IP Reassembly Mode

kurtpatzer
Level 1

Hello,

Can anyone explain to me what the purpose of the IP Reassembly Mode selection on the IDS sensor is? I fully understand why we want to reassemble fragments as an anti-evasion technique. What I don't understand is what the difference is between the modes "NT, Solaris, Linux & BSD". The docs for both IDM and IDS MC simply say "choose a mode" with no explanation of the differences. If anyone can shed some light, I'd appreciate it.

Thanks,

KEP

4 Replies

klwiley
Cisco Employee

The reassembly modes are there so that if the bulk of the network boxes being protected by the IDS are of a particular type, you can configure the sensor to reassemble using that type's reassembly method. By default the sensor reassembles as if it were a Solaris/Windows box, which makes up roughly 80% of the systems that we protect. However, we know that the sensor may be in an environment that is heavily Linux based and therefore allow the user to choose Linux reassembly mode as well.

If we are presented with a fragmented attack for a Linux box with overwrites in the stream and we are in our default reassembly mode, we will not reassemble the datagram as the Linux box would. This will result in the sensor not being able to detect explicitly what attack was in the datagram; however, a generic alarm alerting to the overwrite condition in the datagram will be produced.

Hope this helps.

KLW

This does help a little, but I think it mainly helps me rethink the question. Your description of why the option is there is rather intuitive given the options available. But I still don't understand how different OSs do reassembly differently. My understanding is that fragment handling should be defined by the IP specs, not by the OS. If NT & Linux reassembled in a majorly different way, 2 systems of different OSs wouldn't be able to communicate when fragmentation is involved. Given this, I'm guessing you are trying to address the known vulnerabilities in reassembly of illegal fragments, not normal fragments. I know the original teardrop affected Linux only. Am I on the right track?

Let me ask 3 related questions:

1) Is there a document that you can point me to that references the differences between reassembly algorithms in the various OSs?

2) You say the default fragment reassembly is Solaris/Windows, but NT and Solaris are 2 distinct options to choose from. NT is what I find by default.

3) If the DMZ has a few NT and a few Linux servers, is there a recommendation? 2 sensors might do the trick! (Actually a potential design objective might be to segregate the DMZ into sections and use the multiple sensing interface capabilities in 4.1 to monitor each group separately.)

Thanks,

KEP

You are on the right track.

All Operating Systems will correctly reassemble normal fragments.

It is with the abnormal fragments, where a piece of one fragment will overwrite another fragment, that the differences come into play.

Hackers use these differences to try and evade detection by an IDS sensor.

A user can configure the sensor so that it will reassemble the abnormal fragments the same way a specific operating system would reassemble them.

This way the IDS can detect which actual attack is taking place.

Understand, however, that even though the IDS cannot be configured to reassemble the abnormal fragments for each OS type at the same time, the sensor will still generate a Fragment OverWrite alarm if the hacker attempts this.

So if the sensor is protecting an NT machine and is configured to reassemble packets like an NT machine, and the hacker tries to evade the IDS using fragment overlaps that the NT machine will understand, then the sensor will generate both the Fragment Overwrite alarm and the alarm for the actual attack.

If the sensor is protecting a Linux machine, but the sensor is configured to reassemble like an NT machine, and the hacker tries to evade the IDS using fragment overlaps that the Linux machine will understand, then the sensor will generate the Fragment Overwrite alarm, but may not generate the alarm for the actual attack.

1) Is there a document that you can point me to that references the differences between reassembly algorithms in the various OSs?

Do a web search for:

"Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection"

by Thomas H. Ptacek and Timothy N. Newsham

It discusses evasion techniques.

I don't remember if they get into the details of how each OS reassembles the fragments.

2) You say the default fragment reassembly is Solaris/Windows, but NT and Solaris are 2 distinct options to choose from. NT is what I find by default.

NT and Solaris both use the same technique for reassembling the abnormal fragments. So whether you choose NT or Solaris, the sensor will still act the same.

3) If the DMZ has a few NT and a few Linux servers, is there a recommendation? 2 sensors might do the trick! (Actually a potential design objective might be to segregate the DMZ into sections and use the multiple sensing interface capabilities in 4.1 to monitor each group separately.)

I would start with the NT setting since there are a number of attacks against NT machines.

But if you start seeing the Fragment OverWrite alarms with your Linux server as the target then I would switch to a Linux style reassembly for a period of time to see if the sensor can determine the actual attack taking place.

Alternatively you could use 2 sensors, with one configured to reassemble like an NT and the other like a Linux box.

Unfortunately you can't take advantage of the multiple sniffing interfaces in 4.1 to do this. This is because the reassembly settings and signature settings get applied to all of the interfaces. So you can't tell the sensor to do it one way on one interface and a different way on another interface.
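The behaviour described in this reply (normal fragments reassemble identically everywhere, overlapping fragments reassemble differently depending on the target's policy, and a sensor reassembling under the wrong policy raises only the generic Fragment Overwrite alarm) can be modelled in a few lines. The following is an added illustration, not Cisco sensor code and not from anyone in this thread. It uses two generically labelled overlap policies, "first wins" and "last wins"; which real OS (NT, Solaris, Linux, BSD) follows which policy is deliberately not asserted. The fragments, the signature name and its pattern are all constructed for the example, and IP's 8-byte offset units and the MF flag are omitted.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Fragment:
    """One IP fragment, simplified: a byte offset into the datagram plus its data.
    Real fragments carry offsets in 8-byte units and an MF flag; both are omitted here."""
    offset: int
    data: bytes


# Two overlap-resolution policies, labelled generically. Which real OS follows
# which policy is NOT asserted here; the point is only that two targets can
# resolve the very same overlap differently.
FIRST_WINS = "first"  # bytes already received are kept; later overlapping bytes are ignored
LAST_WINS = "last"    # later fragments overwrite bytes already received


def reassemble(fragments: Sequence[Fragment], policy: str) -> Tuple[bytes, bool]:
    """Reassemble fragments in arrival order under the given policy.

    Returns (payload, overlap_seen). Raises ValueError if the fragments leave a gap,
    since a datagram with missing bytes cannot be handed to signature matching."""
    if policy not in (FIRST_WINS, LAST_WINS):
        raise ValueError(f"unknown policy {policy!r}")
    buf: Dict[int, int] = {}
    overlap_seen = False
    for frag in fragments:
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if pos in buf:
                overlap_seen = True  # abnormal fragment: this byte was already covered
                if policy == FIRST_WINS:
                    continue         # keep the byte that arrived first
            buf[pos] = byte          # first arrival, or last-wins overwrite
    if sorted(buf) != list(range(len(buf))):
        raise ValueError("datagram incomplete: gap in fragment coverage")
    return bytes(buf[i] for i in range(len(buf))), overlap_seen


def inspect(fragments: Sequence[Fragment], policy: str,
            signatures: Dict[str, bytes]) -> List[str]:
    """Model the sensor: a generic 'Fragment Overwrite' alarm whenever an overlap is
    seen, plus one alarm per signature found in the payload as *this policy* builds it."""
    payload, overlap_seen = reassemble(fragments, policy)
    alarms = ["Fragment Overwrite"] if overlap_seen else []
    alarms += [name for name, pattern in signatures.items() if pattern in payload]
    return alarms


# Constructed sample: the second fragment arrives later and exactly overlaps
# bytes 5..13 of the first; the third fragment is a normal, non-overlapping tail.
SAMPLE_FRAGMENTS = [
    Fragment(0, b"GET /MALICIOUS"),
    Fragment(5, b"INNOCUOUS"),
    Fragment(14, b" HTTP/1.0"),
]

# Constructed signature name and pattern for the illustration; not a real IDS signature.
SIGNATURES = {"constructed-sig": b"MALICIOUS"}


if __name__ == "__main__":
    for policy in (FIRST_WINS, LAST_WINS):
        payload, _ = reassemble(SAMPLE_FRAGMENTS, policy)
        print(f"{policy}-wins -> {payload!r}; alarms = {inspect(SAMPLE_FRAGMENTS, policy, SIGNATURES)}")
```

Running it shows the point of the thread: under first-wins the payload reads `GET /MALICIOUS HTTP/1.0` and both the generic overwrite alarm and the specific signature fire; under last-wins the same three fragments reassemble to `GET /INNOCUOUS HTTP/1.0`, so only the Fragment Overwrite alarm fires. Drop the overlapping fragment and both policies produce an identical payload with no overlap alarm, which is the "all operating systems correctly reassemble normal fragments" case above.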

Great Info - Thanks!