
Check Point IPS Protects Against IPS/IDS Evasion Techniques


(CVE-2010-0102, CERT-FI Advisory)

Summary


Hackers constantly try to avoid detection by IPS systems by altering aspects of their traffic so that it is harder to inspect. Their methods range from fragmenting IP packets and segmenting the TCP stream to fragmenting RPC traffic and encoding parts of the stream in various ways. Recently, a Finnish security firm reported several specific techniques for evading IPS detection.

Details


Stonesoft Corporation, a security company based in Finland, has reported 23 techniques for evading IPS/IDS detection to the CERT-FI organization. All of these techniques are based on known ideas that were described over twelve years ago in the seminal work "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" by Thomas Ptacek and Timothy Newsham. The techniques described in that paper and demonstrated by Stonesoft use a combination of manipulations of the IPv4, TCP, SMB, and MSRPC protocols. Manipulation methods include overlapping and/or unordered fragments, invalid protocol field values, alterations of endianness, and others.
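The overlapping-fragment manipulation mentioned above is the classic case from the Ptacek and Newsham paper: if two fragments (or two TCP segments) claim the same byte positions with different data, a sensor that reassembles under one policy inspects a different stream than the host that reassembles under another. The following Python example is added here to make that ambiguity concrete; it is not Check Point's code and is not from the CERT-FI advisory. The `Fragment`, `reassemble` and `inspect_fragments` names and the sample fragments are constructed for illustration, and the two policies are simply "first byte wins" and "last byte wins".

```python
"""Added example, not Check Point's code or anything from the CERT-FI advisory.

Models the ambiguity behind overlapping-fragment evasion: when two fragments
(or two TCP segments) claim the same byte positions with different data, an
IPS that reassembles with one policy and the destination host with another
will inspect a different byte stream than the host acts on. The defensive
answer shown here is to reassemble under both policies and treat any
conflicting overlap as an anomaly worth alerting on (or normalizing away),
independent of whether a signature matched.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass(frozen=True)
class Fragment:
    """One IP fragment or TCP segment: its byte offset in the stream and payload."""
    offset: int
    data: bytes


@dataclass
class Reassembly:
    stream: bytes                                        # reconstructed bytes (gaps filled with NUL)
    conflicts: List[int] = field(default_factory=list)   # offsets where fragments disagreed
    gaps: List[int] = field(default_factory=list)        # offsets no fragment supplied


def reassemble(frags: List[Fragment], favor_new: bool) -> Reassembly:
    """Rebuild the stream from fragments in arrival order.

    favor_new=False: the first byte seen at an offset wins ("first-wins").
    favor_new=True : a later fragment overwrites earlier data ("last-wins").
    Any offset where two fragments supplied different bytes is recorded in
    `conflicts`; that is exactly the case where the two policies diverge.
    """
    buf: Dict[int, int] = {}
    conflicts = set()
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                if buf[pos] != b:
                    conflicts.add(pos)
                if favor_new:
                    buf[pos] = b
            else:
                buf[pos] = b
    if not buf:
        return Reassembly(b"")
    end = max(buf) + 1
    gaps = [p for p in range(end) if p not in buf]
    stream = bytes(buf.get(p, 0) for p in range(end))
    return Reassembly(stream, sorted(conflicts), gaps)


def inspect_fragments(frags: List[Fragment], pattern: bytes) -> dict:
    """Inspect under both policies and decide what the sensor should do."""
    first = reassemble(frags, favor_new=False)
    last = reassemble(frags, favor_new=True)
    result = {
        "first_wins": first.stream,
        "last_wins": last.stream,
        "first_wins_hit": pattern in first.stream,
        "last_wins_hit": pattern in last.stream,
        "conflicts": first.conflicts,
        "gaps": first.gaps,
    }
    if first.conflicts:
        # Overlaps carrying different data do not occur in normal traffic
        # (a retransmission repeats the same bytes), so alert on the overlap
        # itself rather than trusting either reassembly.
        result["verdict"] = "alert: conflicting overlap"
    elif first.gaps:
        result["verdict"] = "hold: stream incomplete"
    elif result["first_wins_hit"]:
        result["verdict"] = "alert: signature match"
    else:
        result["verdict"] = "clean"
    return result


# Constructed sample: fragment B overlaps the tail of A with different bytes,
# so a first-wins reassembler sees "/index" while a last-wins one sees "/admin".
SAMPLE = [
    Fragment(0, b"GET /index"),
    Fragment(4, b"/admin"),
    Fragment(10, b".html"),
]

if __name__ == "__main__":
    r = inspect_fragments(SAMPLE, b"/admin")
    print(r["first_wins"], r["last_wins"], r["conflicts"], r["verdict"])
```

On the constructed sample the two policies produce `GET /index.html` and `GET /admin.html` respectively, and the pattern `/admin` matches only one of them; the sensor therefore cannot rely on a single reassembly policy to decide, which is why the verdict is driven by the conflicting overlap rather than by the signature hit. The same offset-based logic applies whether the units are IP fragments or TCP segments.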

CERT-FI is the Finnish national Computer Emergency Response Team whose task is to promote security in the information society by sharing information on threats and vulnerabilities with network security vendors.

Solution


Check Point IPS has always handled all possible manipulations at the IP and TCP levels, and has published IPS updates to address manipulations at the SMB and MSRPC levels. For more information about these updates, please see SBP-2010-32, SBP-2010-31, SBP-2010-35, SBP-2010-34, and SBP-2010-33.


Originally Published:

Last Updated: 16-Dec-2010
