386 Chapter 16 ■ Evading IDSs, Firewalls, and Honeypots
that are protected under normal conditions from the Internet. The attacker may even be
able to combine this with IP spoofing, which complicates detection and tracing further
because the packet appears to come from a source other than its real one.
Fortunately, the easiest way to prevent source routing is to configure routers (and hosts) at
the edge of the privately controlled network to drop or ignore any packet carrying the IP
source-route options, loose or strict.
Fragmentation
The attacker uses IP fragmentation to create extremely small fragments and force part of
the TCP header into a later fragment. With 8-byte fragments (the smallest the IP rules
allow), the first fragment holds only the source and destination ports and the sequence
number; the TCP flags field does not arrive until the second fragment. A packet filter or
IDS that inspects TCP flags only in the first fragment of a datagram therefore never sees
them, and the segment passes. Filters that reassemble fragments before inspecting them, or
that simply drop a first fragment too short to contain the whole TCP header (the
countermeasure RFC 1858 recommends), defeat the technique.
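To make the evasion concrete, the following added example (written for this edition, not code from the chapter or from any tool it names) builds a raw IPv4/TCP SYN in pure Python, splits it into 8-byte fragments, and runs the result through three constructed filters: one that inspects only the first fragment, one that reassembles first, and one applying the RFC 1858 minimum-size rule. The addresses, ports and the "drop SYN" policy are invented for the demonstration.

```python
"""Tiny-fragment evasion: where the TCP flags end up.

Added example, not code from the original chapter. A raw IPv4/TCP SYN is
built in pure Python, split into 8-byte fragments (the smallest legal IP
fragment payload), and run through constructed filters.
"""
import struct
from typing import List, Tuple

TCP = 6
SYN = 0x02
MF = 0x2000                   # IPv4 "more fragments" bit in the flags/offset field
SRC = b"\x0a\x00\x00\x01"     # 10.0.0.1 and 10.0.0.2: constructed addresses
DST = b"\x0a\x00\x00\x02"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header, no options. The flags byte sits at offset 13.
    The TCP checksum is left zero because no filter here verifies it."""
    offset_and_flags = (5 << 12) | flags        # data offset = 5 words
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, offset_and_flags, 8192, 0, 0)


def ip_fragments(payload: bytes, ident: int, frag_payload: int) -> List[bytes]:
    """Split an IP payload into fragments carrying frag_payload bytes each."""
    assert frag_payload % 8 == 0, "fragment offsets are in 8-byte units"
    frags = []
    for off in range(0, len(payload), frag_payload):
        chunk = payload[off:off + frag_payload]
        last = off + frag_payload >= len(payload)
        flags_off = (0 if last else MF) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(chunk), ident,
                          flags_off, 64, TCP, 0, SRC, DST)
        hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
        frags.append(hdr + chunk)
    return frags


def parse_ip(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (identification, fragment offset in bytes, protocol, fragment payload)."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, flags_off, _, proto, _, _, _ = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return ident, (flags_off & 0x1FFF) * 8, proto, pkt[ihl:total_len]


def first_fragment_filter(frags: List[bytes]) -> str:
    """Stateless filter that checks TCP flags only in the first fragment and
    passes anything whose flags it cannot see. This is the weakness in the text."""
    for pkt in frags:
        _, offset, proto, payload = parse_ip(pkt)
        if offset == 0 and proto == TCP and len(payload) >= 14 and payload[13] & SYN:
            return "DROP"
    return "ALLOW"


def reassembling_filter(frags: List[bytes]) -> str:
    """Reassemble each datagram by identification field, then inspect the flags."""
    parts = {}
    for pkt in frags:
        ident, offset, proto, payload = parse_ip(pkt)
        if proto == TCP:
            parts.setdefault(ident, []).append((offset, payload))
    for pieces in parts.values():
        segment = b"".join(p for _, p in sorted(pieces))
        if len(segment) >= 14 and segment[13] & SYN:
            return "DROP"
    return "ALLOW"


def tiny_fragment_rule(frags: List[bytes]) -> str:
    """RFC 1858 style countermeasure: drop a first fragment too short to carry
    the TCP header through the flags field (fewer than 16 payload bytes)."""
    for pkt in frags:
        _, offset, proto, payload = parse_ip(pkt)
        if offset == 0 and proto == TCP and len(payload) < 16:
            return "DROP"
    return "ALLOW"


if __name__ == "__main__":
    syn = tcp_header(40000, 80, SYN)
    tiny = ip_fragments(syn, 0x1234, 8)      # flags land in the second fragment
    whole = ip_fragments(syn, 0x1234, 24)    # whole header in one fragment
    for name, f in [("first-fragment filter", first_fragment_filter),
                    ("reassembling filter", reassembling_filter),
                    ("RFC 1858 rule", tiny_fragment_rule)]:
        print(f"{name:22} tiny={f(tiny)} whole={f(whole)}")
```

Run stand-alone, the script shows the first-fragment filter allowing the fragmented SYN while dropping the unfragmented one, and both countermeasures dropping the fragmented version.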
IP Addresses to Access Websites
A mechanism that is effective in some cases at evading or bypassing a firewall or web filter is
the use of an IP address in place of a host name in the URL. Some filters match only on the
host name or URL string rather than on the destination IP address, so requesting the site by
address can slip past the device. Tools such as host2ip (or an ordinary DNS lookup with
nslookup or dig) convert a host name to its IP address, which can then be typed into the
browser. The trick fails where several sites share one address under name-based virtual
hosting, because the Host header the browser sends then carries the bare IP address rather
than the site's name, and the server does not know which site to serve.
Other mechanisms that are somewhat similar to this technique are using website
anonymizers and using open public proxy servers to get around the firewalls or website
restrictions of a company.
Using ICMP Tunneling
Yet another method to bypass or evade a firewall is ICMP tunneling. It relies on a
little-noticed aspect of RFC 792, the specification that defines ICMP: for an echo request and
reply the RFC fixes the format of the header and requires that the data received in the request
be returned in the reply, but it places no constraint on what the data field contains. Because
the contents are arbitrary, anything can be carried there, including commands and their output
for a covert channel or a malware payload. A firewall that permits echo requests and replies so
that ping works therefore also passes whatever is tunneled inside them.
One tool that is effective at performing this type of task is Loki, which tunnels commands
within ICMP echo packets. Other similar tools are ncovert and 007shell, both of which craft
packets that can be used to bypass a firewall.
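The exchange described above, as an added example that is not Loki's or any other tool's code: a client hides a command in the data field of an echo request, a server answers with an echo reply whose data field carries the output, and two cheap checks expose the channel. The MAGIC marker, the message framing and the canned command runner are constructed for this demonstration; nothing is executed or sent on the wire.

```python
"""ICMP echo as a covert channel, and two checks that expose it.

Added example, not Loki's or any other tool's code. The framing (a MAGIC
prefix, command in the request data, output in the reply data) is invented
for this demonstration; the command runner is a constructed stub.
"""
import struct
from typing import Callable, Optional, Tuple

ECHO_REPLY, ECHO_REQUEST = 0, 8
MAGIC = b"TUNL"                       # constructed marker for tunnel traffic
# Data that stock ping clients send: Windows uses a fixed 32-byte alphabet,
# Linux iputils sends an 8-byte timestamp followed by bytes 0x10, 0x11, ...
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def internet_checksum(data: bytes) -> int:
    """RFC 1071 checksum; over a whole ICMP message with its checksum field
    included it evaluates to zero when the message is intact."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo(kind: int, ident: int, seq: int, data: bytes) -> bytes:
    """Echo request/reply: type, code 0, checksum, identifier, sequence, data."""
    hdr = struct.pack("!BBHHH", kind, 0, 0, ident, seq)
    csum = internet_checksum(hdr + data)
    return struct.pack("!BBHHH", kind, 0, csum, ident, seq) + data


def parse_icmp(pkt: bytes) -> Tuple[int, int, int, bytes]:
    """Return (type, identifier, sequence, data); reject a corrupted message."""
    if internet_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    kind, _code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    return kind, ident, seq, pkt[8:]


def tunnel_request(command: str, ident: int = 0xBEEF, seq: int = 1) -> bytes:
    """Client side: hide a command in the data field of an echo request."""
    return icmp_echo(ECHO_REQUEST, ident, seq, MAGIC + command.encode())


def tunnel_server(pkt: bytes, run: Callable[[str], str]) -> Optional[bytes]:
    """Server side: answer tagged requests with an echo reply carrying the
    command output; ordinary pings are ignored (the real stack answers them)."""
    kind, ident, seq, data = parse_icmp(pkt)
    if kind != ECHO_REQUEST or not data.startswith(MAGIC):
        return None
    output = run(data[len(MAGIC):].decode())
    return icmp_echo(ECHO_REPLY, ident, seq, MAGIC + output.encode())


def is_stock_ping_data(data: bytes) -> bool:
    """True if the data matches what an unmodified Windows or Linux ping sends."""
    if data == WINDOWS_PING_DATA:
        return True
    linux_pattern = bytes((0x10 + i) & 0xFF for i in range(len(data) - 8))
    return len(data) >= 8 and data[8:] == linux_pattern


def looks_like_tunnel(request: bytes, reply: bytes) -> bool:
    """Two detections: request data no stock ping would send, and a reply whose
    data does not mirror the request even though RFC 792 requires it to."""
    _, rid, rseq, rdata = parse_icmp(request)
    _, pid, pseq, pdata = parse_icmp(reply)
    same_exchange = (rid, rseq) == (pid, pseq)
    return (not is_stock_ping_data(rdata)) or (same_exchange and pdata != rdata)


if __name__ == "__main__":
    canned = {"id": "uid=0(root) gid=0(root)"}       # constructed stub, runs nothing
    req = tunnel_request("id")
    rep = tunnel_server(req, lambda cmd: canned[cmd])
    print("reply data:", parse_icmp(rep)[3])
    print("flagged as tunnel:", looks_like_tunnel(req, rep))
```

The second check is the stronger one for a detection engineer: a stock ping reply must echo the request data byte for byte, so an IDS that pairs requests with replies by identifier and sequence number catches a tunnel even when the attacker pads the request to look like a normal ping.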
Using ACK Tunneling
Pursuing a variation on a theme, you can also use ACK tunneling to bypass the scrutiny of a
firewall. ACK tunneling exploits the fact that some stateless packet filters do not inspect
packets that have the ACK bit set. The reason for this lapse is that an ACK segment is taken to
be a response to previous, and assumed legitimate, traffic that has already been approved; a
filter that keeps no connection table cannot tell an unsolicited ACK from one that belongs to
an established session.
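The following added example (not code from the chapter) contrasts the two filter designs the paragraph describes: a stateless rule set that admits any inbound segment with ACK set, and a stateful filter that admits an ACK only if it matches a connection it has seen opened. Segments are modelled as a small dataclass rather than raw packets, and the addresses, ports and allowed-port policy are constructed for the demonstration.

```python
"""ACK tunneling against a stateless filter versus a stateful one.

Added example, not from the chapter. Segments are modelled as a dataclass;
the allowed-port policy and all addresses are constructed for the demo.
"""
from dataclasses import dataclass
from typing import FrozenSet, Set, Tuple

SYN, ACK = 0x02, 0x10
ALLOWED_INBOUND_PORTS = {80, 443}      # constructed policy: a web server inside


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool      # True when arriving from the Internet side

    def flow(self) -> FrozenSet[Tuple[str, int]]:
        """Direction-independent key identifying the connection."""
        return frozenset({(self.src, self.sport), (self.dst, self.dport)})


def stateless_filter(seg: Segment) -> str:
    """Classic ACL. Inbound SYNs are limited to allowed ports, but any inbound
    segment with ACK set is assumed to answer traffic that was already approved.
    That assumption is the hole ACK tunneling walks through."""
    if not seg.inbound:
        return "ALLOW"
    if seg.flags & ACK:
        return "ALLOW"                  # no memory of whether a session exists
    if seg.flags & SYN and seg.dport in ALLOWED_INBOUND_PORTS:
        return "ALLOW"
    return "DROP"


class StatefulFilter:
    """Keeps a table of connections it has seen opened; an ACK that matches no
    entry is unsolicited and dropped, whatever its flags claim."""

    def __init__(self) -> None:
        self.connections: Set[FrozenSet[Tuple[str, int]]] = set()

    def check(self, seg: Segment) -> str:
        if seg.flow() in self.connections:
            return "ALLOW"
        opening = bool(seg.flags & SYN) and not (seg.flags & ACK)
        if opening and (not seg.inbound or seg.dport in ALLOWED_INBOUND_PORTS):
            self.connections.add(seg.flow())    # outbound SYN, or inbound to a served port
            return "ALLOW"
        return "DROP"


if __name__ == "__main__":
    # Constructed covert segment: ACK-only, aimed at an unlisted port inside.
    covert = Segment("203.0.113.5", 40000, "10.0.0.7", 4444, ACK, True)
    fw = StatefulFilter()
    print("stateless:", stateless_filter(covert))   # ALLOW
    print("stateful: ", fw.check(covert))           # DROP
```

The stateful filter still passes a legitimate handshake (an outbound SYN followed by the inbound SYN/ACK), so the fix costs nothing for real sessions; it only removes the free pass that the ACK bit used to buy.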