Another evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first segment carries 80 bytes of payload, but the second segment's sequence number is only 76 bytes past the start of the first, so the last four bytes of the first segment and the first four bytes of the second claim the same positions in the stream. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems keep the older data, and some take the newer data.<ref name=":06">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref> If the IDS does not reassemble the TCP stream in the same way as the target, it can be manipulated into either missing a portion of the attack payload or seeing benign data inserted into the malicious payload, breaking the attack signature.<ref name=":06" /><ref name=":13">{{Cite journal|last=Cheng|first=Tsung-Huan|last2=Lin|first2=Ying-Dar|last3=Lai|first3=Yuan-Cheng|last4=Lin|first4=Po-Ching|title=Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems|url=https://doi.org/10.1109/SURV.2011.092311.00082|journal=IEEE Communications Surveys & Tutorials|volume=14|issue=4|pages=1011–1020|doi=10.1109/surv.2011.092311.00082}}</ref> Because the correct resolution depends on the receiving host's TCP implementation, an IDS that watches hosts with different stacks cannot choose a single reassembly policy that is right for all of them; target-based reassembly, in which the sensor is told which policy each monitored host follows, is the usual remedy. This technique can also be used with IP fragmentation in a similar manner.
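The following Python simulation is an added illustration for this article; it is not code from any IDS or from the cited papers. It models two overlap policies (an older-data-wins policy named <code>FIRST</code> and a newer-data-wins policy named <code>LAST</code>, both names chosen for the example), a constructed signature <code>/cgi-bin/phf</code>, and a constructed HTTP request. It reproduces the 80-byte/76-offset case from the text and, going one step further, shows how an attacker orders two overlapping segments so that whichever policy the target uses yields the real payload while the opposite policy yields a decoy.

```python
"""
Simulate TCP stream reassembly under two overlap-resolution policies and
show how an attacker exploits a policy mismatch between the target host
and an IDS.  Added illustration for this article; it is not code from any
IDS or from the cited papers, and the policy names, the signature and the
HTTP request are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    seq: int      # sequence number of the first payload byte (relative to the ISN)
    data: bytes   # payload bytes carried by the segment


# Two simplified overlap policies: a stack that keeps bytes it already holds
# (FIRST, the older data wins) and one that lets a later segment overwrite
# them (LAST, the newer data wins).  Real stacks have more varied rules;
# these two are enough to show the ambiguity.
FIRST = "first"
LAST = "last"


def reassemble(segments, policy, isn=0):
    """Return the contiguous byte stream starting at isn.

    Segments are applied in arrival order.  The result stops at the first
    hole, so a missing segment never produces bytes the host never received.
    """
    if policy not in (FIRST, LAST):
        raise ValueError(f"unknown reassembly policy: {policy!r}")
    stream = {}  # absolute stream offset -> byte value
    for seg in segments:
        for i, b in enumerate(seg.data):
            off = seg.seq + i
            if policy == LAST or off not in stream:
                stream[off] = b
    out = bytearray()
    off = isn
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


# Constructed signature: the simulated IDS alerts if this substring appears.
SIGNATURE = b"/cgi-bin/phf"


def matches_signature(stream, signature=SIGNATURE):
    return signature in stream


def craft_evasion(target_policy, prefix=b"GET /cgi-bin/", real=b"phf",
                  decoy=b"abc", suffix=b" HTTP/1.0\r\n"):
    """Build segments that a host using target_policy reassembles as
    prefix+real+suffix, while a host using the other policy reassembles
    as prefix+decoy+suffix.

    The attacker only has to order the two overlapping segments so that
    the target's policy picks the real bytes.
    """
    if len(real) != len(decoy):
        raise ValueError("real and decoy must be the same length to overlap exactly")
    seq = 0
    segs = [Segment(seq, prefix)]
    seq += len(prefix)
    # Under FIRST the winning bytes must arrive first; under LAST, last.
    sent_first, sent_second = (real, decoy) if target_policy == FIRST else (decoy, real)
    segs.append(Segment(seq, sent_first + suffix))
    segs.append(Segment(seq, sent_second))
    return segs


def four_byte_overlap():
    """The article's numbers: an 80-byte segment followed by one whose
    sequence number is 76 bytes in, so four positions are claimed twice.
    Returns (FIRST-policy result, LAST-policy result)."""
    segs = [Segment(0, b"A" * 80), Segment(76, b"BBBB" + b"CCCC")]
    return reassemble(segs, FIRST), reassemble(segs, LAST)


if __name__ == "__main__":
    for target in (FIRST, LAST):
        ids = LAST if target == FIRST else FIRST
        segs = craft_evasion(target)
        seen_by_target = reassemble(segs, target)
        seen_by_ids = reassemble(segs, ids)
        print(f"target={target}: {seen_by_target!r} alert={matches_signature(seen_by_target)}")
        print(f"ids={ids}: {seen_by_ids!r} alert={matches_signature(seen_by_ids)}")
    print(four_byte_overlap())
```

Run stand-alone, the script prints the two reassemblies for each pairing: the target always ends up with <code>GET /cgi-bin/phf HTTP/1.0</code>, while the sensor using the other policy sees <code>GET /cgi-bin/abc HTTP/1.0</code> and never matches the signature. The same <code>reassemble</code> routine could model IP fragment reassembly by treating fragment offsets as sequence numbers.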
=== Protocol ambiguities ===
Some IDS evasion techniques involve deliberately
=== Inserting traffic at the IDS ===