Information Security all in one place!

Posts tagged “Intrusion detection system

Network Scanning: Concerns and Countermeasures


Network Scanning Concerns and Countermeasures

Daniel Saucier (Student of the InfoSec Industry, March 2012) – Network vulnerability scanning can not be more important than it is, right now in this day and age of internet computing. As technology grows the architectures are not catching up quite as fast as most would like. This article written below assumes you have basic networking knowledge, and assumes no responsibility for actions taken from this article. It’s sole purpose is to educate the savvy portion of the internet community with different protection types and threat preventive measures for today’s networking environments.

Different IP network scanning methods allow you to test and effectively identify vulnerable network components. Here is a list of effective scanning techniques and there applications: These options can be found in most advanced configuration options on most downloadable network scanners.

ICMP scanning and Probing:

>| By launching an ICMP ping sweep, you can effectively identified poorly protected hosts ( as security conscious administrator such as myself, filter inbound ICMP messages) and perform a degree of OS fingerprinting and reconnaissance by analyzing responses to the ICMP probe.

Half-open SYN flag TCP port scanning:

>| A SYN port scan is often the most effective type of port scan to launch directly against a target IP network space. SYN scanning is very fast, which allows large networks to be scanned rather quickly.

Inverse TCP port scanning:

>| Inverse scanning types (particularly FIN, XMAS, and NULL) take advantage of idiosyncrasies in certain TCP/IP stack implementations. This scanning type is not useful for large networks. Use this scan type for testing individual host or small network segments‘ security. Make sure your code is as up to date as possible and apply any manual workarounds to protect gear from this type of scan. Some if not all of these type of scans identify weak components because of the cost of business.

Third-party TCP port scanning:

>| Using a combination of vulnerable network components and TCP spoofing, third-party TCP port scans can be effectively launched. Scanning in this fashion has two benenfits: hiding the true source of the TCP scan and assessing the filters and levels of trust between hosts. Although time-consuming to undertake, this can be proved to be very effective when applied correctly.

UDP port scanning:

>| Identifying accessible UDP services can be undertaken easily, only if ICMP type 3 Code 3 (“Destination port unreachable”) messages are allowed back through filtering mechanisms that protect target systems. UDP services can sometimes be used to gather useful data or directly compromise hosts (the DNS, SNMP, TFTP, and BOOTP services in particular). Make sure you are locking these down!!

IDS evasion and filter circumvention:

>| Intrusion detection systems and other security mechanisms can be rendered ineffective by using multiple spoofed decoy hosts when scanning or by fragmenting probe packets using Nmap or fragroute. Filters such as firewalls, routers, and even software (IPsec) can sometimes be bypassed using specific source TCP or UDP port, source routing, or stateful attacks.

Using the different scanning methods mentioned above you can harden you network pretty well, however. Change is always a factor, what if you need to undertake a major network overhaul and start exposing different types of protocols to the network. The following list will help you when considering modifications to your components and minimize risk of re-exposing vulnerable services.

>| This list could be used as a baseline, guideline in some cases on any network configuration.

  1. Filter inbound ICMP message types at the border, or perimeter if you DMZ any servers on any routers and firewalls. This will force an attackers to use full-blown out TCP scans against all of your IP addresses to map effectively.
  2. Filter all outbound ICMP type 3 “unreachable” messages at the edge routers and firewalls to prevent UDP port scanning and firewalking from being effective. Firewalking – process of identifying firewalls in the scanning enumerations
  3. Consider configuring Internet firewalls so they can identify ports scans and throttle the connections accordingly. You can configure such as Check Point, NetScreen, and Watchguard appliances to name a few to prevent fast port scans and SYN floods from being launched against your network. However, this can back fire if the attacker is using a spoofed source address, resulting in DoS. PortSentry as an Open Source option is pretty effective as well in identifying scanns against your network.
  4. Asses the way that your network firewall or IDS devices handle fragmented IP packets by using tools such as fragtest and fragroute. Such devices can be taken down by being flooded with high volumes of fragments being processed. Bring your findings to the vendors attention……
  5. Ensure that your routing and filtering appliances (both routers and firewalls) can’t be bypassed using specific source ports or source routing techniques.
  6. If you run FTP services; ensure that your firewalls aren’t vulnerable to stateful circumvention attacks relating to malformed PORT and PASV commands
  7. If a commercial firewall is being used, ensure the following:
  • Latest code is installed, consider replacement is you can not comply
  • Antispoofing rules have been correctly defined so that the device doesn’t accept packets with private spoofed source addresses on its external interfaces

8.  Investigate the use of reverse proxy services if high security is a must. Fragments and malforms are not getting  by these guys, thus mitigating low level recon.

Wrapping up this article I would like to mention; be aware of your own network configurations and its publicly accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space. It really is surprising how many companies large and small still do not undertake proper scanning exercises.

Happy Hardening!



Question for Hacker or InfoSec Pro….Evading the IDS: UPDATED!

Intrusion Detection System Evasion.

I am in the middle of my CEH training and the topic of IDS (Intrusion Detection Systems) bypassing is on the agenda. Currently I am covering the topic of “Evasion” when it comes to bypassing an IDS.

Evasion is defined as such: You can use evasion methods to bypass IDSs by submitting a packet to the IDS, which will be denied. The packet, however is accepted by the host. However, because the IDS denied the packet, it didn’t verify it’s contents, enabling the illegal packet to obtain access to the host.

This confuses me on two levels.

One, what type of IDS would be used in this case? Allowing a denied packet to go through is a bit of an oxy moron, no? And two, how can the IDS deny a packet it does not verify? Doesn’t the verification come after inspection?

I throw these questions out to you, please be kind and respond. Looking for a detailed example of  how the illegal packet makes it to the host if it is denied.

My previous post above (posted 4 days ago) and the mystery packet that can defy evil? Well it has been demistified and the answer is below: Thanks to a mentor!

An example of one of the potential evasion techniques would be using packets that do not adhere to protocol standards. It is possible for a packet to be crafted in such a way that it will be handled differently by an IDS than by a host. Resulting in the packet being dropped by the IDS, but processed by the client.

Regarding your question, “Allowing a denied packet to go through is a bit of an oxy moron, no?”; an IDS is a passive device that is used to monitor traffic. It will inspect a copy of a packet that is traversing a network, but the IDS is not positioned in the traffic stream and therefore it cannot prevent a packet from reaching its destination. It is an Intrusion Prevention System (IPS) that is an active device positioned in line of the traffic flow and can take active steps to stop an attack, not an Intrusion Detection System (IDS).

Regarding your question, “And two, how can the IDS deny a packet it does not verify?”; A packet that is denied by an IDS would be discarded. Whether the IDS logs the packet activity would depend on how the IDS is configured, and the type of packet that was received. For example, if a packet is deemed to be corrupt or malformed by the IDS it could be simply dropped without logging the event. Since the packet was deemed to be corrupt, the contents would not be inspected by the IDS, but the client may process the packet differently.

Alarm System Sign