
McAfee® Network Security Platform

Combating Advanced Evasion Techniques with Network Security Platform

Revision B

2015

Intel Security, Inc. Network Security Platform

1

Contents

Evasion
How different AETs operate
  SMB and MSRPC
  SMB or MSRPC fragmentation
  SMB padding
  Application layer evasion through document obfuscation
  JavaScript obfuscation
  HTTP UTF-8 encoded content
  HTTP evasion (URL encoding)
  TCP Urgent Pointer
  TCP split handshake
  IP fragmentation
  IP fragmentation with chaff
Testing the effectiveness of Network Security Platform against advanced evasion techniques
Summary


Evasion

Internet protocols are known to be complicated and to allow multiple interpretations during implementation. Attackers use unusual combinations and several evasion tools such as fragroute, whisker, and nikto to evade network security systems. If the network security device used to secure a network uses traditional methods to detect attacks, the attack slips into the network undetected. After this the attacker is able to launch advanced persistent threats (APTs) from a remote location.

How different AETs operate

Each AET is designed to make use of inherent features in a protocol to pass through the network security system undetected. In this document, we will compare the effects of a traditional Intrusion Prevention System (IPS) versus that of Network Security Platform.

To exhibit these effects, we will consider four such AETs:

SMB or MSRPC fragmentation
SMB padding
Application layer evasion through document obfuscation
JavaScript obfuscation
HTTP UTF-8 encoded content
HTTP evasion (URL encoding)
TCP Urgent Pointer
TCP split handshake
IP fragmentation
IP fragmentation with chaff

SMB and MSRPC

Remote procedure call (RPC) is an inter-process communication framework that allows a computer program to cause a subroutine or procedure to execute in another address space (commonly on another computer on a shared network). In effect, it takes on much of the low-level network functions and allows the programmer to focus on the methods and procedures he wants to implement.

Microsoft Windows (Windows) ships in both server and desktop variants. All variants of Windows ship with implementations of numerous network services. The Server service is one such service; it supports file, print, and named-pipe sharing over the network for Windows-based computers. Named-pipe communication is used for RPC because it supports communication between applications running on distributed systems.

There is a buffer overflow vulnerability in the Server service when processing RPC requests. Remote unauthenticated attackers can exploit this vulnerability by sending specially crafted messages to the affected interface. A successful exploitation can lead to arbitrary code execution with system-level privileges.


Server message block (SMB) is a protocol used by Windows for locating and accessing resources such as shares, printers, and computers. Like other protocols, SMB has characteristics that an attacker can leverage to hide malicious traffic that exploits SMB- and MSRPC-based vulnerabilities. In addition, SMB acts as a transport for Microsoft Remote Procedure Call (MSRPC).

The RPC mechanism allows an application to seamlessly invoke remote procedures, as if these procedures were executed locally.

There are two main implementations of the RPC mechanism:

Open Network Computing (ONC) RPC
Distributed Computing Environment (DCE) RPC

MSRPC is the Microsoft implementation of the DCE RPC mechanism. In particular, Microsoft added a new transport protocol for DCE RPC, the ncacn_np transport, which uses named pipes carried over the SMB protocol. For more information about MSRPC, refer to http://www.hsc.fr/ressources/articles/win_net_srv/msrpc_intro.html.

MSRPC uses one or more of the following protocols for transport:

TCP
UDP
HTTP
SMB

For any MSRPC request to be made, the client first contacts the destination and establishes an SMB handshake. Only after the SMB handshake is established can an MSRPC request and response follow. A pictorial illustration of the elements involved in the prelude to an MSRPC request is provided below.

Figure 1: SMB handshake between the client and its destination


SMB or MSRPC fragmentation

After an SMB handshake is successfully completed, an MSRPC request is made. MSRPC requests are used frequently at the backend in Windows. Consider an example in which you attempt to access email using Microsoft Outlook. After you provide credentials, Outlook communicates with an Exchange server in order to download the mails. During this procedure, several MSRPC requests are made to the Exchange server. Or consider another example in which you want to use a network printer to print a document. As soon as you issue a print command, the client makes MSRPC requests to the print server.

An attack can take place either during an SMB handshake or during an MSRPC request. Just as the payload can be fragmented in TCP and IP, it can be fragmented in SMB and MSRPC and spread across multiple fragments. However, unlike TCP and IP, SMB and MSRPC fragments cannot be sent out of order. A traditional IPS that does not support such detection will simply analyze the behavior of completing the handshake and request but will not delve further into these processes.

Once the IPS has validated the SMB handshake and MSRPC request, it proceeds to detect by matching the string with the attack signatures available in its signature set. However, a traditional IPS is unable to reassemble SMB and MSRPC fragments and fails to recognize the attack because parts of the attack are spread over multiple fragments.

The illustration below describes SMB fragmentation.

Figure 2: SMB fragmentation – 1 byte fragments


For instance, if an attacker wants to send some malicious code that contains the characters B, A, and D in it, he might consider sending it as BAD. However, if the IPS contains this attack signature, it will be able to detect and block the attack.

But assume that the MTU size on the path permits 3 bytes at a time. He could simply fragment the traffic and pass it on 1 or 2 bytes at a time to the destination. That is, he could consider sending it as B and then AD, or BA and then D, or B, A, and D. In any case, traffic is sent over multiple fragments as represented in the illustration above. A network security device that is not capable of reassembling that data prior to analysis will allow the malicious traffic to pass through, thereby compromising the network.

MSRPC fragmentation works in much the same way, with the exception that fragmentation is carried out in the MSRPC datagrams. The illustration below describes MSRPC fragmentation.

Network Security Platform detection for SMB or MSRPC fragmentation

Figure 3: Network Security Platform is able to reassemble the payload before detection

Network Security Platform reassembles SMB or MSRPC fragments before the detection process begins and is therefore able to detect the attack.


SMB padding

To keep the SMB payload aligned to a specific memory size, SMB supports the addition of pads within its segments. The pad is inserted between the SMB header and the start of the actual payload.

Figure 4: Illustrative representation of a data pointer in an SMB segment

The SMB header has a data pointer field that shows the start of the actual payload when a pad is present. This means that all data after the SMB header up to the byte the pointer indicates is discarded.

Figure 5: Pads help evade detection by adding characters to the string

Windows discards any pads present and proceeds directly to the payload. However, a traditional IPS that is unable to discard such pads will extract them along with the payload during detection and ultimately allow that traffic to pass through.

An attacker who wants to send malicious code whose string contains the characters B, A, and D can consider padding each of these characters to evade detection. When this string passes through the IPS, it is extracted for detection as padBpadApadD. As a result, a traditional IPS misses the malicious code between each of the pads.


Network Security Platform detection for SMB padding

Figure 6: Network Security Platform discards pads

Network Security Platform is able to detect the presence of pads and skip those bytes before the payload is extracted for detection.
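The two SMB evasions above (1-byte fragments and pad bytes in front of the payload) come down to the same defender requirement: honour the header's data pointer, then reassemble the in-order fragments, and only then match. The following added example, which is not McAfee or Network Security Platform code, models that with a toy SMB-style segment format (a 4-byte magic value plus a 16-bit data-offset field; the layout and the "BAD" signature are this example's own assumptions) and contrasts a per-segment, pad-unaware scan with a normalized one.

```python
# Added example (not McAfee/NSP code): toy SMB-style segments with a data-offset
# field, showing why a sensor must skip pads and reassemble fragments before
# signature matching. Header layout and field sizes are this example's assumptions.
import struct

SIGNATURE = b"BAD"              # the document's example attack string
HDR_FMT = ">4sH"                # constructed header: 4-byte magic + 16-bit data offset
HDR_LEN = struct.calcsize(HDR_FMT)
MAGIC = b"\xffSMB"


def build_segment(payload: bytes, pad: bytes = b"") -> bytes:
    """Build one segment: header, optional pad, then payload. The data-offset
    field counts bytes from the start of the segment to the payload."""
    data_offset = HDR_LEN + len(pad)
    return struct.pack(HDR_FMT, MAGIC, data_offset) + pad + payload


def naive_extract(segment: bytes) -> bytes:
    """What a pad-unaware IPS sees: everything after the fixed-size header."""
    return segment[HDR_LEN:]


def normalized_extract(segment: bytes) -> bytes:
    """What the target stack (and a pad-aware sensor) sees: honour the data offset."""
    magic, data_offset = struct.unpack(HDR_FMT, segment[:HDR_LEN])
    if magic != MAGIC or data_offset < HDR_LEN or data_offset > len(segment):
        raise ValueError("malformed segment")   # a real sensor would alert here
    return segment[data_offset:]


def naive_scan(segments) -> bool:
    """Per-segment string match with the pads left in place."""
    return any(SIGNATURE in naive_extract(s) for s in segments)


def normalized_scan(segments) -> bool:
    """Strip pads, join the in-order fragments, then match once over the stream."""
    return SIGNATURE in b"".join(normalized_extract(s) for s in segments)


def build_evasive_stream():
    """Constructed sample: 'BAD' sent as three 1-byte fragments, each padded,
    i.e. the padBpadApadD case combined with 1-byte fragmentation."""
    return [build_segment(b, pad=b"pad") for b in (b"B", b"A", b"D")]


if __name__ == "__main__":
    stream = build_evasive_stream()
    print("pad-unaware, per-fragment match:", naive_scan(stream))       # False
    print("pad-aware, reassembled match:  ", normalized_scan(stream))   # True
```

The validation in normalized_extract matters as much as the skip: a data offset that points outside the segment is itself an anomaly worth alerting on, which is the behaviour the document later lists as the "SMB Payload Suspicious pad bytes" attack.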

Application layer evasion through document obfuscation

Document obfuscation has become a common method for malware authors to distribute malware and infect networks. Word, Excel, and PDF files are the most commonly used document types. But given the ease with which PDFs are rendered, PDF obfuscation has gained considerable popularity in recent years.

Malicious PDF files are some of the most common threats used to infect users with malware. Network Security Platform focuses much of its attention on proper detection of these files. In contrast, creators of malicious files focus heavily on evading such detection techniques.

Detecting malicious documents is complicated for several reasons:

Basic building blocks of the document, such as objects in PDF files, are complex and have numerous forms.
Streams within documents that show text or images can be compressed and stored in numerous ways.
Most document formats support scripting to some degree. For example, JavaScript in PDF can be heavily obfuscated, concealing the actual code.
Documents support embedding other documents. For example, a malicious executable file can be embedded inside a non-malicious PDF file which, in turn, could be embedded in another document.

Therefore, detection of malicious documents requires your IPS to have several engines that dynamically profile document behavior. In this document, we will look at one of the most prominent document obfuscation techniques: PDF obfuscation using JavaScript and other methods.

PDF obfuscation can be carried out using several approaches.

Name fields, which are the basic building blocks of PDFs, can contain objects inside them which are hex encoded. A traditional IPS looks for ASCII characters when analyzing the Name fields.


String fields within objects can be split across multiple lines. When string fields are split, they become unrecognizable to a traditional IPS.
JavaScript can be encoded using several filters – ascii85, asciihex, lzw, run length encoding, deflate, etc. These filters can be applied to the JavaScript multiple times. Using any of these filters compresses the data, because of which it becomes unrecognizable to a traditional IPS unless the IPS is capable of decompressing it.
Malicious JavaScript can be hidden inside XFA or Annotation fields.
Filter names in objects can be abbreviated.
  o For example, AsciiHexDecode becomes Ahx.

If an IPS is not able to detect such anomalies, a malicious PDF slips into the network.

Among the most common PDF exploits, attackers prefer to use some form of embedded JavaScript. For example, string replacements, try-catch exceptions, and fromCharCode loops all work in PDF files as well. The screenshot below shows how some of these techniques are used. This particular exploit targets

Figure 7: Common JavaScript evasion / obfuscation techniques

(Image courtesy: http://blog.trendmicro.com/trendlabs-security-intelligence/malicious-pdf-analysis-evasion-techniques/)

Network Security Platform detection for PDF obfuscation

NSP has been designed to detect malicious PDFs even when the above-mentioned obfuscation methods are used. Decoders for frequently used JavaScript encoding/compression techniques are applied, and NSP can locate JavaScript hidden in locations such as XFA and Annotations.

Network Security Platform detection for JavaScript in PDF obfuscation

Even if the vulnerability being exploited is not in Acrobat's JavaScript engine, JavaScript still plays a significant role in creating a malicious PDF. The extraction and analysis of embedded JavaScript is therefore important for detecting PDF-based threats.
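The PDF obfuscations listed above (hex-escaped names, strings split across lines, stacked stream filters, abbreviated filter names) are each trivial to undo once a parser is format-aware; what defeats a plain string match is that the raw bytes never contain the token being searched for. The following added example, which is not NSP code, normalizes constructed PDF objects before matching: it resolves #xx escapes in names, rejoins backslash-continued strings, and decodes a stream through an ASCIIHexDecode plus FlateDecode chain written with the abbreviated names. The sample objects and the "app.alert" marker are constructed for the example; accepting the inline-image abbreviations anywhere in a file is an assumption about lenient readers, as is the choice to stop at these three filters.

```python
# Added example (not NSP code): normalizes the PDF obfuscations described above
# so that a /JavaScript action hidden behind hex-escaped names, split strings and
# stacked stream filters can be matched. Objects below are constructed inline.
import base64
import binascii
import re
import zlib

# Full filter names plus the abbreviations the document mentions (assumption: we
# accept the inline-image abbreviations anywhere, as lenient readers do).
FILTER_ALIASES = {"AHx": "ASCIIHexDecode", "Ahx": "ASCIIHexDecode",
                  "A85": "ASCII85Decode", "Fl": "FlateDecode"}


def decode_name(name: str) -> str:
    """Resolve #xx hex escapes in a PDF name: /J#61vaScript -> /JavaScript."""
    return re.sub(r"#([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), name)


def apply_filters(data: bytes, filters) -> bytes:
    """Undo a /Filter chain in the order listed (decoding order per the PDF spec)."""
    for f in filters:
        f = FILTER_ALIASES.get(decode_name(f), decode_name(f))
        if f == "ASCIIHexDecode":
            hexdata = re.sub(rb"[^0-9A-Fa-f]", b"", data.split(b">", 1)[0])
            data = binascii.unhexlify(hexdata + (b"0" if len(hexdata) % 2 else b""))
        elif f == "ASCII85Decode":
            data = base64.a85decode(data.split(b"~>", 1)[0], adobe=False)
        elif f == "FlateDecode":
            data = zlib.decompress(data)
        else:
            raise ValueError(f"unsupported filter {f}")   # LZW, RunLength etc. not modelled
    return data


def parse_filters(dict_text: str):
    """Read /Filter /Name or /Filter [/A /B] from an (already normalized) dictionary."""
    m = re.search(r"/Filter\s*(\[(?:\s*/[^\s/\]]+)+\s*\]|/[^\s/>]+)", dict_text)
    return re.findall(r"/([^\s/\]\[>]+)", m.group(1)) if m else []


def normalize_dictionary(text: str) -> str:
    """Rejoin strings split with a trailing backslash, decode hex-escaped names,
    and collapse whitespace so that name matching is reliable."""
    text = re.sub(r"\\\r?\n", "", text)
    text = re.sub(r"/[^\s/<>\[\]()]+", lambda m: decode_name(m.group(0)), text)
    return re.sub(r"\s+", " ", text)


def normalize_object(obj: bytes) -> bytes:
    """Return what a document-aware engine scans: normalized dictionary plus
    the fully decoded stream body, if the object carries one."""
    head, sep, tail = obj.partition(b"stream")
    dict_text = normalize_dictionary(head.decode("latin-1"))
    if not sep:
        return dict_text.encode("latin-1")
    body = tail.lstrip(b"\r\n").split(b"endstream")[0].rstrip(b"\r\n")
    return dict_text.encode("latin-1") + b"\n" + apply_filters(body, parse_filters(dict_text))


MARKERS = (b"/JavaScript", b"app.alert")   # constructed signature tokens


def naive_hit(obj: bytes) -> bool:
    """Raw string match, as a traditional IPS would do."""
    return any(m in obj for m in MARKERS)


def normalized_hit(obj: bytes) -> bool:
    """Match after format-aware normalization."""
    normalized = normalize_object(obj)
    return any(m in normalized for m in MARKERS)


def build_samples():
    """Constructed objects, not taken from any real file: a plain JavaScript action,
    one with a hex-escaped name and a split string, and a stream encoded with
    Flate then ASCIIHex, declared with abbreviated filter names."""
    js = b"app.alert('constructed sample');"
    stream_body = binascii.hexlify(zlib.compress(js)) + b">"
    return {
        "plain": b"<< /S /JavaScript /JS (app.alert('hi')) >>",
        "hexname": b"<< /S /J#61vaScript /JS (app.al\\\nert('hi')) >>",
        "stream": b"<< /Type /EmbeddedFile /F#69lter [/AHx /Fl] >>\nstream\n"
                  + stream_body + b"\nendstream",
    }


if __name__ == "__main__":
    for label, obj in build_samples().items():
        print(f"{label:8s} raw match: {naive_hit(obj)!s:5s} normalized: {normalized_hit(obj)}")
```

Note that the hex-escaped name and the abbreviated filter names are only ever applied to names (tokens beginning with /), so the normalizer leaves literal strings alone apart from rejoining the line continuation; that is what keeps the decoded stream contents searchable without mangling them.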

JavaScript obfuscation

Consider a simple Hello World program in JavaScript. In its plain form, a traditional IPS sees the string Hello World directly, as alert("Hello World").

The equivalent obfuscated version in JavaScript looks as follows.

```javascript
// Obfuscated sample as printed in the document, rejoined onto unbroken lines;
// when run it reconstructs and evaluates alert("Hello World");
var _1204;var _2288='120B105E146A1044F1099C1064F1129A1139C759C729A919D1064F1099D1099E1114C719E994B1114F1129F1099D1059A729D764A854A';var _1804=/[\x41\x42\x43\x44\x45\x46]/;var _8663=2;var _5586=_2288.charAt(_2288.length-1);var _5657;var _2069=_2288.split(_1804);var _9062=[String.fromCharCode,isNaN,parseInt,String];_2069[1]=_9062[_8663+1](_9062[_8663](_2069[1])/21);var _6574=(_8663==8)?String:eval;_5657='';_11=_9062[_8663](_2069[0])/_9062[_8663](_2069[1]);for(_1204=3;_1204<_11;_1204++)_5657+=(_9062[_8663-2]((_9062[_8663](_2069[_1204])+_9062[_8663](_2069[2])+_9062[_8663](_2069[1]))/_9062[_8663](_2069[1])-_9062[_8663](_2069[2])+_9062[_8663](_2069[1])-1));var _2799='_5900';var _5430='_2799=_5657';function _1039(_6946){_6574(_7060);_1039(_7196);_7196(_5430);_1039(_2799);}var _7060='_1039=_6574';var _7196='_7196=_1039';_1039(_5586);
```

A traditional IPS will fail to detect Hello World in this obfuscated program.

Network Security Platform detection for JavaScript obfuscation

NSP does not perform a string match here. Instead, it executes the JavaScript within a JavaScript VM and profiles its runtime behavior to determine whether it is malicious. NSP is able to detect malicious code in spite of JavaScript obfuscation, and ignores the JavaScript if it is not malicious. Further, it does not automatically trigger an alert for JavaScript obfuscation if the traffic is not malicious.

HTTP UTF-8 encoded content

Any browser needs to know what character set to use to decode a page and render it correctly. In order to support multiple languages, several character encodings are used. In a typical attack sequence exploiting this evasion, the attacker encodes the contents of the HTML page using UTF-8. In this scheme the character A, for example, can be represented either as 41 or as c1a1.


A traditional IPS will search for the character A and will miss it if it has been encoded.

Network Security Platform detection for HTTP UTF-8 evasion

NSP is designed to look at the Content-Type field of the HTTP header, which contains information about the nature of the data in the body of the webpage. The charset subfield in the header indicates which character set is used to encode the webpage. This gives NSP the insight it needs to decode the page: NSP parses these fields and invokes the appropriate character decoder based on the charset field.
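The detection logic described above has two parts: read the charset from the Content-Type header, then decode the body with that charset before matching. The following added example, which is not NSP code, does both for a constructed HTTP response whose body spells a signature token in overlong two-byte UTF-8 sequences (the same idea as the document's alternative encoding of A). The lenient decoder that accepts overlong forms is this example's own model of a permissive renderer; strict decoders such as Python's built-in one reject such sequences, and which forms a given browser or server accepts is exactly what a sensor has to know about its protected hosts.

```python
# Added example (not NSP code): choose the decoder from the Content-Type charset
# and decode the body before matching, including the overlong UTF-8 forms the
# document describes. The HTTP response and the lenient decoder are constructed
# for this example; real stacks differ in which overlong forms they accept.
import re

SIGNATURE = "<SCRIPT>"     # constructed signature fragment


def charset_from_headers(raw_headers: bytes) -> str:
    """Extract the charset parameter of Content-Type; default to ISO-8859-1."""
    m = re.search(rb'(?im)^content-type:[^\r\n]*?charset="?([\w-]+)', raw_headers)
    return m.group(1).decode("ascii").lower() if m else "iso-8859-1"


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decoder that ACCEPTS overlong sequences (e.g. C1 81 -> 'A'), modelling
    a permissive renderer. Malformed bytes become U+FFFD instead of raising."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 0, b
        elif b & 0xE0 == 0xC0:
            n, cp = 1, b & 0x1F
        elif b & 0xF0 == 0xE0:
            n, cp = 2, b & 0x0F
        elif b & 0xF8 == 0xF0:
            n, cp = 3, b & 0x07
        else:                      # stray continuation byte or invalid lead byte
            out.append("\ufffd")
            i += 1
            continue
        i += 1
        for _ in range(n):         # consume continuation bytes (10xxxxxx)
            if i >= len(data) or data[i] & 0xC0 != 0x80:
                cp = 0xFFFD
                break
            cp = (cp << 6) | (data[i] & 0x3F)
            i += 1
        out.append(chr(cp))
    return "".join(out)


def decode_body(raw_headers: bytes, body: bytes) -> str:
    """Decode the body with the declared charset (lenient path for UTF-8)."""
    charset = charset_from_headers(raw_headers)
    if charset == "utf-8":
        return lenient_utf8_decode(body)
    return body.decode(charset, errors="replace")


def naive_match(body: bytes) -> bool:
    """Byte match on the raw body, as a traditional IPS would do."""
    return SIGNATURE.encode("ascii") in body


def decoded_match(raw_headers: bytes, body: bytes) -> bool:
    """Match after decoding with the charset the header declares."""
    return SIGNATURE in decode_body(raw_headers, body)


def build_response():
    """Constructed response: '<SCRIPT>' with each letter as an overlong 2-byte
    UTF-8 sequence, so the raw bytes never contain the ASCII token."""
    def overlong(ch: str) -> bytes:
        cp = ord(ch)
        return bytes([0xC0 | (cp >> 6), 0x80 | (cp & 0x3F)])
    headers = b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n"
    body = b"<" + b"".join(overlong(c) for c in "SCRIPT") + b">alert(1)</SCRIPT>"
    return headers, body


if __name__ == "__main__":
    hdrs, body = build_response()
    print("charset:", charset_from_headers(hdrs))
    print("raw byte match:", naive_match(body))          # False
    print("decoded match: ", decoded_match(hdrs, body))  # True
```

A defensive sensor can also do the reverse: treat an overlong sequence as an anomaly in its own right and alert on it, since well-formed encoders never produce one.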

HTTP evasion (URL encoding)

A URL sent to a webserver fetches webpages from that webserver using an HTTP GET request. When you type a URL in the address bar, the browser requests the appropriate webpages for display.

An attacker uses URLs for other actions, such as displaying information from specific directories or executing certain commands on the webserver. To evade network security devices, an attacker can encode or obfuscate URLs. The default behavior of a recipient HTTP server is to normalize such URLs.

A traditional IPS that is not able to emulate the behavior of a webserver is not able to normalize URLs prior to detection, thereby allowing such attacks to penetrate network defenses.

HTTP evasion is illustrated using a few examples.

| HTTP evasion | Original string | When encoded becomes… |
|---|---|---|
| HTTP URL hex encoding | GET /index.html | GET /%69%6e%64%65%78%2e%68%74%6d%6c |
| HTTP URL UTF encoding | GET /index.html | GET /%u0069%u006e%u0064%u0065%u0078%u002e%u0068%u0074%u006d%u006c |
| HTTP URL with self-referential paths | GET /index.html | GET /././index.html |
| HTTP URL with fake directories in the path | GET /index.html | GET /FAKE../index.html |
| HTTP URL with multiple spaces and tabs | GET /index.html HTTP/1.0 | GET   /index.html   HTTP/1.0 |
| HTTP absolute URL | GET /index.html | GET http://192.168.1.10/index.html HTTP/1.0 |

Table 1: HTTP evasion techniques

In all the examples above except the last one, a webserver normalizes an encoded or obfuscated URL and parses it as the original URL. A traditional IPS is not able to emulate this behavior and is, as a result, not able to match the string with any of the attack signatures.


Alternate method of HTTP evasion

HTTP supports different verbs such as GET, POST, PUT, and HEAD for actions such as fetching a page, sending data, or requesting only the HTTP server's headers. In certain URL-based vulnerabilities, where the trigger for the vulnerability lies in the URL, any of these verbs can be used along with the malicious URL to send a request to the webserver and trigger the vulnerability. For example, if a URL that is greater than 128 bytes triggers a buffer overflow in a webserver, an attacker can send any of the following requests to turn that vulnerability into an attack.

GET /home/aaaaaaaaaaaaaa[more than 256 times] HTTP/1.0
POST /home/aaaaaaaaaaaaaa[more than 256 times] HTTP/1.0
PUT /home/aaaaaaaaaaaaaa[more than 256 times] HTTP/1.0

Most commonly, the IPS is programmed to look only for GET /home/aaaaaaaaaaaaaa[more than 256 times] HTTP/1.0.

Network Security Platform detection for HTTP evasion using URL encoding

Network Security Platform is able to normalize encoded or obfuscated URLs prior to detection. During detection, these URLs match the malicious URL strings present in attack signatures, thereby blocking the attack.

As an administrator, you are able to configure your IPS to detect requests with verbs such as POST and PUT as well, so that the signature focuses only on the URL.
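Both points above, the Table 1 encodings and the verb variation, are handled by normalizing the request line into (method, path, version) the way a lenient server does and then matching on the path alone. The following added example, which is not NSP code, implements that normalization: percent decoding, %uXXXX decoding, dot-segment removal, whitespace collapsing and absolute-URL reduction. The %u form and the fake-directory case model particular server behaviours rather than a universal rule, and the fake-directory row is written here with an explicit parent segment (/FAKE/../index.html), an assumption about what the table's row stands for; the request lines are constructed from Table 1.

```python
# Added example (not NSP code): normalizes HTTP request lines the way a lenient
# web server does before they reach its handler, so that one signature matches
# every encoded variant from Table 1 and every verb. The %u decoding and the
# /FAKE/../ handling model specific server behaviour and are assumptions.
import re
from urllib.parse import unquote

SIGNATURE = "/index.html"   # the document's target path


def decode_percent_u(s: str) -> str:
    """Resolve %uXXXX escapes (as some servers historically did) to characters."""
    return re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)


def remove_dot_segments(path: str) -> str:
    """Resolve '.' and '..' segments and collapse empty ones, as a server would:
    /././index.html and /FAKE/../index.html both become /index.html."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def normalize_request_line(line: str):
    """Return (method, path, version) after the normalizations a server applies."""
    parts = re.split(r"[ \t]+", line.strip()) + ["", ""]   # collapse spaces/tabs
    method, target, version = parts[:3]
    target = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*", "", target) or "/"  # absolute URL -> path
    path, sep, query = target.partition("?")
    path = remove_dot_segments(unquote(decode_percent_u(path)))
    return method.upper(), path + (sep + query if sep else ""), version


def naive_match(line: str) -> bool:
    """Byte-for-byte signature match on the raw request line, GET only."""
    return line.startswith("GET " + SIGNATURE)


def normalized_match(line: str) -> bool:
    """Match on the normalized path for any verb, as the document recommends."""
    _method, path, _version = normalize_request_line(line)
    return path == SIGNATURE


# Constructed from Table 1 plus a POST variant; the whitespace row uses real tabs.
TABLE_1 = [
    "GET /%69%6e%64%65%78%2e%68%74%6d%6c",
    "GET /%u0069%u006e%u0064%u0065%u0078%u002e%u0068%u0074%u006d%u006c",
    "GET /././index.html",
    "GET /FAKE/../index.html",
    "GET  \t/index.html \t HTTP/1.0",
    "GET http://192.168.1.10/index.html HTTP/1.0",
    "POST /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in TABLE_1:
        print(f"{naive_match(line)!s:5s} {normalized_match(line)!s:5s} {line!r}")
```

The order of operations is deliberate: decode escapes first, then resolve dot segments, because %2e%2e only becomes a parent reference after decoding. Doing it the other way round is itself a normalization mismatch an attacker can exploit.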

TCP Urgent Pointer

Urgent data refers to data that should be processed as soon as possible, even before "normal" data that may be waiting. The presence of urgent data is signified by setting the urgent flag. If the urgent flag is set, it indicates that the urgent pointer is valid and points to that data.

Figure 8: TCP urgent pointer refers to the last byte

Urgent data may also be referred to as out-of-band data, and the urgent pointer refers to the last byte of such data. Protocols such as SMB and HTTP ignore such data. A traditional IPS does not ignore this data, because of which it becomes part of the reassembled payload used for detection and can, as a result, cause malicious code to evade detection.


Figure 9: Traditional IPS detection of a string with urgent data

Picking up an example similar to BAD (see SMB or MSRPC fragmentation), the string "BAD" could be split across three segments, each of which begins with a byte of urgent data, "X". If this urgent data is not ignored, the reassembled payload will appear as "XB XA XD". The string, when extracted by a traditional IPS, will appear as XBXAXD. The IPS matches this extracted string against its attack signatures, does not find anything malicious, and allows it to pass through.

Network Security Platform detection for TCP urgent pointer evasion

Figure 10: Network Security Platform ignores urgent data during reassembly

At the time of TCP stream reassembly, Network Security Platform ignores urgent data for SMB and other protocols known to ignore it.
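The reassembly behaviour described above can be stated precisely: order segments by sequence number, and for segments carrying URG drop the bytes the urgent pointer covers when the application protocol is one that discards out-of-band data. The following added example, which is not NSP code, does that for constructed segments carrying the document's "XB XA XD" stream, delivered out of order. It assumes the RFC 793 reading of the pointer (the urgent bytes are payload[:urg_ptr]); RFC 1122 instead defines the pointer as the offset of the last urgent byte, so real stacks differ by one byte, and a sensor has to model whichever interpretation the protected host uses.

```python
# Added example (not NSP code): TCP stream reassembly that discards urgent data
# for protocols known to ignore it, fed with constructed segments that carry the
# document's "XB XA XD" evasion out of order. Assumption: the urgent pointer is
# read as in RFC 793 (urgent bytes are payload[:urg_ptr]); stacks that follow
# RFC 1122 treat it as the offset of the last urgent byte, one byte more.
from dataclasses import dataclass
from typing import List

URG = 0x20        # TCP URG flag bit
SIGNATURE = b"BAD"


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    flags: int
    urg_ptr: int      # only meaningful when flags & URG
    payload: bytes


def reassemble(segments: List[Segment], strip_urgent: bool) -> bytes:
    """Order segments by sequence number and concatenate their payloads.
    strip_urgent=True drops the out-of-band bytes, as SMB/HTTP receivers do;
    strip_urgent=False keeps them, as the document's traditional IPS does."""
    data = bytearray()
    expected = None
    for seg in sorted(segments, key=lambda s: s.seq):
        if expected is not None and seg.seq != expected:
            raise ValueError(f"gap or overlap at seq {seg.seq}")   # real sensors alert here
        expected = seg.seq + len(seg.payload)
        payload = seg.payload
        if strip_urgent and seg.flags & URG:
            payload = payload[min(seg.urg_ptr, len(payload)):]
        data += payload
    return bytes(data)


def naive_scan(segments) -> bool:
    """Signature match over a stream that still contains the urgent bytes."""
    return SIGNATURE in reassemble(segments, strip_urgent=False)


def urgent_aware_scan(segments) -> bool:
    """Signature match over the stream the application actually sees."""
    return SIGNATURE in reassemble(segments, strip_urgent=True)


def build_evasive_segments():
    """Constructed: 'BAD' over three segments, each prefixed by one urgent byte 'X',
    handed to the sensor out of order to exercise the sequence-number sort."""
    segs = [Segment(seq=1, flags=URG, urg_ptr=1, payload=b"XB"),
            Segment(seq=3, flags=URG, urg_ptr=1, payload=b"XA"),
            Segment(seq=5, flags=URG, urg_ptr=1, payload=b"XD")]
    return [segs[2], segs[0], segs[1]]


if __name__ == "__main__":
    stream = build_evasive_segments()
    print("kept urgent bytes:  ", reassemble(stream, strip_urgent=False), naive_scan(stream))
    print("dropped urgent bytes:", reassemble(stream, strip_urgent=True), urgent_aware_scan(stream))
```

Because the stripping decision depends on the application protocol, the sensor needs the port-to-protocol mapping (or protocol detection) before it can reassemble correctly; the document's later alert "TCP: Anomalous Urgent Flag Set without ACK" is the complementary check that flags URG use which no legitimate client would produce.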

TCP split handshake

The TCP three-way handshake is used by TCP to set up a TCP/IP connection over an Internet Protocol-based network. TCP's three-way handshaking technique is often referred to as "SYN, SYN-ACK, ACK" because three messages are transmitted by TCP to negotiate and start a TCP session between two computers (in the context of this document, we will be considering a client and an HTTP server).

Figure 11: A traditional TCP three-way handshake

The TCP handshaking mechanism is designed so that two computers attempting to communicate can negotiate the parameters of the network TCP socket connection before transmitting data such as SSH and HTTP web browser requests.

In addition to this formally accepted handshake, there is also another method of establishing a TCP/IP connection between a client and a server. This is a legitimate, yet rarely adopted, method known as a simultaneous-open handshake.

Figure 12: A simultaneous open connection

With this connection, both the client and the server send a SYN packet to each other at about the same time. Then both sides send ACK packets to each other in response. This unconventional variant of the TCP handshake is not practiced much in the real world, but is accepted by the RFC as a legitimate way to start a TCP connection.


In a TCP split handshake evasion, the attacker uses the concept of a simultaneous-open handshake. The attacker is the server that is seeking to gain access to a network.

Figure 13: A traditional IPS is not able to differentiate this behavior

Essentially, a client sends a SYN packet to a server, intending to complete a normal three-way handshake. However, rather than completing the client's three-way handshake, a malicious server starts by replying as though it were performing a simultaneous-open connection, and then starts its own three-way handshake in the other direction, from server to client. A traditional IPS is confused into analyzing this behavior as the initiation of a fresh three-way handshake. Consequently the attacker is able to gain control over the client.

Network Security Platform detection for TCP split handshake evasion

Figure 14: Network Security Platform can distinguish this behavior as a potential threat

Apart from the regular TCP handshake, Network Security Platform is able to detect a split handshake and any attack that happens across such a connection.
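What separates the three openings described above is visible entirely in the SYN/ACK flag sequence and in who sent the first SYN, so a sensor can classify the handshake and keep the original client/server roles instead of restarting its tracking when the "server" sends its own SYN. The following added example, which is not NSP code, does that classification over constructed packet traces for a normal three-way handshake, a simultaneous open and a split handshake, and contrasts it with a tracker that restarts on every bare SYN (the behaviour the document attributes to a traditional IPS). Endpoint addresses are constructed.

```python
# Added example (not NSP code): classify a TCP connection setup from the flags
# the sensor sees and pin the client/server roles to the first SYN sender, so a
# split handshake is not mistaken for a fresh handshake started by the server.
SYN, ACK = 0x02, 0x10
SYN_ACK = SYN | ACK


def classify_handshake(packets):
    """packets: list of (src, dst, flags) in capture order.
    Returns (kind, client, server) with kind one of 'three-way',
    'simultaneous-open', 'split' or 'incomplete'. The client is always the
    endpoint that sent the first bare SYN, whatever happens afterwards."""
    if not packets or packets[0][2] & SYN_ACK != SYN:
        return ("incomplete", None, None)
    client, server = packets[0][0], packets[0][1]
    from_client = lambda p: p[0] == client
    seen = lambda side, want: any(side(p) and p[2] & SYN_ACK == want for p in packets)
    from_server = lambda p: not from_client(p)
    server_bare_syn = seen(from_server, SYN)
    server_synack = seen(from_server, SYN_ACK)
    server_ack = seen(from_server, ACK)
    client_synack = seen(from_client, SYN_ACK)
    client_ack = seen(from_client, ACK)
    if not server_bare_syn and server_synack and client_ack:
        return ("three-way", client, server)
    if server_bare_syn and client_synack and server_synack:
        return ("simultaneous-open", client, server)
    if server_bare_syn and client_synack and server_ack and not server_synack:
        # The server answered a SYN with its own SYN and then let the client
        # complete the reversed handshake: the split handshake pattern.
        return ("split", client, server)
    return ("incomplete", client, server)


def naive_roles(packets):
    """A tracker that restarts on every bare SYN, as the document describes for a
    traditional IPS: the last bare-SYN sender is taken to be the client."""
    client = server = None
    for src, dst, flags in packets:
        if flags & SYN_ACK == SYN:
            client, server = src, dst
    return (client, server)


def build_traces():
    """Constructed traces for the three setups discussed in the text."""
    c, s = "10.0.0.5:51234", "203.0.113.7:80"   # constructed endpoints
    return {
        "three-way": [(c, s, SYN), (s, c, SYN_ACK), (c, s, ACK)],
        "simultaneous-open": [(c, s, SYN), (s, c, SYN), (c, s, SYN_ACK), (s, c, SYN_ACK)],
        "split": [(c, s, SYN), (s, c, SYN), (c, s, SYN_ACK), (s, c, ACK)],
    }


if __name__ == "__main__":
    for name, trace in build_traces().items():
        kind, client, server = classify_handshake(trace)
        print(f"{name:18s} -> {kind:18s} client={client} naive client={naive_roles(trace)[0]}")
```

The practical consequence of getting the roles right is that any signature written for server-to-client traffic (a malicious HTTP response, for instance) is still applied in the correct direction once the split handshake completes; a tracker that flipped the roles would evaluate the attacker's payload as if it were client request data.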


IP fragmentation

The MTU size of a link determines whether a datagram needs to be fragmented into smaller units. If the MTU allowed by the link is smaller than the original datagram size, IP uses fragmentation so that packets may be formed to pass through the link. An attacker can deliberately fragment an IP packet so that it is spread across multiple fragments.

Figure 15: IP fragmentation

An attacker can exploit this feature to evade a network security device. He can use an evasion tool to fragment the original attack packets. He can then use one of the following techniques to send out the fragments:

All fragments are sent in the:
  proper order (increasing values for frag offset)
  reverse order (decreasing values for frag offset)
  proper order except the first fragment, which is sent last
  proper order except the last fragment, which is sent first
Fragments are shuffled and sent out of order


Figure 16: IP datagram fragmented

Assume that the malicious code contains ATTACK in its IP datagram. It will be fragmented as shown in Fig 15. A traditional IPS cannot reassemble fragments to detect the attack. It will examine the traffic as separate frames and therefore allow the attack to slip through.

Network Security Platform detection for IP fragmentation evasion

Figure 17: Network Security Platform is able to reassemble fragments before detection

Network Security Platform is able to reassemble the malicious string and consequently detects the attack.


IP fragmentation with chaff

Just as in IP fragmentation, an attacker uses an evasion tool to fragment the original IP datagram that contains the attack. After fragmenting the packet, the attacker interleaves chaff packets with the fragments.

Figure 18: IP fragmentation with chaff means a traditional IPS will analyze traffic with chaff

A chaff packet is an invalid packet which will be ignored by the target stack based on the checks mentioned below. The chaff can contain any one of the following anomalies, because of which it is ignored:

A bad checksum, so it gets dropped by the target stack.
A small TTL, because of which it expires before it reaches the target.
An invalid options field, because of which it is dropped by the target stack.

A traditional IPS does not perform the same validation on chaff packets. Therefore, the invalid payload in the chaff becomes part of the reassembled stream at the IPS and evades the detection mechanism.


Network Security Platform detection for IP fragmentation with chaff evasion

Figure 19: Network Security Platform analyzes the attack by disregarding chaff

At the time of reassembly, all IP header fields are checked for valid content before the payload is used for detection. If a packet is suspected to be chaff because of an invalid checksum, TTL, or any other reason, it is dropped and the invalid payload carried by it is ignored.
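The two IP-layer sections above (out-of-order fragments, then chaff interleaved with them) describe one reassembler with one extra rule: validate each fragment's header the way the target stack will before placing its payload at its offset. The following added example, which is not NSP code, builds real IPv4 fragment headers with struct, verifies the header checksum, walks the options TLV list and applies a TTL threshold, and contrasts a reassembler that trusts every fragment with one that discards chaff. The "ATTACK" datagram, the chaff and the endpoint addresses are constructed; the minimum TTL needed to reach the target is an assumption a deployed sensor would have to learn from its placement, and "first writer wins" is one of several overlap policies real stacks use.

```python
# Added example (not NSP code): IPv4 fragment reassembly that validates each
# fragment's checksum, TTL and options before use, versus a reassembler that
# trusts every fragment. Headers are built with struct; the chaff fragments carry
# a bad checksum, a too-small TTL, or a truncated option, with garbage in the slot
# where 'ATTACK' belongs. Assumption: the sensor knows the minimum TTL that still
# reaches the target (MIN_TTL_TO_TARGET).
import struct

MIN_TTL_TO_TARGET = 4          # assumption: hops between sensor and target
SIGNATURE = b"ATTACK"
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])   # constructed addresses


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement sum over 16-bit words; 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(ident, offset8, more, payload, ttl=64, bad_checksum=False, options=b""):
    """Build one IPv4 fragment. offset8 is the fragment offset in 8-byte units."""
    ihl = 5 + len(options) // 4
    flags_frag = (0x2000 if more else 0) | (offset8 & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      ident, flags_frag, ttl, 17, 0, SRC, DST) + options
    csum = ipv4_checksum(hdr)
    if bad_checksum:
        csum = (csum + 1) & 0xFFFF
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def options_valid(options: bytes) -> bool:
    """Walk the options TLV list as a receiving stack would; reject truncated ones."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:               # end of option list
            return True
        if kind == 1:               # NOP
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False
        i += options[i + 1]
    return True


def parse_fragment(pkt: bytes) -> dict:
    """Decode the fields the reassembler needs and run the validity checks."""
    ihl = (pkt[0] & 0x0F) * 4
    _vi, _tos, total_len, ident, flags_frag, ttl, _proto, _csum = struct.unpack("!BBHHHBBH", pkt[:12])
    return {"ident": ident, "offset": (flags_frag & 0x1FFF) * 8, "more": bool(flags_frag & 0x2000),
            "ttl": ttl, "checksum_ok": ipv4_checksum(pkt[:ihl]) == 0,
            "options_ok": options_valid(pkt[20:ihl]), "payload": pkt[ihl:total_len]}


def reassemble(packets, validate: bool) -> bytes:
    """Place payloads at their offsets regardless of arrival order; first writer
    wins. With validate=True, chaff is discarded before it can occupy a slot."""
    slots = {}
    for pkt in packets:
        f = parse_fragment(pkt)
        if validate and not (f["checksum_ok"] and f["ttl"] >= MIN_TTL_TO_TARGET and f["options_ok"]):
            continue
        slots.setdefault(f["offset"], f["payload"])
    return b"".join(slots[o] for o in sorted(slots))


def build_traffic():
    """Constructed: a 16-byte datagram containing 'ATTACK' split into two 8-byte
    fragments sent in reverse order, preceded by three chaff fragments that each
    fail exactly one of the checks the document lists."""
    chaff = [build_fragment(7, 0, True, b"X" * 8, bad_checksum=True),
             build_fragment(7, 1, False, b"Y" * 8, ttl=1),
             build_fragment(7, 0, True, b"Z" * 8, options=b"\x83\x10\x00\x00")]   # LSRR, length 16, only 4 bytes present
    real = [build_fragment(7, 1, False, b"ACKyyyyy"), build_fragment(7, 0, True, b"xxxxxATT")]
    return chaff + real


if __name__ == "__main__":
    traffic = build_traffic()
    print("trusting reassembly:  ", reassemble(traffic, validate=False), SIGNATURE in reassemble(traffic, False))
    print("validating reassembly:", reassemble(traffic, validate=True), SIGNATURE in reassemble(traffic, True))
```

The TTL check is the one a sensor cannot do purely from the packet: whether a TTL of 1 expires before the target depends on where the sensor sits, which is why the document's alert names for this class talk about "suspected" chaff rather than certain invalidity.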

Testing the effectiveness of Network Security Platform against advanced evasion techniques

If you want to test the effectiveness of McAfee Network Security Platform against advanced evasion techniques, you can do so using an advanced evasion technique testing tool. For this document, we will illustrate this test using McAfee (Stonesoft) Evader.

The test environment used for this test is similar to that used during NSS testing. McAfee Network Security Platform achieved 100% detection during NSS Labs testing.

Prerequisites:

You will need to make sure you are using the following versions of software and signature set:

1. Sensor
   M-Series: 8.1.3.52 or later
   NS-Series: 8.1.5.59 or later
2. Manager: 8.1.7.5 or later
3. Signature set: 8.7.46.3 or later
4. Evader: 2013_4_594 or later


Configure Sensor policy

You must configure your Sensor to use the All-Inclusive-with-Audit policy or a clone of this policy.

To optimize the number of alerts you receive and minimize the number of low-severity alerts, you will need to follow these steps.

1. Log on to your Manager and go to Policy | <Admin Domain Name> | Intrusion Prevention | IPS Policies.
2. Select the All-Inclusive-With-Audit polic<br>y or an unmodified clone and click View/Edit.
3. In the policy editing window that appears, click the Severity column header to sort by severity.
4. Beginning at the top of the list, use the shift key and the down arrow key to select all attacks that are categorized as 0 (Info) and 1 (Low).
5. Right-click in the list and select Disable.
   All the selected attacks should now show the X (disabled) symbol.
6. Now search for the attacks listed below and enable just those attacks:
   0x4070d200 – NETBIOS-SS: Microsoft Server Service Remote Code Execution Vulnerability (Info)
   0x4070d000 – NETBIOS-SS: Potential DCERPC Big Endian Evasion
   0x4070d100 – NETBIOS-SS: Potential TCP Segmentation Evasion
   0x4070cf00 – NETBIOS-SS: Potential TCP URG Pointer Evasion
   0x4070ca00 – NETBIOS-SS: Suspicious SRVSVC Call
   0x00010300 – TCP: Small Window Packets Detected
   0x40011400 – TCP: Illegal Packet Missing SYN, ACK or RST fields
   0x40011500 – TCP: Anomalous Urgent Flag Set without ACK
   0x00009e00 – TCP: 3-Way Handshake PAWS Fail Dos
7. Click Save to complete your configuration.

For details about activating this policy, refer to the 7.x or 8.x NSP IPS Administration Guide.

Note that, because the Evader tool can generate attacks using randomized sets of evasion techniques, it is possible to get a minor difference in results when it is run for an extended period of time. It is suggested that this tool be used as a means of comparing the relative performance of several products, running the test multiple times for each product. This will provide an understanding of the comparative ability of each product tested to detect and block attacks that are masked with these techniques.

After you have made sure of the above prerequisites, follow the steps below.

1. Use the McAfee (Stonesoft) User Guide to install and set up the Evader test environment.
2. After your deployment of Network Security Platform is complete, verify that you have made the following settings in the Manager before using Evader:
   a. Under Policy | Advanced | TCP Settings, set TCP flow Violation to DENY. Configuring this setting ensures that TCP flow violations will be dropped.


   b. Under Policy | Advanced | TCP Settings, set Cold Start Drop Action to DROP.
   c. Under IPS Interfaces | <Interface or sub-interface Name> | Protection Profile | Advanced Traffic Inspection, enable the following:
      Inspect MS RPC/SMB fragments for malicious payload
   d. While running the Conficker test, go to the Manager and configure the response action as blocked with TCP RST of the source and the destination IP addresses for the following attacks:
      0x47602f00 – DCERPC: Suspicious DCERPC Call
      0x4021c500 – HTTP: phpBB Viewtopic.php Remote Command Execution
      0x4023a400 – HTTP: possible IPS evasive with Apache HTTP Server
      0x40018e00 – IP: Options Validation Vulnerability
      0x00010a00 – IPv4: Malformed Options Evasion Attempt Detected
      0x40709d00 – NETBIOS-SS: Microsoft Server Service Remote Code Execution Vulnerability (High)
      0x4070d200 – NETBIOS-SS: Microsoft Server Service Remote Code Execution Vulnerability (Info)
      0x4070d000 – NETBIOS-SS: Potential DCERPC Big Endian Evasion
      0x4070d100 – NETBIOS-SS: Potential TCP Segmentation Evasion
      0x4070cf00 – NETBIOS-SS: Potential TCP URG Pointer Evasion
      0x4070ca00 – NETBIOS-SS: Suspicious SRVSVC Call
      0x00012f00 – SMB: NB Chaff Detected
      0x00013000 – SMB: SMB Chaff Packet Detected
      0x00012e00 – SMB: SMB Payload Suspicious pad bytes
      0x40011400 – TCP: Illegal Packet Missing SYN, ACK or RST fields
      0x40011500 – TCP: Anomalous Urgent Flag Set without ACK
      0x00010300 – TCP: Small window packets detected
      0x00009e00 – TCP: 3-Way Handshake PAWS Fail Dos

Note: To search for a specific attack in the Manager, follow the steps below.

1. Go to Policy | <Admin Domain Name> | Intrusion Prevention | IPS Policies.
2. In the IPS Policies page, select the All-inclusive-With-Audit policy or clone it.
3. Click All (clear drilldown) to make sure no filters are set.
4. Copy the attack name or NSP attack ID from this document and paste it in the Attack Name field.
5. Click Apply.

To learn more about IPS policies in Network Security Platform, refer to the 7.x or 8.x IPS Administration Guide.


Summary

With attackers becoming more adept at scripting attacks, certain complex evasions cut across multiple layers of the protocol stack by incorporating evasions at more than one layer, in more than one protocol.

In a situation where a client sends an HTTP GET request to a rogue server, the server responds with a malicious page. At layer 7, the attacker may have chunked webpages before serving them to the client. Further, at the TCP level the attacker can segment TCP data. At the IP level, the attacker can fragment traffic before serving it to the client. The attacker can, in addition, add chaff between IP data. A traditional IPS will miss some or all of these evasion techniques and allow malicious traffic to pass through. However, as illustrated in the examples above, Network Security Platform is equipped to protect your network from some of the most insidious attack campaigns.

This application note discusses only a few examples of the evasions that Network Security Platform handles. McAfee Network Security Platform handles several other combinations of advanced evasion techniques that occur at each layer of the protocol stack, where multiple exploits can be applied.

For support information, visit mysupport.mcafee.com.

Copyright © 2015 Intel Security, Inc. All Rights Reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of Intel Security, Inc., or its suppliers or affiliate companies.

