By definition, evasion is the process of avoiding or bypassing an object or a situation. In the technical terms, evasion is a technique by which an attacker bypasses a security system in the cyber security space. The system may typically consist of routers, firewalls, network switches and intrusion detection devices. As we know, the routers segregate the networks, the firewalls block unwanted IP address and TCP port communications, whereas the intrusion detection devices add a layer of intelligence based on anomaly detection techniques. Few years back, these techniques were implemented and network administrators could safely say that their infrastructure was secure. However, the law of nature tells us that a thief is always a step ahead of cops. While these devices seem to thwart the attacks for some time, it made cyber criminals more aggressive and come up with ways to penetrate and breakdown the security perimeter. Attackers use evasion methods in order to steal data, disrupt the IT networks or plant a software exploit etc.
As shown in Figure 1., a typical secure infrastructure contains at least a router, whereas a switch and a firewall are also incorporated. To learn about device evasions we are going to concentrate on these three devices only, and we will talk a bit about IDS systems too. We will also learn how each of these devices can be broken into, and finally how to secure those to protect the infrastructure. Device evasion is a highly technical, and a systematic approach to penetrate through a network.
It is commonly found that routers are the first device that is accessible from outside a firm's network. Routers maintain their own tables called as routing table which stores the path to destination IP ranges with a cost metric. Routing table is referred every time a TCPIP packet is processed and to be sent to the desired destination. Besides this, routers implement intelligent algorithms to speed up the routing process. The router device thus acts as a first line of defense from cyber security perimeter standpoint. In earlier articles of this series, we learnt about denial of service attack, IP spoofing attack, man in the middle attack and packet crafting attack. All these attack vectors can either fool a router to route malicious packets into the target network, or can simply render its functionality useless, thus disrupting the whole network. Besides this there are few router-specific techniques too mentioned below.
Route Hijacking - In this method, the hacker first sniffs the traffic originating from a router. Based on the information gathered, the router is then supplied with bogus source and destination IP addresses which are spoofed purposefully to trick the router. Router keeps a track of it, and keeps on updating its routing table. In some cases this process can become very overwhelming to the router, overflowing and corrupting its routing table. This is similar to a denial of service attack but can take much lesser time in reality. An expert hacker can further exploit this situation by feeding the vulnerable router with its own IP segment and waits for the routing table to get build up again. The very first routing protocol called RIP, didn't have a built-in authentication mechanism to verify the authenticity of the routes being updated. Hence a forged RIP packet can easily disrupt the routing table, and this scenario becomes dangerously serious if multiple routers are connected together using RIP protocol. Modern routers usually don't fall prey to this attack; however an improperly configured router can still be vulnerable.
IOS penetration - Like any other network device, a router runs on its own operating system which can be vulnerable to attacks. For example, most of the wireless router and early generation industry grade routers were running on compromised kernel OS. Attacker having a complete knowledge of such vulnerability, can write scripts and programmatically subject the device to DoS or other dangerous attacks such as remote code execution. Once the OS is thus penetrated, attacker can remotely run commands to change critical configurations and settings. Attacker can route traffic to malicious servers for data stealing and data corruption, and cause a bigger damage.
It is a common practice to host a firewall behind a router, however many mid-size firms running only one office, may completely remove the router and in such case the firewall becomes the first line of defense. As compared to the router, a firewall acts as a strong opposition to hacking attacks; this is because its kernel functionality is designed just for the cause. For the same reason, the biggest headache for attackers is to get past a nicely configured firewall.
As we know, a firewall is a rule based device which allows or disallows traffic entering or exiting a security perimeter. When a source address initiates a connection with a host behind a firewall, the firewall rules intercept the connection, interpret it, and take the appropriate action. This also tells us that the TCP handshake actually happens between the source and firewall. In case the connection being established is not allowed based on the rules configured, the firewall drops the connection by sending a TCP RST signal to the source. If the connection is allowed, it initiates connection with the destination and performs the packet transfer. This also shows us, that the source and destination IP addresses, as well as the ports, are very important from firewall's standpoint. With this fundamental theory in mind, let's look at few firewall specific evasion attacks.
Firewall request spoofing - If the attacker can spoof its packets to make those look coming from the internal network segment of firewall, an improperly configured firewall may allow those through the system. Similar effect can be achieved by spoofing the MAC address, in case the firewall is keeping a track of all internal MAC addresses.
