Intrusion detection system evasion techniques: Difference between revisions

m Sentence casing for sub-section titles, as per WP:STYLE, etc.
 
'''Intrusion Detection System evasion techniques''' are modifications made to attacks in order to prevent detection by an [[Intrusion Detection System]] (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper ''[http://citeseer.ist.psu.edu/ptacek98insertion.html Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection]'' popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.
 
Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion, and countering it, remain active fields of work.
Intrusion detection systems often behave in predictable ways, and an attacker who learns those patterns can avoid triggering them. Memorising such patterns and steering clear of them can lead to a successful intrusion.<ref>http://www.youtube.com/watch?v=tyzLHFkdv6E</ref>
 
== Fragmentation and small packets ==
 
One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.
 
== Overlapping fragments ==
 
An IDS evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.
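The following Python reassembler is an added illustration of that ambiguity, not code from the article or from any of the tools it mentions. It rebuilds a stream from segments under the two policies the text describes (keep the older data, or keep the newer data), and it also shows the check an IDS can make instead of silently picking one: overlapping bytes whose contents disagree are a sign of evasion, whereas an ordinary retransmission overlaps with identical data. The segment contents are constructed sample values, and the "old" and "new" policy names are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number, relative to the start of the stream
    data: bytes     # payload bytes carried by this segment


def reassemble(segments, policy="old"):
    """Rebuild the byte stream from segments in arrival order.

    policy="old" keeps the first byte seen at any offset (older data wins);
    policy="new" lets a later segment overwrite it (newer data wins).
    Returns (stream, overlapped_byte_count). Offsets never received are
    filled with b'?' so an incomplete stream is visible rather than hidden.
    """
    stream = {}
    overlapped = 0
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if off in stream:
                overlapped += 1
                if policy == "new":
                    stream[off] = b
            else:
                stream[off] = b
    if not stream:
        return b"", 0
    end = max(stream) + 1
    return bytes(stream.get(off, ord("?")) for off in range(end)), overlapped


def conflicting_overlap(segments):
    """True if two segments carry *different* bytes for the same offset.

    A plain retransmission overlaps with identical data and is not flagged;
    only disagreeing overlaps indicate that the endpoint and the IDS may end
    up with different views of the stream.
    """
    seen = {}
    for seg in segments:
        for i, b in enumerate(seg.data):
            if seen.setdefault(seg.seq + i, b) != b:
                return True
    return False


# Constructed sample: the article's scenario of an 80-byte first segment and a
# second segment whose sequence number lies 76 bytes into the first, so the
# last four bytes of SEG1 ("OLD!") and the first four of SEG2 ("NEW!") collide.
SEG1 = Segment(0, b"A" * 76 + b"OLD!")
SEG2 = Segment(76, b"NEW!" + b"B" * 20)
```

Because arrival order feeds both policies, delivering the same two segments out of order flips the result, which is why an IDS that cannot know the target's policy is better off alerting on the conflict than guessing.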
 
== Protocol violations ==

Some IDS evasion techniques involve deliberately violating the [[Transmission Control Protocol|TCP]] or [[Internet Protocol|IP]] protocols in a way the target computer will handle differently from the IDS. For example, the [[Transmission Control Protocol|TCP Urgent Pointer]] is handled differently on different operating systems and may not be handled correctly by the IDS.
 
== Inserting traffic at the IDS ==
 
An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose [[Time to live]] fields have been crafted to reach the IDS but not the target computers it protects. This technique will result in an IDS with different state than the target.
 
== Denial of service ==
 
An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack. The tools 'stick' and 'snot' were designed to generate a large number of IDS alerts by sending attack signatures across the network, but will not trigger alerts in IDSs that maintain application protocol context.