Description: Slides: https://deepsec.net/docs/Slides/DeepSec_2011_Arron_Finnon_-_Reassemble_or_GTFO!_-_IDS_Evasion_Strategies.pdf
Intrusion Detection Systems, or IDS for short, have been sold for many years as a solution to stop attackers from both the "inside" of a network and the "outside". There is little doubt that the capabilities of these devices have been oversold, and at their very heart are some implementation problems that have no simple fixes.
The talk looks at one of the underlying problems an IDS faces when conducting packet inspection: reassembly.
Reassembly evasion techniques aim to confuse an IDS during packet inspection, either by supplying data to the IDS that will never be factored in at the receiving end (insertion), or by confusing the IDS's own process of reconstructing the data stream. In essence, reassembly evasion techniques attack the very process of inspection.
Techniques ranging from the insertion of rogue nulls to overlapping and overwriting the contents of packets mean that an IDS has very little chance of catching all bad traffic. Many IDS systems are geared to dealing with high traffic volume, and any reassembly is going to be both difficult and taxing on system resources, whilst slowing the network down. With very little enumeration, a potential attacker can utilise a number of reassembly evasion techniques to aid in the escape of otherwise prohibited traffic.
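To make the two ambiguities above concrete from the monitoring side, here is an added example (not part of the talk or its slides) with a minimal stream reassembler: the same constructed overlapping segments yield different streams under a "first byte wins" and a "last byte wins" policy, and a segment the end host would drop is kept only by a monitor that skips the host's validity checks. The `Segment.valid` flag and the sample byte strings are constructed stand-ins for real checksum/TTL checks and real traffic.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int            # stream offset of the segment's first byte
    data: bytes
    valid: bool = True  # False models a segment the end host discards (bad checksum, expired TTL)

def reassemble(segments, policy="first", check_validity=True):
    """Rebuild a contiguous byte stream from possibly overlapping segments.
    policy "first": the byte seen first wins; "last": later segments overwrite.
    check_validity=False models an IDS that skips the checks the end host performs.
    Returns (stream, offsets whose value depended on the policy)."""
    stream, conflicts = {}, set()
    for seg in segments:
        if check_validity and not seg.valid:
            continue  # the end host never sees this segment, so neither should the monitor
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if off not in stream:
                stream[off] = byte
            elif stream[off] != byte:
                conflicts.add(off)
                if policy == "last":
                    stream[off] = byte
    if not stream:
        return b"", conflicts
    lo, hi = min(stream), max(stream)
    if len(stream) != hi - lo + 1:
        raise ValueError("gap in stream; cannot reassemble")
    return bytes(stream[o] for o in range(lo, hi + 1)), conflicts

def detect_reassembly_evasion(segments):
    """Defender-side check that flags the two ambiguities described in the talk abstract."""
    findings = []
    if any(not s.valid for s in segments):
        findings.append("insertion: segment present on the wire that the host will drop")
    first, conflicts = reassemble(segments, "first")
    last, _ = reassemble(segments, "last")
    if conflicts:
        findings.append(f"overlap: {len(conflicts)} byte(s) differ between first/last policy")
    if first != last:
        findings.append("ambiguous: reconstructed stream depends on reassembly policy")
    return findings

# Constructed sample segments (not from the talk): an overlap that rewrites "WORLD" to "THERE"
OVERLAP = [Segment(0, b"HELLO WORLD"), Segment(6, b"THERE")]
# ...and an inserted segment that a naive monitor keeps while the end host drops it
INSERTION = [Segment(0, b"HELLO"), Segment(5, b" JUNK", valid=False), Segment(5, b" WORLD")]
```

A monitor that cannot tell which policy the destination host applies, or that keeps segments the host discards, inspects a stream the host never sees; alerting on conflicting overlaps and on invalid segments is the practical mitigation.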
The talk will look at a few of the known reassembly evasion techniques, and some of the not so well known ones, with the aim of educating the attendees on what to look out for, and how to better understand the threat faced by IDSs. In short, this talk looks at: Getting The Fragments Out
Tags: securitytube, Confidence, hacking, hackers, information security, convention, computer security, deepsec-11, deepsec-2011
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.