[dundee] This week's meeting
Arron 'Finux' Finnon
finux at finux.co.uk
Tue Nov 1 12:36:28 UTC 2011
On 01/11/11 11:58, Robert Ladyman wrote:
> Oh no...not the techno-tart again.
Do I see a green-eyed monster in this email?

Yes, it is me speaking this week. I'm giving a very rough draft and first run of my "reassemble or gtfo" talk that I'm giving at Deepsec this month (http://deepsec.net/schedule.html). The blurb is as follows:
"Intrusion Detection Systems, or IDS for short, have been sold for many years as a solution to stop attackers from both the "inside" of a network and the "outside". There is little doubt that the capabilities of these devices have been oversold, and at their very heart are some implementation problems that have no simple fixes.

The talk looks at one of the underlying problems an IDS faces when conducting packet inspection: reassembly.

Reassembly evasion techniques aim to confuse an IDS during packet inspection, either by supplying data to the IDS that will never be factored in at the receiving end (insertion), or by confusing the IDS's very process of reconstructing the data stream. In essence, reassembly evasion techniques attack the very process of inspection.

From the insertion of rogue nulls to the overlapping and overwriting of the contents of packets, these techniques mean that an IDS has very little chance of being able to catch all bad traffic. Many IDS systems are geared to dealing with a high traffic volume, and any reassembly is going to be both difficult and taxing on system resources, whilst slowing the network down. With very little enumeration a potential attacker can utilise a number of reassembly evasion techniques to aid in the escape of otherwise prohibited traffic.

The aim is to educate the attendees of the talk on what to look out for, and how to better understand the threat faced by IDSs. In short, this talk looks at: Getting The Fragments Out"
See you guys on Thursday.
--
Arron "finux" Finnon
Finux.co.uk - Twitter.com/f1nux - facebook.com/finux
NodeZero Linux Penetration Testing Distribution
finux at netinfinty.org - netinfinity.org
PGP: http://finux.co.uk/finux.asc
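The overlap problem the blurb describes, as an added example that is not part of the original mail or the talk: a minimal stream reassembler run under two overlap policies, plus a check that flags conflicting overlaps on their own. The segments, offsets and signature are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Segment:
    seq: int        # stream offset of the first payload byte
    payload: bytes

def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Flatten segments into one stream.
    'first': the byte seen first wins, later overlaps are ignored.
    'last':  later data overwrites earlier data.
    Real stacks mix both rules depending on where the overlap falls, so a
    sensor has to model the receiving host rather than pick one globally."""
    stream: Dict[int, int] = {}
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = seg.seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    if not stream:
        return b""
    # offsets nothing was received for show up as NUL bytes
    return bytes(stream.get(i, 0) for i in range(max(stream) + 1))

def conflicting_offsets(segments: List[Segment]) -> List[int]:
    """Offsets covered by two segments carrying different bytes. A plain
    retransmission repeats the same data; differing data is worth an alert
    on its own, whatever the signature engine decides."""
    seen: Dict[int, int] = {}
    conflicts = set()
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = seg.seq + i
            if off in seen and seen[off] != byte:
                conflicts.add(off)
            seen.setdefault(off, byte)
    return sorted(conflicts)

def inspect(segments: List[Segment], signature: bytes) -> dict:
    """Match the signature under both policies and report overlap conflicts."""
    hits = {p: signature in reassemble(segments, p) for p in ("first", "last")}
    return {"hits": hits, "conflicts": conflicting_offsets(segments)}

# constructed sample: one clean request, then a "retransmission" of offsets
# 5-7 carrying bytes that differ from the original segment
SAMPLE = [Segment(0, b"GET /etc/passwd HTTP/1.0\r\n"), Segment(5, b"xxx")]
SIGNATURE = b"/etc/passwd"

print(inspect(SAMPLE, SIGNATURE))  # shows one policy hits, the other misses
```

A production sensor additionally has to know which policy the protected host really applies; the point here is that the disagreement between policies is itself observable and can be alerted on.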