Intrusion detection system evasion techniques: Difference between revisions

Polymorphic attacks don't have a single detectable signature, making them very difficult for signature-based IDS, and even some anomaly-based IDS, to detect.<ref name=":32" /><ref name=":14" /> [[Shikata ga nai]] ("it cannot be helped") is a popular polymorphic encoder in the [[Metasploit Project|Metasploit]] framework used to convert malicious [[shellcode]] into difficult-to-detect polymorphic shellcode using XOR additive feedback.<ref>{{cite web|url=http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai|title=Polymorphic XOR Additive Feedback Encoder|work=rapid7.com}}</ref>
 
== Insertion and evasion ==
Attackers can evade IDS by crafting packets in such a way that the end host interprets the attack payload correctly while the IDS either interprets the attack incorrectly or determines that the traffic is benign too quickly.<ref name=":05">{{Cite journal|last=Ptacek|first=Thomas H.|last2=Newsham|first2=Timothy N.|date=1998-01-01|title=Insertion, evasion, and denial of service: Eluding network intrusion detection|url=http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.119.399&rank=1}}</ref>
 
=== Fragmentation and small packets ===
 
One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by [[IP fragmentation|fragmenting]] them, but an [[Adversary (cryptography)|adversary]] can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.
By themselves, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.
 
=== Overlapping fragments ===
 
An IDS evasion technique is to craft a series of packets with [[Transmission Control Protocol|TCP sequence numbers]] configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, it must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.
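The following is an added example, not code from the article or from any IDS project: a minimal TCP segment reassembler that applies the two overlap policies described above ("older data wins" and "newer data wins") to the 80-byte/76-byte case, and a helper that reports the overlapped offsets so a monitor can flag the ambiguity regardless of which policy the target host uses. The segment values and function names are constructed for illustration.

```python
# Added example: shows why an IDS that does not model the target host's
# overlap policy can reconstruct a different byte stream than the host.

def reassemble(segments, policy):
    """Reassemble (seq, payload) segments into bytes.

    policy == "first": bytes already received are kept (older data wins).
    policy == "last":  later segments overwrite earlier ones (newer data wins).
    Segments are applied in arrival order; a hole in the stream is an error.
    """
    stream = {}  # absolute stream offset -> single byte value
    for seq, payload in segments:
        for i, b in enumerate(payload):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = b
    if not stream:
        return b""
    lo, hi = min(stream), max(stream)
    if any(off not in stream for off in range(lo, hi + 1)):
        raise ValueError("gap in stream; cannot reassemble")
    return bytes(stream[off] for off in range(lo, hi + 1))

# Constructed sample matching the article: an 80-byte segment followed by
# a segment whose sequence number is 76 bytes into the first (4-byte overlap).
SEG_A = (1000, b"A" * 80)
SEG_B = (1076, b"B" * 8)
SAMPLE = [SEG_A, SEG_B]

def overlap_views(segments):
    """Stream as seen under each policy, plus whether the two disagree."""
    first = reassemble(segments, "first")
    last = reassemble(segments, "last")
    return {"first": first, "last": last, "ambiguous": first != last}

def overlapping_offsets(segments):
    """Offsets covered by more than one segment; non-empty means an alert."""
    seen, dup = set(), set()
    for seq, payload in segments:
        for off in range(seq, seq + len(payload)):
            (dup if off in seen else seen).add(off)
    return sorted(dup)

if __name__ == "__main__":
    views = overlap_views(SAMPLE)
    print("older-data-wins:", views["first"][72:84])
    print("newer-data-wins:", views["last"][72:84])
    print("overlapped offsets:", overlapping_offsets(SAMPLE))
```

Because the two reconstructions differ only in the overlapped bytes, an IDS that picks the wrong policy for a given host will inspect a payload the host never executes; flagging any overlap at all avoids depending on that guess.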
 
=== Protocol violations ===
Some IDS evasion techniques involve deliberately violating the [[Transmission Control Protocol|TCP]] or [[Internet Protocol|IP]] protocols in a way the target computer will handle differently from the IDS. For example, the [[Transmission Control Protocol|TCP Urgent Pointer]] is handled differently on different operating systems and may not be handled correctly by the IDS.
 
=== Inserting traffic at the IDS ===
 
An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose [[Time to live]] fields have been crafted to reach the IDS but not the target computers it protects. This technique will result in an IDS with different state than the target.