Content deleted Content added
Insertion & Evasion |
Insertion & evasion - fragmentation and small packets |
Line 30:
=== Fragmentation and small packets ===
One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads.<ref name=":15">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=http://dx.doi.org.ezproxy.neu.edu/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref> The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.▼
By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet
▲One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
▲By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.
=== Overlapping fragments ===
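Review bot: The url parameter of the Cite journal reference in the first paragraph points at an institutional proxy (dx.doi.org.ezproxy.neu.edu), which only resolves for readers who have that library login. The doi parameter already carries 10.1109/surv.2011.092311.00082, so drop the url or replace it with the direct DOI link. The template also has no year or date field. In the second paragraph, "By itself, small packets" should read "By themselves, small packets". The 'whisker' sentence sits after the reference in the version that has one, and the timeout and out-of-order claims carry no reference in either version, so each of those needs its own source.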