[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Smith, Donald Donald.Smith at ...530...
Tue Aug 21 12:09:21 EDT 2001


Something like

    TTL = 64 + (int) ( 192 * rand()/(RAND_MAX+1.0) )   /* uniform in [64, 255] */

will give you a pseudo random number between 64 and 255.
Of course don't forget to seed your random number generator (1
time) before using this.

As for not bothering to send RST or ICMP, these methods do work for
many of the tools that are currently being used to scan our networks.

LaBrea by Tom Liston [tliston at ...621...] is currently being used to
SLOW down the infection rate of the Code Red worm.
It sends SYN/ACK for every SYN it sees that it shouldn't be seeing.

Until all hackers use perfected tools, active defense works.

Donald.Smith at ...530... IP Engineering Security
303-226-9939/0688 Office/Fax
720-320-1537 cell

> -----Original Message-----
> From: Burak DAYIOGLU [mailto:dayioglu at ...287...]
> Sent: Tuesday, August 21, 2001 1:07 AM
> To: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...
>
> agetchel at ...358... wrote:
> > traceroute into your network and determines that he's ten hops away from
> > your border router, and receives packets which are resetting his connection
> > that have a TTL of fifty-four (a TTL of sixty-four minus ten hops for the
> > packet to get to you) then he knows that the IDS is sitting on the other
> > side of your border router.  If he bypasses those countermeasures, and is
> > still getting resets from a Snort box placed deep within your network, he
> > can tell how far into your environment you have your second tier IDS placed.
> > An attacker knowing your IDS placement is "bad thing".
>
> Dynamic routing may result in different TTLs counted at each time, especially
> when the distance increases.
>
> Your arguments are true. Counting TTLs to measure exact distance is not
> generally accepted, which is one thing I hate.
>
> Gateway systems decrease TTL "at least by one" depending on the time it takes
> to process the packet. Still, I argue that exact TTL counting should work because
> the processing power of ordinary gateway equipment has improved so much that it
> ALWAYS takes less than a second.
>
> Exact TTL counting cannot be used to measure distances in the Internet (because
> of the existence of dynamic routing), but it is possible for an IDS to measure
> its distance to hosts on the protected domain.
>
> If an IDS can measure its distance from a protected host, it cannot be fooled
> any more by TTL games (see Ptacek and Newsham for explanation of the game).
>
> Any counter-arguments to this suggestion? Measuring distances between the NIDS
> and the protected hosts is easy if one has a passive fingerprint plug-in with
> a good database of fingerprints. (I have one :)
>
> >         Would it be a better solution to have Snort randomly generate the
> > TTL of the packet when using FlexResponse?  Say to a number between 64 and
> > 255?  This would at least keep the attacker guessing about where your IDS is
>
> Sending RSTs or ICMP errors back to the attacker is meaningless. A skilled
> attacker can easily discard such packets and attempt to continue processing.
> It is best to send such active-response packets to the protected domain
> only to close the protected end of the communication. However, we know that
> there are many people doing the reverse thing, so I find your proposition
> appropriate. Dynamically changing response packet properties with
> some randomness should be an easy trick for Marty.
>
> Thanks.
> --
> Phone: +90 312 2103379   Fax: +90 312 2103333
>        http://www.dayioglu.net
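The thread's point in working code, as an added example that is not from the list or from the Snort project: a reset packet sent with a fixed initial TTL lets the recipient recover the hop distance to the IDS by subtracting from a well-known OS default, while the randomized TTL expression from the message above (seeded once, drawn uniformly from [64, 255]) removes that signal. The inference routine `infer_hops`, the simulated path `ttl_seen_after` and the table of default initial TTLs (64, 128, 255, the common Linux/BSD, Windows and network-gear defaults) are assumptions made for this example, not Snort or FlexResp code.

```c
/* Added example: TTL-based placement inference versus a randomized
 * response TTL. None of this is Snort/FlexResp code. */
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Assumed table of initial TTLs an observer would try, in ascending order
 * (well-known OS defaults; not taken from the thread). */
static const int known_initial_ttls[] = { 64, 128, 255 };

/* Seed the PRNG once per process, as the message advises. */
void seed_ttl_generator(void)
{
    srand((unsigned) time(NULL));
}

/* Corrected form of the expression in the message: uniform integer in [64, 255].
 * rand()/(RAND_MAX+1.0) lies in [0,1), so 192*that truncates to 0..191. */
int random_ttl(void)
{
    return 64 + (int) (192 * (rand() / (RAND_MAX + 1.0)));
}

/* What the recipient of a reset can infer from its TTL: take the smallest
 * known initial TTL at or above the observed value and compute the
 * difference. Returns -1 if no known initial TTL fits. */
int infer_hops(int observed_ttl)
{
    size_t n = sizeof known_initial_ttls / sizeof known_initial_ttls[0];
    for (size_t i = 0; i < n; i++) {
        if (observed_ttl <= known_initial_ttls[i])
            return known_initial_ttls[i] - observed_ttl;
    }
    return -1;
}

/* Simulated path: each router decrements the TTL by exactly one
 * (the thread notes real gateways decrement "at least by one"). */
int ttl_seen_after(int initial_ttl, int hops)
{
    return initial_ttl - hops;
}

/* Sanity check on the generator: 1 if every sample lies in [64, 255]. */
int random_ttl_in_range(int samples)
{
    for (int i = 0; i < samples; i++) {
        int t = random_ttl();
        if (t < 64 || t > 255)
            return 0;
    }
    return 1;
}

int main(void)
{
    seed_ttl_generator();

    /* Fixed initial TTL of 64, IDS ten hops away: the observer recovers
     * the distance exactly (the fifty-four case from the quoted message). */
    int seen = ttl_seen_after(64, 10);
    printf("fixed TTL 64, 10 hops -> observed %d, inferred %d hops\n",
           seen, infer_hops(seen));

    /* Randomized initial TTL: the same ten-hop path yields an inference
     * that changes every packet, so the IDS position is no longer exposed. */
    for (int i = 0; i < 5; i++) {
        int t = random_ttl();
        seen = ttl_seen_after(t, 10);
        printf("random TTL %3d, 10 hops -> observed %3d, inferred %3d hops\n",
               t, seen, infer_hops(seen));
    }
    return 0;
}
```

The inference deliberately assumes the sender used one of a few stock initial TTLs, which is exactly the assumption a randomized TTL breaks; it also shows why a randomized value that happens to land near a stock default (say 128 or 64) still gives the observer a plausible-looking but wrong distance rather than no answer at all.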
