Researcher Bypasses IDS Using IDS Signatures

Bucharest - DefCamp 2017 - Intrusion detection system (IDS) signatures can be used as an evasion technique to bypass the IDS itself, a security researcher claims.

During a presentation at the DefCamp 2017 security conference in Bucharest, Romania, Kirill Shipulin, a security researcher at Positive Technologies, explained that available IDS signatures can be turned against the system to paralyze its defenses. He also argued that compromises between performance and security can produce opportunities for bypass.

Signature-based IDS relies on discovering specific patterns for the detection of attacks, either by looking for byte sequences in network traffic, or for known malicious instruction sequences used by malware.

The main limitation of such systems is that they can’t detect attacks for which no pattern is available. There is also a gap between the discovery of a new threat and the moment its signature is applied to the IDS, and an attacker can exploit that window without fear of being detected.

Many of the available signatures have been designed to protect systems from public exploits, and designing high-quality signatures requires a wide range of skills from the developer in order to avoid false-positives, Shipulin says. What’s more, slow, inefficient signatures can create weaknesses in IDS, adding to the range of already available common bypass techniques.

“Signatures are expert knowledge shaped into forms that the system understands. Developers usually have limited or no time to analyze a vulnerability in depth and devise a fix. They also need to focus on performance, and this could lead to errors,” the security researcher told SecurityWeek during an interview at DefCamp.

Some of the available signatures can be slow, requiring a lot of time to perform the necessary analysis. The researcher demonstrated that when such a rule meets bad traffic, the system can become paralyzed and can start dropping traffic. This can result in either denial of service or in the bypass of the detection system.

While planning IDS/IPS capacity, a rule of thumb to follow is to assign only a limited number of signatures and amount of traffic to each processor, thus ensuring that the system can do its job efficiently.

According to Shipulin, who performed his research using the open source Suricata network threat detection engine, it takes more time for a signature to find no match than to find any match. This hurts performance, he added.

Suricata, which was designed to use “a powerful and extensive rules and signature language” and offers support for standard input and output formats like YAML and JSON, was built in a special performance mode. However, a vulnerability addressed in the platform not long ago can be exploited to create bad traffic and load the system to the full, thus bypassing defenses.

Tracked as CVE-2017-15377 and impacting Suricata before 4.x, the vulnerability makes it possible to “trigger lots of redundant checks on the content of crafted network traffic with a certain signature.” Basically, the search engine would continue the check even after no match was found, and would stop only upon reaching inspection-recursion-limit (3,000 by default).

Suricata takes advantage of regular expressions (PCRE), and Shipulin discovered that he could determine the string an expression was designed to search for. Using amplification, he also discovered that he could load the system to the full: with a PCRE check taking around 1.5 million CPU ticks, a 1000 times amplification would result in over 3 billion ticks, which would be a second for the processor.  

Paired with the fact that Suricata performs checks even after no match was found, this led the researcher to discover that he could use only 250Kb of network traffic per second to load to the full 8 out of 40 cores on a corporate server. At 10 HTTP POST requests per second, the system starts dropping packets and is bypassed. He used a clean installation, so the amount of network traffic required in real-life corporate networks could be much lower.

“There is no automatic way to detect slow signatures, which means that the discovered attack goes undetected,” the researcher said. “Once we manage to make the system drop packets, we can shut it down,” he continues.

Shipulin also points out that there are other systems that use signature-based detection that attackers could abuse in a similar manner, especially since the attack vector is silent. However, he also points out that the signatures themselves aren’t the problem, but that they do require quality checking.
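The packet-drop condition described above is silent at the alert level but leaves a trace in Suricata's own capture counters. As an added example (not code from the talk, the article or the Suricata project), the following Python reads EVE `stats` records and flags reporting intervals in which the share of dropped packets jumps; the sample records, the 1% threshold and the function names are assumptions.

```python
import json

# Constructed sample: EVE "stats" records in the shape Suricata writes to eve.json.
# Counters are cumulative since engine start; all values here are invented.
SAMPLE_EVE = """\
{"timestamp":"2017-11-09T10:00:00","event_type":"stats","stats":{"capture":{"kernel_packets":100000,"kernel_drops":0}}}
{"timestamp":"2017-11-09T10:00:08","event_type":"stats","stats":{"capture":{"kernel_packets":200000,"kernel_drops":50}}}
{"timestamp":"2017-11-09T10:00:16","event_type":"alert","alert":{"signature":"constructed"}}
{"timestamp":"2017-11-09T10:00:16","event_type":"stats","stats":{"capture":{"kernel_packets":300000,"kernel_drops":30050}}}
{"timestamp":"2017-11-09T10:00:24","event_type":"stats","stats":{"capture":{"kernel_packets":40000,"kernel_drops":10}}}
{"timestamp":"2017-11-09T10:00:32","event_type":"stats","stats":{"capture":{"kernel_packets":140000,"kernel_drops":20}}}
"""

def drop_intervals(lines, threshold=0.01):
    """Yield (timestamp, drop_ratio, flagged) for each stats interval."""
    prev = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partially written line at the tail of a live log
        if rec.get("event_type") != "stats":
            continue
        cap = rec.get("stats", {}).get("capture", {})
        cur = (cap.get("kernel_packets", 0), cap.get("kernel_drops", 0))
        if prev is not None:
            d_pkts, d_drops = cur[0] - prev[0], cur[1] - prev[1]
            if d_pkts < 0 or d_drops < 0:
                # Counters went backwards: the engine restarted, so rebaseline.
                d_pkts, d_drops = cur
            ratio = d_drops / d_pkts if d_pkts > 0 else 0.0
            yield rec["timestamp"], ratio, ratio >= threshold
        prev = cur

def flagged_intervals(text, threshold=0.01):
    """Return [(timestamp, ratio)] for intervals at or above the threshold."""
    return [(ts, round(r, 4))
            for ts, r, hit in drop_intervals(text.splitlines(), threshold) if hit]

if __name__ == "__main__":
    for ts, ratio in flagged_intervals(SAMPLE_EVE):
        print(f"{ts}  drop ratio {ratio:.2%}  possible detection blind spot")
```

Because the counters are cumulative, the check works on per-interval deltas; an unexpected counter reset is itself worth an operator's attention, since it means the engine restarted.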

“This is only one method we found to create bad traffic and amplify slow signatures. There might be other methods, other cases, other keyword combinations that an actor could use to paralyze or bypass a defense system,” Shipulin told SecurityWeek.

Ionut Arghire is an international correspondent for SecurityWeek.
Original author: Ionut Arghire