Attacking a packet Analyzer: Caronte case study

Abstract

Nowadays it is common the adoption of network traffic analysis tools as a protection against possible cyberattacks, but Attackers have become increasingly skilled at building more and more complex attacks in order to avoid IDS/IPS action, typically through the adoption of evasion that hides attacks to the monitoring system. In this paper, we test an innovative idea to build attacks, that relies on the idea of carrying out attacks against a specific component of IDS/IPS, the packet analyzers, in order to make it (at least temporarily) unavailable, hiding possible attacks against the services. In order to explore the feasibility of the approach, we focused on a particular usage example: the network traffic analysis performed during the attack/defence Capture the Flag (CTF), a cybersecurity competition where different teams attempt to find vulnerabilities in services run by the opposing team, fix them and build exploits to perform attacks. It is worth noticing that such a scenario enabled us even to work in a protected context, avoiding producing attacks that can be exploited in a production environment. Accordingly, outlining that the state of the art shows a lack of results with respect to the proposed approach we performed a security assessment of the chosen tools and demonstrated the feasibility of the approach, concluding that these attack patterns should be taken into consideration when building a protection system.