By themselves, small packets will not evade an IDS that reassembles packet streams. However, small packets can be further manipulated to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out and discard its reassembly state before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.<ref name=":15" />
=== Overlapping fragments and TCP segments ===
Another evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first packet may carry 80 bytes of payload while the second packet's sequence number is only 76 bytes after the start of the first packet, so the two segments overlap by four bytes. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will keep the older data, and some will take the newer data.<ref name=":06">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref> If the IDS does not reassemble the TCP stream the same way as the target, it can be manipulated into either missing a portion of the attack payload or seeing benign data inserted into the malicious payload, breaking the attack signature.<ref name=":06" /><ref name=":13">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=https://doi.org/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref> The same technique can be applied to overlapping IP fragments.
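The following Python model is an added illustration of the delay, reordering and overlap techniques described in this section and the previous one; it is not code from the cited papers or from any IDS. It assumes two deliberately simplified reassembly policies, "old" (the first data seen for an offset is kept) and "new" (later data overwrites it), plus an optional idle timeout standing in for an IDS that expires its reassembly state; real operating systems and sensors have more varied policies than these two. The segments, the 80-byte/76-byte overlap and the signature <code>EVIL</code> are constructed for the example.

```python
"""Reassembling overlapping, out-of-order and delayed TCP segments.

Constructed example (not from the cited papers): each segment is
(arrival_time, seq, payload). Two simplified reassembly policies are
modelled: "old" keeps the first data seen for an offset, "new" lets later
data overwrite it. An optional idle timeout models an IDS that discards
its reassembly state when a stream goes quiet.
"""

SIGNATURE = b"EVIL"  # stand-in for an IDS content signature (constructed)


def reassemble(segments, policy="old", timeout=None):
    """Return the contiguous byte stream from the lowest sequence number.

    policy:  "old" favours data that arrived first, "new" favours the most
             recently arrived data for any overlapping offset.
    timeout: if set, an idle gap longer than this between arrivals drops all
             previously buffered data (an observer whose state expired).
    Segments are processed in arrival order, so out-of-order delivery is
    handled; a hole in the sequence space truncates the returned stream.
    """
    buf = {}
    last_t = None
    for t, seq, payload in sorted(segments, key=lambda s: s[0]):
        if timeout is not None and last_t is not None and t - last_t > timeout:
            buf.clear()  # the observer gave up on this stream
        last_t = t
        for i, byte in enumerate(payload):
            off = seq + i
            if policy == "new" or off not in buf:
                buf[off] = byte
    if not buf:
        return b""
    out = bytearray()
    off = min(buf)
    while off in buf:  # stop at the first hole
        out.append(buf[off])
        off += 1
    return bytes(out)


def sees_attack(segments, policy="old", timeout=None):
    """True if the signature appears in the stream as this observer rebuilds it."""
    return SIGNATURE in reassemble(segments, policy, timeout)


# Overlap, the 80-byte / 76-byte case from the text: segment 1 carries
# 80 bytes ending in the attack bytes; segment 2 starts at offset 76, so
# its first 4 bytes (benign decoys) overlap the last 4 bytes of segment 1.
OVERLAP = [
    (0.0, 0, b"A" * 76 + b"EVIL"),
    (0.1, 76, b"XXXX\r\n"),
]

# Out-of-order delivery: the same bytes, but the second segment arrives first,
# so which data counts as "old" flips and both verdicts invert.
REORDERED = [
    (0.0, 76, b"XXXX\r\n"),
    (0.1, 0, b"A" * 76 + b"EVIL"),
]

# Delay: the signature is split across two segments sent 90 s apart.
DELAYED = [
    (0.0, 0, b"GET /EV"),
    (90.0, 7, b"IL HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for name, segs in [("overlap", OVERLAP), ("reordered", REORDERED)]:
        print(name, "favour-old:", sees_attack(segs, "old"),
              "favour-new:", sees_attack(segs, "new"))
    print("delayed, target (no timeout):", sees_attack(DELAYED),
          "IDS (60 s timeout):", sees_attack(DELAYED, timeout=60))
```

With the segments delivered in order, a favour-old observer reconstructs <code>EVIL</code> while a favour-new observer reconstructs the decoy <code>XXXX</code>; whichever policy the IDS uses, an attacker who knows the target's policy can choose the segment order so that only the target sees the attack. The delayed case shows the timeout technique: an observer that drops its state after 60 s of silence never sees the two halves of the signature together.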
=== Protocol violations ===