I'm Enrique Sanchez. I work for a pen testing company in Europe. Basically what we're going to do here is just a proof of concept. [Audience: Louder!] Okay, like this, you know, speaking like a man. Yeah, that's what I thought. Okay, there are a couple of things I want to say before the speech. One, I'd like to conduct this more as a question-and-answer panel. I unfortunately lost my glasses in a really freak drunk accident. So these guys are here: if you raise your hand and I don't point at you, it's not because I don't like you, I just don't see you. I can barely make out his face, for real. No, I actually managed to lose the glasses in an airport in London. I have no idea how I did it. I think it was like the 15 Guinness. I don't know, something weird like that. So first, what I'm going to do is stand up, because I'm extremely short. I like to be standing up; it's just something with my culture, I guess. [Audience: Stand up?] Fuck you. He just said "stand up". Yeah, I am Mexican. No green card, dude. Just no green card. I'm just running for the border right after. [Audience: At the border first, you want to show your ID?] Yeah, I have it right here.

So the thing is, I'm going to show first what an IDS is, because maybe not a lot of people actually know what an IDS is. This is not the textbook definition, but it's the best thing I can tell you so you will comprehend what a really basic IDS is. It's just a system that will report any activity that could be malicious and could compromise any server or any network in any way. Any questions? Yeah, that's what I thought. I'm not telling you.

So how does an IDS work? Basically, an IDS is just a really big sniffer. So what you have is: you sniff the network, which is just reading every single packet that goes through there. You filter everything via patterns. This would be a signature-based IDS.
You also have anomaly filters, which are just signatures for anomalous traffic going to your network. A signature is just a filter. To say something: it's not really normal to see an FTP password 3,000 characters long. At least I really don't know anybody who would put a really long book into his password. So for anything over maybe 15, you can write an IDS signature to flag it as a possible attack. This is a proactive way. With an IDS, you really don't know if the attack actually succeeded. Okay. Go back, dude.

So the thing is, they also produce reports. Well, I'm doing this because after this, I'm going to tell you what kind of IDSs are out there. They can be divided into host-based and network-based. On this one, we're going to be attacking the network-based IDS. Examples of IDSs are Snort, Dragonfly, RealSecure, and OnGuard24. You have more of them, of course. But these four can cover the two categories I selected.

So why do I say an IDS is just like a hack system? The only thing that changes is who is in control of that server. Why? They both need the traffic. They both are looking for patterns. The hacker will look for the passwords, the login names, the connections. And you will look for weird connections and you will look for signature-based attacks. And of course, you always have signatures and you have traps and actions that you want to take. In the case of a hacker, if you see a login and a password, you log it to a file. Of course, you can do even more than log it to a file. You can actually execute a couple of programs to be able to get automatically into the computer. If you are on an IDS, what you will do is probably send an SNMP trap, or you can even send an SMS, or you can log it to a file, send a mail, anything that you want to do. Is it really that bad that they look alike?
Not really, because hackers have been pushing security for years. They are in front and you're just trying to catch up. That is the reality. Most people don't like it, but that's the way it is. You just have to be realistic with yourself.

So what is this? "Did-say", and I put that name not because it's really cool, it's just really long to say: the rest of it is Intrusion Detection System Evasion, and I only have one hour. So the thing is, this is just the result of going through a couple of things and trying to think. What you do is an analysis of the implementation on the network, the host and the IDS, and this is the result of the weakness of the link between them. This software will actually bypass your IDS, if you have the network characteristics. It will not log anything at all.

So how does it work? The thing is, an IDS runs on a host. So maybe the IDS can go really high, but you always have a weak link: if your host is not really fast enough, it will drop packets by itself. Those packets can never be seen by the IDS because it's not really on layer 1. So there are a couple of principal elements that can be attacked on an IDS: the way they reassemble packets, which is insertion and evasion; the timing of the queue; signature-based attacks; and of course the speed of the network. The first three have been done and they are usually fairly well picked up by IDSs: the usual dot attack, fragmentation attack, one-bit attacks. So how does this thing work? This is attached to the last one. It pits the speed of your network against the speed of your IDS. You can implement the fastest IDS you can have. You can even go to gigabit if you want to. If you have a really slow system that cannot take your network, you will be in serious trouble against this. How do I know if I'm vulnerable to this?
I got a bit tired because it's really hot, so I'm going to sit down a little bit. Yeah, I'm short. I'm short, so I get to do this. So what you need to do is just this really simple calculation, in which you take how many packets your IDS can take. And I don't mean on paper. I mean, honestly, how many packets can your IDS take? How many packets can your host take, and how many packets can your network take? So the thing is, you need to find the weak link, and that is where your breaking point is. If your host or your IDS has a breaking point lower than your network, then you will be in trouble. You guys have any questions? Because I'm on... Thanks, I told you, the glasses.

Yeah, of course, it has to actually go into the network. You can get it through the firewall. You can do a couple of tricks. Maybe do the same source port and destination port, like destination port 80, source port 80. So you will force it to be in the IDS queue. So the host, you know, the host and the IDS are being flooded. Okay. I'll repeat the questions. Okay. The smallest packet that you can really send is around 20 bytes. Normally if you use a normal socket, it will be around 46. You can even do one, but that will probably be blocked by the firewall. You want to make sure that every single packet is going through the firewall. You can of course do more advanced things, which I'm going to mention, like proxies. But right now we're going simple. So we want to bypass the firewall. The queue limit for the host can also be attacked, and the queue for the IDS will be attacked.

So this is an example. Let's say, for instance, that 50,000 packets is the limit for a host, which is a lot. An IDS can go to 20 megabit, but the network is a corporate one. So you have a 100 megabit connection. Since you don't have an equal one, you can pretty much see right now that you are probably in trouble.
So these are the facts, and the calculation is: you have 50,000 packets times 20 bytes, not the megabit, just the bytes. So you will get a million bytes. You multiply them by 8, so you get the megabit, so you don't start adding up apples and oranges. So then you do the translation. You have 8 megabit against 100 megabit. So this IDS is in extreme trouble. Actually, if you were on 10 megabit, you would still be in trouble.

So here's how the attack is going to go. To be sure that we will have enough probability of dropping the packets, we will send 60,000 packets per second, which will be almost 10 megabit; it will be 9.6. That means, like I said before, the IDS is extremely vulnerable, but this raises the question of how many attackers have a pure 10 megabit to just drop an attack like this on my corporate network. So the solution is, you distribute the attack. The hacker goes in there, gets 500 servers. It's the whole internet. Be sure that 500 servers right now still run wu-ftpd 2.6.0. I mean, if you prove me otherwise, I'll get you drunk for a week. So the thing is, you end up having only 200 packets per host, which is only 32,000 bits. That's a modem connection. So we just added the whole internet to this attack. It really doesn't matter if you have a Linux computer running on a modem. The hacker can actually use that to hack into a big corporate network. Actually, I'm just going to leave it here for a while. Anybody have a question?

[Audience: Is there working code?] Well, it's just basically one extreme technique. It's just an implementation. I have working code, but for security reasons, I will not show it. I mean, I have a conscience, I'm sorry. But the thing is, the only trick that you need to do is make sure that everything is load balancing by itself. You can do this by ICMP. You ping one host behind. You ping the router, or you can even do TCP pinging. And what you do is centralize everything on a server, like this laptop.
And everything else is reporting. Every 35 seconds it's reporting here. A normal synchronized attack will be five minutes. You let it breathe for three minutes to send the attack. You wait for two minutes. The host will be flooded, and it will start dropping packets. Like I said, it's a fairly simple theory. There's not really big magic. But every single IDS, with the right configuration, is vulnerable to this. It's really hard to patch it up. This could be implemented even with DDoS tools, like Trinoo. You could modify that. Of course, that was UDP, but you can easily implement it on TCP. I can't see in the back. I'm okay. Nobody's asking. What's going on? I'm going too fast. It's okay.

These are the problems that I was saying before. It's hard for a hacker to have a whole ten megabit connection all by himself. So what you do is just divide. You really have to think about how much you want to divide, because managing 500 hosts is not going to be fun. And of course, it's going to take you a long time to actually write a program like that. So staying around 200, maybe 300, is the right idea. You could actually implement this as a Linux kernel module. You can make it load. You can make it listen to magic strings. You can do all the right techniques, but the theory is the same. You need to open a socket and send everything spoofed. I was maybe thinking of doing a real-life example with three persons from the audience. The thing is, I got extremely wasted yesterday, so I didn't manage to get the 1,000 papers I was going to hand you. And it's 110 degrees. So I didn't believe that anybody would just stand here. Of course, we can actually try to do it if you want to: get a couple of papers and scream at each other. So this is the thing. Is it really doable in reality? Like I said before, working code exists. It really doesn't manage the 300 servers because it's tight. But I've managed to make it work in the lab with 50 servers. So it's not that bad.
So now it's broken. What can I do with this? Well, the solution is easy. You should never go over the breaking point of your IDS. I know it's really cool to have a 100 megabit connection. But even money-wise, did you really need a 100 megabit connection? Most corporate positions don't. Most companies don't anyway. You need to make sure that your network is scalable, and that your IDS is. All NFR systems are scalable in the hardware area. There's a hardware solution to actually be scalable so you're invulnerable to this attack. You have software like Snornet, which will also do it on layer 3; actually, layer 7. So it will be a little bit slower, so you would end up with a big machine anyway. You need to do stacking and load balancing. And of course you need to take unusual network peaks extremely seriously. You need to configure your firewall wisely. And do you really have that much traffic at three a.m. anyway? I mean, unless there's a guy just pulling down warez or DVD rips, you probably don't. So that was an extremely fast thing. It's probably because I'm extremely nervous. Do we have any questions?

Yes, because the thing is, what you actually can do is... Okay, he's asking, if I'm going to flood the network so badly, am I sure that the host is actually going to receive my attack? So the answer is, you have a really high probability, because maybe like 80 or 85% of the packets you do not send to the host, because you want to flood the IDS. You don't want to flood the host. You really don't need to send all the packets to the host. The IDS is going to read them anyway because it's sniffing the network. I mean, like, how am I actually making sure I'm getting 60,000 packets? He's asking how do I know it's 60,000? How do I make sure that every single thing I'm running is actually getting 60,000 packets into the network? You can do this with TCP pinging, load balancing. You're just playing with probability there.
I mean, it's not... I'm sorry? Yes, but the thing is, now the IDSs are extremely efficient, but the hosts are not. I mean, I don't want to bash any OS, but the one I'm on right now doesn't really take 10 megabit kindly. So yes, you're just playing with probability. The thing is, you only alarm the IDS for like five minutes, and right now I'm just taking for instance 50,000 and going 10,000 over, just to make sure that 10,000 packets get dropped. If you're going to do this for real, you probably have to do, like you said, triple to make sure, and even then you will have maybe like 15 to 20%, just to say something. In my tests it would get picked up anyway, and this attack, if you don't have an anomaly filter... if you have an anomaly filter for anything going over 20 megabit, this should be picked up anyway. What I'm actually doing is distributing my attack.

He's asking if the ISPs or the T1s are doing anything to prevent this type of attack. Not really. I mean, that is the bad thing. And you really can't help this much. He's saying that if you're aware of this, can you handle it in a way that you can block all the attacks? Not really. You can spoof every single packet if you want to, with random numbers, as long as they are within the internet and are routable. So you either let them go through until a certain point, or get yourself ready for a DoS attack, because if you start blocking every single packet and I'm going from 0.0.0.0 to 255.255.255.255, everything is going to be blocked. There is actually a tool called stick that does the reverse of this. It sends so many alarms that the IDS gets full, so you really don't know if the attack is there, but the thing is, then you know you're being attacked. This is more the thinking that you will get a 5-minute peak warning and you really don't know if somebody attacked you, or you had a lot of people going to your web server, or exactly what.
This is much more silent, but it can also be done the other way. He's asking if I'm just sending garbage. Yeah, pretty much. I mean, actually, you try to use really small packets, since everything doesn't get filtered by the firewall. A couple of tricks: you can go down to 1-byte TCP, so you know it's going to pass the firewall. You go to the same source port and destination port, and if they have a really bad firewall and you really, really, really want to make the IDS slow, you spoof the server request with the same source port and destination port. So the IDS is not going to know if the web server initiated the connection or the outside did, so it just has to hold on there until it times out, which is really long. That only happens if you have that kind of firewall.

He's asking if I've done it against some IDSs. Yes, actually, I've done it against about all the commercial ones, most of the commercial ones that I could get my hands on. This is not an implementation. This is more of a theoretical thing. It's not really the IDS's fault. You can go to gigabit if you want to. The host is going to break, and if you have a really fast host, the IDS breaks as well. I can assure you right now the biggest problem is the host breaking, at least in my tests. He's asking if the solution is to have a really beefy host and a really beefy IDS and hooking up the network. If you have a big network, yes. Or you can stack your IDSs. You can make it hardware load balanced, like NFR. Like I said before, NFR has an implementation of that. We don't know if RealSecure or the other ones actually do have an implementation of that. I know they can load balance on layer 7. But that makes it also slow, so you're putting yourself in a position in which then I'm attacking the CPU power that you will have, not only the network. Hold on a second, my man. Can you repeat the question? No, really. I mean, I'm just here to tell you, I really don't have all the answers.
I really didn't try, but I'm sure we can give it a try later on. He's asking if you're eliminating or reducing the chance. You're actually just reducing the chance of evasion. You really can't go 100% on this. You are going to get picked up sooner or later. This is not an end-all IDS breaker. Don't go running into your networks and turn it off. It's really nice to have it anyway. He's asking if the IDS actually detects anything. It really doesn't detect anything if you don't have an anomaly peak filter. The CPU goes up a lot, but not really that much. I mean, I actually saw it go to 65%, but that's it. I never made it go to 100. But that's because they're small packets. Any more questions? Yeah, go ahead.

Okay, that was a really long comment. I heard half of it, but he's basically saying that you can actually turn the problem around if you have a really fast IDS, and all you do is send two. The IDS will actually get the first one and the server will actually get only the second one, so you will corrupt the TCP reassembly. Any other questions? Please ask some more. That's it? Sorry? Yeah? I tested it out. It did really well. Dragonfly is extremely fast. Snort really did nicely. Also RealSecure. The best actually was NFR. Sorry, man, can you shout it out? Really deaf. It depended on what kind of host I was running, but Windows started dying around 15 megabit. OpenBSD did really well. It went to 28, I think. So it's a matter of not really the IDS. Like I said before, it's not really the IDS's fault. Right now I'm just attacking the hosts. Sure. No, I didn't have any around. I'm sorry. Didn't have any time to test them. He's asking if I tested it on the Cisco IDS. No, I haven't actually tested it. I have a couple of ideas, just to go back and go over it. Of course, donations of hardware are really, really appreciated. But the router can break really nicely. Any other questions? Because I see people leaving anyway. No more questions?
The slides are going to be at this URL. If you have any questions, rants, flames, anything, that will be my email. I check it at least three times a day, so you will get a response back. I can actually tell you that. No spam, please. Just no spam, man. That's it.
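The breaking-point arithmetic the speaker walks through on stage (host packet limit times packet size times 8 against the link rate, then the attack rate with a margin, then dividing it across bots) is written out below as a small Python module. This is an added example, not the speaker's tool or any code shown in the talk; the numbers are the ones quoted on stage (50,000 packets/s, 20-byte packets, 100 Mbit link, 60,000 packets/s, 300 bots), while the 20% safety margin and the 20 Mbit anomaly threshold are assumptions made here to reproduce those figures.

```python
"""Worked calculation of the IDS-host breaking point described in the talk.

Added example, not the speaker's code. The only model here is the one he
states: the IDS host can queue a fixed number of packets per second, so its
real ceiling in bit/s is (packets/s * bytes/packet * 8), and any link faster
than that ceiling lets an attacker make the host drop packets the IDS then
never sees.
"""

BITS_PER_BYTE = 8


def ceiling_bps(host_max_pps: int, packet_bytes: int) -> int:
    """Bit/s the IDS host can absorb before it starts dropping packets.

    Uses the measured ("not on paper") packet limit of the host, not the
    rate the IDS software itself advertises.
    """
    return host_max_pps * packet_bytes * BITS_PER_BYTE


def is_vulnerable(host_max_pps: int, packet_bytes: int, link_bps: int) -> bool:
    """True when the network link can carry more than the host can queue."""
    return ceiling_bps(host_max_pps, packet_bytes) < link_bps


def attack_rate_pps(host_max_pps: int, margin: float) -> int:
    """Packets/s the attacker sends: the host limit plus a safety margin.

    margin=0.2 is an assumed value; it reproduces the 60,000 packets/s
    quoted in the talk for a 50,000 packets/s host.
    """
    return int(host_max_pps * (1.0 + margin))


def attack_bps(total_pps: int, packet_bytes: int) -> int:
    """Link bandwidth the whole flood consumes, in bit/s."""
    return total_pps * packet_bytes * BITS_PER_BYTE


def per_bot_rate(total_pps: int, bots: int, packet_bytes: int) -> tuple[int, int]:
    """(packets/s, bit/s) each bot must contribute in a distributed flood.

    Rounds up so the combined rate never falls below total_pps.
    """
    pps = -(-total_pps // bots)  # ceiling division
    return pps, pps * packet_bytes * BITS_PER_BYTE


def anomaly_triggered(flood_bps: int, baseline_bps: int, threshold_bps: int) -> bool:
    """A crude link-rate anomaly filter: fires when traffic crosses threshold.

    threshold_bps is an assumption standing in for the "anything over 20
    megabit" filter mentioned in the Q&A; baseline_bps is the legitimate
    traffic already on the link.
    """
    return baseline_bps + flood_bps > threshold_bps


def plan(host_max_pps: int, packet_bytes: int, link_bps: int,
         margin: float, bots: int, anomaly_threshold_bps: int,
         baseline_bps: int = 0) -> dict:
    """Run the whole calculation once and return every intermediate figure."""
    total = attack_rate_pps(host_max_pps, margin)
    bot_pps, bot_bps = per_bot_rate(total, bots, packet_bytes)
    flood = attack_bps(total, packet_bytes)
    return {
        "host_ceiling_bps": ceiling_bps(host_max_pps, packet_bytes),
        "vulnerable": is_vulnerable(host_max_pps, packet_bytes, link_bps),
        "attack_pps": total,
        "attack_bps": flood,
        "bot_pps": bot_pps,
        "bot_bps": bot_bps,
        "anomaly_alarm": anomaly_triggered(flood, baseline_bps, anomaly_threshold_bps),
    }


if __name__ == "__main__":
    # Figures quoted on stage; margin, bot count and threshold are assumed.
    result = plan(host_max_pps=50_000, packet_bytes=20, link_bps=100_000_000,
                  margin=0.2, bots=300, anomaly_threshold_bps=20_000_000)
    for key, value in result.items():
        print(f"{key:>18}: {value}")
```

Running it reproduces the talk's numbers: an 8 Mbit/s ceiling for the host on a 100 Mbit link (vulnerable, and still vulnerable on 10 Mbit), a 60,000 packets/s flood that is 9.6 Mbit/s on the wire, and 200 packets/s or 32,000 bit/s per bot when spread over 300 hosts, which is why a modem-connected machine is enough. The last field shows the other point made in the Q&A: with no baseline traffic the flood alone stays under a 20 Mbit anomaly threshold, so a peak filter is only useful if its threshold is set from the host's real ceiling rather than from the link rate.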