Insertion/evasion attack prevention – D-Link DFL-2500 User Manual
Page 191

The option exists in NetDefendOS IDP to look for intrusions in all traffic, even the packets that are
rejected by the IP rule set check for new connections, as well as packets that are not part of an
existing connection. This provides the firewall administrator with a way to detect any traffic that
appears to be an intrusion. With this option the only possible IDP Rule Action is logging. Caution
should of course be exercised with this option since the processing load can be much higher when
all data packets are checked.
6.5.4. Insertion/Evasion Attack Prevention
When defining an IDP Rule, the administrator has the option to enable or disable the ability to
"Protect against Insertion/Evasion attack". Insertion/Evasion Attack is a form of attack which is
specifically aimed at IDP systems. It exploits the fact that in a TCP/IP data transfer, the data stream
must often be reassembled from smaller pieces of data because the individual pieces either arrive in
the wrong order or are fragmented in some way. Insertions or Evasions are designed to exploit this
reassembly process.
Insertion Attacks
An Insertion attack consists of inserting data into a stream so that the resulting sequence of data
packets is accepted by the IDP subsystem but will be rejected by the targeted application. This
results is two different streams of data.
As an example, consider a data stream broken up into 4 packets: p1, p2, p3 and p4. The attacker
might first send packets p1 and p4 to the targeted application. These will be held by both the IDP
subsystem and the application until packets p2 and p3 arrive so that reassembly can be done. The
attacker now deliberately sends two packets, p2' and p3', which will be rejected by the application
but accepted by the IDP system. The IDP system is now able to complete reassembly of the packets
and believes it has the full data stream. The attacker now sends two futher packets, p2 and p3, which
will be accepted by the application which can now complete reassembly but resulting in a different
data stream to that seen by the IDP subsystem.
Evasion Attacks
An evasion attack has a similar end-result to the Insertion Attack in that it also generates two
different data streams, one that the IDP subsystem sees and one that the target application sees, but
it is achieved in the reverse way. It consists of sending data packets that are rejected by the IDP
subsystem but are acceptable to the target application.
Detection Action
If an Insertion/Evasion Attack is detected with the Insertion/Evasion Protect option enabled,
NetDefendOS automatically corrects the data stream by removing the extraneous data associated
with the attack.
Insertion/Evasion Log Events
The Insertion/Evasion Attack subsystem in NetDefendOS can generate two types of log message:
An Attack Detected log message, indicating an attack has been indentified and prevented.
An Unable to Detect log message when NetDefendOS has been unable to identify potential
attacks when reassembling a TCP/IP stream although such an attack may have been present.
This condition is caused by infrequent and unusually complex patterns of data in the stream.
Recommended Configuration
By default, Insertion/Evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:
6.5.4. Insertion/Evasion Attack
Chapter 6. Security Mechanisms