In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-01-16 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
Understand the active response mechanism of IDS
In the developer community, about "what is the most effective way to detect *?" The debate on the issue is still going on fiercely, but IDS users are still satisfied with the current IDS technology. In order to gain a more competitive advantage, many IDS product providers have added active response functions to their products. The concept of this function is that IDS will detect the behavior of the * * and organize the * to continue. The problem, however, is that anyone with a little knowledge of TCP/IP can easily defeat these response mechanisms directly, or use these mechanisms to block the network, and administrators will have to turn them off. For administrators, understanding the limitations of proactive response will help administrators to blindly trust those product providers. The vast majority of response mechanisms are one of two forms:
1. Block a session
two。 Firewall linkage
First, a brief introduction to the "blocking session" mechanism:
Blocking sessions is by far the most common way for most IDS vendors. This approach is popular because it does not require the support of external devices, such as firewalls, and it is easy to implement. This mechanism is very simple. Next we will gradually analyze this mechanism and reveal how to bypass it. I hope my evaluation will not arouse the resentment of manufacturers.
Let's take IIS's Unicode horizontal directory traversal * * as an example to illustrate how this mechanism works. * user issues the following request, which has a total of 51 bytes, and turns the 51 bytes into fragmented IP packets, each with a length of 20 bytes, as shown below:
Data: / scripts/..%c0%af../winnt/systme32/cmd.exe/c+dir+foo
+-+ +
Offset: 0 20 40 51
Sec Num: 100 120 140 151
The IDS mentioned in this article is a product with the following features:
1. There is a characteristic signal about "system32/cmd.exe"
two。 Ability to reorganize all broken packets and flow information
3. Ability to decode unicode, hexcode (hexadecimal encoding), escape and base64
If the user simply repeats the behavior without making any changes, the IDS will capture the behavior and generate an alarm. Generally speaking, when processing, the operating system generates a random isn value on the IP stack for the IP packet shown above, and then sends out the data in three packets. (of course, we all know that this cannot be achieved simply through a browser, and here is just an example.)
The IP stack of some systems waits for a while after each packet is sent to receive an acknowledgement from the recipient that the packet has been sent. On the other hand, the IP stack of some systems will send out all three packets at once and then resend the packets that the recipient has not acknowledged. Although different operating systems handle the IP stack differently after a session is established (Established state), the key here is to show that the stack can certainly handle a certain number of packets at the same time. In this case, our IDS will alarm when it receives the third packet because it has received the first and second packets, and it can reorganize the entire session and match the appropriate signal. At this time, if IDS has the function of session blocking, then IDS will send a TCP RESET packet to each end of the communication, thus realizing the purpose of actively severing the connection. At this time, the stack of both sides of the communication will interpret the RESET packet as a response from the other end, then stop the whole communication process, release the buffer and revoke all TCP status information. At this time, the * packet may still be in the TCP/IP stack buffer of the target host operating system and has not been submitted to the application. Because the buffer is emptied, * will not occur.
For RESET packages, the premise of a RESET package issued by IDS is to know the current sequence number and confirmation number of the entire session, otherwise the RESET package will be ignored. In this case, the acknowledgement number must be 152 (1 greater than the last sequence number). If you send a RESET packet with a confirmation number of 142, the stack will ignore it as an invalid or corrupted packet. (well, it seems that the problem is beginning to become clear.)
Second, bypass "session blocking"
The mechanism of session blocking can be bypassed by people, and many ways to bypass this mechanism depend on the choice of time.
If * does not need an interactive session process, * users can simply set the PUSH stack of TCP/IP packets to achieve time selection. The TCP/IP stack generally does not immediately send large chunks of data received to the application for processing. Most of the time, this will cause the application to spend a high cost of system interrupt calls and content exchange to improve the processing ability of small data packets. The stack puts all the data in a buffer, and when the buffer is full, the stack submits all the data in the stack to the application layer program at one time. In the above example, all 51 bytes of data are received before they are submitted to the application layer at one time.
Some applications want to get the data as quickly as possible, so these programs will pay extra overhead to get the highest possible processing speed. The setting of the PUSH flag actually tells the TCP/IP stack to submit the data to the application layer as soon as it receives the data. But if you need to get a list of directories, you can't set the PUSH flag in this way, because the session is terminated as soon as the data is passed to the application. You can't get an interactive process, but if you just want to copy a file to the web server path in order to download the file through the browser, you can use this method, because the whole process does not require any interaction, you can complete your operation. (for example, copy the SAM file to the Web path).
