Evading deep inspection for fun and shell, presented at Black Hat USA 2013

by Olli-Pekka Niemi and Antti Levomäki

Summary: Whether you have a next-generation firewall, an IPS, an IDS, or a BDS (breach detection system), the protection these devices provide depends on their ability to perform robust TCP/IP reassembly: if reassembly fails, the device can be bypassed. We researched the TCP/IP reassembly capabilities of security boxes and found that their detection can be evaded with evasions applied at the IP and TCP layers. The TCP reassembly capabilities of most security boxes are still poor. Instead of doing proper TCP reassembly, many of the analysed boxes try to prevent attacks by anomaly detection, for example by blocking small TCP segments. Blocking small segments, however, also hits legitimate traffic, so this kind of blocking strategy cannot be applied to real traffic without a false-positive risk. We also found evasions that allowed the attack to succeed without any log entry on the security box, even with all signatures set to block.
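The mechanics behind the summary, as an added example that is not code from the talk or its authors: a minimal TCP segment reassembler with two illustrative overlap policies ("first" keeps bytes already received, "last" lets later segments overwrite them; real stacks have more detailed rules), an inspector that matches per segment without reassembly, and the "block small segments" anomaly rule. The HTTP request, the CGI name, the signature and the interactive keystroke session are all constructed here for illustration. The example shows that (a) one-byte segments defeat a per-segment matcher while a reassembling one still matches, (b) overlapping decoy bytes make a device and a host that apply different policies see different streams, and (c) the small-segment rule also blocks legitimate keystroke traffic.

```python
"""Added example (not from the Black Hat talk): TCP reassembly evasions and the
false-positive cost of the 'block small segments' workaround.  All segments,
payloads and the signature below are constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int      # relative sequence number of the first payload byte
    data: bytes   # TCP payload carried by this segment


def split_into_segments(payload: bytes, size: int) -> List[Segment]:
    """Attacker side: send `payload` as consecutive segments of at most `size` bytes."""
    return [Segment(i, payload[i:i + size]) for i in range(0, len(payload), size)]


def reassemble(segments: Iterable[Segment], policy: str = "first") -> bytes:
    """Rebuild the contiguous byte stream starting at relative seq 0.

    policy="first": a byte already received is kept when a later segment overlaps it.
    policy="last":  a later segment overwrites the bytes it overlaps.
    These two policies are illustrative; the point is only that an inspection
    device and the end host may resolve the same overlap differently.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    stream = {}
    for seg in segments:
        for i, byte in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in stream:
                continue
            stream[off] = byte
    out = bytearray()
    while len(out) in stream:          # stop at the first hole in the stream
        out.append(stream[len(out)])
    return bytes(out)


def per_segment_match(segments: Iterable[Segment], signature: bytes) -> bool:
    """Inspector that pattern-matches each segment on its own, with no reassembly."""
    return any(signature in seg.data for seg in segments)


def reassembled_match(segments: Iterable[Segment], signature: bytes,
                      policy: str = "first") -> bool:
    """Inspector that reassembles the stream under `policy` and then matches."""
    return signature in reassemble(segments, policy)


def blocks_small_segments(segments: Iterable[Segment], min_len: int) -> bool:
    """Anomaly rule: drop the connection if any data segment is shorter than min_len."""
    return any(0 < len(seg.data) < min_len for seg in segments)


# Constructed signature and request; the CGI name is hypothetical.
SIGNATURE = b"/cgi-bin/vuln.cgi"
REQUEST = b"GET /cgi-bin/vuln.cgi HTTP/1.0\r\n\r\n"

# Evasion 1: one byte per segment.  No single segment contains the signature.
TINY = split_into_segments(REQUEST, 1)

# Evasion 2: overlapping segments.  Decoy bytes arrive first at seq 5, then the
# real bytes at the same sequence numbers.  A "first" policy sees the decoy,
# a "last" policy sees the attack.
OVERLAP = [
    Segment(0, b"GET /"),
    Segment(5, b"X" * len(b"cgi-bin/vuln.cgi")),   # decoy, 16 bytes
    Segment(5, b"cgi-bin/vuln.cgi"),               # real bytes, same offsets
    Segment(21, b" HTTP/1.0\r\n\r\n"),
]

# Legitimate interactive traffic: one keystroke per segment (constructed).
KEYSTROKES = split_into_segments(b"ls -la\r\n", 1)


if __name__ == "__main__":
    print("tiny segments, per-segment inspector matches:",
          per_segment_match(TINY, SIGNATURE))
    print("tiny segments, reassembling inspector matches:",
          reassembled_match(TINY, SIGNATURE))
    for policy in ("first", "last"):
        print(f"overlap, policy={policy}:", reassemble(OVERLAP, policy))
    print("small-segment rule blocks attack:", blocks_small_segments(TINY, 8))
    print("small-segment rule blocks keystrokes:", blocks_small_segments(KEYSTROKES, 8))
```

Running the module prints the two reassembled streams side by side; the "first" stream carries the decoy bytes and never matches the signature, so a box that reassembles that way while the target host takes the later data lets the request through without an alert. The last two lines show why the small-segment rule is not a substitute for reassembly: it blocks the evasion and the keystroke session alike.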