Intrusion detection system evasion techniques

Intrusion Detection System evasion techniques are modifications made to attacks in order to prevent detection by an Intrusion Detection System (IDS). Almost all published evasion techniques modify network attacks. The 1998 paper "[http://citeseer.ist.psu.edu/ptacek98insertion.html Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection]" popularized IDS evasion; it discussed both evasion techniques and cases where the correct interpretation of traffic is ambiguous and depends on the targeted computer system. The 'fragroute' and 'fragrouter' programs implement evasion techniques discussed in the paper. Many web vulnerability scanners, such as 'Nikto', 'whisker' and 'Sandcat', also incorporate IDS evasion techniques.

Most IDSs have been modified to detect or even reverse basic evasion techniques, but IDS evasion (and countering IDS evasion) remain active fields.

Obfuscating attack payload

An IDS can be evaded by obfuscating or encoding the attack payload in a way that the target computer will decode but the IDS will not. In the past, an adversary could use Unicode encoding to craft attack requests that an IDS would not recognize but that an IIS web server would decode, so the attack reached the server undetected.
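The following Python is an added example written for this page, not code from the cited Unicode evasion article or from any tool named here. It shows why a sensor has to canonicalise a request the way the protected server does before applying a signature: the same directory-traversal fragment is written plainly, with ordinary percent encoding, with an overlong UTF-8 sequence, and with the non-standard `%uXXXX` notation that some web servers (historically IIS among them) accepted. The signature, the lenient decoder and the sample paths are constructed assumptions for the demonstration.

```python
import re

# Constructed content signature: a directory-traversal fragment.  A real IDS
# carries many such byte patterns; one is enough to show the gap.
SIGNATURE = b"../"

# One layer of URL encoding: %uXXXX (non-standard) or %XX.
_PCT = re.compile(rb"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_percent(raw: bytes) -> bytes:
    """Undo one layer of percent encoding.

    %XX becomes the raw byte; %uXXXX becomes the UTF-8 encoding of that code
    point, which is how servers that accepted the %u form treated it.
    """
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16)).encode("utf-8", errors="replace")
        return bytes([int(m.group(2), 16)])
    return _PCT.sub(repl, raw)


def permissive_utf8(data: bytes) -> str:
    """Decode UTF-8 the way a lenient server might.

    Overlong two- and three-byte forms are accepted and mapped to the code
    point they spell (so C0 AF decodes to '/').  Python's strict decoder
    rejects these, which is exactly the difference an evasion relies on.
    """
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < n and (data[i + 1] & 0xC0) == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < n
              and (data[i + 1] & 0xC0) == 0x80 and (data[i + 2] & 0xC0) == 0x80):
            out.append(chr(((b & 0x0F) << 12)
                           | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))   # stray byte: pass through unchanged
            i += 1
    return "".join(out)


def canonicalize(raw: bytes) -> str:
    """Normalise a request path as the protected server would before matching."""
    return permissive_utf8(decode_percent(raw))


def naive_match(raw: bytes) -> bool:
    """Signature applied to the bytes seen on the wire."""
    return SIGNATURE in raw


def normalized_match(raw: bytes) -> bool:
    """Signature applied after canonicalisation."""
    return SIGNATURE.decode() in canonicalize(raw)


# Constructed request paths: one traversal written four ways, plus a benign path.
SAMPLES = {
    "plain":     b"/scripts/../../secret.txt",
    "percent":   b"/scripts/%2e%2e%2f%2e%2e%2fsecret.txt",
    "overlong":  b"/scripts/..%c0%af..%c0%afsecret.txt",
    "percent_u": b"/scripts/..%u002f..%u002fsecret.txt",
    "benign":    b"/scripts/index.html",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} raw-match={naive_match(raw)!s:5} "
              f"normalised-match={normalized_match(raw)!s:5} -> {canonicalize(raw)}")
```

Only the plain form matches on raw bytes; all four traversal forms match once the path is canonicalised, and the benign path matches neither way. The decoder here handles a single encoding layer, so a production normaliser would also have to decide how many times to decode (double encoding such as `%252f`) and would have to agree with the target on that too.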

Polymorphic code is another means to circumvent signature-based IDSs by creating unique attack patterns, so that the attack does not have a single detectable signature.

Attacks on encrypted protocols such as HTTPS are obfuscated if the attack is encrypted.

Fragmentation and Small Packets

One basic technique is to split the attack payload across multiple small packets, so that the IDS must reassemble the packet stream to detect the attack. The simplest way to split a payload is IP fragmentation, but an adversary can also craft TCP packets that each carry a small payload. The 'whisker' evasion tool calls this 'session splicing'.

By themselves, small packets will not evade an IDS that reassembles packet streams. However, small packets can be further manipulated to complicate reassembly and detection. One evasion technique is to pause between sending parts of the attack, in the hope that the IDS will time out and discard its state before the target computer does. A second evasion technique is to send the packets out of order, which confuses simple packet reassemblers but not the target computer.

Overlapping Fragments

Another technique is to craft a series of TCP segments whose sequence numbers overlap. For example, the first packet carries 80 bytes of payload, but the second packet's sequence number is only 76 bytes past the start of the first, so the two packets share four bytes. When the target computer reassembles the TCP stream, it must decide which copy of the four overlapping bytes to keep. Some operating systems keep the older data, and some take the newer data; an IDS that resolves the overlap differently from the target reassembles a different stream than the one the target sees.

Protocol Violations

Some IDS evasion techniques involve deliberately violating the TCP or IP protocols in a way the target computer will handle differently from the IDS. For example, the TCP Urgent Pointer is handled differently by different operating systems and may not be handled correctly by the IDS.

Inserting Traffic at the IDS

An adversary can send packets that the IDS will see but the target computer will not. For example, the attacker could send packets whose Time to Live (TTL) fields are set low enough to reach the IDS but expire before reaching the target computers it protects. This leaves the IDS with a different view of the connection state than the target has.
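The reassembly problems described in the preceding sections (session splicing, pauses, out-of-order delivery, overlapping sequence numbers) and the TTL insertion just described can all be seen in one toy TCP stream reassembler. This is an added example written for this page, not code from fragroute, Snort or any other tool named here. The signature, the segments, their timestamps and their TTL values are constructed, and the two overlap policies are labelled generically ('favor_old', 'favor_new') because this example makes no claim about which operating system applies which.

```python
from dataclasses import dataclass

# Constructed marker standing in for a real content signature.
SIGNATURE = b"ATTACK"


@dataclass
class Segment:
    seq: int          # sequence number of the first payload byte
    data: bytes
    t: float = 0.0    # arrival time at the sensor, in seconds (constructed)
    ttl: int = 64     # IP TTL as seen by the sensor (constructed)


def per_packet_match(segments) -> bool:
    """Stateless inspection: every segment is checked on its own."""
    return any(SIGNATURE in s.data for s in segments)


def reassemble(segments, isn, policy="favor_old", timeout=None, hops_to_target=None) -> bytes:
    """Rebuild the contiguous byte stream that starts at sequence number isn.

    policy          'favor_old' keeps the bytes that arrived first on an overlap;
                    'favor_new' lets later bytes overwrite them.
    timeout         seconds of silence after which this reassembler drops its state.
    hops_to_target  if set, discard segments whose TTL cannot survive that many
                    more hops, i.e. segments the protected host would never receive.
    """
    buf = {}
    last_t = None
    for seg in segments:                       # segments in arrival order
        if timeout is not None and last_t is not None and seg.t - last_t > timeout:
            buf.clear()                        # idle too long: state is gone
        last_t = seg.t
        if hops_to_target is not None and seg.ttl <= hops_to_target:
            continue                           # would expire before the target
        for i, byte in enumerate(seg.data):
            off = seg.seq - isn + i
            if off < 0 or (policy == "favor_old" and off in buf):
                continue
            buf[off] = byte
    out = bytearray()
    while len(out) in buf:                     # only the contiguous prefix counts
        out.append(buf[len(out)])
    return bytes(out)


def stream_match(segments, isn, **kw) -> bool:
    """Stateful inspection: match against the reassembled stream."""
    return SIGNATURE in reassemble(segments, isn, **kw)


# Constructed segment sequences, one per technique described above.
SPLICED = [Segment(0, b"AT"), Segment(2, b"TA", 0.1), Segment(4, b"CK", 0.2)]
OUT_OF_ORDER = [Segment(4, b"CK"), Segment(0, b"AT", 0.1), Segment(2, b"TA", 0.2)]
PAUSED = [Segment(0, b"ATT"), Segment(3, b"ACK", 120.0)]
OVERLAP = [Segment(0, b"ATTAxy"), Segment(4, b"CK", 0.1)]
INSERTED = [Segment(0, b"ATT"), Segment(3, b"x", 0.1, ttl=2), Segment(3, b"ACK", 0.2)]

if __name__ == "__main__":
    print("spliced      per-packet", per_packet_match(SPLICED), "stream", stream_match(SPLICED, 0))
    print("out-of-order per-packet", per_packet_match(OUT_OF_ORDER), "stream", stream_match(OUT_OF_ORDER, 0))
    print("paused       60s sensor", stream_match(PAUSED, 0, timeout=60),
          "600s target", stream_match(PAUSED, 0, timeout=600))
    print("overlap      favor_old", reassemble(OVERLAP, 0, policy="favor_old"),
          "favor_new", reassemble(OVERLAP, 0, policy="favor_new"))
    print("inserted     blind", stream_match(INSERTED, 0),
          "ttl-aware", stream_match(INSERTED, 0, hops_to_target=5))
```

Each scenario isolates one mismatch: per-packet matching misses the spliced and reordered streams that reassembly recovers; a sensor with a shorter idle timeout than the target loses the paused stream; the overlapping segments reassemble to different bytes under the two policies; and the low-TTL segment changes what a sensor sees unless it discards packets the target could never receive. For a defender the lesson is that the sensor's reassembly must track the target's policy, state lifetime and reachability, which is the job of a stateful reassembly component such as the Snort stream preprocessor referenced below.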

Denial of Service

An adversary can evade detection by disabling or overwhelming the IDS. This can be done by exploiting a bug in the IDS, exhausting its computational resources, or deliberately triggering a large number of alerts so that the real attack is lost among them. The tools 'stick' and 'snot' were designed to generate large numbers of IDS alerts by sending attack signatures across the network, but they do not trigger alerts in IDSs that maintain application-protocol context.

References

# [http://citeseer.ist.psu.edu/ptacek98insertion.html Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection]. Thomas Ptacek, Timothy Newsham. Technical Report, Secure Networks, Inc., January 1998.
# [http://www.securityfocus.com/infocus/1232 IDS evasion with Unicode]. Eric Packer. Last updated January 3, 2001.
# [http://monkey.org/~dugsong/fragroute/ Fragroute home page].
# [http://www.freshports.org/security/fragrouter Fragrouter source code].
# [http://www.cirt.net/code/nikto.shtml Nikto home page].
# [http://www.phrack.org/archives/57/p57-0x03 Phrack 57 phile 0x03], mentioning the TCP Urgent Pointer.
# [http://www.wiretrip.net/rfp/ Whisker home page].
# [http://www.syhunt.com/sandcat Sandcat home page].
# [http://www.snort.org/docs/faq/1Q05/node47.html#stream4 Snort's stream4 preprocessor], for stateful packet reassembly.

Wikimedia Foundation. 2010.
