Cyber Attacks Explained – Device Evasions

Scope of Article

This is the last installment of the year-long series of articles on cyber attacks.
As we know, network infrastructures are protected by security devices such as routers and firewalls.
Until recently, it was believed that such devices provided sufficient means of securing the perimeter.
That belief has been proved wrong by a technique called device evasion, a new trend of attacks in the cyber security world.
This month we study this technique in detail and also learn about methods to protect IT infrastructure from such attacks.

Device Evasion

By definition, evasion is the process of avoiding or bypassing an object or a situation.
In cyber security, evasion refers to a technique by which an attacker bypasses a security system.
Such a system typically consists of routers, firewalls, network switches and intrusion detection devices.

Routers segregate networks, firewalls block unwanted IP addresses and TCP port communications,
and intrusion detection devices add a layer of intelligence based on anomaly detection techniques.
While these devices seemed effective for a time, cyber criminals have become more aggressive and have developed
ways to penetrate and break down the security perimeter.
Attackers use evasion methods to steal data, disrupt IT networks, or plant software exploits.

A typical secure infrastructure contains at least a router, and often a switch and firewall.
To learn about device evasions, we’ll focus on these three devices and touch upon IDS systems as well.
We’ll explore how each of these devices can be broken into, and finally how to secure them to protect infrastructure.
Device evasion is a highly technical and systematic approach to penetrating a network.

Router Evasion

Routers are often the first device accessible from outside a firm’s network.
They maintain routing tables that store paths to destination IP ranges together with a cost metric.
The routing table is consulted every time a TCP/IP packet is processed and forwarded.
Besides routing, routers implement intelligent algorithms to speed up processing, which makes them a key line of defense.

Attack vectors such as denial of service, IP spoofing, man-in-the-middle attacks, and packet crafting
can either trick routers into routing malicious packets or render them useless.
Additionally, router-specific techniques include:

Route Hijacking

In this method, a hacker sniffs traffic originating from a router.
Based on the gathered information, the router is then fed packets carrying bogus, spoofed source and destination IP addresses
designed to trick it. This can overflow or corrupt the routing table, disrupting the network.
Early routing protocols such as RIP lacked authentication, making them especially vulnerable.
While modern routers are more secure, improperly configured routers remain at risk.

IOS Penetration

Like any device, a router runs an operating system, and that operating system can be vulnerable.
Many early-generation routers and wireless routers ran kernels that were easily compromised.
Attackers exploit such vulnerabilities for DoS or remote code execution.
Once a router is penetrated, attackers can remotely alter its configuration, redirect traffic to malicious servers,
or cause large-scale damage.

Firewall Evasion

Firewalls are often hosted behind routers, but in smaller setups they may serve as the first line of defense.
Unlike routers, firewalls are designed specifically for security, making them tougher targets.
Firewalls are rule-based devices that intercept connections, interpret them, and either allow or drop traffic.
With this in mind, some firewall-specific evasion attacks include:

Firewall Request Spoofing

Attackers may spoof packets to make them appear as though they originate from the firewall’s internal segment.
An improperly configured firewall may allow these through.
Similarly, spoofed MAC addresses can bypass MAC-tracking firewalls.

Firewall DoS

Modern firewalls analyze packets using antivirus, antispyware, and anomaly detection before allowing them through.
Attackers exploit this by overwhelming firewalls with crafted requests.
For example, sending requests from spoofed, non-existent IPs forces the firewall to create useless connections,
exhausting its resources. Spoofed internal IPs and MACs can also disrupt the network through false RARP requests.

Packet Forging

Attackers may craft packets with incorrect TCP checksums, forcing the firewall to recalculate checksums and slow down.
Alternatively, inserting excessively large TCP data-length values tricks the firewall into waiting for data that never arrives,
exhausting its memory.

Rule Exploitation

Many firewalls are misconfigured. For example, administrators may configure TCP rules but forget about UDP traffic,
leaving it exposed, or port 80 may be left open in both directions instead of inbound only.
Attackers use scripts to detect and exploit such weaknesses.

IDS and Switch Evasion

Modern infrastructures use Layer-3 switches and intrusion detection systems (IDS) in addition to firewalls.
Switches provide features like VLANs, QoS, and MAC registration. IDS systems apply anomaly detection on traffic.
However, attackers can still evade them using techniques such as:

Forceful Signature Embossing

IDS systems update their anomaly signature databases over time.
Attackers send both well-formed and malformed packets to a target host over a long period.
The IDS eventually learns malformed packets as acceptable, after which the attacker floods the system with them.
This disrupts the IDS, making it ineffective.

DoS attacks at Layer-2 or Layer-3 are possible against both switches and IDS.
Attackers often target misconfigured devices as the weakest link.
Additionally, switch operating systems can be compromised, giving attackers remote control.
While IDS systems are harder to penetrate directly, poor configuration can render them useless.

Protecting FOSS Systems

Many open-source routers, firewalls, and IDS run on Linux distributions such as Ubuntu or CentOS.
These systems must be properly configured and monitored for anomalies.
Linux has a built-in feature called source address verification (reverse path filtering, controlled by the rp_filter sysctl),
which drops packets whose source address could not legitimately have arrived on the interface that received them.
Enabling this kernel feature reduces the risk from the spoofed traffic used in evasion attacks.
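As an added example (not part of the original article), the POSIX shell function below audits the rp_filter setting behind Linux source address verification. It parses sysctl-style output (a constructed sample is embedded; on a live host you would feed it `sysctl -a`) and reports interfaces whose effective mode is weaker than the strict mode the article's advice calls for.

```sh
#!/bin/sh
# Audit Linux reverse-path filtering ("source address verification"),
# sysctl net.ipv4.conf.<iface>.rp_filter.
# Values: 0 = off, 1 = strict (drop if the reply to the source address would not
# leave via the arriving interface), 2 = loose (drop only if the source is
# unreachable on any interface). The kernel applies max(conf.all, conf.<iface>)
# per interface, so a stray "2" on one interface weakens a global "1" to loose mode.

# rp_filter_audit REQUIRED SYSCTL_TEXT
# REQUIRED: 1 to demand strict mode, 2 to accept loose mode.
# Prints "<iface> <effective>" for each interface weaker than REQUIRED.
rp_filter_audit() {
    req="$1"; text="$2"
    all_val=$(printf '%s\n' "$text" | sed -n 's/^net\.ipv4\.conf\.all\.rp_filter *= *//p')
    all_val=${all_val:-0}
    printf '%s\n' "$text" | while IFS= read -r line; do
        case "$line" in
            # "all" is folded into each interface below; "default" only seeds new interfaces.
            net.ipv4.conf.all.rp_filter*|net.ipv4.conf.default.rp_filter*) continue ;;
            net.ipv4.conf.*.rp_filter*) ;;
            *) continue ;;
        esac
        iface=${line#net.ipv4.conf.}; iface=${iface%%.rp_filter*}
        val=$(printf '%s' "${line##*=}" | tr -d ' \t')
        eff=$val; [ "$all_val" -gt "$eff" ] && eff=$all_val   # kernel uses the max
        if [ "$eff" -eq 0 ] || { [ "$req" -eq 1 ] && [ "$eff" -eq 2 ]; }; then
            printf '%s %s\n' "$iface" "$eff"
        fi
    done
}

# Constructed sample of `sysctl -a` output (not captured from a real host).
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 2
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.ip_forward = 1'

# On a live host: rp_filter_audit 1 "$(sysctl -a 2>/dev/null)"
rp_filter_audit 1 "$SAMPLE_SYSCTL"   # reports: eth0 2
```

Interfaces it reports can be fixed persistently by setting `net.ipv4.conf.all.rp_filter = 1` and `net.ipv4.conf.default.rp_filter = 1` in sysctl configuration and clearing any per-interface value of 2.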

Summary

With this article, we conclude the series on cyber attacks.
Device evasion is a new trend of network attacks aimed at breaking into corporate IT infrastructure,
and it must be taken seriously by administrators and management alike.
FOSS can be powerful and secure, but only if it is properly configured.

About the Author

The author has over 20 years of experience in IT hardware, networking, web technologies, and IT security.
Prashant is MCSE and MCDBA certified and an F5 load balancer expert.
In IT security, he is an ethical hacker and network forensics specialist.

Prashant runs his firm Valency Networks in India
(www.valencynetworks.com) providing consultancy in IT security design,
security audits, infrastructure technology, and business process management.
He can be reached at prashant@valencynetworks.com.
