Idp Pattern Matching - D-Link NetDefend DFL-210 User Manual

6.5.5. IDP Pattern Matching

aimed at evading IDP mechanisms. It exploits the fact that in a TCP/IP data transfer, the data stream
must often be reassembled from smaller pieces of data because the individual pieces either arrive in
the wrong order or are fragmented in some way. Insertions or Evasions are designed to exploit this
reassembly process.
Insertion Attacks
An Insertion attack consists of inserting data into a stream so that the resulting sequence of data
packets is accepted by the IDP subsystem but will be rejected by the targeted application. This
results is two different streams of data.
As an example, consider a data stream broken up into 4 packets: p1, p2, p3 and p4. The attacker
might first send packets p1 and p4 to the targeted application. These will be held by both the IDP
subsystem and the application until packets p2 and p3 arrive so that reassembly can be done. The
attacker now deliberately sends two packets, p2' and p3', which will be rejected by the application
but accepted by the IDP system. The IDP system is now able to complete reassembly of the packets
and believes it has the full data stream. The attacker now sends two further packets, p2 and p3,
which will be accepted by the application which can now complete reassembly but resulting in a
different data stream to that seen by the IDP subsystem.
Evasion Attacks
An evasion attack has a similar end-result to the Insertion Attack in that it also generates two
different data streams, one that the IDP subsystem sees and one that the target application sees, but
it is achieved in the reverse way. It consists of sending data packets that are rejected by the IDP
subsystem but are acceptable to the target application.
Detection Action
If an Insertion/Evasion Attack is detected with the Insertion/Evasion Protect option enabled,
NetDefendOS automatically corrects the data stream by removing the extraneous data associated
with the attack.
Insertion/Evasion Log Events
The Insertion/Evasion Attack subsystem in NetDefendOS can generate two types of log message:
• An Attack Detected log message, indicating an attack has been identified and prevented.
• An Unable to Detect log message when NetDefendOS has been unable to identify potential
attacks when reassembling a TCP/IP stream although such an attack may have been present.
This condition is caused by infrequent and unusually complex patterns of data in the stream.
Recommended Configuration
By default, Insertion/Evasion protection is enabled for all IDP rules and this is the recommended
setting for most configurations. There are two motivations for disabling the option:
• Increasing throughput - Where the highest throughout possible is desirable, then turning the
option off, can provide a slight increase in processing speed.
• Excessive False Positives - If there is evidence of an unusually high level of Insertion/Evasion
false positives then disabling the option may be prudent while the false positive causes are
investigated.
6.5.5. IDP Pattern Matching
282
Chapter 6. Security Mechanisms