CEH

(Jeff_L) #1

Honeypots, IDSs, and Firewalls 385


Fun with Flags


The TCP protocol uses flags on packets to describe the status of the packet. Knowledge of
these flags can yield benefits such as evasion techniques for IDSs.


Bogus RST


RST is one of the many flags used to end two-way communications between endpoints. In
addition to these flags, checksums are used to verify the integrity of the packet to ensure
that what was received is what was sent originally. An attacker can use alteration of this
checksum to cause the IDS to not process the packet. What happens with some IDSs is that
upon receipt of an invalid checksum, processing stops and the traffic passes unimpeded by
the IDS without raising an alert.


Sense of Urgency


The URG flag is used to mark data as being urgent in nature. Although it is used to indicate
which information is of an urgent nature, all information that flows before it is ignored in
order to process the urgent data. Some IDSs do not take this previous data into account
and let it pass unimpeded, letting an attack potentially pass without hindrance.


Encryption


Some IDSs cannot process encrypted traffic and therefore will let it pass. In fact, of all the
evasion techniques, encryption is one of the most effective.


Evading Firewalls


Earlier you learned what a firewall is capable of doing and the different types that exist. So
how does an attacker evade these devices? A handful of techniques are available.


IP Address Spoofing


One effective way an attacker can evade a firewall is to appear as something else, such as
a trusted host. Using spoofing to modify address information, the attacker can make the
source of an attack appear to come from someplace else rather than the malicious party.


Source Routing


Using this technique, the sender of the packet designates the route that a packet should take
through the network in such a way that the designated route should bypass the firewall
node. Using this technique, the attacker can evade the firewall restrictions.

Through the use of source routing, it is entirely possible for the attacker or sender of
a packet to specify the route they want it to take instead of leaving such choices up to the
normal routing process. In this process the origin or source of a packet is assumed to have
all the information it needs about the layout of a network and can therefore specify its own
best path for getting to its destination.

By employing source routing, an attacker may be able to reach a system that would not
normally be reachable. These systems could include those with private IP addresses or those

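A sensor avoids the problem described under "Bogus RST" above by validating the TCP checksum the way the receiving host does and ignoring (while alerting on) segments that fail, rather than ending inspection. The following is an added example, not part of the quoted book text; the packets, documentation addresses, and the `replay` and `build` helpers are constructed for illustration.

```python
import socket
import struct

RST = 0x04

def ones_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum_ok(pkt: bytes) -> bool:
    """Verify the TCP checksum of a raw IPv4 packet over pseudo-header + segment."""
    ihl = (pkt[0] & 0x0F) * 4
    segment = pkt[ihl:struct.unpack("!H", pkt[2:4])[0]]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return ones_sum(pseudo + segment) == 0xFFFF

def replay(packets):
    """Track one flow as the receiving host would; return (alerts, inspected bytes)."""
    alerts, inspected, flow_open = [], b"", True
    for n, pkt in enumerate(packets):
        ihl = (pkt[0] & 0x0F) * 4
        flags = pkt[ihl + 13]
        if not tcp_checksum_ok(pkt):
            # The endpoint discards this segment, so the sensor must not act on it.
            alerts.append((n, "bad TCP checksum on RST" if flags & RST else "bad TCP checksum"))
            continue
        if flags & RST:
            flow_open = False          # a valid RST really ends the flow
        elif flow_open:
            inspected += pkt[ihl + (pkt[ihl + 12] >> 4) * 4:]
    return alerts, inspected

def build(flags: int, payload: bytes = b"", corrupt: bool = False) -> bytes:
    """Constructed sample packet (documentation addresses, fixed ports and sequence numbers)."""
    src, dst = socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.5")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1000, 2000, 5 << 4, flags, 8192, 0, 0) + payload
    csum = 0xFFFF - ones_sum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)
    if corrupt:
        csum ^= 0x5555                 # guaranteed to fail verification
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    return struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst + tcp

# Constructed flow: data, RST with a bad checksum, more data, then a valid RST.
SAMPLE = [build(0x18, b"GET /a"), build(RST, corrupt=True), build(0x18, b"GET /b"), build(RST)]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Captures taken on the sending host can show incorrect checksums for outbound packets when the NIC computes them in hardware, so this check belongs on traffic seen in transit or inbound.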