[There are three articles on this, each can be found at:
http://thebusiness.vnunet.com/News/1119335
http://www.zdnet.co.uk/news/2001/10/ns-21602.html
http://www.theregister.co.uk/content/8/17660.html
I have included one below with a few comments because of its poor
wording. -sc]
http://thebusiness.vnunet.com/News/1119335
Hackers' Stick beats detection tools
By James Middleton
Malicious coders have developed an attack tool that can perform a
denial of service attack against many popular intrusion detection
products.
[Malicious coders? Once the tool was developed, these 'malicious' people
opted to share it only with IDS vendors. This was done to help vendors
improve their products and learn more about the inherent weaknesses of
current IDS products. The tool was not released to full disclosure mail
lists like Bugtraq, or posted to a web site as far as I have seen.
Given that, it would seem to me that the creators of the tool are not
malicious, and in fact are quite honorable in how they chose to deal with
a serious security problem that has severe implications if let into the
wild. This callous wording in the article is an insult. -sc]
The tool, known as Stick, directs thousands of overt attacks at
security systems, causing them to fall over.
Coretez Giovanni, of US-based security company Endeavor Systems, told
vnunet.com that flaws in the implementation and development of IDS
software were one of the main reasons for the success of these tools.
"Stick succeeds because script kiddies are operating security. People
are downloading and buying IDS without knowing what or why," he said.
"On the development side IDS must be able to validate that the alarm
is correct. This means that the IDS needs to determine if the
pre-cursor and post events that occurred confirm or deny that an
attack is real," he added.
Security firm Internet Security Systems said Stick uses "very
straightforward techniques" of firing numerous attacks from random IP
addresses to purposely trigger IDS events. As the IDS system attempts
to keep up with the flood of events it puts more strain on the system,
eventually resulting in denial of service.
As the Stick attack works on a 'flooding' level, its effectiveness is
limited by the bandwidth available to the attacker, although this also
means attackers with more bandwidth at their disposal will be more
successful.
ISS has developed two fixes for RealSecure Network Sensor, one of the
most popular IDS products, which are available here.
A white paper on Stick is available here.
ISN is hosted by SecurityFocus.com
Received on Mon Mar 19 02:56 CST 2001
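
The article quotes Giovanni saying an IDS must check whether precursor events confirm or deny an alarm. The sketch below is an added example, not code from the article, from Stick, or from any IDS vendor. It assumes the precursor for a TCP signature is a completed three-way handshake; the packet tuples, addresses and signature names are constructed.

```python
import random
from collections import Counter

SYN, ACK, PSH = 0x02, 0x10, 0x08
SIGS = ["constructed-sig-1", "constructed-sig-2", "constructed-sig-3"]

def triage(packets):
    """Split signature hits into confirmed alerts and per-signature counts
    of hits that had no preceding TCP handshake (the precursor event)."""
    state = {}  # (client, cport, server, sport) -> handshake stage
    confirmed, unverified = [], Counter()
    for src, sport, dst, dport, flags, sig in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags == SYN:
            state[fwd] = "syn"
        elif flags == SYN | ACK and state.get(rev) == "syn":
            state[rev] = "synack"
        elif flags & ACK and state.get(fwd) == "synack":
            state[fwd] = "established"
        if sig is None:
            continue
        if state.get(fwd) == "established":
            confirmed.append((src, dst, sig))  # full alert, worth an analyst's time
        else:
            unverified[sig] += 1  # one counter per signature, not one alarm per packet
    return confirmed, dict(unverified)

def sample_packets():
    """Constructed traffic: one real session amid 1000 handshake-less packets
    from random source addresses, as the article describes."""
    real = [
        ("198.51.100.7", 40000, "192.0.2.10", 80, SYN, None),
        ("192.0.2.10", 80, "198.51.100.7", 40000, SYN | ACK, None),
        ("198.51.100.7", 40000, "192.0.2.10", 80, ACK, None),
        ("198.51.100.7", 40000, "192.0.2.10", 80, PSH | ACK, SIGS[0]),
    ]
    rng = random.Random(1)  # fixed seed so the sample is reproducible
    forged = [(f"203.0.113.{rng.randrange(1, 255)}", rng.randrange(1024, 65535),
               "192.0.2.10", 80, PSH | ACK, rng.choice(SIGS)) for _ in range(1000)]
    return forged[:500] + real + forged[500:]

if __name__ == "__main__":
    alerts, noise = triage(sample_packets())
    print("confirmed:", alerts)
    print("aggregated, no handshake:", noise)
```

A production sensor would also need timeouts and a size bound on the flow table, and this check does not apply to signatures on connectionless protocols such as UDP or ICMP.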