Information, tools and how-to's for the new intrusion analyst. Mentoring by blogging.
Wednesday, July 21, 2010
Too Configurable...
I was working with a semi-popular IDS system and discovered that TCP checksum checking is turned off by default. That's bad enough: an IDS that doesn't check (and drop) packets with a bad TCP checksum is vulnerable to an IDS insertion attack (the scenario where the IDS sees a packet that the host will discard). It gets better... it's configurable anywhere from 0 (check all packets) to 255 (check every 255th packet). What good is TCP checksumming if you're not going to do it on every packet, especially if you're going to skip every 10 or 50 or 255 packets? It only takes one packet with a bad TCP checksum to do an insertion attack, so to me the common-sense default here would be ON, with no way for the admin to tinker with which packets are checked. Yes, I realize there is overhead, but if you're going to check them, the only assurance you have against that particular attack is to check them all. Or you could turn it off altogether and enjoy your blissful ignorance.
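To make the point concrete, here is an added example (not code from the post or from the IDS product it describes) that verifies TCP checksums the way a receiving host does and then models the "check every Nth packet" knob over a constructed stream of segments. The addresses, ports and payloads are made up, and the knob is assumed to mean "verify the segment when its index is a multiple of N" (0 = verify all); the result shows that any N above 0 lets a single bad-checksum segment reach the detection engine unverified.

```python
import struct

# Constructed sample addresses (10.0.0.1 -> 10.0.0.2); not from the original post.
SRC_IP = bytes([10, 0, 0, 1])
DST_IP = bytes([10, 0, 0, 2])

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum (RFC 1071); an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def checksum_ok(src_ip: bytes, dst_ip: bytes, segment: bytes) -> bool:
    """True if the receiving host would accept the segment's checksum."""
    stored = struct.unpack("!H", segment[16:18])[0]
    calc = tcp_checksum(src_ip, dst_ip, segment)
    return stored == calc or (calc == 0 and stored == 0xFFFF)  # 0 is sent as 0xFFFF

def build_segment(payload: bytes, corrupt: bool = False) -> bytes:
    """Minimal 20-byte TCP header + payload; optionally flip one checksum bit."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    seg = hdr + payload
    csum = tcp_checksum(SRC_IP, DST_IP, seg) ^ (1 if corrupt else 0)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]

def unverified_bad_segments(segments, every_nth: int) -> list:
    """Model the 'check every Nth packet' knob (0 = check all; assumed to mean
    index % N == 0). Returns indices of bad-checksum segments the engine would
    inspect without verifying, i.e. data the host itself will discard."""
    leaked = []
    for i, seg in enumerate(segments):
        verified = every_nth == 0 or i % every_nth == 0
        if not verified and not checksum_ok(SRC_IP, DST_IP, seg):
            leaked.append(i)
    return leaked

def demo() -> dict:
    """Eight good segments with one bad-checksum segment at index 3."""
    stream = [build_segment(b"GET / HTTP/1.0\r\n") for _ in range(8)]
    stream[3] = build_segment(b"chaff the host never accepts", corrupt=True)
    return {n: unverified_bad_segments(stream, n) for n in (0, 2, 10, 255)}
```

Running `demo()` returns an empty list only for N = 0; for 2, 10 and 255 the bad segment at index 3 slips through unverified.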
2 comments:
Good evening
Thanks for writing this blog, loved reading it
Hi there
Just wanted to show my appreciation for your time and hard work