A researcher at US-based security company Endeavor Systems has released a white paper that details a new tool, called Stick, that can defeat intrusion detection systems (IDSs). Cortez Giovanni published the paper that explains how generating false attacks can trigger false alarms in some IDSs. When the volume of false attacks become higher than the IDS software can process, the system overloads, leaving room to hide a real attack among a barrage of false attacks. In many cases, administrators don't examine each attack, packet by packet, to learn the nature of what is occurring.
To perpetrate an attack, Giovanni's Stick program launches a multitude of false attacks with spoofed source addresses that serve as noise to confuse the IDS into miscategorizing each attack. In his whitepaper, Giovanni said, "Stick succeeds because script kiddies are operating security," suggesting that many companies don't ensure the knowledge level of the administrator they hire.
Giovanni said that many signature-based IDSs are flawed and likens the technology to virus-scanning software. Giovanni goes on to suggest that developers can design IDSs to be similar to firewalls that use stateful inspection. "An IDS must be able to validate that the alarm is correct. This means that the IDS needs to determine if the precursor- and post-events occurred that confirm or deny that an attack is real."
Internet Security Systems (ISS) has admitted that Stick does, in fact, congest the event channel within the company's RealSecure Network Sensor IDS product. ISS has released fixes for its RealSecure Network Sensor that limit the impact of Stick-based attacks.
