
Stonesoft Corporation International Headquarters
Itälahdenkatu 22 A, FI-00210 Helsinki, Finland
tel. +358 9 4767 11 | fax. +358 9 4767 1349
www.stonesoft.com

Stonesoft Inc. Americas Headquarters
1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA
tel. +1 866 869 4075 | fax. +1 770 668 1131

Advanced Evasion Techniques

New Methods and Combinatorics for Bypassing Intrusion Prevention Technologies

Mark Boltz, Mika Jalava, Jack Walsh (ICSA Labs)

Stonesoft Corporation

Research Paper Advanced Evasion Techniques page 2

Table of Contents
Abstract 3
The Authors 3
Network Security 4
Role of Intrusion Detection and Prevention 5
Evasions 6
Networking Standards 6
Evasion Research 6
Normalization 7
Advanced Evasion Techniques 8
Conclusion 9
ICSA Labs Research Contribution 9
References 11


Abstract
The complexity of today’s network environments presents challenges to managing information security systems. Intrusion detection and prevention systems (IPS) provide protection, particularly to systems that must be left vulnerable because they cannot be updated without adverse risks. For almost as long as there has been IPS technology, there have been attempts to evade detection by such systems. However, the evasion techniques used by criminals and other bad actors have most likely been limited to a handful of well-known techniques. Stonesoft found evasion techniques that extend earlier research to include a new set of techniques, and combinations of the prior techniques. Together, these advanced evasion techniques (AETs) prey upon protocol weaknesses and the permissive nature of network-based communication, exponentially increasing the number of evasions that can bypass even the most up-to-date IPS technologies.

The Authors
Mark Boltz is a senior solutions architect with Stonesoft Corporation. He has over 20 years of experience in information technology, with over 18 years specializing in network security. He holds CISSP and CISA certifications, and is pursuing a master’s degree in information technology.

Mika Jalava is the chief technical officer (CTO) of Stonesoft Corporation.

Jack Walsh is Anti-SPAM and Network IPS Program Manager for ICSA Labs, an independent division of Verizon Business.


Network Security
Security in computer networks depends on a surprisingly large number of factors. This is true even if we limit our scope to defending against active, network-based attacks. The variety of controls that network, server, and security administrators must understand and correctly use to defend their organizations against an evolving threat landscape can be intimidating. Networking devices, server operating systems and applications must be up to date and correctly configured. Access controls must be properly applied. The network must be segmented to provide protection and minimize the damage that may result from possible compromise. Firewall rules must allow only the services required by the organization. Logs from all the systems should be centrally collected, stored and analyzed for anomalous or unexpected behavior. Payment card and personal information must be protected according to the internal security policy as well as external compliance requirements.

While all organizations may attempt to follow the steps above as well as other best practices, their network topology may preclude them from doing all that is in their best interest. Dynamic and poorly designed network services may not allow strict segmentation and firewall policies. Organizations, such as many industrial networks, may be limited in terms of what updates can be made to operating systems due to support for legacy software and protocols. The sheer volume of patches and new versions for operating systems and applications, as well as their mutual compatibility, may limit the organization’s ability to adequately test them and keep pace.


Role of Intrusion Detection and Prevention
To complement the fundamentally static, although ever-evolving, protection provided by network firewalls, intrusion detection (IDS) and prevention systems (IPS) have been deployed. IDS and IPS technology help to mitigate concerns organizations have about the aforementioned issues. Unlike a firewall with its set of security policy rules that allow or disallow packets depending on their source, destination, protocol and other properties, IDS and IPS devices promise to inspect and allow all traffic to pass as long as no threat is detected. If a malicious connection is attempted, these devices will either alert the administrator (in the case of an IDS), or drop the connection (in the case of an IPS). The techniques used by these inspection-based security devices vary, but usually include protocol analysis and attack signatures that detect predetermined patterns in the network traffic caused by malicious exploits of vulnerabilities in one of the communicating systems.

The number of known exploits and vulnerabilities is large and continues to grow rapidly. Thankfully, the inspection capabilities of IDS and IPS products are also evolving quickly. Generally, when a new enterprise-relevant exploit is discovered, detection methods are implemented in the inspection devices within a few days, even hours. Because they may be similar to others, some exploits may be detected and prevented with prior analytic capabilities.

Figure 1: Basic Intrusion Prevention. The IPS inspects and disallows illegitimate packets.

Figure 2: Basic Intrusion Detection. The IPS inspects and reports illegitimate and suspicious packets.


Evasions
What if the target system is vulnerable to an enterprise-relevant exploit, but the attacker cannot get his or her attack delivered because of a network-based detection system? Enter the evasion technique. The development of evasion techniques, or just evasions for short, has not gone unnoticed by those willing to misuse network resources. Evasions alter the attacker’s question from, “How do I hack the destination system?” to “How do I hack the system unnoticed?”

Networking Standards
TCP/IP, the protocol suite used on the Internet and the vast majority of all computer networks, is based on the requirements from RFC 791, which was written in 1981. Among other things, the RFC says, “In general, an implementation must be conservative in its sending behavior, and liberal in its receiving behavior. That is, it must be careful to send well-formed datagrams, but must accept any datagram that it can interpret (e.g., not object to technical errors where the meaning is still clear)” (Postel, 1981, p. 23). That means there will be multiple ways to form messages that will be interpreted identically by the receiving host. While this permissive stance was intended to make interoperability between systems as reliable as possible, it at the same time paved the way for a number of attacks and ways to hide those and other attacks from detection.

As different operating systems and applications behave in different ways when receiving packets, the destination host’s application may see something quite different from what was in the network traffic. Also, the network itself between the detection system and the host may alter the traffic. By carefully exploiting these differences, in many cases it is possible to construct packets in a way that looks normal and safe, but when interpreted by the end host, forms an exploit against it. In general, these techniques are called evasions.

Evasion Research
Evasion research took off in the late 1990s. In their 1998 paper, Newsham and Ptacek presented a number of techniques that could be used to effectively evade detection systems. Since then, the area has had little new research and appeal to either security vendors or adversaries in the “black hat community”.

One of the basic evasion techniques outlined by Newsham and Ptacek is centered on the challenges of IP fragmentation. IP fragmentation is also specified in RFC 791, and is required to ensure interoperability between systems and to handle the varying network topologies in between (Postel, 1981). In IP fragmentation evasions, the attacker takes advantage of the reassembly process, for example by scrambling fragments out of order or by overwhelming the IPS with too many fragments. They caution, “an IDS that does not properly handle out-of-order fragments is vulnerable; an attacker can intentionally scramble her fragment streams to elude the IDS” (Newsham & Ptacek, 1998). Furthermore, IDS systems are challenged by the fact “that received fragments must be stored until the stream of fragments can be reassembled into an entire IP datagram” (Newsham & Ptacek, 1998). The conclusion is that IDS and IPS architectures have to compensate for all the possible ways that the target system can potentially re-assemble the fragments, and the IPS has to cover all possibilities. If the IPS can’t buffer enough fragments before applying signatures, or determine the possible re-sequencing, it no longer has the appropriate context, thus “rewriting the stream on the IDS” (Newsham & Ptacek, 1998). We refer to the change in context between the IPS and the target system as “state de-synchronization”.

“If we knew what we were doing, it wouldn’t be called research.”
Albert Einstein

Other evasions already covered in their work in 1998 include various techniques involving IP options, TCP options, and TCP sequencing. These are covered in detail in their paper and are noted here to provide further background into the age of these evasion techniques.

Many of the evasion techniques presented in that paper from 1998 are still effective against today’s IPS systems. This surprising fact should give you some idea about the level of interest and attention that evasions have so far received among security vendors. Laboratories involved in certification testing of security devices, such as ICSA Labs, have included a number of evasions in their IPS test suites. However, because the number of new vulnerabilities and exploits is so overwhelming, the payoff for the attacker has been sufficiently high. This results in continued use of the latest exploits rather than attacks in conjunction with evasions to bypass network security protections.

Normalization
While security devices providing inspection services need to match attack signatures to the information being seen by the target host, they cannot simply observe the network traffic packet by packet. Similarly, it is not enough for security devices to place packets in the correct order and reassemble any fragments. Security devices must consider other possibilities like packets not received by the end host or protocols that can be decoded in multiple ways.

The mechanism for handling this is called normalization, and was suggested in research from Handley and Paxson in 1999 and expanded in 2001. It is a task very much complicated by the policy set forth in RFC 791. Although the standard requires the sending host to be conservative, it is unreasonable to expect anything of the kind from malicious users. Also, while the target hosts are required by RFC 791 to be liberal in their receiving behavior, the further standards actually defining what this means are often ambiguous and simply allow too much variation. Handley and Paxson add that “network traffic unfortunately often includes a non-negligible proportion of highly unusual, but benign, traffic that will often result in false positives concerning possible evasion attempts” (2001). And if different operating systems decode a given message in different ways, it is difficult for a security device to make correct decisions as a result of the normalization process.
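The following added example (not code from the paper or from Stonesoft) models both the state de-synchronization described in the Evasion Research section and the normalizer response discussed above: the same overlapping fragment set reassembles to different datagrams under two simplified overlap policies, so a signature engine and the end host can disagree, and a normalizer that reassembles and drops inconsistent overlaps (the approach Handley and Paxson propose) removes the ambiguity before inspection. The policy names, the signature and the fragment sets are constructed for illustration, not taken from any real stack or product.

```python
# Added example, not code from the paper or from Stonesoft. Fragments are
# (offset, payload) pairs of one datagram, listed in arrival order. The two
# overlap policies are simplified illustrations with hypothetical names; real
# stacks have more elaborate rules.

SIGNATURE = b"EVIL"  # constructed attack pattern the inspection engine matches on


def reassemble(frags, policy):
    """Reassemble fragments in arrival order.

    policy == "first": a contested byte keeps the value that arrived first.
    policy == "last":  a contested byte takes the most recently arrived value.
    Bytes never covered by any fragment are returned as NUL.
    """
    total = max(off + len(data) for off, data in frags)
    buf, seen = bytearray(total), bytearray(total)
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if seen[pos] and policy == "first":
                continue  # keep the earlier value for this byte
            buf[pos], seen[pos] = byte, 1
    return bytes(buf)


def matches(frags, policy):
    """Would a signature engine using this reassembly policy flag the datagram?"""
    return SIGNATURE in reassemble(frags, policy)


def normalize(frags):
    """Normalizer step: reassemble, and refuse inconsistent overlaps.

    If two fragments cover the same byte with different values, the IPS cannot
    know which value the host will use, so the datagram is dropped (None).
    Otherwise the single unambiguous datagram is returned; every downstream
    reassembly policy then decodes it identically.
    """
    total = max(off + len(data) for off, data in frags)
    buf, seen = bytearray(total), bytearray(total)
    for off, data in frags:
        for i, byte in enumerate(data):
            pos = off + i
            if seen[pos] and buf[pos] != byte:
                return None  # conflicting overlap: ambiguous, drop it
            buf[pos], seen[pos] = byte, 1
    return bytes(buf)


# Constructed fragment set: a benign-looking datagram arrives first, then a
# smaller fragment overwrites four bytes in the middle of it.
EVASIVE = [(0, b"GET /safe.txt"), (5, b"EVIL")]
# Constructed benign retransmission: the overlapping bytes are identical.
RETRANSMIT = [(0, b"GET /safe"), (4, b"/safe.txt")]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(EVASIVE, policy), matches(EVASIVE, policy))
    print("normalized evasive:", normalize(EVASIVE))
    print("normalized retransmit:", normalize(RETRANSMIT))
```

An engine using the "first" policy sees a benign request while a host using the "last" policy sees the signature; the normalizer instead rejects the conflicting datagram and passes only the consistent retransmission.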


Advanced Evasion Techniques
At Stonesoft, our vulnerability research team has been deeply involved in improving our products, including the IPS. Disappointing test results with some existing evasions forced us to shift the team’s emphasis towards evasion research. Comprised of experienced security professionals, the vulnerability research team was not satisfied merely by making the required fixes. They delved much deeper into the realm of evasions, and were quite surprised by the potential security risks that they found hidden there.

The team’s findings indicate that there are many more ways to desynchronize an IPS from network traffic with evasion techniques than had heretofore been publicly known. What that means is that the IPS has a different understanding of the protocol state from what the target host has. Because some of the methods discovered are rather simple, Stonesoft was initially quite worried that these evasions may well have already been discovered and actually used by criminals, unbeknownst to the existing crop of commercial IPS devices and the organizations where they are deployed. Other evasions are significantly more complicated, but nevertheless just as practical and effective.

What may have slowed down evasion research is the fact that many of the attack and evasion tools have been limited by standard operating systems and their TCP/IP stacks. The limitations are to be expected, as these systems are supposed to follow the conservative sending behavior requirement. Freeing themselves from these limitations with special low-level tools, including TCP/IP stacks having greatly increased flexibility, the Stonesoft researchers soon discovered dozens of potential evasions. Testing these against a number of existing IPS and similar systems, Stonesoft also found that the techniques effectively evaded detection.

The new evasions mostly build on well-known principles of de-synchronizing detection systems relying on the network view of the traffic, from the target host’s perspective. Although the objective is the same, the methods vary. Evasion possibilities have been found on IP and transport (TCP, UDP) layers as well as on application layer protocols, including but not limited to SMB and RPC protocols. Although we cannot disclose the details of the advanced evasion techniques during the vulnerability coordination process led by CERT-FI, the validity of the findings has been verified through independent tests performed by ICSA Labs (see contribution note after the conclusion). The technical community will be provided further details on the techniques as soon as it is safe and responsible to do so.

The effectiveness of the detection process, including normalization, is limited by the fact that the evasion methods can be combined. Unhindered by the operating system’s limitations on sending malformed packets to the network, any modifications and combinations thereof can be easily tested in Stonesoft’s laboratory environment against vulnerable host systems in conjunction with either a commercial IPS or other security devices (e.g., a network firewall). It is clear that these new evasions, along with the new ways to utilize them, add new requirements to the normalization process. It is no longer possible to rely on low-level normalization only at the IP and transport layers as an increasing number of evasions show up at the application layer targeting multiple protocols.

“There are no rules here. We’re trying to accomplish something.”
Thomas Edison


Conclusion
The Stonesoft research team discovered the new evasion techniques in a lab environment rather than while investigating nefarious activities on the Internet. However, this does not mean that criminals or other bad actors had not already discovered and possibly been using these evasions against real world targets. After all, a large percentage of information security incidents actually go unnoticed. And according to the Verizon Business 2010 Data Breach Investigations Report, approximately 20% of incidents involving malware detected have an “unknown” component for the infection vector (Baker, et al., 2010). Whether or not and to what extent this may have been a result of advanced evasion techniques is of course impossible to say. It is quite probable though, especially in the more advanced, targeted attacks, that unknown evasion tools may be in use. Stonesoft has found that it is possible to evade many, if not all, commercially available IPSs and certainly all that have been tested. Given their architecture, not all of them will be easily fixed.

Most of the network security threats, and almost all serious ones, are caused by criminals motivated by money. As the rewards may be very high, the motivation to invest in the attacks and evasions certainly exists. These facts then beg some obvious questions: Why haven’t more security vendors continued from where the last set of published research left off? Is the problem too difficult to tackle with the current security device architectures?

Looking at the past, the main selling points and comparison metrics for security devices have been throughput performance and price. Yet the actual reason for inspection-based security devices is protection. It is curious then that the accuracy of inspection and efficiency of responses to detected attacks and evasions has been neglected by security vendors. While throughput is an important factor, it is still secondary to the security functionality – or ought to be. Perhaps some security vendors believe that selling fast systems with seriously limited security functionality is too lucrative to risk by researching and resolving threats such as the evasions found by Stonesoft, as they cannot be easily detected with performance-optimized systems.

ICSA Labs Research Contribution
For over 20 years ICSA Labs has tested hundreds of computer and network security products. During that time ICSA Labs has helped ensure that enterprise end users get the best possible protection as a result of rigorous, independent, third party testing of anti-virus, anti-spam, network intrusion prevention, firewall, FIPS-140, USGv6, SSL, IPsec, and many other kinds of products. It’s not surprising then that Stonesoft contacted ICSA Labs to verify its research into the newly-found advanced evasion techniques (AETs).

Through the use of video conferencing equipment, Stonesoft demonstrated its findings to ICSA Labs. Stonesoft had packaged the evasions into an internal tool called Predator, and ICSA Labs watched as attacks using the newly discovered advanced evasions successfully passed through IPS devices that were capable of detecting the original attack. Long proponents of responsible disclosure, Stonesoft and ICSA Labs then formulated a plan that would permit ICSA Labs to test the AETs while allowing the Predator tool and its evasion-related code to remain safely confined to Stonesoft’s research lab in Finland.


Following the video conferencing demonstration of the Predator tool and some of the evasion techniques, Stonesoft delivered traffic packet captures that their research team had created using the tool – the same packet captures that CERT-FI made available to affected network security vendors. Vulnerability experts at ICSA Labs analyzed and confirmed that many of the evasions in those captures belonged to a new class of evasions not previously seen in public. ICSA Labs then confirmed, by properly replaying the traffic captures, that the attacks disguised by the AETs were not detected by several well-known intrusion prevention systems.

But to truly verify the AETs could evade detection and compromise systems, ICSA Labs needed a way for themselves to combine the AETs with actual attacks and launch them against vulnerable systems. To do so, ICSA Labs and Stonesoft set up a virtual private network (VPN) tunnel between Stonesoft’s Helsinki, Finland headquarters and ICSA Labs’ Mechanicsburg, Pennsylvania testing laboratory. ICSA Labs used the VPN connection to access the Predator tool’s graphical user interface. Picking and choosing from the Predator tool’s many options, ICSA Labs was able to launch attacks coupled with the new AETs through several IPS devices against a vulnerable system. Of the dozen-or-so new evasions tested, ICSA Labs was able to confirm that many of the stealthy attacks passed through one or more of the tested commercial IPS devices undetected and successfully compromised the vulnerable systems.


References
Baker, W., Goudie, M., Hutton, A., Hylender, C., Niemantsverdriet, J., Novak, C., Ostertag, D., Porter, C., Rosen, M., Sartin, B., Tippett, P. (2010). Verizon 2010 Data Breach Investigations Report. Verizon Business. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf

Caswell, B., Moore, H. D. (2006). Thermoptic Camouflage: Total IDS Evasion. Proceedings of the BlackHat Conference. Retrieved from www.blackhat.com/presentations/bh-usa-06/BH-US-06-Caswell.pdf

Chien, E., Falliere, N., Murchu, L. O. (2010). W32.Stuxnet Dossier. Symantec Security Response. Retrieved from http://www.wired.com/images_blogs/threatlevel/2010/10/w32_stuxnet_dossier.pdf

Gorton, S. A., Champion, T. G. (2003). Combining Evasion Techniques to Avoid Network Intrusion Detection Systems. Skaion Corporation. Retrieved from http://www.skaion.com/research/tgc-rsd-raid.pdf

Handley, M., Kreibich, C., Paxson, V. (2001). Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-end Protocol Semantics. In Proceedings of the 10th USENIX Security Symposium. Vol. 10. Berkeley, CA: USENIX Association. pp. 115-131. Retrieved from http://www.usenix.org/events/sec01/full_papers/handley/handley.pdf

Jang, Jong-Soo, Jeon, Yong-Hee, Oh, Jin-Tae, Park, Sang-Kil. (2007). Detection of DDoS and IDS Evasion Attacks in a High-Speed Networks Environment. In International Journal of Computer Science and Network Security. Vol. 7, No. 6. Retrieved from http://paper.ijcsns.org/07_book/200706/20070617.pdf

Newsham, Timothy N., Ptacek, Thomas H. (1998). Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Secure Networks, Inc. Retrieved from http://insecure.org/stf/secnet_ids/secnet_ids.html

Pazos-Revilla, M. FPGA based fuzzy intrusion detection system for network security. M.S. dissertation, Tennessee Technological University, United States -- Tennessee. Retrieved from Dissertations & Theses: Full Text. (Publication No. AAT 1480256).

Postel, J. (1981). RFC 791: Internet Protocol. DARPA Internet Program Protocol Specification. Internet Engineering Task Force. Retrieved from http://datatracker.ietf.org/doc/rfc791/

Copyright 2010 Stonesoft Corporation. All rights reserved. All specifications are subject to change.


About Stonesoft

Stonesoft Corporation (NASDAQ OMX: SFT1V) is an innovative provider of integrated network security solutions to secure the information flow of distributed organizations. Stonesoft customers include enterprises with growing business needs requiring advanced network security and always-on business connectivity.

The StoneGate™ secure connectivity solution unifies firewall, VPN, IPS and SSL VPN, blending network security, end-to-end availability and award-winning load balancing into a unified and centrally managed system. The key benefits of the StoneGate secure connectivity solution include low TCO, excellent price-performance ratio and high ROI. The virtual StoneGate solution protects the network and ensures business continuity in both virtual and physical network environments.

StoneGate Management Center provides unified management for StoneGate Firewall with VPN, IPS, and SSL VPN. StoneGate Firewall and IPS work together to provide intelligent defence all over the enterprise network while StoneGate SSL VPN provides enhanced security for mobile and remote use.

Founded in 1990, Stonesoft Corporation is a global company with corporate headquarters in Helsinki, Finland and Americas headquarters in Atlanta, Georgia. For more information, visit www.stonesoft.com.