Thread: 'Stick' IDS stressing tool

  1. #1

    'Stick' IDS stressing tool

    geez, can you guys imagine what your Snort logs are going to look like, if anyone suspects that you are using Snort, after the program 'Stick' is released?

    all the kiddies are going to be looking to fill up your Snort logs. Not to mention the CPU usage that 'Stick' is reported to cause and the possible shutdown/dropping of packets as a result of a 'Stick' attack.

    This sounds bad. And if the IDS is not somehow modified to deal with this eventually, 'Stick' would be the perfect pre-attack tool. If your IDS stops dropping packets after a given period of time, what better time to launch an attack!?!?

    The 'Stick' website http://www.eurocompton.net/stick/projects8.html says that they are waiting for IDS vendors to make modifications to deal with Stick before it is released, but it looked like they could be talking about the fact that ISS Real Secure v5.5 would turn itself off via error during a 'Stick' session. I wasn't really clear on that.

    If Snort is not, however, going to be able to make some sort of modifications to deal with 'Stick', then as I said, we are all going to be in big trouble if anyone suspects that we may be using Snort. I'm not sure how you could go about getting around this problem, but I am sure hoping that there will be a way! This tool could actually turn your IDS AGAINST you!

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    Are you sure this information isn't ancient? I remember a stick attack for ISS, but that was A LONG time ago...

    http://securitytracker.com/alerts/2001/Mar/1001098.html
    May 2001...

    http://archives.neohapsis.com/archiv...1-q1/0229.html

    March 2001...

    Also...RealSecure 5.5, that is ANCIENT. The most current release is under the Site Protector flag and is in the 7.0 range...A much more recent, and much nastier attack (and still old) was the Witty worm that specifically targeted ISS deployments (all the more reason to not put all your eggs in one basket).

    Because of the complexity of the protocols that are being analyzed by every type of IDS (or at least good ones), I would expect that vulnerabilities such as this one would continue; however, steps can always be taken to properly isolate your IDS so that it would be very difficult for anyone to even know it existed and steps you can take to properly secure it so that it would be very difficult to completely disable (think multiple layers, multiple vendors).
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Damn.... Stick is nearly as old as me......

    The stream4 preprocessor was written to ignore such an attack... and the stream4 preprocessor has been around a good long time now.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
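    As an added illustration of the point made in this post (not code from the thread, from Snort or from the Stick project): a toy Python model of why a stateful preprocessor blunts a Stick-style flood. The rule names, addresses and packets are constructed for the example, and the session tracking is a deliberately minimal sketch of the idea behind stream4, not its real implementation.

```python
from collections import namedtuple

# Constructed toy signatures: (rule name, payload substring).
RULES = [("web-iis cmd.exe", b"cmd.exe"), ("web-cgi phf", b"/cgi-bin/phf")]
Packet = namedtuple("Packet", "src sport dst dport flags payload", defaults=(b"",))


class Inspector:
    """Signature matcher; with stateful=True it mimics the stream4 idea and
    only inspects data that belongs to a completed TCP handshake."""
    def __init__(self, stateful):
        self.stateful, self.sessions, self.alerts = stateful, {}, []

    def _track(self, p):
        k = tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # 4-tuple key
        st = self.sessions.get(k)
        if p.flags == "S" and st is None:
            self.sessions[k] = "syn"
        elif p.flags == "SA" and st == "syn":
            self.sessions[k] = "synack"
        elif "A" in p.flags and st == "synack":
            self.sessions[k] = "est"
        return self.sessions.get(k) == "est"

    def feed(self, p):
        if not self._track(p) and self.stateful:
            return  # not part of an established session: never reaches the rules
        for name, sig in RULES:
            if sig in p.payload:
                self.alerts.append((name, p.src))


def run(stateful):
    """Replay constructed traffic; return how many alerts were logged."""
    ins = Inspector(stateful)
    req = b"GET /scripts/cmd.exe HTTP/1.0"
    # Stick-like noise: 100 stateless data packets from spoofed sources, no handshake.
    for i in range(100):
        ins.feed(Packet(f"10.0.{i // 256}.{i % 256}", 40000 + i, "192.0.2.10", 80, "PA", req))
    # One genuine client: full three-way handshake, then the same request.
    c, s = ("198.51.100.7", 51515), ("192.0.2.10", 80)
    for src, dst, flags, data in [(c, s, "S", b""), (s, c, "SA", b""), (c, s, "A", b""), (c, s, "PA", req)]:
        ins.feed(Packet(*src, *dst, flags, data))
    return len(ins.alerts)


if __name__ == "__main__":
    print("stateless alerts:", run(False))  # 101: every spoofed packet is logged
    print("stateful alerts:", run(True))    # 1: only the real session is logged
```

    The stateful inspector still has to touch every packet, so this addresses the log-flooding half of the problem rather than the CPU cost the first post mentions.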

  4. #4
    No kidding? This was the first I heard about it. Read an article mentioning stick and the website. I thought this was something that hadn't even come out yet.

    Well cool. Glad to hear that. Especially regarding the stream4 preprocessor.

    That must be the thing. If it's that old, that's probably why I never heard about it.

    That's a welcome relief ;-)

  5. #5
    Damn, how did I end up running into an article AND the website itself that wasn't dated. If these pages are still online, at least they could date them, so that this kind of thing doesn't happen! LOL!

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    hey, if you don't know about the past then you can't predict the future. YOU learned something new, and that's good regardless of how outdated it is.

    on a side note, I have a pre-release of this experimental processor Intel is working on, it's called the Pentium Pro, I'll sell it to you for a low low cost
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  7. #7
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Originally posted here by XTC46
    on a side note, I have a pre-release of this experimental processor Intel is working on, it's called the Pentium Pro, I'll sell it to you for a low low cost
    Wow! How'd you get one of those things?! I heard the powerful Pentium® Pro processor boasts 5.5 million transistors!!!??? Is that even possible?!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  8. #8
    Really? I'm sincerely interested in obtaining one of those. Please send me an email at iamgullable@Illbuyanything.net

    LOL! Really though, XTC46..You're exactly right. Any knowledge, past or present is good knowledge. It's just like me wanting to recreate the teardrop attack vulnerability [EDIT: I meant to refer what is actually called an Overlapping Fragment Attack. NOT a teardrop attack.] and use packet fragmentation to bypass an ipchains firewall. Doesn't matter to me that the vulnerability is not present anymore, it's the knowledge and experience that I am more interested in.

    On the other hand, it WOULD have been nice to know when I ran into this article, that this was a historical thing. lol!

    And on the other hand again, I now know that Snort has fixed this with the Stream4 preprocessor. Any knowledge is good knowledge in my book ;-)

  9. #9
    Thanks to nebulus200 for pointing out the 'antiquity' of this issue! lol!

  10. #10
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Originally posted here by phishphreek80
    Wow! How'd you get one of those things?! I heard the powerful Pentium® Pro processor boasts 5.5 million transistors!!!??? Is that even possible?!
    Actually, it has 5.479827630a1863d11234f936yndknqw12i9faui132b...
    Code:
    CORE DUMP
    Error Code 1751
    
    Pentium FDIV flawed processor present
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
