Intrusion Detection (from Phrak.Com)

(Taken from phrack.com, the best Hacker zine ever)

-------------------------[ Defeating Sniffers and Intrusion Detection Systems

----[ Overview

The purpose of this article is to demonstrate some techniques that can be used

to defeat sniffers and intrusion detection systems. This article focuses

mainly on confusing your average "hacker" sniffer, with some rough coverage of

Intrusion Detection Systems (IDS). However, the methods and code present in

this article should be a good starting point for getting your packets past ID

systems. For an intense examination of attack techniques against IDS, check

out: http://www.nai.com/products/security/advisory/papers/ids-html/doc000.asp.

There are a large number of effective techniques other than those that are

implemented in this article. I have chosen a few generic techniques that

hopefully can be easily expanded into more targeted and complex attacks. After

implementing these attacks, I have gone through and attempted to correlate

them to the attacks described in the NAI paper, where appropriate.

The root cause of the flaws discussed in this article is that most sniffers

and intrusion detection systems do not have as robust of a TCP/IP

implementation as the machines that are actually communicating on the network.

Many sniffers and IDS use a form of datalink level access, such as BPF, DLPI,

or SOCK_PACKET. The sniffer receives the entire datalink level frame, and

gets no contextual clues from the kernel as to how that frame will be

interpreted. Thus, the sniffer has the job of interpreting the entire packet

and guessing how the kernel of the receiving machine is going to process it.

Luckily, 95% of the time, the packet is going to be sane, and the kernel

TCP/IP stack is going to behave rather predictably. It is the other 5% of the

time that we will be focusing on.

This article is divided into three sections: an overview of the techniques

employed, a description of the implementation and usage, and the code. Where

possible, the code has been implemented in a somewhat portable format: a

shared library that wraps around connect(), which you can use LD_PRELOAD to

"install" into your normal client programs. This shared library uses raw

sockets to create TCP packets, which should work on most unixes. However, some

of the attacks described are too complex to implement with raw sockets, so

simple OpenBSD kernel patches are supplied. I am working on complementary

kernel patches for Linux, which will be placed on the rhino9 web site when

they are complete. The rhino9 web site is at: http://www.rhino9.ml.org/

----[ Section 1. The Tricks

The first set of tricks are solely designed to fool most sniffers, and will

most likely have no effect on a decent ID system. The second set of tricks

should be advanced enough to start to have an impact on the effectiveness of

an intrusion detection system.

Sniffer Specific Attacks

------------------------

1. Sniffer Design - One Host Design

The first technique is extremely simple, and takes advantage of the design of

many sniffers. Several hacker sniffers are designed to follow one connection,

and ignore everything