Wednesday, January 03, 2007

Intrusion Detection System (IDS) Evasion Techniques

In this article, I will share how attackers use various techniques to evade an Intrusion Detection System (IDS). There are many methods to evade or bypass IDS sensors, and several common techniques exploit inherent weaknesses in IDS. IDS evasion is not only the process of completely concealing an attack but also a technique for disguising an attack so that it appears less threatening than it really is.
An anomaly-based IDS monitors network traffic and compares it against an established baseline. The baseline identifies what is “normal” for that network (what sort of bandwidth is generally used, what protocols are used, which ports and devices generally connect to each other), and the IDS alerts the administrator or user when it detects traffic that is anomalous, or significantly different from, that baseline.
A signature-based IDS monitors packets on the network and compares them against a database of signatures or attributes of known malicious threats. This is similar to the way most antivirus software detects malware. The issue is that there is a lag between a new threat being discovered in the wild and the signature for detecting that threat being applied to your IDS. During that lag your IDS is unable to detect the new threat.
While an anomaly-based IDS might detect an unknown attack, most signature-based IDSs will miss a new exploit if no rule has been written for it. IDSs must receive vendor signature updates, and even when updates are applied, exploits unknown to the IDS vendor will not be caught by a signature-based system. Attackers may also try to evade the IDS with their own techniques, exploits or tools. These evasive techniques include flooding, fragmentation, encryption, and obfuscation.
  • Flooding: IDSs depend on resources such as memory and processor power to capture packets, analyze traffic, and report malicious activity effectively. By flooding a network with noise traffic, an attacker can cause the IDS to exhaust its resources examining harmless traffic. In the meantime, while the IDS is distracted and occupied by the volume of noise traffic, the attacker can target the real system with little or no intervention from the IDS.
  • Fragmentation: Because different network media allow different maximum transmission units (MTUs), transmission units must be allowed to fragment into differently sized packets or cells. Hackers can take advantage of this by dividing attack packets into smaller and smaller portions that evade the IDS but carry out the attack once reassembled by the target host.
  • Encryption: Network-based intrusion detection (covered later in this chapter) relies on the analysis of traffic captured as it traverses the network from a source to its destination. If a hacker can establish an encrypted session with the target host using Secure Shell (SSH), Secure Sockets Layer (SSL), or a virtual private network (VPN) tunnel, the IDS cannot analyze the packets and the malicious traffic is allowed to pass. Obviously, this technique requires that the attacker first establish a secure encrypted session with the target host.
  • Obfuscation: Obfuscation, an increasingly popular evasive technique, involves concealing an attack with special characters. It can use control characters such as space, tab, backspace, and Delete. The technique might also represent characters in hex format to elude the IDS. Using Unicode representation, where each character has a unique value regardless of platform, program, or language, is another effective way to evade IDSs. For example, an attacker might evade an IDS by using the Unicode character c1 to represent a slash in a Web page request.
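As an added example (not code from the original post), here is the defender's side of the hex and Unicode obfuscation described above: the same traversal signature is applied to the raw request bytes and to a normalized copy, where percent-decoding is repeated to catch double encoding and overlong two-byte UTF-8 sequences such as c0 af are folded back to the ASCII byte they encode. The signature, the function names and the sample requests are all constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Content signature for a directory-traversal request, in the form a signature IDS carries it.
TRAVERSAL_SIG = re.compile(rb"\.\./")

def decode_overlong_utf8(data: bytes) -> bytes:
    """Fold 2-byte overlong UTF-8 sequences (lead byte 0xC0/0xC1) into the ASCII
    byte they encode, e.g. bytes C0 AF -> '/'. Strict decoders reject these, but a
    lenient target may accept them, so the sensor must see what the target sees."""
    out, i = bytearray(), 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)

def normalize(request: bytes, max_rounds: int = 3) -> bytes:
    """Percent-decode repeatedly (defeats double encoding such as %252e), then
    fold overlong UTF-8; stop as soon as a round changes nothing."""
    current = request
    for _ in range(max_rounds):
        decoded = decode_overlong_utf8(unquote_to_bytes(current))
        if decoded == current:
            break
        current = decoded
    return current

def detect(request: bytes) -> tuple[bool, bool]:
    """Return (raw_hit, normalized_hit): the same signature applied to the bytes
    on the wire and to the normalized request."""
    raw_hit = TRAVERSAL_SIG.search(request) is not None
    norm_hit = TRAVERSAL_SIG.search(normalize(request)) is not None
    return raw_hit, norm_hit

# Constructed sample requests (not captured traffic): one plain, three obfuscated, one benign.
SAMPLE_REQUESTS = {
    "plain":    b"GET /../../etc/passwd HTTP/1.0",
    "hex":      b"GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0",
    "overlong": b"GET /..%c0%af..%c0%afetc/passwd HTTP/1.0",
    "double":   b"GET /%252e%252e/etc/passwd HTTP/1.0",
    "benign":   b"GET /index.html HTTP/1.0",
}
```

Only the plain request matches the raw bytes; after normalization the hex, overlong and double-encoded variants match the same rule, and the benign request still does not.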
This article discussed some of the techniques attackers use to evade IDS. There are many other techniques attackers use to minimize IDS alarms when a given packet or sequence of packets matches the characteristics of a known attack. I hope this article helps you understand how an attacker can attack a system or network without triggering the IDS.

39 comments:

~ayoi~ said...

For No. 1 I ain't got any ideas. Perhaps perimeter guardians, perhaps IPS should be configured to deny that noise. For 2, perhaps the IDS should dig deeper into the packets (bytes_depth, etc.).
For 3, Snort 2.6 has a patch for perhaps detecting any covert channel based on asymmetrical data size between receiver and transmitter, and for 4, regex. That's my 1/2 cents thought.

Johncrackernet said...

Ayoi, thanks for your comment. Yes, I agree with you. This is an old method used by attackers to evade IDS. The latest IDS/IPS products have already solved it. But I think attackers will try to evade the latest IPS/IDS using their skills... That's why security is very interesting... Thanks again... hehehehe
