model 4320, NFR's NID 200 and BlackICE Sentry software (formerly sold by Network Ice, purchased by ISS last year) performed the best in detection, according to the NSS Group report. "Unfortunately, although it performed well under load, Symantec's NetProwler tended to misrepresent many of the attacks detected and was the only one of that group that was outwitted by our IDS evasion techniques," the report said. "Chargen attacks were reported as Stacheldraht, SYN floods were reported as ICMP Redirect, and SYNDrop was reported as the Tribal Flood Network 2K, among others."

And, according to NSS Group, the sensor and console of another IDS, Intrusion's SecureNet Pro, were overwhelmed by an attack called Snot, in which "genuine" attacks are inserted into a deliberate flood of data traffic.

RealSecure's detection capabilities fall off dramatically at 50% of network load, according to NSS Group. But ISS is redesigning its IDS to be based on BlackICE, which makes use of anomaly detection and can detect ADMutate-based attacks. RealSecure 7.0, expected to ship by June, should reflect such improvements.

ISS customers seem patient.

"There's nothing that is really perfect," says Andrew Bagrin, director of business technology at Regal Cinemas, which uses RealSecure to detect attacks against its Web site and internal network. "The RealSecure IDS does a good job for most attacks, and when it senses one, it sends a message to our Check Point firewall to block that attack traffic for 50 minutes."

Regal is merging with United Artists and Edwards Theatres to form the Regal Entertainment Group, totaling 560 locations. At that point, Regal will deploy an appliance from Crossbeam Systems called the Crossbeam X40S to run the firewall and IDS on the same hardware.

NSS Group director Walder says the IDS industry is undergoing such rapid change that NSS Group will have to do tests at least two or three times per year to keep up with what vendors are doing to improve their products.

Contact Senior Editor Ellen Messmer