To help you plan your security strategy, this section shows you how hackers exploit vulnerabilities in IDSs. This will help you to better understand inherent weaknesses in the technology so that you can plan your layered security strategy more effectively.
Fragmentation is the most common attack against IDSs. By splitting packets into smaller pieces, hackers can often fool the IDS. A stateful IDS can reassemble fragmented packets for analysis, but as throughput increases, this consumes more resources and becomes less accurate. For example, one of the most popular network-scanning tools available, known as NMAP, has a fragmentation engine built right into it. If a hacker is using the GUI version of this tool, she only has to check a box to fragment her probe. By doing this, an ICMP probe packet is down into small chunks that are reassembled at the target computer. Using this technique, firewalls and IDSs often see only the partial packet, which does not raise any warning flags.
In addition to fragmenting data, it is possible to spoof the TCP sequence number that the IDS sees. For example, by sending a post-connection SYN packet with a forged sequence number, the IDS is desynchronized from the host. That is because the host drops the unexpected and inappropriate SYN, whereas the IDS might reset itself to the new sequence number. Thus, the IDS ignores the true data stream because it is waiting for a new sequence number that does not exist. Sending an RST packet with a forged address that corresponds to the forged SYN can also close this new connection to the IDS.
Whisker is a software tool designed to hack Web servers by sneaking carefully deformed HTTP requests past the IDS. For example, a typical cgi-bin request has the following standard HTTP format:
GET /cgi-bin/script.cgi HTTP/1.0
Obfuscated HTTP requests can often fool IDSs that parse Web traffic. For example, if an IDS scans for the classic phf exploit that follows, we can often fool it by adding extra data to our request:
For example, we can issue this request:
GET /cgi-bin/subdirectory/../phf HTTP/1.0
In this case, we request a subdirectory and then use the /../ command to move back up to the parent directory and execute the target script. This technique of sneaking in the back door is referred to as directory traversal, and it is currently one of the most commonly used forms of exploit.
Whisker automates a variety of such anti-IDS attacks. Because of this, Whisker is known as an anti-IDS (AIDS). Whisker has split into two projectswhisker (the scanner) and libwhisker (Perl module used by Whisker)and has been updated regularly.