CCNP Security IPS 642-627 Official Cert Guide: Network IPS Traffic Analysis Methods, Evasion Possibilities, and Anti-evasive Countermeasures

  • Date: Jul 18, 2011.

Article Description

This chapter covers the methods a network IPS sensor uses to analyze traffic, the evasion techniques attackers use to bypass detection and filtering (with the benefits and limitations of each analysis method, so that the risk of evasion can be assessed), and the available countermeasures and tools, including how to choose the best approach based on the methods attackers use.
Network IPS Evasion Techniques

As discussed in the previous section, there are a number of methods to analyze attacks, but to analyze them better and choose anti-evasion countermeasures it is important to understand the evasion techniques attackers use. Attackers often use network IPS evasion techniques to attempt to bypass the intrusion detection, prevention, and traffic filtering functions provided by network IPS sensors. Some commonly used network IPS evasion techniques are listed below:

  • Encryption and Tunneling
  • Timing Attacks
  • Resource Exhaustion
  • Traffic Fragmentation
  • Protocol-level Misinterpretation
  • Traffic Substitution and Insertion

Encryption and Tunneling

One common method of evasion is simply to avoid detection by encrypting the packets or sending them through a secure tunnel. As discussed several times already, IPS sensors monitor the network and capture packets as they traverse it, but network-based sensors rely on the data being transmitted in plaintext. When packets are encrypted, the sensor still captures them but cannot decrypt the data and therefore cannot perform meaningful analysis. This assumes the attacker has already established a secure session with the target network or host. Some examples of encryption and tunneling that can be used for this method are:

  • Secure Shell (SSH) connection to an SSH server
  • Client-to-LAN IPSec (IP Security) VPN (virtual private network) tunnel
  • Site-to-site IPSec VPN tunnel
  • SSL (Secure Socket Layer) connection to a secure website

There are other types of encapsulation that the sensor cannot unpack and analyze, which attackers often use in an evasion attack. For example, GRE (Generic Routing Encapsulation) tunnels are often used, with or without encryption.

Timing Attacks

Attackers can evade detection by performing their actions more slowly than normal, never exceeding the thresholds within the time windows that signatures use to correlate different packets together. These evasion attacks can be mounted against any correlating engine that uses a fixed time window and a threshold to classify multiple packets into a composite event. An example is a very slow reconnaissance scan that sends packets at a rate of a couple per minute. In this scenario the attacker would likely evade detection, at the cost of a scan that may take an unacceptably long time.
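As an added illustration (not from the book or from Cisco's code), the following Python models the fixed-window sweep signature just described, shows on a constructed scan log why a drip-rate scan never trips it while a fast scan does, and then applies two responses: the configurable (longer) interval the chapter lists later as a countermeasure, and, as an assumed alternative that is not a Cisco feature, a slowly decaying per-source score.

```python
import math
from collections import defaultdict, deque

# Constructed scan log: (timestamp_s, source_ip, dest_port), two sources.
# 10.0.0.9 probes 10 ports in 5 s; 10.0.0.5 probes 30 ports, one every 40 s.
EVENTS = sorted(
    [(500.0 + i * 0.5, "10.0.0.9", 2000 + i) for i in range(10)]
    + [(i * 40.0, "10.0.0.5", 1000 + i) for i in range(30)]
)


class FixedWindowSweep:
    """Sweep signature of the kind the text describes: alert when one source
    touches at least `threshold` distinct ports inside a `window_s` interval."""

    def __init__(self, window_s, threshold):
        self.window_s, self.threshold = window_s, threshold
        self.hits = defaultdict(deque)  # src -> deque of (ts, port)

    def observe(self, ts, src, port):
        q = self.hits[src]
        q.append((ts, port))
        while q and ts - q[0][0] > self.window_s:  # forget probes outside the window
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            q.clear()  # start a fresh window after alerting
            return src
        return None


class DecayingScoreSweep:
    """Alternative correlator (an assumption for illustration, not a Cisco
    feature): a per-source score that decays with time constant `tau_s`
    instead of being forgotten at a window edge, so a drip-rate scan still
    accumulates toward the threshold. Cost: state is kept per source for
    much longer than a fixed window would keep it."""

    def __init__(self, tau_s, threshold):
        self.tau_s, self.threshold = tau_s, threshold
        self.state = {}  # src -> (score, last_ts, ports_seen)

    def observe(self, ts, src, port):
        score, last, ports = self.state.get(src, (0.0, ts, set()))
        score *= math.exp(-(ts - last) / self.tau_s)
        if port not in ports:  # only a new port adds to the score
            ports.add(port)
            score += 1.0
        if score >= self.threshold:
            self.state[src] = (0.0, ts, set())
            return src
        self.state[src] = (score, ts, ports)
        return None


def alerted_sources(correlator, events=EVENTS):
    """Feed events in time order and return the set of sources alerted on."""
    alerted = set()
    for ts, src, port in events:
        hit = correlator.observe(ts, src, port)
        if hit is not None:
            alerted.add(hit)
    return alerted
```

With a 60 s window and threshold 8 only 10.0.0.9 is reported; widening the interval to 600 s, or using the decaying score, reports both sources.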

Resource Exhaustion

A common method of evasion is extreme resource consumption; it makes little difference whether the resulting denial of service is against the device or against the personnel managing it. Specialized tools can generate a large number of alarms that consume the resources of the IPS device and prevent real attacks from being logged. Such attacks can also overwhelm the management system or server, the database server, or the out-of-band (OOB) management network. Attacks of this nature can succeed even if they only overwhelm the administrative staff, who may not have the time or skill to investigate the numerous false alarms that have been triggered.

Intrusion detection and prevention systems rely on their ability to capture packets off the wire and analyze them quickly, which requires that the sensor have adequate memory capacity and processor speed. An attacker can cause an attack to go undetected by flooding the network with noise traffic, causing the sensor to capture and process unnecessary packets. Even if the attack is detected, a sensor whose resources are exhausted may be unable to respond in a timely manner.

Traffic Fragmentation

Fragmentation of traffic was one of the earliest network IPS evasion techniques used to attempt to bypass the network IPS sensor. Any evasion attempt in which the attacker splits malicious traffic to avoid detection or filtering is considered a fragmentation-based evasion. It works by:

  • Bypassing the network IPS sensor entirely if it does not perform any reassembly.
  • Reordering split data if the network IPS sensor does not correctly order it during reassembly.
  • Confusing the network IPS sensor's reassembly methods, which may not reassemble split data correctly and so miss the malicious payload.

A few classic examples of fragmentation-based evasion are:

  • TCP segmentation and reordering, where the sensor must correctly reassemble the entire TCP session, including corner cases such as selective ACKs and selective retransmission.
  • IP fragmentation, where the attacker fragments all traffic if the network IPS does not perform reassembly. Most sensors do perform reassembly, so the attacker instead fragments the IP traffic in a manner that cannot be uniquely interpreted. The sensor then interprets it differently from the target, which leads to the target being compromised.

Within the same class of fragmentation attacks is a class involving overlapping fragments. In overlapping fragments the offset values in the IP headers do not line up as they should, so one fragment overlaps another. The IPS sensor may not know how the target system will reassemble these packets, and different operating systems typically handle this situation differently.
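The following Python is an added example, not code from the book or from Cisco. It models a reassembly engine that keeps either the first-arrived or the last-arrived bytes in an overlap (two policies found in real stacks) and adds the sensor-side check a target-aware engine needs: flag any overlap where the chunks disagree, because that is exactly the case in which the target's view cannot be predicted. The request strings and byte offsets are constructed for illustration.

```python
# Constructed chunks of one datagram/stream in arrival order: (byte offset, data).
# The second chunk completely overlaps bytes 5..15 of the first with different
# content, so the reassembled request depends on which bytes the receiver keeps.
# (Real IP fragment offsets are in 8-byte units; byte offsets keep this short.)
OVERLAPPING = [
    (0, b"GET /index.html "),
    (5, b"admin.php  "),
    (16, b"HTTP/1.0\r\n"),
]
CLEAN = [(16, b"HTTP/1.0\r\n"), (0, b"GET /index.html ")]  # out of order, no overlap


def reassemble(chunks, policy):
    """Rebuild the byte stream from chunks in arrival order.

    policy "first": bytes that arrived first win in an overlap.
    policy "last":  later chunks overwrite earlier bytes.
    Both policies exist in real IP stacks, which is why a sensor must model
    the target's behaviour rather than pick one and hope.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}
    for off, data in chunks:
        for i, byte in enumerate(data):
            pos = off + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:  # some offset between 0 and end never arrived
        raise ValueError("gap in reassembled data")
    return bytes(buf[i] for i in range(end))


def conflicting_offsets(chunks):
    """Offsets where two chunks supply different bytes. A non-empty result is
    the case a sensor should alert on (or drop), because the target's view of
    the data cannot be predicted without knowing its reassembly policy."""
    seen, conflicts = {}, []
    for off, data in chunks:
        for i, byte in enumerate(data):
            pos = off + i
            if pos in seen and seen[pos] != byte:
                conflicts.append(pos)
            seen.setdefault(pos, byte)
    return conflicts


def sensor_view(chunks, target_policy):
    """What a target-aware sensor inspects: the stream as the target will see
    it, plus a flag telling the operator the overlap was inconsistent."""
    return reassemble(chunks, target_policy), bool(conflicting_offsets(chunks))
```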

Protocol-level Misinterpretation

Attackers also evade detection by causing the network IPS sensor to misinterpret the end-to-end meaning of network protocols. In this scenario the sensor sees the traffic differently from the target, causing the sensor either to ignore traffic that should not be ignored, or vice versa. Two common examples are packets with bad TCP checksums and IP TTL (Time-to-Live) attacks.

A bad TCP checksum could be exploited in the following manner. An attacker intentionally corrupts the TCP checksum of specific packets, confusing the state of a network IPS sensor that does not validate checksums. The attacker first sends a good payload with a bad checksum; the sensor processes it, but most hosts will not. The attacker then follows with a bad payload with a good checksum. To the network IPS sensor this appears to be a duplicate and is ignored, but the end host now processes the malicious payload.

The IP TTL field presents a problem for a network IPS sensor because there is no easy way to know the number of hops from the sensor to the endpoint of an IP session stream. Attackers can take advantage of this, after some reconnaissance, by sending a packet with a very short TTL that passes through the network IPS but is dropped by a router between the sensor and the target host when the TTL reaches zero. The attacker then sends a malicious packet with a long TTL, which reaches the end host. To the sensor this packet looks like a retransmission or duplicate, but to the target it is the first packet that actually arrived. The result is a compromised host, and the network IPS sensor ignored or missed the attack.
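An added Python example (not from the book or from Cisco) of the TCP checksum validation that defeats the bad-checksum sequence described above: it computes the RFC 793 checksum over the IPv4 pseudo-header, then feeds a constructed bad-checksum segment followed by a good-checksum segment at the same sequence number through a simplified stream engine with and without validation. Addresses, ports and payloads are constructed.

```python
import socket
import struct

SRC = socket.inet_aton("192.0.2.10")   # constructed IPv4 endpoints
DST = socket.inet_aton("198.51.100.7")


def ones_complement_sum(data):
    """16-bit one's-complement sum with end-around carry (RFC 1071 style)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip, dst_ip, segment):
    """Checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, TCP
    length) and the segment with its own checksum field (bytes 16-17) zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def checksum_ok(src_ip, dst_ip, segment):
    """A valid segment (checksum field included) sums to all ones."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment) == 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Minimal 20-byte TCP header (PSH|ACK by default) plus payload, checksummed."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    seg = hdr + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]


def corrupt_checksum(segment):
    """Flip one bit of the checksum field, leaving the payload intact."""
    return segment[:16] + bytes([segment[16] ^ 0x01, segment[17]]) + segment[18:]


def stream_payload(src_ip, dst_ip, segments, validate):
    """Bytes a simplified stream engine would hand to its signatures.
    With validate=True (the TCP checksum validation feature the text names)
    a segment the end host would discard is discarded here too, so a later
    segment reusing the same sequence number is not mistaken for a duplicate."""
    accepted, seen_seq = b"", set()
    for seg in segments:
        if validate and not checksum_ok(src_ip, dst_ip, seg):
            continue
        seq = struct.unpack("!I", seg[4:8])[0]
        if seq in seen_seq:  # naive duplicate suppression keyed on seq
            continue
        seen_seq.add(seq)
        accepted += seg[20:]
    return accepted


# Constructed exchange from the text: a bad-checksum segment followed by a
# good-checksum segment carrying different data at the same sequence number.
FIRST = corrupt_checksum(build_segment(SRC, DST, 40000, 80, 1000, b"payload-one"))
SECOND = build_segment(SRC, DST, 40000, 80, 1000, b"payload-two")
```

Without validation the engine inspects "payload-one" and discards the second segment as a duplicate; with validation it inspects "payload-two", which is what the end host actually receives.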

Traffic Substitution and Insertion

Another class of evasion attacks includes traffic substitution and insertion. Traffic substitution is when the attacker substitutes payload data with other data in a different format but with the same meaning. A network IPS sensor may miss such malicious payloads if it looks for data in a particular format and does not recognize the true meaning of the data. Some examples of substitution attacks are below:

  • Substitution of spaces with tabs, and vice versa, for example inside HTTP requests.
  • Using Unicode instead of ASCII strings and characters inside HTTP requests.
  • Exploit mutation, where specific malicious shellcode (executable exploit code that forces the target system to execute it) can be substituted by completely different shellcode with the same meaning and thus consequences on the end host or target.
  • Exploiting case sensitivity by changing the case of characters in a malicious payload, if the network IPS sensor is configured with case-sensitive signatures.

Insertion attacks work in a similar manner: the attacker inserts additional information that does not change the meaning of the attack payload. An example is the insertion of spaces or tabs into protocols that ignore such sequences.

Unicode provides a unique identifier for every character in every language, to facilitate uniform computer representation of the world's languages. Unicode is managed by the Unicode Consortium and has been adopted by the majority of information technology industry leaders. Modern standards including Java, LDAP (Lightweight Directory Access Protocol), and XML require Unicode, and many operating systems and applications support it. Unicode characters, known as 'code points', are written U+xxxx, where each x is a hexadecimal digit.

UTF-8 is the Unicode Transformation Format that serializes a Unicode code point as a sequence of one to four bytes, as defined by the Unicode Consortium in its "Corrigendum to Unicode 3.0.1." UTF-8 provides a way to encode Unicode code points while remaining compatible with ASCII, which is the common representation of text on the Internet.

Even though the Unicode specification dictates that distinct code points should be treated differently, there are times when the application or operating system assigns the same interpretation to different code points.

There are many different implementations of Unicode decoding (including some "free interpretations"); Cisco's Unicode de-obfuscation supports the following variations:

  • Ambiguous bits - Some decoder implementations ignore certain bits in the encoding. For example, an application may treat %A9 and %C9 identically, discarding the fifth bit in a UTF-8 two-octet encoding.
  • Alternate code pages - Most Windows-based personal computers have extended Latin code pages loaded. Typically when an extended character is processed it is normalized to an ASCII equivalent character.
  • Self-referencing directories - The directory name "test/././app" refers to the same path as "test/app".
  • Double encoding - The code point passes through two levels of encoding. The base encoding can be either single-octet UTF-8 or Unicode %U encoding (without variation). The second encoding can encode each octet of the base encoding with any encoding method and variation. As a result, a single character can be encoded in many unique ways; for example:
    • "%" can be represented at least 140 ways.
    • "x" can be represented at least 1000 ways on average.
    • "U" can be represented at least 3260 ways.
  • Multiple directory delimiters - Some operating systems will treat "/" and "\" equivalently as directory delimiters. Repeated directory delimiters are also ignored.
  • Unencoded octets mixed with encoded octets in a UTF-8 sequence - Any octet except the first octet in a UTF-8 sequence can be an unencoded value. A good example is the value 0x123, which represented in UTF-8 is %E0%84%A3; the 84, being an ASCII value, can also be represented with a UTF-8 value.
  • Microsoft base-36 - Older versions of Microsoft's UTF-8 decoder accepted 36 characters (A-Z and 0-9) as valid hexadecimal characters in the UTF-8 encoding instead of the normal 16 characters (A-F and 0-9). This is often referred to as a decoder implementation error.
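As an added example (not the book's or Cisco's decoder), the following Python normalizer implements several of the listed variations on the sensor side: bounded repeated percent decoding for double encoding and %U encoding, a lenient UTF-8 decoder that accepts overlong sequences such as the %E0%84%A3 form above, treatment of "\" as "/", collapsing of repeated delimiters, and removal of self-referencing "." segments. The ambiguous-bit, alternate code page and base-36 variations are not implemented; the sample paths are constructed.

```python
import re

_PCT = re.compile(r"%([0-9A-Fa-f]{2})")
_PCT_U = re.compile(r"%[uU]([0-9A-Fa-f]{4})")


def percent_decode_once(s):
    """One decoding pass: %uXXXX becomes the UTF-8 bytes of that code point,
    %XX becomes one raw byte, everything else passes through as UTF-8."""
    out, i = bytearray(), 0
    while i < len(s):
        m = _PCT_U.match(s, i)
        if m:
            out += chr(int(m.group(1), 16)).encode("utf-8", "surrogatepass")
            i = m.end()
            continue
        m = _PCT.match(s, i)
        if m:
            out.append(int(m.group(1), 16))
            i = m.end()
            continue
        out += s[i].encode("utf-8", "surrogatepass")
        i += 1
    return bytes(out)


def lenient_utf8(data):
    """Decode UTF-8 the way a forgiving target might: overlong sequences such as
    %C0%AF (an overlong '/') or the text's %E0%84%A3 (overlong U+0123) are
    accepted and mapped to the code point they spell; bytes that form no
    sequence at all become U+FFFD instead of raising."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif 0xC0 <= b < 0xE0:
            n, cp = 1, b & 0x1F
        elif 0xE0 <= b < 0xF0:
            n, cp = 2, b & 0x0F
        elif 0xF0 <= b < 0xF8:
            n, cp = 3, b & 0x07
        else:
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + n]
        if len(tail) < n or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd")
            i += 1
            continue
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + n
    return "".join(out)


def normalize_path(raw, max_rounds=3):
    """Canonical form a sensor would match signatures against. Bounded repeated
    decoding handles double encoding; then backslash is treated as '/',
    repeated delimiters collapse, and self-referencing '.' segments are dropped."""
    s = raw
    for _ in range(max_rounds):
        decoded = lenient_utf8(percent_decode_once(s))
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/+", "/", s.replace("\\", "/"))
    return "/".join(part for part in s.split("/") if part != ".")
```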

Table 3-2 Cisco IPS Evasion Tools & Anti-Evasion Features

| Evasion Method                     | Evasion Tool           | Cisco IPS Anti-Evasion Features                                             |
|------------------------------------|------------------------|-----------------------------------------------------------------------------|
| Traffic Fragmentation              | Fragroute, fragrouter  | Full session reassembly in STRING and SERVICE engines                       |
| Traffic Substitution and Insertion | Metasploit, Nessus     | Data normalization (de-obfuscation) in SERVICE engines                      |
| Protocol-level Misinterpretation   |                        | IP TTL validation; TCP checksum validation                                  |
| Timing Attacks                     | Nmap                   | Configurable intervals and use of CS MARS and similar tools for correlation |
| Encryption and Tunneling           | Any encrypted protocol | GRE tunnel inspection                                                       |
| Resource Exhaustion                | Stick                  | Smart dynamic event summarization                                           |

Table 3-2 above summarizes the evasion methods, tools, and the corresponding anti-evasion features available on Cisco IPS sensors. Although they are covered in the table, the anti-evasion features are also listed here:

  • Smart and dynamic summarization of events to guard against too many alarms for high event rates.
  • IP TTL analysis and TCP checksum validation to guard against end-to-end protocol-level traffic misinterpretation.
  • Full session reassembly that supports the STRING and SERVICE engines that must examine a reliable byte stream between two network endpoints.
  • Configurable intervals for correlating signatures, or the use of an external correlation tool that does not consume real-time sensor resources, such as Cisco Security MARS.
  • Data normalization (de-obfuscation) inside SERVICE engines, where all signatures convert network traffic data into a normalized, canonical form before comparing it to the signature matching rules.
  • Inspection of traffic inside GRE tunnels to prevent evasion through tunneling.

We'll discuss the configuration of these features in later chapters.
