Intrusion-detection systems work just fine when it comes to spotting and clamping down on attacks that have been seen before, but security experts warn that a new breed of stealthy network-attack techniques could run roughshod over today's IDS devices.
Experts are increasingly concerned about newer threats such as the so-called polymorphic buffer overflow, in which a person alters the attack's shell code or encrypts it to slip by an IDS. Some analysts contend that signature-based detection systems are doomed unless vendors adapt to changing conditions.
"The IDS vendors will have to graft on anomaly and behavior-based detection or they will die," says Ed Skoudis, vice president of ethical hacking at consultancy Predictive Systems.
The first evidence of how a polymorphic buffer-overflow attack might work came last year with an online tool called ADMutate that can take an attack shell code and subtly transform it. That way, the attack code looks different from the known signature but is functionally equivalent. As it hits the target machine it reassembles, having eluded the IDS. The ADMutate mutation engine is the first of its kind.
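The paragraph above describes the core of the problem: every variant looks different on the wire but decodes back to the same bytes on the target, so a signature written against one variant misses the rest. The following script is an added illustration (not the article's material and not ADMutate's code) that reproduces that effect with constructed placeholder bytes rather than real shellcode. The payload, the signature and the "decoder stub" prefix are all assumptions made for the demonstration; the point it shows is which part of an encoded variant stays constant, which is what a detector can key on.

```python
"""
Added example (not from the article or from ADMutate): why a fixed byte
signature is brittle against an encoded payload, and what stays constant
across variants. All byte strings are constructed stand-ins, not shellcode.
"""

# Constructed stand-in for the payload a signature was originally written against.
KNOWN_PAYLOAD = b"CONSTRUCTED-ATTACK-BYTES"
# A classic IDS rule: a fixed substring of that payload.
SIGNATURE = b"ATTACK-BYTES"
# Constructed stand-in for the small decoder every encoded variant must carry so
# the target can rebuild the original bytes. Assumption: a fixed prefix followed
# by a one-byte key.
DECODER_STUB = b"\x90DECODE:"


def xor_encode(payload: bytes, key: int) -> bytes:
    """Produce one variant: decoder stub, key byte, then payload XORed with key."""
    body = bytes(b ^ key for b in payload)
    return DECODER_STUB + bytes([key]) + body


def xor_decode(variant: bytes) -> bytes:
    """What the target does: strip the stub, read the key, undo the XOR."""
    if not variant.startswith(DECODER_STUB):
        raise ValueError("not an encoded variant")
    key = variant[len(DECODER_STUB)]
    body = variant[len(DECODER_STUB) + 1:]
    return bytes(b ^ key for b in body)


def signature_match(data: bytes, signature: bytes = SIGNATURE) -> bool:
    """Signature detection: look for the known bytes anywhere in the data."""
    return signature in data


def stub_match(data: bytes) -> bool:
    """Detection keyed on the part that does not change between variants."""
    return DECODER_STUB in data


def evaluate(keys) -> dict:
    """Compare both detectors over many variants of the same payload."""
    variants = [xor_encode(KNOWN_PAYLOAD, k) for k in keys]
    # Functional equivalence: every variant decodes to the original bytes.
    assert all(xor_decode(v) == KNOWN_PAYLOAD for v in variants)
    return {
        "signature_hits": sum(signature_match(v) for v in variants),
        "stub_hits": sum(stub_match(v) for v in variants),
        "distinct_on_wire": len(set(variants)),
    }


if __name__ == "__main__":
    # Key 0 would leave the payload unchanged, so use every other one-byte key.
    print(evaluate(range(1, 256)))
```

Running it shows 255 distinct byte strings on the wire, zero hits for the original signature and 255 hits for the stub check. That second number is the good news the vendors in this article eventually relied on, and also the caveat Skoudis raises further down: the stub check is itself just another signature, and a mutation engine that also rewrites its decoder and padding leaves nothing fixed to match, which is the argument for anomaly- and behaviour-based detection.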
While polymorphic attack techniques currently might not be in widespread use, they are a disturbing prospect "because when you can mutate that code in any way, you make it difficult to detect a known attack," says Oliver Friedrichs, director of engineering at consultancy SecurityFocus.
"It does make it harder for IDS," says Stuart Staniford, president and founder of Silicon Defense, which this week announced Sentarus, a management console product line for sensors based on IDS freeware Snort.
Once a new attack is known, it usually takes the IDS vendors a number of hours or days to develop a signature. But in the case of ADMutate, it has taken months for signature-based IDS vendors to add a way to detect a polymorphic buffer overflow generated by it.
"It's a hard problem," says Marty Roesch, president of Sourcefire, a company he founded to commercialize Snort, which he invented. "The idea is that signature-based IDSes like Snort look for traffic in a payload called Shell Code, but you can evade this with polymorphic shell-code generation."
Sourcefire, Internet Security Systems (ISS) and NFR Security are among the vendors that claim to have developed a defense for the ADMutate code-mutation exploit in their IDS products. "We were working on that one for some time," says Chris Rouland, director of the X-Force at ISS.
Even if the vendors have found a way to counter ADMutate, which is not clear, Skoudis says, "There are so many ways to do the same thing as ADMutate. It shows the underlying flaws. We will see a proliferation of polymorphic techniques."
A British firm, NSS Group, in the next few months will evaluate more than a dozen of the latest IDS products to see if they can detect ADMutate-generated code, among other evasion techniques, such as Fragrouter and Whisker. Results should be released in June, says Bob Walder, director of the NSS Group.
In December, NSS Group published more than 200 pages of lab tests it did on 16 IDS products. While the polymorphic buffer overflow might be the most dramatic way to sneak by an IDS, there are many other ways that involve hiding attack code inside large data flows directed at a target. Some IDSes, which depend on mirroring traffic, drop packets when traffic flows increase.
The ISS RealSecure product, Snort and Enterasys' Dragon product "all demonstrated some problems with handling detection on a network saturated with 64-byte packets, causing them to miss attacks under load," wrote NSS Group in its December report.
Cisco's Secure IDS Model 4320, NFR's NID 200 and BlackICE Sentry software (formerly sold by Network Ice, purchased by ISS last year) performed the best in detection, according to the NSS Group report. "Unfortunately, although it performed well under load, Symantec's NetProwler tended to misrepresent many of the attacks detected and was the only one of that group that was outwitted by our IDS evasion techniques," the report said. "Chargen attacks were reported as Stacheldraht, SYN floods were reported as ICMP Redirect, and SYNDrop was reported as the Tribal Flood Network 2K, among others."
And, according to NSS Group, another IDS, Intrusion's SecureNet Pro (both sensor and console), was overwhelmed by an attack called Snot, in which "genuine" attacks are inserted into a deliberate flood of data traffic.
RealSecure's detection capabilities fall off dramatically at 50% of network load, according to NSS Group. But ISS is redesigning its IDS to be based on BlackICE, which makes use of anomaly detection and can detect ADMutate-based attacks. RealSecure 7.0, expected to ship by June, should reflect such improvements.
ISS customers seem patient.
"There's nothing that is really perfect," says Andrew Bagrin, director of business technology at Regal Cinemas, which uses RealSecure to detect attacks against its Web site and internal network. "The RealSecure IDS does a good job for most attacks, and when it senses one, it sends a message to our Check Point firewall to block that attack traffic for 50 minutes."
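The arrangement Bagrin describes, an IDS alert that makes the firewall block the offending traffic for a fixed window, is a small piece of logic worth seeing end to end. The script below is an added example, not Regal's deployment and not Check Point or ISS code: a block list with lazy expiry, replayed over a constructed sequence of alerts and packets so the fifty-minute window can be checked exactly. Timestamps are seconds and the addresses are documentation ranges chosen for the example.

```python
"""
Added example (not Regal's, Check Point's or ISS's code): a time-limited block
list of the kind described above. An alert blocks a source for a fixed window,
and the block lapses on its own when the window ends.
"""
from dataclasses import dataclass, field

BLOCK_MINUTES = 50  # the window quoted in the article


@dataclass
class BlockList:
    window_seconds: int = BLOCK_MINUTES * 60
    # source address -> expiry timestamp (seconds)
    _expires: dict = field(default_factory=dict)

    def block(self, source: str, now: float) -> float:
        """Block a source until now + window; a repeat alert restarts the window."""
        expiry = now + self.window_seconds
        self._expires[source] = expiry
        return expiry

    def is_blocked(self, source: str, now: float) -> bool:
        """True while the window is open; expired entries are dropped on lookup."""
        expiry = self._expires.get(source)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expires[source]  # lazy expiry, no background timer needed
            return False
        return True

    def active(self, now: float) -> list:
        """Sources whose block is still in force at time `now`."""
        return sorted(s for s, e in self._expires.items() if e > now)


def replay(events, window_seconds: int = BLOCK_MINUTES * 60) -> list:
    """Replay (time, source, kind) events. An "alert" blocks its source; a
    "packet" is reported as dropped or passed according to the block list."""
    bl = BlockList(window_seconds)
    decisions = []
    for t, source, kind in events:
        if kind == "alert":
            bl.block(source, t)
        elif kind == "packet":
            verdict = "drop" if bl.is_blocked(source, t) else "pass"
            decisions.append((t, source, verdict))
        else:
            raise ValueError(f"unknown event kind: {kind}")
    return decisions


# Constructed event sequence: one alert, then traffic from the same and a
# different source, the last packet arriving exactly 50 minutes after the alert.
SAMPLE_EVENTS = [
    (0, "198.51.100.7", "alert"),
    (60, "198.51.100.7", "packet"),
    (60, "203.0.113.5", "packet"),
    (2999, "198.51.100.7", "packet"),
    (3000, "198.51.100.7", "packet"),
]

if __name__ == "__main__":
    for decision in replay(SAMPLE_EVENTS):
        print(decision)
```

The replay drops the blocked source's packets at 60 s and 2999 s, passes the unrelated source, and passes the blocked source again at 3000 s because the window has closed. A caveat practitioners usually attach to this kind of automatic shunning: the block is keyed on the source address the IDS saw, so alerts raised on traffic whose source can be forged should not be allowed to trigger it, or the firewall ends up blocking addresses someone else chose.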
Regal is merging with United Artists and Edwards Theatres to form the Regal Entertainment Group, totaling 560 locations. At that point, Regal will deploy an appliance from Crossbeam Systems called the Crossbeam X40S to run the firewall and IDS on the same hardware.
NSS Group director Walder says the IDS industry is undergoing such rapid change that NSS Group will have to do tests at least two or three times per year to keep up with what vendors are doing to improve their products.