NSW Dragon Sensor 4.1
Network load | 0% | 25% | 50% | 75% | 100%
Background traffic load, 64-byte packets (packets per second) | 0 | 37000 | 74000 | 110000 | 148000
IP port scan | Y | Y | Y | Y | N/A [1]
SYN stealth port scan | Y | Y | Y | Y | N/A [1]
FIN stealth port scan | Y | Y | Y | Y | N/A [1]
UDP port scan | Y | Y | Y | Y | N/A [1]
Nmap remote OS ID attempt [2] | Y | Y | Y | Y | N/A [1]
CyberCop scan | N | N | N | N | N/A [1]
Chargen attack | N | N | N | N | N/A [1]
SYN flood DoS | N | N | N | N | N/A [1]
WinNuke OOB | N | N | N | N | N/A [1]
BackOrifice probe | Y | Y | Y | Y | N/A [1]
FTP Bounce attack | Y | Y | Y | Y | N/A [1]
Web PHF attack | Y | Y | Y | Y | N/A [1]
Bonk [3] | Y | Y | Y | Y | N/A [1]
Land [4] | Y | Y | Y | Y | N/A [1]
Nestea [3] | Y | Y | Y | Y | N/A [1]
NewTear [3] | Y | Y | Y | Y | N/A [1]
SYNdrop [3] | Y | Y | Y | Y | N/A [1]
Teardrop | Y | Y | Y | Y | N/A [1]
Jolt2 | N | N | N | N | N/A [1]
High volume boping/bosting (10,000 pings) | 100% | 100% | 32% | N/A [1] | N/A [1]
Notes:
1. The sensor became unreliable at 75 per cent load and crashed at 100 per cent. The vendor believes it to be a problem with the 3Com card or driver under Red Hat Linux 6.2 and is working on a solution at the time of writing.
2. Reported as TCP flags
3. Reported as fragment overlap
4. Reported as same IP address
IDS Evasion - fragrouter | Detected?
Ordered 8-byte IP fragments | Y
Ordered 24-byte IP fragments | Y
Ordered 8-byte IP fragments, one fragment sent out of order | Y
Ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet | N
Out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet | N
Ordered 8-byte IP fragments, sending the marked last fragment first | P
Ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it | N
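The fragrouter rows above show where reassembly that merely appends fragments in arrival order breaks down. The following is an added example, not code from the review or from Dragon Sensor: an offset-based reassembler beside a naive in-order one, run over constructed fragment sets modelled on the table's cases. The 32-byte payload, the "/cgi-bin/phf" substring standing in for the Web PHF signature, and the two overlap policies ("first" keeps bytes already received, "last" lets later fragments overwrite) are all assumptions made for the illustration; which policy a given target host applies is not something the table states.

```python
"""Added example (not from the review or from Dragon Sensor): an offset-based IP
fragment reassembler beside a naive in-order one, run over constructed fragment
sets modelled on the fragrouter cases in the table. An IDS only sees the bytes
the target host sees if it reassembles by offset, waits for every piece, and
applies the host's overlap policy."""

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # IP "more fragments" flag: False only on the final piece
    data: bytes


# Constructed 32-byte payload; "/cgi-bin/phf" stands in for the Web PHF signature.
PAYLOAD = b"GET /cgi-bin/phf?Qname= HTTP/1.0"
SIGNATURE = b"/cgi-bin/phf"


def split(payload: bytes, size: int) -> List[Fragment]:
    """Cut a payload into ordered fragments of `size` bytes (the last may be shorter)."""
    return [
        Fragment(off, off + size < len(payload), payload[off:off + size])
        for off in range(0, len(payload), size)
    ]


def cases() -> Dict[str, List[Fragment]]:
    """Constructed orderings modelled on the fragrouter tests in the table."""
    f8 = split(PAYLOAD, 8)
    null_overlap: List[Fragment] = []
    for frag in split(PAYLOAD, 16):
        # 8 null bytes covering the latter half of the real fragment, sent first
        null_overlap.append(Fragment(frag.offset + 8, True, b"\x00" * 8))
        null_overlap.append(frag)
    return {
        "ordered_8": f8,
        "ordered_24": split(PAYLOAD, 24),
        "one_out_of_order": [f8[0], f8[2], f8[1], f8[3]],
        "dup_penultimate": f8[:-1] + [f8[-2], f8[-1]],
        "last_first": [f8[-1]] + f8[:-1],
        "null_overlap_16": null_overlap,
    }


def reassemble_naive(frags: List[Fragment]) -> bytes:
    """Concatenate in arrival order and ignore offsets: the shortcut that
    incomplete reassembly amounts to."""
    return b"".join(f.data for f in frags)


def reassemble(frags: List[Fragment], policy: str = "first") -> Optional[bytes]:
    """Place every fragment at its offset. `policy` decides overlaps: "first"
    keeps bytes already received, "last" lets later fragments overwrite them.
    Returns None while the datagram is incomplete."""
    buf: Dict[int, int] = {}
    total: Optional[int] = None
    for f in frags:
        if not f.more:
            total = f.offset + len(f.data)
        for i, byte in enumerate(f.data):
            pos = f.offset + i
            if policy == "first" and pos in buf:
                continue
            buf[pos] = byte
    if total is None or any(pos not in buf for pos in range(total)):
        return None
    return bytes(buf[pos] for pos in range(total))


def fires(payload: Optional[bytes]) -> bool:
    """Would a plain substring signature match the reassembled payload?"""
    return payload is not None and SIGNATURE in payload


if __name__ == "__main__":
    for name, frags in cases().items():
        print(f"{name:18} naive={fires(reassemble_naive(frags))!s:5} "
              f"first={fires(reassemble(frags, 'first'))!s:5} "
              f"last={fires(reassemble(frags, 'last'))!s:5}")
```

Run stand-alone it prints one line per case. The out-of-order and duplicate cases show the naive reassembler producing a byte stream the target never saw; the null-overlap case shows that even a correct offset-based reassembler gives different answers under the two overlap policies, which is why a sensor has to model the target's reassembly behaviour rather than pick one rule for every host.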
IDS Evasion - Whisker | Detected?
Mode 1: URL encoding | P
Mode 2: /./ directory insertion | P
Mode 3: Premature URL ending | P
Mode 5: Fake parameter | P
Mode 7: Case sensitivity | P
Mode 8: Windows \ delimiter | 
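Each Whisker mode in the table defeats a signature matcher that compares the request as it arrives on the wire. The following is an added example, not code from the review or from Whisker or Dragon Sensor: a request-target normaliser beside a naive decode-first parser, run over constructed requests written in the spirit of the listed modes (the exact strings are my construction, not Whisker's). The "/cgi-bin/phf" signature stands in for the Web PHF attack from the first table. The ordering it demonstrates, parse on raw delimiters, then percent-decode once, then resolve dot segments and separators, then case-fold for case-insensitive targets, is the design rule; the case-folding step is an assumption about the target server.

```python
"""Added example (not from the review, Whisker or Dragon Sensor): a request-target
normaliser for HTTP signatures, run against constructed requests modelled on the
Whisker modes in the table, beside a naive decode-first parser. The rule shown:
split on the raw delimiters first, then decode, then resolve dot segments and
separators, and only then compare with a signature."""

from typing import Dict
from urllib.parse import unquote_to_bytes

SIGNATURE = "/cgi-bin/phf"   # stands in for the Web PHF signature in the table


def evasion_samples() -> Dict[str, bytes]:
    """Constructed requests in the spirit of each Whisker mode; all are meant to
    reach the same script on a lenient, case-insensitive server."""
    return {
        "mode1_url_encoding": b"GET /cgi-bin/%70hf HTTP/1.0\r\n\r\n",
        "mode2_dot_dir": b"GET /cgi-bin/./phf HTTP/1.0\r\n\r\n",
        "mode3_premature_end": b"GET /%20HTTP/1.0%0d%0a/../../cgi-bin/phf HTTP/1.0\r\n\r\n",
        "mode5_fake_param": b"GET /index.html%3Fjunk=/../cgi-bin/phf HTTP/1.0\r\n\r\n",
        "mode7_case": b"GET /CGI-BIN/PHF HTTP/1.0\r\n\r\n",
        "mode8_backslash": b"GET /cgi-bin\\phf HTTP/1.0\r\n\r\n",
    }


def naive_target(raw: bytes) -> str:
    """Decode the whole request first, then pick out the path: the order a
    sensor must not use, because encoded spaces, CRLFs and '?' then reshape
    the request line before it is parsed."""
    decoded = unquote_to_bytes(raw).decode("latin-1")
    request_line = decoded.split("\r\n", 1)[0]
    target = request_line.split(" ")[1]
    return target.split("?", 1)[0]


def normalize_target(raw: bytes) -> str:
    """Parse on raw bytes, then decode, then canonicalise the path."""
    request_line = raw.split(b"\r\n", 1)[0]            # a literal CRLF ends the line (mode 3)
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    path = parts[1].split(b"?", 1)[0]                  # only a raw '?' starts the query (mode 5)
    text = unquote_to_bytes(path).decode("latin-1")    # percent-decode exactly once (mode 1)
    text = text.replace("\\", "/")                     # backslash as a separator (mode 8)
    segments = []
    for seg in text.split("/"):                        # drop '.' and '', resolve '..' (mode 2)
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    # Case-folding assumes a case-insensitive target file system (mode 7).
    return "/" + "/".join(segments).lower()


def fires(path: str) -> bool:
    """Would a plain substring signature match this path?"""
    return SIGNATURE in path


if __name__ == "__main__":
    for name, raw in evasion_samples().items():
        print(f"{name:22} naive={fires(naive_target(raw))!s:5} "
              f"normalised={fires(normalize_target(raw))}")
```

Run stand-alone, only the URL-encoding sample fires for the naive parser, while every sample normalises to the same path. Note that the naive parser is wrong in two different ways: for modes 2, 7 and 8 it never canonicalises, and for modes 3 and 5 it canonicalises in the wrong order, letting decoded bytes act as delimiters.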
Dragon Sensor provides no real-time monitoring of attacks; everything has to be done via reporting. Nor is it easy to clear down or filter out old attacks, making it very cumbersome to try to determine the exact number of attacks detected. Despite having the biggest library of signatures (over 1000) of the products tested, Dragon surprised us by missing the Chargen, SYN Flood, WinNuke and Jolt2 attacks, and also offered incomplete fragmentation reassembly (missing some of the fragrouter attacks), though all the Whisker IDS evasion attacks were detected effectively. Unfortunately we noticed erratic behaviour of the Sensor at network loads in excess of 50 per cent, and a complete failure of the Sensor (causing a total machine crash) at 100 per cent load. This is a bizarre fault to have in a shipping product, and we believe that we experienced a rare configuration problem that may be related to the combination of 3Com 3C905 cards under Red Hat Linux 6.2. The vendor is working on a solution at the time of writing. We would not dismiss Dragon Sensor completely because of this apparently isolated problem, but would certainly advocate careful evaluation in your own environment prior to purchase.