New tool helps hackers evade detection

R. A. Hettinga rah at
Fri Apr 19 21:53:33 EDT 2002

New tool helps hackers evade detection
By Robert Lemos
Staff Writer, CNET
April 19, 2002, 9:45 AM PT
A new tool for manipulating packets of data that travel over the Internet
could allow attackers to camouflage malicious programs just enough to
bypass many intrusion-detection systems and firewalls.

The tool, called Fragroute, applies several techniques to fool the
signature-based recognition used by many intrusion-detection systems and
firewalls. Many of these evasion techniques were outlined in a research
paper published four years ago.

Arbor Networks security researcher Dug Song posted the tool to his Web site
this week. Arbor is a network protection company.

"(Some) firewalls and intrusion prevention or other application-layer
content-filtering devices have similar vulnerabilities that may be tested
with Fragroute," Song wrote in a posting to security mailing list Bugtraq
on Thursday.

The new tool tips the arms race between those who look to break into
networks and those who defend them toward the attackers, at least for the
moment. Any firewall or intrusion-detection system that fails the Fragroute
test is vulnerable to attack from vandals using the program.

Song was traveling and could not be reached for comment, an Arbor
representative said, and his company would not comment on the issue.

The Fragroute program is a dual-use program: it illuminates weaknesses in a
network's security, information that can help a system administrator
protect the network just as it can help an attacker break into it. The
program uses several ways of inserting extra data into a stream, data that
the target host will discard but a detection program will keep, and so
fools the detector. The methods were described in a January 1998 paper by
Thomas Ptacek and Timothy Newsham of security specialist Secure Networks, a
company later bought by Network Associates.

The program exploits a weakness of intrusion-detection systems, which often
check the correctness of incoming data less stringently than the server
software that is typically targeted by hackers. In one form of such
"insertion" attacks, a command sent to a server is disguised by adding
extraneous, illegitimate data. The targeted server software throws away the
bad data, leaving itself with a valid, but malicious, command.

However, many intrusion-detection systems don't remove the corrupted data,
so the hostile command remains disguised from the system's recognition

For example, an intrusion-detection system that watches for a recent
buffer overflow might recognize the attack by the text "http:///" appearing
in the incoming data. If an attacker instead sends
"http://somegarbagehere/", knowing that the target computer will discard
the "somegarbagehere" portion, the attack still works. And if the
intrusion-detection system does not discard the same bytes the server
does, it never sees "http:///" and fails to recognize the threat.
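The following simulation is an added example, not code from the article or from Fragroute itself. It models the insertion attack described above: an attacker sends a "chaff" TCP segment with a deliberately bad checksum that overlaps the start of an attack string, then the real bytes. A naive IDS that accepts every segment and keeps the first data it saw for each sequence position reassembles a stream that does not match the signature; the end host (and an IDS that validates checksums the way the host does) discards the chaff and sees the real command. The segment layout, the "/cgi-bin/phf" signature and the payload-only checksum are all constructed for illustration; the real TCP checksum also covers the header and pseudo-header.

```python
"""Insertion attack against a naive signature IDS (constructed simulation)."""
from dataclasses import dataclass

# Constructed example signature an IDS might look for in HTTP requests.
SIGNATURE = b"/cgi-bin/phf"


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum, here over the payload only (a
    simplification: the real TCP checksum also covers header fields)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class Segment:
    seq: int          # byte offset of payload within the stream
    payload: bytes
    checksum: int     # value carried in the segment, possibly wrong

    @classmethod
    def good(cls, seq: int, payload: bytes) -> "Segment":
        return cls(seq, payload, inet_checksum(payload))

    @classmethod
    def chaff(cls, seq: int, payload: bytes) -> "Segment":
        # Segment with a corrupted checksum: the end host will drop it,
        # but a naive IDS that never verifies checksums will keep it.
        return cls(seq, payload, inet_checksum(payload) ^ 0xFFFF)

    def valid(self) -> bool:
        return self.checksum == inet_checksum(self.payload)


def reassemble(segments, drop_invalid: bool) -> bytes:
    """Reassemble from sequence 0; on overlap the first-received byte wins.
    drop_invalid=True mirrors an end host (or a careful IDS) that discards
    segments with a bad checksum before reassembly."""
    stream = {}
    for seg in segments:
        if drop_invalid and not seg.valid():
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)
    out = bytearray()
    pos = 0
    while pos in stream:            # stop at the first gap
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def naive_ids_sees(segments) -> bytes:
    return reassemble(segments, drop_invalid=False)


def host_sees(segments) -> bytes:
    return reassemble(segments, drop_invalid=True)


def matches(stream: bytes) -> bool:
    return SIGNATURE in stream


def attack_segments():
    """Constructed attack: chaff with a bad checksum overlapping the start
    of the signature is sent before the legitimate bytes for that range."""
    return [
        Segment.good(0, b"GET /cgi-"),
        Segment.chaff(9, b"zzzz"),                 # host drops this
        Segment.good(9, b"bin/phf HTTP/1.0\r\n"),  # real bytes, arrive second
    ]


if __name__ == "__main__":
    segs = attack_segments()
    print("naive IDS reassembles:", naive_ids_sees(segs), "match:", matches(naive_ids_sees(segs)))
    print("host reassembles:     ", host_sees(segs), "match:", matches(host_sees(segs)))
```

The fix for the IDS is the one the article describes: discard exactly what the host discards, i.e. validate checksums (and TTLs, options and overlap policy) before feeding data to the signature matcher, which is what `host_sees` does here.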

Martin Roesch, president of security appliance seller Sourcefire and the
creator of the popular open-source intrusion-detection system Snort, said
that the majority of the problems exploited by Fragroute have been fixed,
and he plans to fix the rest by next week.

"Dug contacted me about this stuff several months ago, and I fixed it,"
Roesch said.

While he hasn't programmed a defense to every stealth attack that Fragroute
has in its repertoire, doing so won't be hard, he added.

"Many of these take 10 minutes of coding, max, to fix," he said. "It just
wasn't an issue before."

While many of the attacks won't work against Snort if it's configured
properly, Roesch said that the default configuration doesn't detect the
camouflaged data, because such settings produce a far greater number of
false alarms.

Some security aficionados posting to the Bugtraq list concentrated on Snort
as a program vulnerable to Fragroute, but Song waved off the implied
criticism of the open-source program in his posting.

"Snort, I'd wager, does much better than most," he wrote, adding that many
other proprietary programs are also vulnerable.

One commercial software seller, network protection firm Internet Security
Systems, claimed that its product, RealSecure, wasn't affected.

"We initially fixed the fragmentation issues when we saw the paper quite
some time ago," said Dan Ingevaldson, team lead for the company's security
research and development group.

His group tested Song's tool earlier this week, and they were still able to
detect attacks, Ingevaldson said.


R. A. Hettinga <mailto: rah at>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list