Intrusion Detection System Evasion.
Evasion is defined as such: You can use evasion methods to bypass IDSs by submitting a packet to the IDS, which will be denied. The packet, however, is accepted by the host. However, because the IDS denied the packet, it didn't verify its contents, enabling the illegal packet to obtain access to the host.
This confuses me on two levels.
One, what type of IDS would be used in this case? Allowing a denied packet to go through is a bit of an oxymoron, no? And two, how can the IDS deny a packet it does not verify? Doesn't the verification come after inspection?
I throw these questions out to you, please be kind and respond. Looking for a detailed example of how the illegal packet makes it to the host if it is denied.
My previous post above (posted 4 days ago) and the mystery packet that can defy evil? Well, it has been demystified, and the answer is below. Thanks to a mentor!
An example of one of the potential evasion techniques would be using packets that do not adhere to protocol standards. It is possible for a packet to be crafted in such a way that it will be handled differently by an IDS than by a host, resulting in the packet being dropped by the IDS but processed by the client.
Regarding your question, "Allowing a denied packet to go through is a bit of an oxymoron, no?": an IDS is a passive device that is used to monitor traffic. It will inspect a copy of a packet that is traversing a network, but the IDS is not positioned in the traffic stream and therefore it cannot prevent a packet from reaching its destination. It is an Intrusion Prevention System (IPS) that is an active device positioned in line with the traffic flow and can take active steps to stop an attack, not an Intrusion Detection System (IDS).
Regarding your question, "And two, how can the IDS deny a packet it does not verify?": a packet that is denied by an IDS would be discarded. Whether the IDS logs the packet activity would depend on how the IDS is configured and the type of packet that was received. For example, if a packet is deemed to be corrupt or malformed by the IDS, it could be simply dropped without logging the event. Since the packet was deemed to be corrupt, the contents would not be inspected by the IDS, but the client may process the packet differently.
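The mentor's answer is the whole point in two sentences: a strict parser (the sensor) and a lenient parser (the host) disagree about the same bytes, and a sensor configured to silently discard "corrupt" packets inspects nothing. The toy model below, added here as an illustration and not part of the original post or any real IDS, makes that disagreement concrete. The wire format is hypothetical (a 2-byte big-endian declared payload length followed by the payload), the `EVIL` pattern and the sample packets are constructed, and nothing touches a real network. It shows the sensor's blind spot with the silent-drop setting, and the defender's fix: treat a protocol violation as an event worth alerting on rather than a packet worth ignoring.

```python
"""Toy IDS-vs-host parsing mismatch (constructed example, hypothetical format).

Wire format assumed here: 2-byte big-endian declared payload length, then payload.
"""
import struct
from dataclasses import dataclass

SIGNATURE = b"EVIL"  # constructed pattern the sensor's rule looks for


@dataclass
class SensorVerdict:
    inspected: bool   # did the sensor actually look at the payload?
    alert: bool       # did it raise an alert?
    reason: str


def sensor_inspect(packet: bytes, alert_on_malformed: bool) -> SensorVerdict:
    """Strict, standards-conforming parser: the IDS view.

    A packet whose declared length disagrees with the bytes on the wire is
    treated as corrupt. With alert_on_malformed=False it is discarded silently
    (the blind spot described above); with alert_on_malformed=True the
    protocol violation itself becomes the alert.
    """
    if len(packet) < 2:
        return SensorVerdict(False, alert_on_malformed, "truncated header")
    (declared,) = struct.unpack("!H", packet[:2])
    payload = packet[2:]
    if declared != len(payload):
        reason = "length mismatch: declared %d, actual %d" % (declared, len(payload))
        return SensorVerdict(False, alert_on_malformed, reason)
    return SensorVerdict(True, SIGNATURE in payload, "inspected")


def host_receive(packet: bytes) -> bytes:
    """Lenient parser: the host view.

    Uses the declared length only as an upper bound and processes whatever
    bytes are actually present, so a bad length field does not stop it.
    """
    if len(packet) < 2:
        return b""
    (declared,) = struct.unpack("!H", packet[:2])
    return packet[2:2 + declared]


def simulate(packet: bytes, alert_on_malformed: bool) -> dict:
    """Run one packet past the sensor and into the host; report both outcomes."""
    verdict = sensor_inspect(packet, alert_on_malformed)
    payload = host_receive(packet)
    return {
        "ids_inspected": verdict.inspected,
        "ids_alert": verdict.alert,
        "ids_reason": verdict.reason,
        "host_payload": payload,
        "host_saw_signature": SIGNATURE in payload,
    }


# Constructed samples. The malformed one declares far more payload than it carries.
BENIGN_SAMPLE = struct.pack("!H", 5) + b"hello"
WELL_FORMED_SAMPLE = struct.pack("!H", 4) + SIGNATURE
MALFORMED_SAMPLE = struct.pack("!H", 200) + SIGNATURE


if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN_SAMPLE),
                      ("well-formed", WELL_FORMED_SAMPLE),
                      ("malformed", MALFORMED_SAMPLE)]:
        for setting in (False, True):
            r = simulate(pkt, alert_on_malformed=setting)
            print("%-11s alert_on_malformed=%-5s -> %s" % (name, setting, r))
```

With `alert_on_malformed=False` the malformed sample produces no alert at all (`ids_inspected` is false, so the signature rule never runs) while the host still ends up holding the `EVIL` bytes. Flipping the setting does not make the sensor any better at parsing the packet, but it turns the "corrupt packet, ignore it" path into a logged event, which is the cheapest change a sensor operator can make. The more complete remedy is for the sensor to reassemble and normalize traffic the way the protected hosts do, so that the two parsers stop disagreeing.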