IDS bypassing

• SECURITY ALERT ********************

        NAT/PAT/load_balancing/packet_manipulation implementations

Risk

        medium

Overview

        Multiple vendors' implementations of
NAT/PAT/load_balancing/packet_manipulation

	calculate level 4 checksum from scratch.
	This could be used by an attacker to bypass or confuse a NIDS with a stream
	of packets with a temporary invalid checksum.

Description

        Look the scheme:

	Evil --[badSYN]--> Router --[badSYN]--> Load_Balancer --[SYN]--> WebServer
						  |				    |
						NIDS1				  NIDS2

	NIDS1 will see a TCP SYN with invalid checksum while NIDS2 will see a valid
	and modifyed SYN. So the webserver will reply to us with a SYN+ACK, letting
	us talk with it while causing a lot of doubts to NIDS1.
	A NIDS network or a DIDS could be confused ignoring the packet or
considering
	it like two different packets (1 valid, 1 invalid) inexplicably received
only
	by one system (NIDS1 receives the invalid SYN, NIDS2 receives the valid

	The complete study is available at:
	
http://www.phrack.org/phrack/60/p60-0x0c.txt

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Solution

	Check the behaviour of every device on your network and eventually update
	your NIDS configuration (not) to analyze level 4 checksum.
	Apply the patch when available.



******************************   Ed3f
*****************************0x000001*