Intrusion detection system evasion techniques

This article has multiple issues. Please help improve it or discuss these issues on the talk page. (Learn how and when to remove these messages) This article is an orphan, as no other articles link to it. Please introduce links to this page from related articles; try the Find link tool for suggestions. (February 2012) This article includes a list of general references, but it lacks sufficient corresponding inline citations. Please help to improve this article by introducing more precise citations. (February 2012) (Learn how and when to remove this message) This article may require cleanup to meet Wikipedia's quality standards. No cleanup reason has been specified. Please help improve this article if you can. (February 2008) (Learn how and when to remove this message) (Learn how and when to remove this message)

Intrusion Detection System evasion techniques are modifications made to attacks in order to prevent detection by an Intrusion Detection System (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection popularized IDS evasion, and discussed both evasion techniques and areas where the correct interpretation was ambiguous depending on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.

Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion (and countering IDS evasion) are still active fields.

An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will reverse but the IDS will not. In the past, an adversary using the Unicode character could encode attack packets that an IDS would not recognize but that an IIS web server would decode and become attacked.

Polymorphic code is another means to circumvent signature-based IDSs by creating unique attack patterns, so that the attack does not have a single detectable signature.

Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted.

Intrusion detection systems are often repetitive and can be avoided by anticipating their predictable patterns. Memorization of said patterns and the subsequent avoidance of such can lead to a successful intrusion.^[1]

One basic technique is to split the attack payload into multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. A simple way of splitting packets is by fragmenting them, but an adversary can also simply craft packets with small payloads. The 'whisker' evasion tool calls crafting packets with small payloads 'session splicing'.

By itself, small packets will not evade any IDS that reassembles packet streams. However, small packets can be further modified in order to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, hoping that the IDS will time out before the target computer does. A second evasion technique is to send the packets out of order, confusing simple packet reassemblers but not the target computer.

An IDS evasion technique is to craft a series of packets with TCP sequence numbers configured to overlap. For example, the first packet will include 80 bytes of payload but the second packet's sequence number will be 76 bytes after the start of the first packet. When the target computer reassembles the TCP stream, they must decide how to handle the four overlapping bytes. Some operating systems will take the older data, and some will take the newer data.

Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently from the IDS. For example, the TCP Urgent Pointer is handled differently on different operating systems and may not be handled correctly by the IDS.

An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose Time to live fields have been crafted to reach the IDS but not the target computers it protects. This technique will result in an IDS with different state than the target.

Due to the fact that passive IDS are inherently fail-open (as opposed to fail-closed), launching a denial-of-service attack against the IDS on a network is a feasible method of circumventing its protection.^[2] An adversary can accomplish this by exploiting a bug in the IDS, consuming all of the computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack.

An adversary can evade detection by disabling or overwhelming the IDS. This can be accomplished by exploiting a bug in the IDS, using up computational resources on the IDS, or deliberately triggering a large number of alerts to disguise the actual attack. The tools 'stick' and 'snot' were designed to generate a large number of IDS alerts by sending attack signatures across the network, but will not trigger alerts in IDSs that maintain application protocol context.

1. Evasions in IDS/IPS, Abhishek Singh, Virus Bulletin, April 2010.
2. Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection Thomas Ptacek, Timothy Newsham. Technical Report, Secure Networks, Inc., January 1998.
3. IDS evasion with Unicode Eric Packer. last updated January 3, 2001.
4. Fragroute home page
5. Fragrouter source code
6. Nikto home page
7. Phrack 57 phile 0x03 mentioning the TCP Urgent pointer
8. Whisker home page
9. Sandcat home page
10. Snort's stream4 preprocessor for stateful packet reassembly