Evading Deep Inspection for Fun and Shell

Presented at Black Hat USA 2013, July 31, 2013, 2:15 p.m. (60 minutes)

Whether you have a Next Generation Firewall, an IPS, an IDS, or a BDS, the security provided by these devices depends on their ability to perform robust TCP/IP reassembly. If reassembly fails, the device can be bypassed. We researched the TCP/IP reassembly capabilities of security boxes and found that their detection can be evaded with evasions applied at the IP and TCP layers. The TCP reassembly capabilities of most security boxes are still poor. Instead of doing proper TCP reassembly, many of the analyzed boxes try to prevent attacks by anomaly detection, for example by blocking small TCP segments. Blocking small segments produces false positives on legitimate traffic, so this kind of blocking strategy cannot be applied to real traffic without that risk. We also found evasions that allowed the attack to succeed without any log entry in the security box, even with all signatures set to block.
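To make the reassembly argument concrete, here is a toy TCP stream reassembler written for this page; it is an added example, not the presenters' evasion tool, and the overlap policies, the signature string and the three constructed segment sequences are illustrative assumptions. It shows three things the abstract claims: a signature split across segments is invisible to per-segment inspection but trivially found once the stream is reassembled; an overlapping retransmission with different content yields a different stream depending on which copy of a byte the reassembler keeps, so a device that guesses the wrong policy for the destination host inspects a harmless request and logs nothing; and a "drop small segments" anomaly rule does not catch that overlap case at all while it does flag an ordinary interactive session.

```python
"""Toy TCP reassembler illustrating policy-dependent inspection.

Added example for this page, not the presenters' tool. The overlap
policies, SIGNATURE, and the segment sequences below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Literal, Optional

SIGNATURE = b"/etc/passwd"          # the pattern an IPS signature looks for
Policy = Literal["first", "last"]   # which copy wins on overlapping bytes


@dataclass(frozen=True)
class Segment:
    seq: int        # sequence number relative to the start of the stream
    data: bytes


def reassemble(segments: List[Segment], policy: Policy) -> Optional[bytes]:
    """Rebuild the contiguous stream from offset 0.

    'first': the first-arriving copy of a byte is kept; 'last': a later
    copy overwrites an earlier one. Real stacks differ in exactly this
    kind of choice, so an inspector that guesses wrong sees a different
    stream than the host. Returns None if the stream has a hole.
    """
    buf: Dict[int, int] = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == "first" and off in buf:
                continue
            buf[off] = b
    out = bytearray()
    while len(out) in buf:            # walk the contiguous prefix
        out.append(buf[len(out)])
    return bytes(out) if len(out) == len(buf) else None


def inspect_per_segment(segments: List[Segment]) -> bool:
    """Naive inspector: the signature must sit inside one segment."""
    return any(SIGNATURE in s.data for s in segments)


def inspect_reassembled(segments: List[Segment], policy: Policy) -> bool:
    """Inspector that reassembles under `policy` before matching."""
    stream = reassemble(segments, policy)
    return stream is not None and SIGNATURE in stream


def has_small_segment(segments: List[Segment], threshold: int = 8) -> bool:
    """Anomaly rule of the kind the talk criticises: flag any data
    segment shorter than `threshold` bytes."""
    return any(0 < len(s.data) < threshold for s in segments)


def split_evasion() -> List[Segment]:
    """Signature split into 3-byte segments sent in reverse order:
    defeats per-segment inspection, caught under either policy once
    reassembled, and (being small) caught by the small-segment rule."""
    payload = b"GET /../../etc/passwd HTTP/1.0\r\n"   # constructed
    segs = [Segment(i, payload[i:i + 3]) for i in range(0, len(payload), 3)]
    return segs[::-1]


def overlap_evasion() -> List[Segment]:
    """Overlapping retransmission with different content and no short
    segment at all. A host keeping the first copy executes the attack;
    an inspector letting the later copy overwrite sees a decoy."""
    head = b"GET /cgi-bin/../../etc/"                 # 23 bytes, constructed
    return [
        Segment(0, head),
        Segment(len(head), b"passwd HTTP/1.0\r\n"),   # first copy: attack
        Segment(len(head), b"README HTTP/1.0\r\n"),   # later copy: decoy
    ]


def interactive_session() -> List[Segment]:
    """Constructed legitimate traffic: an interactive shell sending one
    keystroke per segment, exactly what a small-segment rule drops."""
    typed = b"ls -la\r\n"
    return [Segment(i, typed[i:i + 1]) for i in range(len(typed))]


if __name__ == "__main__":
    for name, segs in [("split", split_evasion()),
                       ("overlap", overlap_evasion()),
                       ("interactive", interactive_session())]:
        print(name,
              "per-seg:", inspect_per_segment(segs),
              "first:", inspect_reassembled(segs, "first"),
              "last:", inspect_reassembled(segs, "last"),
              "small-seg flag:", has_small_segment(segs))
```

The `overlap_evasion` case is the one that matters for the "no logs" claim: every segment is well-formed and none is short, so only an inspector whose overlap handling matches the destination host sees the attack; one that resolves the ambiguity the other way has nothing to alert on.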

Presenters:

  • Antti Levomäki - Stonesoft
    Antti Levomäki has been working since 2004 in R&D at the Finnish cyber security company Stonesoft. For the last five years he has focused on researching evasion techniques against network security products and writing testing tools. Previous duties include writing attack and application signatures for Stonesoft network security products. Mr. Levomäki holds a Master of Computer Science degree from the University of Helsinki and is currently pursuing a PhD at Aalto University.
  • Olli-Pekka Niemi - Stonesoft
    Olli-Pekka Niemi has been working in Internet security since 1996. He has experience in offensive security as a Penetration Tester and in defensive security as a System Administrator. Since December 2000, he has been working for Stonesoft R&D, developing Intrusion Prevention Systems and Next Generation Firewalls. His main R&D interests are analyzing network-based threats and evasion research. Mr. Niemi is the founder and head of the Stonesoft Vulnerability Analysis Group (VAG). He is also the Chief Research Officer of Stonesoft. Mr. Niemi has given presentations at various security conferences such as T2, DeepSec, Positive Hack Days, and SIGCOMM.
