Insertion attack definition
An insertion attack is a cyberattack that deliberately adds bad packets to a data stream to confuse intrusion detection systems (IDS). In an insertion attack, the IDS accepts packets that will be rejected by the end system, causing the two to see the same message differently.
Insertion attacks should not be confused with injection attacks, where hackers exploit user-supplied input to make applications or their host systems behave in ways the attacker wants. Insertion attacks are also distinct from network insertion, which is a cyberattack that involves adding unauthorized nodes to a network to intercept its traffic.
See also: network-based IDS, host-based intrusion detection system, intrusion detection system, network intrusion protection system, wireless intrusion prevention system, attack signature, cyberattack
How an insertion attack works
Insertion attacks rely on the IDS and the end system having different criteria for rejecting packets. For example, the end system may reject a packet due to a bad header or incorrect checksum, whereas the IDS could ignore these fields and include the packet in its analysis. The extra packets are intended to foil simple signature analysis by distorting the actual message.
Stopping insertion attacks
- Add additional criteria to your IDS to make sure it only inspects packets that will be accepted by the end system.
- Use a sophisticated IDS that relies on anomaly-based detection instead of signature-based detection.
- Consider using an intrusion prevention system (IPS) in place of or alongside your IDS.
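The first mitigation above, shown as an added example (not code from any IDS product): a toy stream reassembler that matches a signature with and without the checksum test the end system applies. The `Segment` record, the `ATTACK` signature and the capture are constructed for illustration, and the checksum stands in for the full set of rejection criteria a real end system uses.

```python
import struct
from dataclasses import dataclass

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

@dataclass
class Segment:  # simplified stand-in for a TCP segment (assumption)
    seq: int        # byte offset of the payload in the stream
    payload: bytes
    checksum: int   # checksum carried in the segment header

def make_segment(seq: int, payload: bytes, corrupt: bool = False) -> Segment:
    csum = internet_checksum(payload)
    return Segment(seq, payload, (csum + 1) & 0xFFFF if corrupt else csum)

def reassemble(segments, validate_checksum: bool):
    """Rebuild the stream (first byte seen per offset wins).
    Returns (stream, rejected_segments)."""
    stream, rejected = {}, []
    for seg in segments:
        if validate_checksum and internet_checksum(seg.payload) != seg.checksum:
            rejected.append(seg)  # the end system would drop it, so skip it too
            continue
        for i, byte in enumerate(seg.payload):
            stream.setdefault(seg.seq + i, byte)
    return bytes(stream[k] for k in sorted(stream)), rejected

def ids_alerts(segments, signature: bytes, validate_checksum: bool) -> bool:
    stream, _ = reassemble(segments, validate_checksum)
    return signature in stream

SIGNATURE = b"ATTACK"  # constructed signature
CAPTURE = [            # constructed capture: middle segment has a bad checksum
    make_segment(0, b"AT"),
    make_segment(2, b"X", corrupt=True),
    make_segment(2, b"TACK"),
]

if __name__ == "__main__":
    for strict in (False, True):
        stream, rejected = reassemble(CAPTURE, strict)
        print(f"validate={strict}: stream={stream!r} rejected={len(rejected)} "
              f"alert={ids_alerts(CAPTURE, SIGNATURE, strict)}")
```

The rejected list is worth logging: segments that fail validation and share sequence space with valid ones are themselves a sign that something is attempting to desynchronize the sensor.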