I said it over 15 years ago. I will repeat it again, just in case someone wasn’t paying attention. TCP/IP, although a nice little protocol suite and quite popular, was NOT designed to be secure. Shoe-horning and bolting on security to an insecure and largely connectionless protocol is simply asking for trouble.
TCP/IP’s primary objective has been MESSAGE DELIVERY. AVAILABILITY. ROUTING. Ensuring that if a section of the internetwork disappeared, messages could still be routed to existing destinations. Parts of the protocol will simply send, not waiting for and ignoring responses to acknowledge receipt of data packets. Yeah sure, some parts do the 3-way handshake, ack, reset, etc, however they can easily be spoofed and fooled into sharing your secrets, can have routes altered arbitrarily, allow systems within the delivery path to have a peek at your data, and suffer from a host of other more complex vulnerabilities at the protocol abuse level.
Stonesoft seems to agree with me. They have announced delivery of 163 new “advanced evasion technique” (AET) samples for global vulnerability coordination. AET’s are an entirely new category of network security threat that are completely undetectable by all of the tested major security devices on the market. The new samples include various protocols, including IPv4, IPv6, TCP and HTTP. The set is comprised of 54 atomic evasions and 109 combinations that can be further combined with each other or with the evasions in previous releases to create new AETs. Using AETs, malware can be disguised to appear safe and may therefore be delivered to networks without detection from security appliances.
After publicly announcing the discovery of 23 Advanced Evasion Techniques in 2010, the CERT-FI issued an advisory statement to the network security community.
During its ongoing research on AETs, Stonesoft recently discovered that AETs can be deployed across the HTTP protocol without detection by firewalls, and can be deployed externally across web traffic. Prior to this discovery, many vendors believed that AETs could only operate inside a network and only affect IPS devices. To protect against AETs, Stonesoft strongly recommends that organizations implement IPS technologies that offer deep packet inspection and support multiple protocols to protect themselves against increasing threats inherent in HTTP/HTTPS traffic.
As you can imagine, evading detection is not a new concept.
- Techniques for evading Intrusion Detection Systems have been discussed in research since at least 1998. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection.
- Traffic normalization has been studied Network intrusion detection: evasion, traffic normalization, and end-to-end protocol semantics & Gorton and Champion Combining Evasion Techniques to Avoid Network Intrusion Detection Systems
- The conversation has continued publicly, e.g Moore and Caswell discussed evasions at Black Hat 2006.
StoneLabs started working on defining and scoping the AET problem by establishing a dedicated team focused first on developing better anti-evasion capabilities in the company’s own products. It became clear that this development work would be too time consuming without an automated test environment and comprehensive research tools. The team designed a test environment that enabled the study of different evasion techniques in a radical way. By breaking all the dominant rules and principles they started to run evasions in various forms and combinations, on all TCP/ IP stack levels, and across multiple protocols or protocol combinations.
The first results surprised all. They discovered a new species of evasion techniques that could bypass detection without leaving any traces. They installed many of the leading network security devices to see if the problem exists with them as well. It did.
As the number of AETs and their potential combinations grows, building efficient protection against them requires an understanding of network traffic. Very few vendors truly understand the magnitude of the problem, while some are struggling to provide reactive protection. A security vendor who still uses 10-year old protocol normalization methods in order to look for exploits or other malicious activities is likely to miss the new threats. The core functionality of protocol parsing cannot be static. It has to evolve in order to meet constantly changing threats. New vulnerabilities, exploits, and even attack vectors are constantly being discovered and must be addressed dynamically.