From: Shashank Rai (shashrai_at_emirates.net.ae)
Date: Sun Jan 26 2003 - 22:17:49 CST
On Fri, 2003-01-24 at 21:38, Ralph Los wrote:
> First off, as the email mentions below, the attacker can just simply hack his stack to ignore the
> resets...hey, it's possible.
Possible, but will not be effective (of course depending upon the IDS one
has). For example, in the case of ISS, the IDS sends a RST packet to the attacker
as well as the target. Hence, even if the attacker ignores the RST and
continues to send packets, the target will not be responding to it,
because for it the connection has already been broken.
> Also, TCP-Resets can create a storm of packets
> between your attacker and your IDS, effectively decreasing the effectiveness
> of the IDS you have.
Well, this is exactly what "stick" does. It creates a "storm of
packets". I have personally played with this tool against ISS and CISCO
IDS (Netranger ??). The idea was to send attacks specific to the target
along with this storm. It worked well with the CISCO IDS and it did
allow certain attacks to get through, but it was useless against ISS
(of course this also depends upon a lot of other factors, such as how big
the pipe you are attacking from is, and how big the pipe the target is sitting
on is). And, during this primitive IDS evasion technique there was hardly
any difference in the normal functionality of the target.
But as I mentioned earlier, if you are on a fatter pipe than the target,
you can easily choke it up with the packet flood.
> Just my personal, very humble opinion
> Ralph
my $0.2 :)
--
shashank
+------------------------------------------------------------------------+
 How much net work could a network work, if a network could net work?
+------------------------------------------------------------------------+