[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Burak DAYIOGLU dayioglu at ...287...
Tue Aug 21 03:06:35 EDT 2001

agetchel at ...358... wrote:
> traceroute into your network and determines that he's ten hops away from
> your border router, and receives packets which are resetting his connection
> that have a TTL of fifty-four (a TTL of sixty-four minus ten hops for the
> packet to get to you) then he knows that the IDS is sitting on the other
> side of your border router.  If he bypasses those countermeasures, and is
> still getting resets from a Snort box placed deep within your network, he
> can tell how far into your environment you have your second tier IDS placed.
> An attacker knowing your IDS placement is a "bad thing".

Dynamic routing may result in different TTLs being counted each time, especially
when the distance increases.

Your arguments are true. Counting TTLs to measure exact distance is not
generally accepted, which is one thing I hate.

Gateway systems decrease TTL "at least by one" depending on the time it takes
to process the packet. Still, I argue that exact TTL counting should work because
the processing power of ordinary gateway equipment has improved so much that it
ALWAYS takes less than a second.

Exact TTL counting cannot be used to measure distances in the Internet (because
of the existence of dynamic routing), but it is possible for an IDS to measure
its distance to hosts on the protected domain.

If an IDS can measure its distance from a protected host, it cannot be fooled
any more by TTL games (see Ptacek and Newsham for explanation of the game).

Any counter-arguments to this suggestion? Measuring distances between the NIDS
and the protected hosts is easy if one has a passive fingerprint plug-in with
a good database of fingerprints. (I have one :)

>         Would it be a better solution to have Snort randomly generate the
> TTL of the packet when using FlexResponse?  Say to a number between 64 and
> 255?  This would at least keep the attacker guessing about where your IDS is

Sending RSTs or ICMP errors back to the attacker is meaningless. A skilled
attacker can easily discard such packets and attempt to continue processing.
It is best to send such active-response packets to the protected domain
only to close the protected-end of the communication. However, we know that
there are many people doing the reverse thing so I find your proposition
appropriate. Dynamically changing response packet properties with some
randomness should be an easy trick for Marty.

Phone: +90 312 2103379   Fax: +90 312 2103333
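A worked illustration of the distance-measuring idea discussed in this message, added here as an example; it is neither Snort code nor code posted by the author. It models a NIDS that learns how many router hops separate it from each protected host from the TTL of packets those hosts send (their initial TTL being known from a passive OS fingerprint), and then uses that distance to decide whether an inbound segment will survive to the host or expire on the way, which is the Ptacek and Newsham TTL game. The OS-to-initial-TTL table is a toy stand-in for a fingerprint database, the addresses, hop counts and segments are constructed, and two simplifying assumptions are baked in: every router decrements TTL by exactly one, and the path between NIDS and host is symmetric.

```python
"""Passive NIDS-to-host hop-distance learning and a TTL-insertion check.

Added example, not Snort code and not code from the poster. Everything
below is constructed: OS_INITIAL_TTL is a toy stand-in for a passive
fingerprint database, hosts and hop counts are made up, and the model
assumes each router decrements TTL by exactly one on a symmetric path.
"""
from dataclasses import dataclass

# Conventional initial TTLs of common IP stacks (assumed toy database).
INITIAL_TTLS = (32, 64, 128, 255)
OS_INITIAL_TTL = {"linux": 64, "windows": 128, "openbsd": 255}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int          # TTL as seen on the wire at the NIDS
    payload: str = ""


def infer_initial_ttl(observed_ttl):
    """Guess the sender's initial TTL: the smallest conventional value
    not below what was observed (TTL can only decrease in flight)."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError(f"TTL {observed_ttl} out of range")


def hops_from_nids(observed_ttl, initial_ttl=None):
    """Router hops between the sender and the NIDS (e.g. 64 - 54 = 10)."""
    if initial_ttl is None:
        initial_ttl = infer_initial_ttl(observed_ttl)
    return initial_ttl - observed_ttl


class HostDistanceTable:
    """Hop distance from the NIDS to each protected host, learned from
    the TTL of packets those hosts emit. Their OS is known from the
    fingerprint database, so the initial TTL is known exactly."""

    def __init__(self, os_by_host):
        self.os_by_host = os_by_host   # protected host -> OS name
        self.distance = {}             # protected host -> router hops

    def learn(self, pkt):
        """Update the table from a packet sent by a protected host."""
        os_name = self.os_by_host.get(pkt.src)
        if os_name is None:
            return None
        d = OS_INITIAL_TTL[os_name] - pkt.ttl
        if d < 0:
            raise ValueError("observed TTL exceeds fingerprinted initial TTL")
        self.distance[pkt.src] = d
        return d

    def will_reach(self, pkt):
        """Does an inbound packet with this TTL survive to pkt.dst?
        Each router decrements by one and discards at zero, so the
        packet is delivered only if ttl > distance."""
        d = self.distance.get(pkt.dst)
        if d is None:
            return True   # unknown host: assume delivery (conservative)
        return pkt.ttl > d


def stream_seen_by_host(table, segments):
    """Reassemble only the segments that actually reach the host."""
    return "".join(s.payload for s in segments if table.will_reach(s))


def stream_seen_by_naive_nids(segments):
    """A NIDS that ignores TTL takes every segment at face value."""
    return "".join(s.payload for s in segments)


def demo():
    table = HostDistanceTable({"10.0.0.5": "linux"})
    # Outbound packet from the protected host seen at the NIDS with TTL 62:
    # Linux starts at 64, so the host is two router hops from the NIDS.
    table.learn(Packet("10.0.0.5", "203.0.113.7", 62))
    # Attacker sends three segments; the middle one has a TTL chosen to
    # reach the NIDS but expire before the host (insertion attack).
    segments = [
        Packet("203.0.113.7", "10.0.0.5", 40, "GET /"),
        Packet("203.0.113.7", "10.0.0.5", 1, "index.html"),
        Packet("203.0.113.7", "10.0.0.5", 40, "cgi-bin/x HTTP/1.0\r\n"),
    ]
    return (table.distance["10.0.0.5"],
            stream_seen_by_naive_nids(segments),
            stream_seen_by_host(table, segments))


if __name__ == "__main__":
    print(demo())
```

The naive reassembly sees "GET /index.htmlcgi-bin/x ..." while the host (and the distance-aware NIDS) sees "GET /cgi-bin/x ...", which is exactly the discrepancy the TTL game relies on. In a real deployment the learned distance should be sanity-checked over many packets rather than taken from a single one, since a host moved to another segment or a misfingerprinted OS would otherwise poison the table.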
