[25148] in bugtraq
fragroute vs. snort: the tempest in a teacup
daemon@ATHENA.MIT.EDU (Dragos Ruiu)
Thu Apr 18 20:29:45 2002
Date: Wed, 17 Apr 2002 23:11:54 +0000
From: Dragos Ruiu <dr@dursec.com>
To: bugtraq@securityfocus.com, snort-users@lists.sourceforge.net,
pen-test@securityfocus.com
Cc: dugsong@monkey.org, roesch@sourcefire.com, 0xcafebabe@hushmail.com
Message-Id: <20020417231154.18b08cf0.dr@dursec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Just a quick follow-up to the fragroute alarmism (which I see has
prompted Mr. James Middleton at vnunet to write a news story
"Evasion tool puts Snort's nose out of joint" :-). First, this
is not a Snort-only issue, as I would wager other IDSes have as
many if not more evasion modes, as well as sharing these with Snort...
But upon further analysis, this issue is a bit of a tempest in
a teacup, as the vast majority of these attack obfuscations, particularly
the IP fragmentation ones, are not a real threat in practice, because
they are not actually usable in real networks except on vulnerable
bastion hosts. Most firewalls these days (especially Linux and OpenBSD
ones) actually do reassembly inbound. This was an interesting point
discovered recently when it was realized that the Snort defragger was
actually never getting touched at all in some installations. So in
reality these fragroute obfuscations are actually obfuscating things
from the firewall rather than from internal Snort sensors. Which is
just fine, as Snort will see the same traffic as the system being
attacked... and therefore operate properly.
Theo de Raadt coined the best answer for fragrouter in this procedure, a
single word: scrub.
So in practice, the fragment-level obfuscations are usually hidden/scrubbed
from internal Snort sensors by the firewalls... but that's ok because they are
also hidden from most of the target systems too... ;) and therefore the
attack is not of much value or cause for alarm, as it will either be
stripped of obfuscation or broken, and not be a concern or significant
threat.
cheers,
--dr
--
--dr pgpkey: http://dragos.com/dr-dursec.asc
CanSecWest/core02 - May 1-3 2002 - Vancouver B.C. - http://cansecwest.com
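As an added example (not part of Dragos Ruiu's post, nor code from fragroute, Snort or pf), the following Python models the point the message makes about inbound reassembly. It assumes a toy fragment representation with byte offsets (real IPv4 fragment offsets are in 8-octet units), two simplified reassembly policies ("first" and "last" fragment wins on overlap) standing in for the differing behaviour of real stacks, a hypothetical `/cgi-bin/phf` signature, and constructed request fragments. A sensor and a target that reassemble overlapping fragments differently can be split by an evasion; once a normalizing firewall reassembles and forwards a single datagram, both see the same bytes and the overlap trick has nothing left to work on.

```python
"""Toy model of fragment-overlap evasion and of 'scrub'-style normalization.

Added example, not code from the original post or from fragroute/Snort/pf.
Fragments are (offset, data, more) with BYTE offsets and two simplified
reassembly policies; real IP stacks are more varied than "first"/"last".
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset into the original datagram (assumption: bytes, not 8-octet units)
    data: bytes
    more: bool    # IP "more fragments" flag; False marks the final fragment


def reassemble(frags, policy="first"):
    """Reassemble fragments in arrival order into one payload.

    policy="first": the first fragment received for a byte wins (earlier data kept)
    policy="last":  the last fragment received for a byte wins (later data overwrites)
    Raises ValueError on a hole or on conflicting total lengths.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    total = None
    for f in frags:
        for i, b in enumerate(f.data):
            off = f.offset + i
            if policy == "last" or off not in buf:
                buf[off] = b
        if not f.more:
            end = f.offset + len(f.data)
            if total is not None and end != total:
                raise ValueError("conflicting datagram length")
            total = end
    if total is None:
        raise ValueError("no final fragment seen")
    for i in range(total):
        if i not in buf:
            raise ValueError(f"hole in datagram at offset {i}")
    return bytes(buf[i] for i in range(total))


def scrub(frags, policy="first"):
    """Model a normalizing firewall (pf 'scrub' with fragment reassembly):
    reassemble under the firewall's own policy and forward ONE whole datagram."""
    return [Fragment(0, reassemble(frags, policy), False)]


SIGNATURE = b"/cgi-bin/phf"   # hypothetical signature for the example


def sees_attack(frags, policy):
    """True if a stack using `policy` ends up with the signature in the payload."""
    return SIGNATURE in reassemble(frags, policy)


# Constructed traffic: a decoy fragment and the real fragment both claim
# offset 8; the decoy arrives first, so "first" and "last" stacks disagree.
EVASION = [
    Fragment(0, b"GET /cgi", True),
    Fragment(8, b"-bin/saf", True),    # decoy, arrives first
    Fragment(8, b"-bin/phf", True),    # real payload, overlaps the decoy
    Fragment(16, b" HTTP/1.0", False),
]


def demo():
    """Returns (evaded_without_scrub, sensor_and_target_agree_behind_scrub)."""
    # No normalizer: a sensor favouring "first" misses what a target favouring
    # "last" actually receives.
    evaded = (not sees_attack(EVASION, "first")) and sees_attack(EVASION, "last")
    # Behind scrub: one datagram goes through, so sensor and target agree no
    # matter which reassembly policy each of them implements.
    normalized = scrub(EVASION, "last")
    agree = sees_attack(normalized, "first") == sees_attack(normalized, "last")
    return evaded, agree


if __name__ == "__main__":
    print("first-wins :", reassemble(EVASION, "first"))
    print("last-wins  :", reassemble(EVASION, "last"))
    print("scrubbed   :", scrub(EVASION, "last")[0].data)
    print("evaded, agree behind scrub =", demo())
```

Which policy the firewall applies still matters: if `scrub` reassembles with "first" here the decoy wins and the real request never reaches the target either, which is the "stripped of obfuscation or broken" outcome the message describes.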