Network defense

HTTP header obfuscation

The headers of HTTP requests or responses can be modified to make the discovery of patterns and attacks more difficult. To prevent this, the FortiGate unit will:

  • remove junk header lines
  • reassemble an HTTP header that’s been folded onto multiple lines
  • move request parameters to HTTP POST body from the URL

 

The message is scanned for any enabled HTTP IPS signatures once these problems are corrected.

 

HTTP body obfuscation

The body content of HTTP traffic can be hidden in an attempt to circumvent security scanning. HTTP content can be GZipped or deflated to prevent security inspection. The FortiGate unit will uncompress the traffic before inspecting it.

Another way to hide the contents of HTTP traffic is to send the HTTP body in small pieces, splitting signature matches across two separate pieces of the HTTP body. The FortiGate unit reassembles these ‘chunked bodies’ before inspection.

 

Microsoft RPC evasion

 

Because of its complexity, the Microsoft Remote Procedure Call protocol suite is subject to a number of known evasion techniques, including:

  • SMB-level fragmentation
  • DCERPC-level fragmentation
  • DCERPC multi-part fragmentation
  • DCERPC UDP fragmentation
  • Multiple DCERPC fragments in one packet

 

The FortiGate unit reassembles the fragments into their original form before inspection.

 

Defending against DoS attacks

A denial of service is the result of an attacker sending an abnormally large amount of network traffic to a target system. Having to deal with the traffic flood slows down or disables the target system so that legitimate users can not use it for the duration of the attack.

Any network traffic the target system receives has to be examined, and then accepted or rejected. TCP, UDP, and ICMP traffic is most commonly used, but a particular type of TCP traffic is the most effective. TCP packets with the SYN flag are the most efficient DoS attack tool because of how communication sessions are started between systems.

 

The “three-way handshake”

Communication sessions between systems start with establishing a TCP/IP connection. This is a simple three step process, sometimes called a “three-way handshake,” initiated by the client attempting to open the connection.

1. The client sends a TCP packet with the SYN flag set. With the SYN packet, the client informs the server of its intention to establish a connection.

2. If the server is able to accept the connection to the client, it sends a packet with the SYN and the ACK flags set.

This simultaneously acknowledges the SYN packet the server has received, and informs the client that the server intends to establish a connection.

3. To acknowledge receipt of the packet and establish the connection, the client sends an ACK packet.

 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.