
Insertion/evasion attack prevention – Amer Networks E5Web GUI User Manual

Page 473


Invalid hex encoding

A valid hex sequence is a percent sign followed by two hexadecimal digits, which together
represent a single byte of data. An invalid hex sequence is a percent sign followed by
anything that is not a pair of hexadecimal digits.

Double encoding

This looks for any hex sequence which is itself encoded using further hex escape sequences.
An example is the sequence %2526: an HTTP server might first decode %25 to '%', giving the
sequence %26, which is then decoded again to '&'.
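The two checks above, as an added Python example that is not part of the original manual: a single decoding pass that flags a '%' not followed by two hex digits (invalid hex encoding) and a %25 that is itself followed by two hex digits (double encoding), plus a helper that peels off one layer per pass so the %2526 to %26 to & chain in the text can be followed. The function names and the sample inputs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List

HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class HexScan:
    decoded: bytes        # result of one decoding pass
    invalid: List[int]    # offsets of '%' not followed by two hex digits
    double: List[int]     # offsets of '%25' followed by two more hex digits


def _is_hex_pair(pair: str) -> bool:
    return len(pair) == 2 and all(ch in HEX_DIGITS for ch in pair)


def scan_percent_encoding(s: str) -> HexScan:
    """One decoding pass over a percent-encoded string, recording anomalies.

    A '%' that is not followed by two hex digits is kept literally and flagged
    as invalid; a '%25' that is itself followed by two hex digits is flagged as
    a double-encoded escape, because a second pass would decode it again.
    """
    out = bytearray()
    invalid: List[int] = []
    double: List[int] = []
    i, n = 0, len(s)
    while i < n:
        if s[i] != "%":
            out += s[i].encode("utf-8")
            i += 1
            continue
        pair = s[i + 1:i + 3]
        if not _is_hex_pair(pair):
            invalid.append(i)   # invalid hex encoding: keep the '%' as data
            out += b"%"
            i += 1
            continue
        byte = int(pair, 16)
        if byte == 0x25 and _is_hex_pair(s[i + 3:i + 5]):
            double.append(i)    # double encoding: %25 followed by another escape
        out.append(byte)
        i += 3
    return HexScan(bytes(out), invalid, double)


def decode_layers(s: str, max_passes: int = 3) -> List[str]:
    """Decode repeatedly, keeping every layer, until the text stops changing."""
    layers = [s]
    for _ in range(max_passes):
        nxt = scan_percent_encoding(layers[-1]).decoded.decode("utf-8", "replace")
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


if __name__ == "__main__":
    # Constructed inputs for demonstration.
    for sample in ("%2526", "..%255c", "a%zz%4", "%41%42"):
        scan = scan_percent_encoding(sample)
        print(sample, "->", scan.decoded, "invalid:", scan.invalid, "double:", scan.double)
    print(decode_layers("%2526"))
```

The double-encoding flag fires on the outer layer, before any second decode happens. The constructed sample ..%255c shows why one pass is not enough: a single decode yields ..%5c, and only the second yields the backslash that a traversal check would need to see, so a sensor that normalizes fewer times than the server behind it is inspecting a different string from the one the server acts on.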

Initial Packet Processing

The initial order of packet processing with IDP is as follows:

1. A packet arrives at the gateway and cOS Core performs normal verification. If the packet is
part of a new connection, it is checked against the IP rule set before being passed to the
IDP subsystem. If the packet is part of an existing connection, it is passed straight to the
IDP subsystem. A packet that is neither part of an existing connection nor accepted by the
IP rule set is dropped.

2. The source and destination information of the packet is compared to the set of IDP Rules
defined by the administrator. If a match is found, the packet is passed on to the next level
of IDP processing, which is pattern matching, described in the following step. If there is no
match against any IDP rule, the packet is accepted and the IDP subsystem takes no further
action, although any further actions defined in the IP rule set, such as address translation
and logging, are still applied.

6.5.4. Insertion/Evasion Attack Prevention

Overview

When defining an IDP Rule, the administrator can enable or disable the option Protect against
Insertion/Evasion attack. An Insertion/Evasion Attack is a form of attack specifically aimed at
evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer the data stream
must often be reassembled from smaller pieces of data, because the individual pieces either
arrive in the wrong order or are fragmented in some way. Insertions and evasions are designed
to exploit this reassembly process.

Insertion Attacks

An insertion attack consists of inserting data into a stream so that the resulting sequence of data
packets is accepted by the IDP subsystem but rejected by the targeted application. The result is
two different streams of data: the one the IDP subsystem analyzes and the one the application
actually receives.

As an example, consider a data stream broken up into 4 packets: p1, p2, p3 and p4. The attacker
might first send packets p1 and p4 to the targeted application. These will be held by both the
IDP subsystem and the application until packets p2 and p3 arrive so that reassembly can be
done. The attacker now deliberately sends two packets, p2' and p3', which will be rejected by the
application but accepted by the IDP subsystem. The IDP subsystem is now able to complete
reassembly and believes it has the full data stream. The attacker then sends two further
packets, p2 and p3, which are accepted by the application, which can now complete its own
reassembly, resulting in a different data stream from that seen by the IDP subsystem.
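The p1, p4, p2', p3', p2, p3 sequence described above, as an added worked example that is not part of the original manual. The page does not say why the application rejects p2' and p3'; this simulation assumes a failed TCP checksum as the rejection criterion (a classic insertion vector: a sensor that does not verify checksums accepts what the end host discards). The Segment and Reassembler types, the function name and the payloads are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Segment:
    seq: int                  # offset of the first payload byte within the stream
    payload: bytes
    checksum_ok: bool = True  # constructed attribute: does the transport checksum verify?


class Reassembler:
    """Minimal reassembly buffer: the first segment to fill an offset wins."""

    def __init__(self, verify_checksum: bool) -> None:
        self.verify_checksum = verify_checksum
        self.held: Dict[int, bytes] = {}

    def receive(self, seg: Segment) -> None:
        if self.verify_checksum and not seg.checksum_ok:
            return  # an end host discards a segment whose checksum fails
        self.held.setdefault(seg.seq, seg.payload)  # later duplicates are ignored

    def stream(self) -> Optional[bytes]:
        """Return the stream once it is contiguous from offset 0, else None."""
        if not self.held:
            return None
        out, pos = bytearray(), 0
        while pos in self.held:
            out += self.held[pos]
            pos += len(self.held[pos])
        end = max(seq + len(p) for seq, p in self.held.items())
        return bytes(out) if pos == end else None


def run_insertion_attack() -> Dict[str, Tuple[Optional[bytes], Optional[bytes]]]:
    """Replay p1, p4, p2', p3', p2, p3 and record (sensor view, host view) twice."""
    idp = Reassembler(verify_checksum=False)  # assumed: the sensor skips checksum checks
    app = Reassembler(verify_checksum=True)   # the targeted host verifies them

    # Constructed stream: the application will finally see "GET /admin HTTP/1.0".
    p1 = Segment(0, b"GET /")
    p2 = Segment(5, b"adm")
    p3 = Segment(8, b"in ")
    p4 = Segment(11, b"HTTP/1.0")
    # Decoys p2' and p3': same offsets and lengths, bad checksums, benign content.
    p2x = Segment(5, b"ind", checksum_ok=False)
    p3x = Segment(8, b"ex ", checksum_ok=False)

    views: Dict[str, Tuple[Optional[bytes], Optional[bytes]]] = {}
    for seg in (p1, p4, p2x, p3x):
        idp.receive(seg)
        app.receive(seg)
    views["after_decoys"] = (idp.stream(), app.stream())
    for seg in (p2, p3):
        idp.receive(seg)
        app.receive(seg)
    views["final"] = (idp.stream(), app.stream())
    return views


if __name__ == "__main__":
    for stage, (sensor, host) in run_insertion_attack().items():
        print(f"{stage:13s} sensor={sensor!r} host={host!r}")
```

After the decoys the sensor's buffer is already contiguous, so it analyzes "GET /index HTTP/1.0" while the host is still waiting for offsets 5 to 10; when the real p2 and p3 arrive the host reassembles "GET /admin HTTP/1.0", which the sensor never inspects because those offsets are already filled in its buffer. Constructing the sensor with verify_checksum=True makes both views agree, which is the general shape of the defence: the sensor must accept and reject exactly what the end host does. How cOS Core's Protect against Insertion/Evasion attack option achieves this internally is not described on this page.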

Chapter 6: Security Mechanisms
