New batch of IDS, IPS evasion techniques are hitting their targets

Stonesoft has discovered 163 new advanced evasion techniques (AET), claiming these AETs can pass below the radar of some IDS, IPS products.

Hackers are increasingly adopting more sophisticated techniques in order to avoid being caught by intrusion detection and prevention systems (IDS and IPS).

Finnish IPS vendor Stonesoft said that in the last few months it has discovered 163 advanced evasion techniques (AETs) capable of passing below the radar of most IDSes and IPSes, thereby penetrating their target networks.

This latest batch of IPS and IDS evasion techniques is in addition to the 120 Stonesoft discovered in February, and the 23 it found in October 2010. All the samples have been submitted to the Finnish CERT (computer emergency readiness team) for further analysis and validation.

Stonesoft said the new samples exploit various protocols, including IPv4, IPv6, TCP and HTTP, and would not be picked up by most commercial IPS products. “Most of the vendors who acknowledge the problem are incapable of building a working solution,” said Ilkka Hiidenheimo, founder and CEO of Stonesoft, in a written statement. “Instead, they are keeping themselves busy doing temporary and inflexible fixes. The rest just ignore the issue and do nothing.”

IDS, IPS evasion techniques

The new set of AET samples, gathered from a honeypot operated by Stonesoft, includes 54 that use a single technique, and 109 that combine several techniques in a single attack. Ash Patel, UK country manager with Stonesoft, said this indicates there could be an almost unlimited number of permutations of techniques that might be used.

The attacks are especially dangerous because many organisations rely on IPS to provide a level of protection for systems that haven’t been fully patched for known vulnerabilities.

So far, Stonesoft has been a lone voice in raising the alarm about AETs, but many of its claims have been validated recently by researchers at the University of Glamorgan, which is working in partnership with Stonesoft to research AETs.

Professor Andrew Blyth, head of advanced technology at Glamorgan, said: “Stonesoft came to us saying they wanted to find someone who could independently either validate their findings, or prove them wrong. Our research tells us that there are definitely techniques being used to successfully bypass current defence methods.”

Glamorgan carries out forensic post-breach investigations for businesses and government, and Blyth said some attacks are becoming far more sophisticated and able to stay ahead of current defences. “AETs are not new – they have been with us since the early days of networking,” he said. “The threats are constantly developing as we come up with ways of stopping today’s AETs.”

How the AETs work

Blyth said attackers now often use multiple sessions to try to confuse IDSes and IPSes. “Snort, for example, makes a decision based on a packet. So the attacker will create packets that look harmless individually, but which can combine to do harm,” he said. “Snort doesn’t do session reconstruction over long periods of time well, because it would have to hold a lot of sessions in memory.”
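The trade-off Blyth describes can be shown from the detection side with a toy model. This is an added example, not code from Snort, Stonesoft or the Glamorgan research; the signature, flow ids, sequence numbers and payloads are constructed, and the bounded flow table is an assumed stand-in for an inspector's limited session memory.

```python
from collections import OrderedDict

SIGNATURE = b"EXAMPLE-BAD-PATTERN"  # constructed, harmless marker standing in for an IPS signature

# Constructed sample traffic: (flow id, TCP sequence number, payload).
# Flow "A" carries the marker split across three segments, delivered out of order.
SEGMENTS = [
    ("A", 1000, b"GET /?q=EXAM"),
    ("B", 500, b"GET /index.html HTTP/1.1\r\n"),
    ("A", 1020, b"PATTERN HTTP/1.1\r\n"),
    ("A", 1012, b"PLE-BAD-"),
]

def per_packet_match(segments):
    """Stateless inspection: each payload is checked on its own."""
    return [flow for flow, _seq, payload in segments if SIGNATURE in payload]

def contiguous(segs):
    """Join buffered segments in sequence order, stopping at the first gap."""
    stream, nxt = b"", min(segs)
    for seq in sorted(segs):
        if seq > nxt:
            break                      # missing bytes: cannot inspect past here yet
        tail = segs[seq][nxt - seq:]   # skip bytes an earlier segment already covered
        stream += tail
        nxt += len(tail)
    return stream

def stream_match(segments, max_flows):
    """Stateful inspection with a bounded flow table (oldest flow evicted first)."""
    flows, alerts = OrderedDict(), []
    for flow, seq, payload in segments:
        segs = flows.setdefault(flow, {})
        flows.move_to_end(flow)
        segs.setdefault(seq, payload)  # first copy wins on retransmission (policy choice)
        if len(flows) > max_flows:
            flows.popitem(last=False)  # memory pressure: state for the oldest flow is lost
        if flow not in alerts and SIGNATURE in contiguous(segs):
            alerts.append(flow)
    return alerts

if __name__ == "__main__":
    print("per-packet:", per_packet_match(SEGMENTS))
    print("reassembly, room for 1024 flows:", stream_match(SEGMENTS, 1024))
    print("reassembly, room for 1 flow:", stream_match(SEGMENTS, 1))
```

Only the reassembling inspector with enough flow state raises an alert; the same logic with room for a single flow loses the first segment to eviction and stays silent, which is the memory cost the quote points to.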

Sourcefire, the company that produces Snort and other IPS products, declined to comment on the findings.

Blyth said the initial work with Stonesoft will last a year, with the aim of producing clear definitions of AETs in a series of white papers. The Glamorgan team will also examine the various threat samples. “The techniques are a cause for concern, because they exist and they are being used in the wild. We have seen some of them, if not all of them,” Blyth said.

He also confirmed the attacks are successful against many conventional defences. “A lot of detection technologies are missing these AETs, so people are in denial about their existence,” he said. “Companies are trying to fix the problem, but some of the evasion techniques are very sophisticated and hard to detect. It’s like a needle in a haystack, with a very big data stream you must process in a reasonable period of time. It makes it very challenging.”

Blyth also predicted commercial toolkits will soon be available for many of the new attack techniques. “Exploits tend to go from zero-day to point-and-click fairly quickly, because someone turns the tool into a product and sells it,” he said. “There is no reason to doubt the industrialisation trend will apply to AETs. It might take a bit longer, but it will happen.”
