COMMAND

    "Stick"

SYSTEMS AFFECTED

    IDS products (RealSecure)

PROBLEM

    Following is based on a Internet Security Systems Security  Alert.
    ISS X-Force  has been  researching a  new attack  tool that can be
    used  to  launch  a  stress  test  against  many popular intrusion
    detection systems  (IDS).   The new  tool, dubbed  "Stick" by  its
    creators, has  been reported  to reduce  performance, and/or  deny
    service to many commercial IDS products.  Stick has been  reported
    to  direct  thousands  of  overt  attacks  at  IDS  systems.   The
    additional processing required  by IDS systems  to handle the  new
    load causes a Denial of Service (DoS) to manifest.

    Stick does not employ any new methods, nor does it expose any  new
    flaws in signature-based IDS.  Stick uses the very straightforward
    technique of firing numerous attacks at random from random  source
    IP addresses to purposely trigger IDS events.  The IDS system will
    attempt to keep up with the  new flood of events, but if  incoming
    events cross the IDS detection threshold, a DoS might result.  The
    effectiveness of the Stick attack is a function of the  attacker's
    available bandwidth.  Stick is essentially a flooding tool, so  if
    a large bandwidth link is available to the attacker, he or she may
    be more successful.  At the time of publication of this Alert, the
    Stick tool has not been made  public.  Refer to the following  URL
    for more information about the attack:

        http://www.eurocompton.net/stick

    ISS X-Force  verified the  existence of  the vulnerability  in the
    Windows NT and Windows 2000 versions of RealSecure Network  Sensor
    5.  0.  On  both  Windows  platforms,  the  event  channel becomes
    congested during the duration of  the attack.  The Network  Sensor
    must be manually reconnected to  restore normal operation.  At  no
    point does the Network Sensor or Network Console crash.

    RealSecure running on  the Solaris platform  does not exhibit  any
    event channel problems  during the attack  or after the  attack is
    suspended.  No reconnection is required.

SOLUTION

    ISS X-Force has developed two fixes for RealSecure Network  Sensor
    that will limit  the risk of  a Stick attack.   The first fix  was
    part of Service  Release 1.1 for  RealSecure Network Sensor.   The
    second fix will  be included in  X-Press Update MU  2.2, available
    on March 15, 2001.  X-Press Update MU 2.2 will also include 28 new
    signatures  and  can  be  accessed  through  the Internet Security
    Systems Web site.