If the attacker can guess the detection threshold of the target, he can reduce the chances of
detection to a minimum, or even avoid detection altogether, as long as his packets do not carry
a signature that alerts the intrusion detection system in some other way.
3.2.3 Fragmentation Scanning
All IP packets that carry data can be fragmented.
If data is sent over TCP and fragmented, the destination port and source port, along with the
flags field, would normally travel in the first fragment sent.
RFC 791[17] defines the minimum and maximum sizes of fragments.
In the case of TCP, the 8 octets of data (the minimum fragment size) are enough to contain the
source and destination port numbers, which forces the TCP flags field into the second
fragment[18].
Some filtering devices and intrusion detection systems may incorrectly reassemble the
fragments or completely miss portions of the scan, assuming the fragment is just another
segment of traffic that has already passed through their access list.
Filtering devices that queue all IP fragments can handle this method; Linux is a good example,
with the CONFIG_IP_ALWAYS_DEFRAG kernel option. Some networks cannot afford the
performance hit this causes and disable this feature[19].
This kind of scan has been fixed in most vendors' products.
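As an added illustration of the defender's side of this technique (example code, not part of this paper or of any vendor's product), the following Python sketch applies the two checks RFC 1858 describes for TCP fragments: a first fragment (offset 0) that carries fewer than a minimum number of transport bytes is dropped, and a fragment at offset 1 (8 octets), which would overwrite the TCP header bytes holding the flags on reassembly, is dropped. The threshold TMIN of 16 bytes, the header builder and all sample packets are constructed for this example (IP checksums are left zero), so it runs offline.

```python
import struct

# Minimum transport-header bytes a TCP first fragment must carry. 16 bytes
# covers the flags byte at TCP offset 13; the value is an assumption for this
# example and would be a site policy setting in practice.
TMIN = 16
IPPROTO_TCP = 6


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 fields the fragment checks need (no checksum verification)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10]
    )
    ihl = (ver_ihl & 0x0F) * 4
    if (ver_ihl >> 4) != 4 or ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("malformed IPv4 header")
    return {
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),       # More Fragments bit
        "frag_offset": flags_frag & 0x1FFF,    # offset in 8-octet units
        "transport_len": total_len - ihl,      # transport bytes in this fragment
    }


def classify_fragment(pkt: bytes) -> str:
    """Apply the two RFC 1858 style rules for TCP fragments and return a verdict."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != IPPROTO_TCP:
        return "pass"
    fo = hdr["frag_offset"]
    # Rule 1: a first fragment carrying too little of the TCP header cannot be
    # filtered on its flags, so it is dropped (an unfragmented TCP packet this
    # short is malformed anyway).
    if fo == 0 and hdr["transport_len"] < TMIN:
        return "drop: tiny first fragment"
    # Rule 2: a fragment at offset 1 (8 octets) would overwrite bytes 8-15 of
    # the TCP header, where the flags live, during reassembly.
    if fo == 1:
        return "drop: fragment overlaps TCP header"
    return "pass"


def build_ipv4(payload: bytes, mf: bool, frag_offset: int, proto: int = IPPROTO_TCP) -> bytes:
    """Constructed IPv4 header (checksum left zero) placed in front of payload."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset & 0x1FFF)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + payload


# Constructed 20-byte TCP SYN: sport 40000, dport 80, seq 1, data offset 5, flags SYN.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)

# Constructed samples: one whole SYN, the 8-octet split described in the text
# (flags pushed into the second fragment), a 16-byte split that keeps the
# flags in the first fragment, and a small non-TCP fragment the rules ignore.
SAMPLES = {
    "whole_syn": build_ipv4(TCP_SYN, mf=False, frag_offset=0),
    "tiny_first": build_ipv4(TCP_SYN[:8], mf=True, frag_offset=0),
    "tiny_second": build_ipv4(TCP_SYN[8:], mf=False, frag_offset=1),
    "ok_first": build_ipv4(TCP_SYN[:16], mf=True, frag_offset=0),
    "ok_second": build_ipv4(TCP_SYN[16:], mf=False, frag_offset=2),
    "udp_small": build_ipv4(b"\x00" * 8, mf=True, frag_offset=0, proto=17),
}


def classify_all() -> dict:
    """Verdict for every sample, keyed by sample name."""
    return {name: classify_fragment(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:12s} {verdict}")
```

Both halves of the 8-octet split are rejected: the first because it is too short to carry the flags, the second because its offset of 1 is exactly the position an overlapping fragment would need. A split that keeps the first 16 bytes of the TCP header together passes both rules, which is the behaviour a filter that does not reassemble can still enforce.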
3.2.4 Decoy
Some network scanners include options for decoys, or spoofed source addresses, in their scans.
To the attacked network or host it appears that the hosts specified as decoys are scanning it
as well. This leads intrusion detection systems to conclude that the target network is being
port scanned by all of these hosts, and determining who the real attacker is becomes nearly
impossible.
One method that helped intrusion detection systems identify the decoy hosts in the past was the
TTL (Time to Live) field value of the scan packets: if all incoming packets carry the same TTL
value, they were likely generated by the same source.
If the attacker is using nmap, intrusion detection systems cannot rely on this method, since
nmap generates random TTL values between 51 and 65.
Another way of detecting the real scan among the decoys is to traceroute the source IPs.
If the attacker used non-routable IPs, or IPs belonging to hosts that are not up, something is
suspicious. This can also result in a denial of service.
Attackers solved this by using spoofed IPs of hosts that were up.
Another aspect of detection is the use of IPs rather than names, which is a really smart move,
because the decoys' networks will not see the attacker's IP in their name server logs[20].
[17] http://www.ietf.org/rfc/rfc0791.txt
[18] RFC 1858, http://www.ietf.org/rfc/rfc1858.txt
[19] nmap network security scanner man page, http://insecure.org/nmap/nmap_manpage.html
[20] Ron Gula, How to Handle and Identify Network Probes, Network Defense Consulting.