If you need a session that can be maintained so that you can get an interactive process, this article will introduce a set of techniques to achieve this goal. The trick here is to get the target host to ignore RESET packets. At this point, let IDS think that it has terminated the session, but in fact the * is still working well.
First of all, the advantage is that all IDS have a delay when responding to *, because IDS takes a certain amount of time from grabbing data packets, monitoring * *, generating RESET packets, and finally sending RESET. Many IDS use the libpcap library to capture packets, and most of the IDS is built on BSD-like systems. Under BSD systems, BPF (Berkeley Packet Filters) is used to capture packets. BPF will open a large buffer by default. In a typical network, the process of sending RESET packets by IDS will be delayed by about half a second. On Linux and Solaris platforms, performance is slightly better, but there must be latency.
To invalidate the RESET sent by IDS, we must be able to ensure that after the * * feature appears in a session, the subsequent packet arrives at the destination before the RESET packet. Next we will briefly introduce how to implement a RESET packet that causes the target host to ignore IDS through the TCP working mechanism.
In TCP, everyone knows that there is a concept of Window window. Some of the data received by the system has been submitted to the application, and some are stored in the buffer, waiting to be submitted to the application, while there is an empty space in the system to accept the newly arrived data. As follows:
+
Unprocessed data gap of data that has been handed over to the application
+-+
^
Current pointer (CP)
All the data and gaps in the buffer constitute the window in TCP, and only the data in the form can perform send or receive or reset operations. The data before the form (that is, the data that has been submitted to the application layer above) is processed data, and the data after the form will be ignored. As shown in the figure above, the TCP stack also uses a current pointer CP to locate the start of the current empty space. The CP pointer points to the starting position of the next packet to be received, and its value is equal to the exact value. For example, if the current stack has 76 bytes of data, the exact value is 77. If the next packet arrives, the CP pointer will move to + 1 at the end of the next packet.
Since not all packets in TCP need to arrive sequentially, it is possible that subsequent packets arrive earlier than previous packets, for example, packets starting at 90 bytes may arrive earlier than packets starting at 77 bytes. All incoming packets will enter the buffer, but the CP pointer will stay at 77 until packets starting at 77 bytes arrive. When packets starting at 77 bytes arrive, the CP pointer will be moved to the end of the received packet at this time, as shown in the following figure:
+-+-- +-+
Data that has been handed over to the application the unprocessed data gap comes first and the data gap at the back of the location
+-+
^
Current pointer (CP)
Unordered packet arrival
Data that has been handed over to the application the unprocessed data arrives at the front of the data, the data comes first, the data gap at the back of the location.
^
Current pointer (CP)
After the packet arrives, the CP pointer moves one time.
In most TCP implementations, the RESET package must match the CP pointer, otherwise the RESET package will be discarded. Well, everything is completely clear, as long as we can construct a series of consecutive packets to modify the current CP. For example, in our example above, we construct a fourth package after the third package, such as containing a space or something, as long as it does not affect the effect of *. If we send out these two packets in succession at a very fast speed, when IDS catches the third packet, it will generate a RESET packet, but at this time the fourth packet has reached the target host. Modify
CP pointer. When the RESET packet sent by IDS arrives at the target host, the RESET packet is ignored. As we said earlier, IDS has delays. At the same time, we can have a better way. When we construct a packet, we send the fourth packet first and then the third packet, then the fourth packet arrives first and it enters the buffer, but the CP has not changed at this time. When the third packet arrives, the CP will move to the fourth packet, so that no matter how fast the RESET generated by IDS can be sent. The confirmation sequence of this RESET is always
If it is generated according to the third packet, it must be ignored. Because the CP pointer has already changed.
III. Conclusion
This paper mainly talks about the IDS active response mechanism in which RESET packets prevent TCP sessions. As for the firewall linkage mechanism, we can actually cause the firewall to mistakenly reject some important addresses, such as gateway routing address, DNS address, etc., by cheating and redirecting (such as FTP jump, see phrack 51). This can also bring great interference to users. At the same time, generally speaking, the firewall linkage mechanism has a delay of 1 to 2 seconds, which is enough time for the user to insert a back door to the target host, so that any kind of defense can be easily broken through. Through the description of this article, we can see that IDS provides an active response mechanism, which is much better than simply giving an alarm without responding, and it is also very attractive to users. Even this has become a propaganda weapon for many manufacturers, making many consumers think that this is a very advanced technology at this time. In fact, a person with a little knowledge of TCP/IP can make this response mechanism invalid.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.