 |
|
Axent NetProwler
|
Network load |
0% |
25% |
50% |
75% |
100% |
|
Background traffic load – 64 byte packets (packets per second) |
0 |
37000 |
74000 |
110000 |
148000 |
|
IP port scan |
Y |
Y |
Y |
Y |
Y |
|
SYN stealth port scan� |
Y |
Y |
Y |
Y |
Y |
|
FIN stealth port scan 1 |
Y |
Y |
Y |
Y |
Y |
|
UDP port scan |
Y |
Y |
Y |
Y |
Y |
|
Nmap remote OS ID attempt 2 |
Y |
Y |
Y |
Y |
Y |
|
CyberCop scan |
N |
N |
N |
N |
N |
|
Chargen attack 3 |
Y |
Y |
Y |
Y |
Y |
|
SYN flood DoS 4 |
Y |
Y |
Y |
Y |
Y |
|
WinNuke OOB |
Y |
Y |
Y |
Y |
Y |
|
BackOrifice probe |
Y |
Y |
Y |
Y |
Y |
|
FTP Bounce attack 5 |
Y |
Y |
Y |
Y |
Y |
|
Web PHF attack |
Y |
Y |
Y |
Y |
Y |
|
Bonk 6 |
Y |
Y |
Y |
Y |
Y |
|
Land� |
Y |
Y |
Y |
Y |
Y |
|
Nestea |
N |
N |
N |
N |
N |
|
NewTear |
Y |
Y |
Y |
Y |
Y |
|
SYNdrop 7 |
Y |
Y |
Y |
Y |
Y |
|
Teardrop |
Y |
Y |
Y |
Y |
Y |
|
Jolt2 8 |
Y |
Y |
Y |
Y |
Y |
|
High volume boping (10,000 pings) |
100% |
100% |
100% |
100% |
100% |
Notes:
1.Reported as SYN snipping
2.Reported as conflicting TCP flags
3.Reported as Stacheldraht
4.Reported as ICMP Redirect
5.Reported as man in the middle attack on the FTP port
6.Reported as DNS Zone Transfer
7.Reported as Tribal Flood Network 2K
8.Reported as ping reply flood
|
IDS Evasion - fragrouter |
Detected? |
|
Ordered 8-byte IP fragments |
N |
|
Ordered 24-byte IP fragments |
N |
|
Ordered 8-byte IP fragments, one fragment sent out of order |
N |
|
Ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet |
N |
|
Out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet |
N |
|
Ordered 8-byte IP fragments, sending the marked last fragment first |
N |
|
Ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it |
N |
�
|
IDS Evasion – Whisker |
Detected? |
|
Mode 1: URL encoding |
N |
|
Mode 2: /./ directory insertion |
Y |
|
Mode 3: Premature URL ending |
Y |
|
Mode 5: Fake parameter |
Y |
|
Mode 7: Case sensitivity |
Y |
|
Mode 8: Windows \ delimiter |
Y |
|
� Axent NetProwler performed exceptionally well in the network load tests, detecting 100 per cent of all attacks at 100 per cent network load. However, although it did spot all of the attacks (except for Nestea and the CyberCop scan) it misrepresented far too many of them, and some of the descriptions were entirely inaccurate (though always consistent). NetProwler does not provide packet reassembly and so failed to spot any fragmentation attacks launched through fragrouter. Performance against other IDS evasion techniques was mixed, handling most of the Whisker attacks quite well (though missing the URL encoding mode for some reason). On the plus side, the monitoring screen on the Agent GUI shows packets processed and packets dropped, which is an extremely useful indication of when an Agent is being overloaded (though we did not see this happen in our tests).� The attack counts are also very accurate, making it very easy to determine exactly how many attacks have been detected. Click here
to return to the Axent NetProwler Review |
Send mail to [email protected] with
|