Firewall DoS - Modern firewalls intercept each packet and apply enough intelligent on it than their predecessors, before it is let through the network. A typical check by antivirus and antispyware algorithms, attack anomalies etc are performed on each packet. This feature, though tremendously useful, is exploited by attackers in some cases. While sending an overwhelming number of requests is one way to do so, there are few other tricks that are used by attackers. In one case, a malicious request to a known destination host listening on a known port is sent multiple times, however the source IP and port of that packet are spoofed to a non-existing host. Firewall doesn't have a way to know this, and make an internal connection to destination and updates its own tracking table. Since the source does not exist, such requests keep on piling up, thus exhausting the firewall resources. In another case, the source address is spoofed to be one of the internal network IP range, and the MAC address is spoofed. This causes the destination host call for a MAC address RARP request, causing turbulence on the internal network. It is important to note, that a firewall denial of service attack can disrupt internal to external network traffic, as well as can take down the internal network.
Packet forging - In one of the previous articles of this series we learnt about packet crafting. The same technique can be used against firewall. In one case, packet can be crafted to have bad TCP checksum, which the firewall has to calculate every time, before taking a decision on the packet, thus causing sluggishness. In another case, the data-length parameter in the TCP packet can be filled with a very big number, which tricks firewall into waiting for the entire data chunk to arrive. This can eventually exhaust firewall's internal memory.
Rule exploitation - Attackers know by experience, that in many cases a firewall is not configured correctly. For example, it is commonly found that TCP packet rules are setup whereas the administrator simply forgets to deal with UDP packets, letting those get through the firewall. It is also found that many firewalls are configured with port 80 being open bi-directionally, whereas it should be open only from external network to internal network. Modern black hat attackers often write scripts to detect such mis-configurations and upon finding one, they gather enough data to exploit those further.
IDS and Switch evasion
Today's IT infrastructures always try to go beyond firewall, by implementing Layer-3 switches as well as intrusion detection systems. A layer-3 switch contains few great features such as compartmentalized virtual networks, network bandwidth quality of service, MAC registration etc. An IDS system works by applying attack anomaly algorithms on the packet traffic in a network. While each of those have their advantages, the techniques used to invade into a router and firewall apply to them too. The heart of all these techniques is the packet crafting and packet spoofing, so that these devices are fooled to treat those packets as legitimate and thus the attack is not sensed, suspected or detected. One common technique to evade an IDS system is forceful signature embossing. An IDS system learns as time goes by, and updates its own database of anomaly signatures which further helps in deciding which request is legitimate and which is not. Attacker sends multiple spoofed packets over a long period of time to a destination host running a known TCP service. The packets are sent in well-formed as well as mal-formed patterns. IDS drops the mal-formed ones, but eventually learns it as an acceptable behavior based on historic patterns. Once this state is attained, attacker storms the IDS with malformed packets to the host, thus achieving the goal of disrupting system. This also shows us, that having an IDS is a great thing, but having a mis-configured IDS can be equivalent to having almost no security at all.
As for switches and the IDS systems, denial of service attack planted at Layer-2 or Layer-3 is possible. Switches are configured to deal with such situations however attackers scan networks to find out the weakest link, which is usually the mis-configured device, and use it as a target. Similar to the routers, the operating system of switches is possible to be compromised whereby attacker can take control of it remotely. This is however not so easily possible in case of IDS systems, making those an important network component from cyber security perspective.
Protecting FOSS systems
There are many flavors of open source routers running on Ubuntu and other distros. The same is true for firewalls and intrusion detection systems. While we discussed about the devices, it is important to note here that the FOSS systems behind the perimeter of these devices should be properly configured and monitored for network attack anomalies. At the network layer, Linux FOSS systems come with a built in feature called as the source address verification. It is a kernel feature which when turned on, starts dropping packets which appear to be arriving from the internal network, but in reality are not. Most of the latest kernels such as Ubuntu and CentOS etc, do support it. This usually helps a step towards reducing the chances of packet spoofing, which is primarily used by the attackers.
With this article, we conclude this series of technical articles. We all love FOSS world and can love it more only if it is cyber-secured. Thanks for all the great feedbacks received so far, and the encouraging words via emails and social networks. Device evasion is a new trend of network attacks to break into corporate IT infrastructure for malicious reasons, and hence should be taken very seriously by network administrators and IT senior management.