[Diagram from the preceding slide: session reassembly queues; labels QUEUE, SESSION QUEUE; IP 1, IP 2, IP 3; Session 1, Session 2, Session 3]

Bypassing NIDS: Fragmentation
- NIDS must reconstruct fragments
  – Maintain state = drain on resources
  – Must overwrite correctly = more drain on resources
- Target server correctly defrags
- Attack 1: just fragment
- Attack 2: frag with overwrite
- Attack 3: start an attack, follow with many false attacks, finish the first attack

Bypassing NIDS: TCP unsync
- Inject a packet with a bad TCP checksum
  – fake “FIN” packet
- Inject a packet with a weird TCP sequence number
  – step up
  – wrapping numbers

Bypassing NIDS: Low TTL
[Diagram: NIDS; hops 1, 2, 3; WWW]

Bypassing NIDS: Max “MTU”
[Diagram: NIDS; WWW; segment with MTU = 1300; 1350 byte packet with DF = 1]

Bypassing NIDS: HTTP Proto
- “/” padding: “/cgi-bin///phf”
- Self referencing directories: “/cgi-bin/./phf”
- URL Encoding: “%2fcgi-bin/phf”
- Reverse Traversal: “/cgi-bin/here/../phf”
- TAB instead of spaces removal
- DOS/Win syntax: “/cgi-bin\phf”
- Null method: “GET%00/cgi-bin/phf”

Bypassing NIDS: Tel Proto
- Strip out Tel codes
- Automatic proxies which add random characters followed by backspace
  – “su X{backspace}root”

Bypassing NIDS: Resources
- Tools
  – Whisker, Rain Forest Puppy
  – Fragrouter, Dug Song
  – Congestant, horizon, Phrack 54
- Papers
  – “Insertion, Evasion and Denial of Service: Eluding Network Intrusion Detection”, Tom Ptacek, Timothy Newsham
  – Bro information:

Bypassing HIDS: Kernel Hacks
- Windows NT
  – 4 byte patch that removes all security restrictions from objects within the NT domain.
  – Could use ac
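The “TCP unsync” slide rests on a gap between sensor and endpoint: the endpoint drops a segment with a bad checksum (the fake FIN), while a monitor that never verifies checksums tears down or desynchronizes its own view of the session. The check that closes that gap is a plain RFC 1071 one's-complement sum over the IPv4 pseudo-header and the segment. The code below is an added example written for this page, not code from the slides or from any of the tools listed; the addresses, ports, sequence numbers and payload are constructed sample values.

```python
"""Validate TCP checksums on the sensor before acting on a segment (added example)."""
import socket
import struct

TCP_PROTO = 6
FIN, ACK = 0x01, 0x10


def ones_complement_sum(data: bytes) -> int:
    """Sum 16-bit big-endian words with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum the endpoint expects; the checksum field (bytes 16-17) counts as zero."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)
    csum = (~total) & 0xFFFF
    return csum or 0xFFFF  # RFC 793: a computed zero is transmitted as all ones


def tcp_checksum_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Summing pseudo-header plus the segment, checksum included, must yield all ones."""
    if len(segment) < 20:
        return False
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Minimal 20-byte TCP header (data offset 5, no options) plus payload, checksum filled in."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    segment = header + payload
    csum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", csum) + segment[18:]


def sensor_decision(src_ip: str, dst_ip: str, segment: bytes) -> str:
    """A checksum-aware sensor only feeds valid segments into stream reassembly."""
    return "reassemble" if tcp_checksum_valid(src_ip, dst_ip, segment) else "discard"


def demo() -> dict:
    # Constructed sample traffic: one client, one web server.
    src, dst = "10.0.0.5", "10.0.0.80"
    data = build_segment(src, dst, 40000, 80, 1000, 2000, ACK, b"GET / HTTP/1.0\r\n\r\n")
    real_fin = build_segment(src, dst, 40000, 80, 1018, 2000, FIN | ACK)
    # Same FIN with a corrupted checksum: the server ignores it, and so must the sensor.
    bad_fin = bytearray(real_fin)
    bad_fin[16] ^= 0xFF
    return {
        "data": sensor_decision(src, dst, data),
        "real_fin": sensor_decision(src, dst, real_fin),
        "fin_bad_checksum": sensor_decision(src, dst, bytes(bad_fin)),
    }


if __name__ == "__main__":
    for label, decision in demo().items():
        print("%-18s %s" % (label, decision))
```

The validity test deliberately sums the segment with its checksum in place rather than recomputing and comparing, which is the cheap form a sensor can afford per packet; a sensor that additionally mirrors the endpoint's sequence-number window closes the “weird sequence number” variants on the same slide.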
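Every item on the “HTTP Proto” slide is a different spelling of the same request target, and a signature engine that matches raw bytes against “/cgi-bin/phf” misses all of them. The defence is to canonicalize the request line the way the web server will interpret it before matching: split on tabs as well as spaces, percent-decode, fold backslashes, collapse “//” and “/./”, resolve “..”, and split a method from a target glued to it by a NUL. The following is an added example written for this page, not code from the slides or from Whisker; the signature string and the sample request lines are constructed inputs.

```python
"""Canonicalize HTTP request lines before signature matching (added example)."""
import re
from urllib.parse import unquote_to_bytes

SIGNATURE = "/cgi-bin/phf"  # constructed example signature, matched after canonicalization


def percent_decode(token: str) -> str:
    # Decode %XX escapes to raw bytes, then map bytes 1:1 to characters so that
    # %00 and %2f survive as "\x00" and "/" instead of being lost in text decoding.
    return unquote_to_bytes(token).decode("latin-1")


def canonicalize_path(raw_target: str) -> str:
    """Reduce a request target to one canonical absolute path."""
    path = percent_decode(raw_target.split("?", 1)[0])  # query string is not part of the path
    path = path.replace("\\", "/")                       # DOS/Win syntax
    path = path.replace("\x00", "")                      # embedded NULs never reach the filesystem name
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):      # "//" padding and "/./" self-references
            continue
        if seg == "..":           # reverse traversal
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def normalize_request_line(line: str):
    """Return (METHOD, canonical_path, version) for one request line."""
    tokens = re.split(r"[ \t]+", line.strip())          # TAB accepted as a separator
    if len(tokens) < 2:
        raise ValueError("malformed request line: %r" % line)
    method = percent_decode(tokens[0])
    if "\x00" in method:                                 # "GET%00/path": method and target fused
        method, fused_target = method.split("\x00", 1)
        tokens = [method, fused_target] + tokens[1:]
    method, target = tokens[0], tokens[1]
    version = tokens[2] if len(tokens) > 2 else "HTTP/0.9"
    return method.upper(), canonicalize_path(target), version


def matches_signature(line: str, signature: str = SIGNATURE) -> bool:
    _, path, _ = normalize_request_line(line)
    return path == signature


# Constructed request lines: one per evasion on the slide, plus a benign request.
SAMPLE_REQUEST_LINES = [
    "GET /cgi-bin///phf HTTP/1.0",          # "/" padding
    "GET /cgi-bin/./phf HTTP/1.0",          # self-referencing directory
    "GET %2fcgi-bin/phf HTTP/1.0",          # URL encoding
    "GET /cgi-bin/here/../phf HTTP/1.0",    # reverse traversal
    "GET\t/cgi-bin/phf\tHTTP/1.0",          # TAB instead of spaces
    "GET /cgi-bin\\phf HTTP/1.0",           # DOS/Win syntax
    "GET%00/cgi-bin/phf HTTP/1.0",          # null method
    "GET /index.html HTTP/1.0",             # benign
]


def scan(lines=SAMPLE_REQUEST_LINES) -> list:
    """Return (request_line, canonical_path, hit) for each line."""
    results = []
    for line in lines:
        _, path, _ = normalize_request_line(line)
        results.append((line, path, path == SIGNATURE))
    return results


if __name__ == "__main__":
    for line, path, hit in scan():
        print("%-5s %-22s %r" % (hit, path, line))
```

The decode-then-normalize order matters: a sensor that collapses slashes before percent-decoding still lets “%2f” through, and one that decodes only once misses a double-encoded target, so a production engine repeats the decode step until the string stops changing and alerts on anything that needed more than one pass.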