Internet Security Systems - AlertCon(TM)

The Eavesdropper's Dilemma

Posted by Tom Cross on October 26, 2006 at 1:55 PM EDT.

On Tuesday, Ars Technica reported that police in Gretna, Virginia executed a search warrant against the wrong house because an ISP misread a subpoena asking for customer information relating to an IP address that had been involved in criminal activity on the Internet. In a discussion of the incident on Interesting People, cryptographer Matt Blaze referenced a paper he co-wrote entitled the Eavesdropper's Dilemma.

This paper makes for interesting reading. It proposes that Internet users could inject noise into their communications sessions that would confuse eavesdroppers but would be ignored by the other side of the communication. The examples given include employing low TTL values so that noise packets expire before they reach the destination host, and incorrect destination MAC addresses so that noise frames are never forwarded on toward their IP destinations. A wide array of Internet monitoring software fails to eliminate these problem packets, resulting in an incorrect and potentially misleading record of the communication in question. The problems can also be hard to address. Monitoring software doesn't usually know how many hops exist in the path between the two parties to an Internet communication, and so it may be difficult to determine which TTL values will actually reach a destination.
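As an added illustration of the monitoring-side fix (example code written for this post, not from the paper or from ISS): a passive monitor that discards packets which cannot reach the destination before merging them into the evidentiary record, alongside the naive record a trusting monitor would produce. It assumes the monitor knows the next-hop gateway MAC and the number of routers between its tap point and the destination host, which, as noted above, is exactly the estimate that is hard to get right in practice.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int        # offset of the first payload byte in the TCP stream
    ttl: int        # IP TTL observed at the monitor's tap point
    dst_mac: str    # Ethernet destination observed at the tap point
    payload: bytes


def reaches_destination(pkt, hops_remaining, gateway_mac):
    """True only if the packet can still arrive at the destination host.

    Each router decrements TTL and discards the packet when it reaches zero,
    so a packet survives hops_remaining routers only if TTL is larger than
    that count.  A frame addressed to any MAC other than the next-hop gateway
    is never forwarded off the local segment at all.
    """
    return pkt.ttl > hops_remaining and pkt.dst_mac.lower() == gateway_mac.lower()


def _merge(packets):
    """First-arrival-wins byte map, a common receiver policy for overlaps."""
    seen = {}
    for p in packets:
        for i, b in enumerate(p.payload):
            seen.setdefault(p.seq + i, b)
    return bytes(seen[k] for k in sorted(seen))


def naive_record(packets):
    """What a monitor that trusts every captured packet writes down."""
    return _merge(packets)


def evasion_aware_record(packets, hops_remaining, gateway_mac):
    """Drop packets the destination never receives, then merge the rest.

    Returns (stream, rejected); a burst of unreachable packets is itself a
    signal of tampering and is worth logging separately.
    """
    kept, rejected = [], []
    for p in packets:
        (kept if reaches_destination(p, hops_remaining, gateway_mac) else rejected).append(p)
    return _merge(kept), rejected


# Constructed capture (values made up for this example): a request with two
# noise packets overlapping the real bytes at stream offset 8.
GATEWAY_MAC = "00:aa:bb:cc:dd:ee"
HOPS_TO_DESTINATION = 5   # routers between the tap point and the host (assumed known)
CAPTURE = [
    Packet(0, 64, GATEWAY_MAC, b"GET /ind"),
    Packet(8, 2, GATEWAY_MAC, b"NOISENOI"),             # TTL expires before arrival
    Packet(8, 64, "00:11:22:33:44:55", b"XXXXXXXX"),    # wrong MAC, never forwarded
    Packet(8, 64, GATEWAY_MAC, b"ex.html "),
    Packet(16, 64, GATEWAY_MAC, b"HTTP/1.0"),
]
```

Running both functions over CAPTURE shows the naive record absorbing the TTL-limited noise while the evasion-aware record matches what the destination host actually received.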

These observations could have significant implications for law enforcement and also for enterprise security personnel who may rely solely on logs from Internet monitoring as evidence of crimes or policy violations. This is particularly important in cases where bad packets could be spoofed by a malicious actor in order to frame other users. It's important for investigators to acknowledge that computer-based evidence may be subject to manipulation, and to approach investigations with an open and critical mind.

These observations are also important in the realm of Intrusion Detection technology. IDS/IPS vendors have long been aware of various evasions that attackers can employ to reach protected systems while avoiding detection, many of which take a form similar to the sort of techniques discussed in this paper. Sophisticated protocol analysis systems can thwart most evasions through careful awareness of the state of network communications, but stateless signature engines can often be fooled. This is an important criterion for consideration in evaluating the security of IDS/IPS technology, and evasion testing has become a significant factor in technical reviews such as those performed by The NSS Group. Furthermore, researchers studying the effectiveness of Internet monitoring technology designed for evidence collection could do worse than to examine some of the evasion techniques that have been used in the past against IDS/IPS systems.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.