16 Mar 2001
Malicious coders have developed an attack tool that can perform a denial of service attack against many popular intrusion detection products.
The tool, known as Stick, directs thousands of overt attacks at security systems, causing them to fall over.
Coretez Giovanni, of US-based security company Endeavor Systems, told vnunet.com that flaws in the implementation and development of IDS software were one of the main reasons for the success of these tools.
"Stick succeeds because script kiddies are operating security. People are downloading and buying IDS without knowing what or why," he said.
"On the development side IDS must be able to validate that the alarm is correct. This means that the IDS needs to determine if the precursor and post events that occurred confirm or deny that an attack is real," he added.
Security firm Internet Security Systems said Stick uses "very straightforward techniques" of firing numerous attacks from random IP addresses to purposely trigger IDS events. As the IDS attempts to keep up with the flood of events, the load on the system grows, eventually resulting in denial of service.
As the Stick attack works on a 'flooding' level, its effectiveness is limited by the bandwidth available to the attacker, although this also means attackers with more bandwidth at their disposal will be more successful.
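An added example, not part of the original article or any vendor's code: a sliding-window guard that recognises the pattern described above (alarm volume far above normal, with nearly every source address seen only once) and switches to counting alerts per signature instead of processing each one in full. The class name, thresholds, signature names and sample alerts are assumptions constructed for illustration.

```python
from collections import Counter, deque

class AlertFloodGuard:
    """Sliding-window guard: spots an alarm flood from scattered sources."""

    def __init__(self, window=1.0, max_alerts=200, singleton_ratio=0.9):
        self.window = window                    # seconds of history kept
        self.max_alerts = max_alerts            # alerts per window seen as normal
        self.singleton_ratio = singleton_ratio  # share of one-alert sources
        self.recent = deque()                   # (timestamp, source) in window
        self.sources = Counter()                # source -> alerts in window
        self.suppressed = Counter()             # signature -> summarised alerts

    def _expire(self, now):
        while self.recent and now - self.recent[0][0] > self.window:
            _, src = self.recent.popleft()
            self.sources[src] -= 1
            if self.sources[src] == 0:
                del self.sources[src]

    def flooding(self):
        if len(self.recent) <= self.max_alerts:
            return False
        once = sum(1 for n in self.sources.values() if n == 1)
        return once / len(self.sources) >= self.singleton_ratio

    def handle(self, ts, src, signature):
        """'full' = normal per-alert processing; 'summary' = only counted."""
        self._expire(ts)
        self.recent.append((ts, src))
        self.sources[src] += 1
        if self.flooding():
            self.suppressed[signature] += 1
            return "summary"
        return "full"

def run(alerts):
    guard = AlertFloodGuard()
    return Counter(guard.handle(*a) for a in alerts), guard

# Constructed sample data (not captured traffic): quiet baseline, then 1000
# alerts in half a second, each from a different source address.
SIGS = ["sig-a", "sig-b", "sig-c", "sig-d"]     # placeholder signature names
BASELINE = [(i * 0.2, f"10.9.9.{i % 3 + 1}", SIGS[0]) for i in range(50)]
FLOOD = [(20 + i * 0.0005, f"10.0.{i // 250}.{i % 250 + 1}", SIGS[i % 4])
         for i in range(1000)]
# Same volume from one address: loud, but not the scattered-source pattern.
ONE_HOST = [(20 + i * 0.0005, "10.9.9.9", SIGS[0]) for i in range(1000)]

if __name__ == "__main__":
    outcome, guard = run(BASELINE + FLOOD)
    print(dict(outcome), dict(guard.suppressed))
```

The single-host case stays on the full path because a flood from one address is better handled by per-source throttling, which this guard does not implement.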
ISS has developed two fixes for RealSecure Network Sensor, one of the most popular IDS products, which are available here.
A white paper on Stick is available here.