IDP system. If the packet is not part of an existing connection or is rejected by the IP rule set then it is dropped.
2. The source and destination information of the packet is compared to the set of IDP Rules defined by the administrator. If a match is found, it is passed on to the next level of IDP processing, which is pattern matching, described in the step below. If there is no match against an IDP rule then the packet is accepted and the IDP system takes no further action, although further actions defined in the IP rule set are still applied, such as address translation and logging.
6.6.4. Insertion/Evasion Attack Prevention
Overview
When defining an IDP Rule, the administrator can enable or disable the option Protect against Insertion/Evasion attack. An Insertion/Evasion Attack is a form of attack which is specifically aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream must often be reassembled from smaller pieces of data because the individual pieces either arrive in the wrong order or are fragmented in some way. Insertions or evasions are designed to exploit this reassembly process.
Insertion Attacks
An insertion attack consists of inserting data into a stream so that the resulting sequence of data packets is accepted by the IDP subsystem but will be rejected by the targeted application. This results in two different streams of data.
As an example, consider a data stream broken up into 4 packets: p1, p2, p3 and p4. The attacker might first send packets p1 and p4 to the targeted application. These will be held by both the IDP subsystem and the application until packets p2 and p3 arrive so that reassembly can be done. The attacker now deliberately sends two packets, p2' and p3', which will be rejected by the application but accepted by the IDP system. The IDP system is now able to complete reassembly of the packets and believes it has the full data stream. The attacker now sends two further packets, p2 and p3, which will be accepted by the application, which can now complete reassembly, but resulting in a different data stream to that seen by the IDP subsystem.
Evasion Attacks
An evasion attack has a similar end result to the insertion attack in that it also generates two different data streams, one that the IDP subsystem sees and one that the target application sees, but it is achieved in the reverse way. It consists of sending data packets that are rejected by the IDP subsystem but are acceptable to the target application.
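The reassembly ambiguity behind both the insertion and the evasion cases above, as an added model that is not NetDefendOS code: each piece carries two constructed flags for whether the host and the IDP would accept it, the insertion sample replays the p1, p4, p2', p3', p2, p3 order from the text, and `normalize` stands in for the protection option by dropping pieces the host would reject and reassembling with the host's rule.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int        # byte offset of this piece within the stream
    data: bytes
    host_ok: bool   # would the target host accept this piece? (constructed flag)
    idp_ok: bool    # does the inspecting IDP consider it acceptable? (constructed flag)

def reassemble(segments, accept):
    """Rebuild the stream from out-of-order pieces; the first accepted copy of an
    offset wins. `accept` is the observer's acceptance policy (IDP or host)."""
    held = {}
    for s in segments:
        if accept(s):
            held.setdefault(s.seq, s.data)
    return b"".join(held[k] for k in sorted(held))

def host_accepts(s):
    return s.host_ok

def idp_accepts(s):
    return s.idp_ok

def views(segments):
    """What the IDP sees versus what the application sees for one arrival order."""
    return {"idp": reassemble(segments, idp_accepts),
            "app": reassemble(segments, host_accepts)}

def normalize(segments):
    """Model of the protection option: strip the extraneous pieces the host would
    not accept and reassemble with the host's own acceptance rule."""
    return reassemble([s for s in segments if host_accepts(s)], host_accepts)

# Constructed samples. Insertion: p1, p4 arrive; then p2', p3' (IDP accepts,
# host rejects); then the real p2, p3, which the IDP treats as duplicates.
P1 = Segment(0, b"GET ", True, True)
P4 = Segment(12, b" HTTP/1.0", True, True)
INSERTION = [P1, P4,
             Segment(4, b"/ind", False, True), Segment(8, b"ex.h", False, True),
             Segment(4, b"/cgi", True, True), Segment(8, b"-bin", True, True)]
# Evasion: the reverse; the real p2, p3 are pieces the IDP discards but the host
# accepts, so the IDP never completes the stream the application sees.
EVASION = [P1, P4,
           Segment(4, b"/cgi", True, False), Segment(8, b"-bin", True, False)]

if __name__ == "__main__":
    for name, arrival in (("insertion", INSERTION), ("evasion", EVASION)):
        v = views(arrival)
        print(name, "idp:", v["idp"], "app:", v["app"], "diverge:", v["idp"] != v["app"])
        print(name, "after normalization:", normalize(arrival))
```

In both samples the IDP and application views diverge before normalization and agree afterwards, which is the property a sensor needs for its pattern matching to be meaningful.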
Detection Action
If an insertion or evasion attack is detected with the Insertion/Evasion Protect option enabled, NetDefendOS automatically corrects the data stream by removing the extraneous data associated with the attack.
Insertion/Evasion Log Events
The insertion/evasion attack subsystem in NetDefendOS can generate two types of log message:
• An Attack Detected log message, indicating an attack has been identified and prevented.
556
Chapter 6: Security Mechanisms