Wednesday, January 03, 2007

Intrusion Detection System (IDS) Evasion Techniques

In this article, i will share with you how an attacker used their technique to evade Intrusion Detection System (IDS). There are many methods to evade or bypass IDS sensors. There are several common techniques that can be used by an attacker to exploit inherent weaknesses in IDS. IDS evasion not only the process of totally concealing an attack but also a technique to disguise an attack to appear less threatening than it really is.
Anomaly-based IDS will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network- what sort of bandwidth is generally used, what protocols are used, what ports and devices generally connect to each other- and alert the administrator or user when traffic is detected which is anomalous, or significantly different, than the baseline.
A signature based IDS will monitor packets on the network and compare them against a database of signatures or attributes from known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there will be a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag time your IDS would be unable to detect the new threat.
While anomaly-based IDS systems might detect an unknown attack, most signature-based IDS will miss a new exploit if there is no rule written for it. IDS systems must receive vendor signature updates. Even if updates are applied, exploits that are unknown to the IDS vendor will not be caught by the signature-based system. Attackers may also try to evade the IDS by using their techniques, exploits or tools. These evasive techniques include flooding, fragmentation, encryption, and obfuscation.
  • Flooding- IDSs depend on resources such as memory and processor power to effectively capture packets, analyze traffic, and report malicious attacks. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. In the meantime, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can target its system with little or no intervention from the IDS.
  • Fragmentation-Because different network media allow variable maximum transmission units (MTUs), you must allow for the fragmentation of these transmission units into differently sized packets or cells. Hackers can take advantage of this fragmentation by dividing attacking packets into smaller and smaller portions that evade the IDS but cause an attack when reassembled by a target host.
  • Encryption-Network-based intrusion detection (covered later in this chapter) relies on the analysis of traffic that is captured as it traverses the network from a source to its destination. If a hacker can establish an encrypted session with its target host using Secure Shell (SSH), Secure Socket Layer (SSL), or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic will be allowed to pass. Obviously, this technique requires that the attacker establish a secure encrypted session with its target host.
  • Obfuscation-Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as the space, tab, backspace, and Delete. Also, the technique might represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of the platform, program, or language, is also an effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash for a Web page request.
This article discussed about some of the techniques used by an attacker to evade IDS. There are many other technique used by an attacker to minimize IDS alarm when a given packet or sequence of packets matches the characteristics of known attack. I hope this article will help you understand how an attacker used his technique to attack a system or network without triggered by IDS.

9 comments:

~ayoi~ said...

For No.1 aint got any ideas. Perhaps perimeter guardians, perhaps IPS shud be configured to deny those noise. For 2, perhaps the IDS shud dig deeper into the packets (bytes_depth, etc)
For 3. Snort 2.6 has patched on perhaps detecting any covert channel based on assymetrical data size between receiver and transmitter. and for 4, regex. That's my 1/2 cents thought.

Johncrackernet said...

Ayoi, thanks for your comment.Yes,i agree with you..this is an old method used by attacker to evade IDS.Latest IDS/IPS products already solved it. But, i think attackers will try to evade latest IPS/IDS using their skills...That's why security is very interesting....Thanks again...hehehehe

Anonymous said...

Hi There I'd love to congratulate you for such a great made site!
Was thinking this is a perfect way to introduce myself!

Sincerely,
Laurence Todd
if you're ever bored check out my site!
[url=http://www.partyopedia.com/articles/cowboy-party-supplies.html]cowboy Party Supplies[/url].

Anonymous said...

Hello everyone! Who knows where to upload the film Avatar?
I even bought the film Avatar for a SMS to http://rsskino.ru/kinofilm/avatar.html , the link was, but download fails, the system will boot quite strange cocoa something.
Men, advise where to normal as quickly download film avatar?

Anonymous said...

I sell a boat-program which will help you to outwit auction and to win, initially the boat was created for the Scandinavian auction http://internet-aukcion.ru/ but now the program can work with similar auctions: gagen ru, vezetmne ru and with ten.
The program-boat stakes for you, i.e. for this purpose it is not necessary to sit constantly at the monitor. The boat can set time when it is necessary to stake, thus you as much as possible will lower expenses for rates, and as much as possible increase the chances of a victory.

The price of the program a boat for the Scandinavian auctions 20$

For the first 10 clients the price 15$

To all clients free updating and support.

Behind purchases I ask in icq: 588889590 Max.

Anonymous said...

good evening everyone. I'm actually into shoes and I was looking for that singular brand. The prices seeking the boots were around 180 pounds on every page. But finally I set this locate selling them for half price. I really like these [url=http://www.shoesempire.com]prada sneakers[/url]. I will probably buy those. what is your opinion?

Anonymous said...

Bonjour I'd like to congratulate you for such a terrific quality forum!
Was thinking this would be a nice way to introduce myself!
The only right way increase revenue it is usually a sharp scheme to start a savings or investing plan as soon in life as obtainable. But don't despair if you have not started saving your capital until later on in life. As a consequence of honest work, that is exploring the best investment vehicles for your capital you can slowly but surely increase your growth so that it extends to a big amount by the time you wish to retire. Scout out all of the available asset classes from stocks to real estate as investments for your money. A well diversified portfolio of investments in a wide range of asset classes may make your money climb throughout the years.

-Clare Grafton
[url=http://urwealthy.com]currency conversion [/url]

Anonymous said...

[b]Set software LoveBots v 5.2[/b]

All for a mass mailing dating http://24lux.ru/

The script is written in php5

Features:

[i]registration, account activation
manual input captures, or the solution through antikapchu
filling data accounts:
- Gulf desired photo
- Инфы about yourself
- Diary
- Sexual preference[/i]

gulyalka on questionnaires spammer on lichku
- Randomization Posts: replacement of Russian letters in Latin analogues

optimized to work in a continuous loop
check-activation-filling-spam check ..

Updates and support free of charge.

Price per set 100 wmz

For the first 10 buyers price 70 wmz (your feedback on the software).

For shopping I ask in icq: 588889590 Max.

Scrin program:

[IMG]http://i066.radikal.ru/1002/9d/a7a68e8c96ee.jpg[/IMG]

[IMG]http://i054.radikal.ru/1002/19/9db76967c0e5.jpg[/IMG]

[IMG]http://s003.radikal.ru/i202/1002/24/20716e86512e.jpg[/IMG]

Flooding in the subject no! Write to feedback after the purchase.

sandiya said...

Thanks for the information, we will add this story to our blog, as we have a audience in this sector that loves reading like this” Intrusion Detection