Industry Trends

A Few Words About Evasion Techniques

By Chris Dawson | October 09, 2014

Hackers have been using evasion techniques for years to get malicious payloads past firewalls. Make sure your firewall is set up out of the box to detect these attacks.

So-called evasion techniques have been part of the hacker’s toolkit for years. Evasion techniques attempt to confuse, overwhelm, or blind firewalls with unexpected data, letting the bad guys (or bots) circumvent intrusion detection algorithms and launch attacks or sneak malicious payloads past the firewall.

Next gen firewalls (NGFWs) are generally designed to, among other things, prevent these types of attacks through deep packet inspection. NSS Labs, leading advisors in the information security market, recently put 12 NGFWs through their paces and found that some firewalls were not configured out of the box to handle these threats effectively. The types of tests and methodologies employed for the evaluations paint a clear picture of the expected functions of next gen firewalls, but a closer look at their evasion tests in particular are instructive for administrators and IT decision makers since hackers continue to use these well-known attacks against organizations of all sizes.

NSS Labs tests everything from firewall policy enforcement to measure of raw performance and throughput. Evasion tactics are just one of five sets of evaluations conducted under the umbrella of “security effectiveness”. Of course, as administrators and pen testers know, if even one area of a firewall is vulnerable, then the entire network is vulnerable. Let’s consider two types of evasion techniques in particular: IP Fragmentation+TCP Segmentation and RPC Fragmentation. At a high level, these tests evaluate the ease with which hackers can evade intrusion detection systems in a firewall.

IP Fragmentation and TCP Segmentation exploit the fundamental process of slicing and dicing traffic that ensures reliable data transmission between networks. Hackers have used vulnerabilities in TCP/IP for years to effectively blind intrusion detection systems, launch Denial of Service attacks, and otherwise slip payloads past firewalls. They do so by manipulating sizes and other attributes of so-called packet fragments that would ordinarily be transmitted and reassembled on a network.

Remote Procedure Call, or RPC, is a widely used methodology for facilitating client server interactions and, like TCP/IP, necessarily breaks up messages (“requests” in RPC nomenclature) into fragments for transmission. As with IP Fragmentation, hackers can manipulate RPC fragments to transmit malicious payloads. RPC vulnerabilities have been well-known since 2001 and NGFWs incorporate reassembly mechanisms to detect RPC exploits.

As described in their methodology documentation, NSS Labs runs well-known exploits like tiny fragment and overlapping fragment attacks against the firewalls under test. Most next generation firewalls reassemble these packet fragments on the fly to detect such exploits and NSS requires that the devices they test have packet reassembly options enabled. However, given the results of the NSS tests, administrators should be vigilant about ensuring correct configurations and full support for these types of fragmentation and segmentation attacks.

Perhaps more importantly, the results of NSS Labs’ Comparative Analysis reinforce the critical nature of third-party testing. The ability to efficiently remediate evasion threats is de rigueur among NGFWs, but users and potential buyers can’t risk their network security assuming that all next gen firewalls will meet their individual needs. Third-party testing, like that conducted by NSS Labs, is an important feedback loop for vendors and a useful starting point for customers.

Join the Discussion