Subject: Re: Fooling NIDS
From: Jon Gary (jgary@CLICKTOSECURE.COM)
Date: Tue Dec 05 2000 - 14:09:57 CST


I've been involved in discussions about this sort of behavior before, and
the consensus usually is that attackers _really_ do not want to be noticed
at all. They don't want any alarms, false or otherwise. The problem is
that as soon as an attacker sets off an alarm, they increase the likelihood
that they can be identified, and that is exactly what they don't want.
Also, it seems to me that this sort of thing would not greatly increase the
chances of breaking into a system. A well-planned attack scenario should
take only a few seconds, which is not enough time for a sysadmin to take any
preventative measures anyway. A promiscuous NIDS is much better at
detecting attacks in progress than defeating them anyway. There are some
products that can adjust your firewall/router settings, etc.; but for the
most part, they just detect.

Essentially, the decoy approach would be useful only in rare cases, and I've
never seen nor heard of any attempts like this.

Jon Gary
ClickToSecure Labs
http://www.clicktosecure.com

-----Original Message-----
From: Focus on Intrusion Detection Systems
[mailto:FOCUS-IDS@SECURITYFOCUS.COM]On Behalf Of Matías Bevilacqua
Sent: Tuesday, December 05, 2000 7:44 AM
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: Fooling NIDS

This idea has just occurred to me (10 sec., so don't blame me for it). Has
someone seen in the wild attackers fooling NIDS systems just to get security
personnel running from host to host while silently compromising other systems
while the sec. guys are occupied?

I'm talking about something like nmap's -D option. Make 20 alarms jump
while you're randomly hacking at one of those machines. Sure, you'll gain
some time to conceal your traces.

What about setting off 1000 alarms just for fun? Could we coin that as ADoD
(Admin DoS)?
Has someone seen this out there?

See-ya.
Mat.
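The flood Matías describes (nmap -D style decoys, or 1000 alarms "just for fun") only works as an admin DoS if every alert becomes its own chase. The script below is an added example, written for this archive page and not code from either poster or from any NIDS product, showing the correlation a defender would want in front of the console: alerts that share a target, a signature and a short time window, but come from many different sources, are collapsed into one "probable decoy scan" incident instead of twenty tickets. The alert line format and the sample alerts are constructed for the example; real sensors log differently, but the grouping logic is the same. Note that the source list of such an incident cannot be trusted to name the attacker: with nmap -D the real address is normally mixed in with the spoofed decoys, and nothing in the alerts says which one it is.

```python
"""Collapse a decoy-scan alert burst into a single incident.

Added example for the "Fooling NIDS" thread; not code from the original
posters or from any product.  Assumed, simplified alert format:
    <epoch_seconds> <src_ip> <dst_ip> <signature>
"""
from collections import defaultdict

# Constructed sample alerts (not real data).  Seven "sources" hit one host
# with the same signature inside two seconds, which is the shape an
# nmap -D decoy scan leaves on a signature NIDS.  The last line is an
# unrelated event and must not be merged into that burst.
SAMPLE_ALERTS = """\
975000000 198.51.100.11 192.0.2.10 SCAN TCP SYN sweep
975000000 198.51.100.12 192.0.2.10 SCAN TCP SYN sweep
975000001 198.51.100.13 192.0.2.10 SCAN TCP SYN sweep
975000001 198.51.100.14 192.0.2.10 SCAN TCP SYN sweep
975000001 198.51.100.15 192.0.2.10 SCAN TCP SYN sweep
975000002 198.51.100.16 192.0.2.10 SCAN TCP SYN sweep
975000002 198.51.100.17 192.0.2.10 SCAN TCP SYN sweep
975000400 203.0.113.7 192.0.2.20 WEB-MISC /etc/passwd request
"""


def parse_alerts(text):
    """Parse the assumed alert format into (ts, src, dst, sig) tuples."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, sig = line.split(None, 3)
        alerts.append((int(ts), src, dst, sig))
    return alerts


def cluster_decoys(alerts, window=10, min_sources=5):
    """Group alerts by (dst, sig), then slice each group into time windows.

    A window holding at least `min_sources` distinct source addresses is
    reported as ONE incident: many sources firing the same signature at
    the same target within a few seconds is the shape of a decoy scan,
    not of many independent attackers.  Smaller windows are passed
    through unchanged, one incident per alert.  The `sources` list of a
    decoy incident is NOT evidence of who the attacker is; with nmap -D
    the real scanner is normally one of them, but the alerts cannot tell
    which, so the incident is the unit to chase, not each address.
    """
    groups = defaultdict(list)
    for ts, src, dst, sig in alerts:
        groups[(dst, sig)].append((ts, src))

    incidents = []
    for (dst, sig), events in groups.items():
        events.sort()
        i = 0
        while i < len(events):
            start = events[i][0]
            j = i
            while j < len(events) and events[j][0] - start <= window:
                j += 1
            batch = events[i:j]
            sources = sorted({src for _, src in batch})
            if len(sources) >= min_sources:
                incidents.append({
                    "kind": "probable_decoy_scan",
                    "dst": dst, "sig": sig,
                    "start": start, "end": batch[-1][0],
                    "sources": sources,
                })
            else:
                for ts, src in batch:
                    incidents.append({
                        "kind": "single", "dst": dst, "sig": sig,
                        "start": ts, "end": ts, "sources": [src],
                    })
            i = j
    incidents.sort(key=lambda inc: inc["start"])
    return incidents


def triage_counts(text, **kw):
    """Return (raw alert count, incident count after clustering)."""
    alerts = parse_alerts(text)
    return len(alerts), len(cluster_decoys(alerts, **kw))


if __name__ == "__main__":
    for inc in cluster_decoys(parse_alerts(SAMPLE_ALERTS)):
        print(inc["kind"], inc["dst"], inc["sig"],
              len(inc["sources"]), "source(s)")
    print("raw vs. clustered:", triage_counts(SAMPLE_ALERTS))
```

On the constructed input the eight raw alerts become two incidents: one probable decoy scan against 192.0.2.10 with seven listed sources, and the single /etc/passwd request, which is the one an analyst should actually look at first. Tune `window` and `min_sources` to the sensor; setting `min_sources` above the burst size (8 here) turns clustering off and yields the original eight tickets.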